Codify — Article

California SB 238 creates public registry for workplace surveillance tools

Requires employers to disclose surveillance systems and their data practices to the Department of Industrial Relations, increasing transparency around worker monitoring.

The Brief

SB 238 defines “workplace surveillance tools” and requires employers to disclose the tools they use and certain details about those systems. The statute creates a centralized disclosure mechanism intended to make employer monitoring practices visible to regulators, workers, and the public.

The bill matters because it broadens transparency obligations across private employers and public entities (including state and local governments and labor contractors), potentially forcing changes in procurement, vendor agreements, and the use of monitoring technologies that collect worker data.

At a Glance

What It Does

Creates a statutory reporting obligation for employer use of automated and electronic monitoring systems and gives the Department of Industrial Relations (DIR) responsibility to host the disclosures. The law defines core terms — including worker, employer, personal information, and workplace surveillance tool — to set the scope of the requirement.

Who It Affects

Applies broadly to employers that exercise control over wages or working conditions, including private businesses, state and local agencies, school districts, and labor contractors; it also touches vendors that build or operate surveillance tools and compliance or privacy teams responsible for disclosures.

Why It Matters

Establishes a public record of employer surveillance that privacy officers, unions, and regulators can use to assess practices and pressure changes. It also creates a compliance workload and raises practical questions about proprietary information, security of published data, and whether employers must offer opt-outs.

What This Bill Actually Does

SB 238 constructs two linked elements: a broad definitional baseline and a reporting/publication regime. The definitions expand the reach of regulation by treating virtually any information that can be tied to a worker as “data” or “personal information,” and they define “workplace surveillance tool” to include automated collection methods beyond a human watching, such as video, continuous time-tracking, geolocation, electromagnetic or photo-electronic tracking, and biometric systems.

The bill explicitly includes job applicants and independent contractors in the definition of “worker,” and it makes clear that government employers and labor contractors fall inside the employer definition.

On the reporting side, the bill requires employers to submit an annual notice to the Department of Industrial Relations listing the surveillance tools they use. Employers that already deployed tools before January 1, 2026, face a one-time early filing deadline.

The statute excludes purely routine IT operations — for example, spam filters, antivirus software, and server uptime monitors — from the reporting requirement, but it otherwise casts a wide net around monitoring systems.

That notice must be detailed. It must name the developers and the parties who will run, manage, or interpret the collected data; give the model name and describe the tool’s technological capabilities; disclose significant updates or changes that alter how the tool works or who can access the data; say whether the tool also affects non-workers such as consumers; enumerate what personal information the tool collects and whether subjects can opt out of collection; list all third parties with access to the data; and state whether the employer has notified affected individuals of the tool’s use.

Finally, DIR must post submitted notices to its website promptly after receipt.

The combination of mandated disclosure, public posting, and the broad definitions means employers will need new internal processes: inventorying monitoring technologies, revising vendor contracts to obtain necessary information, deciding what to disclose publicly, and preparing notices on a recurring basis. Vendors may face pressure to reveal model details and data flows that they currently treat as proprietary, while employers will need to reconcile transparency with confidentiality and security concerns.

The Five Things You Need to Know

1. The bill requires employers to file the notice annually and imposes a February 1, 2026 deadline for tools already in use before January 1, 2026.
2. Employers must disclose both the creators of a surveillance tool and the individuals or vendors who will operate, manage, or interpret the data the tool produces.
3. The statute’s exemption is narrow: it excludes only tools used exclusively for basic IT operations such as spam filters, antivirus software, and server uptime monitors.
4. The notice must state the specific data or personal information collected and explicitly indicate whether affected workers or consumers will be given an option to opt out of data collection.
5. The Department of Industrial Relations must publish each employer’s notice on its website within 30 days of receipt.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 1550(a)-(f)

Definitions that set the statute’s scope

This portion defines key terms the rest of the law uses: “data” and “personal information” are broadly written to capture any information that can be linked to a worker, however obtained. “Worker” explicitly covers job applicants, employees, and independent contractors, and “employer” includes state and local government entities and labor contractors. The definition of “workplace surveillance tool” is intentionally expansive and lists technical examples to avoid narrow interpretation. Practically, these definitions determine which technologies and personnel fall inside the reporting obligation and will be the first target in any compliance risk assessment.

Section 1551(a)

Who must report and when

This provision creates the duty: employers must provide an annual notice to the Department of Industrial Relations listing surveillance tools in use. It also sets an accelerated initial deadline for tools already deployed before January 1, 2026. The provision includes an explicit carve-out for basic IT-only systems. Employers must translate their inventory of monitoring tools into a formal disclosure schedule and calendar to meet the recurring filing requirement.

Section 1551(b)(1)-(3)

Identification of tool creators, operators, and capabilities

These subsections require employers to identify the individuals, vendors, or entities that built each tool and those who will run, manage, or interpret the resulting data. Employers must provide the model name and describe technological capabilities, and must report any significant updates that materially change function, scope, or third-party access. For compliance teams this means drafting vendor-facing clauses to secure model names, capability descriptions, and timely notification of updates.

Section 1551(b)(4)-(7)

Data collected, opt-outs, third-party access, and disclosure to workers

This block covers who else is affected and what information will be shared: employers must say whether the tool impacts consumers, list the categories of personal data collected, indicate whether subjects may opt out, list every external party with access to the data, and disclose whether the employer has notified affected workers. The requirement to state whether an opt-out exists is notable because the bill asks for disclosure of opt-out availability but does not require employers to provide an opt-out as a remedy.

Section 1551(c)

Public posting by the Department of Industrial Relations

DIR must make each employer’s notice publicly available on its website within 30 days of receipt. That creates a public-facing registry that can be searched or scraped by researchers, advocates, and competitors. Employers need to consider what to include in their notices because the public posting elevates reputational and security considerations; DIR will need protocols for intake, redaction (if any), and secure publication.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Workers and job applicants: gain visibility into what automated monitoring is used against them and what categories of personal data are collected, permitting informed conversations about workplace surveillance.
  • Unions and worker advocates: obtain a public dataset to support collective bargaining and campaign work aimed at limiting intrusive monitoring practices.
  • Regulators and compliance officers: receive centralized disclosures that make it easier to detect widespread uses of particular tools and to prioritize investigations or guidance.
  • Privacy researchers and civil-society watchdogs: can analyze the registry to track adoption of biometric, geolocation, or algorithmic monitoring and identify risky vendor practices.

Who Bears the Cost

  • Employers (private and public): must inventory surveillance tools, collect vendor and model information, and submit regular notices — generating administrative and legal costs, and potential procurement or contract renegotiation costs.
  • Surveillance vendors and integrators: may be pushed to reveal model names, capabilities, and access arrangements that they treat as intellectual property, potentially harming competitive positions.
  • Department of Industrial Relations: must process, publish, and maintain the registry and handle inquiries, creating operational and security responsibilities that may require additional funding or staffing.
  • Small employers and those without formal privacy teams: face disproportionate compliance burdens because the law contains no size-based exemption and still requires specific technical disclosures.

Key Issues

The Core Tension

The central tension is between worker privacy and transparency on one hand, and employers’ operational needs and vendors’ claims of proprietary secrecy on the other: the law forces public disclosure of monitoring practices to protect workers, but the same disclosures can expose confidential models and security-sensitive details, creating a trade-off with no clear mechanism in the bill to reconcile the two.

The bill pairs its transparency mandate with few protections for confidential or security-sensitive details. It demands model names and capability descriptions and requires public posting, but it contains no mechanism for redacting trade secrets or sensitive security information.

That gap raises two implementation challenges: employers and vendors will resist disclosure of proprietary algorithms or security architecture, and DIR must decide whether to accept redactions, which could invite litigation over what qualifies as proprietary.

Another tension involves the law’s breadth and ambiguity. The definitions of data and workplace surveillance tool reach many forms of automated processing; without clear thresholds, routine workplace systems could be swept in, multiplying reporting obligations.

The statute asks employers to report whether an opt-out will be available but stops short of requiring an opt-out, so disclosure does not translate into an enforceable right to decline monitoring. Finally, the bill creates an unfunded public-posting duty for DIR and provides no clarity on enforcement, penalties, or how often employers must update notices after a significant change beyond the annual filing cadence.
