Capture or Use of Biometric Identifier Act (CUBI) protect Texans' privacy

Capture or Use of Biometric Identifier Act (CUBI) protect Texans' privacy
Photo by Onur Binay / Unsplash

In-Depth Look at the Capture or Use of Biometric Identifier Act (CUBI)

Introduction

The Capture or Use of Biometric Identifier Act (CUBI), enacted in Texas in 2009, is a crucial piece of legislation aimed at protecting the privacy of individuals' biometric data. As one of the few biometric privacy laws in the United States, CUBI sets stringent requirements for businesses and organizations that handle biometric identifiers. This article delves into the key provisions of CUBI, its enforcement, and its implications for businesses and individuals in Texas.

Ken Paxton Secures $1.4 Billion Settlement with Meta Over Biometric Data Violations
Overview: In a landmark legal case, Texas Attorney General Ken Paxton achieved a historic $1.4 billion settlement with Meta (formerly Facebook) over unauthorized biometric data capture. This marks the largest settlement obtained by a single state action and signifies a major victory for privacy rights. Background: The case stems

Key Provisions of CUBI

Definition of Biometric Identifiers

Under CUBI, biometric identifiers are defined as:

  • Retina or iris scans
  • Fingerprints
  • Voiceprints
  • Records of hand or face geometry

This specific definition helps limit the scope of data collection to the most sensitive types of biometric information[1][2].

Facebook’s 2012 Controversy: Ethical Dilemmas in Psychological Experimentation
Introduction In 2012, Facebook found itself embroiled in a contentious lawsuit over conducting psychological experiments on its users. The social media giant faced significant backlash and legal challenges for its study aimed at mood manipulation, raising serious ethical questions about the boundaries of user consent and privacy in the digital

CUBI mandates that any person or business capturing biometric identifiers for commercial purposes must:

  1. Provide notice to the individual before capturing their biometric identifier.
  2. Obtain explicit consent from the individual prior to data collection.

This ensures that individuals are aware of and agree to the collection and use of their biometric data[1][2][3].

New Mexico’s Legal Battle Against Meta: A Stand Against Child Exploitation on Facebook and Instagram
Introduction In a significant legal action, the state of New Mexico has initiated a lawsuit against Meta Platforms, Inc., the parent company of Facebook and Instagram. The case focuses on the critical issue of child exploitation on these widely used social media platforms. This article delves into the nuances of

Restrictions on Data Sharing

The act strictly limits the sharing of biometric data. Entities are prohibited from selling, leasing, or otherwise disclosing biometric identifiers, except under specific circumstances such as:

  • Compliance with a law enforcement warrant
  • Completing a financial transaction authorized by the individual
  • Identifying an individual in the event of their disappearance or death, with the individual's consent[1][2].

Data Security and Destruction

CUBI requires businesses to:

  • Use reasonable care to protect biometric identifiers from unauthorized access or disclosure.
  • Destroy biometric identifiers within a reasonable time, and no later than one year after the purpose for which the data was collected has been fulfilled, unless an exception applies[1][2][3].

Enforcement

The Texas Attorney General has exclusive authority to enforce CUBI. Violations can result in civil penalties of up to $25,000 per violation. This enforcement mechanism underscores the seriousness with which Texas treats biometric data privacy[1][2][5].

Comparison with Other Biometric Privacy Laws

Illinois Biometric Information Privacy Act (BIPA)

  • Scope: BIPA is considered the most stringent biometric privacy law in the U.S. It includes a private right of action, allowing individuals to sue for violations.
  • Penalties: Potential damages under BIPA range from $1,000 to $5,000 per violation.
  • Consent: Like CUBI, BIPA requires informed consent before data collection[2][4].

Washington State's Biometric Privacy Law

  • Scope: Washington's law is less comprehensive than CUBI and BIPA. It does not cover facial recognition data or voiceprints.
  • Consent: The consent requirements are less stringent compared to CUBI and BIPA[2][4].

Recent Developments and Implications

Increased Enforcement

In recent years, the Texas Attorney General has taken a more active role in enforcing CUBI. Notable cases include actions against major tech companies like Google and Meta, alleging violations of CUBI and the Texas Deceptive Trade Practices Act (DPTA)[3][5].

Interaction with the Texas Data Privacy and Security Act (TDPSA)

In 2023, Texas introduced the Texas Data Privacy and Security Act (TDPSA), which includes provisions related to biometric data. TDPSA requires businesses to obtain consent before processing or disclosing biometric data and grants consumers rights over their data. The coexistence of CUBI and TDPSA adds complexity to the compliance landscape for businesses operating in Texas[3].

Compliance Recommendations for Businesses

To comply with CUBI, businesses should:

  • Develop and maintain a clear privacy policy regarding biometric data.
  • Implement robust data security measures to protect biometric identifiers.
  • Conduct data mapping to track the collection, use, and storage of biometric data.
  • Ensure mechanisms are in place to prevent unauthorized sale, lease, or disclosure of biometric data.
  • Regularly review and update compliance practices to align with evolving legal requirements[2][3][5].

Conclusion

The Capture or Use of Biometric Identifier Act (CUBI) represents a significant step in protecting the biometric privacy of Texans. By setting strict requirements for consent, data security, and destruction, CUBI ensures that individuals have control over their biometric information. As enforcement actions increase and new privacy laws emerge, businesses must remain vigilant and proactive in their compliance efforts to safeguard sensitive biometric data.

For more detailed information on CUBI and related compliance strategies, businesses are encouraged to consult legal experts and stay informed about ongoing legal developments.

Citations:
[1] https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/biometric-identifier-act
[2] https://caseguard.com/articles/the-capture-or-use-of-biometric-identifiers-act-cubi/
[3] https://bioconnect.com/2023/12/13/navigating-biometric-privacy-laws-in-texas-a-comprehensive-overview/
[4] https://www.reuters.com/legal/legalindustry/beware-bipa-other-biometric-laws-an-overview-2023-06-22/
[5] https://www.hklaw.com/en/insights/publications/2022/11/texas-enforcement-of-biometric-law-focuses-on-artificial-intelligence

Read more

The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity, signed by President Biden

The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity, signed by President Biden

The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity, signed by President Biden on January 16, 2025, is a comprehensive document outlining various measures aimed at bolstering cybersecurity across the United States. BidenEOCyberBidenEOCyber.pdf205 KBdownload-circle Key points include: 1. Enhancing Accountability for Software Providers: * Requirements for

By Compliance Hub