Employee Data Privacy

United States - Employee Consent

 Download as a PDF

Do I have to obtain employees' consent in order to collect their personal data?

The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.

Consent Requirements

The United States does not have an overarching consent requirement in order to process individual or employee personal data. Instead, employers follow consent or notice requirements based on the type of personal information that is being collected or processed.


Background Checks: Under the Fair Credit Reporting Act (FCRA) and a number of state laws, employers must provide a disclosure notice and receive express consent prior to conducting background checks.

Biometric Data: In Illinois and Texas, employers must obtain consent prior to collecting biometric data on employees (such as hand/face geometry and finger printing). 

Automated Text and Voice Messages: Under the Telephone Consumer Protection Act (TCPA), prior express consent is required before employers send informational text messages or voicemails using an automated telephone dialing system (ATDS). If employers would like to engage in such communications with employees or job applicants, they should track consent and any subsequent opt-outs.

Notification Requirements

Separate from consent, there are certain areas relating to employee data where privacy policies are either necessary or considered to be best practice. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that employers provide privacy notices to employees who participate in employer-sponsored benefit plans that include HIPAA-covered benefits.


HR Best Practices: Employers should consider putting an employee privacy policy in place and keeping it up-to-date. While not a legal requirement, employers are increasingly posting applicant privacy policies online to inform applicants about how personal data may be processed.

If sending automated voicemails or text message reminders to employees, make sure to obtain and track express consent along with any subsequent opt-outs.


Ultimate Software's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where Ultimate Software's customers have employees. HR Compliance Assist is a service exclusively available to Ultimate Software customers.

Share Your Feedback

Let's Talk