Mark Zuckerberg just learned “Don’t Mess with Texas” the hard way. Meta Platforms, better known as the parent of Facebook and Instagram, just agreed to pay the State of Texas $1.4 billion for noncompliance with Texas’ laws on biometric data. This settlement was reached after Meta presumably believed that going to trial would likely be more expensive than the $1.4 billion deal.
In 2022, the Texas Attorney General filed suit against the social media giant for violations of the state’s “Capture or Use of Biometric Identifier Act,” known as CUBI, which was originally passed in 2009. The state alleged that Meta, “unlawfully captures the biometric identifiers of Texans for commercial purpose without their informed consent, disclosed those identifiers to others, and failed to destroy the identifiers within a reasonable time, (one year after it is no longer needed under the Act) all in violation of CUBI.” The state also alleged that Facebook, “engaged in false, misleading, and deceptive acts and practices in violation of the Texas Deceptive Trade Practices-Consumer Protection Act.” The lawsuit entitled “Texas v. Meta Platforms” is the first Texas CUBI enforcement action and now represents the largest privacy settlement that Attorney General’s office ever secured.
Under the State’s CUBI law, biometric identifiers include, retina or iris scans, fingerprints, voiceprint, or record of hand or face geometry. Under this law, a person may not capture these identifiers for a commercial use unless they obtain prior informed consent from the individual. The law also requires businesses to limit the sharing of this personal data, except in certain instances in which they are assisting law enforcement or completing financial transactions. CUBI further requires businesses to protect biometric data at a higher standard and must destroy the data within a year after it is no longer needed.
Many may remember the Facebook feature that “automatically” tagged recognized faces in users’ posts through the platforms “Tag Suggestions.” First introduced in 2011, this technology ran by default, analyzing user photos at a time when approximately 12 million Texans had a Facebook account. Although discontinuing use of the software after only 1 year, Meta claims that it deleted over 1 billion people’s individual facial recognition data.
The use of this technology is quite straight forward. When facial recognition technology examines an image of a face, it extracts data from facial features and generates a face map using facial-recognition algorithms, then compares the captured face map to other stored face maps to determine a match. In its suit against Meta, Texas alleged that Facebook was not only capturing biometric identifiers of users, but also those non-users included in the photos and videos posted by its users.
This $1.4 billion settlement is not Meta’s first large payment for legal violations. In 2020, Facebook settled a class action suit for $650 million in connection with alleged violations of Illinois’ Biometric Privacy Act (BIPA) for use of its Tag Suggestion Program in In re Facebook Biometric Info. Privacy Litig. In 2021 with Parris, et al v. Meta Platforms, Inc., Meta agreed to settle a class action suit for $68.5 million for its use of facial recognition software on its app, Instagram, without the users informed consent, again, in violation of BIPA. And in 2019, Meta received a $5 billion penalty from the Federal Trade Commission for deceptive business practices related to its privacy policies.
This $1.4 Billion settlement by Texas under CUBI, “demonstrates our commitment to standing up to the world’s biggest technology companies and holding them accountable for breaking the law and violating Texan’s privacy rights,” as stated by Texas Attorney General Ken Paxton. This attitude is displayed in Texas’ previous suits against technology giants. In 2020, Texas led 15 states in filing an antitrust lawsuit against Google, which starts trial in March 2025. Texas also pursued damages last year in the multi-state suit, In re Google Play Store Antitrust Litigation, ending in a $700 million settlement, with Texas receiving $8 million for its deceptive advertising claim.
The headstrong attacks by Texas and other states indicate the liability of technology companies under various state privacy laws. Meta is required to pay the first installment of $500 million within the next 30 days and will pay installments of $225 million annually from 2025 to 2028. For anyone thinking the penalties are excessive, remember that unlike emails, passwords, and even names, biometric information can NEVER be changed and therefore, is the most precious form of data.
Very interesting read. I am wondering how this settlement may influence future enforcement of biometric privacy laws in other states?