Regulatory Challenges in the Remote Workplace

Grace Buczak

Associate Editor 

Loyola University Chicago School of Law, JD 2027

The expansion of remote and hybrid work has fundamentally transformed the compliance landscape for organizations. Traditional compliance programs, which were designed for centralized offices and direct supervision, are insufficient in environments where employees and compliance officers are distributed across multiple locations. Remote work creates new risks, including data‑security vulnerabilities, misconduct via digital channels, and gaps in reporting and auditing. Illinois law, including the Right to Privacy in the Workplace Act and the Biometric Information Privacy Act, as well as emerging statutory guidance on remote‑work notifications, presents unique requirements and limitations that employers must navigate to maintain effective compliance.

The remote‑work landscape in Illinois

Remote work has become a permanent feature for many Illinois employers, with Chicago being amongst the 12 cities that saw the greatest volume of new hybrid jobs in Q2 2025. With this shift, compliance risks have increased. Employees may engage in misconduct through digital communication such as email, video conferencing, and chat applications. While these concerns may have existed in a traditional office setting, they have been amplified in the work-from-home environment. Confidential data may be accessed through unsecured home networks or personal devices, and timekeeping and reporting become more difficult to verify. Legislative developments in Illinois, such as the requirement to provide electronically‑distributed workplace notices to remote employees, illustrate the evolving regulatory obligations that organizations must address to maintain compliance. These changes highlight the need for compliance programs that account for the dispersed nature of remote work and the unique oversight challenges it creates.

Right to Privacy in the Workplace Act and the Biometric Information Privacy Act (BIPA)

The Right to Privacy in the Workplace Act (the Act) prohibits employers from demanding usernames, passwords, or access to personal online accounts of their employees. The Act permits employer monitoring of company‑owned equipment or network usage but limits access to employees’ personal online accounts. Pending amendments, such as those under SB 0173, which would add new notice requirements to the Right to Privacy in the Workplace Act, would require employers to give employees prior written notice describing the types and, in some versions, the frequency of electronic monitoring. These provisions are highly relevant for remote‑work compliance programs. Monitoring tools must be carefully designed to comply with notice and consent requirements, particularly given the risk of monitoring blended home and work spaces.

In Illinois, BIPA regulates biometric data collection such as fingerprints, facial scans, and voice prints, and imposes significant private‑right‑of‑action liability. Illinois employers that use advanced monitoring tools such as biometric access systems or behavioral analytics must fully comply with BIPA, including obtaining informed consent, maintaining retention and destruction policies, and ensuring the secure handling of biometric information.

Elements of an effective remote‑work compliance program in Illinois

A successful compliance program for remote work in Illinois must integrate several core elements. Policies should articulate the organization’s commitment to compliance, define expected behaviors for remote employees, and outline how misconduct will be reported and investigated. They must explicitly guarantee protection from intimidation or retaliation for employees who report in good faith, the same way they do for in-person work.

Employers should deploy tools suited to the remote‑work environment, such as secure VPNs. In Illinois, the program must ensure that monitoring covers employer‑owned equipment or accounts, not personal accounts, unless proper consent and notice are given, and that any monitoring involving biometric data complies with BIPA.

Training for remote settings should be designed for skills that are newly necessary, such as regular sessions on data security, confidentiality, remote‑work etiquette, harassment in digital forums, and how to use reporting channels. The training should also cover state‑specific guidelines (e.g., monitoring expectations, privacy rights).

Compliance programs must evolve to ensure remote employees can report misconduct and that investigations are adapted to digital contexts (e.g., chat log review, screen share capture, remote interviews). Audit mechanisms should account for remote‑work permutations, like periodic review of device logs, remote access records, and time‑keeping validations. Reporting channels must reassure employees of protection from retaliation, and organizations should integrate compliance analytics to identify risk patterns.

Remote work presents new and complex challenges for compliance programs in Illinois. Employers must adopt a comprehensive approach that integrates policies, technology, training, and reporting mechanisms while remaining within the bounds of state and federal law. By adapting compliance programs to the realities of remote work and addressing state‑specific regulatory requirements, organizations can reduce legal risk, maintain ethical standards, and foster a culture of accountability in distributed workplaces.