Legal and data protection research writer at TermsFeed.
On this page
- 1. Biometric Data Overview
- 2. Specific Biometric Data Types and Uses
- 3. Texas's Biometric Privacy Law
- 3.1. Central CUBI Requirements
- 3.2. Penalties for Violating CUBI
- 3.3. No Private Right of Action Under CUBI
- 4. Compliance with Texas's Biometric Privacy Law
- 4.1. Data Mapping and Inventory Exercise
- 4.3. Provide Written Notice
- 4.4. Obtain Consent
- 4.5. Ensure No Sale of Data
- 4.6. Retention & Destruction Policies
- 4.7. Ensure the Data is Secure
- 5. Summary
Quantum leaps forward in biometric technologies now allow companies in the private sector and law enforcement and government institutions around the world to enhance security in ways that were only dreamed of just ten years ago.
However, while advocates of the technology push its apparent benefits to the law enforcement and security sectors, naysayers condemn the blatant risk to personal freedoms that biometric advances bring.
Lawmakers in many regions recognize the dangers and have sought to minimize them, particularly within the private sector. For example, in the first months of 2021, New York and Maryland introduced new legislation concerning biometric data.
However, legislators across America and elsewhere have essentially given a free pass to how government-run institutions and law enforcement use biometric data. Indeed, many biometric laws specifically exempt these organizations.
That blank check could be seen as a problem since it assumes the police, three-letter agencies, and others in government are above abusing the incredible power biometric technologies provide.
It remains to be seen whether those in state congresses will recognize the holes in their legislation and move to address the problems inherent in focusing attention on limiting the private sector while providing what many see as carte blanche to the public sector.
In this article, we'll look at Texas's Capture or Use of Biometric Identifier Act ("CUBI"), signed into law by former governor Rick Perry in 2009. The law puts controls on biometric data used to identify individuals for a "commercial purpose."
Unfortunately, CUBI doesn't define "commercial purpose," so it has been left to the courts to interpret the law. We'll continue examining Texas's efforts to protect its residents' biometric data in a moment, but first, let's look at what actually comprises biometric data.
Biometric Data Overview
Biometric data comprises things like hand geometry, scans of faces, voiceprints, fingerprints, and retinal scans. Each of these is now used regularly to authenticate an individual's identity.
For example, fingerprint and facial recognition are commonly used to log in to smartphones or to authenticate credit card transactions.
Biometric data is also used within commercial settings in a variety of other ways. For example, it is used at airports to verify passenger identities before flights, to authenticate users for computer and mobile logins, and to track employee attendance.
To bring that home to you, consider the following:
Suppose you own an Android phone. Every time you ask Google Assistant or, say, Samsung's Bixby for information or unlock your phone, or access a bank account with your fingerprint, you're using biometric data to unlock those features.
Law enforcement frequently uses biometric information, such as audio and video footage, to analyze how an individual walks and talks. They can use it to study face shapes and expressions. The authorities might also collect DNA and fingerprints at a crime scene.
The healthcare industry also routinely uses biometric data. For instance, doctors may ask for retinal scans, genetic tests, and more.
However, what happens if someone steals that information? A thief could conceivably rob you of your entire identity. When biometric information is compromised, it can't be used as a security and authentication mechanism anymore.
Specific Biometric Data Types and Uses
Facial Recognition: Often used to unlock laptops and smartphones, this type of biometric data is also used in security and law enforcement. It measures an individual's facial patterns by comparing and analyzing the face's contours.
Iris Recognition: Frequently seen in spy movies, this kind of biometric information isn't used in commercial settings most of the time. Instead, most often, government institutions and high security installations use the technology to scan an individual's iris patterns, which is the colored part around the pupil.
Fingerprint Scanner: This technology is commonly used to scan the ridges and valleys unique to the individual. Many smartphones now use a person's fingerprints as a kind of password and to unlock various features. Today, some companies have started using fingerprint scanners in their laptops, too.
Voice Recognition: This tech is used to verify an individual's identity by measuring the sound waves in the voice. An example of how the technology can be used is when someone calls in to ask about their bank account. As mentioned above, many companies now use voice recognition to provide users with information, as when asking questions of Amazon's Alexa or Apple's Siri.
Hand Geometry: Originally used back in the 1980s, this technology was one of the first major ways biometric data was used. Hand scanning devices measured and recorded the surface area of your hand, taking note of its width and length. Government institutions used them primarily for security reasons.
Behavior Characteristics: Used to assess who you are, this biometric data encompasses everything from how you walk to the way you type on your keyboard to the way you write. It's all measured and recorded.
Texas's Biometric Privacy Law
Considered similar in many ways to Illinois' Biometric Information Privacy Act (BIPA), Texas's biometric privacy law isn't as well-known. However, companies doing business in the Lone Star State would be wise to be aware of what the law requires in order to lessen the risk of liability.
As mentioned earlier, the Texas statute limits the commercial use of biometric information. Specifically, those limits apply to "biometric identifiers," which are defined as retinal or iris scans and "fingerprint, voiceprint, or record of hand or face geometry."
To date, the state's courts have interpreted the "commercial use" of biometric identifiers in an expansive sense. As a safe default, businesses may wish to apply CUBI's requirements to all of their operations and not only to the collection and use of biometric data for business purposes.
Central CUBI Requirements
By and large, the central requirements of CUBI are as follows:
- Notice & Consent: A company must provide notice and acquire the consent of an individual before it can "capture" that person's biometric identifier for a "commercial purpose."
- Retention & Destruction: Biometric identifiers must be destroyed within a "reasonable time." The law provides a window of one year in which companies can retain biometric data. The countdown begins after the purpose for which the data was collected has been satisfied. After that period, the company no longer has a right to the data. If you collect biometric data from your employees for (undefined) "security reasons" connected to someone's employment, your right to the data expires when the employment relationship ends.
- Prohibition on Sale, Lease, or Disclosure: A company is not allowed to sell, lease, or disclose to third parties any biometric data unless an exception applies. There are four. These exceptions are when (A) an individual agrees that his or her data may be disclosed if he or she disappears or dies, (B) the individual requests or authorizes a financial transaction and the disclosure of data is necessary to complete that transaction, (C) when a federal or state law requires or permits such disclosure and (D) when the disclosure is made due to the issuance of a warrant.
- Data Security: A company must take "reasonable care" when storing, transmitting, and protecting biometric information. Additionally, it must ensure that the method it uses to secure biometric data is the same as, or greater than, the way in which it stores, transmits, and protects other kinds of personal data.
Penalties for Violating CUBI
Companies that violate CUBI's regulations may be subject to fines of up to $25,000 per infringement. There is no cap, which means that penalties could run into the hundreds of thousands if not millions of dollars depending on the number of your violations.
Texas's Attorney General has the sole power to enforce CUBI. To illustrate, in June 2020 the attorney general's office opened an investigation into Facebook for illegally harvesting biometric data.
No Private Right of Action Under CUBI
CUBI does not provide for a private right of action. However, that doesn't mean there is no risk of civil exposure if your business fails to comply with the law. As noted above, each violation carries a penalty of $25,000.
In practical terms, suppose a company has 50 employees. If it failed to comply with CUBI's requirements by collecting biometric data on each of those employees without following the law's notice and consent rules ... it would potentially be liable for up to $1.2 million.
Compliance with Texas's Biometric Privacy Law
If your company operates in Texas and uses biometric data or is considering it, you should create and implement a compliance program if you haven't done so already. That program should be adaptable as the law could be amended or replaced entirely. You'll want your company to be flexible enough to roll with the punches in such an event.
To do that, your biometric privacy compliance program should incorporate the following best practices.
Data Mapping and Inventory Exercise
Every piece of biometric information that you collect, use, or sell, along with your data processing practices, should be mapped and inventoried. By doing that, you'll better manage and safeguard that data in a proactive fashion.
You'll also be able to write clear and transparent privacy disclosure notices that are vital to compliance with CUBI and other existing biometric data laws. (You will also know which data needs to be destroyed and when.)
You should also explain why you collect the data, how you protect it, and the rules and schedule under which you'll permanently destroy it.
Provide Written Notice
Ideally, you should place the written notice in a prominent location or at the point of collection ... so that an informed person can provide or decline consent.
Obtain Consent
You must acquire clear and explicit consent from those whose biometric data you intend to collect. That consent is necessary for you to use collected data for business purposes.
CUBI doesn't detail the precise manner that you must obtain consent. However, a best practice is to acquire consent by using a signed release/consent form.
Ensure No Sale of Data
You should make sure that you have a mechanism in place that prevents biometric data from being sold, leased, or disclosed to any third party by the company or its employees.
Retention & Destruction Policies
Make certain that you have a mechanism in place to ensure that all biometric data your company possesses is destroyed within a "reasonable time frame."
The definition of a "reasonable time frame" is one year from the moment the initial purpose for collecting the information has ended.
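As an added illustration of the inventory, notice and consent, retention, and no-disclosure mechanisms described in the compliance sections above, here is a small Python inventory audit. It is example code written for this page, not code from the article or from TermsFeed. The record fields, the short labels used for the four disclosure exceptions, the way the one-year window is measured (from the date the purpose of collection ended, as the article describes), and the sample records are all assumptions constructed for illustration.

```python
"""Biometric data inventory with CUBI-style compliance checks.

Added example (not from the TermsFeed article). The record fields, the
one-year retention window measured from the end of the purpose of
collection, the labels for the four disclosure exceptions and the sample
inventory are all assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

RETENTION_WINDOW = timedelta(days=365)   # destroy within one year of the purpose ending
PENALTY_PER_VIOLATION = 25_000           # per-violation figure quoted in the article

# The four disclosure exceptions the article lists, as short labels
# (the labels are an assumption; the exceptions are the statute's).
PERMITTED_DISCLOSURE_BASES = {
    "consent_death_or_disappearance",    # (A) individual agreed, for death/disappearance
    "requested_financial_transaction",   # (B) needed to complete a requested transaction
    "required_or_permitted_by_law",      # (C) federal or state law requires/permits it
    "warrant",                           # (D) disclosure made under a warrant
}


@dataclass
class BiometricRecord:
    subject_id: str
    identifier_type: str                  # e.g. "fingerprint", "face geometry"
    purpose: str                          # why the identifier was captured
    notice_given: bool                    # written notice provided before capture
    consent_obtained: bool                # signed release/consent form on file
    collected_on: date
    purpose_ended_on: Optional[date] = None   # None means the purpose is still active
    # (recipient, basis) pairs; basis should be one of PERMITTED_DISCLOSURE_BASES
    disclosures: List[Tuple[str, str]] = field(default_factory=list)
    destroyed: bool = False


def destruction_deadline(rec: BiometricRecord) -> Optional[date]:
    """Date by which the identifier must be destroyed, or None while the purpose is active."""
    if rec.purpose_ended_on is None:
        return None
    return rec.purpose_ended_on + RETENTION_WINDOW


def end_employment(rec: BiometricRecord, last_day: date) -> None:
    """An employment-related purpose ends when the employment relationship ends."""
    rec.purpose_ended_on = last_day


def audit(records: List[BiometricRecord], today: date) -> List[Tuple[str, str]]:
    """Return (subject_id, finding) pairs for every record that fails a check."""
    findings = []
    for r in records:
        if r.destroyed:
            continue                      # nothing left to protect or disclose
        if not (r.notice_given and r.consent_obtained):
            findings.append((r.subject_id, "missing notice or consent"))
        deadline = destruction_deadline(r)
        if deadline is not None and today > deadline:
            findings.append((r.subject_id, "retention window exceeded"))
        for recipient, basis in r.disclosures:
            if basis not in PERMITTED_DISCLOSURE_BASES:
                findings.append((r.subject_id,
                                 f"disclosure to {recipient} without permitted basis"))
    return findings


def estimated_exposure(findings: List[Tuple[str, str]]) -> int:
    """Rough upper bound on penalties, one violation per finding."""
    return len(findings) * PENALTY_PER_VIOLATION


# Constructed sample inventory: an employee timekeeping scenario.
SAMPLE_INVENTORY = [
    BiometricRecord("emp-001", "fingerprint", "timekeeping", True, True, date(2021, 1, 15)),
    BiometricRecord("emp-002", "face geometry", "timekeeping", True, False, date(2021, 2, 1)),
    BiometricRecord("emp-003", "fingerprint", "timekeeping", True, True, date(2021, 3, 1),
                    purpose_ended_on=date(2022, 1, 10),
                    disclosures=[("payroll-vendor", "none")]),
    BiometricRecord("emp-004", "fingerprint", "timekeeping", True, True, date(2020, 6, 1),
                    purpose_ended_on=date(2020, 12, 31), destroyed=True),
]
end_employment(SAMPLE_INVENTORY[0], date(2021, 3, 31))   # emp-001 left the company
AUDIT_DATE = date(2022, 6, 1)

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY, AUDIT_DATE)
    for subject, finding in results:
        print(subject, "->", finding)
    print("estimated exposure: $", estimated_exposure(results))
```

Run as-is, the audit flags emp-001 (purpose ended on the last day of employment more than a year ago), emp-002 (no signed consent on file), and emp-003 (disclosed to a third party without one of the four permitted bases), while the already-destroyed emp-004 record is skipped. The deadline is computed from the date the purpose ended, not the collection date, which is the distinction the article draws.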
Ensure the Data is Secure
You must make certain that your security practices for biometric data are at least as strict as the measures you take to secure other kinds of sensitive personal data.
Summary
The regulation of biometric data and its use is increasing all over the world. Texas was one of the first three states in the USA to pass legislation designed to protect its residents from the misuse of biometric information in a commercial setting.
CUBI's core demands are as follows:
- Provide notice and acquire consent before collecting biometric data
- Retain biometric data for a maximum of one year after the purpose for which it was collected has been fulfilled. It must then be permanently destroyed
- No sale, lease, or disclosure of biometric data to any third party
- Biometric data must be protected at the same level or higher as all other sensitive, private information
Remember that while there is no private right of action, Texas's attorney general has the power to pursue companies that break the law. Each violation carries a penalty of $25,000.
With the above in mind, companies that do business in Texas (and in other states that have similar laws) should put together a flexible biometric data compliance program and follow it to mitigate the risk of liability.