ARTICLE
17 September 2024

Billion-Dollar Biometric Bust: Meta Reaches Largest AG Settlement In History – $1.4 Billion – For Alleged Violations Of Texas Biometric Privacy Law

Last week, the Texas Attorney General's Office announced it had reached a record $1.4 billion settlement with Meta over the company's alleged misuse of facial recognition technology.
United States Privacy

Last week, the Texas Attorney General's Office announced it had reached a record $1.4 billion settlement with Meta over the company's alleged misuse of facial recognition technology. The settlement, which comes after Texas Attorney General Ken Paxton sued Meta for alleged violations of the state's Capture or Use of Biometric Identifier Act (CUBI)1, sets a record for the largest settlement with any single state attorney general's office in history. CUBI prohibits companies from capturing the biometric identifiers of Texans without informing the individual and obtaining the individual's consent prior to the capture.

The rampant use (and misuse) of biometric technologies, including facial recognition, has become an area of increasing regulation throughout the U.S. and led to several eye-popping verdicts and settlements. The likes of Google, Tik Tok, Meta, and even Walmart have not been immune. In 2020, then Facebook settled for $650 million, and Tik Tok for $92 million in litigation alleging misuse of facial recognition technology. In 2021, Walmart reached a $10 million settlement for the company's alleged misuse of palm scanners to check employees in and out of cash registers. More recently, Google reached a $100 million settlement based on its alleged misuse of facial recognition technology. For wealthy tech titans like Google, Tik Tok, and Meta, these types of headlines have become commonplace in the news and are now likely seen as just the cost of doing business. More surprising, however, are the many unwary small and midsized businesses who have fallen prey to the heavy-handed biometric privacy statutes passed by various state legislatures in recent years.

By far, the most infamous and punitive statute among these is the Illinois Biometric Information Privacy Act (BIPA).2 For the last 16 years, BIPA imposed statutory damages of $1,000 per negligent violation – or $ 5,000 for every intentional or reckless violation. These violations can occur intentionally (or unwittingly) for anyone collecting "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry" of Illinois residents, without their express written consent and release.3 There is no question that BIPA has had teeth, and the plaintiff's bar has taken notice. Between 2017 and 2023, more than 2,000 class action cases were filed under BIPA.

After increasing calls for reform, Illinois Governor J.B. Pritzker signed the first amendment to BIPA on August 2, 2024, capping a busy week in the world of biometric privacy. The amended law now limits statutory damages to $1,000 or $5,000 per person (as opposed to $1,000 or $5,000 per violation). At least one news outlet has dubbed the recent amendment to BIPA as "business-friendly." There is no question that the amended law is a good development for business; however, BIPA, which still allows for massive, multi-million-dollar judgments and survived the new reform with its private right of action intact, remains the most punitive biometric privacy law in all of the U.S.

Unlike Illinois' BIPA, the Texas statute does not have a private right of action. Thus, the Texas law limits the number of cases that can be filed, since only the Texas Attorney General has the right to sue. Many had speculated that companies doing business in Texas may face less scrutiny as a result. For small and midsized businesses, this may ring true due to the Texas Attorney General's Office's finite capacity to handle cases. Yet, last week's $1.4 billion settlement, the highest for any state attorney general's office in history, is an unmistakable statement. If there were any doubt that Texas takes biometric privacy seriously, that doubt has now been removed.

As the saying goes: "Don't mess with Texas!"

Footnotes

1. See Tex. Bus & Com. Code Ann. § 503.001.

2. See 740 ILCS 14/1, et seq.

3. BIPA also contains additional requirements regarding the retention, disclosure, and destruction of biometric information. For all of BIPA's requirements, see 740 ILCS 14/1, et seq.

Originally published August 2, 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.



Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More