Employer Monitoring Personal Devices During Remote Work — Is This Legal?

I work remotely as a software developer for a mid-size tech company in Colorado. Last week, IT pushed a mandatory update that included ActivTrak monitoring software on my personal laptop. I use my own device because the company has a BYOD (Bring Your Own Device) policy.

The software tracks keystrokes, takes periodic screenshots, and logs which applications I use throughout the day. I was never asked for consent — the software was bundled into what I thought was a routine VPN update.

The employee handbook only mentions monitoring on "company-owned devices and company networks." My laptop is my personal property, purchased with my own money.

Is this legal? Do I have any recourse? I'm especially concerned because I also do freelance work on this laptop in the evenings, and the monitoring appears to run 24/7.

This is a hot-button issue right now, and your employer may have significantly overstepped.

Under federal law (the Electronic Communications Privacy Act / ECPA), employers generally can monitor devices used for work purposes, but the key is consent. If your employee handbook only covers "company-owned devices," they likely do not have your consent to monitor a personal device.

A few important angles:

• Computer Fraud and Abuse Act (CFAA) — Installing software on your personal computer without authorization could constitute unauthorized access under the CFAA, which is both a criminal and civil statute.
• State wiretapping laws — Keystroke logging and screenshots may constitute "interception" of communications under Colorado's wiretapping statutes.
• BYOD policy scope — If the BYOD policy didn't explicitly authorize this level of monitoring, the employer exceeded the scope of the agreement.

I'd recommend: (1) screenshot the monitoring software's settings/scope, (2) save a copy of your current employee handbook, and (3) consult an employment attorney in Colorado. Many offer a brief initial assessment.

Colorado has some of the strongest privacy protections in the country right now. The Colorado Privacy Act (CPA) went into effect July 2023 and gives consumers rights over their personal data — including the right to opt out of data collection.

While the CPA primarily targets businesses collecting consumer data, there's an argument that an employer collecting personal data from an employee's personal device falls within its scope, especially if the monitoring captures non-work activities.

Also worth noting: Colorado recently passed the Colorado AI Act (SB 24-205) that restricts how AI and automated monitoring tools can be used in employment decisions. If ActivTrak's data feeds into any performance evaluation, there may be additional compliance issues.

Update: I checked the BYOD agreement I signed when I started. It says "Company may install security certificates and VPN software necessary for secure access to company systems." Monitoring software wasn't mentioned anywhere.

Also, I spoke with two coworkers and they're in the same situation. One of them is in California. Does that change anything?

If your coworker is in California, they have even stronger protections. California's Invasion of Privacy Act (Penal Code 631) makes it illegal to tap into or monitor electronic communications without consent. Plus CCPA gives California employees specific data rights against their employers (this was expanded in 2023).

The fact that the BYOD agreement only authorized "security certificates and VPN software" is a huge deal. Monitoring software like ActivTrak is categorically different from a VPN. Your employer almost certainly exceeded the scope of the agreement.

IT manager here (not your IT department, obviously). This kind of stealth deployment is a massive red flag even from a corporate governance perspective. Proper BYOD monitoring requires: (1) explicit written consent, (2) clear disclosure of what's monitored, (3) an option to use a company device instead, and (4) a way to separate work and personal data.

The fact that they bundled it into a "routine VPN update" suggests they knew employees wouldn't consent if asked directly. That's going to look very bad if this ends up in any legal proceeding.

The BYOD agreement language you found is excellent for your case. "Security certificates and VPN software" is a narrow authorization — monitoring/surveillance software is neither a security certificate nor VPN software.

The fact that multiple employees across different states are affected could make this a class or collective action situation. That significantly increases the stakes for the employer and could attract attorney interest on a contingency basis.

One practical step right now: document exactly when the software was installed (check your system logs), what it captures, and whether it runs during non-work hours. If it's capturing your freelance work, personal banking, or personal communications, those are additional damages beyond the employment context.

Similar thing happened at my company last year but they at least sent an email about it first. Half the team refused and they had to provide company laptops as an alternative. If your company doesn't offer an alternative device, that strengthens the argument that this is coercive.

Also — if the monitoring captured any of your freelance client data, you might have a contractual obligation to those clients to report a data breach. Just something to think about.

Update for anyone following: I consulted with an employment attorney today. She confirmed this is likely a violation of both Colorado wiretapping law and the CFAA. She's reaching out to the California coworker's situation too since the multi-state angle strengthens the case.

She also pointed out that installing software on someone's personal device without consent could potentially be a criminal offense under Colorado computer crime statutes (CRS 18-5.5-102). The employer might have real exposure here.

Will update as this progresses. Thanks everyone for the guidance — this thread was incredibly helpful in knowing what questions to ask the attorney.