Online Monitoring Laws
The Spyrix team has collected the major legal acts and guidance documents that govern how employers may lawfully monitor their employees' online activities, together with notes on how monitoring tools may be used for personal purposes.
International Acts and Guidelines
GDPR (General Data Protection Regulation - European Union)
The GDPR is the European Union's core data protection regulation and applies to any organization processing personal data of individuals in the EU, regardless of where the organization operates. Online activity monitoring, employee monitoring, and any form of digital tracking fall within its scope whenever they involve personal data.
Under the GDPR, monitoring is lawful only with a valid legal basis under Article 6, most often legitimate interests or performance of the employment contract. Consent is rarely a reliable basis for employee monitoring: because of the imbalance of power between employer and employee it is seldom considered freely given, and it can be withdrawn at any time. Before implementing monitoring tools, organizations should ensure that the monitoring is necessary, proportionate, and does not unduly interfere with individuals' privacy.
When relying on legitimate interests, the GDPR requires a balancing test, usually documented as a Legitimate Interest Assessment (LIA). Where monitoring is likely to result in a high risk to individuals, a Data Protection Impact Assessment (DPIA) is mandatory under Article 35; systematic monitoring of employees (for example continuous screen capture or keystroke logging) is a recognized trigger. These assessments document the justification for monitoring and identify ways to reduce the risks created by the data collection.
Transparency is essential. Individuals must be clearly informed in advance about the type of monitoring, the purpose, the data collected, the legal basis, who will have access, and how long the data will be retained. Undisclosed or covert monitoring is generally restricted and permitted only under very narrow circumstances defined by national laws.
The GDPR also emphasizes data minimization, requiring organizations to collect only what is necessary for a defined purpose. Continuous or overly intrusive monitoring without a clear justification may violate GDPR principles.
For online monitoring tools, the most relevant GDPR obligations include:
Providing clear notice about monitoring
Collecting only necessary data
Using appropriate technical and organizational security measures
Identifying and documenting the lawful basis for processing
Allowing individuals to exercise their rights (access, deletion, objection, etc.)
OECD Privacy Guidelines (Organisation for Economic Co-operation and Development)
The OECD Privacy Guidelines provide internationally recognized principles for data protection and privacy. Although they are not legally binding, they influence national privacy laws worldwide and serve as a framework for responsible data handling.
The Guidelines set out eight principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. Together they direct organizations to collect personal data only by fair and lawful means for clear, legitimate purposes, and to ensure that individuals understand how their data is used.
For online and employee monitoring, the OECD Guidelines support practices that are transparent, proportionate, and respectful of privacy. While they do not contain detailed rules specific to monitoring, they promote responsible data governance and inform national legislation that does regulate monitoring directly.
In practice, the guidelines encourage organizations to:
Clearly communicate monitoring practices
Limit data collection to what is necessary
Protect monitored data from unauthorized access
Review monitoring practices regularly for fairness and necessity
Although not enforceable like the GDPR, the OECD Privacy Guidelines help shape global standards and best practices for lawful and ethical monitoring.
United States
| Act | Where it applies | Scope for monitoring | Key requirements | Notes for Spyrix users |
|---|---|---|---|---|
| CCPA | California | Monitoring that collects personal information | Privacy notice at or before collection, right to access/delete, opt-out of sale or sharing | Applies if monitoring collects identifiers, activity logs, or usage data; since 1 January 2023 the former exemption for employee and job-applicant data has expired, so workers are fully covered |
| CPRA (amends CCPA) | California | Monitoring involving "sensitive personal information" or detailed profiling | Purpose limitation, data minimization, disclosure of retention periods, stricter rules for sensitive data | Precise geolocation and the contents of mail, email, and text messages (where the business is not the intended recipient) count as sensitive personal information, so keylogging and message capture fall under the stricter rules |
| ECPA (Wiretap Act and Stored Communications Act) | Federal (U.S.) | Interception of electronic communications in transit and access to stored communications (email, chat, keystrokes) | Interception of content is prohibited unless an exception applies, principally consent of a party or the ordinary-course-of-business exception for the employer's own systems; employers rely on documented notice and acknowledgment to establish consent | Highly relevant to keylogging, email monitoring, and screen-content capture; some state wiretap laws require the consent of all parties |
| FLSA-Related Guidance | Federal (U.S.) | Monitoring used to track work hours or productivity | Time tracking must support accurate wages; no unpaid off-the-clock work | Not a privacy law, but affects how monitoring data is used for payroll decisions |
| State Electronic-Monitoring Notice Laws | New York, Connecticut, Delaware | Electronic monitoring of employee email, Internet use, and telephone | Written notice before monitoring begins; New York also requires a signed acknowledgment and a conspicuous posting | Multi-state employers benefit from a unified monitoring policy with state-specific notice addenda; the comprehensive consumer privacy laws in states such as Colorado, Virginia, and Utah largely exempt data processed in the employment context |
Canada
PIPEDA (Personal Information Protection and Electronic Documents Act)
Applies to private-sector organizations across Canada in the course of commercial activity, except where a province has substantially similar legislation. For employee information specifically, PIPEDA applies only to federally regulated employers (such as banks, telecommunications carriers, and airlines); elsewhere, employee monitoring is governed by provincial law.
Covers any collection, use, or disclosure of personal information, including online and employee monitoring.
Requires organizations to identify a clear purpose for monitoring and obtain meaningful consent where appropriate.
Monitoring must be reasonable, limited to what is necessary, and conducted in a transparent manner.
Employees should be informed about what is monitored, why it is monitored, and how the information will be used.
Personal information must be protected with appropriate security safeguards.
Provincial Privacy Acts (Alberta PIPA, British Columbia PIPA, Quebec Law 25)
Apply to private-sector organizations within their respective provinces.
Generally mirror PIPEDA principles but may have stricter rules around consent, retention, and employee privacy.
Monitoring must be reasonable for business purposes and aligned with clear, communicated policies.
Employers must inform employees before collecting personal information through monitoring tools.
Some provinces require policies that explain the type of data collected, how long it is retained, and who has access.
Organizations must provide employees access to their personal information upon request.
United Kingdom
UK GDPR
Applies to processing of personal data in the UK, including employee and online activity monitoring.
Requires a clear lawful basis for monitoring (often "legitimate interests" or contract).
Monitoring must be necessary, proportionate, and not excessively intrusive.
Employers should conduct a risk assessment or DPIA for higher-risk monitoring (e.g., continuous tracking, keylogging).
Strong focus on transparency: staff should know what is monitored, why, and how data will be used and stored.
Data Protection Act 2018
Supplements UK GDPR and provides additional rules and exemptions.
Sets out specific provisions on employment context and law enforcement access.
Reinforces principles of data minimization, purpose limitation, and security for monitoring data.
Gives individuals rights to access their personal data and, in some cases, to object to certain types of monitoring.
RIPA (Regulation of Investigatory Powers Act) and the Investigatory Powers Act 2016
The interception regime originally set out in Part 1 of RIPA now sits in the Investigatory Powers Act 2016; intercepting communications in the course of transmission without lawful authority is a criminal offence.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 remain in force and allow a business to monitor or record communications on its own system without consent for listed purposes (for example, establishing facts, detecting unauthorised use, or checking regulatory compliance), provided it has made all reasonable efforts to inform users that interception may take place.
Covert monitoring of employees (without their knowledge) is only allowed in very limited circumstances, such as serious misconduct investigations and when proportionate.
ICO guidance on monitoring workers (formerly the Employment Practices Code)
Non-binding guidance from the UK Information Commissioner's Office on monitoring at work; the older Employment Practices Code has been replaced by the ICO's 2023 guidance "Employment practices and data protection: monitoring workers".
Emphasizes that monitoring should be targeted, not excessive, and justified by a clear business need.
Recommends carrying out impact assessments before introducing new monitoring tools.
Advises employers to create clear written policies explaining what is monitored, how, and for what purposes.
Stresses consultation, transparency, and respect for workers' reasonable expectations of privacy.
Australia & New Zealand
Privacy Act 1988 (Australia)
The Privacy Act 1988 sets the overarching framework for how Australian organizations handle personal information, including data collected through online and employee monitoring. It requires organizations to collect only information that is reasonably necessary, to be transparent about how that information is used, and to keep it secure. Two exemptions matter for monitoring: the employee records exemption removes a private-sector employer's handling of an employee record directly related to a current or former employment relationship from the Australian Privacy Principles, and the small business exemption excludes most businesses with annual turnover of A$3 million or less from the Act altogether. Neither exemption covers contractors, job applicants, or information not directly related to the employment relationship, and the employee records exemption does not apply to Commonwealth agencies, so monitoring data can still fall within the Australian Privacy Principles, especially around notice, purpose limitation, and access rights. In practice, employers and service providers using monitoring tools should define clear business purposes, avoid excessive tracking, and explain their practices in privacy policies and internal documentation.
Workplace Surveillance Acts (state-level, Australia)
Several Australian states and territories regulate monitoring more directly through workplace surveillance laws, such as the Workplace Surveillance Act 2005 (NSW) and the Workplace Privacy Act 2011 (ACT). These laws typically control when and how employers can use camera, computer, and tracking surveillance, often requiring advance written notice, visible signage, and clear policies before monitoring begins. Hidden surveillance is tightly restricted and usually only allowed with specific authority and for serious misconduct or unlawful activity investigations, not for routine performance tracking. For online monitoring tools, this means employers in affected states must provide employees with clear, timely notice that their computer, Internet, or email use may be monitored, and ensure that any monitoring aligns with the statutory conditions.
Privacy Act 2020 (New Zealand)
New Zealand's Privacy Act 2020 modernizes the country's privacy framework and applies to both customer and employee data, including information collected through workplace or online monitoring. The Act requires organizations to collect information only for lawful, necessary purposes, to be open about their practices, and to give individuals access to their personal information. Guidance from regulators emphasizes that monitoring, recording, or filming employees must be proportionate and should be supported by clear workplace policies developed in line with both the Privacy Act and employment law. Employers are encouraged to consult staff, explain why monitoring is needed, and consider the impact on trust and morale, especially when using tools that enable continuous or detailed tracking.
Asia-Pacific
PDPA (Personal Data Protection Act) – Singapore
Covers personal data handled by organizations, including employee and monitoring data.
Requires a clear and lawful purpose for monitoring.
Consent or another valid basis is generally needed.
Strong focus on transparency, proper notification, and data protection safeguards.
Retention must be limited to what is necessary.
PDPA – Malaysia
Applies to personal data processed in commercial and employment contexts.
Consent is a primary requirement for collecting monitoring data.
Data must be processed fairly and for a specific, stated purpose.
Includes rules on retention limits, data security, and third-party processors.
APPI (Act on the Protection of Personal Information) – Japan
Governs the handling of both customer and employee personal data.
Requires organizations to define and communicate the purpose of monitoring.
Emphasizes data security and proper supervision of staff handling personal information.
Monitoring must be proportionate and aligned with internal policies.
Employees may have rights to access and correction depending on context.
PIPL (Personal Information Protection Law) – China
Comprehensive data protection law covering workplace and consumer data.
Requires a clear purpose, data minimization, and transparency for monitoring.
Consent is the default basis, but Article 13 also permits processing that is necessary for human-resources management carried out under lawfully adopted internal labor rules or a collective contract, which is the basis employers usually rely on for routine monitoring; "separate consent" is required where monitoring captures sensitive personal information.
Sets strict requirements on retention, security, and documentation of processing.
Gives individuals rights to access, correct, and request deletion of monitored data.
Latin America
LGPD (Lei Geral de Proteção de Dados) – Brazil
Brazil's LGPD regulates any use of personal data, including information gathered through online or workplace monitoring. Organizations need a clear legal basis for monitoring and must explain its purpose. Monitoring should be limited to what is necessary, carried out transparently, and supported by appropriate security measures. Individuals have rights to access, correct, and request deletion of their personal data.
National Privacy Laws in Argentina (Law 25,326), Mexico (LFPDPPP), and Chile (Law 19,628)
These countries have national data protection laws that apply to personal data collected through monitoring tools. The common requirements include having a lawful purpose, informing individuals about monitoring, and keeping the data secure. Monitoring should be reasonable and proportionate, and individuals generally have the right to access or update their information. While specific rules differ, transparency and necessity are consistent expectations across the region.
Middle East
UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021)
The UAE's federal data protection law applies to organizations processing personal data about individuals in the UAE, including employees. It does not apply inside the DIFC and ADGM financial free zones, which have their own data protection regimes. For monitoring, it requires a clear and lawful purpose, limits data collection to what is necessary, and places strong emphasis on transparency and security. Organizations should inform staff about any monitoring, document their reasons for it, and put in place internal policies and safeguards for handling monitored data.
Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016)
Qatar's personal data privacy law covers personal data processed electronically or intended for electronic processing. It recognizes an individual's right to data privacy and generally requires consent or another legitimate ground before processing personal data, including data gathered through monitoring systems. Organizations must implement appropriate security measures, be transparent about how personal data is used, and respect individuals' rights to access and correct their information.
Saudi Personal Data Protection Law (PDPL)
Saudi Arabia's PDPL applies to processing of personal data about individuals in the Kingdom, by organizations inside or outside the country. For monitoring, it requires organizations to define clear purposes, adopt written privacy policies, and inform individuals about how their data will be collected and used. Consent is an important basis for processing in many cases, although the law also allows processing for certain business, legal, and public-interest reasons. Employers using monitoring tools are expected to protect monitored data, limit access, and handle employee information in line with the PDPL's transparency, security, and retention rules.