Jan 24 2022

How to Protect Against Biometrics-Related Class-Action Lawsuits

Colleges and universities are facing backlash over biometric data collection. Learn how your institution can ensure compliant operations.

The use of biometric technology is growing, in part because of its usefulness in enhancing both physical security and cybersecurity. Within higher education, many are already using biometrics for exam proctoring.

Despite the technology’s advantages, some states are changing how they regulate the use of biometrics. Additionally, a growing number of colleges and universities are facing lawsuits due to their implementation of biometrics. Several plaintiffs have filed class-action lawsuits against these institutions for the way they collect biometric information during online proctoring.

In Illinois, for example, some universities are under scrutiny for collecting facial images, keystroke patterns, eye movements, and video and audio recordings through online proctoring software to prevent students from cheating during exams. Lawsuits claim biometric data collection and retention methods violate the Illinois Biometric Information Privacy Act of 2008 (BIPA), which requires companies and institutions to first obtain explicit consent from users.

EXPLORE: Ask these questions when evaluating cybersecurity assessments.

What Biometric Regulations Exist in the U.S.?

BIPA was the first biometric regulation enacted in the U.S. and is perhaps the most notable. The law emphasizes the user’s consent before an institution attempts to collect, use or store biometric data.

In addition to BIPA, regulatory laws have been passed in Texas, Washington, California, New York and Arkansas:

  • Similar to BIPA, Texas’s biometric legislation (Tex. Bus. & Com. Code §503.001) does not permit “capture [of] biometric identifiers” without prior consent. Additionally, consent is required to sell the collected data.
  • Washington’s regulatory law (Wash. Rev. Code Ann. §19.375.020), passed in 2017, requires consent to enter biometric data “in a database for a commercial purpose.” Should this be violated, the attorney general has the right to take legal action.
  • The California Consumer Privacy Act considers biometric data as “personal information” and regulates it as such. The key is how the CCPA defines it: “physiological, biological or behavioral characteristics, including … DNA[,] that can be used … to establish individual identity,” which includes everything from retinas to keystrokes.
  • New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act was amended to include biometric information as private information. The law defines biometric information to include “fingerprints, voiceprints, retina or iris images, or other unique physical characteristics.”
  • Like New York, Arkansas amended its existing breach-response law (Arkansas Code §4-110-103(7)) to include biometric data under personal information. The law protects several physical characteristics including “fingerprints; faceprint; retinal or iris scans” and many more.

Click the banner below for exclusive content about security measures as they relate to higher ed.

Biometrics Best Practices for Colleges and Universities

With many biometric regulations already in place and more likely to come, how do institutions remain in good standing? Here are five best practices that can help colleges and universities comply with existing and emerging regulatory requirements:

1. Ensure consent for collection, use and storage: First and foremost, consent is crucial to compliance. Specifically, institutions should gain written consent prior to the collection, use and storage of biometric data. The institution must also explain why and for how long it will collect, use and store the data.

2. Understand the definitions: Most states have similar definitions for biometric data; however, each state is unique. Institutions should have a clear understanding of how its state defines biometric data and what specifically is protected under the law.

LEARN MORE: How colleges and universities can reduce their vulnerability to cyberattacks.

3. Prohibit others from profiting illegally: Selling user data is common these days, and biometrics is not excluded from this practice. However, some regulations, like BIPA, prohibit private entities from “selling, leasing, trading, or otherwise profiting from an individual’s biometric data.”

4. Don’t exceed appropriate retention: If an institution plans on retaining the biometric data it collects, it needs to outline, publish and follow a retention schedule. Part of an institution’s internal compliance is following through with the destruction of biometric data. Once data has been collected and used for its intended purpose, it must be destroyed in accordance with both the institution’s policy and with the state’s regulations.

5. Apply a reasonable standard of care: Finally, institutions must treat biometric data with a standard of care. It’s important to incorporate biometrics into an institution’s data compliance program. This encourages continuous awareness of “security threats and breach prevention.”

A proactive approach to compliance that emphasizes prevention is the best way to ensure your institution is upholding the law and taking appropriate care of students’ biometric data.

BlackJack3D/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT