Before a flowscope capture agent runs on a single machine, a short list of facts about US law decides what's permitted, what requires notice, and what no statute currently forbids but the evidence says you should never do anyway. Most vendors selling workplace observation software get at least one of those facts wrong, and the most common error is treating a bill that died in committee as though it were the law of California. We map every deployment against the real legal floor first, because an agent that learns how a business actually runs has to do that learning without putting the customer on the wrong side of a notice statute, and because the trust that makes shadowing tolerable to the people being shadowed depends on getting the law exactly right.
The federal floor
The baseline is the Electronic Communications Privacy Act, which generally permits an employer to monitor activity on company-owned systems through two long-established exceptions. The first is the business-purpose exception, which covers interception in the ordinary course of business on the employer's own equipment, and the second is consent, which covers the rest once the employee has agreed. A flowscope engagement satisfies both: the agent runs on the company's machines, captures work performed for the company in the company's systems, and does so with the employer's authorization and, in our model, the employee's informed awareness. The ECPA is permissive by design, which is exactly why it can't be the whole analysis. It tells you that monitoring company systems is legal at the federal level; it tells you almost nothing about the notice you owe before you start.
The states that require notice
Above the federal floor, several states impose affirmative obligations to tell employees that electronic monitoring is happening, and a vendor deploying nationally has to honor whichever one applies to a given worker. Connecticut was first, with Conn. Gen. Stat. §31-48d requiring prior written notice of the types of monitoring an employer may engage in, backed by civil penalties for violations. Delaware's Title 19 §705 demands that employers either give daily electronic notice before monitoring or obtain a one-time signed acknowledgment from the employee. New York's NYLL §52-c, effective in May 2022, requires notice to new hires at the point of hire plus a conspicuous posting in a place employees regularly see, and the analysis Holland & Knight published when it took effect lays out how the three statutes compare and what each one penalizes. The pattern across all three is the same: monitoring is allowed, but only after the employer has said, in writing and in advance, that it is happening.
The bill the SEO blogs got wrong
This is where most of the published guidance fails. Many vendor blog posts and compliance roundups describe California AB 1221 as a 2026 workplace-surveillance law, and it is not a law. Introduced by Assemblymember Bryan as the "workplace surveillance tools" bill, AB 1221 would have been the broadest statute of its kind in the country, and it failed on 2 February 2026. It never reached the governor, and nothing in it binds any employer now. Anyone telling a customer they must comply with AB 1221 is wrong on the most basic fact of the matter, which should give pause about the rest of that vendor's legal posture.
What AB 1221 would have required is worth reading carefully, because it tells you where the regulation is heading even though it isn't here. As the Proskauer and Coblentz analyses of the proposed bill set out, it would have mandated prior notice before deploying a surveillance tool, banned inference of emotion, gait, and neural or other protected traits, and required that a human corroborate any algorithmic output before it could be used as the basis for discipline or termination. Those are the contours of the next decade of workplace-monitoring law, drafted in California and likely to surface again in some form.
Why flowscope adopts a failed bill's principles anyway
The useful response is to treat AB 1221 as a model for what to build rather than a regulation to fear. A vendor who voluntarily builds to its principles (prior notice with a stated purpose, no inference of protected traits, and human corroboration before any adverse action) is both ahead of whatever statute eventually passes and aligned with what the behavioral evidence already says works. People behave more naturally and resist less when they've been told what's being captured and why, which is the same reason our capture agent throws away far more than it keeps and the reason we frame the engagement as shadowing rather than surveillance. The behavioral case and the legal case point the same direction, so adopting the stricter standard costs nothing we'd want to keep.
A reasonable counter is that voluntarily binding yourself to the terms of a bill that failed is naive, since the legislature looked at AB 1221 and declined to enact it. The reply is that the bill's death was about scope, drafting ambiguity, and employer cost, not about the principles, none of which any serious operator would defend opposing. Telling people they're being observed, refusing to guess at their emotional state, and putting a human between an algorithm and a firing are not concessions to a hypothetical law; they are the conditions under which an observation agent can run inside a real workplace without degrading the data it exists to collect, which is why we treat them as the minimum we hold ourselves to rather than the most we'll do. None of this is legal advice. It's how we read the rules we operate under, and any specific deployment should be checked against counsel for the states where the workforce actually sits.