Texas CUBI Biometric Law and AI Compliance 2026
Illinois BIPA gets most of the attention because it lets individuals sue. Texas's Capture or Use of Biometric Identifier Act doesn't — and the Texas Attorney General has still extracted more than $2.7 billion combined from Meta and Google. If your AI product touches face, voice, or hand geometry data from Texans, CUBI applies whether or not anyone can sue you directly.
What CUBI Actually Requires
CUBI (Tex. Bus. & Com. Code § 503.001) requires a business to obtain informed consent before capturing a biometric identifier for a commercial purpose. "Biometric identifier" covers retina or iris scans, fingerprints, voiceprints, and hand or face geometry — a definition broad enough to cover most AI features that process a camera feed or an audio stream to identify or authenticate a person.
Beyond consent, CUBI imposes ongoing obligations: biometric data must be protected using the same reasonable care a business uses for its own confidential information, it cannot be sold, leased, or disclosed for a commercial purpose except in narrow circumstances, and it must be destroyed within a reasonable time — no more than one year — after the purpose for collecting it ends.
CUBI vs. Illinois BIPA: The Difference That Matters Most
No Private Right of Action
BIGGEST DIFFERENCEBIPA lets any individual sue, with statutory damages of $1,000–$5,000 per violation — this is what produced billions in Illinois class-action settlements. CUBI has no equivalent. Only the Texas Attorney General can enforce it.
This doesn't reduce your exposure — it concentrates it. A single AG investigation can produce a settlement larger than most BIPA class actions, because the AG can seek statewide penalties across every affected Texan at once.
Reasonable Care Standard, Not Strict Retention Schedule
MORE FLEXIBLE, STILL ENFORCEABLEBIPA requires a written, publicly available retention schedule. CUBI's standard is less prescriptive — 'reasonable care' and destruction 'within a reasonable time, not to exceed one year' — but AG enforcement has shown this is still an affirmative obligation, not a suggestion.
Meta and Google were not sued for a specific data breach — they were pursued for the underlying practice of capturing and retaining biometric data without adequate consent and disclosure processes.
Applies Broadly to AI Voice and Face Features
SAME SCOPE AS BIPAAny AI feature that scans a face for authentication or tagging, or extracts a voiceprint for authentication or personalization, falls within CUBI's biometric identifier definition if it processes data from Texas residents — regardless of where the company is headquartered.
Photo auto-tagging, face-based login, voice-based call center authentication, and AI avatar or filter features that map facial geometry are all in scope.
The Meta and Google Settlements
In 2022, Texas Attorney General Ken Paxton sued Meta alleging the company's since-discontinued "Tag Suggestions" facial-recognition feature captured biometric identifiers from millions of Texans' photos without consent. The case settled in 2024 for $1.4 billion — at the time, the largest privacy-related settlement ever obtained by a single state.
Google faced a related but broader suit combining CUBI claims with other Texas privacy statutes, covering biometric data collection through products like Google Photos and location and search tracking practices. That case settled in 2025 for $1.375 billion. Neither case required a single private plaintiff — both were driven entirely by AG enforcement.
Compliance Checklist for AI Products Touching Texas Users
Monitor your product for biometric compliance exposure
RatedWithAI helps teams track compliance requirements across their web products, including AI features that touch biometric or sensitive personal data. Start with a free scan.
Scan Your Product for Free →Frequently Asked Questions
Does CUBI apply to my company if we're not based in Texas?
Yes. CUBI applies based on whose biometric identifier is captured, not where the company is headquartered. If your AI product processes face, voice, or hand geometry data from Texas residents, CUBI applies regardless of where your servers or offices are located.
Can a Texas resident sue my company directly under CUBI?
No — CUBI has no private right of action. Only the Texas Attorney General can bring an enforcement action. This means your risk is concentrated in the possibility of an AG investigation rather than distributed across many individual or class-action lawsuits.
How is CUBI different from Illinois BIPA?
The core requirements are similar — consent before capture, limits on disclosure, and a retention/destruction obligation. The critical difference is enforcement: BIPA allows private lawsuits with statutory damages per violation, while CUBI can only be enforced by the Texas AG, with penalties up to $25,000 per violation sought in an AG action.
What counts as a 'biometric identifier' under CUBI?
Retina or iris scans, fingerprints, voiceprints, and hand or face geometry. AI features like face-based login, camera-based photo tagging, and voice-authentication systems for call centers or apps typically fall within this definition.
How long can we retain biometric data under CUBI?
CUBI requires destruction within a reasonable time, and specifies that this must not exceed one year after the purpose for collecting the biometric identifier has been satisfied — whichever comes first based on your specific use case.