There's a pattern I've noticed in the compliance failures that generate the most expensive settlements — and it rarely involves a deliberate decision to violate the law. What it usually involves is a compliance team focused intensely on one set of obligations while inadvertently creating a second, entirely distinct problem they weren't watching.
That's exactly what's happening right now at the intersection of pay transparency compliance, remote work expense reimbursement, and location-based compensation. Organizations are scrambling to get their job postings right, their salary ranges disclosed, and their pay equity analyses completed — all legitimate and necessary. But in doing so, they're building data infrastructure that collects, combines, and transmits sensitive employee information in ways that violate the privacy principles their employees brought to the employment relationship, and that expose them to a different category of regulatory risk entirely.
This edition is about that second problem — the one hiding behind the compliance effort you're already working on.
The Breach Landscape That Should Reset Your Assumptions
Before we get into pay transparency and expense tracking, I want to establish something foundational: the HR and payroll data ecosystem is actively under attack, at scale, and the breaches that result are expensive in ways that go well beyond the settlement check.
In February 2025, DISA Global Solutions — a third-party employment screening provider that handles drug testing and background checks for major employers — disclosed a breach affecting 3.3 million people. The compromised data included names, Social Security numbers, driver's license numbers, government ID numbers, and financial account information. The attack had been running, undetected, from February 9 to April 22, 2024 — more than two months of unauthorized access before the company discovered it.
In 2024, Paychex faced class action litigation after an April data breach exposed workers' names and Social Security numbers, with a month's delay before notification began. The breach occurred when Paychex attempted to exchange information with the State of California and inadvertently permitted unauthorized access — a vendor-to-government data transmission that went wrong in exactly the way contextual integrity predicts: information flowing across a boundary the employee never anticipated, for a purpose tangentially related to their employment but not one they specifically consented to.
And then there's the UKG ransomware attack — which, while 2021 in origin, remains the defining example of payroll system vulnerability. The attack disrupted HR and payroll functions for major corporations and public employers for weeks, exposing employee names, Social Security numbers, birthdates, passport details, and employment authorization data. UKG settled class actions for $6 million, with individual claimants eligible for up to $7,500 for documented fraud or identity theft. The downstream settlements — including a $1.2 million wage and hour settlement from healthcare employers whose payroll was disrupted — added millions more.
The pattern across these incidents is consistent and instructive: employee PII held in HR and payroll systems is high-value, high-density, and poorly protected. IBM's 2024 Cost of a Data Breach Report found that employee PII breaches cost an average of $189 per record, with overall average breach costs reaching $4.88 million. Breaches involving employee PII accounted for 40% of all breached records in 2024. Shadow data — information stored outside secure systems — was a factor in 35% of breaches and made those incidents 16% more expensive to resolve.
I want that picture clearly in view as we discuss what pay transparency compliance and expense tracking are adding to your data collection footprint, because every data point you add is a data point that can be breached.
The Pay Transparency Explosion — And Its Privacy Costs
Pay transparency is no longer a trend. It's the operational reality for any employer hiring from a substantial portion of the United States. As of early 2026, at least 15 jurisdictions have active pay transparency laws: California, Colorado, Connecticut, the District of Columbia, Hawaii, Illinois, Maryland, Massachusetts, Minnesota, Nevada, New Jersey, New York, Rhode Island, Vermont, and Washington. Those laws collectively cover well over half of the U.S. workforce. Oregon added pay notice requirements at hire, effective January 1, 2026. Delaware's law has been signed and takes effect in 2027.
The laws that matter most for multi-state employers are the ones with extra-territorial reach — where compliance is required not based on where your company is headquartered, but based on where the work might be performed or where the employer does business. Illinois requires disclosure for positions that will be performed "partly or wholly in Illinois" or that will report to a supervisor in Illinois — meaning a company with no Illinois office may still have Illinois pay transparency obligations if it has Illinois-based remote employees. New Jersey's law applies to any employer with 10 or more employees that does business in New Jersey — regardless of where positions are physically located.
The enforcement environment has moved from advisory to active. Colorado's enforcement has resulted in fines reaching $10,000 per violation, with the Colorado Division of Labor Standards and Statistics citing employers for omitting salary ranges, providing ranges that were too broad to be meaningful, and failing to include benefits information. New York and California are in active enforcement phases, with California penalties running from $100 to $10,000 per job posting. Massachusetts and New Jersey began active enforcement in 2025 and 2026 respectively, with the Massachusetts Attorney General issuing cure notices before penalties escalated.
All of this is to say: pay transparency compliance is not optional, and organizations that haven't built it into their job posting workflows are carrying active legal exposure. The Jackson Lewis 2026 pay transparency compliance guide notes that violations can result in private class action lawsuits in some jurisdictions, not just regulatory fines, which dramatically changes the risk calculus for employers with large applicant pools.
Now here's the part that the compliance-focused conversation tends to miss entirely.
What Pay Transparency Compliance Is Collecting About Your Employees — And Why That's a Privacy Problem
The moment you build a pay equity program to support your transparency obligations, you create a data collection operation that reaches far beyond compensation amounts. Understanding why requires applying Helen Nissenbaum's contextual integrity framework — and specifically its five principles — to what pay equity analysis actually does.
Principle 1 — Context. Employees exist in an employment relationship context with well-established norms about what information the employer collects and for what purposes. The context of that relationship is the performance of work in exchange for compensation. Pay equity analysis imports a new set of purposes — regulatory compliance, demographic reporting, equity auditing — that employees may not have anticipated when they joined the organization and shared their personal information.
Principle 2 — Actors. In a traditional employment relationship, the actors in compensation decisions are HR, payroll, and direct management. A pay equity program expands that circle to include external consultants conducting equity analyses, state labor agencies receiving pay data reports, third-party software vendors processing payroll analytics, and, in some jurisdictions, job applicants who can access salary ranges that reveal information about existing employees in comparable roles. Each new actor is a recipient that employees didn't contemplate when they disclosed their compensation information.
Principle 3 — Attributes. Here's where it gets genuinely complex. To conduct a meaningful pay equity analysis — the kind that satisfies regulatory scrutiny and actually identifies disparities — you need compensation data combined with demographic information: race, gender, age, and disability status. You also need location data (because of geographic pay differentials), tenure, education level, performance ratings, and job classification. Each of these individually is an attribute that the employee shared in a specific context with a specific purpose. Their combination creates an attribute — a comprehensive demographic-compensation profile — that the employee almost certainly did not contemplate sharing, and that is significantly more sensitive than any of its components.
Principle 4 — Information Type. The sensitivity of combined compensation and demographic data is not a theoretical concern. Several states now require employers to submit detailed EEO pay data reports — California, Massachusetts, and Illinois among them — that aggregate this information for regulatory review. The Massachusetts law requires employers with 100 or more employees to submit EEO-1 equivalent reports annually to the Commonwealth. California's Civil Rights Department receives detailed pay data reports with demographic breakdowns. While these submissions are aggregated, the underlying data that generates them is employee-specific and sensitive.
Principle 5 — Transmission Principles. Employees shared their compensation information with HR under a transmission principle of "employment administration purposes." They did not share it under a transmission principle of "state regulatory disclosure," or "external equity audit," or "job posting for a comparable role that reveals my salary band to the public." When those transmission principles expand — as they have, under the weight of new state law and compliance pressure — the contextual integrity of the original information flow is broken.
None of this means pay equity analysis shouldn't happen. It should, and it's increasingly legally required. What it means is that the data architecture supporting that analysis needs to be built with the same care and intention as any other sensitive employee data program — with clear purpose limitations, minimum necessary collection, access controls, vendor due diligence, and clear communication to employees about how their information is being used.
Three Scenarios Where This Goes Wrong
Scenario One: The Equity Audit That Created Discrimination Evidence
A technology company with employees in eight states hires an external pay equity consulting firm to conduct a comprehensive analysis ahead of Massachusetts's new EEO reporting requirement. The consulting firm is given access to the company's full HRIS system: compensation records, performance ratings, demographic data, job classifications, education history, and disability accommodation status — the last of which was collected in a separate, confidential HR system under ADA requirements.
The contextual integrity violation begins at the data access stage. Disability accommodation status was collected under the ADA's strict confidentiality requirements, which mandate that medical information be kept in separate files with access limited to those with a demonstrated need to know in connection with the accommodation. Its inclusion in the pay equity dataset — even with good intentions — violates the ADA's confidentiality protections. If the equity analysis reveals that employees with accommodations are compensated differently, the resulting report contains evidence of potential discrimination and a record that confidential medical information was accessed outside its permitted context.
When the consulting firm's draft report is shared with the company's board compensation committee, and then eventually becomes part of a litigation hold following an EEOC charge, the disability accommodation data in that dataset is now in the hands of people who had no legitimate access to it under the law that governed its collection. The plaintiffs' attorney now has it in discovery.
What compliance requires: Before providing any external consultant with access to HRIS data, map every data field against the legal basis under which it was collected and the permitted disclosure scope. Disability accommodation status and medical information collected under the ADA never enter a compensation analytics dataset, regardless of purpose. Gender, race, and age can and should be included in equity analyses — but under data use agreements with the consultant that specify the analysis purpose, prohibit secondary use, require data destruction upon completion, and meet applicable state privacy law requirements for data processor agreements. California employers conducting these analyses must ensure compliance with CCPA/CPRA requirements for the third-party sharing of sensitive personal information.
Scenario Two: The Location Verification System That Became a Surveillance Tool
A financial services company with 1,200 remote employees implements location-based pay differentials: employees in San Francisco receive 35% above the national baseline; employees in rural Ohio receive 15% below. To verify where employees are actually working — legitimately, to ensure pay accuracy — the company deploys an IT-based verification system that logs IP addresses, VPN connection locations, and badge access data.
Six months in, someone in HR has a useful idea: the location verification system can also verify whether employees are actually working from home or traveling, which would be useful for the new RTO compliance initiative. A manager then asks whether the location logs could be used to confirm that employees are in the office on their designated days. Before long, the system built to verify payroll location is running continuous geolocation surveillance on employees' work activities.
The FTC considers geolocation "sensitive location data." California's CCPA/CPRA treats precise geolocation as sensitive personal information requiring specific notice and consent. California AB-984 requires that employee monitoring be "strictly necessary" for a legitimate business interest. The IP logging built for pay verification purposes may satisfy the "strictly necessary" standard for that purpose. Its extension to RTO compliance monitoring almost certainly does not, because less invasive alternatives exist — the employee's own attestation, office badge data, and scheduled check-ins.
This is the scope creep pattern that geolocation data creates: a tool built for a limited, disclosed purpose gets repurposed for a broader surveillance function, and the employees who consented to IP logging for payroll accuracy never consented to continuous location monitoring for office attendance tracking. The transmission principle has been violated; the contextual integrity of the data collection has collapsed.
What compliance requires: Location verification for pay purposes needs to be narrowly documented and technically scoped. The system architecture should collect only the minimum data necessary for the compensation verification purpose — not real-time continuous location tracking, but periodic verification sufficient to confirm employee work location. Any new use of that data requires a fresh disclosure and purpose assessment. If California employees are in scope, a legitimate interest assessment under CCPA/CPRA is required for the expanded purpose, and it will need to demonstrate proportionality that a blanket extension to RTO monitoring cannot establish.
Scenario Three: The Expense Reimbursement System as Involuntary Disclosure Engine
This is the scenario that surprises practitioners most when I raise it, and it's worth dwelling on because it operates entirely within what most organizations consider a routine administrative process.
Jennifer is a remote marketing manager working from California. Her company reimburses home internet costs at $75 per month, provides a $200 annual home office supply allowance, and offers a $500 one-time ergonomic equipment benefit. To receive these reimbursements, Jennifer submits monthly documentation that her employer's expense system processes and stores.
What that documentation reveals, in aggregate, is considerably more than it appears. Her internet utility statements show her home address with precision, her internet service provider, and her service tier. Her shipping receipts for office supplies show the same home address plus a timestamp record of her physical location on the delivery date. Her ergonomic equipment purchases — a standing desk and specialized keyboard — may indicate disability accommodations in ways that create a medical information record in a system governed only by expense policy, not by the ADA's strict confidentiality requirements.
Eleven states mandate remote work expense reimbursement, including California, Illinois, Massachusetts, Minnesota, and New York. The reimbursement obligation is real and legally required in those jurisdictions. But the data those reimbursements generate has no parallel legal framework governing its handling — it sits in expense systems that were never designed for sensitive personal information, administered by finance teams without specific privacy training, and accessible to anyone with finance system access, regardless of business need.
The contextual integrity violation here is quiet but significant. Jennifer submitted her internet bill and shipping receipts to claim a reimbursement she's legally entitled to. She didn't submit them to build a location database, to reveal potential disability status, or to establish a record of her home infrastructure. The information flows were supposed to serve one purpose; they're actually serving several, most of which the employee didn't contemplate.
What compliance requires: Expense systems that collect reimbursement documentation from remote employees need to be treated as sensitive data systems, not administrative ones. That means minimum necessary collection — do you actually need the full utility statement, or just a confirmation of the cost? It means controlled access — who in the company has system access to expense data that includes home addresses and disability-adjacent equipment purchases? It means a retention policy — expense documentation shouldn't persist indefinitely when its administrative purpose is complete. And it means a data handling policy that covers what expense data can and can't be used for, outside its reimbursement purpose.
The Vendor Problem at the Center of All of This
I want to connect a thread that runs through each of these scenarios, because I think it's the most practically important structural issue and the one that most organizations haven't fully addressed.
The DISA breach. The Paychex breach. The UKG breach. Three of the most significant HR data breaches of recent years all involved third-party vendors — companies that process sensitive employee information on behalf of employers, that receive data collected under one set of disclosure norms, and that operate their own security posture, which the employing organization may have evaluated once at contract signing and not since.
The 2025 Verizon Data Breach Investigations Report found that exploitation of vulnerabilities has become the initial access vector in 20% of all breaches — a 34% year-over-year increase. Ransomware was involved in 44% of all breaches. These aren't abstract statistics for HR leaders; they describe the exact attack patterns targeting payroll processors, background screening companies, and HR analytics platforms.
The compliance frameworks that apply to this relationship are real and specific. GDPR Article 28 requires written data processing agreements with all third-party processors, specifying instructions, purpose, data type, duration, and mutual responsibilities. CCPA/CPRA requires specific contract language governing service providers' data use, prohibiting secondary use of employee data outside the stated purpose, and establishing employer audit rights. California's 2025 CCPA regulations add cybersecurity audit certification requirements for qualifying businesses, phasing in from 2028.
Most employer-vendor contracts in the HR technology space were not written with these requirements in mind. Many were signed under procurement processes that evaluated cost, functionality, and integration ease — not data processing terms, breach notification timelines, or audit access provisions. The Tractor Supply $1.35 million CCPA enforcement action found that the company's failure to include required CCPA provisions in third-party vendor contracts was one of four distinct violation categories. "The vendor handles that" is not a compliance defense when your employees' Social Security numbers are in a system you contracted for without adequate data governance terms.
The vendor audit that most HR organizations haven't done — and that creates specific compliance exposure under California, Colorado, and emerging state privacy law — is a review of every HR technology vendor against four questions:
Does our contract specify what the vendor can and cannot do with employee data, beyond processing it for the contracted purpose? Does it require the vendor to notify us of a breach within a defined timeframe that allows us to meet our own notification obligations? Does it give us audit rights to review vendor security practices? And have we exercised those rights, or evaluated vendor SOC 2 Type II reports, within the past 12 months?
If the answer to any of those questions is no, you have a contract remediation project and a current vendor risk. Both are manageable before a breach. Neither is manageable after.
Building the Compliant Data Architecture
The organizations that navigate pay transparency compliance, location-based pay, and expense reimbursement without creating privacy liability are the ones that approach these programs as information flow design problems, not just regulatory checkbox exercises. Let me be concrete about what that means.
Purpose limitation is the foundation. Every data element collected in connection with pay equity analysis, location verification, or expense reimbursement should have a documented business or legal purpose that justifies its collection. Data collected for purpose A cannot be used for purpose B without a fresh assessment of whether that use is disclosed, lawful, and proportionate. This isn't bureaucracy — it's the specific principle that GDPR's Article 5(1)(b), CCPA's purpose limitation requirements, and Colorado's AI Act assessment frameworks all operationalize.
Access controls should match data sensitivity. Employee compensation data combined with demographic information is sensitive personal information under any reasonable reading of applicable privacy law. It should be treated with the same access control discipline as health information — which means role-based access, access logging, and periodic access review to confirm that everyone with system access still has a business need for it. The HR administrator who processed a departing employee's final paycheck six months ago probably doesn't need ongoing access to the company's pay equity analytics dataset.
Separate sensitive data categories. ADA-protected medical information and disability accommodation records belong in separate, confidential systems from general compensation data, expense data, and location data. Their combination in analytics platforms creates both a legal violation and a litigation risk that is entirely preventable through system architecture decisions made at implementation rather than remedied after a complaint.
Build retention schedules and enforce them. Expense documentation for reimbursement purposes doesn't need to live forever. Colorado's pay equity law requires employers to maintain compensation records for two years after employment ends. California's CCPA regulations require four years of retention for AI-related employment data. Beyond those legal minimums, data that is no longer serving an active business or legal purpose should be destroyed, because it represents an irreducible breach risk with no offsetting benefit.
Tell employees what's happening. The contextual integrity violations I've described throughout this edition share a common feature: employees were unaware of the information flows occurring with their data. They didn't know their expense receipts were being stored in a system accessible to the finance department. They didn't know their compensation data was being shared with an external consultant's analytics platform. They didn't know their IP address verification system had been repurposed for RTO monitoring. Transparency doesn't prevent all of these problems, but it transforms the legal and ethical landscape: disclosed information flows that employees understand and have the opportunity to respond to are categorically different from undisclosed ones, both in terms of trust and in terms of compliance posture under state privacy law.
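A small Python model of the purpose-limitation, data-separation and retention steps described in this section, applied to the three scenarios above (ADA fields kept out of the equity dataset, pay-verification location data refused for RTO monitoring, expense records aged out). This is an added example, not code from the newsletter or any HR platform; the field names, purpose labels, retention values other than the two-year Colorado figure, and the sample records are constructed assumptions.

```python
from datetime import date, timedelta

# Field catalog: every field is tagged with the context it was collected in and
# the purposes it may flow to. Names and purpose labels are constructed for this
# example; a real catalog is built from the HRIS, expense and IT schemas.
CATALOG = {
    "employee_id":          ("hr_admin",         {"payroll", "pay_equity", "eeo_report", "reimbursement"}),
    "base_salary":          ("payroll",          {"payroll", "pay_equity", "eeo_report"}),
    "gender":               ("eeo",              {"eeo_report", "pay_equity"}),
    "race":                 ("eeo",              {"eeo_report", "pay_equity"}),
    "job_classification":   ("hr_admin",         {"payroll", "pay_equity", "eeo_report"}),
    "work_state":           ("payroll",          {"payroll", "pay_equity"}),
    # Collected under ADA confidentiality: its only permitted flow is the
    # accommodation process itself, so no analytics purpose is listed (scenario one).
    "accommodation_status": ("ada_medical",      {"accommodation"}),
    # Collected to verify pay location; RTO monitoring is deliberately absent (scenario two).
    "vpn_location":         ("pay_verification", {"pay_verification"}),
    # Comes from reimbursement documentation (scenario three).
    "home_address":         ("expense",          {"reimbursement"}),
}

class PurposeViolation(Exception):
    """Raised when a requested field is not permitted to flow to a purpose."""

def check_purpose(purpose, requested_fields):
    """Return the fields that may NOT flow to `purpose`.
    Unknown fields are denied too: an uncatalogued field has no documented basis."""
    return [f for f in requested_fields
            if purpose not in CATALOG.get(f, (None, set()))[1]]

def export_for_purpose(records, purpose, requested_fields):
    """Build a purpose-scoped dataset, refusing (not silently dropping) denied fields.
    Refusing makes scope creep visible instead of letting a request quietly widen."""
    denied = check_purpose(purpose, requested_fields)
    if denied:
        raise PurposeViolation(f"{purpose}: fields not permitted: {sorted(denied)}")
    return [{f: r[f] for f in requested_fields} for r in records]

# Retention keyed by collection context, clock running from the employment end date.
# The two-year payroll figure is the Colorado rule cited in the text; the expense
# and pay-verification values are assumed policy choices.
RETENTION = {
    "payroll":          timedelta(days=2 * 365),
    "expense":          timedelta(days=365),
    "pay_verification": timedelta(days=90),
}

def expired_contexts(separation_iso, today_iso):
    """Contexts whose retention period has run out and whose records should be destroyed."""
    separated, today = date.fromisoformat(separation_iso), date.fromisoformat(today_iso)
    return sorted(ctx for ctx, keep in RETENTION.items() if separated + keep < today)

# Constructed sample records (not real employees).
RECORDS = [
    {"employee_id": "E1", "base_salary": 142000, "gender": "F", "race": "B",
     "job_classification": "mgr_2", "work_state": "CA",
     "accommodation_status": "approved", "vpn_location": "CA", "home_address": "redacted"},
    {"employee_id": "E2", "base_salary": 118000, "gender": "M", "race": "W",
     "job_classification": "mgr_2", "work_state": "OH",
     "accommodation_status": "none", "vpn_location": "OH", "home_address": "redacted"},
]

if __name__ == "__main__":
    # Equity analysis with demographics: permitted, and the ADA field never leaves its system.
    print(export_for_purpose(RECORDS, "pay_equity",
          ["employee_id", "base_salary", "gender", "race", "job_classification", "work_state"]))
    # Same request with the ADA field added: refused outright.
    try:
        export_for_purpose(RECORDS, "pay_equity", ["employee_id", "base_salary", "accommodation_status"])
    except PurposeViolation as exc:
        print(exc)
    # Repurposing pay-verification location data for RTO monitoring: refused.
    print(check_purpose("rto_monitoring", ["vpn_location"]))
    # Retention review for someone who left on 2025-01-01, run on 2025-06-01.
    print(expired_contexts("2025-01-01", "2025-06-01"))
```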
The Integrated Risk Picture
I want to close with something that I think the compliance-by-domain approach obscures. Pay transparency compliance, HR data security, expense tracking privacy, and location verification are not separate issues being managed by separate teams. They are facets of the same underlying challenge: organizations are collecting more sensitive employee data than ever, combining it in more ways than they disclose, transmitting it to more recipients than employees contemplated, and building it all on a vendor ecosystem whose security posture they evaluate inadequately.
The pay transparency enforcement wave — with 15 active state laws and active enforcement in New York, California, Colorado, Illinois, and New Jersey — has accelerated data collection in exactly the areas of highest breach risk and highest privacy sensitivity. The organizations that treat compliance as getting the job posting right but ignore the data governance implications of what the compliance effort requires are building liability in both directions simultaneously: regulatory exposure for inadequate transparency, and privacy exposure from the infrastructure they built to achieve it.
The organizations that will come through this period well are the ones that build pay transparency compliance, expense reimbursement handling, and location verification as integrated privacy programs — with documented purpose limitations, controlled access, vendor due diligence, employee notice, and retention schedules — rather than as separate administrative projects managed by separate teams on separate timelines.
That integration work is harder than posting a salary range. But it's the work that prevents a pay transparency compliance effort from becoming the data breach that funds the next decade of litigation.
If this edition has surfaced questions about your specific pay equity data architecture, your vendor contract posture, your expense system's data handling, or your location verification approach — reply directly. These conversations are considerably more productive before the CPPA investigation notice than after it.
Disclaimer: Remote Work Privacy Insights is a newsletter that looks at privacy issues in the workplace using academic ideas. It's meant to educate and is not legal advice. For advice tailored to your company, talk to a qualified privacy or employment lawyer. The opinions shared are the author's and not those of any employer.