Texas CUBI: What the Capture or Use of Biometric Identifier Act Requires
- 01 What biometric identifiers does Texas CUBI actually cover?
- 02 What must Texas businesses do before collecting biometric data?
- 03 Who enforces CUBI and how large can the penalties reach?
- 04 How does Texas CUBI compare to Illinois BIPA?
- 05 What did the 2025 Texas AI law add to biometric obligations?
- 06 How Shufti handles Biometric Compliance for Organisations capturing Identity Data
TL;DR
- Texas has required informed consent before commercial biometric capture since 2001.
- The AG can impose up to $25,000 per violation with no cap on total liability.
- Meta’s $1.4 billion July 2024 settlement is the largest AG privacy settlement in US history.
- Unlike Illinois BIPA, CUBI gives individual Texans no private right to sue.
- The 2025 Texas AI law added a narrow AI-training exemption, effective January 2026.
In 2011, Meta rolled out a feature called Tag Suggestions. The tool automatically scanned every face in uploaded Facebook photos, extracted facial geometry measurements, and matched them to user profiles with no disclosure and no consent request to the Texans it affected. For roughly a decade, the scanning continued.
In July 2024, the Texas Attorney General settled the resulting lawsuit for $1.4 billion, the largest privacy settlement a single state AG has ever obtained in US history. The law Meta violated, the Capture or Use of Biometric Identifier Act (CUBI), has been on the books since 2001. Its requirements are not ambiguous. This guide covers what CUBI requires, how enforcement works, how it differs from Illinois BIPA, and what the 2025 Texas AI law changed.
What biometric identifiers does Texas CUBI actually cover?
CUBI applies to five specific data types. If your system captures any one of them for a commercial purpose, the law’s full consent and retention requirements follow immediately.
The five data types the statute names
The identifiers CUBI protects are: retina or iris scans, fingerprints, voiceprints, and records of hand or face geometry. The statute is intentional in its precision. Generic health data, behavioural data, and metadata derived from biometric signals fall outside the law unless they directly constitute one of these five categories. The face geometry category is the one that caught Meta. A facial recognition system that extracts dimensional measurements from a photograph creates a “record of face geometry” under CUBI, regardless of whether the output is described internally as a “template,” a “vector,” or an “embedding.”
When “commercial purpose” triggers the law
CUBI applies when the biometric capture serves a commercial purpose. That framing is broad. A retailer running facial recognition to prevent shoplifting, a gym collecting fingerprints for door access, and a financial institution authenticating customers by voiceprint all qualify. Non-commercial contexts, such as a state agency verifying identity for a government service, fall outside CUBI’s scope, though other Texas statutes may apply.
What must Texas businesses do before collecting biometric data?
Texas businesses must inform individuals and obtain written consent before capturing any biometric identifier for a commercial purpose. The sequence is fixed: disclosure and consent come first, capture comes second.
Inform and obtain written consent before capture
The notice must explain that a biometric identifier is being captured and state the specific purpose for the capture. CUBI does not prescribe an exact form, but the AG’s guidance and the Meta case make clear that a buried clause inside a general terms-of-service document does not satisfy the statute. Consent must be written and must precede capture. Retrospective consent obtained after data has already been collected does not cure the violation.
A clarification added by the 2025 Texas AI law matters here: the fact that someone’s image or biometric data is publicly available online does not constitute consent to capture their biometric identifiers, unless that person personally made it public. A company cannot scrape social media profiles and treat the public nature of the images as permission.
Retention limits and destruction obligations
Once captured, a biometric identifier must be destroyed within a reasonable time after the purpose for its collection has expired, and in no case later than one year after that expiration. CUBI does not define “reasonable time” with a fixed number of days, which means businesses need a documented retention policy tied to a defined purpose-expiry event, not a rolling calendar date.
Selling, leasing, or disclosing a biometric identifier to a third party is also prohibited under CUBI unless the individual has specifically consented to that disclosure, or the transfer is required by law.
Who enforces CUBI and how large can the penalties reach?
The Texas Attorney General holds exclusive enforcement authority under CUBI. No private citizen, no class action plaintiff, and no other state or federal agency can bring a CUBI claim.
The AG as the sole enforcer
The AG’s office can investigate complaints, issue civil investigative demands, and file suit directly. Since the Meta settlement in July 2024, the AG has treated biometric enforcement as an active priority. The Meta case was the first lawsuit ever brought under CUBI and the first settlement ever obtained.
In the months that followed, the AG’s consumer protection division issued compliance inquiry letters to companies operating facial recognition systems in Texas retail environments. A statute that had sat relatively dormant for over two decades is now under active enforcement attention.
$25,000 per violation, no aggregate cap
Each CUBI violation carries a civil penalty of up to $25,000. There is no aggregate cap on total liability. A company that captures biometric data from 100,000 Texas residents without consent faces theoretical exposure of up to $2.5 billion.
What was the $1.4 billion Meta Texas facial recognition settlement?
In July 2024, Meta agreed to pay $1.4 billion to resolve the Texas AG’s CUBI lawsuit, the first case ever brought and the first settlement ever obtained under the statute, and the largest privacy settlement a single state AG has secured anywhere in the US.
The AG alleged that Meta’s Tag Suggestions feature, launched in 2011, automatically extracted face geometry records from uploaded photos on Facebook and Instagram without informing Texas users or obtaining their written consent. Meta reportedly ran this facial recognition system across virtually every face appearing in photos uploaded by Texas residents over roughly a decade, then denied or minimised the practice when it became public.
Settlement payments are structured over five years under an agreed final judgment. Beyond the dollar figure, the case established what the industry needed to understand: the Texas AG will bring CUBI cases, the per-violation arithmetic produces liability at a scale that exceeds most corporate risk tolerances, and the absence of private litigation under CUBI does not mean an absence of enforcement.

How does Texas CUBI compare to Illinois BIPA?
Illinois enacted the Biometric Information Privacy Act (BIPA) in 2008. CUBI predates it, having passed in 2001. Both laws share the same core logic (consent before capture, restrictions on disclosure, destruction obligations) but diverge sharply on enforcement model and litigation exposure.
| Feature | Texas CUBI | Illinois BIPA |
| --- | --- | --- |
| Enacted | 2001 | 2008 |
| Private right of action | No — AG enforcement only | Yes — individuals and class actions |
| Penalty per violation | Up to $25,000 (AG enforcement) | $1,000 negligent / $5,000 intentional |
| Enforcement body | Texas Attorney General | Private plaintiffs and Illinois AG |
| Consent standard | Written, prior to capture | Written, prior to capture |
| Retention / destruction | Within 1 year after purpose expires | Per published retention schedule |
| Litigation volume | Low (one major case to date) | 1,400+ putative class actions since 2019 |
The practical difference is volume versus magnitude. BIPA’s private right of action has generated thousands of class actions across Illinois employers and retailers. CUBI generates fewer cases but, as the Meta settlement proved, individual AG actions can dwarf anything a private plaintiff could recover under BIPA. Both laws reward exactly the same compliance behaviour: informed consent before collection.
What did the 2025 Texas AI law add to biometric obligations?
On June 22, 2025, Texas Governor Greg Abbott signed House Bill 149, the Responsible Artificial Intelligence Governance Act (TRIAGA). The law took effect January 1, 2026, and amended CUBI in three distinct ways.
The AI training exemption
TRIAGA creates an exemption from CUBI for the training, processing, or storage of biometric identifiers used to develop, train, evaluate, or offer AI models or systems. The exemption ends the moment the AI system is deployed for the purpose of uniquely identifying a specific individual. A company building a general facial recognition model is exempt during training. The moment that model is used commercially to identify specific Texans, full CUBI obligations apply.
The security and fraud detection carve-out
Biometric data used in AI systems deployed specifically for security, fraud detection, or the prevention of illegal activity receives a separate exemption. A financial institution using an AI voice analysis system to flag fraudulent account access falls within this carve-out. The carve-out is narrowly drafted: it covers the specific security or fraud-detection deployment, not the organisation’s biometric data practices at large.
Consent and publicly available data
TRIAGA clarified that publicly available media does not constitute consent to biometric capture unless the individual personally made that media public. This closes a gap that some companies had attempted to exploit by treating scraped social media images as consent-neutral input.
For businesses, the practical implication is that TRIAGA does not reduce the compliance burden for standard commercial biometric deployments. It opens a development window for AI builders during training, but any production system that identifies specific people requires the same consent, disclosure, and destruction compliance that CUBI has always required.
How Shufti handles Biometric Compliance for Organisations capturing Identity Data
If your product captures face images, runs liveness checks, or extracts biometric measurements from documents, CUBI’s compliance sequence is the workflow your identity stack needs to enforce. Disclose before capture. Obtain written consent. Destroy on schedule.
Most verification vendors route biometric signals through multiple sub-processors, which makes it difficult to trace what was captured, when, and whether it was retained beyond its stated purpose. Shufti built and owns its entire verification stack. Document intelligence, liveness detection, and face matching are all in-house, with no third-party sub-processors on the biometric path. That ownership makes audit-ready consent and destruction records achievable rather than approximate.
Shufti’s face verification holds iBeta Level 3 conformance under ISO/IEC 30107-3 and operates across 240+ countries with identity verification deployment options that support data residency requirements wherever your users are.
Frequently Asked Questions
Can individual Texans sue companies under CUBI?
No. CUBI does not include a private right of action. Only the Texas Attorney General can bring a CUBI lawsuit. Individual residents who believe a company violated their biometric privacy rights can file a complaint with the AG's office, but they cannot initiate their own legal claim under the statute.
Does CUBI apply to employee biometric data collected in the workplace?
Yes. CUBI does not exempt employment contexts. A Texas employer using fingerprint time-clocks, iris scanners for facility access, or voice authentication for secure systems must disclose the capture to employees and obtain written consent before collection, and must destroy the data within the required timeframe after the purpose expires.
Do Texas residents have the right to opt out of facial recognition under CUBI?
CUBI is an opt-in law, not an opt-out framework. A business cannot collect biometric identifiers and then offer an opt-out after the fact. Written consent must be obtained before capture occurs. If a company collects facial geometry without prior consent, the collection itself is the violation; there is no post-collection mechanism that cures it.
