Banking on an Exemption: Do Universities Qualify as Financial Institutions Exempt from the Illinois Biometric Information Privacy Act?

Is a university a financial institution governed by the Gramm-Leach Bliley-Act (“GLBA”), or are they subject to the Illinois Biometric Information Privacy Act (“BIPA”) and its heightened protections for individuals’ biometric data? This question has animated a series of BIPA cases in Illinois courts over the years, and has spawned disagreement as to whether universities can benefit from the law’s GLBA exemption in Section 25(c). BIPA’s severe penalties and private right of action make the exception a desired avenue for avoiding BIPA liability for both universities and their service providers.

Most of these cases have followed closely on the heels of the switch to remote learning during the COVID-19 pandemic. The background of these cases typically unfolds as follows: a university or college hires a third-party test proctoring software vendor (a “biometric processing vendor”) to help administer remote exams to its students. That vendor, in the course of verifying students’ identities, collects biometric data from students but allegedly provides inadequate notice and affirmation of informed consent. This leads to a purported violation of the students’ rights under BIPA. Student-plaintiffs then bring class action litigation against their universities, seeking monetary damages.

Are universities exempt from BIPA under Section 25(c)?

Recent cases have addressed whether universities that engage in making and administering student loans are financial institutions. This has been a question of great importance to universities that find themselves within the jurisdiction of Illinois courts. Federal courts in Illinois have taken two main approaches to this question:

  1. Universities that engage in making and administering student loans are financial institutions and are categorically exempt from BIPA’s requirements under Section 25(c)

This result follows the ruling in Doe v. Northwestern University that the plain language of BIPA makes it clear that the GLBA exemption applies to any “financial institution,” not just entities that are more traditionally thought of as financial institutions, such as banks. The recent district court decision in Powell v. DePaul University supports the categorization of colleges and universities as BIPA-exempt financial institutions. The Powell court dismissed the suit entirely upon finding that DePaul University was a financial institution because it “engages in student aid and lending funds,” including direct lending and participation in federal student aid programs, and is therefore exempt under Section 25(c).

  1. Universities that engage in making and administering student loans may be financial institutions, depending on a factual analysis of their loan-related activity

Under this regime, universities bear the burden of sufficiently demonstrating that they are financial institutions to succeed on a motion to dismiss based on the BIPA Section 25(c) exemption. See Patterson v. Respondus, Inc. The Patterson court reviewed recent holdings in Doe v. Elmhurst Univ. and Doe v. Northwestern University, which both categorized universities as financial institutions exempt from BIPA. Patterson stopped short of entirely repudiating these earlier cases, but clearly disagreed regarding the exemption, stating, “the proper construction of section 25(c) may warrant further analysis in the future. The scope of this exemption could have significant effects on the overall reach of BIPA.” Some courts have also ruled that, because universities’ status as a financial institution is a factual question requiring a showing of evidence, it should not be resolved at the motion to dismiss stage. See Fee v. Illinois Institute Of Technology; see also Harvey v. Resurrection University.

The conflicting opinions between federal courts in Illinois may be partially explained by a footnote discussion in Fee v. Illinois Institute of Technology which highlights that the FTC amended its privacy rule implementing the provisions of the GLBA to “correspond to the reduced scope of the rule due to Dodd-Frank Act changes … remov[ing] the language concerning institutions of higher education.”

Importantly, policy and legislative intent arguments have not been persuasive to the courts. Specifically, arguments that BIPA should govern as a matter of policy where the text of the statute indicates otherwise have failed. Courts remind plaintiffs that the Section 25(c) exemption does not allow financial institutions to escape regulation entirely, because such institutions would still be subject to GLBA’s data protection scheme.

Does the Section 25(c) exemption extend to biometric processing vendors?

While recent court decisions concluded that universities may avoid BIPA regulation as GLBA financial institutions, there is no clear ruling as to whether third party vendors that process biometric data on those institutions’ behalf may still face liability in spite of the exemption granted to the vendors’ customers.

This is in part because, in the majority of recent cases where a university faced litigation for BIPA violations, plaintiffs did not name the vendor as a defendant. As a result, courts did not reach the question of whether the vendor could also benefit from the GLBA exemption. This pattern holds true in this year’s class action litigations against Bradley University, Illinois Institute of Technology and Northwestern University.

As an exception to that trend, vendor Respondus was named alongside Lewis University in Patterson v. Respondus for its role in processing biometric data on behalf of the institution. However, the March 2022 decision denying Lewis University’s motion to dismiss ruled that Lewis failed to show that it was a financial institution exempt under Section 25(c). Accordingly, the decision was silent as to whether Respondus would be able to benefit from the GLBA exemption applied to its customer.

Illinois caselaw demonstrates that the specific set of circumstances for courts to reach the question of vendor liability is complex, and illustrates why the issue remains an open legal question despite years of intense BIPA class action litigation. The circumstances are as follows:

  1. The entity collecting biometric data for its own purposes and its vendor are both sued for BIPA violations.
  2. The court does not dismiss claims against the entity before reaching the Section 25(c) exemption question.
  3. The court finds the entity to be exempt from BIPA as a financial institution governed by GLBA.
  4. The court does not dismiss the entity’s vendor on other grounds including jurisdiction, failure to state a claim, etc.

The mixed signals coming from Illinois courts combined with the factual and procedural hurdles needed to determine if the financial institution exemption applies to vendors means that there may be significant legal uncertainty and risk for vendors for some time to come. Biometric service providers should be aware that, while there is a trend toward classifying certain universities as BIPA-exempt financial institutions, there is still risk related to collecting data on behalf of such entities. Vendors can protect themselves by ensuring that either they or their customers comply with BIPA’s notice, consent, and retention requirements.

With respect to institutions of higher learning, despite some courts concluding that universities are financial institutions, or at least could be financial institutions depending on the facts, the rapid development of privacy law in general and BIPA caselaw in particular means that universities need to protect themselves by developing clear, consistently applied BIPA compliant policies for collecting their own students’ biometric data, and for ensuring the compliance of the third-party vendors with which they work. Even if the risk of losing the type of BIPA case discussed here were lower, the risk of costly litigation and reputational harm is too high to justify having anything other than an up-to-date and strictly enforced biometric data collection and retention policy.