Guide to Texas Biometric Privacy Law

Since 2009, Texas has had a biometric privacy act which prohibits the capture of an individual’s biometric identifiers for a commercial purpose unless the individual is first informed and has consented to such data collection. The law also limits the sale or disclosure of an individual’s biometric information except under limited circumstances.

In the law, “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or recording of hand or face geometry.

What Businesses Are Covered Under Texas’ Biometric Privacy Act?

Compliance with the law is mandatory for all organizations that seek to capture an individual’s biometric information for a commercial purpose.

Key requirements of the Texas Biometric Privacy Act

The law says a person or entity may not capture biometric identifiers of an individual for a commercial purpose unless the person or entity:

  • Informs the individual before capturing the biometric identifier; and
  • Receives the individual’s consent to capture the biometric identifier.

The law also prohibits a person who possesses a biometric identifier of an individual that is captured for a commercial purpose from selling or leasing or otherwise disclosing the biometric identifier to another person unless:

  • The subject consents to the disclosure for identification purposes in the event of the individual’s disappearance or death;
  • The disclosure is required or permitted by a federal or state statute;
  • The disclosure completes a financial transaction that the individual requested or authorized; or
  • The disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant.

Other key requirements of the law include:

  • Each entity shall store, transmit, and protect from disclosure the biometric identifier using reasonable care, and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects any other confidential information the person possesses.
  • Each entity shall destroy the biometric identifier within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires, except under specific circumstances.

The law does not apply to voiceprint data retained by a financial institution.

Who Enforces the Texas Biometric Privacy Act? What Are Penalties for Non-compliance?

A violation of this law is subject to a civil penalty of not more than $25,000 for each violation. The attorney general may bring an action to recover the civil penalty.

Texas Biometric Privacy Law: Frequently Asked Questions

A biometric identifier under this law includes unique biological characteristics that can be used to identify an individual. Specifically, the law mentions fingerprints, retina or iris scans, voiceprints, and records of hand or face geometry. Notably, the law does not include photographs, physical descriptions, or biological samples.

Businesses must adhere to several requirements under the Texas Biometric Privacy Law:

  • Notice and consent: Companies must inform individuals that their biometric data is being collected and obtain their informed consent before collecting it.
  • Data retention and destruction: Collected biometric data must be retained only for as long as necessary to fulfill the purpose for which it was collected. After that, it must be destroyed within a reasonable time and, in any case, no later than one year after that purpose has been satisfied.
  • Prohibition on selling biometric data: The law prohibits companies from selling or disclosing biometric data to third parties unless consent has been obtained or the disclosure is necessary to complete a financial transaction authorized by the individual.

Non-compliance with the Texas Biometric Privacy Law can result in significant penalties. While the law does not expressly allow for private lawsuits, the Texas Attorney General can file suit against violators. Penalties can include fines of up to $25,000 for each violation.

The Texas Biometric Privacy Law shares similarities with Illinois’ Biometric Information Privacy Act (BIPA), such as the requirements for notice, consent, and data security. However, there are key differences:

  • Private right of action: Unlike BIPA, Texas law does not provide a private right of action, meaning individuals cannot sue companies directly for violations.
  • Enforcement: Enforcement under Texas law is primarily the responsibility of the state Attorney General, whereas BIPA allows for individual lawsuits, which has led to a significant number of class action lawsuits in Illinois.

To comply with the law, businesses should:

  • Implement clear policies and procedures for collecting and handling biometric data
  • Obtain written consent from individuals before collecting their biometric data
  • Ensure biometric data is stored securely, using encryption and other reasonable security measures
  • Regularly review and update data retention and destruction schedules to ensure compliance, including destroying data within the legally required time frame after its purpose has been fulfilled
  • Train employees on the importance of biometric data protection and the company’s policies and procedures regarding it

Yes, there are exemptions. The law does not apply to:

  • Governmental entities: The law applies only to private entities.
  • Law enforcement agencies: Biometric data collected for law enforcement purposes is exempt.
  • Financial Institutions: Entities subject to the Gramm-Leach-Bliley Act (GLBA) are also exempt from this law.

Best practices for compliance include:

  • Conducting a risk assessment: Evaluate the potential risks associated with collecting and storing biometric data.
  • Establishing a compliance program: Develop a comprehensive compliance program that includes policies for data collection, retention, destruction, and security of biometric data.
  • Conducting regular audits: Conduct regular audits of biometric data practices to ensure ongoing compliance.
  • Updating privacy policies: Ensure that your privacy policies reflect the requirements of the Texas Biometric Privacy Law and are communicated clearly to consumers.
  • Regularly training employees: Regularly train employees on the legal obligations and company policies regarding biometric data.

Hyperproof makes meeting Texas Biometric Privacy Law requirements simple

  • Quickly implement Texas Biometric Privacy Law requirements by using Hyperproof to centrally manage risks, automate risk workflows and track risk posture over time
  • Consolidate and monitor biometric privacy risks in a centralized location for better visibility
  • Use Hyperproof’s out-of-the-box Texas Biometric Privacy Law framework template to jumpstart your compliance journey quickly and effectively
  • Map overlapping controls from other privacy frameworks to accelerate your compliance efforts
  • Efficiently collect and document evidence to demonstrate compliance with biometric privacy regulations
  • Track your compliance progress with Texas Biometric Privacy Law through an intuitive, user-friendly dashboard
