Texas Attorney General’s Office Zeroes In on Data Privacy and Entities Using Biometric Data
At a Glance
- The Texas Attorney General has created a new data privacy and security unit and warns of increased future enforcement of Texas’ biometric privacy statute.
- Texas reaches a historic $1.4 billion settlement with Meta in its first-ever CUBI enforcement suit.
- Texas Meta settlement signals increased risk for businesses alleged to have violated other states’ laws.
Recently, Texas Attorney General (AG) Ken Paxton announced the launch of a Texas data privacy and security law enforcement initiative, establishing a new unit focused on Texas’ privacy laws. The AG’s Office made the announcement just before the new Texas Data Protection and Security Act (TDPSA) took effect on July 1, 2024, specifically mentioning not only the TDPSA but also the Texas Identity Theft Enforcement and Protection Act, the Texas Data Broker Law, the Texas Biometric Identifier Act (also known as the Texas Capture or Use of Biometric Identifier law, or CUBI), the Texas Deceptive Trade Practices Act, the federal Children’s Online Privacy Protection Act (COPPA) and the federal Health Insurance Portability and Accountability Act (HIPAA).
The Texas AG’s Office did not wait long to demonstrate that the announcement was not an empty threat: On July 30, 2024, the Texas AG’s Office announced that it had reached a $1.4 billion settlement with Meta Platforms Inc. (Meta) related to alleged violations of CUBI.
The announcement of the initiative, quickly followed by the announcement of a significant settlement, is a good opportunity for companies doing business in Texas to take stock of their data privacy practices, particularly under CUBI.
Obligations Under CUBI
Texas was the first state to pass a privacy law — the Capture or Use of Biometric Identifier law — directed specifically at private entities’ collection, use and storage of “biometric” information. Although the law has been in effect since 2001, it is enforceable solely by the Texas AG, and the AG’s Office only started to enforce it publicly within the past two years. CUBI imposes many requirements similar to those of the Illinois Biometric Information Protection Act (BIPA) — and the later-passed Illinois law has generated significantly more attention as a result of its private right of action.
Like its more famous progeny BIPA, CUBI: (i) obligates entities to give advance notice prior to the collection of a “biometric identifier” (a “retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry”) and obtain consent to the collection and specific uses of the biometric identifier(s); (ii) imposes data security obligations on entities that possess biometrics; (iii) limits the length of time private entities can retain biometrics; and (iv) forbids sale, lease or disclosure of biometrics except in narrow circumstances. But CUBI also differs from BIPA: amongst other things, it applies solely to biometrics collected or possessed “for a commercial purpose,” does not specify the form of notice and consent, has far fewer exceptions, and (as noted above) is enforceable solely by the Texas AG.
Recent Enforcement
The first notable CUBI enforcement occurred in February 2022 when the Texas AG’s Office sued Meta. There, the Texas AG alleged that Meta’s photo-tagging feature violated CUBI and the Texas Deceptive Trade Practices Act (DTPA) through its collection of face geometries. The Texas AG’s lawsuit followed a California federal court’s final approval in February 2021 of a $650 million class action settlement resolving claims that the same conduct violated BIPA.
Then in October 2022, the same month that an Illinois state court judge granted final approval of a $100 million settlement of a similar BIPA case against Google, the Texas AG filed another copycat CUBI action: State of Texas v. Google LLC. The AG’s Office alleged that Google was storing not only face geometries but also voiceprints. The Google litigation remains ongoing.
Future Enforcement
Unlike BIPA, which is enforced through a private right of action, CUBI is enforceable only by the Texas AG. Violations can result in penalties of up to $25,000 per violation.
The Meta settlement is, according to the Texas AG’s announcement, the largest ever in an action brought by a single state and the largest privacy settlement an attorney general has ever received. And given the Texas AG’s track record (albeit limited to two cases) of filing lawsuits under CUBI after the approval of settlements under BIPA, companies settling BIPA lawsuits whose conduct reached Texas should be prepared to hear from the Texas AG’s Office.
What This Means for Companies
With the establishment of the Texas AG’s new data privacy unit and the announcement of the $1.4 billion settlement with Meta, companies that collect, process and store data from Texas consumers should consider re-examining their compliance with Texas data privacy laws.