What is CUBI and Why Should Texas Companies Be Aware of the Act?

In an increasingly digital world, how we approach privacy needs to be reimagined. Businesses default to gathering as much data as they can to help increase performance, insights, and efficiency. Yet when consumers’ and employees’ personal information is on the line, two clear questions arise:

  • What actions do businesses need to take to protect sensitive information?
  • And if businesses fail to protect sensitive information, how should they be held responsible?

The answer varies from state to state and one privacy issue to the next.

Let’s look at biometric data as an example. Biometric data is a fancy, legalese term referring to the unique physical identifiers of an individual person such as fingerprints, facial recognition imprints, and iris scans. In the state of Texas, the Capture or Use of Biometric Identifier (CUBI) Act was passed in 2009, creating regulations for the use of this and other biometric data by businesses and organizations.

If the law was put into place over ten years ago, why all the attention now? For starters, Ken Paxton, the Attorney General of Texas, is now choosing to enforce this law against two mega corporations his office asserts are currently in violation: Google and Meta. Google ended up giving Illinois $100 million for a similar lawsuit. However, in February of this year, Meta pushed back on the allegations. CUBI is now in the spotlight, and that doesn’t appear to be changing anytime soon.

What the Law Requires

The act requires companies to provide crystal-clear notice when someone’s biometric data is being collected, stored, or used. Additionally, organizations must obtain consent from individuals before collecting, storing, or using said data.

The importance of this law lies in the act’s ability to protect the privacy and security of employees. Biometric data is highly sensitive information and can be used by cyber criminals for identity theft, fraud, and even illegal surveillance. CUBI prevents these abuses by regulating the use of biometric data and ensuring people have control over how their data is collected and used.

CUBI is not the only act of its kind. In fact, Illinois has the Biometric Information Privacy Act (BIPA) that also protects biometric identifiers. However, some variances exist:

  • BIPA concentrates on any information based on/derived from biometric identifiers as opposed to CUBI’s sole focus on biometric identifiers.
  • BIPA requires written consent whereas CUPI simply requires consent.
  • BIPA restricts all collections of biometrics, apart from data collected under HIPAA, the Financial Privacy Rule, or other regulations. CUBI only restricts collections for commercial purposes.
  • BIPA can be enforced by individuals whereas CUBI is only enforceable by Texas’s AG.

And this is only the difference between two very specific states. Comparing the variations in data privacy legislations between states can be a challenge in its own right and require the guidance of legal counsel to perfectly navigate the pitfalls.

What Companies in Texas and Beyond Need to Know

What does all this mean for you and your business? It is a strong reminder to make sure you have clearly documented data privacy processes and policies in place, especially if you collect biometric data on a regular basis. When it comes to the security of your employees and consumers, every i must be dotted and every t crossed. Here are a few initial considerations:

Privacy Policy – Are your processes and language up to date? Have you shown any privacy documents to a reliable legal team to ensure state compliance? The policy should spell out how biometric data is being collected and stored and divulge how your company will permanently delete the data once you no longer have contact with the employee or consumer.

Notice – Obtain clear, written consent before any biometric data is collected. Explain exactly how the data will be collected, stored, and eventually destroyed (again written consent is not strictly required for CUBI, but a signed consent form is prudent).

Data Security – Ensure your data is safe and secure and explain what measures you are taking to protect against the loss, misuse, and alteration of your data and information that is under control.

The personal data and identification of individuals are of utmost importance to your company. Leaders need to remain vigilant when monitoring the requirements surrounding the details and statuses of content and disclosure documents. As always, consulting with your legal team can help you to safeguard your business as the conversation about privacy continues to evolve.

Have further questions on biometric data privacy or other hot button issues? Reach out to our team today to discuss best practices to keep your people and your company protected in this digital world.