Capture or Use of Biometric Identifier Act (CUBI) protect Texans' privacy
In-Depth Look at the Capture or Use of Biometric Identifier Act (CUBI)
Introduction
The Capture or Use of Biometric Identifier Act (CUBI), enacted in Texas in 2009, is a crucial piece of legislation aimed at protecting the privacy of individuals' biometric data. As one of the few biometric privacy laws in the United States, CUBI sets stringent requirements for businesses and organizations that handle biometric identifiers. This article delves into the key provisions of CUBI, its enforcement, and its implications for businesses and individuals in Texas.
Key Provisions of CUBI
Definition of Biometric Identifiers
Under CUBI, biometric identifiers are defined as:
- Retina or iris scans
- Fingerprints
- Voiceprints
- Records of hand or face geometry
This specific definition helps limit the scope of data collection to the most sensitive types of biometric information[1][2].
Consent and Notice Requirements
CUBI mandates that any person or business capturing biometric identifiers for commercial purposes must:
- Provide notice to the individual before capturing their biometric identifier.
- Obtain explicit consent from the individual prior to data collection.
This ensures that individuals are aware of and agree to the collection and use of their biometric data[1][2][3].
Restrictions on Data Sharing
The act strictly limits the sharing of biometric data. Entities are prohibited from selling, leasing, or otherwise disclosing biometric identifiers, except under specific circumstances such as:
- Compliance with a law enforcement warrant
- Completing a financial transaction authorized by the individual
- Identifying an individual in the event of their disappearance or death, with the individual's consent[1][2].
Data Security and Destruction
CUBI requires businesses to:
- Use reasonable care to protect biometric identifiers from unauthorized access or disclosure.
- Destroy biometric identifiers within a reasonable time, and no later than one year after the purpose for which the data was collected has been fulfilled, unless an exception applies[1][2][3].
Enforcement
The Texas Attorney General has exclusive authority to enforce CUBI. Violations can result in civil penalties of up to $25,000 per violation. This enforcement mechanism underscores the seriousness with which Texas treats biometric data privacy[1][2][5].
Comparison with Other Biometric Privacy Laws
Illinois Biometric Information Privacy Act (BIPA)
- Scope: BIPA is considered the most stringent biometric privacy law in the U.S. It includes a private right of action, allowing individuals to sue for violations.
- Penalties: Potential damages under BIPA range from $1,000 to $5,000 per violation.
- Consent: Like CUBI, BIPA requires informed consent before data collection[2][4].
Washington State's Biometric Privacy Law
- Scope: Washington's law is less comprehensive than CUBI and BIPA. It does not cover facial recognition data or voiceprints.
- Consent: The consent requirements are less stringent compared to CUBI and BIPA[2][4].
Recent Developments and Implications
Increased Enforcement
In recent years, the Texas Attorney General has taken a more active role in enforcing CUBI. Notable cases include actions against major tech companies like Google and Meta, alleging violations of CUBI and the Texas Deceptive Trade Practices Act (DPTA)[3][5].
Interaction with the Texas Data Privacy and Security Act (TDPSA)
In 2023, Texas introduced the Texas Data Privacy and Security Act (TDPSA), which includes provisions related to biometric data. TDPSA requires businesses to obtain consent before processing or disclosing biometric data and grants consumers rights over their data. The coexistence of CUBI and TDPSA adds complexity to the compliance landscape for businesses operating in Texas[3].
Compliance Recommendations for Businesses
To comply with CUBI, businesses should:
- Develop and maintain a clear privacy policy regarding biometric data.
- Implement robust data security measures to protect biometric identifiers.
- Conduct data mapping to track the collection, use, and storage of biometric data.
- Ensure mechanisms are in place to prevent unauthorized sale, lease, or disclosure of biometric data.
- Regularly review and update compliance practices to align with evolving legal requirements[2][3][5].
Conclusion
The Capture or Use of Biometric Identifier Act (CUBI) represents a significant step in protecting the biometric privacy of Texans. By setting strict requirements for consent, data security, and destruction, CUBI ensures that individuals have control over their biometric information. As enforcement actions increase and new privacy laws emerge, businesses must remain vigilant and proactive in their compliance efforts to safeguard sensitive biometric data.
For more detailed information on CUBI and related compliance strategies, businesses are encouraged to consult legal experts and stay informed about ongoing legal developments.
Citations:
[1] https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/biometric-identifier-act
[2] https://caseguard.com/articles/the-capture-or-use-of-biometric-identifiers-act-cubi/
[3] https://bioconnect.com/2023/12/13/navigating-biometric-privacy-laws-in-texas-a-comprehensive-overview/
[4] https://www.reuters.com/legal/legalindustry/beware-bipa-other-biometric-laws-an-overview-2023-06-22/
[5] https://www.hklaw.com/en/insights/publications/2022/11/texas-enforcement-of-biometric-law-focuses-on-artificial-intelligence