Illinois Privacy Laws and Employee Monitoring Software: What Employers Should Know

Employee monitoring is growing alongside remote and hybrid work. These tools benefit businesses in many ways: they help track productivity objectively, decrease security risks, track work time, and more. However, implementing tracking software requires careful preparation. One of the key considerations is employee privacy and compliance with applicable regulations. These regulations are not universal: they vary not only from country to country but also from state to state within a country. Today, we will explore the regulations Illinois employers must keep in mind and how to monitor without violating employee rights.
Disclaimer: This article provides general information only and should not be treated as legal advice.
Important Nuances of Illinois Legislation Regarding Employee Monitoring
Like other US states, Illinois complies with federal laws and has its own regulations regarding privacy. Although they are general rather than employee-monitoring-specific, businesses must still interpret them for their tracking practices and comply.
On the federal level, there is the Electronic Communications Privacy Act (ECPA). It protects the privacy of wire, oral, and electronic communications while they are being made, in transit, and when stored. When we interpret it for employee monitoring, we can say that employers are prohibited from intentionally intercepting or monitoring employees' communications without authorization.
There are two major exceptions here:
- Companies can monitor their employees in the ordinary course of business and for legitimate business reasons, such as productivity control or protection of valuable assets.
- Employers can monitor communications if the employees give their consent. It is often done through special policies or employee handbooks.
Under the ECPA, employers can also track communications on company-owned devices and networks, where employees generally have a reduced expectation of privacy.
But can employees expect privacy in the workplace at all? Yes. The employee does not shed all privacy rights upon entering the office or logging onto a company network. For example, employees' privacy is still protected in certain areas, such as restrooms and locker rooms, because employees retain a reasonable expectation of privacy there.
In addition to ECPA, Illinois has introduced its own privacy-related regulations that employers must comply with: the Right to Privacy in the Workplace Act (IRPWA), the Illinois Eavesdropping Act (Wiretap Act), and the Biometric Information Privacy Act (BIPA).
The Right to Privacy in the Workplace Act and its amendments are the main legal frameworks regulating how employers can monitor employees. Here are the key points of this regulation:
- Employers must inform employees in writing about any form of electronic monitoring. The notice must be given upon hiring or before monitoring begins.
- Companies can monitor employees without notice only when they believe the employee is engaged in unlawful activity, and monitoring may yield evidence of such activity.
- Employers cannot ask employees or candidates to provide usernames, passwords, or other account information for personal online accounts.
- Employers cannot make employees accept friend or follow requests or demand access to private social media content. However, they may view public posts or obtain information that is already publicly available.
- The IRPWA protects employees from lifestyle discrimination. They have the right to engage in lawful activities outside work, for example, using alcohol or tobacco, and employers cannot refuse to hire, terminate, or discipline them for such activities.
According to the Illinois Eavesdropping Act, it is illegal to record private conversations without the consent of all parties. Secretly recording them in the workplace can be a felony offense.
The BIPA is one of the strictest privacy laws in the U.S. Under it, employers must obtain employees' written consent before collecting or using their biometric data, for example, facial scans or fingerprints. This data cannot be sold or disclosed. Employers must have a policy on biometric data retention and destruction which should be publicly available.
Summing it up, the recurring theme of Illinois legislation is explicit consent and notice.
How to Comply and Not Violate Employee Rights
Finding a balance between business needs and employee rights may seem hard but is absolutely possible if you follow the principles of ethics and legal compliance.
Developing a monitoring policy
The first step is creating a monitoring policy. This policy should describe the tracking methods you use, the scope of collected data, its retention period, and who has access to data. But that is not all. Since many regulations protect private activities and conversations, it is worth outlining which activities in the workplace are considered private. The same applies to social media, as it may not always be clear when the employee uses an account as an individual or as a company representative.
Every employee should read and accept this policy upon hiring or before the monitoring begins. Besides, this policy should be readily available to the staff at any time.
Obtaining employee consent for monitoring
Before you begin monitoring any activity, you should obtain written consent from employees. You can do it on paper or electronically.
Additionally, you can post conspicuous notices about monitoring around the office.
Respect boundaries
Do not monitor areas where employees have a reasonable expectation of privacy, and do not monitor their personal devices and accounts.
Limit monitoring to business purposes
Track only the activities that are directly related to business purposes. For example, if you are trying to eliminate lateness and track work hours more accurately, additionally tracking browser history (just because you can) may be excessive.
Avoid unnecessary or overly intrusive surveillance, and regularly review monitoring practices to ensure they are still necessary and proportionate.
Secure the collected data
Ensure the data you collect is stored securely and can be accessed only by authorized personnel. Develop clear data retention and destruction policies. For accountability, use audit trails and document all monitoring activities.
Train employees on privacy
Training helps ensure employees understand their privacy rights, the boundaries of lawful monitoring, the policies in effect at the company, and acceptable workplace conduct.
Monitor and audit compliance
Establish internal systems to track compliance and respond promptly to violations or concerns. Regularly review your monitoring policies and conduct privacy impact assessments, especially when applicable privacy regulations change.
Consult legal experts
Laws are constantly evolving, so make it a habit to consult employment law attorneys regularly about the changes. This way, you will stay up to date and confident that your monitoring practices comply.
Conclusion
Looking for a balance between business interests and upholding employee privacy rights may seem daunting, but finding it is totally achievable. Proactive compliance, underscored by transparency, is not merely a legal checkbox; it is the foundation for avoiding potential legal challenges, fostering a culture of trust, and ultimately, building a more secure and productive work environment.