Employees collaborating with laptops and mobile devices

call-recording.com workplace communications guide

Workplace Messaging and Device Monitoring

A practical U.S. guide for employers and employees dealing with instant messages, social media, SMS, business mobile phones, employer-paid cellular service, and BYOD devices used for company work.

This guide is general information for business planning. It is not legal advice, and recording or monitoring programs should be reviewed with qualified counsel for every jurisdiction where employees, customers, or call participants are located.

Company systems

Business accounts are easier to monitor.

When an employee uses a company system, company chat account, business social account, or employer-owned device, the employer usually has stronger security and recordkeeping reasons to monitor.

Notice

Monitoring should not be a surprise.

Clear written policies, state-required notices, and employee acknowledgements reduce disputes about whether monitoring was expected.

Personal accounts

Passwords and private social accounts are different.

Many states restrict employers from demanding access to personal social media accounts, even when the employee also uses social media for work.

Working time

After-hours messages can become wage issues.

For nonexempt employees, business SMS, chat, email, and calls outside scheduled hours may need timekeeping and pay treatment.

Employers have real business reasons to monitor work communications.

Companies often need to preserve customer instructions, protect confidential information, investigate misconduct, satisfy cybersecurity duties, enforce acceptable-use rules, and keep regulated communications on approved channels. Those reasons can cover Teams, Slack, Google Chat, Zoom chat, business SMS, email, company-managed social accounts, CRM notes, support platforms, and mobile-device logs.

The stronger case is monitoring tied to a legitimate business purpose and a tool the employer owns, pays for, or expressly approves for company work. The weaker case is broad collection of personal messages, private social media, off-duty location, family texts, or unrelated browsing simply because the device touched the company network.

Employees still keep important rights.

Personal social media

A company can regulate official brand accounts and work conduct, but many states limit demands for personal usernames, passwords, forced login sessions, or manager access to private accounts.

Protected workplace speech

Social posts or chats about pay, benefits, schedules, safety, and working conditions may be protected concerted activity under the NLRA when tied to group workplace action.

Off-duty and personal data

Monitoring that follows an employee outside work, collects sensitive personal information, or sweeps in family communications should be reviewed carefully and limited aggressively.

Wage and hour treatment

If nonexempt employees answer business texts, calls, or chats after hours, the work may need to be captured in time records and paid under FLSA and state wage rules.

State notice and privacy watchlist

Some states require more than a handbook sentence.

The states below are the recurring review points for electronic workplace monitoring, employee personal information, and personal social-account access. The details vary, so a policy should be mapped to where employees actually work.

CT

Written notice and posting

CT requires prior written notice for electronic monitoring and a conspicuous workplace posting. Build this into onboarding and remote-work policy acknowledgements.

DE

Daily notice or acknowledged policy

DE employers must give notice before monitoring telephone, email, or internet use, either through daily electronic notice or a one-time acknowledged notice.

NY

New-hire notice plus posting

NY requires private employers to notify employees on hiring about covered electronic monitoring and post the notice where employees can see it.

CA

Privacy notice and HR data rights

CA employers should treat monitoring data as employee personal information under CCPA/CPRA where applicable and provide notice at or before collection.

Multi

Personal social-account protections

Many states restrict employers from demanding usernames, passwords, compelled access, or added contacts for personal social media accounts.

All

Federal labor and wage overlay

NLRA rights, anti-retaliation rules, and FLSA hours-worked rules can matter even where state monitoring-notice law is thin.

Social media

Company brand accounts and personal accounts should not be treated alike.

If an employee posts from an official company account, a role-based brand account, or an approved social-selling profile used to conduct company business, the employer should define posting rules, retention expectations, approval workflows, message supervision, and account recovery access. The account is part of the business operation.

Personal social media is different. Employers can investigate specific misconduct, protect trade secrets, and enforce lawful conduct policies, but many states limit requests that force employees or applicants to disclose private credentials, log in while a manager watches, add a supervisor as a contact, or change privacy settings.

States to check for personal social-account access restrictions

ARCACOCTDEHIILLAMEMDMIMTNENVNHNJNMOKORRITNUTVTVAWAWVWI

This list is a review prompt, not a substitute for checking current state text and exceptions. Investigations, regulated-industry duties, and publicly available posts may be treated differently from password demands.

IM, chat, and SMS

Business messaging should happen on approved channels.

Instant messages and SMS often feel informal, but regulators and courts can treat them as business records when employees use them to approve work, advise customers, negotiate terms, handle complaints, or discuss regulated activity. Financial firms have paid large penalties for failing to preserve business communications sent through unapproved personal texting and chat apps.

A practical policy should identify approved tools, ban or tightly control off-channel business messaging, explain what is archived, describe legal holds, and tell employees what to do if a customer sends business content through a personal or unapproved channel.

  • For employers: provide an approved path that is easy enough that employees do not route work to personal texts.
  • For employees: keep business communications inside the channels your employer has authorized and retained.

Misconduct investigations

Message history can protect both the complainant and the accused.

Bullying, harassment, threats, retaliation, discriminatory comments, pressure to violate policy, and other non-financial misconduct often happen through the same tools employees use to work: chat, SMS, meeting messages, comments, and social DMs connected to company accounts. When an allegation is serious, contemporaneous message history can show what was said, who saw it, whether it was repeated, and whether context changes the interpretation.

This is especially important in regulated environments. The UK FCA's PS25/23 guidance comes into force on September 1, 2026 alongside COCON 1.1.7FR, and it is aimed at helping affected firms apply conduct rules to non-financial misconduct consistently. The operational lesson is broader than the UK: if a business may need to make a fair conduct finding, notify a regulator, discipline an employee, or answer a future reference request, it needs reliable work-channel evidence rather than memory alone.

Keep the boundary clear

Preserve company-channel records for legitimate investigations, but do not use that need as a reason to monitor personal social media, private messages, or off-duty life unless counsel confirms a specific lawful basis and the scope is tightly limited.

Mobile phones

Ownership, service account, and management software all matter.

On an employer-owned phone or employer-supplied cellular plan, the business usually has a stronger interest in managing the device, enforcing security settings, retaining business communications, reviewing usage records, and wiping company data. That does not mean every personal photo, private message, health app, or family location event should be collected.

For BYOD, the employer's position should be narrower and clearer. The cleanest model uses mobile app management, work profiles, managed apps, or other containerized controls that separate company email, chat, files, and contacts from the employee's personal side of the device.

Employer-owned or employer-paid

Disclose MDM, remote wipe, location use, call/SMS log review, app restrictions, backup rules, and whether personal use is permitted.

Approved BYOD

Use written consent, selective wipe, work containers, minimum security baselines, and an exit process that removes company data without taking personal data.

Working hours

A phone can turn downtime into compensable work.

Monitoring policies often miss the wage side of messaging. If hourly or nonexempt employees respond to business SMS, chat, email, or social DMs after their shift, the company should have a timekeeping rule, manager escalation path, and clear boundaries for when after-hours work is allowed.

For employees, the safest habit is to follow the company's reporting process whenever work is performed outside scheduled time. For employers, the safest design is to either stop after-hours work or capture it accurately and pay it when required.

Policy controls

A defensible monitoring program is narrow, documented, and reviewable.

Written monitoring notice

Explain what systems, devices, accounts, content, logs, and metadata may be monitored.

Employee acknowledgement

Collect acknowledgement during onboarding and whenever monitoring scope materially changes.

Approved communication channels

Define which tools can be used for customers, regulated work, internal chat, and urgent SMS.

BYOD agreement

Spell out MDM/MAM scope, selective wipe, security requirements, support limits, and separation of personal data.

Retention and legal hold

Retain business communications for the required period and suspend deletion for disputes or investigations.

Data minimization

Avoid collecting personal content when device, app, or account design can limit collection to company data.

Labor-law review

Do not use monitoring or social policies to chill protected concerted activity about working conditions.

After-hours workflow

Require approval or reporting for nonexempt after-hours work performed through mobile messages or calls.

State-by-state roster

Track employee work locations and update notices for remote work, travel, and state-specific monitoring rules.

Call Observe

The cleanest policy is the one employees can actually follow.

Choose approved channels, disclose monitoring, preserve what must be preserved, and leave personal accounts and personal data outside the program whenever possible.

Call Recording Law Guide