The software your employer uses to monitor you sends your data to Google and Meta. None of the nine tools tested escape this.
The market for bossware » (this software which allows employers to monitor the activity of their employees remotely) is booming since the generalization of teleworking. A recently published study has just documented what these tools actually do with the data they collect. Researchers intercepted network traffic from nine popular surveillance platforms. The result is clear: the nine transmit personal data of employees to third parties.
What are these tools and what do they convey?
The nine platforms screened are Appploye, Buddy Punch, Deputy, Desklong, Hubstaff, Monitask, Time Doctor 2, Vericlock and When I Work. All are available in France and sold to European companies. The data transmitted includes names, email addresses and activity data of employees. In total, over 145 third-party domains receive this information, including Google, Meta, Microsoft, LinkedIn, Yandex and AppLovin.
A third of the tools tested also transmit the precise geolocation of the employeeincluding in the background (i.e. when the application is running without the user being aware of it). The researchers contacted the nine publishers to ask for explanations. Four responded. One of them, Time Doctor, responded via automatic chatbot (monitoring software that delegates its own transparency to a robot, the loop is closed).
Why these practices are already illegal in France
Under French law, this transmission of data to third-party advertising agencies collides head-on with several texts. The GDPR requires the minimization of data collected (article 5) and requires an explicit legal basis for each processing (article 6). The Labor Code establishes the principle of proportionality of restrictions on the individual freedoms of employees (L.1121-1) and the obligation to inform in advance of any collection system (L.1222-4). The CNIL also ruled that continuous screenshots and permanent geolocation without the possibility of deactivation are “neither relevant nor proportionate”.
The most telling precedent is that of Amazon France Logistique. The CNIL imposed on him 32 million euros fine in December 2023 for “excessively intrusive” surveillance of its warehouse employees (per-second productivity indicators, inactivity time, latency between two package scans). The Council of State reduced this fine to 15 million euros in December 2025, but confirmed the breach of the principle of data minimization. The nine tools documented in this study exactly reproduce the mechanism sanctioned at Amazon, with one difference: they add transmission to third-party advertising, which Amazon did not even do.
For the French employees concerned, the right of access provided for by the GDPR allows them to request from their employer the list of surveillance tools deployed and the register of associated processing. The kind of request that noticeably dampens enthusiasm for the bossware.
👉🏻 Follow tech news in real time: add 01net to your sources on Google, and subscribe to our WhatsApp channel.
Source :
Stephanie Nguyen, Levi Kaplan, David Choffnes, Alan Mislove, Seth Frotman, Erie Meyer
