The State of Texas fined Meta, parent company to Facebook and Instagram, a sum of $1.4 billion for violating a 2001 act by the Texas Legislature that protects the confidentiality of biometric information by prohibiting its use for commercial intent. The terms of the Act are now part of the Texas Business and Commercial Code. Texas sued Google in 2022 under the same law, a case that is still pending.
A Facebook feature called ‘Tag suggestions,’ which used facial recognition technology that was defaulted to “on,” violated the Texas law, because parties disclosing personal biometric data must disclose to the individual that they may make use of their “retina or iris scan, voiceprint, fingerprint or record of hand or face geometry” for business purposes, and the individual must consent to it. The penalty is up to $25,000 for each violation.
However severe this may sound, Meta admitted no wrongdoing. Also, the final judgment permits situations in which the state may not object to, or may take no action against, conduct by Meta involving the biometrics law. The settlement also requires legal fees to be paid by the State – not by Meta.
Not Meta’s first rodeo and likely not the last
Meta had announced in 2021, seemingly with some regret, that it would discontinue its facial recognition system and delete the facial profiles that it had captured, contending that a third of its users had opted in to sharing this biometric content.
A biometrics settlement similar to the one in Texas was won by a class action filed in the state of Illinois in 2015, which alleged violations of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”). Facebook moved the case to California and attempted to dismiss the complaint multiple times; each attempt was denied.
In the 2020 Illinois decision, a “Settlement Fund” of $650,000,000.00 was established, a pro-rated amount of which was to be paid to anyone in the class who submitted a claim. Like Texas, Illinois requires companies to get permission before collecting biometric data and images; in Illinois, the penalty is up to $5,000 per violation.
Not just for biometrics
Separate from the Texas and Illinois cases, Meta has already paid billions against privacy judgments made in many other jurisdictions, mostly for the use or exposure of personal details that are not biometric in nature. And these cases are not limited to the United States.
The European Union has fined Meta multiple times for privacy violations, including a $1.3 billion fine in May 2023 for violating the EU’s General Data Protection Regulation. Prior to this, the Data Protection Commission of the Republic of Ireland had already fined Meta about $1 billion for multiple prior GDPR violations. One of those violations resulted from the posting by hackers of the full names and contact details for 533 million Facebook users.
Australia fined the company $13 million for privacy violations by a VPN app that Meta had acquired, which the company exploited to identify competitive threats, according to a report by CreativeFuture.
The most egregious violation was the Cambridge Analytica case, in which more than 50 million Facebook profiles were mined using a Facebook data API to model, target and influence potential voters in the 2016 election cycle. The case resulted in a class action lawsuit that was settled in 2022 for more than $700 million.
In 2019, the US Federal Trade Commission fined Facebook $5 billion for privacy violations, and mandated a company restructuring and the creation of an independent oversight committee. That same year, a cybersecurity firm had found about 540 million Facebook user records on a public server.
Meta violates EU’s Digital Markets Act too
In November 2023, Meta began to offer European users the option to pay €10/month for versions of Facebook and Instagram without using personal data for targeted advertising, which the European Commission has found to be in breach of the EU’s new Digital Markets Act because it provides no way for consumers to opt out of Meta’s use of personal data while not paying for the service.
Further reading
Agreed Final Judgment. The State of Texas Court v Meta Platforms Inc f/k/a Facebook Inc. July 30, 2024. Case no. 22-0121. 71st Judicial District, Harrison County, Texas.
Capture or Use of Biometric Identifiers. Chapter 503. Biometric Identifiers, Title 11 Personal Identity Information, Subtitle A Identifying information, Business and Commerce Code, State of Texas
Page 52, Analysis. An Act relating to collection and use of biometric identifiers; providing a civil penalty. July 19, 2001. HB 678, which added Chapter 35.50 to Section 1. Subchapter D, Business & Commerce Code. Legislature of the State of Texas.
In re Facebook Biometric Information Privacy Litigation, Case No. 3:15-cv-03747-JD Class Action Notice of amended stipulation of class action settlement. US District Court for the Northern District of California, San Francisco Division.
Meta accused of breaking EU digital law by charging for ad-free social networks. Article. by Dan Milmo. July 1, 2024. The Guardian
Meta versus us: Updating the Facebook timeline of scandal and strife. Article. January 23, 2024. CreativeFuture
Facebook data breaches: Full timeline through 2023. Article. October 5, 2023. by Michael X Heiligenstein. Firewall Times
Why it matters
Meta, Google and other online platforms have long histories of exposing private data, by intent, through APIs. Piracy Monitor strongly frowns on the use of any private information for commercial or political purposes without knowledge or permission by the individual whose personal information is being exposed.
Little is stopping exposed data from being used for nefarious purposes. Our sensitivity to this issue is multiplied by the ability to target individuals with disinformation and deepfakes in this political year of 2024.
Meanwhile, the Texas law has been in effect since 2001 and has teeth, and yet this Meta judgment was the first instance in which it was actually enforced. Even though $1.4 billion is a huge amount of money to most people, it’s not much more than a rounding error for Meta.
(Photo by Bernard Hermant, Unsplash.com)