Texas enacted a biometric information privacy law way back in 2001, which was amended in 2009. That was a long time ago in the context of the development of privacy laws, and even longer when it comes to biometric information privacy laws. In this rapidly changing area of law, Texas was surely ahead of its time.

The law, Sec. 503.001 of the Texas Business and Commerce Code, entitled “Capture or Use of Biometric Identifier,” is quite easy to understand and requires that anyone who “captures a biometric identifier of an individual for a commercial purpose” must first inform the individual that a biometric identifier is being captured and receive the consent of the individual before capturing it. It also prohibits the holder of the biometric identifier from selling or disclosing the biometric identifier to another individual without the individual’s consent (with certain logical exceptions).

It also requires that the biometric identifier be protected through security measures and destroyed no later than one year after the collection (with certain exceptions).

A violation of the law is subject to a $25,000 penalty for each violation if the attorney general (AG) brings an action to recover the penalty.

That’s exactly what Texas Attorney General Ken Paxton did this week—on Valentine’s Day. He sued Meta Platforms (fka Facebook) alleging that Facebook violated the statute millions of times when it collected the facial geometry of 20.5 million Texans without their consent through Facebook and Instagram.

The Complaint provides a thorough and thoughtful summary of how facial recognition technology works, so if you don’t understand how it works or how it affects you, check it out. It reads like a novel. The AG alleges that “Facebook’s campaign of unlawful biometric capture has led to Facebook’s creating the largest dataset in the world. The dataset is powered by DeepFace, Facebook’s deep-learning facial recognition system. DeepFace closely approaches human-level accuracy in identifying faces.”

The Complaint further alleges that Facebook collected the facial geometries of users and non-users through the tagging of photographs without consent, disclosed the biometric identifiers to third parties, and that “Facebook exploits users and non-users to improve the accuracy of its own facial recognition services.” It also alleges that Facebook failed to destroy the biometric information within the statutorily required period of time. Facebook denies the allegations and has stated that it will vigorously defend the suit.

The AG is seeking statutory damages and injunctive relief, including prohibiting Facebook from “capturing, maintaining, or using in any way the biometric identifiers captured in Texas without the informed consent of the relevant individual; performing facial recognition in Texas without the informed consent of all individuals subject to Facebook’s facial recognition technology; and misrepresenting, directly or by implication, that Facebook does not collect biometric identifiers.”

He also is seeking that the court order Facebook to “discontinue its commercial use of any information obtained through its unlawful capture of biometric identifiers in Texas; destroy the information it has collected from the unlawful capture of biometric identifiers in Texas; destroy any neural network or algorithm trained or improved using biometric identifiers unlawfully captured in Texas; and make best efforts to retrieve any information from third parties that may possess such information as a result of Facebook’s unlawful disclosure of that information.” Wow.

That, and of course, the civil monetary penalties—$25,000 times 20.5 million. The math is too high for me.

To take a dive into the consequences of this suit, check out this article by Jake Holland at Bloomberg, with whom I had the pleasure to chat about the case.

This is going to be a very interesting saga to follow.