Guide to

Texas Biometric Privacy Law

Since 2009, Texas has had a biometric privacy act which prohibits the capture of an individual’s biometric identifiers for a commercial purpose unless the individual is first informed and has consented to such data collection. The law also limits the sale or disclosure of an individual’s biometric information except under limited circumstances.

In the law, “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or recording of hand or face geometry.

What Businesses Are Covered Under Texas’ Biometric Privacy Act?

Compliance with the law is mandatory for all organizations that seek to capture an individual’s biometric information for a commercial purpose.

Key requirements of the Texas Biometric Privacy Act

The law says a person or entity may not capture biometric identifiers of an individual for a commercial purpose unless the person or entity:

Informs the individual before capturing the biometric identifier;
Receives the individual’s consent to capture the biometric identifier

The law also prohibits a person who possesses a biometric identifier of an individual that is captured for a commercial purpose from selling or leasing or otherwise disclosing the biometric identifier to another person unless:

The subject consents to the disclosure for identification purposes in the event of the individual’s disappearance or death;
The disclosure is required or permitted by a federal or state statute
The disclosure completes a financial transaction that the individual requested or authorized
The disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant.

Other key requirements of the law include:

Each entity shall store, transmit, and protect from disclosure the biometric identifier using reasonable care and in a manner that’s as or more protective than the manner in which the person stores, transmits, and protects any other confidential information the person possesses.
Each entity shall destroy the biometric identifier within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires, except under specific circumstances

The law does not apply to voiceprint data retained by a financial institution.

Who Enforces the Texas Biometric Privacy Act? What Are Penalties for Non-compliance?

A violation of this law is subject to a civil penalty of not more than $25,000 for each violation. The attorney general may bring an action to recover the civil penalty.