In 2009, Texas took a significant step in protecting biometric data with the enactment of the Capture or Use of Biometric Identifiers Act (CUBI). The legislation aimed to regulate the collection of biometric identifiers for commercial purposes. Over the years, the legal landscape has evolved, introducing new challenges and opportunities for businesses operating in the state. This blog post explores the key provisions of CUBI, recent developments with enforcement actions, and the implications of the Texas Data Privacy and Security Act (TDPSA), a more comprehensive law that includes provisions on biometric data.
The Foundation: Texas Capture or Use of Biometric Identifiers Act (CUBI)
CUBI, enacted in 2009, applies to all private entities in Texas, except for voiceprint data retained by financial institutions or their affiliates. The legislation mandates that businesses provide notice and obtain consent before collecting biometric data for commercial purposes. Additionally, CUBI requires the timely destruction of biometric identifiers, allowing only a one-year window for businesses to permanently delete captured biometric data after fulfilling its intended purpose.
The enforcement of CUBI falls under the purview of the Texas Attorney General. Despite a lack of complaints in the initial years following enactment, recent developments in 2022 saw Attorney General Ken Paxton filing complaints against large organizations, such as Google, alleging violations of CUBI and the Texas Deceptive Trade Practices Act (DPTA). These cases, still in the early stages of litigation, mark a turning point in the enforcement of biometric privacy laws in Texas.
Evolving Landscape: Texas Data Privacy and Security Act (TDPSA)
In 2023, Texas introduced the Texas Data Privacy and Security Act (TDPSA), a comprehensive data privacy law that encompasses biometric data. This legislation goes beyond CUBI, providing a framework for disclosure requirements related to personal data collection and processing. TDPSA grants consumers rights over their data, mandates opt-outs for specific data processing activities, and imposes obligations on data controllers and processors.
Similar to CUBI, TDPSA requires businesses to obtain consent before processing or disclosing biometric data. However, TDPSA includes a crucial exemption for data controllers and processors engaged in security functions, differentiating it from its predecessor.
Bridging the Gap: Navigating the Transition
With TDPSA set to take effect on July 1, 2024, businesses face the challenge of ensuring compliance with both CUBI and TDPSA. The lack of provisions within TDPSA on how the new requirements relate to CUBI adds complexity to the compliance landscape. As of now, there is no case law or guidance on the implementation of TDPSA concerning biometrics.
It is essential for businesses operating or having significant sales in Texas, especially those collecting or processing biometric data, to proactively ensure compliance with both CUBI and TDPSA. Until further guidance is available, the coexistence of these distinct laws underscores the importance of a thorough understanding of their respective scopes and requirements.
Navigating the Future of Biometric Privacy in Texas
As businesses prepare for the enforcement of TDPSA and continue to address the evolving landscape of biometric privacy laws, staying informed and proactive is crucial. The potential for overlap or conflict between provisions of CUBI and TDPSA emphasizes the need for vigilance and a commitment to robust data privacy practices. Until the legal landscape becomes clearer, businesses must navigate the dual compliance requirements, ensuring the protection of biometric data in accordance with the laws of the Lone Star State.
Learn more by downloading SIA’s guide to U.S. Biometric Privacy Laws, which stands as a valuable resource for business users and industry suppliers seeking to navigate the intricate web of biometric privacy laws.