DePaul University can be considered a financial institution and is therefore exempt from complying with Illinois’ Biometric Privacy Act, a federal district court ruled, in dismissing a student’s putative class-action litigation.
Cody Powell, a student at DePaul, a private Catholic university in Chicago, sued the university, stating its use of the Respondus Monitor online procuring tool, which is administered by Redmond, Washington-based Respondus Inc., violated BIPA by capturing, using and storing student’s facial recognition and other biometric identifiers without disclosing or obtaining written consent, according to Friday’s ruling by the U.S. District Court in Chicago in Cody Powell v. DePaul University.
The BIPA legislation specifies that it does not apply to Title V of the Gramm-Leach Billey Act, which regulates how financial institutions treat nonpublic personal information about consumers.
The Federal Trade Commission, which has enforcement and rulemaking authority under the GLBA, has indicated it “considered colleges and universities to be financial institutions where ‘such institutions appear to be significantly engaged in lending funds to consumers,’” the ruling said.
The ruling noted that at least five courts have concluded that the BIPA exclusion for financial institutions “applies to institutions of higher education that are significantly engaged in financial activities such as making or administering student loans.”
Attorneys in the case did not respond to requests for comment
Observers say last month’s first jury verdict in a case involving BIPA will increase the flood of cases filed under the 2008 law.