Summary
In February 2022, Texas Attorney General Ken Paxton sued Meta (formerly known as Facebook), alleging that Meta unlawfully captured the biometric identifiers of Texans for commercial purposes without obtaining informed user consent and retained the data for an extended period, in violation of the Texas Capture or Use of Biometric Identifiers Act (CUBI). In late July 2024, Meta agreed to settle all claims for $1.4 billion. This settlement marks the largest amount ever obtained from a single state action, surpassing the $390 million settlement a group of 40 states secured from Google in late 2022.
Facts of the Case
Biometric Data Collection
Facebook offers a face-tagging feature allowing users to tag individuals in photos and videos by name. In 2010, Facebook introduced an additional "Tag Suggestion" feature, which uses facial recognition algorithms to analyze the geometry of faces in user-uploaded content, and matches captured facial geometry with its database to suggest names for tagging. While initially only applied to photos, the feature eventually extended to analyzing faces in videos.
Under the CUBI, face geometry falls within the scope of"biometric identifier," which encompasses identifiers like retina scans, fingerprints, voiceprints, and records of hand or face geometry. As such, Meta's technology constitutes the collection and processing of biometric identifiers and Meta is obligated to comply with CUBI's provisions.
According to CUBI §503.001(b), capturing a biometric identifier for commercial purposes requires informing the individual and obtaining their consent before the collection. However, Facebook failed to inform users or obtain their consent. Instead, it had been extracting users' facial geometries from uploaded content under the guise of social sharing, and subsequently, disclosed, unlawfully retained, and profited off of the biometric data. The Attorney General claimed that Facebook's practices involved unlawfully capturing biometric data from both users and non-users. In the latter situation, those individuals have no avenue to be informed of the practice or contest the exploitation.
Disclosure of Biometric Identifiers for Commercial Purposes
The Attorney General reasoned that Facebook has been disclosing biometric identifiers of both users and non-users and each possession of biometric identifier servers a commercial purpose for Facebook. Under CUBI §503.001(c), a person possessing biometric identifiers for commercial purposes cannot sell, lease, or otherwise disclose them without consent, except under specific conditions, such as at the disappearance or death of the individual, or where the disclosure is required by law. None of these exemptions apply to Meta's case.
Extensive Retention of Data
CUBI mandates the deletion of biometric identifiers within a reasonable time, not exceeding one year after the collection purpose expires. The Attorney General cited findings from a 2009 FTC investigation, which revealed that Facebook continued to access photos of users who had deleted their accounts. The lawsuit argued that Facebook's failure to promptly delete the data not only breached legal duties but also increased risks to the data concerned. The Attorney General further states that, since Facebook's possession of biometric identifiers in the first instance was unlawful, maintaining possession of these biometric identifiers for any period of time is therefore unreasonable and in violation of the law. .
Deceptive Business Practices
Beyond data privacy concerns, the Attorney General also accused Facebook of misrepresenting its collection and use of biometric identifiers, failing to disclose critical information, and thereby violating Texas' Deceptive Trade Practices Act.
Penalty and Damages
In the 2022 lawsuit, the Attorney General sought civil penalty of up to $25,000 for each CUBI violation and up to $10,000 for each Deceptive Trade Practices Act violation. The parties eventually agreed on a settlement this July, with Meta paying $1.4 billion, including a first installment of $500 million due within 30 days.
Insight
This is not the first time Meta has faced biometric data lawsuits in the U.S. for extracting facial geometry from users' content. In 2019, the FTC fined Meta over $5 billion for its opaque use of biometric data, among other issues. In 2021, Meta settled a similar lawsuit in Illinois for $650 million. Earlier this year, the Ninth Circuit finalized a case involving Meta and a non-Facebook user, Zellmer, concerning the use of his photos uploaded by a friend (see our previous discussion on this case).
While Illinois' Biometric Information Privacy Act (BIPA) often dominates conversations about biometric data privacy, this case demonstrates that Texas and other states also have robust biometric-specific regulations. It underscores the importance for enterprises handling biometric data to be aware of and comply with applicable laws. In practice, even if a state lacks specific regulations for biometric data, companies should still exercise reasonable care in handling sensitive personal information, ensuring that all users are afforded a common baseline standard of protection.
