The Capture or Use of Biometric Identifiers Act (CUBI)
The Capture or Use of Biometric Identifiers Act or CUBI for short, also known as Texas Business & Commerce Code 503.001, is a biometric information privacy law that was passed in Texas in 2009. As one of only a handful of biometric information privacy laws throughout the nation, including Washington State’s Code 19.375.020 and Illinois’s Biometric Information Privacy Act or BIPA, CUBI provides citizens of Texas with various protections in regards to their biometric information or data. Under CUBI a “person may not capture a biometric identifier without a prior consent, may not sell biometric data without consent or unless allowed by law, must use reasonable care in storing it, and shall destroy the biometric identifier within a reasonable time”. As such, CUBI is similar in nature to the Illinois BIPA law, as many other biometric privacy laws such as Washington State’s Code 19.375.020 only protect against the enrollment of an individual’s biometric information.
What are the requirements of business entities and organizations under CUBI?
CUBI places several requirements and restrictions on how business entities and organizations can go about capturing the biometric identifiers of Texas citizens for commercial purposes. Under CUBI, a biometric identifier is defined as ‘a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry”. Conversely, CUBI provides no specific definition for the term “commercial purposes”. In practice, Texas courts have defined this term to mean purposes “intended to result in a profit or other tangible benefit.” Furthermore, CUBI does not cover biometric identifiers in the form of voiceprint data that may be retained by a financial institution or their affiliates, as these biometric identifiers are covered by other Texas state laws. To this end, Texas businesses and organizations must adhere to the following requirements when capturing biometric identifiers from citizens of the state:
- A person may not capture any form of biometric identifier from an individual for commercial purposes unless said person informs the individual before capturing their biometric identifier, and receives said individual’s consent to capture their biometric identifier.
- A person who possesses the biometric identifier of an individual for commercial purposes is prohibited from selling, leasing, or otherwise disclosing said biometric identifier to another person unless the individual in question consents to having their biometric identifier used for identification purposes in the event of their disappearance or death, the disclosure completes or facilitates a financial transaction that the individual authorized or requested, the disclosure is permitted or required by a federal statute or state statute other than Chapter 552 (Public Information), Government Code, or the disclosure is made to law enforcement for the purpose of responding to a warrant or other legal requirement.
- A person who possesses the biometric identifier of an individual is also required to ensure that said information is stored, transmitted, and protected from disclosure using reasonable care, and in a manner that is consistent or more protective to the manner in which said person stores, transmits, and protects other forms of personal information they have in their possession.
- A person who possesses the biometric identifier of an individual is required to destroy said biometric identifier within a reasonable timeframe, but no later than the first anniversary of the date for which the purpose in which said identifier was collected has expired, except in instances where an individual has given consent for their biometric identifier to be used in the event of their disappearance or death as stated above.
- If a biometric identifier of an individual that has been captured for commercial purposes is used in connection with a document or instrument that is required by another law to be maintained for a period longer than is described in the above section, the person who possesses said biometric identifier must destroy said identifier within a reasonable time frame, but no later than the one year anniversary of the data in which the document or instrument in question is no longer to be maintained by the law.
- If a biometric identifier that has been captured for commercial purposes has also been collected for security purposes by an employer, the purposes for this collection under CUBI are presumed to expire in accordance with the termination of the employment relationship.
What can businesses and organizations within the State of Texas do to comply with CUBI?
There are a variety of steps and measures that businesses and organizations can take in order to maintain compliance with CUBI. Such steps and measures include:
- Data security– It is also recommended that business entities and organizations implement comprehensive data security measures that can protect the biometric identifiers of Texas citizens in the same manner, if not more stringent, than the manner in which said business or organization handles other forms of personal data or information.
- Data mapping– It is recommended that businesses and organizations conduct some form of data mapping or inventory exercise, which entails inventorying and mapping each piece of biometric data that said business or organization collects, uses, or sells, as well as the business or organization’s data processing practices. Undergoing the process of data mapping can help companies both proactively manage and safeguard the biometric identifiers they receive from Texas citizens.
- Implement mechanisms to ensure that no biometric identifiers are sold, leased, or disclosed– Businesses and organizations are advised to implement mechanisms that will ensure that no citizen’s biometric identifier is sold, leased, or disclosed to any third parties by the company who collected this information, the employees of said company, and any related parties of the company.
What are the penalties for non-compliance under CUBI?
Under CUBI, business entities and organizations who are found to be in non-compliance with the law are subject to monetary penalties of up to $25,000 per violation. CUBI is enforced by the Texas State Attorney General, and the law does not allow for individuals to bring a private right of action lawsuits in regards to violations of the law. Notably, there is no maximum cap in regards to the monetary fines that can be imposed as a result of CUBI violations. To provide an example of the scope and potential severity of punishment under CUBI, technology giant Facebook was probed by the Texas Attorney General in regards to violations of CUBI in 2020, following Facebook settling of a class-action lawsuit in response to violations of the Illinois’s Biometric Information Privacy Act or BIPA earlier this year.
As the topic of biometric information privacy continues to gain steam in state legislatures across the country, the state of Texas is ahead of the curve when it comes to protecting the biometric data privacy rights of its citizens. As class actions lawsuits involving violations of biometric data privacy rights continue to increase, many states are sure to follow the lead of Illinois, Washington, and Texas in passing their own biometric information privacy laws. While CUBI does not provide the same breadth of protection as the Illinois BIPA law, the law nevertheless gives residents of the state of Texas an avenue of recourse in the event that their biometric data privacy rights are infringed upon. As such, Texas citizens can have the peace of mind that their privacy is being protected at all levels.