Meta has reached a $1.4 billion settlement to resolve claims brought by the Texas Attorney General. The Attorney General’s office touted the agreement as the largest ever obtained from an action brought by a single state, and the largest privacy settlement ever obtained by an Attorney General. 

Background

The lawsuit, filed in 2022, focused on Meta’s use of facial recognition software in its photo and video tagging features. The suit claimed that Meta breached the state’s Capture or Use of Biometric Identifier Act (the “Biometric Identifier Act”) and the Deceptive Trade Practices and Consumer Protection Act. The Biometric Identifier Act states that a person “may not capture a biometric identifier of an individual for a commercial purpose unless the person first (i) informs the individual before capturing the biometric identifier and (ii) receives the individual’s consent to capture the biometric identifier.”

Meta launched its “tag suggestions” feature in 2011, promoting it as a way to improve user experience by making it easier for users to tag photographs with the names of people in the photo. This tool was turned on as a default and users were not informed of the mechanics or internal processing of the feature. The suit alleges Meta then captured facial geometry from photographs and “continuously train[ed] its AI” through suggested tags. Although the suggested tag feature was turned off in 2021, the Attorney General states Meta properties such as Instagram continue to subject photographs to facial recognition technology, thereby “exploiting Texan’s most sensitive data.” 

Takeaways

This settlement is part of a larger wave of challenges facing technology companies and their use of sensitive data. In 2022, Texas sued Google for alleged violations of the same Biometric Identifier Act involving the Google Nest. Google also agreed to pay $391 million to settle a separate lawsuit in 2022 brought by a 40-state coalition of attorneys general over allegations of improper tracking of location information. These lawsuits highlight the focus regulators are applying to sensitive information, particularly biometric information. Companies should review their practices around such processing and implement opt-in consent frameworks and clear disclosures.