In one of the first cases to invoke Texas’s biometric law, the state’s Attorney General sued Facebook’s parent company Meta and alleged that it unlawfully captured, disclosed, and retained the facial geometry of users and non-users.
The case highlights the increasing focus on biometric privacy throughout the country. While the Illinois Biometric Information Privacy Act (BIPA)—and its private right of action—has dominated attention in the past decade, a number of jurisdictions have biometric laws on the books and other laws are coming online in 2023.
The AG’s suit brings causes of action under the Texas Capture or Use of Biometric Identifier (CUBI) law, as well as the state’s general deceptive trade practices law. It seeks damages for “billions” of alleged violations dating back to 2010 and seeks an injunction to stop Meta from collecting the information in Texas and to delete anything it already has. While Facebook discontinued biometric collection associated with its “Face Recognition” system last year, the Attorney General alleged that this commitment did not extend to other Meta properties.
In Texas, CUBI regulates “biometric identifiers,” which is defined as a “retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.” The law bans people from capturing biometric identifiers for a commercial purpose, unless notice and consent is first given. Unlike the strict requirements in Illinois, the method of consent is not defined. The law similarly bars the sale or disclosure of biometric identifiers, except in narrow circumstances like to complete an authorized financial transaction or for law enforcement purposes. CUBI also requires the protection and confidentiality of the data and deletion within a reasonable time, but no later than one year after the purpose of the collection expires. For example, with employee data, the purpose is presumed to expire upon termination.
The Texas Attorney General is the sole authority that can enforce the state law, and it can seek fines of up to $25,000 per violation. The plain text of the law does not have geographical or residential limits built in, but the complaint against Facebook calls out actions that took place “in Texas” and highlights the protection of “Texas residents.”
While the law has been rarely if ever used, the Attorney General’s Office has interpreted an identical definition of “biometric identifier” under open records laws. At various points, the office has held that facial geometry is “more than just the photograph of an individual; it is the unique contours of the face.” Tex. Atty. Gen. Op. OR2002-2436. At other points, the office has said the privacy rights to biometric information “lapses at death” in relation to open records law.
As the Meta litigation continues, we can expect additional insights into issues like jurisdictional scope, form and substance of the required notice and consent, and the types of data that constitute “biometric identifiers” under CUBI.
The Texas legislature originally passed a version of the law in 2001 based on the stated belief that biometrics would eventually become the new password and needed to be protected. One bill analysis from the legislature noted that “Biometric technology is considered by some as the ultimate identifier.”
More than 20 years later, Texas, Illinois, and Washington each have laws that regulate the commercial use of biometrics, along with cities like Baltimore, Portland, and New York. In 2023, comprehensive privacy laws in California, Colorado, and Virginia will treat biometric information as sensitive data — in some cases requiring special opt-out, consent, and privacy impact assessments. A handful of state legislatures are considering similar biometric legislation this year.
While previous compliance efforts were often limited to only address BIPA requirements or prohibit use of certain features in Illinois, companies using biometrics should be prepared to reassess this approach and swiftly adopt new measures to properly address these additional laws.