Clifford Chance

On February 14, 2022, Texas Attorney General Ken Paxton sued Meta over its allegedly illegal collection and use of Texans' biometric data to develop and improve its facial recognition technology, seeking billions of dollars in damages. The suit is the first significant action in Texas alleging a violation of the state's biometric data privacy law, demonstrating that the law has teeth and that state enforcers are not afraid to bite.

In recent years, the Illinois Biometric Information Privacy Act (BIPA) has dominated headlines with respect to biometric privacy. The law's strict consent requirements and its private right of action, which provides for damages of up to $5,000 per violation, created significant liabilities for companies that collect and use biometric identifiers of Illinois residents— including a $650 million class action settlement just last year against Facebook. Now it appears that Texas is jumping into the fray with its suit against Meta, alleging much of the same facial recognition practices raised in the BIPA class action.

Texas's Capture or use of Biometric Indentifier Act (CUBI)

Enacted in 2009, CUBI prohibits companies from collecting a person's biometric identifiers for a commercial purpose unless the company first provides notice to the individual and obtains consent. The law also prohibits companies from selling or disclosing biometric identifiers to third parties, outside of a few exceptions. Biometric identifiers that the company collected must be destroyed within a "reasonable time" and no later than one year after "the purpose for collecting the data expires." "Biometric identifier" is defined to include a person's retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.

The most notable distinction between the Texas law and BIPA is the law's penalty provisions. CUBI provides for a civil penalty of up to $25,000 for each violation, but only empowers the Texas Attorney General to bring an enforcement action. So while CUBI's penalties are significant—up to $25,000 per violation versus BIPA's $5,000—the risk of litigation is mitigated by the fact that there is no private right of action. However, Texas's Deceptive Trade Practices Act (DTPA), which Meta is also alleged to have violated, does create a private right of action for aggrieved Texans to recover damages for economic harm or emotional distress.

The Allegations

The lawsuit, filed on February 14 in a District Court in Harris County, alleges that DeepFace, Meta's facial-recognition technology, was developed in part by collecting and using the biometric data of millions of Texans without their consent, in violation of CUBI and DTPA. The complaint alleges four causes of action based on Meta's: (1) illegal capture of biometric data; (2) use of biometric data without consent; (3) failure to timely destroy biometric data; and (4) deceptive acts and practices when it misled Texans about its collection and use of their biometric data.

Facebook allows its users to upload photos or videos to the platform to share with other Facebook users. Users who upload photos or videos to the platform can "tag" individuals in the picture or video, regardless of whether those individuals are Facebook users. In 2010, Facebook introduced "Tag Suggestions," which allegedly applied the company's proprietary facialrecognition technology to analyze facial geometry records of users and nonusers to "suggest" the identity of an individual in a photo. Users could then accept the suggested "tag" or reject it and enter their own "tag." The complaint alleges that Facebook never fully disclosed that the company used this data to train and improve its facial recognition technology.  Furthermore, Facebook allegedly avoided using terms like "biometric" when describing the Tag Suggestions feature because it purportedly believed that doing so would scare consumers away from using it.

While many of the allegations involving Tag Suggestions mirror those in the settled BIPA class action, the Texas complaint notably goes further and accuses Meta of implementing facial recognition technology in its Instagram service, despite promising users that it would not do so. The suit alleges that Meta secretly harvested data from photos uploaded to Instagram and used the data to train its facial-recognition technology.

The complaint demands a jury trial and seeks billions of dollars in civil penalties from Meta, arguing that it has committed "countless" violations of unlawful biometric data collection.

Takeaways

Consumers and regulators have been increasingly focusing on how companies use and monetize personal data and raising their concerns in courts. Texas's lawsuit is confirmation that BIPA was just the tip of the biometric data litigation iceberg. States and cities around the country have recently enacted their own laws protecting biometric information, including California, Washington, and New York City. Numerous other jurisdictions are proposing their own versions of these laws. Furthermore, Texas's lawsuit serves as a reminder that state enforcers, like private litigants, may look not only to data privacy laws to litigate alleged mishandling of data, but also to good old unfair trade practices laws, which exist in every state. It is now more important than ever that a company's collection and use of biometric data comply with all applicable laws. Failure to do so can have severe consequences, a costly lesson that Meta and others are continuing to face