Texas, along with Washington and Illinois, is among the states that have enacted legislation governing the use of biometric data. Texas have enacted these laws:
1 - Capture or Use of Biometric Identifiers Act (CUBI) in 2009,
2 - The Texas Data Privacy & Security Act (TDPSA) covers, among other topics, biometric data handling. Enacted in 2023 with general provisions to take effect on July 1, 2024, and specific rights concerning consumer-designated agents starting on January 1, 2025.
Overview
As technology evolves, biometric identification, using physical traits like fingerprints and facial features for verification, has become a common practice. However, the use of such personal data raises significant privacy concerns. Texas has responded with its latest piece of legislation aimed at protecting the privacy of Texas residents, by regulating the way the businesses collect, store, process and share their personal data. This blog delves into the key aspects of these laws, what it means for businesses, and how it empowers consumers.
1 - What is Biometric Data?
Biometric data refers to attributes that can be used to uniquely identify an individual. This includes fingerprints, facial recognition, iris scans, and even voice patterns. Unlike passwords or ID cards, which can be changed or replaced, biometric data is inherently personal and permanent, making its protection critically important. “Biometric data includes information about a person’s unique physical or behavioral characteristics that can be used to identify them. It is often used in security settings, for example, for access control and identification purposes.3”
2 - Overview of the Capture or Use of Biometric Identifiers Act (CUBI):
This law, as previously mentioned, was enacted in 2009 and seeks to specifically regulate the use of biometric data for commercial purposes. Cubi applies to all private entities in Texas, except for financial institutions and their affiliates that retain voiceprint data. (Voiceprint data is the use of human voice to uniquely identify an individual by creating a digital model of unique vocal characteristics)
Among other requirements, CUBI mandates that businesses must:
- Get consent and provide notice before collecting biometric data. [Because the manner in how this should be done is not listed within the law, a signed release/consent form is the most common way to obtain consent.]
- Destroy biometric identifiers within one year of fulfilling their purpose.
- Protect biometric data at the same lever, or higher, as other sensitive information.
- Not sell, release or disclose biometric data to third parties.
3 - Overview of the The Texas Data Privacy & Security Act (TDPSA):
The Texas Biometrics Law (TDPSA), enacted in June 2023 introduces more rigid rules for handling biometric information, such as:
- Consent Requirement: Explicit consent must be obtained before collecting any biometric data.
- Prohibition of Dark Patterns: The use of deceptive designs or "dark patterns" that trick users into giving up their personal data is banned.
- Exemptions for Small Businesses: Small businesses are mostly exempt unless they deal in sensitive data, in which case prior consent is required.
- Prohibition on Sale: The law forbids the sale or leasing of biometric data.
- Data Protection Assessments (DPAs): The TDPSA mandates that DPAs be conducted for processing activities that could potentially harm consumers.
- Data Security: Businesses must adhere to strict guidelines for securely storing and destroying biometric data to prevent unauthorized access.
A notable provision of the TDPSA. 4:
The Small Business Carveout: TDPSA introduces a unique exemption for "small businesses" as defined by the U.S. Small Business Administration (SBA). Determining if a business qualifies as "small" involves complex, fact-specific evaluations. Despite the carveout, the absence of revenue or data processing limits, common in other state privacy laws, could lead to broad applicability of the TDPSA, affecting many companies in the state.
4 - Comparison table that outlines how the Texas Data Privacy and Security Act (TDPSA) complements the existing provisions of the Capture or Use of Biometric Identifier Act (CUBI) in Texas:
5 - Implications for Businesses
Businesses operating in Texas will need to implement several changes to comply with the new law:
- Policy Updates: Revising privacy policies and employee training programs to include biometric data handling procedures.
- Technical Adjustments: Investing in secure technologies for data storage and establishing clear protocols for data deletion.
Failure to comply can result in hefty fines and legal challenges, emphasizing the need for immediate action by corporate entities.
6 - Consumer Rights Under the New Law
The Texas Biometrics Law greatly enhances consumer protections, granting residents the right to:
- Informed Consent: Individuals must be fully informed and consent prior to their biometric data being collected.
- Data Deletion: Consumers can request the deletion of their biometric data from any database.
These provisions ensure that consumers have significant control over their personal information. Businesses should consult experts to ensure compliance, and consumers should stay informed about their rights under this new law.
