Regulome
Search regulations…⌘K
For providersFree Checker
The Ledger · Monday, 12 January 2026Issue № 22All issues →

AI Compliance Hub · newsroom

Enforcement Updates · 7 min read

Texas AG vs. Meta: The $1.4B Biometric Settlement Explained

In 2024, Meta settled Texas’s biometric privacy lawsuit for $1.4 billion — the largest privacy settlement in US history. Here’s what happened, what Texas proved, and what it means for companies using facial recognition.

Regulome · AI Compliance Hub editors7 min read
Texas AG vs. Meta: The $1.4B Biometric Settlement Explained
Enforcement UpdatesIllustration · AI Compliance Hub

In July 2024, Meta Platforms agreed to pay $1.4 billion to settle a lawsuit brought by Texas Attorney General Ken Paxton under the Texas Capture or Use of Biometric Identifier Act (CUBI). It is the largest privacy settlement in US history, eclipsing the $650 million BIPA settlement Meta paid to Illinois residents in 2021.

Background: What Meta Did

From 2011 to 2021, Meta’s Facebook platform included a feature called “Tag Suggestions” that automatically identified people in photos uploaded by users and suggested who to tag. The feature used facial recognition technology to build biometric profiles of Facebook users.

Texas AG Paxton alleged that Meta:

  1. Captured biometric identifiers (facial geometry measurements) of Texas residents without consent
  2. Used those identifiers for commercial purposes (advertising and user profile building)
  3. Failed to destroy the biometric data within Texas CUBI’s required timeframe

Meta had shut down Tag Suggestions globally in November 2021 and deleted the associated facial recognition data. The AG’s office filed suit in February 2022 anyway, arguing that the violations occurred during the decade the feature was active.

What Texas CUBI Requires

Texas CUBI (Texas Business and Commerce Code Chapter 503) predates Facebook’s tag suggestions feature. Its requirements:

Consent: A person may not capture a biometric identifier of an individual for a commercial purpose unless the person informs the individual before capturing the identifier and receives the individual’s consent.

No sale or profit: Cannot sell, lease, or otherwise profit from a biometric identifier.

No unauthorized disclosure: Cannot disclose a biometric identifier without consent.

Destruction: Must destroy a biometric identifier within one year after the initial purpose for collecting the identifier has been satisfied.

Enforcement: By the Texas AG only. Penalty of up to $25,000 per violation.

Why $1.4 Billion

The settlement amount reflects the scale of CUBI violations across Texas. With millions of Texas Facebook users whose biometric data was collected daily without consent, the per-violation penalty math produces astronomical numbers.

Texas’s leverage was significant: unlike Illinois BIPA, Texas CUBI enforcement is AG-only, meaning Paxton could control the scope and pace of litigation. The AG was willing to go to trial and had strong evidence.

Meta’s decision to settle rather than litigate reflects:

  • Evidentiary risk (Meta’s internal documents about Tag Suggestions)
  • Reputational risk from a trial
  • The manageable (relative to revenue) cost of settlement

The $1.4 billion will be paid over five years and is not tax-deductible.

What This Changes for Biometric AI Companies

AG-only enforcement doesn’t mean low risk. Pre-settlement, some companies viewed Texas CUBI as lower risk than Illinois BIPA because there’s no private right of action. The Meta settlement eliminates that assumption. A determined AG with evidence of widespread violations can extract nine-figure settlements without private plaintiffs.

The geographic limitation is illusory. Meta is headquartered in California. Texas successfully enforced CUBI against conduct affecting Texas residents regardless of where Meta is based. If your product touches Texas residents’ biometric data, CUBI applies.

Facial recognition for consumer applications is high risk. Tag Suggestions is the canonical example of a consumer-facing facial recognition feature that violated biometric privacy law. Any similar feature — auto-tagging, face-based recommendations, face unlock with biometric data retention — should be reviewed under CUBI and BIPA.

Deletion matters. CUBI requires destruction within one year of the purpose being satisfied. Meta had already deleted the facial recognition data before the lawsuit was filed — but violations had already occurred during the decade the feature was active.

Practical Implications

For companies using facial recognition: Conduct a CUBI (and BIPA) compliance audit. Map what biometric data you collect, when, from whom, and whether you have consent.

For companies building AI products: Facial recognition, emotion detection, and similar features that capture biometric geometry data need explicit informed consent in Texas (and Illinois, Washington, and potentially other states). Build consent flows before launch, not after.

For companies acquiring AI companies: Biometric data liability is a significant M&A risk. Due diligence should include a biometric data audit.

The Meta settlement has elevated biometric AI compliance from “low-priority state issue” to board-level risk.

Tagged regulations
Texas CUBIMetaBiometricsEnforcementSettlement
AI Compliance Hub editors
The editorial desk covers AI and cyber regulation across the US, EU, and UK. Tips? editors@aicompliancehub.com
Not legal advice

This article is for informational purposes only and does not constitute legal advice. Always consult qualified counsel before making compliance decisions. Try the free compliance checker →

← Back to The Ledger

Keep the Ledger coming.

A weekly edition of new regulations, enforcement actions, and compliance deadlines — delivered every Friday. Free forever. No tracking pixels.

Subscribe free →

Read by 4,000+ compliance teams · Cancel any time