Texas CUBI: What the Capture or Use of Biometric Identifier Act Requires


TL;DR

  • Texas has required informed consent before commercial biometric capture since 2001.
  • The AG can impose up to $25,000 per violation with no cap on total liability.
  • Meta’s $1.4 billion July 2024 settlement is the largest AG privacy settlement in US history.
  • Unlike Illinois BIPA, CUBI gives individual Texans no private right to sue.
  • The 2025 Texas AI law added a narrow AI-training exemption, effective January 2026.

In 2011, Meta rolled out a feature called Tag Suggestions. The tool automatically scanned every face in uploaded Facebook photos, extracted facial geometry measurements, and matched them to user profiles with no disclosure and no consent request to the Texans it affected. For roughly a decade, the scanning continued.

In July 2024, the Texas Attorney General settled the resulting lawsuit for $1.4 billion, the largest privacy settlement a single state AG has ever obtained in US history. The law Meta violated, the Capture or Use of Biometric Identifier Act (CUBI), has been on the books since 2001. Its requirements are not ambiguous. This guide covers what CUBI requires, how enforcement works, how it differs from Illinois BIPA, and what the 2025 Texas AI law changed.

What biometric identifiers does Texas CUBI actually cover?

CUBI applies to five specific data types, and if your system captures any one of them for a commercial purpose, the law’s full consent and retention requirements follow immediately.

The five data types the statute names

The identifiers CUBI protects are: retina or iris scans, fingerprints, voiceprints, and records of hand or face geometry. The statute is intentional in its precision. Generic health data, behavioural data, and metadata derived from biometric signals fall outside the law unless they directly constitute one of these five categories. The face geometry category is the one that caught Meta. A facial recognition system that extracts dimensional measurements from a photograph creates a “record of face geometry” under CUBI, regardless of whether the output is described internally as a “template,” a “vector,” or an “embedding.”

When “commercial purpose” triggers the law

CUBI applies when the biometric capture serves a commercial purpose. That framing is broad. A retailer running facial recognition to prevent shoplifting, a gym collecting fingerprints for door access, a financial institution authenticating customers by voiceprint: all qualify. Non-commercial contexts, such as a state agency verifying identity for a government service, fall outside CUBI’s scope, though other Texas statutes may apply.

What must Texas businesses do before collecting biometric data?

Texas businesses must inform individuals and obtain written consent before capturing any biometric identifier for a commercial purpose. The sequence is fixed: disclosure and consent come first, capture comes second.

Inform and obtain written consent before capture

The notice must explain that a biometric identifier is being captured and state the specific purpose for the capture. CUBI does not prescribe an exact form, but the AG’s guidance and the Meta case make clear that a buried clause inside a general terms-of-service document does not satisfy the statute. Consent must be written and must precede capture. Retrospective consent obtained after data has already been collected does not cure the violation.

A clarification added by the 2025 Texas AI law matters here: the fact that someone’s image or biometric data is publicly available online does not constitute consent to capture their biometric identifiers, unless that person personally made it public. A company cannot scrape social media profiles and treat the public nature of the images as permission.

Retention limits and destruction obligations

Once captured, a biometric identifier must be destroyed within a reasonable time after the purpose for its collection has expired, and in no case later than one year after that expiration. CUBI does not define “reasonable time” with a fixed number of days, which means businesses need a documented retention policy tied to a defined purpose-expiry event, not a rolling calendar date.

Selling, leasing, or disclosing a biometric identifier to a third party is also prohibited under CUBI unless the individual has specifically consented to that disclosure, or the transfer is required by law.

Who enforces CUBI and how large can the penalties reach?

The Texas Attorney General holds exclusive enforcement authority under CUBI. No private citizen, no class action plaintiff, and no other state or federal agency can bring a CUBI claim.

The AG as the sole enforcer

The AG’s office can investigate complaints, issue civil investigative demands, and file suit directly. Since the Meta settlement in July 2024, the AG has treated biometric enforcement as an active priority. The Meta case was the first lawsuit ever brought under CUBI and the first settlement ever obtained.

In the months that followed, the AG’s consumer protection division issued compliance inquiry letters to companies operating facial recognition systems in Texas retail environments. A statute that had sat relatively dormant for over two decades is now under active enforcement attention.

$25,000 per violation, no aggregate cap

Each CUBI violation carries a civil penalty of up to $25,000. There is no aggregate cap on total liability. A company that captures biometric data from 100,000 Texas residents without consent faces theoretical exposure of up to $2.5 billion.

 

What was the $1.4 billion Meta Texas facial recognition settlement?

In July 2024, Meta agreed to pay $1.4 billion to resolve the Texas AG’s CUBI lawsuit, the first case ever brought and the first settlement ever obtained under the statute, and the largest privacy settlement a single state AG has secured anywhere in the US.

The AG alleged that Meta’s Tag Suggestions feature, launched in 2011, automatically extracted face geometry records from uploaded photos on Facebook and Instagram without informing Texas users or obtaining their written consent. Meta reportedly ran this facial recognition system across virtually every face appearing in photos uploaded by Texas residents over roughly a decade, then denied or minimised the practice when it became public.

Settlement payments are structured over five years under an agreed final judgment. Beyond the dollar figure, the case established what the industry needed to understand:

The Texas AG will bring CUBI cases, the per-violation arithmetic produces liability at a scale that exceeds most corporate risk tolerances, and the absence of private litigation under CUBI does not mean absent enforcement.


How does Texas CUBI compare to Illinois BIPA?

Illinois enacted the Biometric Information Privacy Act (BIPA) in 2008. CUBI predates it, having passed in 2001. Both laws share the same core logic (consent before capture, restrictions on disclosure, destruction obligations) but diverge sharply on enforcement model and litigation exposure.

| Feature | Texas CUBI | Illinois BIPA |
|---|---|---|
| Enacted | 2001 | 2008 |
| Private right of action | No, AG enforcement only | Yes, individuals and class actions |
| Penalty per violation | Up to $25,000 (AG enforcement) | $1,000 negligent / $5,000 intentional |
| Enforcement body | Texas Attorney General | Private plaintiffs and Illinois AG |
| Consent standard | Written, prior to capture | Written, prior to capture |
| Retention / destruction | Within 1 year after purpose expires | Per published retention schedule |
| Litigation volume | Low (one major case to date) | 1,400+ putative class actions since 2019 |

The practical difference is volume versus magnitude. BIPA’s private right of action has generated thousands of class actions across Illinois employers and retailers. CUBI generates fewer cases but, as the Meta settlement proved, individual AG actions can dwarf anything a private plaintiff could recover under BIPA. Both laws reward exactly the same compliance behaviour: informed consent before collection.

What did the 2025 Texas AI law add to biometric obligations?

On June 22, 2025, Texas Governor Greg Abbott signed House Bill 149, the Responsible Artificial Intelligence Governance Act (TRIAGA). The law took effect January 1, 2026, and amended CUBI in three distinct ways.

The AI training exemption

TRIAGA creates an exemption from CUBI for the training, processing, or storage of biometric identifiers used to develop, train, evaluate, or offer AI models or systems. The exemption ends the moment the AI system is deployed for the purpose of uniquely identifying a specific individual. A company building a general facial recognition model is exempt during training. The moment that model is used commercially to identify specific Texans, full CUBI obligations apply.

The security and fraud detection carve-out

Biometric data used in AI systems deployed specifically for security, fraud detection, or the prevention of illegal activity receives a separate exemption. A financial institution using an AI voice analysis system to flag fraudulent account access falls within this carve-out. The carve-out is narrowly drafted: it covers the specific security or fraud-detection deployment, not the organisation’s biometric data practices at large.

Consent and publicly available data

TRIAGA clarified that publicly available media does not constitute consent to biometric capture unless the individual personally made that media public. This closes a gap that some companies had attempted to exploit by treating scraped social media images as consent-neutral input.

For businesses, the practical implication is that TRIAGA does not reduce the compliance burden for standard commercial biometric deployments. It opens a development window for AI builders during training, but any production system that identifies specific people requires the same consent, disclosure, and destruction compliance that CUBI has always required.

How Shufti handles biometric compliance for organisations capturing identity data

If your product captures face images, runs liveness checks, or extracts biometric measurements from documents, CUBI’s compliance sequence is the workflow your identity stack needs to enforce. Disclose before capture. Obtain written consent. Destroy on schedule.

Most verification vendors route biometric signals through multiple sub-processors, which makes it difficult to trace what was captured, when, and whether it was retained beyond its stated purpose. Shufti built and owns its entire verification stack. Document intelligence, liveness detection, and face matching are all in-house, with no third-party sub-processors on the biometric path. That ownership makes audit-ready consent and destruction records achievable rather than approximate.

Shufti’s face verification holds iBeta Level 3 conformance under ISO/IEC 30107-3 and operates across 240+ countries with identity verification deployment options that support data residency requirements wherever your users are.

See how Shufti’s face verification handles your biometric compliance obligations on real user data. Book a demo.

Frequently Asked Questions

Can individual Texans sue companies under CUBI?

No. CUBI does not include a private right of action. Only the Texas Attorney General can bring a CUBI lawsuit. Individual residents who believe a company violated their biometric privacy rights can file a complaint with the AG's office, but they cannot initiate their own legal claim under the statute.

Does CUBI apply to employee biometric data collected in the workplace?

Yes. CUBI does not exempt employment contexts. A Texas employer using fingerprint time-clocks, iris scanners for facility access, or voice authentication for secure systems must disclose the capture to employees and obtain written consent before collection, and must destroy the data within the required timeframe after the purpose expires.

Do Texas residents have the right to opt out of facial recognition under CUBI?

CUBI is an opt-in law, not an opt-out framework. A business cannot collect biometric identifiers and then offer an opt-out after the fact. Written consent must be obtained before capture occurs. If a company collects facial geometry without prior consent, the collection itself is the violation; there is no post-collection mechanism that cures it.
