Don’t Mess With Texas: $1.4 Billion CUBI Settlement Marks State as Tough Biometric Privacy Enforcer

Published: Jul. 31, 2024

On July 30, 2024, the Texas Attorney General (“AG”) announced a $1.4 billion settlement with Meta in its suit against the platform for alleged violations of the Texas Capture and Use of Biometric Identifier Act (“CUBI”) and Texas consumer protection law. Intriguingly, the final order also implicates the Texas Data Privacy and Security Act (“TDPSA”). This historic settlement establishes Texas as a formidable biometric privacy enforcer.

For many years, CUBI was not enforced by the AG, while the Illinois Biometric Information Privacy Act (“BIPA”) generated waves of class action lawsuits and numerous multi-million-dollar settlements. CUBI regulates the same types of biometric data as BIPA, and like BIPA, it requires businesses to provide notice and obtain consent to collect and (subject to limited exceptions) disclose biometric data and to destroy such data within a prescribed timeframe. However, unlike BIPA, CUBI has no private right of action and is only enforceable by the Texas AG. Despite its rigorous requirements and steep penalties (up to $25,000 per violation), CUBI was treated by some as a paper tiger due to lack of enforcement.

That paper tiger came roaring to life in February 2022, when (as we previously covered) the Texas AG sued Meta under CUBI for allegedly failing to provide sufficient notice and obtain consent to collect and disclose Facebook users’ facial geometry data, and for failing to destroy this data within a reasonable time. The case stemmed from Facebook’s Tag Suggestions feature, which automatically suggested the names users should tag in photos and videos based on the subjects’ faces. The feature was introduced in 2011 and retired in 2021, the same year that Facebook reached a $650 million settlement with plaintiffs in a BIPA class action suit over the tagging feature. In its complaint, the Texas AG alleged that Facebook captured Texans’ biometric data “billions of times” in violation of CUBI and Texas consumer protection law.

In addition to the $1.4 billion penalty, the final judgment limits future actions by the Texas AG against Meta regarding biometrics under CUBI and the TDPSA (cited collectively in the judgment as “Biometrics Laws”). 

  • The judgment establishes a procedure by which Meta may notify and seek to confer with the Texas AG about anticipated or current activities that may implicate Biometrics Laws, and the AG may take no action, seek further information, or object to such activities. 
  • If the AG does not object, it may only raise a subsequent objection if (1) there is a material change in the circumstances known to the AG, including changes in applicable law, or (2) it establishes that Meta’s initial disclosure was materially false or misleading. 
  • If Meta notifies the AG of an activity, the AG must follow this procedure before it can bring a civil enforcement action against Meta regarding the activity or seek other remedies under Biometrics Laws. If Meta does not notify the AG of activities that implicate Biometrics Laws, the AG must provide notice and grant Meta 60 days to cure the alleged violation before suing. 

These limitations only apply to Meta, but other companies sued by the AG for alleged biometrics violations may seek to obtain similar terms.

The future of CUBI enforcement has yet to unfold, but the AG’s action against Meta (and Google – see below) suggests that there will be fewer actions with bigger settlements and a focus on large entities.

  • So far, the AG seems focused on large companies, as its only other CUBI suit to date is against Google (filed in October 2022).
  • After suing Meta and Google in 2022, the AG has not publicly announced other actions. Because CUBI is only enforceable by the AG, it will likely continue to generate fewer suits than BIPA has with its private right of action.
  • CUBI settlements will likely be larger than BIPA settlements, partly because CUBI provides for greater damages per violation and partly because the AG alleges a high number of violations.

The Meta case also illustrates a broader U.S. privacy trend: companies’ handling of biometric data, especially for commercial purposes, is increasingly regulated and scrutinized. In addition to CUBI and BIPA, all twenty-one U.S. state privacy laws (both those in effect and those yet to take effect) define biometric data as “sensitive data” subject to heightened obligations. Colorado recently passed an amendment to the Colorado Privacy Act that will impose more specific notice, consent, and retention obligations regarding biometric data when it takes effect on July 1, 2025. As this space evolves, companies handling biometric data should tread carefully to ensure compliance with applicable laws and monitor legislative and enforcement developments.