Texas Attorney General Ken Paxton (R) filed a lawsuit against Facebook’s parent company, Meta Platforms Inc., on Monday, alleging that the social media giant collected Texans’ biometric data without their full consent for years, violating state privacy laws.
Paxton’s lawsuit, filed in Harrison County district court, claims that Facebook collected users’ biometric identifiers from photos and videos without properly informing them, shared the data with third parties, and failed to delete it in a timely manner from about 2010 to late 2021 — when Meta announced it would shut down Facebook’s facial recognition system and delete the data it had collected on more than 1 billion people.
Paxton called the allegations “yet another example of Big Tech’s deceptive business practices” in a statement. At a press conference on Monday, he stated that the state will seek “billions of dollars” in damages from the court.
The lawsuit comes at a sensitive time for Facebook, which rebranded itself as a forward-thinking creator of a digital world known as the “metaverse” after changing its corporate name to Meta in October amid deepening crises for its social media business.
Last year, the company paid $650 million to settle a class-action lawsuit in Illinois that made similar claims. Early Tuesday, Facebook could not be reached for comment. In a statement, a Meta spokesperson told The Washington Post that the Texas claims “are without merit, and we will vigorously defend ourselves.”
According to the complaint, Facebook knowingly violated the state’s Capture or Use of Biometric Identifier Act (CUBI) and Deceptive Trade Practices and Consumer Protection Act (DTPA) for over a decade with its now-defunct, facial-recognition-based photo and video tagging technology.
The DTPA prohibits businesses from engaging in “false, misleading, or deceptive acts or practices,” whereas CUBI makes it illegal for private entities to capture, disclose, or profit from a person’s biometric identifiers without their informed consent. It requires that biometric identifiers collected for commercial purposes be carefully stored, shared, and destroyed “within a reasonable time,” which the law defines as “not later than the first anniversary of the date the purpose for collecting the identifier expires.”
In Illinois, Facebook failed in its attempt to dismiss a class-action lawsuit filed in 2015 on behalf of millions of state users who claimed the social media platform collected and stored their biometric data without their consent, in violation of the Illinois Biometric Information Privacy Act.
Violations of the Texas biometrics law, which, like the Illinois law, requires informed consent of the people whose data is being collected, can result in civil penalties of up to $25,000 per violation. Meanwhile, DTPA violations prosecuted by the Texas Attorney General’s Office can result in fines of up to $10,000 per violation.
According to the Texas complaint, Facebook created the appearance of a safe environment in which users could upload private photos of themselves and their families. According to the complaint, Facebook allowed its users to tag their loved ones in photos, then captured data relating to people’s identifiable facial features without their permission or informed consent, profited from it by sharing it with third parties, and failed to properly dispose of it, “exposing Texans to ever-increasing risks to their well-being, safety, and security.”
Facebook has defended its photo-tagging feature, claiming that users have had the option to opt out of the feature since 2017. In a November statement announcing the technology’s demise, the company stated that more than a third of its daily active users opted in and that it had put other safeguards in place for users, such as “the option to be automatically notified when they appear in photos or videos posted by others.”
Nonetheless, the company stated at the time that it would continue to use facial recognition in certain situations, such as when users were locked out of their accounts. “There are many concerns about the role of facial recognition technology in society, and regulators are still working to develop a clear set of rules governing its use,” the report stated. “Amid this ongoing uncertainty, we believe that limiting the use of facial recognition to a narrow set of use cases is appropriate.”
