Biometric technology has become a part of our everyday lives, with little fanfare. You probably use your face or fingerprint to unlock your phone. Alexa, Siri, and other smart speakers use voice identification. Employers, airports, and banks are exploring ways to use biometrics. But when is a company allowed to collect biometric data? And how can they use it? In Texas, businesses must comply with the Capture or Use of Biometric Identifier Act (CUBI) or face stiff penalties.
Illinois was the first state in the country to pass a biometric information privacy law, the Biometric Information Privacy Act (BIPA), in 2008. The following year, Texas passed the Capture or Use of Biometric Identifier Act (CUBI), which has been called “BIPA-lite.” The most notable difference between the two laws is that Texas does not authorize a private cause of action, and instead empowers the Texas Attorney General to sue violators.
CUBI regulates biometric identifiers that are used for a “commercial purpose.” That term isn’t defined by CUBI, and no Texas court has interpreted it yet in the context of the law, but presumably any collection of biometric identifiers for business-related operations would fall within CUBI’s restrictions.
A “biometric identifier” is defined by the statute as:
- A retina or iris scan
- A fingerprint
- A voiceprint
- A record of hand or face geometry
Under CUBI, a person is allowed to capture a biometric identifier for a commercial purpose only if the person:
- Provides notice to the individual before capturing the biometric identifier; and
- Receives the individual’s consent.
Once biometric identifiers are captured and stored, CUBI prohibits the data’s sale, lease, or disclosure to any third party, unless:
- the individual consents to the disclosure for identification purposes in the event of their disappearance or death;
- the disclosure completes a financial transaction that the individual requested or authorized;
- the disclosure is required or permitted by a federal statute or by a state statute other than the Texas Public Information Act; or
- the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant.
The person who collects the biometric identifier must store, transmit, and protect the data using “reasonable care,” and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects any other confidential information.
The biometric identifier must be destroyed within a “reasonable time” and no later than one year after the purpose for collecting it has expired. If an employer collects biometric identifiers for security purposes, the purpose for collecting them is presumed to expire when the employment relationship ends, so the identifier would have to be destroyed no later than the one-year anniversary of termination.
Exemption for voiceprint data retained by financial institutions
CUBI contains one exemption: it does not apply to voiceprint data retained by a financial institution or an affiliate of a financial institution.
A bill (HB 1977) proposed during the 2021 legislative session would have extended this exemption to all forms of biometric identifiers retained by financial institutions and their affiliates. The bill passed out of House committee but did not receive a floor vote.
Enforcement of CUBI
While CUBI does not authorize a private cause of action, the Texas Attorney General is empowered to pursue violators, who are subject to a civil penalty of up to $25,000 for each violation.
It was reported in July 2020 that Attorney General Ken Paxton, who has taken aggressive action against leading tech companies, was investigating Facebook for possible CUBI violations. In February 2021, Facebook reached a $650 million settlement for alleged violations of Illinois’ Biometric Information Privacy Act over its use of facial recognition software without permission from affected users.
Under Section 32.51 of the Texas Penal Code, it is a criminal offense to obtain, possess, transfer, or use unique biometric data of another person without their consent, with the intent to harm or defraud. A person is presumed to have the intent to harm or defraud another if they possess the biometric data of three or more other persons.
Questions about regulatory risk analysis and compliance? Check out our blog archive.