Texas sues Facebook parent Meta over use of facial recognition, alleging privacy violations

In a statement, Paxton called the allegations “yet another example of Big Tech’s deceitful business practices.” At a news conference on Monday, he said the state will ask the court for damages in the “billions of dollars.”

The lawsuit comes at a sensitive time for Facebook, which changed its corporate name to Meta in October amid deepening crises for its social media business, rebranding itself as a forward-looking creator of a digital world known as the “metaverse.”

The company settled a class-action lawsuit that made similar claims in Illinois last year for $650 million. Facebook could not immediately be reached for comment early Tuesday. A spokesperson for Meta told The Washington Post in a statement that the Texas claims “are without merit and we will defend ourselves vigorously.”

The complaint claims that Facebook — which it estimated had some 20.5 million users in Texas in 2021 — knowingly violated the state’s Capture or Use of Biometric Identifier Act (CUBI) and Deceptive Trade Practices and Consumer Protection Act (DTPA) for over a decade with its now-defunct, facial-recognition-based photo and video tagging technology.

The DTPA bans “false, misleading, or deceptive acts or practices” in business, while CUBI makes it illegal for private entities to capture, disclose or profit from a person’s biometric identifiers without their informed consent. It mandates that biometric identifiers collected for commercial purposes be stored and shared carefully and destroyed “within a reasonable time,” defined in the law as “not later than the first anniversary of the date the purpose for collecting the identifier expires.”

In Illinois, Facebook unsuccessfully tried to quash a class-action lawsuit filed in 2015 on behalf of millions of users in the state who said the social media platform collected and stored their biometric data without their consent, in violation of the Illinois Biometric Information Privacy Act.

Under the Texas biometrics law, which like the Illinois law requires the informed consent of the people whose data is being collected, violations can incur civil penalties of up to $25,000 each. Meanwhile, violations of the DTPA enforced by the Texas Attorney General’s Office can result in fines up to $10,000 each.

The Texas complaint says Facebook created the illusion of a safe environment in which people could upload private photos of themselves and their families. Facebook, it claims, offered its users the option to tag their loved ones in the photos and then captured data relating to people’s identifiable facial features without their permission or informed consent, profited off it by sharing it with third parties and failed to properly dispose of it, “exposing Texans to ever-increasing risks to their well-being, safety and security.”

Facebook has defended its photo-tagging feature, including by arguing that users have had the option of opting out since 2017. In its statement from November announcing the end of the technology, the company said that over a third of its daily active users opted in and that it had put other safeguards in place for users, such as “the option to be automatically notified when they appear in photos or videos posted by others.”

Still, the company said then, it would continue to use facial recognition in some instances, such as when users have been locked out of their accounts. “There are many concerns about the place of facial recognition technology in society, and regulators are still in the process of providing a clear set of rules governing its use,” it said. “Amid this ongoing uncertainty, we believe that limiting the use of facial recognition to a narrow set of use cases is appropriate.”

The Texas Attorney General’s Office suggests in the complaint that Facebook may continue to engage in improper use of biometric data in the future, even as the company said in November it would shut it down in photos and videos and delete its users’ individual “facial recognition templates.”

It also points out that “Facebook has made no such commitment with respect to any of the other platforms or operations under its corporate umbrella, such as Instagram, WhatsApp, Facebook Reality Labs, or its upcoming virtual-reality metaverse.”

Paxton, a tea party favorite who is running for his party’s nomination for re-election, has launched legal actions against several tech companies, including Apple and Google, alleging privacy or antitrust violations.

He faces several challengers in the Republican primary on March 1 who hope to capitalize on the two-term attorney general’s ongoing legal troubles, including allegations of abuse of power made in 2020 by former aides, which Paxton’s office in an internal report called “either factually incorrect or legally deficient” as it concluded that Paxton “committed no crime.”

Last week, Paxton’s office launched an investigation into GoFundMe after the donation platform refused to disburse millions of dollars collected in a fundraiser to the organizers of the self-styled “Freedom Convoy” of vaccine-mandate protesters in Canada, with the company citing “evidence from law enforcement that the previously peaceful demonstration has become an occupation.”

— Elizabeth Dwoskin contributed to this report.

Read more: