Oracle is requiring its U.S. employees and contractors to submit their face to a biometric authentication system as a condition of accessing their own workspaces, according to multiple Oracle staff members. The program, called Identity Assurance, will become mandatory in July 2026 through a phased rollout covering their U.S. workforce. Oracle declined to comment when we reached out to them.

We've seen the internal email and the enrollment screen, and what Oracle puts in front of its workers when they log in is a checkbox asking them to consent to something they have no meaningful power to refuse.

Mandatory “Consent”

The Identity Assurance enrollment screen presents employees with a terms-and-conditions box and a single checkbox: “I consent to Oracle’s use of my facial biometric data to periodically validate my identity.”

Beneath it, a button reads: “Agree and continue.”

Beneath that: “Skip enrollment.”

The skip option exists for now. As of July, it won’t. The internal email sent to U.S. staff under the organisation of Clay Magouyrk, Oracle’s co-CEO states: “Enrollment will become mandatory through a phased rollout, beginning in July through the end of the year.”

This is what is known as coerced consent. Oracle has constructed a system in which workers tick a box affirming their voluntary agreement to something that may cost them their jobs if they refuse. Oracle are offering the concept of consent, without presenting the opportunity in reality.

What employees are actually agreeing to

The program has two components. First, employees must submit a government-issued identity document: a passport, driver’s license, or state ID.

After the ID is validated, employees are enrolled in facial biometrics via a live camera scan. That biometric template is then used for “periodic checks” during Oracle’s single sign-on process, meaning Oracle is not simply verifying identity at login. It is conducting ongoing surveillance of who is accessing its systems, and when.

The enrollment screen directs employees to Mitek’s biometric data policy for more information. That policy is the same company’s, and the same data practices, that a federal appeals court refused to help shield from a class action lawsuit.

The litigation chasing Oracle’s chosen company

Oracle did not build Identity Assurance alone. The identity verification layer, the part that scans your government ID and matches your face to it, is handled by a third-party vendor Oracle selected for the purpose. That vendor is Mitek, a San Diego-based identity verification company. It is worth knowing something about them.

Mitek has faced a federal class action over exactly the kind of biometric data collection it is now being asked to perform for Oracle. In December 2021, an Illinois man named Joshua Johnson sued the company under the Illinois Biometric Information Privacy Act, BIPA, after Mitek scanned his selfie and driver’s licence as part of an identity verification process for a car rental platform called HyreCar.

Johnson alleged that Mitek had created a biometric template of his facial geometry without obtaining his informed consent, and without providing the notifications BIPA requires. Oracle has since solved for that problem by making consent mandatory.

Mitek tried twice to force the case into arbitration, failing both times. A U.S. District Court rejected the first attempt. The Seventh Circuit Court of Appeals, in a ruling by Circuit Judge Frank Easterbrook, rejected the second.

The court found there was no basis to conclude Johnson had ever agreed to arbitrate with Mitek at all. The case, which was remanded to state court following the Seventh Circuit ruling, remains unresolved. Oracle has since contracted Mitek to handle the biometric data of its entire U.S. workforce.

Exemptions reveal Oracle’s legal anxiety

The enrollment screen includes a link: “Learn if you qualify for an exemption.”

Oracle has not said publicly what qualifies someone for one. What we know, from sources with knowledge of the rollout, is that employees based in Colorado and Texas are exempt. The reason has not been communicated internally.

Both states have biometric privacy protections. Texas enacted the Capture or Use of Biometric Identifier Act, CUBI, in 2009, one of the earliest such laws in the country.

Colorado amended its Privacy Act in July 2025 to require explicit employer consent before collecting employee biometric data. An exemption carved out for those two states, and apparently not for Illinois, the state with the most plaintiff-friendly biometric privacy law in the nation and the one under which Mitek is already being sued, is a decision that is sure to interest lawyers.

Illinois is the state with the strongest laws on biometrics. Its biometric privacy law, BIPA, lets any resident sue a company directly for collecting their biometric data without proper consent, no proof of harm required. It is the law that cost Facebook $650 million, TikTok $92 million, and Google $100 million. Oracle has significant Illinois-based staff, has not exempted them, and has chosen a vendor already facing a BIPA suit.

No union to step in

Oracle’s U.S. workforce is not unionised. There is no collective mechanism to push back, no shop steward to file a grievance, no bargaining unit to negotiate over the terms of biometric data collection.

What there is, according to sources with direct knowledge of the workforce's response, is fear. No one is planning to protest or refuse. According to our sources, people are quietly looking for other jobs, but some don't feel safe enough to act on it.

There was no grace period for employee feedback before this was announced. Oracle, per sources, treated the optional window as the feedback mechanism. Employees were informed of a decision already made and given time to comply before compliance became compulsory.

According to the same sources, this new biometric login applies to contractors as well as direct employees. The scope of the program is the full U.S.-based workforce, with the exemptions mentioned earlier.

Oracle declines comment

We sent Oracle a list of questions about the program, including its legal basis, the scope of the rollout, the selection of Mitek, data retention practices, the criteria for exemptions, and its obligations under state and federal biometric privacy law.

Oracle public relations replied within hours. The response was four words: “Oracle declines comment.”

They did not deny a single fact, and crucially, did not outline the scope of the program. We were specifically interested in whether this extends beyond the U.S. border. For employees in the EU, GDPR would present a significant legal obstacle to mandatory biometric collection. Oracle declined to address it.

What this is

The people inside Oracle’s U.S. workforce have no union, no recourse, and no real choice. By July, handing over their face will be the price of keeping their job. Their biometric data will sit with a vendor that has already been sued for mishandling exactly this kind of information, contracted by one of the most powerful technology companies on earth, which had eight chances to explain itself and took none of them.

Oracle sells its cloud infrastructure to governments, hospitals, and banks. It now also surveils the faces of everyone who works for it. The employees who told us about this did so at personal risk.

Crust News contacted Oracle on June 9, 2026, with a deadline of 18:00 Eastern Time on June 11. Oracle responded within hours, and declined comment. Sources for this story spoke on condition of anonymity due to fear of professional retaliation.