Highlights
- A single noncompliant capture of a biometric identifier could result in multiple violations of the Texas Capture or Use of Biometric Identifier Act (CUBI), with a potential $25,000 penalty for each violation.
- Training data-hungry AI models with biometric identifiers is potentially high-risk.
- Companies may have obligations under CUBI when capturing the face geometry from bystanders in photographs and video or voice recordings from individuals talking in the background, even when they are not using the companies' products or services.
While many organizations are focusing their attention on compliance with the state consumer privacy laws becoming effective in 2023, they should keep in mind that the Texas Attorney General has now filed two cases in 2022 that concern the collection of biometric data, including in relation to developing or using artificial intelligence (AI) models that rely on machine learning. The potential consequences of noncompliance with the Texas Capture or Use of Biometric Identifier Act (CUBI) can be substantial. CUBI provides for civil penalties up to $25,000 per violation, and the volume of data necessary for machine learning ratchets up the number of potential violations dramatically. This post examines the Texas AG's broad interpretation of CUBI and identifies some compliance considerations for organizations handling biometric data in the context of AI implementation.
CUBI Background
CUBI regulates the capture, receipt, possession, sharing and retention of biometric identifiers. This Texas law (an older law) uses a list-limited approach to the definition of "biometric identifiers," specifically: "a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry."
Under CUBI, organizations are generally prohibited from capturing biometric identifiers for a commercial purpose unless they first provide notice and obtain consent from the affected individual. (The term "commercial purpose" is not defined by the statute.) Any disclosures of biometric identifiers must be limited. Organizations must protect biometric identifiers with reasonable care and normally must destroy them in a reasonable time – no longer than one year after the purpose for collecting them ends. Notably, only the Texas AG can bring suit under CUBI; there is no private right of action.
Broad Interpretations of CUBI in Facebook and Google Petitions
Earlier this year, the Texas AG (with the help of private law firms) filed a petition against Facebook for alleged violations of CUBI. Piggybacking on a civil settlement, the Texas AG alleged that Facebook's photo "Tag Suggestions" feature captures biometric identifiers without providing notice or obtaining consent. Last month, the Texas AG filed a second CUBI lawsuit – this time against Google. The Texas AG alleges that Google's products capture face geometry from photos and videos and (for Google Assistant) voiceprints from detected voices in violation of CUBI.
Facebook and Google allegedly use biometric data not only for obvious purposes (suggestions, groupings, and assistance), but also to train and improve their facial and voice recognition AI models.
CUBI regulates the capture and use of biometric identifiers for "commercial purposes." The Facebook and Google petitions indicate that the purpose of improving AI models alone may be enough to be a commercial purpose under CUBI, according to the Texas AG. Thus, when the underlying use is commercial in nature, the implication is that almost any capture or use of biometric identifiers relating to Texas residents in connection with developing AI models would require compliance with CUBI.
The Texas AG also makes clear in its petitions that sharing biometric identifiers among affiliates would be viewed by the Texas AG as "disclosures" that are subject to CUBI restrictions. Given this interpretation, organizations should be intentional and careful as to which affiliates are collecting, handling, and using biometric identifiers so they can ensure that all such processing is compliant with CUBI.
The Texas AG has taken the position that CUBI regulates the capture and use of biometric identifiers alone, even without other identifying information. The petitions against Facebook and Google do not allege Facebook and Google collected other information along with the biometric identifiers or that Facebook and Google had the ability to determine who people were. In fact, the Texas AG has complained about the capture of biometric identifiers relating to non-users of Facebook's and Google's products. Therefore, organizations take on risk even if they collect and use biometric identifiers about unidentified individuals.
The Texas AG has also taken the position that unpermitted capture and retention of biometric identifiers result in two separate CUBI violations. As the Texas AG stated, "Because Facebook's possession of biometric identifiers in the first instance was unlawful, maintaining possession of these biometric identifiers for any period of time is unreasonable, and violates [CUBI]." The effect of this is that $25,000 per violation can become $50,000 or more, for each noncompliant capture of a biometric identifier.
Takeaways
The risks under CUBI and other privacy laws increase as more protected data is collected. Organizations should evaluate their collection and handling of biometric identifiers, particularly if they are collecting or using the data for the improvement of AI models. Currently, improving AI models based on machine learning techniques requires massive amounts of data, and AI developers could be taking on significant risk under CUBI and similar laws if they are not in compliance. It is also conceivable that the Texas AG would seek to extend its reach to businesses that work with AI developers to train AI models and could be seen as indirectly capturing biometric identifiers.
Organizations should consider the following checklist before capturing biometric identifiers for a commercial purpose:
- Provide adequate notice to affected individuals prior to capture
- Obtain consent (that is not buried in an agreement) from affected individuals prior to capture
- Do not disclose (even among affiliates) biometric identifiers, except in narrow circumstances expressly permitted by statute
- Use reasonable care to protect biometric identifiers
- Destroy biometric identifiers within a reasonable time, and not more than a year after the purpose for capturing the biometric identifiers has ended
As stated, each violation can result in substantial penalties. Also, the Texas AG can seek permanent injunctions of CUBI violations, which could result in a significant impact to features or business activities that depend on the use of collected biometric identifiers.