Meta Limits Employee Tracking Programme Used to Train AI After Privacy Backlash

3rd Jun 2026
Meta has introduced new limits on a programme that collects employee clicks, mouse movements, and keystrokes to help train AI systems after employees objected to the monitoring. The dispute puts the focus on a practical legal problem that extends well beyond one company. If workplace activity data can be used to improve AI systems, where should the line be drawn between legitimate business purposes and excessive employee surveillance? What Makes AI Training Different From Traditional Employee Monitoring Meta's proposed monitoring programme reportedly involved collecting mouse movements, clicks, and keystrokes from employees in the United States to help train the company's AI systems. Following internal backlash, the company introduced new limits, including allowing employees to pause data collection for up to 30 minutes and request exemptions from the programme. Workers reportedly expressed concerns about privacy, home internet usage, and the possibility that sensitive information could be captured during the monitoring process. Meta has said safeguards were in place and that the data was intended solely to improve its AI models. The legal significance of the programme lies not in the monitoring itself, but in its intended purpose. Many employers monitor workplace systems for reasons that can include cybersecurity, compliance, fraud prevention, and productivity management. Using employee activity data to train artificial intelligence systems creates a different set of considerations because information collected during the course of daily work may be used for an entirely separate objective. That distinction becomes particularly important under modern privacy frameworks. In the United Kingdom and European Union, organisations must generally be able to demonstrate that personal data is collected for a specific purpose, processed transparently, and limited to what is necessary to achieve that purpose. Some U.S. privacy laws, including California's CCPA as amended by the CPRA, contain transparency and data-use requirements relevant to personal information. Legal teams therefore need to consider not only what information is being collected, but whether employees have been adequately informed about how that information may ultimately be used. The challenge is that activity-monitoring tools can capture far more than basic productivity data. Depending on how a system operates, collected information could potentially include confidential communications, commercially sensitive material, customer information, authentication credentials, or personal data unrelated to an employee's role. Even where safeguards exist, organisations may still need to assess whether the scope of collection remains proportionate to the objective being pursued and whether existing policies adequately address the use of workplace data as AI training material. What happens to the information after it is collected may prove more important than the monitoring itself. Most employees understand that some level of workplace monitoring already exists. The debate becomes more complicated when the same information is used to train AI systems. Reports suggest concerns about how the information would be used formed part of the employee backlash. Managing Sensitive Information Across Different Jurisdictions One of the concerns reportedly raised by Meta employees was that monitoring could expose passwords, internal product information, and personal data. Companies that collect large amounts of employee activity data also have a responsibility to protect confidential business information and trade secrets. In highly competitive industries, internal communications, development plans, source code, research materials, and strategic discussions are often among a company's most valuable assets. Monitoring systems designed to capture real-world employee activity may create additional risks if sensitive information is inadvertently collected, stored, or incorporated into AI training processes. The challenge becomes even more complex for multinational employers. Monitoring practices that may be permissible in one jurisdiction can trigger far greater compliance obligations elsewhere. In the United States, employers generally have broader flexibility to monitor activity on company-owned systems, subject to applicable federal and state laws. Organisations operating in the United Kingdom and European Union, however, must satisfy stricter requirements relating to transparency, proportionality, and the lawful processing of personal data. The issue is therefore not simply whether information can be collected. Companies must also consider who can access it, how it is secured, how long it is retained, and whether employees have been given sufficient information about how it will be used. As businesses expand their use of AI across multiple jurisdictions, employee monitoring can quickly become a question of governance, data protection, cybersecurity, and regulatory compliance rather than a straightforward workplace policy decision. Employee Data and AI Training Meta's decision to introduce new limits addressed concerns raised by employees about how workplace activity data was being collected and used. The programme drew attention to a broader issue facing companies that use employee information to develop AI systems, particularly when workers may not expect data gathered through routine workplace monitoring to be used for that purpose. Reports suggest that employee concerns went beyond the monitoring itself. Workers reportedly questioned whether information generated during everyday use of company systems could expose passwords, personal information, or sensitive internal material while being used to improve AI tools. Those concerns help explain why the programme attracted such a strong reaction and why similar initiatives may face resistance elsewhere.