On July 30, 2024, the Texas Attorney General reached a $1.4 billion settlement with Meta related to the company’s alleged use of personal biometric data without user consent. The Office of the Attorney General (OAG) is touting the settlement as the largest ever obtained from an action by a single state and the largest privacy settlement ever secured by an attorney general. It highlights the OAG’s continued focus on enforcing Texas privacy laws and ensuring compliance by major technology companies.
The OAG sued Meta, formerly known as Facebook, in February 2022 alleging its “Tag Suggestions” feature violated the Texas Capture or Use of Biometric Identifier Act (CUBI)1 and the Texas Deceptive Trade Practices Act (DTPA).2 CUBI prohibits a business from capturing an individual’s biometric identifiers (retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry) for a commercial purpose without informed consent. Meta’s Tag Suggestions feature, rolled out in 2011, used proprietary facial-recognition technology to capture and analyze facial geometry from photos and videos uploaded to Facebook and used that information to identify individuals in other uploaded photos and videos, suggesting to users that they tag those individuals accordingly.
After more than two years of contested litigation, the parties have reached a historic settlement. Meta has agreed to pay $1.4 billion to settle the OAG’s claims. The settlement also establishes pre-litigation notice and dispute resolution procedures for any future disputes the parties may have regarding the application of biometrics laws, including CUBI and Texas’ comprehensive privacy law, the Texas Data Privacy and Security Act (TDPSA).3
This settlement is the latest in a flurry of activity out of the OAG’s office, signaling ramped up enforcement of Texas privacy laws, with a focus on major technology companies. On June 4, 2024, the OAG announced a major initiative to “protect Texans’ sensitive data from illegal exploitation by Tech, AI, and Other Companies.” The OAG established a team within its Consumer Protection Division focused on enforcing the TDPSA, the Identify Theft Enforcement and Protection Act,4 the Data Broker Act,5 the Biometric Identifier Act,6 the Deceptive Trade Practices Act, and federal laws including the Children’s Online Privacy Protection Act and the Health Insurance Portability and Accountability Act.
Two days later, the OAG announced an investigation into car manufacturers’ suspected collection and sale of drivers’ data, citing reports that manufacturers had been secretly collecting driver data directly from vehicles and then selling that data to insurance companies and other third parties. The OAG is investigating under the DTPA.
Finally, on June 18, 2024, the OAG notified more than 100 companies of suspected noncompliance with the State’s data broker law which requires companies that buy, sell, trade, or process personal data to (1) register with the State and (2) implement safeguards to protect personal data.
At the same time, Texas’ new TDPSA became effective July 1, 2024. Businesses subject to the new law must, among other things, provide a clear and accessible privacy notice to consumers, limit personal data collection to disclosed purposes, maintain reasonable data security practices, notify consumers if they will sell consumers’ sensitive or biometric data, and provide consumers the ability to opt out of certain types of profiling. The law provides exclusive enforcement authority to the OAG.
When announcing its expanded privacy enforcement team, the OAG said it was “poised to become among the largest in the country focused on enforcing privacy laws.” In light of these developments, we should expect more privacy enforcement activity out of the Texas Attorney General’s Office in the coming months and years.
1 Tex. Bus. & Com. Code § 503.001.
2 Tex. Bus. & Com. Code § 17.41 et seq.
3 Tex. Bus. & Com. Code § 541.001 et seq.
4 Tex. Bus. & Com. Code § 521.001 et seq.
5 Tex. Bus. & Com. Code Ch. 509.
6 Tex. Bus. & Com. Code § 503.001 et seq.