Duane Morris Takeaway: In an important ruling for higher education entities, Judge Robert Gettleman of the U.S. District Court for the Northern District of Illinois recently dismissed a student’s proposed class action alleging that Defendant’s remote test-proctoring software violated the Illinois Biometric Information Privacy Act (“BIPA”). The Court determined that Defendant DePaul University qualified as a financial institution exempt from the statute. Powell v. DePaul University, No. 21-C-3001, 2022 U.S. Dist. LEXIS 201296 (N.D. Ill. Nov. 4, 2022). Employers in the higher education space who are confronted with biometric privacy class actions can tuck this ruling away for potential use at the pleading stage.
Plaintiff alleged that Defendant’s use of the Respondus Monitor, an online remote proctoring tool, violated the BIPA by capturing, using, and storing students’ facial recognition and other biometric identifiers and biometric information. Plaintiff specifically asserted that Defendant did not “disclose or obtain written consent before collecting, capturing, storing, or disseminating user’s biometric data, and failed to disclose what it does with that biometric data after collection, in violation of BIPA’s retention and destruction requirements. Id. at *2.
Defendant moved to dismiss the action pursuant to Rule 12(b)(6) for failure to state a claim. It argued that the BIPA’s express terms specify that it does not apply to financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”). Id. Defendant contended that since it was a participant in the U.S. Department of Education’s Federal Student Aid Program, it is considered a financial institution subject to Title V of the GLBA. Defendant contended that both the Federal Trade Commission (“FTC”) and the Department of Education (“DOE”) have recognized that universities are considered financial institutions under the GLBA. Defendant also asserted that Title V rulemaking authority lies with the Consumer Financial Protection Bureau (“CFPB”), which adopted and republished the privacy rules originally promulgated by the FTC. The FTC rules state that any institution “significantly engaged in financial activities” is a financial institution. Id. at *5.
Plaintiff argued that Defendant was not a financial institution, but rather was in the business of higher education. Thus, Plaintiff contended that Defendant was not subject to Title V, and therefore subject to the BIPA.
The Court’s Decision
The Court granted Defendant’s motion to dismiss. First, the Court noted that at least five other district courts have ruled on the same issue and rejected Plaintiff’s argument, and have determined that the BIPA’s section 25(c) exemption for financial institutions applies to institutions of higher education. Id.
In support of its conclusion, the Court found that the guidance provided by the CFPB included examples demonstrating the word “significantly” means something less than “primary.” Id. at *8. Accordingly, the Court rejected Plaintiff’s argument that the exemption should not apply was because Defendant was not primarily in the financial business. Id.
The Court further explained that the DOE provided issued public guidance in 2020 reiterating that the GLBA required financial institutions to have information privacy protections, and that the FTC “has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA.” Id. at *4-5.
Additionally, the Court opined that the FTC’s rule, made in 2000 when it had enforcement and rulemaking authority under the GLBA, also considered universities to be financial institutions if they “appear to be significantly engaged in lending funds to consumers.” Id. at *6. The Court reasoned that the consistent interpretation of the statute by multiple entities was particularly persuasive in finding that the claims should be dismissed. For these reasons, the Court granted Defendant’s motion to dismiss Plaintiff’s claims with prejudice.
Implications For Employers
In the BIPA class action landscape, federal and state courts in Illinois have rejected many potential affirmative defenses that employers have used to try and stave off these massive cases. However, even though the exemption is somewhat narrow, higher education institutions now have a blueprint to attack BIPA class actions at the pleading stage. Finally, to the extent states beyond Illinois enact similar privacy statutes, this ruling may be of use to higher education institutions in those states that are confronted with class actions.