Biometric Privacy Enforcement in Texas and what the Meta Settlement Means for Businesses
The Texas Attorney General’s recent $1.4 billion settlement with Meta Platforms over alleged violations of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) has sent shockwaves through the business community. This historic agreement, the largest biometrics settlement to date, underscores the state’s commitment to aggressively enforcing its data privacy laws. As Texas ramps up oversight with its newly established data privacy unit, businesses must reassess their compliance with biometric and data privacy laws to mitigate potential liabilities.
The Capture or Use of Biometric Identifier Act (“CUBI”), enacted in 2001, is one of the earliest biometric privacy laws in the United States. CUBI governs how businesses collect, use, and store biometric identifiers, which include fingerprints, voiceprints, facial recognition data, and records of hand or face geometry. While CUBI shares similarities with Illinois’s Biometric Information Privacy Act (“BIPA”), such as requiring notice and consent before collecting biometric data and mandating security measures, it is enforceable exclusively by the Texas Attorney General, rather than private citizens.
This distinction has historically limited the volume of enforcement activity under CUBI. However, recent actions by the Texas Attorney General’s Office suggest a renewed focus on biometric privacy, bolstered by the creation of a dedicated data privacy and security unit. This shift signals a heightened risk for companies operating in Texas that fail to comply with the law.
The $1.4 billion settlement with Meta represents a significant milestone in the enforcement of CUBI. The case centered on Meta’s facial recognition technology, used in Facebook’s photo-tagging feature, which allegedly collected biometric data from Texas residents without proper notice or consent. While Meta discontinued its facial recognition program in 2021, the lawsuit and resulting settlement highlight the long-term risks of non-compliance with biometric privacy laws.
The financial penalties in this case underscore the severity of CUBI’s statutory penalties, up to $25,000 per violation. The Texas Attorney General’s Office argued that each unlawful collection and retention of biometric data constituted a separate violation, multiplying the potential liability for Meta. Businesses should take note: even minor lapses in compliance can lead to substantial financial exposure when multiplied across thousands or millions of data points.
The Meta settlement is more than just a caution for large technology companies; it sets a precedent for enforcement actions under CUBI and other biometric privacy laws. As the Texas Attorney General’s Office doubles down on enforcement, companies across industries should prepare for increased scrutiny.
One of the most challenging aspects of CUBI compliance is the vague definition of “commercial purpose,” which determines whether the law applies to a particular activity. For example, collecting employee biometric data for security purposes or using facial recognition technology to train artificial intelligence systems could fall under CUBI’s jurisdiction. Businesses must carefully assess their data collection practices to ensure they meet the law’s requirements.
Compliance Recommendations.
To mitigate the risk of enforcement actions under CUBI and similar laws, businesses should take proactive measures, including:
- Auditing Data Collection Practices. Identify all biometric data being collected, the purposes for its use, and whether these purposes align with CUBI’s requirements.
- Implementing Clear Consent Mechanisms. Ensure that all individuals whose biometric data is collected are informed and provide explicit consent. This includes employees, customers, and other stakeholders.
- Strengthening Data Security. Adopt robust measures to protect biometric data from breaches and unauthorized access. This includes implementing encryption, access controls, and regular security assessments.
- Establishing Retention Policies. Develop and enforce policies for destroying biometric data within a reasonable time frame after its intended purpose has been fulfilled.
- Monitoring Legislative and Enforcement Trends. Stay informed about developments in biometric privacy laws, both in Texas and other jurisdictions, to anticipate new compliance obligations.
The Texas Attorney General’s aggressive enforcement of CUBI reflects a broader trend in biometric privacy regulation across the United States. While Illinois remains the leader in biometric privacy litigation due to BIPA’s private right of action, Texas has demonstrated that state agency enforcement can yield equally significant consequences for businesses.
For companies, the key takeaway is clear: compliance with biometric privacy laws is no longer optional. The stakes are too high to ignore. By proactively addressing potential vulnerabilities and aligning with best practices, businesses can reduce their risk and demonstrate a commitment to protecting individuals’ biometric data in an era of increasing regulatory scrutiny.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.