COVID-19 ushered in a new work world that has required employers, employees, customers and contractors to adapt quickly. In this novel environment, businesses are doing everything they can to keep their employees employed, their suppliers in business, and their customers happy. At the same time, these companies are learning how to comply with contact-tracing and workplace safety directives.
Some companies have opted to rely on devices and kiosks that record and use customers’ and employees’ biometric information to trace and mitigate COVID-19 exposure. For example, numerous companies installed and utilized non-contact, infrared thermometer stations to identify each employee and take his or her temperature, alerting the company if the individual has a fever. This option, while efficient and effective, poses unique risks Texas businesses need to be aware of.
The Texas Capture or Use of Biometric Identifier Act (“CUBI”) was enacted in 2007 with little recorded commentary by the Texas Legislature. The statute prohibits capture and storage of biometric identifiers, such as retina or iris scans, fingerprints, voiceprints or records of hand or face geometry.
Since it was amended in 2009, CUBI has prohibited businesses and individuals in the state from capturing an individual’s biometric identifier “for a commercial purpose” without informed consent. However, the statute does not define the term “commercial purpose,” and no Texas court has interpreted CUBI to date. But in other contexts, Texas courts have interpreted the term broadly so that it likely would include devices and kiosks used for purposes of contact-tracing and ensuring workplace safety.
CUBI also restricts the sale, lease and disclosure of biometric identifiers except in limited circumstances, and requires that after a company captures the identifiers, it generally must destroy them within one year. Finally, once a company captures biometric identifiers, they must be stored, transmitted and protected “using reasonable care and in a manner that is the same as or more protective than the manner in which . . . other confidential information” is stored, transmitted, and protected.
There is little question that CUBI is restrictive and demands careful compliance. Fortunately for employers, individuals cannot sue companies in Texas for violating CUBI. But compliance is important because the Texas Attorney General may enforce the statute directly, and the penalty for failing to comply is up to $25,000 per violation. As negative press about data breaches abounds and individual concerns about privacy increase in our ever-more-digital day-to-day lives, the attorney general may have greater political incentive to enforce CUBI’s requirements. In recent months, the Texas Attorney General initiated an investigation into Facebook’s compliance with CUBI, and it remains to be seen whether other companies are already under the microscope.
While it is beyond the scope of this article to address all the ways in which Texas companies might ensure their compliance with CUBI, they could begin by reviewing their internal policies and agreements with third parties. In doing so, a business should aim to understand how it (and any third parties it engages) collects, stores, retains and destroys biometric information. In particular, if the biometric information is stored off-site or in cloud-based storage, businesses should try to determine where the data is stored, because other, more restrictive state laws might apply in addition to CUBI. In sum, the heightened privacy concerns and increased collection of and reliance on biometric identifiers attending the COVID-19 pandemic should push Texas businesses to evaluate their policies critically to ensure their compliance with CUBI. Steps towards compliance now can mitigate the risk of penalties later.
Brent A. Turman is a senior associate and T.J. Hales is an associate with Dallas law firm Bell Nunnally.