ProctorU faces a proposed class action that claims the company’s online test-proctoring software unlawfully collects and stores students’ biometric information.
The 25-page case claims ProctorU has violated the Illinois Biometric Information Privacy Act by collecting students’ eye movements, facial expressions and keystroke biometrics without first providing the individuals with sufficiently specific data retention and destruction policies. The defendant has also failed to properly safeguard proposed class members’ biometric identifiers from unauthorized disclosure, as ProctorU experienced in July 2020 a data breach that exposed the records of nearly 500,000 students who used the software to take online exams, the lawsuit alleges.
The lawsuit avers that the BIPA confers on those who’ve used the ProctorU software a right to know of the risks associated with the collection of their biometric information, a right to have their biometrics stored “using a reasonable standard of care” and a right to know how long such risks will continue after they’ve stop using the defendant’s technology.
ProctorU is software that monitors students’ online exams through “[m]ultiple face recognition, eye movement tracking, [and] auditory analysis,” the case explains. Students who use ProctorU while taking an exam are asked to share on camera their photo ID for facial recognition purposes and perform a biometric keystroke measurement for some exams, the suit says. The company’s facial recognition software can detect “suspicious behavior,” e.g., if a student looks down at their lap to look up an answer on their phone, and report such instances as possible cheating, according to the suit.
Per the case, the Illinois legislature enacted the BIPA in 2008 in recognition of the fact that the use of biometric identifiers, such as face geometry and fingerprints, exposes consumers to “serious and irreversible privacy risks” given the information cannot be changed or replaced if compromised. One of the requirements of the BIPA is that an entity in possession of consumers’ biometric information must develop a publicly available, written policy establishing a retention schedule and guidelines for the permanent destruction of the data when the purpose for collecting the information has been satisfied or within three years of the consumers’ last interaction with the entity, whichever occurs first.
The lawsuit claims ProctorU has violated the BIPA by failing to both specify the length of time for which it retains individuals’ biometric information and publish a deletion schedule for such. Because no retention policy has been provided, “the only reasonable conclusion,” the case says, is that the defendant will retain students’ biometrics beyond the time limit established by law.
The case goes on to claim that ProctorU has further violated the BIPA by failing to store, transmit and protect from disclosure students’ biometric information “using the reasonable standard of care” within its industry and in a manner that is the same as or more protective than the manner in which the company stores other confidential information. Per the lawsuit, ProctorU was subject to a data breach in July 2020 that exposed the records of nearly 500,000 students. The case adds that some of the records involved in the breach date back to 2012, further evidencing that ProctorU has, according to the complaint, no time limit on how long it retains biometric information.
The lawsuit claims ProctorU has committed violations of the BIPA since at least June 2019 through the present.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.