The Texas Capture or Use of Biometric Identifiers (CUBI) Act: what businesses need to know in 2024
Biometric data has become a key tool for businesses to enhance security and improve customer experiences. This includes not only traditional biometric identifiers like fingerprints and facial geometry but also video-based technologies that capture and analyze behaviors or movements.
With this, comes the need to handle this data properly.
Enacted in 2009, The Texas Capture or Use of Biometric Identifiers (“CUBI”) Act governs the collection, storage, and use of biometric data, such as fingerprints, retina scans, voiceprints, and facial geometry. It applies to all businesses that collect or use these identifiers for commercial purposes within Texas, ensuring biometric data is handled carefully and transparently.
Key data obligations under the CUBI
CUBI sets strict guidelines on how businesses must handle biometric identifiers. These include:
Informed consent: businesses must inform individuals before capturing their biometric data and obtain explicit consent, whether through video surveillance, facial recognition, or other technologies.
Restricted disclosure: selling, leasing, or disclosing biometric data is prohibited unless the individual consents, or it’s required for legal or financial transactions.
Data protection: biometric data must be stored securely, with businesses using reasonable care to protect it from unauthorized access. This includes implementing secure protocols for video footage that incorporates biometric identifiers.
Data destruction: collected data must be destroyed no later than one year after the purpose for collecting it has expired.
These requirements mean that businesses must have clear processes in place to manage biometric data from the point of collection through to its eventual destruction.
Enforcement and compliance under CUBI
The Texas Attorney General (AG) enforces CUBI, and the penalties for violating it can be severe—up to $25,000 per violation. Each breach is treated as a separate violation, which means that non-compliance can quickly escalate into significant financial penalties.
In recent years, the AG has prioritized enforcing CUBI more aggressively. In 2024, the Texas Attorney General reached a $1.4 billion settlement with Meta, accusing the company of illegally capturing and using biometric data through its facial recognition feature without obtaining the proper consent required by CUBI.
This case has set a precedent, showing that large tech companies will be held accountable for violating biometric privacy laws. More importantly, it sends a clear signal to businesses of all sizes that compliance with CUBI is no longer optional but a critical aspect of doing business in Texas.
How does the CUBI Act compare with other state biometric laws?
Texas’s CUBI is similar to biometric privacy laws in states like Illinois, but it stands out in a few notable ways:
No private right of action: unlike Illinois's BIPA, individuals cannot directly sue under CUBI. Instead, enforcement is handled exclusively by the Texas Attorney General.
Strict data destruction rules: Texas law is particularly clear about the one-year deadline for destroying biometric data, which provides businesses with a more specific compliance requirement, especially when considering video-based biometric systems.
The Texas Data Privacy and Security Act (TDPSA)
In addition to the CUBI law, Texas has recently introduced the Texas Data Privacy and Security Act (TDPSA), which came into full effect in July 2024. This new law overlaps with the CUBI Act but introduces broader requirements for data processing, including biometric data. What’s more, the TDPSA grants more rights to consumers and places further restrictions on businesses processing personal data, emphasizing the need for dual compliance.
With no clear guidance yet on how CUBI and the TDPSA will interact, businesses must adapt now to ensure full compliance.
How can businesses comply with the CUBI?
Businesses can take clear steps to ensure they are in compliance with CUBI and stay ahead of enforcement action:
Obtain clear consent: ensure that individuals are fully informed about the collection of their biometric data, including data captured via video or security footage, and that consent is freely given.
Implement security measures: protect biometric data with strong security protocols and regularly review data storage practices.
Data destruction policies: have processes in place to destroy biometric data, including video with biometric identifiers, within the legally required timeframe.
Review disclosures: ensure that biometric data is not shared or disclosed unless strictly necessary and legally permissible.
By following these steps, businesses can minimize their risk and ensure compliance with both the CUBI and the TDPSA as the enforcement landscape tightens.
As we move through 2024, businesses must adapt their data privacy practices to align with both the Capture or Use of Biometric Identifiers Act and the Texas Data Privacy and Security Act. The growing emphasis on biometric data protection means that businesses must act now to avoid hefty penalties and ensure they are safeguarding consumer privacy.