A long-dormant Texas privacy law is finally being put to use against tech giants
Image: Ray Shewsberry/The Record
Andrea Peterson October 21, 2022


When Texas passed a biometric privacy law in 2009, it was only the second state to have such a rule on its books. But the regulation lay dormant until this year, when the state’s attorney general brought a suit against Meta.

On Thursday, Attorney General Ken Paxton activated the law again, alleging that Google’s data practices violate the 2009 Capture or Use of Biometric Identifier (CUBI) Act. The move highlights the power a handful of key states now wield in a U.S. privacy policy debate that has seen little action on the federal level — and suggests that Texas might soon play a leading role. 

While federal lawmakers, regulators, and enforcement agencies have struggled to keep pace as the power and influence of tech giants has swelled over recent decades, a handful of states have stepped up to fill the gap. California, New York, and Illinois have taken on key roles in recent years, in addition to Texas.

The size of these states’ economies and populations has long meant their policy decisions carry outsized weight. That trend holds true in technology regulation, where their decisions have effectively set standards when national laws are absent, such as data breach notifications.

“States are leading the effort to protect biometric privacy, because Congress has failed to do so,” Electronic Frontier Foundation senior attorney Adam Schwartz told The Record.

In the latest Texas suit, Attorney General Paxton faulted Google’s alleged practices related to the facial recognition system used to identify people in Google Photos, launched in 2015, as well as the face matching and voice recognition features in Nest smart home devices.

“Google records—without consent—friends, children, grandparents, and guests who stop by, and then stores their voiceprints indefinitely,” according to the suit, which compares the tech giant’s actions to surveillance tech in George Orwell’s 1984 and the Eye of Sauron in the Lord of the Rings.

“Ultimately, Google has turned Texans’ desire to take, store, and share photos and videos into a testing ground for AI and other products in its ever-growing, advertising-revenue stream. And, Google has enlisted the friends and family members of those Texans as non-consenting, unknowing participants in Google’s scheme,” the suit alleges.

The company does not “affirmatively inform users, much less nonusers, that records of their biometric identifiers are being captured and stored,” putting it on the wrong side of CUBI, according to the lawsuit. 

And that could potentially be pricey: The law authorizes penalties of up to $25,000 per violation and the state is also seeking reimbursement for legal fees related to the suit. 

The suit also seeks an injunction preventing Google from collecting or maintaining biometric data in Texas without appropriate consent. 

In an emailed statement, Google spokesperson José Castañeda said the Attorney General was “once again mischaracterizing” the company’s products and the firm will “set the record straight in court.”

“Google Photos helps you organize pictures of people, by grouping similar faces, so you can easily find old photos,” Castañeda said, adding the feature is only visible to users of that account, can be turned off, and the company does “not use photos or videos in Google Photos for advertising purposes.”

The Voice Match and Face Match features are off-by-default in Nest and “give users the option to let Google Assistant recognize their voice or face to show their information,” Castañeda wrote.

More to come?

Texas passed its biometric privacy law one year after Illinois, the first state in the country to do so. 

However, Illinois’ 2008 Biometric Information Privacy Act (BIPA) lets individuals sue companies directly for violations — what’s known as a private right of action. 

“Unfortunately, the Texas law does not allow private enforcement by the victims of biometric surveillance, unlike the Illinois biometric privacy law, which thus has been much better enforced than the Texas law,” Schwartz told The Record, adding that the decision to enforce Texas’ law is up to the attorney general’s discretion. 

The Texas suit versus Meta was launched in February after the social media giant agreed to pay a $650 settlement in a similar case brought through private action under Illinois’ law. 

Paxton also is leading a group of state attorneys general in an ongoing antitrust suit against Google, alleging an illegal deal with Facebook to fix online advertising pricing, and sued Google in January over allegedly deceptive location tracking practices. 

Washington passed a biometric privacy law without a private right of action in 2017, but Maryland, California, and New York are all considering bills that would allow individuals to sue for violations. California, a leader on state privacy, brought in its first data privacy-related fine amidst a settlement with make-up giant Sephora earlier this year.

On the national level, the Federal Trade Commission is at the beginning stage of a process that may result in data privacy and cybersecurity regulation. 

A bipartisan privacy bill that would generally supplant state-level standards with a federal law also made progress on Capitol Hill this year, but ultimately didn’t make it on the calendar before the midterm elections. It was stalled when the California delegation raised concerns about the proposal effectively lowering the state’s privacy standards, though it may still end up being the blueprint for legislative deals. 

But for now at least, some states like Texas will keep pushing policy forward on their own terms. 

Andrea Peterson (they/them) was a senior policy correspondent at Recorded Future News and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.