Students Sue Online Exam Proctoring Service ProctorU for Biometrics Violations Following Data Breach

Online exam proctoring companies like ProctorU “have seen a significant uptick in light of the COVID-19 pandemic, which has caused institutions to move exams online. This has led to significant privacy implications for students”; specifically, three students filed a class-action complaint on Friday in the Central District of Illinois against ProctorU for alleged biometric violations, particularly after a data breach.

According to the complaint, ProctorU “develops, owns, and operates an eponymous online proctoring software service that collects biometric information,” in violation of the Illinois Biometric Information Privacy Act (BIPA). The plaintiffs claimed that ProctorU engaged in illegal actions by “collecting, storing and using” the plaintiffs’ and putative class’s biometric identifiers and biometric information (collectively referred to as biometrics). In particular, the plaintiffs alleged that ProctorU “failed to provide the requisite data retention and destruction policies, and failed to properly ‘store, transmit, and protect from disclosure’ these biometrics in direct violation of BIPA.”

The plaintiffs, who used ProctorU, asserted that while they were using the defendant’s software, “ProctorU collected their biometrics, including eye movements and facial expressions (i.e., face geometry) and keystroke biometrics.” According to the complaint, “(o)ne of the ways in which ProctorU monitors students is by collecting and monitoring their facial geometry.” The plaintiffs noted that ProctorU’s privacy policy states, “[w]e require you to share your photo ID on camera and we use that ID in conjunction with biometric facial recognition software to authenticate your identity. We also require you to perform a biometric keystroke measurement for some exams.” Moreover, the plaintiffs asserted that in order to capture their biometrics, ProctorU “requires students to take a photo as ‘baseline’ for their appearance before students begin an exam.” Allegedly, the defendant’s facial recognition software allows it to “check for ‘suspicious behavior.’” The plaintiffs also noted that ProctorU “uses biometrics to create an identity profile for students and to confirm students’ identities during testing so as to prevent cheating.”

The plaintiffs contended that because ProctorU “did not take the proper steps to safeguard Plaintiffs’ biometrics, Defendant was subject to a data breach.” The plaintiffs argued that although ProctorU claims that it “‘use[s] commercially reasonable technical, organizational, and administrative measures to protect our Services against unauthorized or unlawful access or processing and against accidental loss, theft, disclosure, copying, modification, destruction, or damage,’ ProctorU was subject to a data breach in July 2020 that exposed the records of almost 500,000 students.” Thus, the plaintiffs contended from at least June 2019 to the present, ProctorU has “failed to ‘store, transmit, and protect from disclosure all’ biometrics in its possession using a ‘reasonable standard of care.’” Furthermore, according to the plaintiffs, ProctorU does not specify a time limit for how long it retains biometrics or provide information on its biometrics destruction policies, as required by BIPA. Instead, its Privacy Policy states “‘We retain information for as long as necessary to perform the Services described in this Policy, as long as necessary to perform any contract with you or your institution, or as long as needed to comply with our legal obligations,’” and it also does not have a section regarding the deletion of biometrics. The plaintiffs added that the data breach “concerned records that dated back to 2012.” Therefore, the plaintiffs argued that “ProcturU is retaining records beyond when the initial purpose for collecting or obtaining such data has been satisfied.” Consequently, the plaintiffs argued that their rights under BIPA have been violated as a result of ProctorU’s conduct.

According to the complaint, the plaintiffs were taking exams online such as the Test of English as a Foreign Language (TOEFL), Graduate Record Examination (GRE), Law School Admission Test (LSAT) or online exams with University of Illinois at Urbana-Champaign (UIC).

The putative class consists of: “all Illinois residents who used ProctorU to take an exam online and ( ) who had their facial geometry collect, captured, received, or otherwise obtained and/stored by Defendant.” The plaintiffs also seek to represent a TOEFL subclass, UIC subclass, GRE subclass, and LSAT subclass, each with a different Class Period.

The plaintiffs seek certification of the classes and for the plaintiffs and their counsel to represent the classes; declaratory judgment in their favor; an award for damages; prejudgment interest; restitution and other monetary relief; an award for costs and fees; and other relief.

The plaintiffs are represented by Wolf Haldenstein Adler Freeman & Herz LLC and Bursor & Fisher P.A.