What the bossware study means for your small business

June 11, 2026 · 6 min

On 29 May 2026 a team of researchers from Northeastern, Vanderbilt, UC Berkeley and Columbia pulled apart nine of the most common workplace-monitoring platforms, the kind sold to managers as a way to keep an eye on staff, and found something the brochures never mention. The software was not just watching workers. It was talking about them. The study documented 121 separate instances in which these tools sent worker-identifying data out to third parties, names attached, to Facebook, Google, Microsoft and the ad network AppLovin, while logging employee online activity across 145 different third-party domains.

Read that again, because it is the part most coverage skipped. The tracking did not stay between the boss and the worker. It went to a constellation of companies that the worker never agreed to, never saw, and could not name if you asked. A cleaner clocking in for a morning shift, a technician filling in a job report, an office worker opening a spreadsheet, and somewhere in the background the monitoring tool is quietly handing their identity to an advertising network. The researchers called it what it is, a data pipeline running out the back of software you bought to manage your own team.

So zoom out, because if you run a small firm with people in the field this is not an abstract privacy debate; it is your problem now. You did not sign up to be a data broker. You bought monitoring software to answer a simple question: was my crew where they said they were? Instead you inherited a liability you cannot see and cannot switch off. Under UK GDPR you are the controller, which means when that data walks out the door to a third party, it walks out under your name, your legal basis, your accountability. The ICO has been clear that excessive collection and undocumented monitoring decisions are exactly what draws enforcement, and “the vendor was doing it, not me” has never been a defence anyone wants to test.

If you could prove your crew clocked in on site without a single byte of their data going to an ad network, would you still call it surveillance?


The word “monitoring” is losing the room

Here is the wider shift the study sits inside, and it matters more than any single leak. The whole category sold under the banner of “monitoring” or “employee surveillance” is haemorrhaging trust, and not only with regulators. The same body of 2026 research on surveilled workforces reports that 42% of monitored employees are considering leaving their job within the year, and 56% say the watching itself is a source of stress. Those are the study’s figures, not ours, and they describe a straightforward bit of human behaviour: treat capable adults like suspects and a good share of them will quietly start looking for the door. In a labour market where you already cannot find electricians, scaffolders or reliable cleaners, that is a cost you absolutely cannot afford to manufacture yourself.

And the maddening part is that almost nobody actually wanted continuous surveillance in the first place. The keylogger, the random screenshots, the idle-time tracker, the live screen feed, that machinery exists to answer a question that was never that complicated. You wanted to know that the shift happened. That the person was on the right site at the right hour, that the eight hours on the invoice matched the eight hours on the ground. To get that one honest answer, the bossware vendors sold you an entire apparatus of distrust, and then, as it turns out, sold the contents of that apparatus to Mountain View and Menlo Park on the side.


Proof of work is not surveillance

There is a clean word sitting right next to the dirty one, and it is worth claiming before the marketing departments get to it. Proof of work. Not a feed of everything a person does all day, just a record of the thing that actually matters, that a shift started here, at this moment, and ended there, at that one. It is the difference between following someone home and asking them to sign in at the gate. One is a continuous stream you have to defend to a regulator, store, secure and eventually explain. The other is a single timestamped fact, taken once, that answers the only question you ever had.

That distinction is also the one the ICO and ACAS keep circling back to in their guidance: proportionality. Collect what the job genuinely requires, declare it plainly to the people it concerns, keep it no longer than you need, and you stay on the right side of the line. Hoover up keystrokes and screen captures and movement logs you cannot justify, and a Data Protection Impact Assessment stops being box-ticking and starts being the document that explains, in writing, why you were never allowed to do it. A clock-in tied to a place and a moment passes that test without breaking a sweat. A surveillance suite that ships identities to AppLovin does not, and now there is a peer-reviewed paper that says so out loud.

So the alternative is not a lighter, friendlier bossware. It is a different thing built on a different idea, an automatic record, geo-stamped, taken at the moment of clocking in, that cannot be lost in a forgotten paper folder and cannot be quietly edited after the fact. No continuous tracking through the day. No keylogger. No screenshots. No live screen. Just proof of place and proof of moment, generated once, owned by you, going nowhere near an advertising network. That is the architecture GeoTapp TimeTracker is built on, and it is the opposite of the nine tools the researchers took apart, by design rather than by apology.

So here is the question worth leaving you with. If the only thing you ever actually needed was proof that the shift happened, why are so many firms still paying for a machine that watches everything else, and now leaks it too? Tell me in the comments where your own line sits, because most owners discover they drew it years ago and the software simply ignored it.

Swap the surveillance apparatus for a single honest record your team can actually live with. You can have the proof without the spying, and you can see exactly how in a few minutes.

