David J. Oberly |
For some time now, the well-known Illinois Biometric Information Privacy Act (“BIPA”)—discussed in this previous blog post—has garnered much of the spotlight in the area of biometric privacy. What many are unaware of, however, is that several similar state-level biometric privacy laws are also currently in effect in other parts of the country. One of those laws is Texas’ Capture or Use of Biometric Identifier Act, Tex. Bus. & Comm. § 503.001 (“CUBI”). While not as threatening to businesses that use biometrics in their operations as its Illinois counterpart, CUBI nonetheless poses substantial liability exposure risk for noncompliance.
Overview
- Scope of Applicability to Businesses: CUBI applies to the collection of “biometric identifiers” for a “commercial purpose.”
- “Biometric Identifier”: Biometric identifier means a “retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.”
- “Commercial Purpose”: “Commercial purpose” is defined by the statute. In the absence of additional guidance, companies should assume a commercial purpose includes any business purpose or related purpose tied to company operations.
Exemptions
CUBI contains one primary exemption:
- Financial Institutions/Voiceprints: Financial institutions governed by the Gramm-Leach-Bliley Act (“GLBA”) are exempted entirely from compliance with CUBI in connection with the use of voiceprint data.
Core Compliance Requirements
- Notice: Notice must be provided to individuals before capturing or collecting any biometric identifiers.
- Consent: Consent must also be obtained before capturing or collecting any biometric identifiers.
- Destruction: All biometric identifiers must be destroyed within a “reasonable time,” but no longer than one year after the purpose for collecting the biometric data has expired.
- Prohibition on Sale, Lease, or Disclosure: CUBI strictly prohibits the sale, lease, or disclosure of biometric identifiers (unless one of four very limited exceptions applies).
- Data Security: Data must be safeguarded using “reasonable care” and in a manner that is at least as robust as the manner in which other types of sensitive personal information are protected.
Penalties & Enforcement: Despite Lack of Private Right of Action, Significant Liability Exposure Remains
Violations of CUBI may subject an entity to civil penalties of up to $25,000 per violation, with no maximum cap. The power to enforce CUBI rests exclusively with the Texas Attorney General.
Practical Compliance Tips & Best Practices
Companies should consider implementing the following to ensure compliance with CUBI:
- Privacy Policy: Although not mandated by BIPA, companies should add language to their existing privacy policies to give customers, consumers, and others unambiguous notice that biometric data is being collected and used; the current and reasonably foreseeable purposes for which the biometric data will be used; and the company’s policy and schedule for deleting biometric data.
- Notice: Provide notice before any biometric data is captured or collected to inform individuals that biometric data is being collected; what the data is used for; and how long it will be retained until it is destroyed.
- Consent: Obtain clear consent from all individuals before any biometric data is collected or captured. While not expressly mandated by the statute, consent should be obtained in writing whenever feasible.
- Retention & Destruction Policies: Implement policies and mechanisms to ensure all biometric data is destroyed within a reasonable time, and no later than one year after the initial purpose for collecting the data has ended.
- Data Security: Maintain data security measures to protect all biometric data that satisfies the “reasonable care” standard and which protects biometric data in a manner that is the same as or more protective than how other types of sensitive personal information are protected.
- Mechanisms to Ensure No Sale, Lease, or Disclosure of Biometric Data: Implement mechanisms to ensure no biometric data is sold, leased, or disclosed to third parties by the company, its employees, or any related parties.
- Arbitration Agreements & Class Action Waivers: Finally, although not mandated by CUBI, ensure to include arbitration agreements and class action waivers in all consumer/online terms and conditions, as well as in all employee onboarding materials. Having an enforceable arbitration agreement is one of the most effective ways to significantly mitigate the ever-increasing scope of biometric privacy liability exposure.
The Final Word
Companies that operate in Texas must take proactive measures immediately, if they have not already done so, to ensure compliance with the Lone Star State’s biometric privacy requirements. For additional information on how to comply with CUBI, please view our CUBI Compliance Checklist.