Workplace monitoring platforms are sharing your data.

An Investigation & Roadmap to Address Data Abuses
May 2026

Abstract

This article investigates the data collection practices of nine widely used workplace monitoring platforms to determine the extent to which they track and analyze employee activity, behavior, or performance during work, including how these platforms transmit worker information and to which third-parties. This article finds that (1) nine out of nine workplace monitoring platforms studied directly shared identifying worker data to third parties, (2) nine out of nine workplace monitoring platforms studied shared information about workers’ online activities with third parties, and (3) three out of nine workplace monitoring platforms studied utilize features to track workers’ precise location. This article contextualizes the practice of workplace monitoring within the broader data policy landscape to argue that workers face similar privacy vulnerabilities and lack of protections already seen in consumer landscapes. This article concludes with recommendations for regulators, policy and lawmakers, and researchers and investigative journalists.

Questions

  1. Do the workplace monitoring platforms share worker-related information to third parties?

    If so, which third parties received this information and what worker-related information was shared (e.g. name, email, role, worker activities, etc.)?

  2. To what extent do the workplace monitoring platforms share workers' online activities with known third-party trackers?

    If so, which third-party trackers and unique tracking URLs?

  3. To what extent do workplace monitoring platforms collect geolocations and motion sensor data from workers' devices?

    If so, what are the potential risks and harms?

Findings

  1. Finding 1: Worker data shared.

    All (9 of 9) workplace monitoring platforms directly shared identifying worker data such as first name, last name, email, and company to third parties in one session. This resulted in 121 unique instances of worker data being shared with companies including Facebook, Google, Microsoft, and AppLovin (a mobile advertising platform).

    1. Data sharing when workers access workplace monitoring platforms via web browsers1 is roughly three times higher than when accessing workplace monitoring platforms via mobile apps (104 versus 39 cases of data sharing).2

    2. Workplace monitoring platforms shared worker email data with up to 6 third parties, including Microsoft, Facebook, Intercom,3 ProfitWell,4 Segment.io,5 and ZoomInfo,6 among others. Email addresses are often used as identifiers for accounts on online platforms, and as such are easily linked to individual identities. In fact, many data brokers offer “data append” services7 that match e-mail addresses to other personal data such as name, address, and phone number   making it easy to build detailed profiles without a worker's knowledge, which can increase risks of surveillance, targeting, and misuse.

    3. Workplace monitoring platforms publicly disclose the names of third parties that worker data is shared with only a fraction of the time. Two of nine companies offering workplace monitoring platforms disclosed specific third party company names in their privacy policies or terms of service.8 The remaining seven did not mention specific third party company names in these public-facing documents.

    4. Company disclosures underreported the third parties observed in testing. Even among the two companies offering workplace monitoring platforms that disclosed third-party names, those disclosures captured only a subset of the third parties identified through testing, indicating that privacy policies often provide an incomplete picture of actual third-party data sharing.9

    5. Bosses were not immune to their data being shared.10 Data sharing was not limited to workers, but also included the sharing of personal data of the boss using the workplace monitoring system.11

  2. Finding 2: Online activity transmitted.

    The 9 workplace monitoring platforms in the sample transmitted information about workers' online activities (such as IP address, device information, web pages visited, unique identifiers, etc.) to a total of 145 unique third party domains including facebook.com, linkedin.com, bing.com, google.com, googletagmanager.com, stripe.com (an online payment processing company), and yandex.com (a Russian tech company known for its search engine).

    1. The 9 workplace monitoring platforms shared information about workers' online activities (such as IP address, device information, web pages visited, unique identifiers, etc.) to a total of 145 unique third party domains (including facebook.com, linkedin.com, bing.com, google.com, googletagmanager.com, stripe.com, yandex.com, among others). These third parties often provide services like external analytics, advertising, marketing, social media, or financial services – and may also pass the data on to other third parties who can then use it to generate revenue. For example, information about when the app is used (i.e., when the worker is on the job), the device or network being used (which can pinpoint individuals and their geolocations), and general usage patterns (e.g., what websites you visit) can be used to create further inferences about workers beyond the monitoring software itself - including employee engagement or commitment to the job.

    2. In terms of range, the workplace monitoring platforms in our sample each exposed12 information related to workers' online activities to between 14 and 54 distinct third party domains. While each of the nine workplace monitoring platform companies exposed workers to numerous third party domains, the number of third-party domains contacted by each company varied widely.

  3. Finding 3. Location tracking.

    One third of the workplace monitoring platforms in the sample have features to track workers' precise location at any time – even when the app is in the background or potentially when the worker is clocked out. Separately, 3 of 9 apps can require access to motion sensor data (via accelerometer, gyroscope) to clock-in.

    Beyond data collection and sharing mentioned above, workplace monitoring platforms have the ability to collect various degrees of real-world tracking information – including where the worker is at a point in time and their movements, captured through mobile device sensors such as GPS receivers, accelerometers, and gyroscopes. In this investigation, we explored always-on tracking features, location data collection, and instances where motion sensor access was required to use the clock-in feature.

    1. 3 of 9 workplace monitoring platforms sampled can collect worker location data at any time – even if the mobile app is running in the background and not open on the phone screen.

    2. 3 of 9 apps in our sample can require workers' motion sensor data (e.g. gyroscope or accelerometer information) in order to clock-in.

Recommendations

Enhance data protections with bright line rules:

  • Ban selling or sharing worker data.

  • Ban surveillance sludge features.

  • Ban unlimited data retention.

  • Ban collecting sensitive worker data.

Examine how these practices violate Federal and State laws

prohibiting Unfair, Deceptive, or Abusive Acts or Practices (UDAAP laws), the federal Fair Credit Reporting Act (FCRA) and state equivalents, state consumer privacy laws, and companies that are repeat offenders of the law.

Conduct timely, independent research to fill gaps of workplace monitoring-related knowledge.

It is critical for researchers and practitioners to help analyze these practices today – to keep pace with the quickly evolving landscape of surveillance practices

Footnotes

  1. Bossware can also be accessible to log in through a web browser, in addition to a dedicated mobile or desktop application.

  2. In some cases worker data was shared to the same third party on both web browsers and mobile apps. When counting the unique third parties receiving data (via web and/or mobile), we found 121 unique instances.

  3. Intercom describes itself as an “AI-first customer service platform.” See Deliver exceptional customer service with Intercom, INTERCOM, [https://perma.cc/V2ZJ-X8YS].

  4. ProfitWell says they “[p]rovid[e] industry standard Business Intelligence solutions that improve your retention and monetization automatically through unmatched subscription intelligence.” See ProfitWell by Paddle, LINKEDIN, [https://perma.cc/A6QQ-6QPS].

  5. Segment.io, a company that provides “customer data products” such as a platform to “collect real-time data in unified profiles,” was acquired by Twilio, a “customer engagement platform [that] combines powerful communications APIs with AI and first-party data.” See Segment ❤️ Twilio. We're finally moving in together on Twilio.com!, TWILIO SEGMENT, [https://perma.cc/4KHX-CFH7]; Where amazing customer experiences are built, TWILIO, [https://perma.cc/P58N-YMA5].

  6. ZoomInfo describes itself as “[t]he AI platform for go-to-market teams built on the world's best B2B data…” See The AI platform for go‑to‑market teams, ZOOMINFO, [https://perma.cc/K56S-JQWC].

  7. For example, see Accurate Data. Amazing Results., ACCURATE APPEND, [https://perma.cc/Z7Z9-N4G2].

  8. Subprocessors, HUBSTAFF (2025), [https://perma.cc/Z8W8-6MVM]; Sub-processors, TIME DOCTOR (2024), [https://perma.cc/7G9A-HJDS].

  10. Overall, among the total 121 instances of data sharing cases – there are 76 data-sharing cases involving managerial workers and 45 cases involving non-managerial workers.

  11. We observed other types of data being shared – including that managerial account is categorized under the role of “administrator” or the “number of active employees” in the company – but did not include this field in the final count of worker-related data.

  12. Exposure to these trackers creates a risk that workplace monitoring platforms share worker data with external analytics, advertising, or marketing firms.