Texas CUBI Compliance Guide: Biometric Identifier Act 2026

Texas's once-dormant biometric privacy statute now drives the largest single-state privacy settlements in U.S. history. This guide explains what CUBI requires, who it covers, how the 2026 TRAIGA amendments change the landscape, and the practical IT and security controls that demonstrate compliance.

Conceptual visualization of biometric identifiers — fingerprint, facial geometry, iris scan, and voiceprint — converging into a regulatory shield

In July 2024, the Texas Attorney General announced a $1.4 billion settlement with Meta — the largest privacy settlement ever obtained by a single state. Ten months later, in May 2025, the same office finalized a $1.375 billion settlement with Google. Both agreements rested on a quiet 2009 Texas statute that, until recently, had never produced a single enforcement action: the Capture or Use of Biometric Identifier Act, better known as CUBI. [Texas Office of the Attorney General]

For sixteen years, CUBI looked like a dormant law that businesses outside of consumer technology could safely ignore. That assumption is now expensive. The Texas Attorney General has signaled — through these settlements, through the 2026 amendments tied to the Texas Responsible AI Governance Act, and through the public CUBI complaint portal — that biometric privacy enforcement is a strategic priority. Any Texas business that captures fingerprints for time-and-attendance, runs facial recognition for building access, records voiceprints in its contact center, or deploys retail analytics that read face geometry now has a regulatory exposure that did not effectively exist before 2024.

This guide explains what CUBI requires, who it covers, how the recent enforcement pattern reshapes practical compliance expectations, and what an IT and security program needs to demonstrate when the data your systems collect happens to include the human body itself.

✓ Key Takeaways

  • CUBI covers four biometric identifiers: retina/iris scans, fingerprints, voiceprints, and records of hand or face geometry — captured for any commercial purpose.
  • Four core obligations: notice and consent before capture; restricted disclosure; reasonable care in storage and transmission; destruction within a reasonable time and no later than one year after the purpose expires.
  • Civil penalties up to $25,000 per violation, enforced exclusively by the Texas Attorney General — there is no private right of action under CUBI.
  • The first two settlements totaled nearly $2.8 billion combined (Meta in 2024, Google in 2025), ending a fifteen-year period in which CUBI was effectively unenforced.
  • HB 149 (TRAIGA), effective January 1, 2026, adds important exceptions for AI training and security use cases — but does not weaken the core consent requirement for commercial biometric capture.

Why a Sleepy 2009 Statute Suddenly Matters

CUBI was enacted in 2009 — the same year Illinois passed its more famous Biometric Information Privacy Act (BIPA). For the next decade and a half the two laws moved in opposite directions. BIPA generated thousands of class action lawsuits because it includes a private right of action; plaintiffs' firms used it to extract settlements from employers, retailers, and platforms across nearly every industry. CUBI, by contrast, can only be enforced by the Texas Attorney General. With no private right of action, CUBI sat unused — well-known to privacy lawyers, mostly invisible to operations and IT leaders.

That changed in February 2022, when then-Attorney General Ken Paxton sued Meta over the Facebook "tag suggestions" feature, alleging that the company collected facial geometry data of millions of Texans without first obtaining consent. The case settled in July 2024 for $1.4 billion, payable over five years. The Texas AG's office described it as the largest privacy settlement ever secured by a single state. [Texas Office of the Attorney General] [Electronic Frontier Foundation]

The Google settlement that followed in May 2025 was structured similarly. Texas alleged Google had captured voiceprints and facial geometry through Google Photos, Google Assistant, and Nest Hub Max without proper notice or consent — again invoking CUBI alongside other Texas privacy claims. The $1.375 billion resolution, finalized without an admission of liability, was the largest single-state recovery against Google by a wide margin. [Texas Office of the Attorney General] [Alston & Bird]

Two settlements do not, on their own, signal sustained enforcement. But three other facts do. First, the Texas AG's office has publicly maintained a consumer-facing CUBI complaint intake page with a direct file-a-complaint link. Second, the Texas legislature in 2025 amended CUBI through HB 149 — clarifying scope and adding new exceptions — which is the kind of legislative attention statutes only get when enforcement is active. Third, the office has been hiring privacy enforcement attorneys. The structural conditions for repeat enforcement are in place.

What CUBI Actually Says

The statute lives at Texas Business & Commerce Code § 503.001. It is short — a single chapter — but it covers a lot of ground in dense statutory language. The Attorney General's plain-English overview reduces CUBI to two operative pieces: a definition of what counts as a biometric identifier, and a list of obligations that attach when one of those identifiers is captured for a commercial purpose. [Texas Office of the Attorney General]

Definition

Biometric Identifier (Tex. Bus. & Com. Code § 503.001)

A retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry. Photographs, video, demographic data, and most behavioral biometrics (e.g., keystroke dynamics) are not enumerated identifiers under CUBI — although they may still be regulated under other Texas privacy laws or the new AI governance statute.

The phrase "for a commercial purpose" does the heavy lifting. CUBI does not regulate every conceivable use of biometrics — it regulates capture or use that connects to commercial activity. In practice the Attorney General has interpreted "commercial purpose" broadly enough to capture employee time-and-attendance systems, customer authentication, retail analytics, and ad targeting. The 2026 amendments, discussed below, draw a sharper line between commercial and security purposes.

Who the Law Actually Reaches

One of the reasons CUBI exposure surprises Texas business leaders is that biometric capture is now embedded in dozens of routine technology choices. Many of these were procurement decisions made by HR, facilities, or operations teams — not privacy or legal. A non-exhaustive list of scenarios that bring an organization within the statute:

  • Time-and-attendance fingerprint clocks: Common in manufacturing, hospitality, healthcare, and field services. Each enrolled employee triggers consent and retention obligations.
  • Facial recognition for building or floor access: Increasingly bundled into modern access control platforms as a convenience option alongside badge readers.
  • Voiceprint authentication in contact centers: Often deployed by financial services and insurance to reduce caller verification time. The vendor captures and matches voiceprints on the organization's behalf.
  • Customer-facing kiosks and self-checkout: Some retail analytics platforms record face geometry for return-fraud detection or loyalty program identification.
  • Healthcare patient identification: Palm vein and iris scanning systems used to match patients to records in large hospital networks.
  • Multi-factor authentication using face or fingerprint: When the biometric is processed only on-device (e.g., Windows Hello, Apple Touch ID) the organization typically does not "capture" the identifier; when an enterprise system stores or transmits the template, it does.
  • AI training data with biometric content: Building models on face or voice data — even from public sources — can implicate CUBI absent a clear exception.

The pattern that emerges is straightforward: CUBI compliance is rarely the responsibility of a single team. The fingerprint clock is owned by HR. The access control system is owned by facilities. The contact center voiceprint platform is owned by customer experience. The MFA rollout is owned by IT. Nothing about CUBI says these have to be coordinated — but the Attorney General will treat them as one organization's obligations when a complaint is filed.

The Four Obligations, Translated

Every CUBI compliance program reduces to four duties. Each has a precise statutory wording and a more useful operational interpretation. Practitioners should track both.

1. Notice and Affirmative Consent Before Capture

The first capture is the moment that matters. CUBI requires that the individual be informed and that consent be obtained before the biometric is captured — not after enrollment, not buried in a click-through that follows the scan. In employment contexts, the consent must be clear enough that an employee understands what is being collected, why, and for how long. A signed acknowledgment alongside an offer letter or employee handbook is the standard approach; an opaque "by using this device you agree" notice on the timeclock kiosk is not.

2. No Sale, Lease, or Disclosure (Narrow Exceptions Only)

CUBI prohibits the sale, lease, or disclosure of a captured biometric identifier except in three specific cases: disclosure to law enforcement under a warrant, disclosure to complete a financial transaction the individual authorized, and disclosure to identify a missing or deceased person with appropriate consent. A vendor relationship in which a SaaS biometric platform "shares" data back to the customer is not a disclosure to a third party — but a vendor that pools biometric data across its customer base for product improvement almost certainly is.

3. Reasonable Care in Storage and Transmission

The statute requires that captured biometric identifiers be protected from disclosure using reasonable care — at least the same care used for other confidential business information. The Attorney General has not published a prescriptive standard, but the general expectation tracks recognized security baselines: encryption in transit and at rest, access control tied to legitimate business need, monitoring and logging of access, and incident response capable of detecting compromise. Organizations already operating to NIST 800-171 or HIPAA Security Rule standards will find that reasonable care for biometric data substantially overlaps with their existing controls.

4. Destruction Within a Reasonable Time (and No Later Than One Year)

This is the obligation that catches most organizations off-guard. Biometric identifiers must be destroyed within a reasonable time after the purpose for collecting them has expired — and, regardless of what is "reasonable," no later than one year after the purpose expires. For an employee fingerprint enrolled for time-and-attendance, the purpose is presumed to expire on the day employment ends. For a customer voiceprint enrolled for authentication, the purpose generally expires when the account is closed. The one-year backstop runs from those triggering events.

Operational note:

Most biometric platforms are not configured by default to delete templates on a schedule. Confirm the vendor's deletion API exists, is automated against your HR or CRM system of record, and produces an auditable log. A retention policy that is not technically enforced is exactly the kind of gap the Attorney General has cited in past biometric matters.

Penalties and the Texas Enforcement Pattern

CUBI authorizes civil penalties of up to $25,000 per violation, which the Attorney General can pursue exclusively — no class actions, no plaintiff-side bar, no parallel federal action. On paper, that cap looks modest; in practice, the per-violation calculation matters enormously. In the Meta case, Texas alleged a separate violation for each of the millions of Texas residents whose facial geometry was captured. That arithmetic is what produced a settlement larger than the entire annual revenue of many publicly traded companies. [Bracewell] [Spencer Fane]

$25,000

maximum civil penalty per CUBI violation — multiplied by every individual whose biometric data was captured without consent

Source: Tex. Bus. & Com. Code § 503.001(d)

Two practical lessons follow from the enforcement pattern. The first is that the Attorney General's office has thus far targeted high-volume, consumer-facing biometric capture — not the kind of enrollment a 200-person manufacturer does at a single timeclock. That is not a guarantee about the future. It is a hint about prioritization. The second is that both major settlements bundled CUBI with other Texas privacy claims, including deceptive trade practices and the data broker statute. An organization that fails on consent will often fail on disclosure or retention as well, and the AG's office will package the claims accordingly.

The 2026 Amendments: HB 149 (TRAIGA)

On June 22, 2025, Governor Abbott signed HB 149 — the Texas Responsible Artificial Intelligence Governance Act, or TRAIGA. The law takes effect January 1, 2026 and amends CUBI in three meaningful ways. None of them weaken the core consent obligation, but together they clarify several edge cases that businesses had been forced to guess about. [Baker Botts] [Perkins Coie]

  • Publicly available biometric content does not equal consent. Scraping or ingesting publicly accessible photos or recordings does not satisfy the notice-and-consent requirement unless the individual themselves made the content public. This closes a gap that several AI training pipelines had relied on.
  • AI model development carve-out. Processing biometric identifiers solely to develop, train, or evaluate an AI model is now exempt — unless the resulting system is used to uniquely identify a specific individual. This protects general-purpose model training while preserving the consent requirement for identification-grade systems.
  • Security and fraud prevention exception. AI systems deployed for specified security and fraud prevention purposes are exempted from CUBI's commercial-capture restrictions, subject to defined guardrails.

The amendments also bring CUBI into the broader TRAIGA enforcement framework, which carries a 60-day cure period before the Attorney General can pursue penalties for certain violations. The cure period applies to TRAIGA-specific obligations and not to all CUBI conduct, so organizations should not assume that every biometric problem now comes with a free 60 days to fix.

How CUBI Compares to Illinois BIPA

Most Texas businesses that have heard of biometric privacy heard about it through Illinois BIPA litigation. The two statutes overlap heavily but differ on the points that matter most for risk management.

Dimension | Texas CUBI | Illinois BIPA
--- | --- | ---
Year enacted | 2009 | 2008
Private right of action | No (AG enforcement only) | Yes (drives class actions)
Maximum penalty | $25,000 per violation | $1,000 negligent / $5,000 intentional, per violation (statutory damages)
Written policy required | Not explicitly | Yes (public retention/destruction policy required)
Maximum retention | Reasonable time, no later than 1 year after purpose ends | Until purpose ends or 3 years from last interaction, whichever comes first
Form of consent | Inform + obtain consent (form unspecified) | Written, signed release

The strategic implication is that organizations operating in both states should default to BIPA-grade documentation — written policies, signed releases, prescriptive retention schedules. BIPA-grade compliance is not just sufficient for CUBI in nearly every dimension; it is also the defensible posture if Texas enforcement evolves toward private litigation in future legislative sessions.

A Practical Compliance Roadmap

The four obligations translate into a recurring program — not a project. Most Texas organizations that take CUBI seriously end up running through a five-step cycle annually, with quarterly check-ins on the components most prone to drift.

1. Inventory every system that captures or stores a CUBI identifier

Survey HR, facilities, customer experience, security, and IT. Document each system's purpose, the population enrolled, the data retained, the location of storage (on-premises vs. vendor cloud), and the contractual handling terms with the vendor.

2. Build a defensible consent record

For every individual currently enrolled, confirm a documented notice was provided before capture and that consent was obtained. For employees, this typically means a signed acknowledgment. For customers, a logged opt-in tied to the user record.

3. Codify a written retention and destruction policy

CUBI does not explicitly require a published policy, but an internal policy is the only credible way to demonstrate that the one-year destruction backstop is enforced. Tie destruction triggers to events your HR or CRM system of record already produces (termination, account closure).

4. Apply baseline security controls to biometric stores

Encryption in transit and at rest, role-based access tied to least privilege, monitoring and logging on biometric data stores, vulnerability management for the platforms hosting templates, and an incident response plan that includes biometric data breach notification logic.

5. Audit vendors and renew contracts with CUBI-aware language

Most biometric capture happens through a vendor product. Confirm that the vendor's contract restricts secondary use, defines deletion timelines, requires breach notification, and accepts the customer's role as the entity responsible for primary CUBI compliance. Update SOC 2 review cadence accordingly.
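As an added example (not code from this article or from any vendor platform), here is the retention automation that the operational note under obligation 4 and roadmap step 3 describe, sketched in Python: termination dates from the HR system of record drive deletion against a hypothetical `VendorTemplateStore` that stands in for a real vendor deletion API, every action is written to an audit log, and any template found past the one-year backstop is flagged as a finding. The 30-day internal window is a constructed policy value, not a figure from the statute.

```python
from dataclasses import dataclass
from datetime import date, timedelta

BACKSTOP = timedelta(days=365)   # CUBI: destroy no later than 1 year after purpose expires
REASONABLE = timedelta(days=30)  # constructed internal policy for "reasonable time"


@dataclass
class Template:
    subject_id: str   # key shared with the HR / CRM system of record
    purpose: str      # e.g. "time-and-attendance"


class VendorTemplateStore:
    """Hypothetical stand-in for a biometric vendor's template API."""

    def __init__(self, templates):
        self._templates = {t.subject_id: t for t in templates}

    def list_templates(self):
        return list(self._templates.values())

    def delete(self, subject_id):
        return self._templates.pop(subject_id, None) is not None  # True only if removed


def retention_sweep(store, expiry_events, today, audit_log):
    """Delete templates whose purpose has expired; append one audit entry per action.

    expiry_events maps subject_id -> date the purpose expired (termination, account
    closure) as exported from the system of record. Returns ids deleted, ids found
    past the one-year statutory backstop (a finding to report), and ids retained.
    """
    result = {"deleted": [], "overdue": [], "retained": []}
    for t in store.list_templates():
        expired_on = expiry_events.get(t.subject_id)
        if expired_on is None or today < expired_on + REASONABLE:
            result["retained"].append(t.subject_id)  # no event yet, or inside window
            continue
        past_backstop = today > expired_on + BACKSTOP
        deleted = store.delete(t.subject_id)
        audit_log.append({
            "date": today.isoformat(),
            "subject_id": t.subject_id,
            "purpose": t.purpose,
            "purpose_expired": expired_on.isoformat(),
            "action": "deleted" if deleted else "delete_failed",
            "past_one_year_backstop": past_backstop,
        })
        if deleted:
            result["deleted"].append(t.subject_id)
        if past_backstop:
            result["overdue"].append(t.subject_id)
    return result


def sample_run(today=date(2026, 3, 1)):
    """Constructed inventory and HR termination feed; E100 was kept past one year."""
    store = VendorTemplateStore([
        Template("E100", "time-and-attendance"),
        Template("E200", "time-and-attendance"),
        Template("E300", "building-access"),
        Template("E400", "time-and-attendance"),   # still employed: no event
    ])
    terminations = {"E100": date(2025, 1, 15),
                    "E200": date(2026, 1, 20),
                    "E300": date(2026, 2, 20)}
    audit_log = []
    result = retention_sweep(store, terminations, today, audit_log)
    return result, audit_log, store
```

Run on a schedule against the live HR export; an `overdue` entry is evidence that the backstop was missed and belongs in the compliance record, not just the log.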


Fingerprint and face-geometry readers used for time-and-attendance, building access, and customer authentication are the most common CUBI capture points in Texas businesses.

Common Pitfalls We See in CUBI Assessments

Most organizations that fail a biometric privacy review do not fail on the obvious things. They have notices. They have consent forms. The gaps cluster in five recurring patterns:

  • Consent collected after the first scan. A common timeclock rollout has employees enroll their fingerprint at the device, then sign a consent form at orientation the next morning. Under CUBI, the order matters: consent must be obtained before capture.
  • Retention policies that exist only in the policy library. The HR handbook says biometric data is destroyed at termination. The actual platform retains every template indefinitely because nobody configured the deletion API. The Attorney General will read the configuration, not the handbook.
  • Vendor data sharing that nobody noticed. Some biometric vendors aggregate templates across customers for product improvement. That is a disclosure that no exception in CUBI covers. Read the data processing addendum.
  • Building access systems that quietly enable face geometry. A modern access control panel arrives with badge, PIN, and face options. Face is sometimes enabled in the field as a convenience. The procurement team did not flag it because the PO said "access control."
  • BYOD and third-party MFA. When an enterprise MFA system stores or transmits a face or fingerprint template — even derived from a personal device — CUBI obligations attach. On-device matching that never leaves the user's hardware is generally outside the statute.

Each of these is fixable. None of them is visible without an inventory exercise that crosses HR, facilities, security, and IT, which is why CUBI compliance is, in practice, a coordination problem more than a technical one.

Where Managed IT and Cybersecurity Fit

For most Texas mid-market organizations, the security controls and audit cadence required to demonstrate "reasonable care" under CUBI overlap heavily with the controls already required by HIPAA, CMMC, PCI DSS, and standard cyber insurance underwriting. The right way to think about a CUBI program is not as a separate stack but as a specific set of data classification, retention, and access control disciplines applied to one additional category of sensitive data.

That alignment is why CUBI work tends to land cleanly inside a managed IT or cybersecurity program. The same identity and access management platform that protects PHI under HIPAA can enforce least-privilege on biometric template stores. The same endpoint detection and response platform that is part of a defensible EDR strategy covers the workstations administering biometric systems. The retention automation that already exists for log data extends naturally to biometric template TTLs. ITECS works with Texas businesses across healthcare, financial services, and manufacturing — three sectors in which biometric capture is now routine and CUBI exposure is highest.

Where outside expertise matters most is the inventory and program design phase: getting the cross-functional picture of where biometric data lives, mapping each capture point to the four obligations, and producing the documentation that makes the resulting controls demonstrable in an Attorney General inquiry. That is the work our cybersecurity consulting team most often does on CUBI engagements.

Map your CUBI exposure before the next enforcement wave

A focused biometric privacy assessment from ITECS produces an inventory of every capture point, a gap analysis against CUBI's four obligations, a 30-60-90 day remediation plan, and the documentation you need if the Texas Attorney General ever asks.


The Bottom Line

CUBI was never a quiet law — it was simply an unenforced one. The Meta and Google settlements ended that period, and the 2026 amendments embed biometric privacy into Texas's broader AI governance framework. For any Texas organization that captures fingerprints, faces, irises, or voices in any volume, the practical compliance question is no longer whether the law applies. It is whether the controls, consent records, retention automation, and vendor contracts already in place would survive a complaint-driven inquiry.

The good news is that the work is finite, the obligations are clear, and the controls overlap heavily with the security baselines most regulated organizations already maintain. The bad news is that the volume math under a $25,000 per-violation cap is unforgiving. A program that is mostly right across 500 enrolled employees is still a settlement risk if the gaps are systemic. The settlements of 2024 and 2025 were the warning shots. The next round will not be limited to platform-scale defendants.
