Texas Attorney General Ken Paxton has successfully negotiated a $1.4 billion settlement with Meta Platforms, Inc. (formerly known as Facebook) over allegations of unauthorized biometric data collection. This settlement, the largest ever obtained from a single state’s action, underscores the importance of protecting privacy rights in the digital age and sets a new precedent for holding technology giants accountable.
Background and Context
The roots of this historic settlement trace back to 2011 when Meta introduced a feature known as Tag Suggestions. This feature, designed to improve user experience by making it easier to tag individuals in photographs, operated by using facial recognition technology to automatically identify people in photos uploaded to Facebook. While the feature was promoted as a convenience, it also involved the surreptitious collection and use of biometric data without users’ informed consent.
Biometric data, which includes unique identifiers such as facial geometry, is considered highly sensitive due to its permanent and unchangeable nature. Recognizing the potential for abuse and the need for stringent protections, Texas enacted the “Capture or Use of Biometric Identifier” Act (CUBI) to regulate the collection and use of such data. Under CUBI, businesses are required to inform individuals and obtain their explicit consent before capturing their biometric identifiers.
However, Meta’s implementation of facial recognition technology violated these legal requirements. The company turned on the Tag Suggestions feature by default, capturing biometric data from millions of Texans without proper disclosure or consent. This practice persisted for over a decade, impacting virtually every user who uploaded photos to the platform.
The Legal Battle
In February 2022, Attorney General Ken Paxton filed a lawsuit against Meta, accusing the company of violating Texas’s biometric privacy and consumer protection laws. The lawsuit argued that Meta’s actions not only breached CUBI but also constituted deceptive trade practices under Texas law. The primary allegations included:
- Unauthorized Biometric Data Collection: Meta collected biometric identifiers from Texans without their informed consent, a clear violation of CUBI.
- Deceptive Practices: By failing to disclose the true nature and extent of its data collection practices, Meta misled users about the privacy implications of using its platform.
- Privacy Violations: The unauthorized use of facial recognition technology posed significant privacy risks, given the sensitive nature of biometric data.
Attorney General Paxton’s office emphasized the significance of the case, noting that it was the first lawsuit brought and the first settlement obtained under Texas’s CUBI Act. The legal action aimed not only to secure justice for affected Texans but also to send a strong message to other companies about the importance of complying with privacy laws.
Settlement Details
After two years of vigorous litigation, the parties reached a settlement agreement in 2024. Meta agreed to pay the state of Texas $1.4 billion over five years, marking the largest privacy settlement ever obtained by an Attorney General. This settlement dwarfs the previous record, a $390 million settlement a group of 40 states obtained from Google in late 2022.
The settlement includes several key provisions designed to ensure future compliance and protect Texans’ privacy rights:
- Consent Requirement: Meta must obtain explicit, informed consent from users before collecting any biometric data. This includes clear and conspicuous disclosures about the types of data being collected and the purposes for which it will be used.
- Data Deletion: Meta is required to delete all previously collected biometric data that was obtained without proper consent. This includes data collected through features like facial recognition.
- Transparency Measures: Meta must implement enhanced transparency measures, providing users with easy access to information about the data being collected and how it is being used. This may involve updates to privacy policies and user interfaces.
- Compliance Audits: Meta will be subject to regular compliance audits to ensure adherence to the new data collection practices. These audits will be conducted by an independent third party, with the results reported to the Texas Attorney General’s office.
- User Control: Meta must provide users with greater control over their biometric data, including options to opt-out of data collection and to request the deletion of their data at any time.
- Training and Policies: Meta is required to implement comprehensive training programs for its employees on data privacy and biometric data handling. Additionally, the company must establish and enforce internal policies to ensure compliance with the new requirements.
Statements and Reactions
Attorney General Ken Paxton hailed the settlement as a significant victory for Texans and a warning to other companies. “After vigorously pursuing justice for our citizens whose privacy rights were violated by Meta’s use of facial recognition software, I’m proud to announce that we have reached the largest settlement ever obtained from an action brought by a single State,” Paxton stated. “This historic settlement demonstrates our commitment to standing up to the world’s biggest technology companies and holding them accountable for breaking the law and violating Texans’ privacy rights. Any abuse of Texans’ sensitive data will be met with the full force of the law.”
The legal teams involved in the case also played a crucial role in securing the settlement. Keller Postman and McKool Smith served as co-counsel to the Texas Attorney General’s office, with Zina Bash, Sam Baxter, and Jennifer Truelove leading the litigation efforts. Their aggressive litigation posture and expertise in privacy law were instrumental in achieving this landmark outcome.
Implications and Future Impact
The $1.4 billion settlement has far-reaching implications for both Meta and the broader technology industry. For Meta, the financial penalty and mandated changes to its data collection practices represent a significant shift in how the company handles biometric data. The settlement serves as a wake-up call, highlighting the need for transparency and user consent in data-driven business models.
For the technology industry, the case sets a new standard for privacy protection and regulatory compliance. It demonstrates that state governments can and will take decisive action against companies that violate privacy laws, regardless of their size or influence. The settlement may encourage other states to enact or strengthen their biometric privacy laws, leading to increased scrutiny of data collection practices nationwide.
Privacy advocates have lauded the settlement as a major step forward in safeguarding consumer rights. The case underscores the importance of robust legal frameworks to protect individuals from unauthorized data collection and misuse. As digital technologies continue to evolve, ensuring that privacy laws keep pace with technological advancements remains a critical priority.
Conclusion
The $1.4 billion settlement between Texas and Meta marks a historic moment in the fight for digital privacy. It reflects the determination of Attorney General Ken Paxton and his team to hold technology companies accountable for violating privacy rights and sets a powerful precedent for future enforcement efforts. As Texans benefit from the strengthened protections and increased transparency resulting from this settlement, the case stands as a testament to the importance of vigilant oversight and robust legal safeguards in the digital age.