Texas's Capture or Use of Biometric Identifier Act ("CUBI"), codified at Texas Business and Commerce Code section 503.001, was signed into law by former governor Rick Perry in 2009. The law restricts how a biometric identifier may be captured, used, stored, and disclosed when it is used to identify an individual for a "commercial purpose."
In this article, we'll look at what CUBI requires, how it helps protect consumers, and what steps you need to take to comply with it. We'll also look at potential penalties for not complying.
- 1. Biometric Data Overview
- 2. Specific Biometric Data Types and Uses
- 3. How to Comply with the Capture or Use of Biometric Identifier Act (CUBI)
- 3.1. Provide Notice and Obtain Consent
- 3.2. Have Data Retention and Destruction Limits in Place
- 3.3. Respect the Prohibition on Sale, Lease, or Disclosure of Biometric Data
- 3.4. Utilize Adequate Data Security
- 4. Best Practices for a Biometric Privacy Compliance Program
- 4.1. Conduct a Data Mapping and Inventory Exercise
- 4.2. Provide Written Notice
- 4.3. Obtain Consent
- 4.4. Ensure No Sale of Data
- 4.5. Have Retention and Destruction Policies
- 4.6. Ensure the Data is Secure
- 5. Penalties for Violating CUBI
- 5.1. No Private Right of Action Under CUBI
- 6. Summary
Biometric Data Overview
Biometric data comprises identifiers such as hand geometry, face geometry, voiceprints, fingerprints, and retina or iris scans; those are also the identifier types CUBI's definition of "biometric identifier" covers. Each is now used regularly to authenticate an individual's identity.
For example, fingerprint and facial recognition are ordinarily used to log in to smartphones or to authenticate credit card transactions.
Biometric data is also used in commercial settings in a variety of other ways. Airports use it to verify passenger identities before flights, and businesses use it to authenticate computer and mobile logins and to track employee attendance.
Consider the following:
Suppose you own an Android phone. Every time you unlock it with your face or fingerprint, let Google Assistant recognize your voice, or open a banking app with your fingerprint, you're relying on biometric data.
Law enforcement frequently uses biometric information. Audio and video footage can be analyzed for how an individual walks and talks and for face shape and expression, and investigators collect DNA and fingerprints at crime scenes.
The healthcare industry also routinely uses biometric data. For instance, doctors may ask for retinal scans, genetic tests, and more.
But what happens if that information is stolen? A password can be reset; a fingerprint or a face cannot. Once a biometric identifier is compromised it can no longer be trusted as an authentication factor, and whoever holds it may be able to impersonate you wherever that identifier is accepted.
Specific Biometric Data Types and Uses
Facial Recognition: Often used to unlock laptops and smartphones, this type of biometric data is also used in security and law enforcement. It measures an individual's facial patterns by comparing and analyzing the face's contours.
Iris Recognition: Frequently seen in spy movies, this kind of biometric information isn't used in commercial settings most of the time. Instead, most often, government institutions and high security installations use the technology to scan an individual's iris patterns, which is the colored part around the pupil.
Fingerprint Scanner: This technology is commonly used to scan the ridges and valleys unique to the individual. Many smartphones now use a person's fingerprints as a kind of password and to unlock various features. Today, some companies have started using fingerprint scanners in their laptops, too.
Voice Recognition: Speaker recognition verifies an individual's identity from characteristics of his or her voice, producing a "voiceprint." A typical use is confirming a caller's identity when he or she phones a bank about an account. Note the distinction from the speech recognition used by assistants such as Amazon's Alexa or Apple's Siri, which primarily interprets what is said; only when such a system identifies who is speaking is it handling a biometric identifier.
Hand Geometry: Originally used back in the 1980s, this technology was one of the first major ways biometric data was used. Hand scanning devices measured and recorded the surface area of your hand, taking note of its width and length. Government institutions used them primarily for security reasons.
Behavior Characteristics: Used to assess who you are, this biometric data encompasses everything from how you walk to the way you type on your keyboard to the way you write. It's all measured and recorded.
How to Comply with the Capture or Use of Biometric Identifier Act (CUBI)
The central requirements of CUBI are as follows.
Provide Notice and Obtain Consent
A company must provide notice and acquire the consent of an individual before it can "capture" that person's biometric identifier for a "commercial purpose."
Notice can be given in a document like ExamSoft's Notice of Collection of Biometric Data and Consent.
Your notice must let users know that you will collect their biometric data and what that means.
ExamSoft's notice, for example, states that its software application will collect things such as image scans and voice recordings.
Have Data Retention and Destruction Limits in Place
Biometric identifiers must be destroyed within a "reasonable time," and in any event no later than the first anniversary of the date the purpose for collecting them expires. The one-year clock does not start at collection; it starts when the purpose for which the data was captured has been satisfied. After that window closes, the company has no right to keep the data. CUBI also addresses employee data directly: if a biometric identifier is used for security purposes in connection with employment, the purpose is presumed to expire when the employment relationship ends, so the one-year destruction window begins on the employee's last day.
ExamSoft's notice, for example, states that it will keep biometric data only for as long as needed for the purpose it was collected.
Respect the Prohibition on Sale, Lease, or Disclosure of Biometric Data
A company is not allowed to sell, lease, or otherwise disclose a biometric identifier to a third party unless an exception applies.
There are four exceptions. Disclosure is permitted when (A) the individual consents to disclosure for identification purposes in the event of his or her disappearance or death; (B) the disclosure completes a financial transaction that the individual requested or authorized; (C) the disclosure is required or permitted by a federal or state statute; or (D) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant.
If you anticipate sharing biometric information under one of these exceptions, the usual approach is to ask for that consent at the same time you obtain consent to collect, as ExamSoft does in its notice.
Utilize Adequate Data Security
A company must store, transmit, and protect biometric identifiers from disclosure using "reasonable care," and must do so in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects any other confidential information it possesses. In practice this means biometric templates cannot sit in a less-protected store than, say, the rest of your customer database.
A short clause stating that reasonable security measures are in place is enough to give notice that data security processes exist; ExamSoft's notice uses one.
You don't have to publish all of your security practices, but you do need to take active steps toward security and let it be known that you are doing so.
Best Practices for a Biometric Privacy Compliance Program
If your company operates in Texas and uses biometric data or is considering it, you should create and implement a compliance program if you haven't done so already. That program should be adaptable as the law could be amended or replaced entirely. You'll want your company to be flexible enough to roll with the punches in such an event.
To do that, your biometric privacy compliance program should take in mind the following best practices.
Conduct a Data Mapping and Inventory Exercise
Every piece of biometric information that you collect, use, or sell, along with your data processing practices, should be mapped and inventoried. By doing that, you'll better manage and safeguard that data in a proactive fashion.
You'll also be able to write clear and transparent privacy disclosure notices that are vital to compliance with CUBI and other existing biometric data laws. (You will also know which data needs to be destroyed and when.)
You should also explain why you collect the data, how you protect it, and the rules and schedule under which you'll permanently destroy it.
Provide Written Notice
Ideally, you should place the written notice in a prominent location, or at the point of collection, so that an informed person can provide or decline consent before any identifier is captured.
Obtain Consent
You must acquire clear and explicit consent from those whose biometric data you intend to collect. That consent is necessary before you may use collected data for business purposes.
CUBI doesn't detail the precise manner in which you must obtain consent. However, a best practice is to acquire consent by using a signed release/consent form.
For online collection, a common practice is an "I Agree" checkbox tied to the notice, as ExamSoft uses.
Ensure No Sale of Data
You should make sure that you have a mechanism in place that prevents biometric data from being sold, leased, or disclosed to any third party by the company or its employees.
Have Retention and Destruction Policies
Make certain that you have a mechanism in place to ensure that all biometric data your company holds is destroyed within a "reasonable time."
CUBI sets the outer bound: destruction no later than one year after the purpose for collecting the data has expired. A calendar reminder is not a mechanism; tie destruction to the inventory from your data mapping exercise, so that each record carries the date its purpose ended and a destruction deadline derived from it.
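As an added example, not ExamSoft's or any vendor's code and not part of the original article, the following Python sketch shows how the data mapping exercise above and the retention mechanism described here can be driven from one inventory. The record layout, the identifier-type and purpose labels such as "employment_security", and the sample inventory are all assumptions constructed for illustration; the rules it encodes are CUBI's one-year outer bound and its presumption that an employment-security purpose expires when employment ends.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Identifier types enumerated in CUBI's definition of "biometric identifier".
# The labels are this example's own naming convention (assumption).
CUBI_IDENTIFIER_TYPES = frozenset({
    "retina_scan", "iris_scan", "fingerprint", "voiceprint",
    "hand_geometry", "face_geometry",
})

# Purpose label for identifiers used for security in connection with
# employment (assumed convention for this inventory).
EMPLOYMENT_SECURITY = "employment_security"


@dataclass
class BiometricRecord:
    """One row of the biometric data inventory (field layout is an assumption)."""
    record_id: str
    identifier_type: str
    purpose: str
    collected_on: date
    purpose_expired_on: Optional[date] = None   # None while the purpose is live
    employment_ended_on: Optional[date] = None  # only meaningful for employment purposes
    destroyed_on: Optional[date] = None


def is_cubi_identifier(rec: BiometricRecord) -> bool:
    """True if the record holds an identifier type CUBI regulates."""
    return rec.identifier_type in CUBI_IDENTIFIER_TYPES


def first_anniversary(d: date) -> date:
    """Same month and day one year later; Feb 29 rolls to Feb 28."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def purpose_expiry(rec: BiometricRecord) -> Optional[date]:
    """Date the collection purpose expired, or None if it is still live.

    For an employment-security purpose CUBI presumes expiry at termination,
    so the earlier of that date and any explicitly recorded expiry controls.
    """
    candidates = []
    if rec.purpose_expired_on is not None:
        candidates.append(rec.purpose_expired_on)
    if rec.purpose == EMPLOYMENT_SECURITY and rec.employment_ended_on is not None:
        candidates.append(rec.employment_ended_on)
    return min(candidates) if candidates else None


def destruction_deadline(rec: BiometricRecord) -> Optional[date]:
    """Latest lawful destruction date: the first anniversary of purpose expiry."""
    expiry = purpose_expiry(rec)
    return first_anniversary(expiry) if expiry is not None else None


def retention_status(rec: BiometricRecord, today: date) -> str:
    """One of 'destroyed', 'in_use', 'pending' (deadline ahead) or 'overdue'."""
    if rec.destroyed_on is not None:
        return "destroyed"
    deadline = destruction_deadline(rec)
    if deadline is None:
        return "in_use"
    return "overdue" if today > deadline else "pending"


def overdue_records(inventory: List[BiometricRecord], today: date) -> List[BiometricRecord]:
    """Records that should already have been destroyed as of `today`."""
    return [r for r in inventory if retention_status(r, today) == "overdue"]


def retention_report(inventory: List[BiometricRecord], today: date) -> Dict[str, str]:
    """record_id -> status: the view a periodic destruction sweep would review."""
    return {r.record_id: retention_status(r, today) for r in inventory}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    # Time-clock fingerprint; the employee left 2023-03-31, so the purpose is
    # presumed expired then and the destruction deadline is 2024-03-31.
    BiometricRecord("emp-0001", "fingerprint", EMPLOYMENT_SECURITY,
                    date(2021, 6, 1), employment_ended_on=date(2023, 3, 31)),
    # Same purpose, still employed: no deadline yet.
    BiometricRecord("emp-0002", "fingerprint", EMPLOYMENT_SECURITY, date(2022, 1, 10)),
    # Face geometry captured to proctor an exam that ended 2024-01-15: due 2025-01-15.
    BiometricRecord("exam-0419", "face_geometry", "exam_identity",
                    date(2024, 1, 15), purpose_expired_on=date(2024, 1, 15)),
    # Already destroyed inside the window: nothing further to do.
    BiometricRecord("exam-0001", "voiceprint", "exam_identity", date(2022, 5, 1),
                    purpose_expired_on=date(2022, 5, 1), destroyed_on=date(2022, 9, 1)),
]

if __name__ == "__main__":
    as_of = date(2024, 6, 1)
    for rid, status in retention_report(SAMPLE_INVENTORY, as_of).items():
        print(f"{rid}: {status}")
    print("overdue:", [r.record_id for r in overdue_records(SAMPLE_INVENTORY, as_of)])
```

Run against the sample inventory as of 2024-06-01, the former employee's fingerprint shows as overdue while the exam record is still pending. The point of the design is that the deadline is a function of the inventory row rather than a separately tracked date, so a record whose purpose end is never filled in surfaces as "in_use" forever and can be flagged in review rather than silently outliving its purpose.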
Ensure the Data is Secure
You must make certain that your security practices for biometric data are as strict as, or stricter than, the measures you take to protect any other confidential information you hold. In practice, treat biometric templates as belonging to your most sensitive data class and protect them at least as strongly as the most sensitive data you already hold.
Penalties for Violating CUBI
Companies that violate CUBI's requirements may be subject to civil penalties of up to $25,000 per violation. There is no aggregate cap, so penalties can run into the hundreds of thousands or even millions of dollars depending on the number of violations.
Only Texas's Attorney General may bring an action to recover those penalties. By way of illustration, the attorney general's office opened an investigation into Facebook's harvesting of biometric data in June 2020.
No Private Right of Action Under CUBI
CUBI does not provide for a private right of action, so individuals cannot sue under it directly. However, that doesn't mean there is no civil exposure if your business fails to comply with the law. As noted above, each violation carries a penalty of up to $25,000.
In practical terms, suppose a company has 50 employees and collects biometric data from each of them without following the law's notice and consent rules. If each capture counts as a separate violation, the company's potential liability is 50 times $25,000, or up to $1.25 million.
Summary
The regulation of biometric data and its use is increasing all over the world. Texas was one of the first three states in the USA to pass legislation designed to protect its residents from the misuse of biometric information in a commercial setting.
CUBI's core demands are as follows:
- Provide notice and acquire consent before collecting biometric data
- Retain biometric data for a maximum of one year after the purpose for which it was collected has been fulfilled. It must then be permanently destroyed
- No sale, lease, or disclosure of biometric data to any third party
- Biometric data must be protected at the same level or higher as all other sensitive, private information
Remember that while there is no private right of action, Texas's attorney general has the power to pursue companies that break the law. Each violation carries a penalty of up to $25,000.
With the above in mind, companies that do business in Texas (and in other states that have similar laws) should put together a flexible biometric data compliance program and follow it to mitigate the risk of liability.