
Texas: A firm stand on biometric data protection

On July 30, 2024, Texas Attorney General (AG) Ken Paxton secured the largest settlement ever obtained from an action brought by a single state, thus significantly raising the stakes for any company that violates Texans' privacy rights. The settlement is also the first one ever under Texas's Capture or Use of Biometric Identifier Act (CUBI). OneTrust DataGuidance Research provides insight into biometrics legislation currently in place in Texas and other states, alongside wider enforcement action taken in relation to biometrics use.


Regulation of biometric data in Texas

The AG focused on CUBI in the context of the abovementioned settlement. CUBI defines a 'biometric identifier' as 'a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.' According to the AG, this includes features such as facial recognition from photographs, with CUBI explicitly prohibiting:

  • the capture of personal biometric data for commercial purposes unless the business first informs the person and receives their consent; and
  • the sale, lease, or other disclosure of biometric identifiers that have been obtained for commercial purposes unless:
    • the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death;
    • the disclosure completes a financial transaction that the individual requested or authorized;
    • the disclosure is required or permitted by a federal statute or by a state statute; or
    • the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant.

Moreover, CUBI establishes obligations of reasonable care and deletion after a certain period of time. In the lawsuit filed in February 2022 regarding unlawful processing of personal biometric data, the AG alleged that "[w]hen information is wrongfully obtained in the first instance, holding it for any amount of time is unreasonably long."

CUBI also clarifies that where a biometric identifier captured for a commercial purpose has been collected for security purposes by an employer, the purpose for collection is presumed to expire on the termination of the employment relationship. Notably, CUBI does not apply to voiceprint data retained by a financial institution or an affiliate of a financial institution.

In another similar and still ongoing lawsuit, filed in October 2022, the AG alleged the unlawful capture and use of biometric identifiers, including voiceprints and records of face geometry, without informing users and non-users of the business's products of the practice and without collecting informed consent. According to the AG, users were allowed to opt out of facial recognition features only after their images had been uploaded, at which point the biometric identifiers had already been extracted.

It should be noted that the AG expressly addressed and condemned the unlawful use of collected personal biometric data in the development of deep learning systems, including in the creation and maintenance of facial datasets and improving the accuracy of facial recognition technology.

Other legislation

Texas

CUBI is only one law among many in Texas applicable to the use of biometric data.

Under the Texas Data Privacy and Security Act (TDPSA), businesses must obtain consent in order to access, collect, or otherwise process biometric data, which is considered sensitive data when processed for the purpose of uniquely identifying an individual. Furthermore, a business's privacy policies must contain a specific notice in case it sells biometric data, stating 'NOTICE: We may sell your biometric personal data.'

In the February 2022 lawsuit, the AG also alleged that representing, directly or by implication, that no collection of biometric identifiers takes place, and failing to disclose information on the collection of biometric data, constitute violations of the Texas Deceptive Trade Practices Act (DTPA).

USA

Beyond Texas, other states have increasingly sought to address the use of biometrics in commercial settings through dedicated laws, leaving aside comprehensive state privacy legislation, such as the TDPSA, that also addresses biometric data.

In New York City, NYC Admin. Code §§ 22-1201 – 1205 requires businesses that gather, use, share, and store biometric identifiers to notify customers in a formal notice. In addition, businesses may not sell, lease, trade, share in exchange for anything of value, or otherwise profit from transactions involving biometric identifier information. In March 2023, a class action lawsuit was filed against a company, alleging that formal notices were not implemented as required by law.

Washington is another state that has enacted legislation specifically addressing the processing of biometric information, namely the Biometric Law, under Chapter 19.375 of Title 19 of the Revised Code of Washington. Unlike Illinois and Texas, the definition of 'biometric identifiers' or 'biometric data' under Washington law does not expressly include face geometry, physical or digital photographs, video or audio recordings, or data generated therefrom. The Washington law requires businesses to provide notice to individuals, obtain their consent, put in place reasonable safeguards to protect biometric data, and not retain data for longer than is necessary. The Washington My Health My Data Act provides additional requirements regarding consent and data subject rights.

Colorado joins states that have adopted legislation targeting biometrics. House Bill 24-1130 amending the Colorado Privacy Act will enter into effect on July 1, 2025, introducing disclosure and consent requirements, prohibitions on certain acts for data controllers that collect and use biometric data, and retention schedules for biometric identifiers.

Other key litigation and settlements in the US

Although Texas now holds the highest settlement ever obtained from an action brought by a single state, it is not alone in securing a settlement for the alleged unlawful collection and use of personal biometric information.

Illinois was one of the first states to introduce a law regulating the processing of biometric information through the Biometric Information Privacy Act of 2008 (BIPA). While BIPA is similar to CUBI in its definitions, obligation of informed consent, disclosure limitations, and reasonable data security safeguards, it also presents key differences, including:

  • the maintenance of a written public policy concerning retention and destruction;
  • a private right of action; and
  • a prohibition of profiting from biometric data.

In recent years, numerous lawsuits have been brought under BIPA. Regarding the processing of biometric information in the context of facial recognition, the following can be observed from several separate lawsuits and their respective settlements:

  • allegations which addressed the unlawful collection, use, and storing of biometric identifiers from individuals without proper notice, consent, or establishing a compliant retention schedule; and
  • in one case, the settlement agreement required the business to refrain from collecting or storing users' biometric data or identifiers or transmitting US user data outside the US, as well as requiring new compliance training with data privacy laws for all relevant incoming employees and contractors.

Allegations made under BIPA were settled for $650 million in January 2020, $92 million in August 2022, $100 million in August 2022, and $35 million in May 2022.

However, it should be noted that Senate Bill 2979 amending BIPA is currently pending with the Governor of Illinois and, if enacted, would clarify what constitutes a single violation under BIPA.

At the federal level, the Federal Trade Commission (FTC) has also been active in enforcing provisions specifically related to the use of biometric data and facial recognition technology. The FTC determined in one case that an organization failed to consider or address foreseeable harms to consumers stemming from the use of facial recognition technology, failed to test or assess its accuracy before or after deployment, and failed to enforce image quality standards necessary for the technology to function accurately.

Notably, the FTC ordered the deletion or destruction of all photos and videos of consumers used or collected in connection with the operation of a facial recognition or analysis system prior to the effective date of the proposed order, together with any data, models, or algorithms derived in whole or in part from them. Going forward, the FTC mandated that the organization not use any automated biometric security or surveillance systems on data collected from or about consumers, alongside:

  • documenting the content, implementation, and maintenance of a privacy program;
  • designating a qualified employee or employees responsible for the program; and
  • conducting a written assessment for each automated biometric security or surveillance system in use, and again thereafter every 12 months.

The FTC also required the deletion of any biometric data collected within five years under such order.

Conclusion

Amid the wider use of biometrics, including through facial recognition technology, states have been proactive in adopting legislation targeting the collection and use of biometric data and biometric identifiers. State AGs and federal authorities have also displayed an increased willingness to use the enforcement powers given to them under applicable legislation.

Anastasia Konova, Privacy Analyst