Meta has agreed to settle a Texas biometric privacy lawsuit for $1.4 billion, in what will be the largest such payment yet initiated by an individual state data privacy law. The suit was filed in 2022 but cites the 2009 Capture or Use of Biometric Identifier Act (CUBI), which Meta is accused of violating via Facebook’s “billions” of captures of facial recognition data via photos and videos uploaded by its users.
Facial recognition settlement more than doubles amount paid in prior Illinois case
The biometric privacy law on the books in Illinois is widely thought of as the premier example in the US of regulation of facial recognition technology, and does have the most stringent terms. But the Texas Attorney General’s office found a way to apply their own comparable law to great effect, extracting a settlement that more than doubles the $650 million Meta paid in Illinois under similar charges in 2020. The Texas payment is due to be made in installments over the course of five years.
The suit is the first of its type to be brought under CUBI, in terms of addressing a major social media platform handling millions of user records. The suit hinges on Facebook’s now-deprecated “Tag Suggestions” feature, which was first rolled out in 2011 and shuttered in 2019. The feature allowed Facebook users to be tagged by others in their uploaded photos, automatically creating a link to the tagged person’s Facebook page. The platform was using facial recognition software to automatically suggest tags for friends and family that might be in uploaded photos. The Illinois lawsuit, which was initiated in 2015, also centered on this feature.
The Texas law was particularly damaging to Meta as it provides for up to $25,000 in penalties per violation, with the state accusing the company of “billions” of violations during the window of nearly a decade that the feature was active. The company allegedly violated CUBI and the state’s Deceptive Trade Practices and Consumer Protection Act in capturing and profiting from facial recognition data without obtaining required informed consent, and failing to delete this stored data after a required amount of time. As with the Illinois case, Meta has denied any wrongdoing in spite of the staggering settlement total.
Meta continues to face legal trouble over former Facebook features
The “move fast and break things” culture that Facebook was famous for in the prior decade continues to haunt Meta in the form of regulatory penalties and lawsuits, with a number of states taking action against the company for a variety of reasons other than facial recognition: its protection of children on the platform and serving of harmful or addictive content to them, the security and storage of the personal data it holds, and the use of its sprawling targeted advertising network.
Meta has not only scuttled the Tag Suggestions option, but its facial recognition program for Facebook as a whole. In late 2021 the company announced it would delete all of the facial recognition templates it had gathered due to “uncertainty” about regulation of the technology going forward. These templates were not created if users opted out, but for years everyone was opted in by default and had to manually change a setting they may not have been aware of.
While Texas law usually makes the news for disputes about border enforcement and the handling of undocumented immigrants, the state has been forced to update its tech regulations as it has become a growing hub for the industry in recent years. While it is not the central headquarters for most, it is easier to list off the big names in tech that have not opened some sort of regional offices in the state at this point (with a particular concentration in Austin). Some, such as Oracle, have outright stated their intention to eventually pull up stakes from Silicon Valley and make Texas their new home. While the state is gradually increasing regulatory pressure on these companies, it is still seen as a favorable move due to tax savings and much more affordable real estate.
The Texas Data Privacy and Security Act went into force at the beginning of July, and among its other terms it expands requirements for obtaining consent from users to process sensitive personal data. But the state has been active in regulation even before this, with the Attorney General also suing Google in 2022 over its use and storage of facial recognition data and in two separate suits in 2023 over its Android payment processing practices and alleged deceptive advertising of its browser privacy features. The state also passed a law that prevents large social media companies from censoring user-created content on the basis of political views, though this has been challenged by the Supreme Court and turned over to a lower court for review.