Go Ahead and Mess with Texas -- The AG Won’t Mind?
Privacy Plus+
Privacy, Technology and Perspective
Go Ahead and Mess with Texas -- The AG Won’t Mind? This week, let’s consider the current state of enforcement of biometric data laws, covering fingerprints, hand and face geometry, retina scans, voiceprints, and more.
Currently, three states have enacted specific biometric data laws: Illinois (740 ILCS 14), Texas (Tex. Bus. & Com. Code § 503.001) and Washington (RCW § 19.375). In addition, other states, like California, have introduced privacy laws covering biometric information in their definition of “personal information.”
But devoted followers of biometric data law all realize that despite the laws that are on the books across these jurisdictions, Illinois is where the action is.
Why? Because Illinois’ Biometric Information Privacy Act (“BIPA”) is the only law with a private right of action that allows plaintiffs to recover liquidated damages (of up to $5,000 or actual damages, whichever is greater) and attorneys’ fees.
Texas’ biometric data law, called “The Texas Capture or Use of Biometric Identifier Act” (CUBI) was enacted way back in 2009, with a penalty of up to $25,000 for each violation.
Briefly, CUBI provides as follows:
With some exceptions, for anyone who captures “biometric identifiers” (defined as eye scans, fingerprints, voice prints, or records of hand or face geometry) for “commercial purposes” (not specifically defined). CUBI requires:
- Informed consent before sale, lease, or disclosure of biometric information;
- Storage and protection of biometric information; and
- Destruction within the lesser of a reasonable time or one year after collection.
You may read the text of CUBI by clicking on the following link:
https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm
You might think a statute more than ten years old that provides for civil penalties of up to five (5) times as much as Illinois’ would have attracted attention by now, but it hasn’t. Until very recently, CUBI has lain quietly in the wide-open prairies of Texas law, “the world forgetting, and by the world forgot” except in privacy circles. CUBI has always confided its enforcement to the Texas Attorney General; and as far as we can tell, that office has been occupied with other things ever since.
That may be about to change, in part, because of the present circumstances.
Recently, there has been a flurry of court decisions that have concluded that the Illinois’ BIPA protects plaintiffs’ concrete privacy interests, and rejected the dismissal of BIPA cases, judging that a violation of Illinois’ BIPA is sufficient to confer Article III standing. For example:
- Bryant v. Compass Grp. USA, Inc., 20-1443 (7th Cir. May 5, 2020) (“This regime is designed to protect consumers against the threat of irreparable privacy harms, identity theft, and other economic injuries arising from the increasing use of biometric identifiers and information by private entities. As a matter of state law, anyone ‘aggrieved’ by a violation of the disclosure and informed consent obligations is entitled to bring a private action against the alleged offender.”)
- Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197, 1207 (Ill. 2019) (concluding that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under [BIPA], in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” )
- Patel v. Facebook, 932 F.3d 1264, 1266 (9th Cir. 2019) (“Because a violation of the Illinois statute injures an individual's concrete right to privacy, we reject Facebook's claim that the plaintiffs have failed to allege a concrete injury-in-fact for purposes of Article III standing.”
The Ninth Circuit’s decision in Patel v. Facebook specifically found that Facebook’s facial-recognition and photo-tagging did “actually harm or pose a material risk of harm” to the plaintiffs’ “concrete privacy interests,” and the Supreme Court denied certiorari.
Shortly afterwards, Facebook announced it would settle the suit for $550 million – a figure soon increased to $650 million. This week, that settlement has been approved by the court, and a link to an article describing that development follows:
https://www.courthousenews.com/judge-approves-650-million-settlement-in-facebook-biometric-case/
Perhaps realizing that Texas has nearly twice as many people and five times the BIPA penalty ceiling as Illinois, that kind of number has gotten the Texas AG’s attention at last.
Just a few weeks ago, Axios reported that the Texas AG has sent Facebook a Civil Investigative Demand for documents, interrogatory answers, identities of Facebook’s retained experts, deposition transcripts, and all motions and pleadings:
In 1985, the Texas Department of Transportation introduced its mildly menacing “Don’t Mess with Texas” anti-litter campaign. Over the years its red, white and blue trashcans and design have become iconic not just for keeping highways clean, but for other warnings as well.
Perhaps CUBI will be one of them.
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.