RatedWithAI

RatedWithAI

Accessibility scanner

AI RegulationJuly 2, 2026

Texas CUBI Biometric Law and AI Compliance 2026

Illinois BIPA gets most of the attention because it lets individuals sue. Texas's Capture or Use of Biometric Identifier Act doesn't — and the Texas Attorney General has still extracted more than $2.7 billion combined from Meta and Google. If your AI product touches face, voice, or hand geometry data from Texans, CUBI applies whether or not anyone can sue you directly.

$1.4B
Meta's 2024 settlement with Texas over facial-recognition photo tagging
$1.375B
Google's 2025 settlement with Texas over biometric and privacy claims
$25,000
Maximum civil penalty per violation the Texas AG can seek under CUBI

What CUBI Actually Requires

CUBI (Tex. Bus. & Com. Code § 503.001) requires a business to obtain informed consent before capturing a biometric identifier for a commercial purpose. "Biometric identifier" covers retina or iris scans, fingerprints, voiceprints, and hand or face geometry — a definition broad enough to cover most AI features that process a camera feed or an audio stream to identify or authenticate a person.

Beyond consent, CUBI imposes ongoing obligations: biometric data must be protected using the same reasonable care a business uses for its own confidential information, it cannot be sold, leased, or disclosed for a commercial purpose except in narrow circumstances, and it must be destroyed within a reasonable time — no more than one year — after the purpose for collecting it ends.

CUBI vs. Illinois BIPA: The Difference That Matters Most

01

No Private Right of Action

BIGGEST DIFFERENCE

BIPA lets any individual sue, with statutory damages of $1,000–$5,000 per violation — this is what produced billions in Illinois class-action settlements. CUBI has no equivalent. Only the Texas Attorney General can enforce it.

This doesn't reduce your exposure — it concentrates it. A single AG investigation can produce a settlement larger than most BIPA class actions, because the AG can seek statewide penalties across every affected Texan at once.

02

Reasonable Care Standard, Not Strict Retention Schedule

MORE FLEXIBLE, STILL ENFORCEABLE

BIPA requires a written, publicly available retention schedule. CUBI's standard is less prescriptive — 'reasonable care' and destruction 'within a reasonable time, not to exceed one year' — but AG enforcement has shown this is still an affirmative obligation, not a suggestion.

Meta and Google were not sued for a specific data breach — they were pursued for the underlying practice of capturing and retaining biometric data without adequate consent and disclosure processes.

03

Applies Broadly to AI Voice and Face Features

SAME SCOPE AS BIPA

Any AI feature that scans a face for authentication or tagging, or extracts a voiceprint for authentication or personalization, falls within CUBI's biometric identifier definition if it processes data from Texas residents — regardless of where the company is headquartered.

Photo auto-tagging, face-based login, voice-based call center authentication, and AI avatar or filter features that map facial geometry are all in scope.

The Meta and Google Settlements

In 2022, Texas Attorney General Ken Paxton sued Meta alleging the company's since-discontinued "Tag Suggestions" facial-recognition feature captured biometric identifiers from millions of Texans' photos without consent. The case settled in 2024 for $1.4 billion — at the time, the largest privacy-related settlement ever obtained by a single state.

Google faced a related but broader suit combining CUBI claims with other Texas privacy statutes, covering biometric data collection through products like Google Photos and location and search tracking practices. That case settled in 2025 for $1.375 billion. Neither case required a single private plaintiff — both were driven entirely by AG enforcement.

Compliance Checklist for AI Products Touching Texas Users

Inventory every feature that processes camera or microphone input to identify, verify, or tag a personStep 1
Obtain clear, informed consent before capturing any biometric identifier — don't bury it in a general privacy policyStep 2
Set and enforce a retention limit of no more than one year after the collection purpose endsStep 3
Prohibit sale, lease, or commercial disclosure of biometric data absent a narrow statutory exceptionStep 4
Apply the same security controls to biometric data that you apply to your most sensitive confidential business dataStep 5
Document your consent flow and retention practice — AG enforcement actions focus on process, not just outcomesOngoing

Monitor your product for biometric compliance exposure

RatedWithAI helps teams track compliance requirements across their web products, including AI features that touch biometric or sensitive personal data. Start with a free scan.

Scan Your Product for Free →

Frequently Asked Questions

Does CUBI apply to my company if we're not based in Texas?

Yes. CUBI applies based on whose biometric identifier is captured, not where the company is headquartered. If your AI product processes face, voice, or hand geometry data from Texas residents, CUBI applies regardless of where your servers or offices are located.

Can a Texas resident sue my company directly under CUBI?

No — CUBI has no private right of action. Only the Texas Attorney General can bring an enforcement action. This means your risk is concentrated in the possibility of an AG investigation rather than distributed across many individual or class-action lawsuits.

How is CUBI different from Illinois BIPA?

The core requirements are similar — consent before capture, limits on disclosure, and a retention/destruction obligation. The critical difference is enforcement: BIPA allows private lawsuits with statutory damages per violation, while CUBI can only be enforced by the Texas AG, with penalties up to $25,000 per violation sought in an AG action.

What counts as a 'biometric identifier' under CUBI?

Retina or iris scans, fingerprints, voiceprints, and hand or face geometry. AI features like face-based login, camera-based photo tagging, and voice-authentication systems for call centers or apps typically fall within this definition.

How long can we retain biometric data under CUBI?

CUBI requires destruction within a reasonable time, and specifies that this must not exceed one year after the purpose for collecting the biometric identifier has been satisfied — whichever comes first based on your specific use case.

Related Guides