Texas Attorney General Ken Paxton has sued Meta Platforms Inc., Facebook's parent company, under the Texas Capture or Use of Biometric Identifier Act (CUBI) and the Deceptive Trade Practices Act (DTPA).

Enacted in 2009, CUBI regulates biometric data and prohibits the capture of an individual's "biometric identifier" for a "commercial purpose" absent the individual's informed consent. The statute defines "biometric identifier" as "a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry." Proving that everything is bigger in Texas, CUBI provides for a $25,000 fine for each violation, but there has been little to no enforcement of the statute until now. The DTPA regulates deceptive trade practices and provides for a $10,000 fine for each violation. Only the Texas AG may enforce CUBI.

The Texas AG's Complaint alleges that the Facebook technology captures and stores the facial geometry of individuals—both Facebook users and non-users—from user-uploaded photos and videos without the users' consent, shares the data with third parties, and fails to destroy the data in a timely manner. Specifically, the Complaint alleges that once a record of an individual's facial geometry exists in Facebook's database, the facial-recognition technology can identify that individual in later uploaded photos and videos. According to the Complaint, this enables Facebook to suggest to its users—with a high degree of accuracy—who to "tag" in their photos and videos. Although Facebook discontinued the facial-recognition technology in November 2021, the Complaint alleges that the technology captured the facial geometries of up to 20.5 million Texans.

The Texas lawsuit arrives on the heels of Facebook's $650 million settlement of a class action under Illinois's Biometric Information Privacy Act (BIPA), which also involved Facebook's facial-recognition technology. Like CUBI, BIPA prohibits a private entity from obtaining an individual's "biometric identifier" (which it defines the same way as CUBI does) without their informed consent.

Despite their similarities, there are significant differences between CUBI and BIPA. CUBI prohibits only the capture of biometric information for a "commercial purpose," while BIPA contains no such limitation. BIPA requires an entity seeking to collect biometric information to obtain an individual's "written release," whereas CUBI requires only the individual's "consent." And most significantly, unlike CUBI, BIPA contains a private right of action, which enables individuals who experience the unlawful collection of their biometric information to sue for statutory damages. That right provides a powerful incentive for the plaintiffs' bar to enforce BIPA's provisions.

The Texas AG's lawsuit could signal a trend of state attorneys general, spurred on by the success of private plaintiffs, instituting civil enforcement actions under their states' respective biometric privacy laws in the wake of large BIPA settlements.

TIP: Given the increase in biometric law enforcement, companies that collect biometric data should understand and comply with existing state biometric privacy laws and ensure that their privacy policies contain accurate information about the collection, use, and protection of biometric data.
