Quick Hits
- Texas reached a $1.4 billion settlement with a social media company over technology that allegedly unlawfully captured the facial geometry of millions of users in the state.
- The settlement comes after a $650 million settlement for similar claims under Illinois law in 2021.
- The settlements point to a broader trend of increased scrutiny and enforcement of privacy laws concerning biometric information.
On July 30, 2024, Texas Attorney General Ken Paxton’s office announced the settlement, ending two years of litigation in which the state alleged the company violated Texas’s “Capture or Use of Biometric Identifier” Act (CUBI) and the Deceptive Trade Practices Act.
The $1.4 billion settlement is the largest obtained by a single state and, notably, exceeds the $650 million settlement with the same company in 2021 to resolve similar claims under Illinois’s Biometric Information Privacy Act (BIPA or Privacy Act).
“This historic settlement demonstrates our commitment to standing up to the world’s biggest technology companies and holding them accountable for breaking the law and violating Texans’ privacy rights,” Attorney General Paxton said in a statement. “Any abuse of Texans’ sensitive data will be met with the full force of the law.”
Landmark Settlement
The settlement stems from allegations that the company captured and utilized facial recognition data without obtaining proper consent from millions of users in Texas through a feature that made it easier to “tag” individuals in photographs on the platform.
According to a news release from the attorney general’s office, the company “ran this facial recognition software on virtually every face contained in photographs uploaded” to the platform “[u]nbeknownst to most.” The attorney general’s office alleged this violated CUBI, which requires entities to obtain informed consent before capturing biometric identifiers, including facial geometry.
Biometric Privacy Laws
The company had argued that it complied with Texas law and had informed users about how the feature worked. The company further argued that CUBI does not permit the state to seek an injunction and criticized Texas for bringing the suit only after the $650 million settlement in 2021 was approved.
While the Texas settlement and the 2021 settlement concern the use of facial recognition technology in a social media platform, both cases signal how states and potential plaintiffs are bringing claims for technical notice and consent requirements in biometric privacy laws, which can lead to significant liability for companies. Moreover, a growing number of states are enacting comprehensive privacy laws that include protections for individuals’ biometric information.
This increased enforcement is a key concern for employers as technology that captures biometric information of employees, such as facial or fingerprint scans, is becoming more ubiquitous. Such technology serves legitimate business reasons, such as security or timekeeping.
Next Steps
The settlements emphasize the importance of informed consent requirements for collecting biometric information under Texas’s CUBI and other biometric information privacy laws. Employers may want to review and potentially adjust their practices around the collection and use of biometric data, especially with the expansion of comprehensive privacy laws in various states.
Ogletree Deakins will continue to monitor developments and will provide updates on the Cybersecurity and Privacy, Technology, and Texas blogs.
Follow and Subscribe