When a student sits down to take an online exam, they're doing more than answering questions. They're submitting to a system that may be recording their face, their voice, their keystrokes, their browser history, their room, and in some cases, their biometric data. Most students have no idea how much information is being collected — or what happens to it afterward.
For institutions, the stakes are even higher. Choosing a proctoring platform isn't just a procurement decision anymore. It's a legal and ethical responsibility. Get it wrong, and you're not just facing student complaints — you're facing regulatory scrutiny under GDPR, FERPA, CCPA, and a growing patchwork of state and national biometric privacy laws.
This guide breaks down what data online exam proctoring actually collects, which laws apply, what compliance really looks like in practice, and how both students and institutions can protect themselves.
What Data Does Online Proctoring Actually Collect?
This is the question most students never think to ask — and that many institutions haven't fully answered themselves. The short answer: a lot more than you might expect.
Modern proctoring platforms typically collect:
- Video footage from the webcam — capturing the student's face, body, and surrounding environment
- Audio recordings — ambient room sound and sometimes keyword detection
- Screen activity — browser tabs, application usage, mouse movements
- Keystroke logs — what was typed and when, sometimes including rhythm patterns
- Identity verification data — government-issued ID scanned against a real-time facial match
- Device metadata — operating system, IP address, browser version, network information
- Behavioral flags — AI-generated suspicion scores based on gaze, head movement, or "anomalous" behavior
Some platforms go further, collecting biometric identifiers — including facial geometry and typing dynamics — that trigger the strictest category of protections under data privacy law.
The problem isn't that this data exists. The problem is that many students don't know it's being collected, don't understand how long it's stored, and have no meaningful way to opt out.
The Regulatory Landscape: Which Laws Apply?
Data privacy in online education is governed by an overlapping set of laws, and institutions must navigate all of them simultaneously.
FERPA (USA)
The Family Educational Rights and Privacy Act is the baseline for US higher education. FERPA classifies exam recordings and proctoring data as education records — meaning students have the right to access them, request corrections, and consent to their disclosure. Critically, when institutions share this data with a third-party proctoring vendor, they must have a legitimate educational interest exception documented, and the vendor must agree to operate under FERPA's restrictions.
GDPR (European Union)
For institutions in the EU — or any institution serving EU-based students — GDPR is the gold standard. It requires:
- A lawful basis for processing (consent, legitimate interest, or contractual necessity)
- A Data Processing Agreement (DPA) with any third-party vendor
- Data minimization — only collect what's strictly necessary
- The right to erasure (students can request deletion)
- Data breach notification within 72 hours
Under GDPR, facial recognition data and biometric identifiers are classified as special category data requiring explicit consent. This is a much higher bar than standard consent.
CCPA (California)
The California Consumer Privacy Act gives California residents the right to know what personal data is collected, the right to delete it, and the right to opt out of its sale. Institutions using proctoring platforms that monetize or share data must disclose this and honor opt-out requests.
State Biometric Privacy Laws
Illinois, Texas, Washington, and a growing number of states have enacted biometric information privacy laws (BIPA and similar). These laws require:
- Prior written notice before biometric data collection
- Informed, affirmative consent
- Defined retention schedules
- Prohibition on selling or profiting from biometric data
As of mid-2026, more than a dozen US states have active biometric privacy legislation, with more in progress. Any institution deploying facial recognition-based proctoring must audit their compliance state by state.
The Consent Problem: Are Students Really Agreeing?
Consent is where most proctoring implementations fall apart — not because institutions mean to violate the law, but because "consent" in practice often looks like this: a student clicks "I Agree" on a terms-of-service screen at the start of an exam, with no real ability to refuse without losing the opportunity to sit the test.
Under GDPR, this is not valid consent. Consent must be:
- Freely given (no penalty for refusal)
- Specific (clearly describing what is collected and why)
- Informed (not buried in legalese)
- Unambiguous (explicit affirmative action)
The reality in most university settings is that exam participation is effectively mandatory. This creates a coercion problem: students cannot freely refuse consent if refusing means failing the course. GDPR guidance from several EU data protection authorities has flagged this explicitly as a consent validity issue.
Best practice for institutions: don't rely on consent as your legal basis unless you can genuinely make participation optional. Instead, consider legitimate interest assessments or contractual necessity as more defensible grounds — and be transparent about this in your privacy notices.
Data Retention: The Forgotten Risk
Even institutions that handle data collection responsibly often stumble on retention. Proctoring platforms may store exam recordings for months or years by default. Each day that data sits on a server is another day it's vulnerable to breach, subpoena, or misuse.
Best practices on data retention:
- Define a retention schedule before deploying any platform. 30–90 days post-exam is typically sufficient for dispute resolution purposes.
- Build deletion into the contract. Specify that the vendor must delete all recordings, identity data, and behavioral logs within a defined period after the exam window closes.
- Audit retention regularly. Annual spot checks confirm that contractual deletion is actually happening.
- Apply the principle of data minimization. If you don't need keystroke logs for academic integrity purposes, don't collect them.
Under GDPR, retention must be tied to a specific, documented purpose. "Indefinite storage just in case" is not a lawful retention basis.
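The retention practices above (a fixed schedule counted from the close of the exam window, a hold for open disputes, a spot check that confirms deletion actually happened, and a documented purpose for every stored record) can be made mechanical rather than aspirational. The following is an added illustration written for this guide, not code from any proctoring vendor or institution. It assumes a 60-day retention window (inside the 30–90 day range recommended above), a 7-day grace period before an undeleted record counts as an audit finding, and a handful of constructed sample records; the `ExamRecord` fields, `RETENTION_DAYS` and `AUDIT_GRACE_DAYS` are assumptions, not fields of any real platform.

```python
"""Retention enforcement for proctoring artefacts (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed institutional policy: delete 60 days after the exam window closes,
# inside the 30-90 day range the guide recommends.
RETENTION_DAYS = 60
# Assumed grace period the spot check allows before an undeleted record
# is reported as a contractual violation.
AUDIT_GRACE_DAYS = 7


@dataclass
class ExamRecord:
    record_id: str
    student_id: str
    exam_closed: date            # last day of the exam window
    purpose: str                 # documented retention purpose ("" = none documented)
    legal_hold: bool = False     # True while an academic-integrity dispute is open
    deleted_on: Optional[date] = None


def deletion_due(record: ExamRecord, retention_days: int = RETENTION_DAYS) -> date:
    """Date by which the record must be gone, counted from the exam window close."""
    return record.exam_closed + timedelta(days=retention_days)


def is_purgeable(record: ExamRecord, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """Due, not already deleted, and not frozen by an open dispute."""
    return (record.deleted_on is None
            and not record.legal_hold
            and deletion_due(record, retention_days) <= today)


def purge(records, today, retention_days=RETENTION_DAYS):
    """Scheduled deletion job: mark every purgeable record deleted and return its id."""
    deleted = []
    for r in records:
        if is_purgeable(r, today, retention_days):
            r.deleted_on = today   # in production: delete the stored footage first, then record this
            deleted.append(r.record_id)
    return deleted


def audit_retention(records, today, retention_days=RETENTION_DAYS, grace_days=AUDIT_GRACE_DAYS):
    """The spot check: what a contract review needs to see about undeleted records.

    overdue    - past due date plus grace, no hold, still present (contract breach)
    no_purpose - stored with no documented purpose ("just in case" storage)
    on_hold    - retained because of an open dispute; listed for manual review
    """
    findings = {"overdue": [], "no_purpose": [], "on_hold": []}
    for r in records:
        if r.deleted_on is not None:
            continue
        if not r.purpose.strip():
            findings["no_purpose"].append(r.record_id)
        if r.legal_hold:
            findings["on_hold"].append(r.record_id)
        elif deletion_due(r, retention_days) + timedelta(days=grace_days) < today:
            findings["overdue"].append(r.record_id)
    return findings


def sample_records():
    """Constructed sample data; not real student records."""
    return [
        ExamRecord("rec-001", "s-1001", date(2026, 3, 1), "dispute resolution"),
        ExamRecord("rec-002", "s-1002", date(2026, 5, 15), "dispute resolution"),
        ExamRecord("rec-003", "s-1003", date(2026, 2, 1), "dispute resolution", legal_hold=True),
        ExamRecord("rec-004", "s-1004", date(2026, 4, 10), ""),
    ]


def run_demo(today=date(2026, 6, 1)):
    """Audit, run the deletion job, audit again; returns all three results."""
    records = sample_records()
    before = audit_retention(records, today)
    deleted = purge(records, today)
    after = audit_retention(records, today)
    return before, deleted, after


if __name__ == "__main__":
    before, deleted, after = run_demo()
    print("audit before purge:", before)
    print("purged:", deleted)
    print("audit after purge:", after)
```

Two design points matter more than the arithmetic. The deletion job refuses to touch anything under a legal hold, so an open dispute never loses its evidence, but the audit still lists those holds so that a hold is not quietly used as indefinite storage. And a record with no documented purpose is reported as a finding even when it is not yet due: under GDPR the purpose has to exist before the retention clock is meaningful, so the audit treats its absence as a defect in its own right. In practice the `purge` step would call the vendor's deletion interface and verify the result, and the `audit_retention` output is what you would attach to the annual spot check called for above.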
Third-Party Vendors: You're Still Responsible
This is the nuance that catches many institutions off guard: when you hire a proctoring company, you remain the data controller. The vendor is a data processor. That means if the vendor mishandles student data, violates GDPR, or suffers a breach — your institution is legally exposed.
Before signing any proctoring contract, institutions should require:
- A signed Data Processing Agreement (DPA) that explicitly binds the vendor to applicable regulations
- Evidence of security certifications (SOC 2 Type II, ISO 27001, or equivalent)
- Clear disclosure of all subprocessors (companies the vendor itself shares data with)
- Defined breach notification timelines (ideally 24–48 hours to the institution, before the regulatory 72-hour window)
- Explicit right to deletion clauses — what happens to student data when the contract ends?
- A published data retention and deletion schedule
- Documentation of any AI model training practices — is student footage being used to improve the vendor's algorithms?
That last point deserves special attention. Several proctoring vendors have faced criticism for using student recordings as training data for their AI detection models. Under GDPR and most US privacy frameworks, this requires explicit, separate consent — and in most cases, it's simply not disclosed.
What Students Can (and Should) Do
Students aren't powerless here. Understanding your rights is the first step to exercising them.
If you're in the EU:
- You have the right to request a copy of all data held about you (Subject Access Request)
- You can request deletion under the right to erasure
- You can file a complaint with your national Data Protection Authority if you believe your data has been mishandled
- You can ask your institution what legal basis they're using to process your exam data
If you're in the US:
- Under FERPA, you can request access to your education records, including proctoring data
- In California, CCPA gives you additional rights around disclosure and deletion
- If biometric data was collected without proper consent in a state with biometric privacy law, you may have a legal claim
Regardless of jurisdiction:
- Read the privacy notice before your exam — even the short version usually contains key disclosures
- Ask your institution directly: what data is collected, how long is it stored, and who can see it?
- If you're in a country without robust privacy law, advocate through your student union for institutional policies that go beyond the legal minimum
A Compliance Checklist for Institutions
Getting online exam data privacy right isn't a one-time exercise. It's an ongoing governance function. Here's a practical starting point:
Before deployment:
- Conduct a Data Protection Impact Assessment (DPIA) — required under GDPR for high-risk processing
- Identify the lawful basis for processing and document it
- Draft and publish a clear, student-facing privacy notice specific to proctoring
- Execute a DPA with the proctoring vendor
- Audit subprocessor disclosure and international data transfer mechanisms
Ongoing:
- Review and enforce the vendor's data retention and deletion practices annually
- Update consent language and privacy notices when platform capabilities change
- Train faculty and administrators on what data is collected and what students' rights are
- Maintain an incident response plan for potential breaches
- Stay current on state biometric privacy law developments
Student-facing:
- Provide a plain-language summary of what data is collected and why
- Make it clear how to submit a data access or deletion request
- Offer alternative assessment options where feasible for students with privacy concerns
FAQs
What personal data does online proctoring software typically collect?
Most proctoring platforms collect webcam video, microphone audio, screen activity, keystroke logs, browser and device metadata, and identity verification data including photo ID matches. Some platforms also collect biometric identifiers like facial geometry, which triggers stricter legal protections.
Is online proctoring legal under GDPR?
Yes, but only with proper safeguards. Institutions must have a lawful basis for processing (not just a checkbox "I agree"), execute a Data Processing Agreement with the vendor, apply data minimization principles, honor student rights including erasure, and disclose the use of any special category data like biometrics.
What is the difference between a data controller and a data processor in proctoring?
The institution (university, certifying body) is the data controller — they decide what data is collected and why. The proctoring vendor is the data processor — they handle the data on the institution's behalf. Even though the vendor processes the data, the institution remains legally responsible for ensuring it's handled lawfully.
How long can proctoring platforms keep exam recordings?
There's no universal rule, but best practice is to delete recordings within 30–90 days of the exam, unless there's an active academic integrity dispute. GDPR requires that retention be tied to a specific purpose, and "indefinite storage as a precaution" is not a sufficient legal basis.
Can a student refuse to consent to online proctoring?
Under GDPR, consent must be freely given — meaning a student can't be penalized for refusing. In practice, many institutions make proctored exams mandatory, which invalidates consent as a legal basis. Institutions should consider using "legitimate interest" or "contractual necessity" as their legal basis instead, while still providing transparent notice and offering alternatives where possible.
What should students do if they believe their proctoring data was mishandled?
EU students can file a complaint with their national Data Protection Authority. US students under FERPA can request record access and file complaints with the Department of Education. In states with biometric privacy laws, students may have a private right of action. All students should start by contacting their institution's data protection officer or privacy office.
Does FERPA apply to proctoring data?
Yes. In US higher education, proctoring recordings and related exam data are typically classified as education records under FERPA. This means students have the right to inspect and review them, and institutions must have a legitimate educational interest exception documented when sharing them with a third-party vendor.