Compliance Guides | March 29, 2026 | 10 min read

Employee Data Privacy: What US State Privacy Laws Mean for Workplace Data in 2026


Do State Privacy Laws Protect Employee Data?

If you're a business owner or HR professional, you might assume that the wave of state privacy laws sweeping the US applies only to customer data. For most states, you'd be right — but the exceptions are significant and growing.

Understanding the employee data privacy landscape is critical because getting it wrong can result in lawsuits, regulatory fines, and eroded employee trust. This guide breaks down which state privacy laws cover employee data, what obligations they create, and how to build a compliance framework for workplace information.

The Employee Data Exemption — and Its Limits

Most comprehensive state privacy laws follow the Virginia model, which explicitly exempts data collected in an employment context. If you look at the state law comparison, you'll see that states like Virginia, Colorado, Connecticut, Indiana, and many others include an employment exemption. This means employee data such as resumes, performance reviews, payroll information, and background checks falls outside the scope of these laws.

But there are major exceptions to this pattern.

California: The CCPA Covers Employee Data

California is the most important exception. Since January 1, 2023, the CCPA/CPRA fully applies to employee personal information. The employee data exemption that existed under the original CCPA expired, and it was not renewed. This means that California employees have the same privacy rights as consumers, including:

  • Right to know what personal information their employer collects and how it's used
  • Right to delete personal information (with business-necessity exceptions)
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information (including biometric data, precise geolocation, race, and union membership)
  • Right to non-discrimination for exercising privacy rights

For employers, this means you must provide a privacy notice at or before the point of collection, respond to employee data subject access requests (DSARs), and implement reasonable security measures for employee data. Use our Privacy Law Calculator to check whether the CCPA's thresholds apply to your organization.

Maryland: Broad Coverage Under MODPA

The Maryland Online Data Privacy Act (MODPA), which took effect on October 1, 2025, does not include a blanket employee data exemption. While enforcement-related practical guidance is still evolving (Maryland's enforcement phase began in April 2026), employers collecting online data from Maryland-based employees should be prepared to comply with MODPA's data minimization and purpose limitation requirements.

Illinois BIPA: Biometric Data in the Workplace

Even in states with broad employee data exemptions, Illinois BIPA applies to employee biometric data. If you use fingerprint time clocks, facial recognition for building access, or any other biometric system for your Illinois workforce, you must obtain written informed consent before collection and maintain a publicly available retention policy. The massive settlements in cases like BNSF Railway ($228 million) stemmed from employee biometric data violations — not consumer data. See our biometric privacy laws guide for details.

What Employee Data Are We Talking About?

Employee data privacy covers a broad range of information that employers routinely collect and process:

  • Recruiting data — resumes, applications, interview notes, background checks, reference checks
  • Onboarding data — Social Security numbers, tax forms, I-9 verification, bank account details for payroll
  • Performance data — reviews, disciplinary records, goal tracking, productivity metrics
  • Health and benefits data — health plan enrollments, disability accommodations, FMLA records, wellness program participation
  • Monitoring data — email surveillance, internet usage logs, keystroke logging, GPS tracking, video surveillance
  • Biometric data — fingerprint scans, facial recognition data, voice recordings
  • Device data — data collected from company-owned devices, BYOD policies, mobile device management

Workplace Monitoring: The Growing Privacy Concern

Employee monitoring has surged since the shift to remote and hybrid work. Employers increasingly deploy tools that track keystrokes, take periodic screenshots, monitor application usage, and analyze email content. While these practices may be legal in most states, they raise significant privacy concerns and may trigger obligations under existing laws.

Several states and cities are moving to regulate employee monitoring specifically:

  • New York — Requires employers to provide written notice of electronic monitoring to new hires (Section 52-c of the Civil Rights Law)
  • Connecticut — Requires employers to inform employees of electronic monitoring (Public Act 98-142)
  • Delaware — Requires employers that monitor email or internet usage to give prior written notice
  • California — The CCPA's requirement to disclose data collection purposes at or before collection applies to employee monitoring tools

Best Practices: Protecting Employee Data in 2026

1. Create a Clear Employee Privacy Notice

Regardless of whether your state's privacy law covers employee data, providing a clear privacy notice to employees is a best practice that builds trust and reduces legal risk. In California, it's a legal requirement. Your notice should explain what data you collect, why, how long you keep it, and who you share it with. See our privacy policy requirements guide for state-specific language recommendations.

2. Apply Data Minimization to HR Data

Collect only the employee data you genuinely need. Many organizations hoard employee information "just in case" without a clear business purpose. Apply the data minimization principle: if you don't need it, don't collect it. This reduces both your compliance burden and your exposure in a data breach.

3. Implement Retention and Destruction Schedules

Employee data should not be kept indefinitely. Develop a data retention schedule that specifies how long each category of employee data is retained and when it's destroyed. Account for legal hold requirements, tax record retention periods, and state-specific rules.

4. Get Consent for Biometric Collection

If you collect employee biometric data anywhere — fingerprint time clocks, facial recognition access systems, voice recordings — get written consent first. Even if your state doesn't mandate it today, the trend is clearly toward requiring consent, and obtaining it proactively protects you from future liability.

5. Train Your HR Team

Employee data privacy training is essential. HR professionals handle the most sensitive employee information and need to understand their obligations around data access, sharing, retention, and destruction. Regular training also helps prevent accidental disclosures and ensures your organization can respond to employee data requests efficiently.

6. Prepare for DSARs From Employees

In California, employees can submit data subject access requests just like consumers. Even if your state exempts employee data today, building DSAR infrastructure now prepares you for the inevitable expansion of employee privacy rights. Use our DSAR guide to understand the process.

The Future of Employee Data Privacy

The trend is clear: employee data exemptions are narrowing. California already removed its exemption. Maryland's MODPA lacks one. As state legislatures revisit their privacy laws, expect more states to bring employee data within scope. Federal proposals like ADPPA also include employee data protections.

Additionally, the rise of AI in the workplace — from resume screening to performance analytics to monitoring tools — is accelerating calls for employee data protections. Minnesota's proposed 2026 legislation would require employers to label their privacy notice as a "surveillance notice" if they engage in profiling or targeted advertising using employee data.

Smart businesses are getting ahead of this trend by implementing employee data protections now, rather than scrambling to comply after new laws take effect.

Frequently Asked Questions

Does the CCPA apply to my employees?

If your business meets the CCPA's thresholds and you have employees in California, yes. The CCPA's employee data exemption expired on January 1, 2023. California employees now have the same privacy rights as consumers, including the right to know, delete, correct, and limit the use of their personal information. Use our calculator to check applicability.

Can I monitor my employees' email and internet usage?

In most states, yes — but with conditions. You should provide clear, written notice to employees that monitoring occurs. Some states (New York, Connecticut, Delaware) legally require this notice. In California, monitoring data collection is subject to CCPA disclosure requirements. Best practice is to have employees acknowledge a written monitoring policy.

Do I need consent to use fingerprint time clocks?

Yes, if you have employees in Illinois (BIPA), Texas (CUBI), Washington, or any state with a comprehensive privacy law that classifies biometric data as sensitive. In Illinois, the stakes are highest because employees can sue directly for violations, with statutory damages of $1,000–$5,000 per incident.

What's the biggest employee data privacy risk for employers?

Biometric data collection without consent is currently the highest-risk area, given BIPA litigation. Beyond that, employee monitoring without adequate notice, failing to respond to California employee DSARs, and retaining employee data longer than necessary are the most common compliance gaps we see.

Should I treat employee data the same as customer data?

As a best practice, yes — even if your state law exempts employee data today. Applying the same privacy principles (notice, purpose limitation, data minimization, security, retention limits) to employee data builds trust, reduces breach impact, and prepares you for the expanding scope of state privacy laws.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.