Texas Biometric Privacy Laws: Collection, Consent & Penalties (2026)
Texas has emerged as the most aggressive enforcer of biometric privacy in the United States. While Illinois gets the headlines for its private right of action under BIPA, Texas has quietly secured more than $2.7 billion in biometric privacy settlements through attorney general enforcement alone.
The Capture or Use of Biometric Identifier Act, known as CUBI, has been Texas law since 2009. For over a decade it sat largely dormant. That changed in 2022 when Attorney General Ken Paxton began filing enforcement actions against major technology companies, producing historic settlements that dwarfed anything seen under Illinois BIPA.
This article covers every provision of CUBI, the layered protections added by the TDPSA, enforcement history, employer obligations, and what a 2025 amendment means for artificial intelligence companies operating in Texas.
What Is the Texas Capture or Use of Biometric Identifier Act?
CUBI is codified at Chapter 503 of the Texas Business and Commerce Code. The Texas Legislature passed the law in 2009, making Texas the second state (after Illinois in 2008) to enact a dedicated biometric privacy statute.
The law regulates the capture, possession, disclosure, and destruction of biometric identifiers when collected for a commercial purpose. Unlike comprehensive data privacy laws that cover all personal data, CUBI focuses exclusively on biometric data.
CUBI applies to any person or entity that captures biometric identifiers for a commercial purpose within Texas. There are no revenue thresholds or minimum employee counts. A small business using fingerprint scanners for employee timekeeping is subject to the same rules as a multinational technology company running facial recognition software.
What Biometric Identifiers Does CUBI Cover?
Under Section 503.001(a), a "biometric identifier" means:
- Retina or iris scans
- Fingerprints
- Voiceprints
- Records of hand geometry
- Records of face geometry
This definition is narrower than the biometric data definitions found in some comprehensive privacy laws. CUBI does not cover DNA, keystroke patterns, gait analysis, or behavioral biometrics.
The one statutory exclusion applies to voiceprint data held by a financial institution or an affiliate of a financial institution. Under Section 503.001(e), these entities are exempt from CUBI for voiceprint data only.
Notably, unlike Illinois BIPA, CUBI does not explicitly exclude photographs, written signatures, or demographic data from its definitions. However, enforcement actions have focused on biometric data that can be used to uniquely identify individuals, such as facial geometry extracted from photographs rather than the photographs themselves.
Consent and Notice Requirements
CUBI establishes a straightforward two-step consent process under Section 503.001(b). Before capturing a biometric identifier for a commercial purpose, a person must:
- Inform the individual that a biometric identifier is being captured
- Receive the individual's consent to capture the biometric identifier
The statute does not specify that consent must be in writing, which differs from Illinois BIPA's requirement of a written release. This means Texas employers and businesses have more flexibility in how they obtain consent, but the consent must still be affirmative and given before collection begins.
The "commercial purpose" requirement is important. CUBI only applies when biometric data is captured for a commercial purpose. Government agencies collecting biometric data for law enforcement or national security purposes fall outside the statute's scope.
Disclosure Restrictions: Four Permitted Exceptions
Once a biometric identifier has been captured, Section 503.001(c)(1) prohibits selling, leasing, or otherwise disclosing it to another person. There are only four narrow exceptions:
- Disappearance or death identification: The individual consents to disclosure for identification purposes if the individual disappears or dies
- Financial transactions: The disclosure completes a financial transaction that the individual requested or authorized
- Legal requirements: The disclosure is required or permitted by a federal statute or a state statute other than Chapter 552 of the Government Code (the Texas Public Information Act)
- Law enforcement: The disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant
These restrictions are significant. They mean a company cannot share biometric data with third-party vendors, advertising partners, or affiliated companies unless one of these four exceptions applies. The Meta and Google enforcement actions both centered on unauthorized sharing and use of biometric data beyond what users consented to.
Storage and Destruction Requirements
CUBI imposes two obligations on anyone who possesses a commercially captured biometric identifier under Section 503.001(c).
Reasonable Care Standard
The holder must store, transmit, and protect the biometric identifier from disclosure "using reasonable care and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects any other confidential information the person possesses."
This ties the security standard to the entity's existing data protection practices. If a company uses encryption and access controls for financial data, it must apply at least the same protections to biometric data.
Mandatory Destruction Timeline
The holder must destroy the biometric identifier "within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires." In plain terms, once the reason for collecting the data no longer applies, the data must be destroyed within one year.
If another law requires the entity to retain records for a longer period, Section 503.001(c-1) extends the destruction deadline to one year after that other law's retention requirement ends.
Employer Obligations Under CUBI
Many Texas employers use fingerprint scanners, hand geometry readers, or facial recognition systems for timekeeping, building access, or security purposes. CUBI has specific implications for these employers.
Under Section 503.001(c-2), when an employer captures a biometric identifier for security purposes, the purpose for collecting the identifier is legally presumed to expire on termination of the employment relationship. This triggers the one-year destruction clock.
Practical steps for Texas employers include:
- Notify employees in writing before enrolling them in any biometric system, even though CUBI does not require written consent
- Obtain affirmative consent from each employee before capturing fingerprints, face scans, or other biometric identifiers
- Establish a retention schedule that destroys biometric data within one year after an employee leaves the company
- Apply reasonable security measures to protect stored biometric data at least as rigorously as other confidential business information
- Never share biometric data with third-party payroll providers, staffing agencies, or other vendors unless a statutory exception applies
Enforcement: No Private Right of Action, But Massive Penalties
CUBI does not include a private right of action. Individual Texans cannot sue companies for violating the statute. Only the Texas Attorney General has authority to enforce the law.
Under Section 503.001(d), violations carry civil penalties of up to $25,000 per violation. The AG's office interprets both the unauthorized capture and the improper storage of a biometric identifier as separate violations, potentially doubling the penalty exposure per incident.
This enforcement model has proven devastating for major technology companies. Because the AG aggregates violations across millions of users, the per-violation penalties compound into figures that dwarf anything seen under Illinois BIPA's private right of action.
The $1.4 Billion Meta Settlement (2024)
On July 30, 2024, Attorney General Ken Paxton announced a $1.4 billion settlement with Meta over Facebook's facial recognition "Tag Suggestions" feature. Meta had automatically enabled facial recognition for all users, capturing face geometry from uploaded photos without first informing users or obtaining their consent.
Key details of the Meta settlement:
- Amount: $1.4 billion paid over five years
- Basis: First-ever lawsuit filed and settlement obtained under CUBI
- Violation: Meta ran facial recognition on photos uploaded by Texans without notice or consent
- Scale: The largest privacy settlement ever obtained by a single state attorney general
- Context: Dwarfed the $390 million multistate settlement (40 states) that Google paid in 2022
The lawsuit originated in February 2022 after Meta announced it would discontinue its facial recognition system. The AG alleged that Meta had been violating CUBI for years by automatically scanning the face geometry of every person in uploaded photographs.
The $1.375 Billion Google Settlement (2025)
On October 31, 2025, the AG finalized a $1.375 billion settlement with Google. This settlement resolved two lawsuits filed in 2022.
The first lawsuit alleged Google violated CUBI by collecting biometric identifiers through Google Photos (facial geometry), Google Assistant (voiceprints), and Nest Hub Max cameras (face geometry of anyone appearing on camera) without consent.
The second lawsuit alleged Google violated the Texas Deceptive Trade Practices Act by misleading users about geolocation tracking and Incognito mode data collection.
Key details of the Google settlement:
- Amount: $1.375 billion, the largest single-state privacy settlement against Google
- Comparison: The next largest single-state Google privacy settlement was $93 million
- Products involved: Google Photos, Google Assistant, Nest Hub Max
- Biometric data: Face geometry and voiceprints captured without consent
Together, the Meta and Google settlements total over $2.77 billion, establishing Texas as the most consequential enforcer of biometric privacy in the country.
How CUBI Compares to Illinois BIPA
Texas CUBI and Illinois BIPA are the two most significant biometric privacy laws in the United States, but they work very differently.
| Feature | Texas CUBI | Illinois BIPA |
|---|---|---|
| Enacted | 2009 | 2008 |
| Statute | Tex. Bus. & Com. Code Ch. 503 | 740 ILCS 14 |
| Private right of action | No | Yes |
| Enforcement | AG only | Individuals and AG |
| Consent type | Informed consent (no writing required) | Written release required |
| Max penalty per violation | $25,000 | $5,000 |
| Largest settlement | $1.4 billion (Meta) | $650 million (Meta) |
| Retention policy required | Implied by destruction rule | Written policy required |
| Applies to | Any person | Private entities only |
The key difference is enforcement mechanism. BIPA's private right of action has produced over 1,400 class action lawsuits, but individual settlements tend to be smaller. CUBI's AG-only model produces fewer cases but far larger outcomes because the state aggregates violations across entire populations.
The TDPSA: A Second Layer of Biometric Protection
The Texas Data Privacy and Security Act (TDPSA), codified at Chapter 541 of the Business and Commerce Code, took effect on July 1, 2024. It adds a comprehensive layer of biometric protection on top of CUBI.
The TDPSA classifies "biometric data" as sensitive personal data. Under the TDPSA, biometric data is defined as "data generated by automatic measurements of an individual's biological characteristics" that is processed for the purpose of uniquely identifying an individual.
This definition is broader than CUBI's. It potentially covers behavioral biometrics, gait analysis, and other biological measurements that fall outside CUBI's enumerated list of five identifiers.
Under the TDPSA, businesses must obtain the consumer's affirmative consent before processing sensitive data, including biometric data. The TDPSA defines consent as "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." Acceptance of general terms of use does not qualify. Consent obtained through dark patterns does not qualify.
The practical effect is that Texas businesses now face two overlapping consent requirements for biometric data: CUBI's informed consent standard and the TDPSA's affirmative consent standard. Compliance with the stricter TDPSA standard will generally satisfy both.
2025 Amendment: The AI Training Exemption
On June 22, 2025, Governor Greg Abbott signed House Bill 149, the Texas Responsible Artificial Intelligence Governance Act. This law, effective January 1, 2026, amends CUBI to create a limited exemption for artificial intelligence development.
Under the new Section 503.001(e) added by HB 149, CUBI's restrictions do not apply to the training, processing, or storage of biometric identifiers used in developing, training, evaluating, or offering AI models or systems. However, this exemption disappears if the AI system is used or deployed to uniquely identify a specific individual.
Important limitations on the AI exemption:
- If biometric data captured for AI training is later repurposed for commercial identification, standard CUBI provisions apply
- An individual is not considered to have consented to biometric capture simply because their image appears on the internet, unless the individual made the image publicly available themselves
- Government entities are prohibited from deploying AI systems for biometric identification using images gathered from public internet sources without individual consent
This amendment reflects the tension between AI development and biometric privacy. Companies training AI models on facial data can do so without CUBI compliance, but the moment they deploy those models to identify specific people in Texas, full CUBI requirements apply.
Filing a Complaint
Texans who believe their biometric data has been collected or shared without consent can file a complaint directly with the Texas Attorney General's Consumer Protection Division. While individuals cannot sue under CUBI, AG complaints have led to investigations and the massive enforcement actions described above.
More Texas Laws
- Texas Recording Laws
- Texas Recording Laws
- Texas Recording Laws
- Texas Dog Bite Laws
- Texas Data Privacy Laws
- Texas Recording Laws
- Texas Recording Laws
- Texas Recording Laws
This article provides general legal information about Texas biometric privacy laws. It is not legal advice. If you need guidance about a specific situation involving biometric data collection or compliance, consult a qualified attorney licensed in Texas.
Related: Texas Data Privacy Laws | Illinois Biometric Privacy (BIPA) | Data Privacy Laws by State
Sources and References
- Texas Business and Commerce Code Chapter 503(statutes.capitol.texas.gov).gov
- Texas AG CUBI Information Page(texasattorneygeneral.gov).gov
- AG Paxton $1.4B Meta Settlement Announcement(texasattorneygeneral.gov).gov
- AG Paxton $1.375B Google Settlement Announcement(texasattorneygeneral.gov).gov
- AG Paxton Google Settlement Finalized(texasattorneygeneral.gov).gov
- TDPSA Official AG Page(texasattorneygeneral.gov).gov
- TDPSA Full Text (HB 4, 88th Legislature)(capitol.texas.gov).gov
- HB 149 Bill History (89th Legislature)(capitol.texas.gov).gov
- HB 149 Enrolled Text(capitol.texas.gov).gov
- HB 149 Senate Analysis(capitol.texas.gov).gov