On Monday, February 14, 2022, the State of Texas by and through the Attorney General of Texas, Ken Paxton, filed suit against Meta Platforms, Inc. for alleged violations of the state’s biometric and deceptive trade practices laws. The State of Texas claims that “Facebook unlawfully captured the biometric identifiers of Texans for a commercial purpose without their informed consent, disclosed those identifiers to others, and failed to destroy collected identifiers within a reasonable time, all in violation of the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001 (“CUBI”); and that Facebook engaged in false, misleading, and deceptive acts and practices in violation of the Texas Deceptive Trade Practices-Consumer Protection Act (“DTPA”), Tex. Bus. & Com. Code §§ 17.41 et seq.” The suit is pending in the District Court of Harrison County, Texas.[1]
The suit alleges that Facebook collected biometric information from photos and that the users’ personal information was then disclosed to other entities who “exploited it.” The suit further alleges that Facebook failed to destroy collected biometric identifiers within a reasonable amount of time, and that the “illegal and deceptive conduct” extended beyond users because Facebook captured some non-users’ biometric identifiers from photos uploaded by users.
The complaint explicitly mentions Facebook’s $650 million settlement in a previous case and payment of $5 Billion to the Federal Trade Commission. Facebook claimed that it was shutting down its facial recognition operations in 2021.
1. CUBI and BIPA: A comparison
If seeing Facebook, a $650 million figure, and a lawsuit in the same sentence looks familiar, that’s for a good reason. Facebook was previously sued under Illinois’ Biometric Information Privacy Act, 740 Ill. Comp. Stat. Ann. § 14/1 et seq. (the “BIPA”) for the same practices triggering Texas’s CUBI action. That 2018 case (litigated in a California federal court) finally settled on February 26, 2021 after the court rejected the parties initial $550 million settlement proposal. That case’s interesting procedural history-and high-dollar value settlement-drew more attention to how BIPA could ensnare private businesses.
BIPA, enacted in 2008, is the nation’s first (and arguably toughest) biometrics statute. While the BIPA’s text has not been adopted verbatim in every jurisdiction proposing or enacting biometrics laws, it has often served as a comparative model for other states and proposed federal legislation. CUBI was passed merely one year after BIPA. But rather than being a copycat statute, CUBI features some distinctions from the BIPA.
Both CUBI and BIPA ostensibly address consumer concerns with using biometrics in financial transactions. Tex. Bus. & Com. Code § 503.001(c); 740 Ill. Comp. Stat. Ann. § 14/5. Both require entities capturing and possessing biometrics to obtain informed consent prior to collection or transmission, ensure biometrics are securely stored, and establish policies pertaining to the destruction of those biometrics after a certain time period. Tex. Bus. & Com. Code § 503.001(c); 740 Ill. Comp. Stat. Ann. § 14/15 (but read here for a detailed summary and compliance-related best practices).
The statutes start to part ways when it comes down to how biometrics are defined, though. Both define ”biometric identifiers” to include eye scans, fingerprints, voice prints, and/or records of facial or hand geometry. Tex. Bus. & Com. Code § 503.001(a); 740 Ill. Comp. Stat. Ann. § 14/10. But BIPA went one step further. BIPA’s requirements also apply to any data based on an individual’s biometric identifiers regardless of how it was captured (“biometric information”). 740 Ill. Comp. Stat. Ann. § 14/10.
The differences compound from there. Each establishes markedly different enforcement schemes. Under CUBI, the Texas Attorney General can sue to recover the $25,000 civil penalty per violation. Tex. Bus. & Com. Code § 503.001(d). In contrast, BIPA allows any individual to bring a private right of action to sue for injunctive relief and recover the greater of actual damages or liquidated damages for up to $1,000 - $5,000 per violation (dependent on a defendant’s culpability). 740 Ill. Comp. Stat. Ann. § 14/20(1)-(2), (4). BIPA also allows a prevailing party to recover attorneys’ fees, which CUBI doesn’t address because the State would sue to enforce it. 740 Ill. Comp. Stat. Ann. § 14/20(3).
While both statutes exclude financial institutions subject to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.), BIPA also excludes healthcare providers and private companies contracting with Illinois governmental units (though only while they provide services). Tex. Bus. & Com. Code § 503.001(e); 740 Ill. Comp. Stat. Ann. § 14/25(a)-(e); 14/10.
While BIPA opened the floodgates to class action suits involving Illinoisans, it remains to be seen how aggressively the Texas Attorney General will use CUBI’s provisions to penalize private businesses.
2. Other Texas Privacy Litigation
This is not Texas’s first foray into privacy related litigation against technology companies. In the last two years, the Attorney General has filed a suit alleging deceptive practices relating to geolocation tracking, issued civil investigative demands relating to online content moderation, and joined a multistate investigation into the conduct of social media platforms relative to children and young adults.
Mackenzie Wallace is a Dallas partner in the Firm’s Business Litigation group. Libby Casale and Dremain Moore are associates in the Firm’s Business Litigation group. Jim Shreve is the chair of the Firm's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. David Duffy is a partner in Thompson Coburn’s Cybersecurity group practice.
[1] Harrison County is located in northeastern Texas and is home to Marshall, Texas but only has a population of about 66,000.