The Capture or Use of Biometric Identifiers Act (CUBI)

The Capture or Use of Biometric Identifiers Act (CUBI)

The Capture or Use of Biometric Identifiers Act or CUBI for short, also known as Texas Business & Commerce Code 503.001, is a biometric information privacy law that was passed in Texas in 2009. As one of only a handful of biometric information privacy laws throughout the nation, including Washington State’s Code 19.375.020 and Illinois’s Biometric Information Privacy Act or BIPA, CUBI provides citizens of Texas with various protections in regards to their biometric information or data. Under CUBI a “person may not capture a biometric identifier without a prior consent, may not sell biometric data without consent or unless allowed by law, must use reasonable care in storing it, and shall destroy the biometric identifier within a reasonable time”. As such, CUBI is similar in nature to the Illinois BIPA law, as many other biometric privacy laws such as Washington State’s Code 19.375.020 only protect against the enrollment of an individual’s biometric information.

What are the requirements of businesses and organizations under CUBI?

CUBI places several requirements and restrictions on how business entities and organizations can go about capturing the biometric identifiers of Texas citizens for commercial purposes. Under CUBI, a biometric identifier is defined as ‘a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry”. Conversely, CUBI provides no specific definition for the term “commercial purposes”. In practice, Texas courts have defined this term to mean purposes “intended to result in a profit or other tangible benefit.” Furthermore, CUBI does not cover biometric identifiers in the form of voiceprint data that may be retained by a financial institution or their affiliates, as these biometric identifiers are covered by other Texas state laws. To this end, Texas businesses and organizations must adhere to the following requirements when capturing biometric identifiers from citizens of the state:

What can businesses within the State of Texas do to comply with CUBI?

There are a variety of steps and measures that businesses and organizations can take in order to maintain compliance with CUBI. Such steps and measures include:

What are the penalties for non-compliance under CUBI?

Under CUBI, business entities and organizations who are found to be in non-compliance with the law are subject to monetary penalties of up to $25,000 per violation. CUBI is enforced by the Texas State Attorney General, and the law does not allow for individuals to bring a private right of action lawsuits in regards to violations of the law. Notably, there is no maximum cap in regards to the monetary fines that can be imposed as a result of CUBI violations. To provide an example of the scope and potential severity of punishment under CUBI, technology giant Facebook was probed by the Texas Attorney General in regards to violations of CUBI in 2020, following Facebook settling of a class-action lawsuit in response to violations of the Illinois’s Biometric Information Privacy Act or BIPA earlier this year.

As the topic of biometric information privacy continues to gain steam in state legislatures across the country, the state of Texas is ahead of the curve when it comes to protecting the biometric data privacy rights of its citizens. As class action lawsuits involving violations of biometric data privacy rights continue to increase, many states are sure to follow the lead of Illinois, Washington, and Texas in passing their own biometric information privacy laws. While CUBI does not provide the same breadth of protection as the Illinois BIPA law, the law nevertheless gives residents of the state of Texas an avenue of recourse in the event that their biometric data privacy rights are infringed upon. As such, Texas citizens can have the peace of mind that their privacy is being protected at all levels.

Related Reads