Skip to Content
Workplace Law Partners Workplace Law Partners
Call Us Today! 312-818-2407
Top
Employment Law Class Course Materials

Class 6: Workplace Privacy

Topics Overview:

  • Employee Privacy Rights: This class examines the balance between an employer’s need to monitor and regulate the workplace and employees’ expectation of privacy. Key areas include electronic communications monitoring (email, internet usage, phone calls), video surveillance, searches of personal belongings or workspaces, drug and alcohol testing, and emerging tech like GPS tracking and biometric scans.
  • Legal Framework: There is no single comprehensive privacy law for private employment at the federal level, but various laws touch on aspects: the Electronic Communications Privacy Act (ECPA) restricts interception of electronic communications. We discuss how courts have generally allowed employers to monitor work email and internet on company devices/networks – employees have a limited expectation of privacy there. However, if an employer goes into an employee’s personal email account or phone without authorization, that could violate ECPA or the Computer Fraud and Abuse Act.
  • Illinois Law on Privacy: Illinois has some specific protections: the Illinois Right to Privacy in the Workplace Act (mentioned earlier) which protects off-duty lawful activities (e.g., employer can’t fire someone for smoking or drinking off-duty, with some exceptions). Social Media Password Law: Illinois (like many states) bars employers from demanding employees’ social media passwords or forcing them to show private social media content. This is a newer privacy protection.
  • Biometric Privacy: We delve deeper into the Biometric Information Privacy Act (BIPA) – Illinois’s landmark law requiring consent and safeguards for collection of biometrics (fingerprints, facial recognition). BIPA allows employees to sue if, for example, their employer uses a fingerprint time clock without the required notice/consent and retention policy. This is a strong Illinois-specific privacy right with statutory damages per violation, which has driven many class actions.
  • Workplace Searches: The law distinguishes between public-sector employees (who have 4th Amendment rights against unreasonable searches by the government employer) and private-sector (no constitutional protection against private employer searches). We discuss common law tort of intrusion upon seclusion – an employee might claim this if an employer, say, searches their personal locked desk or purse without permission. But if it’s company property (desk, locker) and there’s notice that it can be inspected, the expectation of privacy is reduced. Many employers have policies reserving a right to search. Illinois common law would ask: was there a reasonable expectation of privacy and was the search highly offensive? For example, secret video surveillance in a restroom would clearly violate privacy.
  • Medical and Genetic Privacy: The Americans with Disabilities Act (ADA) and Illinois Human Rights Act restrict employer inquiries into medical conditions and require that medical information (from exams or self-disclosure) be kept confidential. Also, the federal GINA (Genetic Information Nondiscrimination Act) and an Illinois counterpart prohibit employers from asking for or using genetic info. We cover that employers should be careful with health data (especially after COVID, handling of employee health screenings and vaccination info raised privacy questions). Illinois specifically protects the privacy of employee’s personal social media and also has made it illegal to discriminate based on genetic info or to even gather it.
  • NLRB and Privacy: NLRA protects some employee communications (like discussing pay on Facebook could be protected concerted activity – the NLRB has decided cases where firing over Facebook complaints about boss was illegal because it was group activity about work conditions). So even if no privacy expectation, firing for that content could violate labor law.

Drafting Assignment: Draft a workplace privacy section of a handbook for an employer. 

Required Readings:

  • Casebook chapter on Workplace Privacy: 
  • Right to Privacy in Workplace Act: 820 ILCS 55 – relevant sections: can’t fire for use of lawful products off premises during non-work time (with exceptions for non-profits and safety-sensitive jobs). This was extended to cannabis in 2020 amendment (Cannabis Regulation and Tax Act made cannabis a lawful product). 
  • Prohibited inquiries & Discrimination for use of lawful products prohibited
  • Illinois Constitution Privacy Section 
  • McDonald v. Symphony (Ill. Sup Ct)

Hypothetical Questions & Model Responses:

Hypothetical: A company suspects an employee is leaking confidential info. Without telling him, IT accesses the employee’s company email account and personal Gmail account (which was left logged in on his work computer) and reviews his emails. They find evidence he sent secrets to a competitor using Gmail. From a privacy standpoint, was it legal for the company to search those emails?

Model Response: The company was likely within its rights to search the company email account, but accessing the employee’s personal Gmail account without consent is very problematic. For the company email (@company.com), employees typically have no reasonable expectation of privacy on work accounts, especially if company policy says emails are monitored or company property. Employers can review communications on their systems in the ordinary course of business. The federal ECPA has an exception that likely covers this: the emails are stored on company servers or accessed with company authorization. So digging through his company Outlook, for example, is generally lawful. However, logging into his personal Gmail (even if he inadvertently left it open on the work computer) steps into personal territory. Unless the company had a very clear policy that any activity on work devices is subject to monitoring (some policies do say any personal accounts accessed via company network/device can be monitored), this could violate federal law (ECPA) or the Stored Communications Act. Courts have held that employers cannot access an employee’s personal email stored on a third-party server without authorization. The fact he left it logged in doesn’t necessarily equal consent for the employer to read private messages. It’s akin to finding someone’s unlocked phone – it’s accessible, but not necessarily legal to snoop. If the employer clicked into his Gmail intentionally, they likely exceeded their authorization. The SCA prohibits unauthorized access to communications in electronic storage – here the personal emails on Google’s server might qualify. There are cases where employers were found liable for reading personal webmail accessed on work computers (unless the employee saved it locally, etc.). 

Real-World Example:

Social Media and Privacy: A Georgia teacher was forced to resign after photos of her holding a drink at a party surfaced on Facebook. This sparked debate on whether employers overreach into private life. In Illinois, while no specific law protected her, it underscores the concept that what you post online, even privately, can find its way to your employer. Illinois’ social media privacy law would prevent an employer from demanding your login, but if a coworker or someone showed the employer your post, it’s fair game. Many have learned the hard way that privacy settings aren’t foolproof – a rant on Facebook about your boss seen by a coworker can be reported and you could be fired (unless it’s concerted/protected under NLRA). So the line between private life and work is thin when it comes to social media. Illinois law gives some cushion (the employer can’t directly snoop your account), but ultimately the content can still leak.

Federal vs. Illinois Law:

Federal law provides a baseline for certain privacy aspects (like electronic monitoring via ECPA, anti-discrimination laws indirectly protect some privacy like ADA medical info confidentiality). Illinois often goes further – e.g., BIPA is state-specific; no federal biometric law for private sector. The NLRA (federal) intersects by protecting some off-duty speech if work-related and concerted. The Fourth Amendment (federal) is only for public employers, irrelevant to private. Federal OSHA doesn’t have privacy rules, but during COVID some OSHA guidance touched on not revealing names of infected employees (to encourage reporting). That said, overall privacy rights come from state tort law and statutes like those Illinois has for social media, lawful products, and biometrics. Illinois also has a constitutional right of privacy (in its state constitution) but courts haven’t applied that to private employment – it’s mostly for government action.

One interesting federal piece: the Americans with Disabilities Act (ADA) – it limits when an employer can require medical exams or ask health questions (only job-related and consistent with business necessity, or after a conditional offer for pre-employment). It also requires keeping medical info separate. That’s a privacy protection at the federal level for medical information of employees. So if a boss broadcasts an employee’s medical condition, that could violate ADA confidentiality. Illinois law via IHRA aligns with that too.

Federal law (ERISA) has HIPAA provisions that protect health information but mainly for health plans, not general workplace. So if an employer is self-insured, HIPAA may restrict HR from sharing health plan info about employees. But personal sick notes outside the health plan might not be HIPAA-protected.
In summary, Illinois gives employees more privacy rights than federal law in areas like biometrics and off-duty conduct, whereas federal law is more silent or employer-friendly (aside from ADA and a few niche laws). Employers operating in Illinois must heed those state-specific rules.

Impacts on Employers and Employees:

  • For Employers: Establish clear privacy and monitoring policies. Let employees know: computers, internet, work emails, and company phones are subject to monitoring and not private. This notice not only deters misuse but also provides legal protection by defeating privacy expectations. Before implementing surveillance (cameras, GPS in company vehicles, keystroke logging), consider the necessity and whether to inform staff. While hidden cameras are lawful in common areas, a culture of trust might favor transparency (and it avoids morale issues when inevitably “discovered”). Absolutely avoid surveillance in restrooms, locker rooms, or undressing areas – that’s a litigation nightmare (invasion of privacy and even criminal). If searching an employee’s office or desk, have a policy that those are company property and can be searched; ideally have the employee present or at least two managers do it to avoid claims of personal item rummaging. For drug testing, apply it consistently (random truly random, or based on reasonable suspicion documented). With Illinois’ cannabis legalization, update drug policies to define impairment and consider removing automatic termination for off-duty cannabis use (some employers now only test for cause or for safety roles). Always keep medical info confidential as required by ADA – e.g., if an employee gives HR a doctor’s note, don’t share the diagnosis with the manager, only necessary work restrictions. Under BIPA, if using biometrics (fingerprint, face ID), get the written consent and follow the law’s notice and retention schedule; if not, consider using badges or PIN codes instead to avoid BIPA exposure. Social media: don’t ask for passwords or non-public info – that’s illegal in IL. If you see concerning public posts, consult HR or legal before acting, especially if it might be about work conditions (to not violate NLRA). And train managers not to overshare employee personal info: e.g., if someone is out for depression, manager should just say “out on leave” not broadcast the medical details. Respect off-duty boundaries when feasible – unless it affects work, many employers take a “what they do on their own time is their business” approach (subject to exceptions like reputational harm or illegal conduct).
  • For Employees: Be aware that when you’re at work or using work resources, your privacy is limited. Assume that your internet use and emails on work accounts are visible to your employer. Many a worker has been caught by an inappropriate email or website at work. Use personal devices/networks for truly private communications – but even then, don’t do it on company time if it violates policy (like browsing social media at length). Know that your employer can search your workspace – so don’t keep highly personal items there (or if you do, maybe in a sealed, marked “Personal” envelope – though not foolproof legally, might discourage snooping). If your employer implements new monitoring or asks for something like a biometric scan, you can ask what it’s used for and how it’s stored – you have a right under BIPA to be informed and to consent. If you’re uncomfortable, you can voice that, but refusing could risk discipline if it’s a condition of work (except maybe you could request an accommodation if related to a disability or religion, in rare cases). For drug tests, know your employer likely can test – if you use substances, be mindful that a random test could happen. With cannabis legal in IL, you might assume it’s okay off-duty, but a positive THC test could still jeopardize your job since many employers treat any positive as impairment (because current tests can’t precisely measure current impairment). It’s a tricky area – some progressive employers have stopped testing for marijuana for non-safety jobs, but policy varies. As for social media, lock down your privacy settings, but even so, only post what you’d be okay with your boss seeing – because it happens. Don’t friend managers unless you’re comfortable with them seeing your content. Illinois law ensures your boss can’t force into your account, but a coworker could screenshot something and pass it on. So use discretion. Also, if your employer has a policy against, say, making disparaging remarks about the company online, that can be enforced (aside from protected labor speech). Employees should also know they have rights: if an employer truly violates privacy – like installs a camera in a restroom or reads your personal texts without permission – you should consult a lawyer; you might have a claim. And if you believe you were fired for off-duty lawful conduct (like you have proof it was solely because you smoke or because of political bumper sticker), Illinois’s laws might help – file a complaint with the Illinois Department of Labor in such cases. But those scenarios are rarer; generally, caution and common sense are the best protection of your privacy.
Continue Reading Read Less