The Texas Capture or Use of Biometric Identifier Act (CUBI) aims to prevent the commercial collection of an individual’s biometric identifiers without their consent. CUBI has been around since 2009, but it has been making headlines recently due to a $1.4 billion settlement between Meta Platforms, Inc. (Meta) and the Texas Attorney General over allegations that a tagging suggestions tool in Meta’s Facebook application violated CUBI.
What Is CUBI?
CUBI defines “biometric identifiers” as “a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.” CUBI imposes limits on the collection, use, and storage of biometric identifiers for commercial purposes.
CUBI bars capturing an individual’s biometric identifiers for a commercial purpose unless the collector “(1) informs the individual before capturing the biometric identifier; and (2) receives the individual’s consent to capture the biometric identifier.”
Biometric identifiers may not be sold, leased, or otherwise disclosed to a third party. There are four narrow exceptions to this rule:
- an individual consents to the disclosure for identification purposes in the event of their death/disappearance;
- the disclosure is pursuant to a financial transaction at the individual’s request;
- the disclosure is required/permitted under federal or state law; or
- the disclosure is to a law enforcement agency acting with a warrant.
Finally, CUBI requires reasonable care and protection of biometric identifiers at least commensurate with the way the person protects other confidential information, including that the biometric identifiers be destroyed within a reasonable time period after the purposes for collecting them have expired.
What Is a Commercial Purpose?
One of the most challenging issues in determining whether CUBI applies is whether a particular use of biometric identifiers is for a “commercial purpose.” The term “commercial purpose” is not defined in the statute, and there is little guidance on the question. But, there is good reason to believe the term, “commercial purpose,” will be broadly construed.
For example, the term does not appear to be limited to the consumer context, as the statute refers to employee biometric identifiers. Specifically, CUBI suggests that collecting employee biometric identifiers for security would be considered a “commercial purpose” as the law specifies that the purpose of collecting employee biometric identifiers would “expire on termination of the employment relationship.”
The recent Meta settlement further suggests that the definition is broad. Meta claimed that part of the reason for collecting facial data was to improve their facial recognition software. And it paid a massive settlement. Businesses, therefore, should beware that the collection of biometric identifiers, even for the purposes of training technology (including AI or large language models), could result in violations of CUBI.
What Are the Penalties Under CUBI?
Violations of CUBI may result in a civil penalty of up to $25,000 per violation. Note that the Texas Attorney General has taken the view that not only is the collection of a biometric identifier without consent a violation, but it is also a separate violation to store that biometric identifier. In the complaint against Meta, the Attorney General argued that because collection of the biometric identifiers was unlawful, maintaining possession for any length of time was unreasonable and thus also unlawful. Under this theory, a single non-compliant collection would instantly double the penalty up to $50,000.
What Occurred in the Meta Suit?
Meta’s recent settlement with the State of Texas under CUBI for $1.4 billion “is the largest ever obtained from an action brought by a single State” according to the Texas Attorney General’s Office and arose from claims first brought in 2022.
The alleged CUBI violation stemmed from Facebook’s tagging suggestions program. The tagging suggestions feature was first introduced in 2011 and used facial recognition software to help users tag others in photos. This software was automatically enabled for all Facebook users. In 2021, Meta announced it would shut down its facial recognition software. It attributed this to growing societal concerns about the proper user of biometric identifiers and a lack of guidance from regulators. Meta previously paid $550 million to settle a similar suit in Illinois.
What’s Next?
The Texas Attorney General’s Office has made the enforcement of privacy rights a key component of the current administration. Further, the publicity of the Meta suit may drive an increase in complaints to the Attorney General regarding biometric identifier collection.
Companies, including employers, concerned about potential liability under CUBI should undertake a comprehensive review of what data they collect to ensure that they are treating biometric identifiers properly.
For assistance in understanding and complying with CUBI, contact Bracewell’s data security & privacy team to help you navigate this increasingly important area of law.
A version of this update was published by The Texas Lawbook on August 16, 2024.