This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.
Why This Matters
If you are building or buying a proctored-assessment product, the privacy and legal exposure is not a compliance footnote you can bolt on later — it is a design input that decides what you are allowed to collect, store, and act on. This article is the engineering-grade map of that exposure: what data proctoring actually creates, exactly which laws it triggers and why, how long you may keep what, and what you must write down before you ship. It is written for the product manager, L&D director, or founder who has to scope a proctored assessment and answer a security questionnaire — not for a lawyer, though a privacy lawyer should recognize every rule named here. The companion overview of proctoring approaches and their privacy trade-offs sets up the choices; this article is the deep dive on the law and the data, and on the controls that keep both defensible.
First, You Became a Data Controller
Start with the shift most teams miss. When a learner sits a proctored exam, your system does not merely "use a webcam." It manufactures a stack of sensitive data: a video recording of a private home, an audio recording of a household, a capture of a personal screen, a log of keystrokes and tab switches, and — for automated tools — a faceprint, a mathematical measurement of facial geometry used to recognize a person. The plain term for the role you have just taken on, under European law, is data controller: the party that decides why and how personal data is processed. Your proctoring vendor is usually the processor, acting on your instructions. The controller carries the legal duties. Outsourcing the software does not outsource the responsibility.
That distinction is the spine of this whole article. You can buy the cameras-and-algorithms part of proctoring; you cannot buy your way out of being the controller. The consent you collect, the retention period you set, the impact assessment you file, and the promise that a human reviews every flag are yours to own, whoever wrote the code.
Two pieces of vocabulary recur, so anchor them now. Biometric data is a measurement of the body — a faceprint, a voiceprint, a fingerprint — used to identify someone; it is the most protected class of personal data in almost every regime. Special category data is the GDPR's name for the most sensitive tier, which biometric data joins the moment it is used to uniquely identify a person. Keep those two terms in view; nearly every rule below turns on them.
Figure 1. One block of proctoring data triggers four overlapping regimes at once. Which ones apply depends on where your test-takers sit, not where your company is — a single exam can be governed by all four.
The United States: a Biometric Patchwork With Teeth
The United States has no single federal privacy law for this. Instead you face a patchwork, and the sharpest piece is in Illinois.
Illinois BIPA: the law with a private right of action
The Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), passed in 2008, is the most consequential biometric law in the country for one reason: it lets ordinary people sue. Most privacy laws can only be enforced by a regulator; BIPA gives the individual a private right of action, which is why it has produced years of class actions and large settlements.
BIPA imposes four concrete duties on anyone who collects a faceprint or other biometric identifier. First, you must obtain informed, written consent before collection (section 15(b)). Second, you must publish a written retention schedule and destruction guidelines, and destroy the data when the purpose is satisfied or within three years of the person's last interaction, whichever comes first (section 15(a)). Third, you may not sell or profit from the data (section 15(c)). Fourth, you need separate consent before disclosing it to anyone else (section 15(d)). Statutory damages run to $1,000 for each negligent violation and $5,000 for each reckless or intentional one, plus attorneys' fees.
For years the open question was what "each violation" meant. In Cothron v. White Castle (2023) the Illinois Supreme Court held that a new violation occurred on every scan — a reading that turned routine systems into nine-figure exposure. The legislature answered in 2024 with Senate Bill 2979, signed on 2 August 2024, which limits a person to a single recovery under 15(b) or 15(d) when the same biometric is collected repeatedly by the same method, and explicitly allows electronic consent rather than ink-on-paper. The Seventh Circuit has since applied the amendment retroactively. The amendment lowers the ceiling; it does not remove the duties.
A worked example makes the exposure concrete. Suppose you proctor 10,000 Illinois test-takers, each scanned at the start of every exam, and you never obtained written consent — a straightforward 15(b) failure.
Per-scan reading (pre-SB 2979, Cothron):
10,000 people × (say) 5 exams each × $1,000 = 50,000,000 → $50M exposure
Single-recovery reading (post-SB 2979):
10,000 people × $1,000 (one violation each) = 10,000,000 → $10M exposure
The 2024 amendment cut a hypothetical $50M to $10M — still a company-ending number for a consent step that costs nothing to implement correctly. The lesson is not "the risk shrank." It is that the cheap, boring control — a real consent checkbox and a written retention policy — is what stands between you and an eight-figure claim.
Beyond Illinois: Texas, Washington, and the sensitive-data wave
Two other states have dedicated biometric statutes. Texas's Capture or Use of Biometric Identifier Act (CUBI) requires informed consent and limits retention, but — unlike BIPA — has no private right of action; only the Texas Attorney General enforces it, with civil penalties up to $25,000 per violation. Washington's 2017 biometric law requires notice and consent before enrolling a biometric identifier for a commercial purpose.
The faster-moving front is the wave of comprehensive state privacy laws. As of 2026, the roughly twenty states with comprehensive consumer-privacy statutes — California, Colorado, Virginia, Connecticut, and the rest — all classify biometric data as sensitive data that generally requires opt-in consent before processing. Colorado went further: an amendment effective July 2025 requires any entity collecting biometric identifiers of Colorado residents to maintain a written policy with a specific retention schedule and security controls. Texas's Responsible Artificial Intelligence Governance Act (TRAIGA, HB 149), effective 1 January 2026, layers AI-specific rules on top. The practical takeaway: the floor is rising everywhere, and "we only operate outside Illinois" is no longer a safe harbor.
Common mistake: assuming biometric law is your vendor's problem. If your test-takers include even one Illinois resident and your tool computes a faceprint, BIPA applies to you as the entity that collected it through the vendor. The institution and the platform are routinely named alongside the proctoring company. Read your data-processing agreement for who indemnifies whom — and never assume the answer is "them."
The European Union and the UK: GDPR for Proctoring Video
For test-takers in the EU or UK, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) governs, and proctoring runs straight into its strictest provisions.
Special-category data and the consent trap
Under Article 9, biometric data processed for the purpose of uniquely identifying a person is special-category data, which you may not process unless one of a short list of conditions is met. For commercial proctoring, the realistic condition is the test-taker's explicit consent. Here is the trap: GDPR consent must be freely given (Article 7), and a regulator can find that a student forced to accept proctoring or fail the exam was not free to refuse. That makes consent a fragile legal basis for proctoring — which is why European institutions are repeatedly told to offer a genuine alternative (an in-person sitting, a non-proctored format) and to minimize what they capture.
There is a subtle, important nuance many teams get wrong: not every proctoring system processes biometric data in the Article 9 sense. If the software only flags behavior — "face not centered," "second voice heard" — without building and matching a biometric template to identify the individual, a court may find it is processing ordinary personal data, not special-category biometric data. That exact argument arose on appeal in the Bocconi case below. The distinction is an engineering one: template comparison for identification is what crosses the biometric line. Knowing where your tool sits on that line changes which rules bind you.
The duties that follow: DPIA, DPA, minimization, retention
Three obligations follow almost automatically. A Data Protection Impact Assessment (DPIA, Article 35) is mandatory before you start, because large-scale processing of special-category data is a textbook high-risk activity; the DPIA documents the necessity, the risks, and the mitigations. A data-processing agreement (DPA, Article 28) with your proctoring vendor is required in writing, fixing what the processor may and may not do. And Article 5 sets the principles that shape the whole design: lawfulness and transparency, data minimization (collect only what the purpose needs), and storage limitation (keep it only as long as needed).
Two more articles bite specifically. Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects — failing an exam qualifies — which is the GDPR's own reason a human must review every flag. And Articles 44–46 govern sending data outside the EU; if your proctoring vendor stores recordings in the United States, you need a valid transfer mechanism, a requirement that became acute after the Schrems II ruling struck down the old Privacy Shield in 2020.
Figure 2. The compliant data lifecycle. Consent gates the capture, minimization shrinks what enters storage, and a retention clock forces deletion — BIPA section 15(a) and GDPR storage limitation both make the final "destroy" box a legal duty, not a nicety.
The Regulators Have Already Ruled: the Bocconi Case
The clearest signal of how European law applies to proctoring is a real decision. In September 2021 the Italian data-protection authority (the Garante) fined Milan's Bocconi University €200,000 for its use of Respondus Monitor and LockDown Browser during pandemic-era online exams. The Garante found the university had processed students' data — including, in its view, biometric data — without an adequate legal basis or proper transparency, and had unlawfully transferred data to the United States. It cited violations across GDPR Articles 5, 6, 9, 13, 25, 35, 44, and 46 — essentially the whole compliance stack this article describes.
The case has a second act that every engineer should note. On appeal, the Court of Milan substantially reduced the fine to €10,000, reasoning that the software's flagging of "suspicious" moments did not amount to processing biometric data, because it did not perform a biometric-template comparison to identify individuals. Whatever the final number, the lesson stands twice over: regulators will enforce against proctoring that skips consent, transparency, a DPIA, and a lawful transfer mechanism — and the precise line between "biometric" and "ordinary" data turns on whether you build and match a face template. Design on the safe side of that line and document it.
The Home and the Student Record: FERPA and the Fourth Amendment
Two more US rules round out the picture. The Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g; 34 CFR Part 99) governs how a US educational institution may disclose education records — and a proctoring recording tied to an identified student is one. To share that record with a proctoring vendor, the vendor generally has to fit the "school official" exception: under the institution's direct control, used only for the stated purpose, and barred from re-using the data. Your DPA has to encode that.
Separately, in Ogletree v. Cleveland State University (N.D. Ohio, 2022), a federal court held that a room scan — making a student pan the camera around their bedroom before an exam — was an unreasonable search under the Fourth Amendment. The ruling binds public institutions and is fact-specific, but it put the routine "show me your room" step on notice: the home carries the highest expectation of privacy, and scanning it is not a free action.
The EU AI Act: Exam Monitoring Is Now "High-Risk"
A newer layer sits on top of privacy law. The EU AI Act (Regulation (EU) 2024/1689) regulates AI by risk tier, and it names proctoring explicitly. Annex III, point 3(d) classifies as high-risk any AI system "intended to be used for monitoring and detecting prohibited behaviour of students during tests" — that is automated proctoring, word for word.
High-risk status is not a ban; it is a set of build-time duties owed mainly by the provider of the system, with deployer duties for the institution. They include a risk-management system (Article 9), data governance to fight bias (Article 10), technical documentation (Article 11), automatic logging so decisions can be reconstructed (Articles 12 and 19), transparency to the deployer (Article 13), human oversight by design (Article 14), and accuracy and robustness testing (Article 15). If you build proctoring AI in-house, these become your obligations directly — another strong argument for buying the capability from a specialist who carries the provider burden.
On timing, the picture shifted in 2026 and you should know the current state. The Act's high-risk obligations for Annex III systems were originally due to apply from 2 August 2026. A political agreement reached on 7 May 2026 — part of the EU's "Digital Omnibus" simplification package — moved the application date for standalone high-risk systems to 2 December 2027. That deferral takes legal effect only once the amendment is published in the Official Journal; until then the original date technically stands, so treat 2027 as the working target but do not pause your compliance work on it. One part did not move: the AI Act's outright prohibition on emotion-recognition AI in education (Article 5) has applied since 2 February 2025. Any proctoring feature marketed as "stress detection," "emotion analysis," or inferring a mental state from a face is not merely risky in the EU — it is banned.
Figure 3. The moving legal timeline. GDPR and BIPA are long-standing; the EU AI Act's emotion-inference ban is already in force, and its high-risk obligations for exam monitoring now target December 2027 after the May 2026 Digital Omnibus agreement.
Bias Is a Legal Exposure, Not Only an Ethics Problem
Fairness belongs in a legal article because unfair proctoring creates legal risk. Automated proctoring relies on face detection and recognition, and independent research — most prominently the 2022 USENIX Security study "Watching the Watchers" — has documented that these systems perform unequally across skin tones and can be trivially bypassed by a prepared cheater. A tool that fails to detect darker-skinned faces, repeatedly tells those test-takers to "fix their lighting," or flags neurodivergent and disabled learners for normal behavior is not just unethical; it can breach the EU AI Act's data-governance and accuracy duties, US disability law (the Americans with Disabilities Act) where it disadvantages disabled test-takers, and anti-discrimination principles generally. Where proctoring must not disadvantage a disabled learner, the accessibility obligations of the rest of your platform — see WCAG 2.1 AA for educational video — pull directly against blunt surveillance. The mitigation is the same one the law keeps pointing to: a human reviews every flag with context, and a flag never auto-fails anyone.
What You Must Actually Write Down and Build
Compliance here is concrete, and most of it is documentation plus a few design choices. Before the first exam runs, a defensible proctoring deployment has these pieces in place. The downloadable companion below turns them into a one-page gate.
You need a lawful basis stated explicitly — and, in the EU, a genuine non-proctored alternative so consent can be freely given. You need a DPIA on file (GDPR Article 35) and a signed DPA with the vendor (Article 28) that names the school-official/processor limits, the sub-processors, and the transfer mechanism for any US storage. You need a published retention schedule with automatic deletion — BIPA section 15(a) and GDPR storage limitation both require it — and the destruction actually wired up, not aspirational. You need informed consent captured and logged (electronic is fine post-SB 2979). You need data minimization in the capture itself: the shortest recording, the fewest signals, no room scan unless truly necessary, and never emotion inference. And you need a human-in-the-loop review with a documented appeal, both because GDPR Article 22 restricts solely-automated significant decisions and because the AI Act mandates human oversight for high-risk systems.
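The lifecycle in Figure 2 and the checklist above, reduced to three small controls in Python (an added example, not Fora Soft's code or any vendor's): a consent gate in front of biometric capture, a retention clock that applies BIPA 15(a)'s "whichever comes first" rule, and a result path in which an unreviewed flag can only ever produce "pending review". Class and field names are illustrative, and what counts as the purpose being satisfied (grade final, appeal window closed) is an assumption each deployment has to define for itself.

```python
"""Lifecycle controls for a proctoring result path (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# BIPA 15(a): destroy when the purpose is satisfied or within three years of
# the person's last interaction, whichever comes first.
BIPA_OUTER_LIMIT = timedelta(days=3 * 365)


@dataclass
class Consent:
    subject_id: str
    signed_on: date
    notice_version: str          # the disclosure text the person actually saw
    electronic: bool = True      # electronic consent is valid post-SB 2979


@dataclass
class Artifact:
    subject_id: str
    kind: str                    # "video", "audio", "screen", "faceprint"
    last_interaction: date
    purpose_satisfied_on: Optional[date] = None  # assumed: grade final + appeal closed
    destroyed: bool = False


class ConsentMissing(Exception):
    """Raised when biometric capture is attempted without a logged consent."""


def authorize_capture(subject_id: str, kind: str, consents: dict) -> bool:
    """Consent gates capture: a faceprint is never computed without a record."""
    if kind == "faceprint" and subject_id not in consents:
        raise ConsentMissing(subject_id)
    return True


def destruction_deadline(a: Artifact) -> date:
    """Earlier of the purpose-satisfied date and the three-year outer clock."""
    outer = a.last_interaction + BIPA_OUTER_LIMIT
    if a.purpose_satisfied_on is None:
        return outer
    return min(a.purpose_satisfied_on, outer)


def due_for_destruction(artifacts: list, today: date) -> list:
    """Retention clock: every undestroyed artifact whose deadline has passed."""
    return [a for a in artifacts
            if not a.destroyed and destruction_deadline(a) <= today]


@dataclass
class Flag:
    reason: str                          # e.g. "second voice heard"
    reviewer_id: Optional[str] = None    # None until a human has looked at it
    decision: Optional[str] = None       # None, "dismiss" or "uphold"


def exam_outcome(passed_score: bool, flags: list) -> str:
    """A flag never auto-fails anyone: only a reviewer's upheld decision can."""
    # Any flag without a named reviewer and a decision blocks a final verdict.
    if any(f.reviewer_id is None or f.decision is None for f in flags):
        return "pending_review"
    if any(f.decision == "uphold" for f in flags):
        return "fail_integrity"
    return "pass" if passed_score else "fail_score"
```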
Figure 4. A compliance flow that holds up. Start with whether proctoring is justified at all; if it is, gate it behind a freely-given consent, a DPIA, strict minimization, and a human who reviews every flag and hears every appeal.
Build vs Buy: What You Can and Cannot Outsource
Lead with the trade-off. You should almost always buy the proctoring engine — the computer vision, the live-proctor workforce, and the provider-side AI Act burden are years of specialist work no learning product should rebuild. But the compliance core is not outsourceable, because you are the controller. What you must own is the policy and the data flow: the lawful basis and consent UX, the DPIA, the retention schedule and its automatic deletion, the DPA terms and transfer mechanism, the human-review-and-appeal process, and the integration that returns a result through LTI 1.3 without leaving orphaned biometric recordings behind. Buy the camera; own the contract, the clock, and the human. The full annotated blueprint for the surrounding subsystem is the proctoring and assessment reference design.
Where Fora Soft Fits In
Fora Soft builds video, real-time, and assessment features for regulated products across e-learning, telemedicine, and other verticals where what you record and how you store it carries legal weight. In proctoring, the value we add is rarely the camera — it is the engineering judgment to integrate a specialist proctoring vendor cleanly, to design the data flow so biometric and recording data is minimized, encrypted, retention-limited, and automatically destroyed on schedule, and to wire a human-review-and-appeal step into the result path so a flag never becomes an automatic verdict. We help teams turn the legal map above into build decisions: where the biometric line sits for a given tool, what the DPIA and DPA must say, and how to keep the integrity goal without inheriting an eight-figure privacy liability.
What to Read Next
- Online proctoring: approaches, trade-offs, and privacy — the overview of live, record-and-review, and automated proctoring this article deep-dives.
- Identity verification for assessments — proving who is taking the test, and its own accuracy and privacy trade-offs.
- Proctoring and assessment reference design — the annotated blueprint for the whole proctored-assessment subsystem.
Call to action
- Talk to an e-learning engineer — book a 30-minute scoping call to talk through your proctoring privacy plan.
- See our case studies — 250+ shipped projects across video streaming, WebRTC, OTT, telemedicine, e-learning, surveillance, and AR/VR.
- Download the Proctoring Data & Privacy Compliance Checklist — A one-page gate to run before deploying proctoring: confirm a stated lawful basis and a freely-given consent with an alternative, file the DPIA and sign the vendor DPA, set and automate a retention-and-destruction schedule, minimize….
References
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14 — sections 15(a)–(d), private right of action and statutory damages. Illinois General Assembly. Tier 1. https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004
- Illinois Senate Bill 2979 (2024 BIPA amendment) — single-recovery limitation and electronic consent; signed 2 August 2024. Illinois General Assembly. Tier 1. https://www.ilga.gov/legislation/billstatus.asp?DocNum=2979&GAID=17&GA=103&DocTypeID=SB&SessionID=112
- General Data Protection Regulation (GDPR), Article 9 — Processing of special categories of personal data (biometric data for unique identification). Regulation (EU) 2016/679. Tier 1. https://gdpr-info.eu/art-9-gdpr/
- General Data Protection Regulation (GDPR), Article 35 — Data protection impact assessment. Regulation (EU) 2016/679. Tier 1. https://gdpr-info.eu/art-35-gdpr/
- General Data Protection Regulation (GDPR), Article 28 — Processor (data-processing agreement); and Article 22 — Automated individual decision-making. Regulation (EU) 2016/679. Tier 1. https://gdpr-info.eu/art-28-gdpr/
- EU Artificial Intelligence Act — Annex III, point 3(d): high-risk AI for monitoring and detecting prohibited behaviour of students during tests. Regulation (EU) 2024/1689, Official Journal version 13 June 2024. Tier 1. https://artificialintelligenceact.eu/annex/3/
- EU Artificial Intelligence Act — Article 5: prohibited practices (emotion recognition in education, in force 2 February 2025). Regulation (EU) 2024/1689. Tier 1. https://artificialintelligenceact.eu/article/5/
- Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99 — school-official exception. U.S. Department of Education. Tier 1. https://www.ecfr.gov/current/title-34/subtitle-A/part-99
- Texas Capture or Use of Biometric Identifier Act (CUBI), Bus. & Com. Code § 503.001 — consent, retention, AG-only enforcement. Texas Legislature. Tier 1. https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm
- Italian Garante decision of 16 September 2021, No. 317 — Università Bocconi, €200,000 fine for unlawful processing of students' data via Respondus. European Data Protection Board (EDPB) summary. Tier 2. https://www.edpb.europa.eu/news/news/2021/italian-sa-finds-monitoring-system-online-university-exams-be-breach-privacy-fines_en
- Council of the EU — "Artificial Intelligence: Council and Parliament agree to simplify and streamline rules" (Digital Omnibus, 7 May 2026; high-risk Annex III application moved to 2 December 2027). Consilium. Tier 2. https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- Burgess, Ginsberg, Felten, Cohney — "Watching the Watchers: Bias and Vulnerability in Remote Proctoring Software." 31st USENIX Security Symposium, 2022. Tier 5 (peer-reviewed). https://www.usenix.org/conference/usenixsecurity22/presentation/burgess
- Ogletree v. Cleveland State University, No. 1:21-cv-00500 (N.D. Ohio, Aug. 22, 2022) — room-scan ruling (Fourth Amendment). Court ruling and reporting. Tier 5/6. https://www.npr.org/2022/08/25/1119337956/test-proctoring-room-scans-unconstitutional-cleveland-state-university
- MultiState — "State Privacy Laws in Effect in 2026" (biometric as sensitive data; Colorado biometric amendment effective July 2025). Tier 6 (orientation). https://www.multistate.us/insider/2026/2/4/all-of-the-comprehensive-privacy-laws-that-take-effect-in-2026
Per the editorial conflict rule, where vendor marketing characterizes proctoring data as "not biometric / low-risk," this article follows the named statutes and the Garante/Court of Milan reasoning, and treats the biometric line as turning on template-matching for identification — not on vendor labeling.