The Texas lawsuit against
Private litigation tied to alleged violations of Illinois’ Biometric Information Privacy Act has grabbed headlines and caused companies to settle for millions—but the lawsuit from Texas Attorney General Ken Paxton (R) shows that litigation by state attorneys general is also a potentially large legal headache.
“The thought that if you don’t do business in Illinois, you don’t have to worry about the risk of significant liability, that’s been refuted by this lawsuit,” said Greg Abrams, a partner at Faegre Drinker Biddle & Reath LLP in Chicago. “This lawsuit demonstrates that there’s still significant risk if biometrics are being collected, used, or stored in other states, even if those states don’t provide for private rights of action.”
Facebook last year paid $650 million to settle claims the social media company collected and stored digital scans of users’ faces in violation of BIPA, which requires companies to obtain consent before collecting data such as fingerprints and facial scans. Some companies, facing the prospect of costly private litigation, have opted to abandon or modify their use of biometric technology.
The Meta lawsuit—in which Paxton alleges Facebook and Instagram monetized people’s faces without their consent and maintained a facial-geometry database—is the first time the Texas attorney general’s office has sued under the state’s Capture or Use of Biometric Identifier Act, attorneys say. The Texas biometric privacy law, unlike that of Illinois, doesn’t have a private right of action that gives consumers the right to sue.
The Texas law empowers the attorney general to litigate against alleged violators of the statute. Washington also has a biometric privacy law without a private right of action that its attorney general can enforce. But attorneys general in those states and others can also target facial recognition through other state laws.
“This is a big statement given the heft of Texas and the heft of Meta, and it could embolden other state attorneys general to pursue investigations using their own deceptive trade practices laws,” said Melissa Krasnow, a partner at VLP Law Group in Minneapolis. “This is certainly a cautionary tale for other companies.”
The case could cause a domino effect and result in amped-up biometric privacy enforcement in Texas and Washington, said David Oberly, an associate at Blank Rome LLP in Cincinnati.
Paxton also included allegations under Texas’ deceptive trade practices law. Most states have similar statutes that prohibit companies from acting in ways that run contrary to their stated practices, Abrams said.
“The fact that Texas is pursuing this action under its deceptive trade practices act in addition to its more specific biometric information statute also potentially sets a precedent for those states that don’t have laws specifically on biometric information to pursue a similar action where appropriate,” Abrams said.
While biometric privacy class action litigation may be more widely publicized, attorneys general are interested in pursuing privacy violations, putting companies with weak biometrics or security practices at risk, said Linn Freedman, a partner at Robinson & Cole LLP in Providence, R.I.
New Mexico Attorney General Hector Balderas (D) has aggressively pursued Google for its alleged violations of the Children’s Online Privacy Protection Act and the New Mexico Unfair Practices Act, Freedman said.
“The consumer protection divisions of state AG offices will probably be taking a close look at this suit,” she added. “I wouldn’t be surprised if they are assessing whether it makes sense for them to commence similar actions.”
Regardless of how the Meta lawsuit plays out, it’s clear Texas is dedicated to pursuing the company—Paxton’s office hired private counsel to help litigate the case, said Mark Olthoff, a shareholder at Polsinelli P.C. in Kansas City.
If the lawsuit does spur other attorneys general to launch their own biometric privacy investigations, those efforts are likely to focus on large companies.
“There’s got be enough of a group of people that would be impacted that it would make sense for AGs to do it,” Olthoff said.
The lawsuit should serve as a reminder of the financial and reputational hits that companies thrust in the spotlight on biometric privacy can face, whether that’s in private, plaintiff-led litigation, or in a publicized attorney general-led litigation as in Texas, Oberly said.
Data minimization—properly disclosing information, especially that to sensitive identifiers such as biometrics—is a crucial safeguard for companies, he added.
“Companies need to realize that they shouldn’t hold onto biometric data even if they don’t fall under the Texas law or other biometric laws,” Oberly said. “If you’re no longer using the data, get rid of it—keeping it around is a gigantic risk for data breaches.”
The lawsuit may also inspire legislators in states without biometric privacy legislation to enact similar statutes to Texas’ law, Freedman said.
“We’re seeing more and more states become interested in the collection and protection of biometric information,” she added. “This could spur them to act now.”
Meanwhile, companies are likely to face large volumes of BIPA litigation in Illinois and should work to ensure they are compliance with that law, Krasnow said. The same goes for complying with biometrics requirements in the California Privacy Rights Act and in the Colorado and Virginia privacy statutes once those take effect next year, Krasnow said.