Skip to content

Knitting Together Patchwork Privacy and Labor Law Frameworks to Protect Workers from Corporate Surveillance


Alvin Velazquez is Associate General Counsel for the Service Employees International Union. 

This post is part of a symposium on Worker Surveillance & Collective Resistance. Read the rest of the posts here.


As this symposium has underscored, surveillance has become a defining feature of the American workplace: almost seventy percent of large employers surveil their workers, some using old fashioned in-person surveillance tactics and others using electronic surveillance for the purpose of giving praise or monitoring employee discontent. Still others use military or ex-intelligence officials to monitor events, purportedly as part of their brand protection.

In particular, surveillance tools have long affected low-wage workers, and continue to do so in novel ways. For example, as my colleague Sowmya Kypa and I wrote on behalf of the SEIU in a recent comment letter to a Federal Trade Commission advanced notice of proposed rulemaking, many janitorial services employers require that their workers download apps on their personal phones. This is presumably to help workers with human resource functions such as clocking in and out of shifts without needing to touch a time clock. However, these apps have geolocation and geotracking features that let employers log the worker’s location at certain intervals. Geotracking raises a real concern for workers, especially those who use their own smartphone pursuant to a “bring your own device policy,” because employers may be able to surveil workers during off-time hours.

This off-time surveillance raises a related concern about employer and third-party access to workers’ personal data. Many direct employers, especially those that serve the general public, often mix the data workers produce in professional and personal capacities with information gleaned from other Alexa and Google devices. This may occur even though the employer segregates the HR data they have on each employee from the customer relationship manager (CRM) software data they have on an employee; because employers often sell, or trade, “enhanced” CRM data to drive profits, it is possible to identify which people are providing the data. Additionally, data brokers who purchase employee data then sell it to other actors, including law enforcement agencies, in a “gray market.” Because data collected by employers is aggregated on massive cloud servers and mixed, this raises further concerns about workers’ privacy, as Charlotte Garden and Ifeoma Ajunwa have described; it is difficult to address digital workplace surveillance precisely because it is difficult to disaggregate data that workers produce as employees from the data they produce as consumers.

What tools exist in law and current policy to protect low-wage workers from invasive digital surveillance that follow them all the way home? Here, I argue that Congress needs to remedy the existing patchwork, and nearly non-existent, worker data privacy regime of the United States with a comprehensive framework that protects both worker data and consumer data. In the absence of such Congressional action, I argue that regulatory action such as the FTC’s advanced notice of proposed rulemaking, and the National Labor Relations Board’s (NLRB) recent focus on surveillance is welcome. I also argue that labor law doctrines could venture even further to address the impacts of surveillance: for instance, the NLRB should hold that evidence of surveillance is an essential term or condition of employment for determining whether two companies are a worker’s joint employer under its newly proposed joint employer rule. 

Using Privacy Law to Address Worker Surveillance

We have no comprehensive privacy statute in the U.S. equipped to protect workers’ data. This is perhaps not surprising, given the federal government’s own wide-ranging ability and interest in engaging in surveillance and, specifically, surveillance of cloud-based activities: the more information corporations get about their workers and save on the cloud, the more information becomes available for sale to the government. Thus, perhaps governmental purchase of data to support its own surveillance activity partly accounts for why Congress has refused to provide a comprehensive framework to protect the personal data of workers in both their personal and professional capacities.

Whatever the reason for Congress’s inaction, federal agencies and state legislatures have tried to fill the gap. The Federal Trade Commission is examining the possibility of using its rulemaking authority to regulate certain information-collecting activity that affects consumers and workers. Similarly, as of January 1, 2023, the California Consumer Privacy Act (CCPA) provides job applicants in California with the rights to: know how their information will be used; delete and opt out of the sale of their information; opt out of automated decision making; correct inaccurate personal information, and limit use and disclosure of sensitive information.

Though important, neither option is a panacea, and not just because of the Supreme Court’s increasingly hostile approach to reviewing federal regulatory activity. The state-by-state approach, in particular, leaves the core problem of workplace surveillance unsolved because of the mobility of data. While multinational companies rarely move worker data from one country to another because the worker’s rights are governed by the laws where they are employed, they do frequently move such data at a sub-national level. For example, every day in the U.S., companies transmit data back and forth between corporate field offices and headquarters.

Given this state of affairs, it is incumbent upon Congress to develop a stronger, more comprehensive set of privacy laws. Even more than this, privacy law needs to recognize workers’ right to the data they produce on the job. Article 88 of the European Union’s General Data Protection Regulation (GDPR) provides that member states may, through collective bargaining or state action, impose greater rules to protect workers than what the GDPR allows; this is a good place to start since it acknowledges that workers have a specific right to dignity and privacy, and creates the beginnings of a framework that would prioritize the privacy rights of U.S. citizens as workers, and not just consumers. In other words, privacy law needs to focus on workers, rather than only consumers, because existing privacy law discourse is focused on consumer issues, when in fact these and worker issues are intertwined. As scholar-activist Phela Townsend has succinctly stated, “[L]ack of data access and information harms workers because it undermines their power to bargain or negotiate to improve their working conditions or pay, or to address other work issues that may be important to them.” Workers can only get this through both collective bargaining in a unionized environment and a statutory regime that clearly sets out the rules of engagement.

Using Labor Law to Address Worker Surveillance

Section 7 of the National Labor Relations Act applies to all employees, whether unionized or not. Workers seeking to unionize have long been subject to surveillance. In 1938, only three years after passage of the NLRA, the Supreme Court upheld an NLRB finding of an unfair labor practice where the employer had contracted with “industrial spies and undercover operatives” to investigate the union activities of their employees. Without defining the scope of acceptable employer surveillance, the Court found that the NLRB could bar the employer from continuing to use “outside investigative agencies.” Subsequently, the NLRB has held that it is unlawful for an employer to engage in surveillance covertly, or openly create the impression of surveillance because such an impression tends to inhibit employees’ protected activities under Section 7 of the NLRA due to fear of possible employer retaliation

The NLRB has also held that surveillance is a mandatory subject of collective bargaining. Using these bargaining rights, unions have been able to engage in bargaining and bargain for limited use of tools like geofences for clocking in and clocking out. That means that an employer’s tracking app only works when the worker is present at the employer’s worksite to work.

NLRB General Counsel Jennifer Abruzzo recently issued a memorandum outlining new enforcement priorities, including the prosecution of unfair labor practice charges in which employers engage in unlawful surveillance and algorithmic decision making. This is a major step in the right direction, as the NLRB has never discussed the interaction of surveillance or algorithmic decision making. However, I share Charlotte Garden’s outlook regarding use of the NLRB to combat surveillance because the NLRB can only issue unfair practices when surveillance chills the exercise of Section 7 rights, and data cannot always be so cleanly disaggregated. 

Despite those limitations, there is even more that labor law can do to protect workers and unions from insidious surveillance—particularly in the “fissured economy” in which, as Garden puts it, “large companies devolve responsibility for parts of their operations onto smaller, less-accountable companies, or even onto workers themselves (through contract work and the gig economy).”

One example I’d like to advance here concerns the Board’s joint employer standard (which until recently, as I argued in an earlier post on this Blog, protected corporate interests more than corporate law did). The Biden Board’s proposed joint employer standard seeks to restore a common law approach wherein employers are joint employers when they share or codetermine “essential terms and conditions of employment,” which in turn “include, but are not limited to: of employment wages, benefits, and other compensation; hours of work and scheduling; hiring and discharge; discipline; workplace health and safety; supervision; assignment; and work rules and directions governing the manner, means, or methods of work performance.”

If the Board succeeds in promulgating its proposed standard, given the ubiquity of workplace surveillance in the franchising context and in other industries, it seems to make sense to consider this an essential term or condition of employment for the purposes of evaluating joint-employer status. Where other companies make use of a primary employer’s data, then, that would serve as evidence of a joint employer relationship for in the context of successorship-in-interest analysis and bargaining. 

This doctrinal move would make a big difference, especially in low-wage retail and food industries dominated by franchising. In the franchising context, there are franchisors who are using franchise management software to monitor employees. The extension of the joint-employer rule to surveillance would then force an interesting legal dilemma for franchisors—would they rather use their franchisee’s systems to monitor workers and open themselves up to a joint employer finding, or get out of the surveillance business and avoid a joint employer finding? Still another option would be to work out a solution to this dilemma through collective bargaining using some of the solutions suggested by Lisa Kresge of the UC Berkeley Labor Center to limit the scope of management surveillance. By calling out corporate America’s reliance on surveillance in this manner, the Board will take one step further toward effectively applying the Act to a fractured economy. 

What do we make of all this? Agencies such as the FTC and NLRB have important tools to deploy against the ill effects of surveillance on workers, especially in the joint employer context. However, the best fix to these problems (though potentially less politically feasible at the moment) would be for Congress to heed the call for comprehensive privacy law reform, and include workers within the ambit of its protection as Article 88 of the GDPR does. In that way, privacy legislation and labor law can work together synergistically to reinforce worker’s rights at the national level.

This post represents the personal views and comments of the author, and should not be attributed to his employer.