Article

Meet CUBI—What Companies Need to Know About Texas’ Biometric Privacy Law

Recently, Illinois’ sweeping biometric privacy law—the Illinois Biometric Information Privacy Act (“BIPA”)—garnered headlines in connection with a landmark settlement involving Facebook’s agreement to pay a staggering $650 million to settle a longstanding BIPA dispute.

And while it has received less fanfare than its Illinois counterpart, Texas maintains its own biometric privacy statute—the Capture or Use of Biometric Identifier Act (“CUBI”). Importantly, CUBI also poses substantial risk for noncompliance. Entities doing business in the Lone Star State utilizing biometric data—or considering doing so—are well-advised to ensure compliance with CUBI to mitigate their own liability.

Overview of Biometric Data

Biometric data encompasses unique, measurable human biological or behavioral characteristics—including fingerprints, facial geometry, iris/retina scans, and voiceprints—used primarily for authentication and identification purposes.

The use of biometric data, however, comes with significant risks. Most importantly, passwords can be changed. Conversely, fingerprints, facial geometry, and iris scans cannot. Thus, once compromised, an individual’s biometric data has forever lost its ability to be used as a secure identifying feature.

History of CUBI

Several states have enacted targeted biometric privacy laws to regulate the collection and use of biometric data by business entities.

Overall, Illinois’ BIPA is generally considered the most stringent. Under BIPA, a private entity cannot collect or store biometric data without first providing notice, obtaining written consent, and making certain disclosures. BIPA also contains a private right of action that permits recovery of statutory damages between $1,000 and $5,000 by any “aggrieved” person.  This combination of terms has generated a tremendous amount of class litigation from consumers alleging mere technical violations.

Following BIPA’s enactment in 2008, a year later Texas passed its own biometric privacy law, CUBI, which imposes similar requirements relating to notice, consent, prohibitions on disclosures, and mandatory data security measures.

Aside from BIPA and CUBI, in 2017, Washington followed suit by becoming the third state to enact a targeted biometric privacy law, HB 1493.

Applicability

CUBI applies to the collection of “biometric identifiers” for “commercial purposes.”

Biometric identifier is defined as a “retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.”

“Commercial purpose” is not, however, defined by the statute. In the absence of additional guidance, companies should assume a commercial purpose includes the collection and use of biometric data for any business purpose or related purpose tied to company operations.

Core CUBI Requirements

Generally speaking, CUBI requires the following:

• Notice & Consent: For a company to “capture” a biometric identifier for a “commercial purpose,” it must first: (1) provide notice; and (2) obtain the individual’s consent to capture his or her biometric identifier.
• Retention & Destruction: Companies must destroy biometric identifiers within a “reasonable time,” and no later than one year after the initial purpose for collecting the biometric identifier has been satisfied (subject to limited exceptions). For employers, the purpose for collecting biometric data for “security” reasons (also not defined by the statute) is presumed to expire upon termination of the employment relationship.
• Prohibition on Sale, Lease, or Disclosure: Companies are prohibited from selling, leasing, or disclosing biometric identifiers in their possession to any third party unless one of four exceptions applies: (1) the individual consents to the disclosure for identification purposes in the event of his or her disappearance or death; (2) the disclosure completes a financial transaction requested or authorized by the individual; (3) the disclosure is required or permitted by federal or state statute; or (4) the disclosure is made in response to a warrant.
• Data Security: Companies must store, transmit, and protect biometric data using “reasonable care” and in a manner that is the same or more protective than the manner it stores, transmits, and protects other types of sensitive personal information.

Penalties & Enforcement 

Violations of CUBI may subject an entity to civil penalties of up to $25,000 per violation, with no maximum cap. The power to enforce CUBI rests exclusively with the Texas Attorney General—which is currently investigating Facebook for alleged improper biometrics practices.

Despite Lack of Private Right of Action, Significant Liability Exposure Remains 

Although CUBI lacks a statutory private right of action, it still poses substantial potential civil exposure for noncompliance. As just one example, a business that employs only 100 workers and is found to have violated CUBI’s notice and consent requirements could face up to $2.5 million in potential exposure where noncompliance in connection with each individual employee is deemed a separate and independent “violation.”

What to Do Now

Texas businesses utilizing biometric data (or considering doing so) should take immediate action to implement an adaptable biometric privacy compliance program that directly addresses CUBI’s requirements—but that also maintains enough flexibility to comply with similar, future biometric privacy laws.  Companies should consider the following:

• Data Mapping: Conduct a data mapping and inventory exercise—which entails mapping and inventorying every piece of biometric data collected, used, and sold by the company, as well as its data processing practices. Doing so will allow companies to proactively manage and safeguard biometric data, build out the privacy disclosures that are essential to complying with today’s biometric privacy laws, and satisfy CUBI’s data destruction requirements.

• Privacy Policy: While companies are not required to maintain a biometrics-specific privacy policy under CUBI, it is nonetheless recommended companies do so as a best practices. At a minimum, this policy should provide clear notice biometric data is being collected, used, and/or stored; the current and reasonably foreseeable purposes for which the company uses biometric data; and the company’s guidelines and schedule for the permanent destruction of biometric data.

• Notice: Provide written notice—prior to the collection of any biometric data—that conspicuously informs individuals biometric data is being collected, used, and/or stored by the company; how that data will be used and/or shared; and the length of time over which the company will retain the data until it is permanently destroyed.

• Consent: Obtain unequivocal consent from all individuals prior to collection that permits the company to collect the individual’s biometric data and allows both the company and its vendors/service providers to use such data for business purposes. While not expressly required by CUBI, ideally this consent should be obtained in writing via a signed release/consent form.

• Mechanisms to Ensure No Sale, Lease, or Disclosure of Biometric Data: Implement mechanisms to ensure no biometric data is sold, leased, or disclosed to third parties by the company, its employees, or any related parties.

• Retention & Destruction Policies: Implement policies and mechanisms to ensure all biometric data in the company’s possession is destroyed within a reasonable time, and no later than one year after the initial purpose for collecting the data has ended.

• Data Security: Implement data security measures to protect all biometric data that satisfies the “reasonable care” standard and which protects biometric data in a manner that is the same or more protective than other types of sensitive personal information is protected.

• Consult With Experienced Biometric Privacy Counsel: Consult with experienced biometric privacy counsel before implementing any type of biometric technology to ensure compliance with CUBI and, from a broader perspective, with the constantly-evolving biometric privacy legal landscape.

Conclusion 

The responsible use of biometric data by commercial entities continues to be a popular topic of national conversation. The use of biometrics has also received a significant amount of negative press in recent months stemming from allegedly improper or controversial uses of this technology.  All of this has put significant pressure on regulators to strictly enforce the current biometric laws.

As such, companies that operate in Texas must take proactive measures immediately—if they have not already done so—to ensure compliance with the Lone Star State’s biometric privacy requirements.

And from a broader perspective, companies that may not currently be subject to any biometric regulation should take proactive measures to construct flexible, adaptable biometric privacy compliance frameworks that integrate the common elements required across the current biometric privacy. Doing so now will put companies in a position where only small adjustments will be needed to ensure compliance with new laws.

“Meet CUBI—What Companies Need to Know About Texas’ Biometric Privacy Law,” by Jeffrey N. Rosenthal, David J. Oberly, and Zachary J. Wyatte was published in Texas Lawyer on October 5, 2020.

Reprinted with permission from the October 5, 2020, edition of Texas Lawyer © 2020 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, reprints@alm.com or visit www.almreprints.com.