COVID-19 accelerated digital transformations across every industry. From the growth of e-commerce and food delivery services to virtual workspaces and online learning, a seismic shift towards digitalizing our day-to-day activities has become the new normal.
One industry that proliferated across the country during the era of online learning has been online testing and proctoring services. Such online testing provides flexibility to academic institutions in administering exams; however, the collection of biometric data through online testing platforms potentially opens the doors to a litany of privacy concerns.
As recent litigation stemming from the Illinois Biometric Information Privacy Act (BIPA) suggests, providers of online testing services, as well as institutions adopting these services, must evaluate how such privacy laws may be implicated by the collection of biometric data through these platforms.
Enacted in 2008, BIPA is the pioneering biometrics law in the United States. The Act protects public welfare, security and safety by regulating the retention, collection, disclosure and destruction of biometric information. Biometric information includes various identifiers such as retina or iris scans, fingerprints, voiceprints, and the scan of hand or face geometry. In enacting BIPA, the Illinois legislature recognized that biometrics “are unlike other identifiers” in that they are biologically unique to each person and, once compromised, there is no recourse.
BIPA requires companies who use biometric information to have a publicly available written policy that establishes a retention schedule and guidelines for the permanent destruction of biometric identifiers. Any collection of biometric data requires advance notice of such collection and, importantly, an individual’s consent to such collection. Most notably, BIPA establishes a private right of action for violations of BIPA.
In a recent suit currently pending before the U.S. District Court for the Northern District of Illinois, a proposed class of students has brought a claim against an online testing company for its collection of biometric data. The students claim that the testing company left students in the dark, collecting students’ biometric data without first obtaining their informed consent and failed to disclose the extent of data to be collected, in violation of BIPA.
Online testing companies are not the only ones potentially at risk of litigation claims, as universities could also be named as defendants in such suits. Pending class action lawsuits brought against Northwestern University and DePaul University allege similar claims for unlawfully collecting and using students’ biometric data without the students’ written and informed consent based on the universities’ use of third-party online testing vendors.
The collection of biometric information will only continue to grow as technological advancements commercialize its use in order to identify, authenticate and track people in academic settings. In order to adapt to evolving technology that makes use of biometric data, such as fingerprint sensors, retina scanning and voice recognition, companies will need to continue to monitor the legal and legislative landscapes, as well as the collection and use of such data within the company and by the company’s vendors. Failure to do so by the online testing industry may leave the door open for a new wave of class action litigation from consumers challenging the collection of biometric data.