CUBI: Everything You Need to Know About Texas' Biometric Law and Beyond...

As companies continue to take advantage of developing technologies that use biometric information, it is crucial that businesses and legal practitioners alike stay informed of the legal and compliance concerns associated with the use of such information. For instance, companies conducting business in Texas should be aware of the Capture or Use of Biometric Identifier Act (“CUBI”) (Tex. Bus. & Com. Code §503.001). Passed in 2009, CUBI regulates biometric identifiers that are used for a “commercial purpose.” Although “commercial purpose” is not defined by CUBI and Texas courts have yet to meaningfully interpret the phrase in that context, Texas courts have construed the term broadly in other contexts where no definition is available (see, e.g., Texas’ Product Liability Act, Tex. Bus. & Com. Code §503.001, et al.). CUBI-related concerns have created a buzz around employers’ use of kiosks and other devices for contact tracing and other purposes, as practitioners believe that any collection of biometric identifiers for these purposes will likely fall within CUBI’s restrictions. Importantly, while CUBI does not itself authorize a private cause of action, the Texas Attorney General is empowered to pursue violators, who are subject to a civil penalty of up to $25,000 per violation.

Overview of CUBI

CUBI defines “biometric identifier” to include iris or retina scans, fingerprints, voice prints, and hand or face geometry. Under CUBI, a company may capture a biometric identifier for a commercial purpose only if it (1) provides notice to the individual before the biometric identifier is captured and (2) obtains the individual’s consent to capture that identifier. Once a company has captured and stored biometric identifiers, CUBI prohibits it from selling, leasing, or otherwise disclosing them, subject to the following exceptions: (1) the individual consents to the disclosure for identification purposes in the event of disappearance or death, (2) the disclosure completes a financial transaction requested or authorized by the individual, (3) the disclosure is required or permitted by federal or state statute, or (4) the disclosure is made in response to a warrant.

Under the law, companies are required to store, transmit, and protect biometric information using “reasonable care,” and in a manner that is the same as, or more protective than, the manner in which they store, transmit, and protect other types of sensitive information. Once a company no longer has a use for a biometric identifier, the identifier must be destroyed within a “reasonable time” and no later than one year after the initial purpose for collecting it has expired. Under CUBI, if an employer collects and uses biometric identifiers for “security” reasons, the employer’s justification for using that information expires upon termination of the employment relationship. Accordingly, an employer should destroy an employee’s biometric information as soon as possible once the employee quits or is terminated.

Practical Considerations for Businesses State by State

Texas is one of a handful of states that have passed biometric legislation. Illinois enacted its Biometric Information Privacy Act[1] (“BIPA”) in 2008. Texas followed suit in 2009, and Washington enacted its biometric privacy law in 2017.[2] Other states, such as Louisiana[3] and Arkansas[4], have expanded the statutory protections relating to data breaches to include biometric information. The California Consumer Privacy Act[5] (“CCPA”) and New York’s Stop Hacks and Improve Electronic Data Security Act[6] (the “SHIELD Act”) provide similar protection. While the state statutes share many similarities, there are some key differences that companies and legal professionals should be aware of.

Illinois

BIPA is the first and oldest biometric regulation in the United States, and is considered by many to be the most comprehensive. BIPA regulates the collection and storage of biometric information including “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”[7] Under BIPA, private companies that collect and use biometric information must have a written policy, schedule and guidelines for its collection, retention, and destruction of the collected data.[8]  BIPA also requires advance disclosure and a written release from the subject or employee whose information is going to be collected.  BIPA allows for a private right of action, and Illinois state and federal courts have become hotbeds for litigation in this area.

Washington

As with CUBI, Washington’s biometric privacy law addresses the “enrollment” of a biometric identifier in a database for a commercial purpose. RCW §19.375.020 defines “biometric identifier” as “data generated by automatic measurements of an individual’s biological characteristics,” such as “fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.”  However, unlike CUBI and BIPA, Washington law does not protect hand or face geometry.

Moreover, unlike BIPA and CUBI, Washington’s law limits its focus to the enrollment process of biometric identification rather than regulating more broadly the capture and possession of biometric identifiers. The enrollment process consists of the biometric identifier’s data being captured, converted into a reference template that cannot be reconstructed into the original output image, and stored in a database that matches the biometric identifier to a specific individual. If an entity does not enroll biometric data in the manner specifically laid out in RCW §19.375.020, the Act does not impose its notice and consent requirements. Unlike Texas and Illinois, Washington’s law also includes a broad security exception that exempts entities collecting and storing biometric data for a “security purpose.” Finally, Washington’s law contains a carve-out for data generated from digital photographs and audio recordings, a provision that meaningfully affects technology companies operating social networking and photo storage websites.

Arkansas

Arkansas’ amendment to its breach notification law became effective in July 2019. The state amended its law by expanding the definition of covered information under its data breach response law to include biometric data, such as an individual’s voiceprint, handprint, fingerprint, DNA, retinal or iris scan, hand geometry, faceprint, or any other unique biological characteristic. Companies are required to report any breach that affects 1,000 or more individuals to the Arkansas Attorney General.  Notably, Arkansas law does not create a private right of action for a biometric violation. 

California

California’s CCPA expanded the state’s existing privacy and information security regulatory framework to include protections for biometric data. Biometric data under the CCPA is defined as “an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish an individual’s identity.” The CCPA specifies that a consumer “shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” The CCPA applies to businesses earning annual revenue in excess of $25 million, collecting personal information concerning 50,000 or more people or devices, or receiving more than 50% of their annual revenue from the sale of personal information.

Like BIPA, the CCPA provides consumers with a private right of action, but only in a very limited set of circumstances. Specifically, consumers are able to file an individual or class action suit when their personal data is breached and the company has violated its duty to implement and maintain reasonable security measures.[9] While the private right of action is limited, companies should be cautious not to underestimate the risks associated with the CCPA. Since its enactment, plaintiffs have aggressively filed class actions based on CCPA violations, such as the February 2020 lawsuit against Clearview AI in connection with its use of facial recognition technology. The CCPA is also used as a predicate claim for causes of action under California’s plaintiff-friendly Unfair Competition Law.

New York

Finally, New York’s SHIELD Act revised the state’s breach notification law to include biometric information under its definition of “personal information.” Under New York law, “biometric information” is defined as “data generated by electronic measurements of an individual’s unique physical characteristics, such as fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity.” The Act requires any person or business that owns or licenses computerized data that includes private information of a New York resident to develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of that information. The SHIELD Act does not create affirmative rights for New York residents, although the Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. Courts are empowered to impose penalties of the greater of $5,000 or up to $20 per instance, with a cap of $250,000.

State Biometric Laws On the Horizon

Several states have pending legislation in this area, including Delaware,[10] Michigan,[11] Massachusetts,[12] Arizona,[13] and Alaska.[14]  It is only a matter of time before such protections are afforded in some form or another by all fifty states. 

Clearly, biometric information is subject to important legal protections, and the regulatory landscape in this area will, of course, continue to evolve.  It is therefore critical that corporations develop and implement policies that are designed to protect biometric identifiers, and these policies must become an integral part of any company’s corporate risk management practices.  

[1] 740 ILL. COMP. STAT. 14/1, et seq.

[2] RCW §19.375.020

[3] Data Breach Security Notification Law, Louisiana Revised Statutes 51:3071, et seq.

[4] Personal Information Protection Act, Ark. Code §4-110-101.

[5] Cal. Civ. Code § 1798.100.

[6] N.Y. Gen. Bus. Law §899-bb.

[7] 740 ILCS 14/10.

[8] 740 ILCS 14/15(a).  

[9] Cal. Civ. Code § 1798.150(a).

[10] H.B. 350

[11] H.B. 72

[12] H.B. 1215

[13] H.B. 2729

[14] H.B. 72
