Texas Capture or Use of Biometric Identifier Act (CUBI)
Citation: Texas Business & Commerce Code § 503.001
Effective: Originally enacted 2009; current version in effect
Jurisdiction: Texas — applies when hiring for Texas positions or interviewing Texas-located candidates
Enforced by: Texas Attorney General (AG-only; no private right of action)
Official Source: Texas Statutes – Business & Commerce Code § 503.001
Overview
The Texas Capture or Use of Biometric Identifier Act (CUBI) is the primary Texas law governing the collection and use of biometric data — including data collected through AI hiring tools. Unlike more comprehensive AI hiring laws in Illinois (AIVIA/BIPA), New York City (LL 144), or Colorado (SB24-205), CUBI focuses specifically on biometric identifiers and is currently in effect.
Who must comply: Any employer collecting biometric data from Texas candidates or employees in hiring — regardless of where the employer is headquartered.
Bottom line: Before using any AI tool that captures facial geometry, voiceprints, or fingerprints from Texas job applicants, employers must provide written notice and obtain written consent.
What Are "Biometric Identifiers" Under CUBI?
CUBI defines a biometric identifier as:
- Retina or iris scans
- Fingerprints
- Voiceprints
- Records of hand or face geometry
AI hiring tools that likely capture biometric identifiers:
| Tool Type | Biometric Data Collected |
|---|---|
| AI video interview platforms (HireVue, Spark Hire, etc.) | Facial geometry, voiceprints |
| Facial recognition identity verification during interviews | Face geometry scans |
| Emotion AI / affective computing tools | Facial geometry (micro-expressions) |
| Voice analysis AI | Voiceprints |
| Fingerprint scanning (background checks or onboarding) | Fingerprints |
Key Requirements Under CUBI
1. Informed Written Notice
Before capturing a biometric identifier, employers must inform the person in writing that biometric data is being captured or will be used. The notice must:
- Be provided before any biometric data is collected
- State clearly that biometric data is being captured
- Identify the purpose for which biometric data will be used
- Be in a format the individual can retain (written or electronic)
2. Written Consent
After providing notice, employers must obtain written consent before collection occurs:
- Consent must be in writing (electronic consent satisfies this)
- Must be given before collection begins
- The individual must understand what they are consenting to
Sample consent language:
"During this video interview, AI technology may capture and analyze your facial features and/or voice patterns to assess your qualifications for the role. By providing your consent below, you authorize [Employer] to capture and process this biometric data for hiring evaluation purposes. Your biometric data will not be sold or shared with third parties without your consent and will be destroyed within [X days/upon hiring decision]."
3. Prohibition on Sale or Profit
CUBI prohibits selling, leasing, or otherwise profiting from biometric identifier data. This prohibition extends to third-party vendors — employers must ensure AI vendors are not monetizing biometric data collected during hiring.
4. No Third-Party Disclosure Without Consent
Biometric identifiers cannot be disclosed to third parties without prior consent, unless:
- Disclosure is required by law
- Disclosure is necessary for a valid legal purpose
- The individual consented to the disclosure
5. Reasonable Data Security
Employers must use reasonable care to protect biometric identifiers from unauthorized disclosure. Security measures should be commensurate with the sensitivity of biometric data.
6. Data Destruction
Biometric identifiers must be destroyed when the purpose for which they were collected is fulfilled:
- Rejected candidates: Delete shortly after hiring decision
- New employees: Delete upon termination
- No later than 1 year after the individual's last interaction with the employer
Enforcement and Penalties
Unlike Illinois BIPA, CUBI is enforced exclusively by the Texas Attorney General — there is no private right of action.
| Enforcement Type | Details |
|---|---|
| Enforcement authority | Texas Attorney General |
| Private right of action | No — AG-only enforcement |
| Injunctive relief | AG can seek court orders to stop violations |
| Negligent violations | Up to $10,000 per violation |
| Intentional violations | Up to $25,000 per violation |
Key distinction from Illinois BIPA: CUBI's AG-only enforcement model means individuals cannot bring their own class action lawsuits (unlike BIPA, which has generated massive class action exposure). However, AG enforcement can still result in significant penalties.
CUBI vs. Illinois BIPA: Key Differences
| Feature | Texas CUBI | Illinois BIPA |
|---|---|---|
| Private right of action | ❌ No | ✓ Yes (major class action risk) |
| AG enforcement | ✓ Yes | Limited |
| Max penalty (intentional) | $25,000/violation | $5,000/violation + no aggregate cap |
| Written policy required | Not explicit | ✓ Required |
| Retention schedule | Destroy when purpose fulfilled; max 1 year | 3-year maximum |
| Effective date | 2009 | 2008 |
Practical Compliance for AI Hiring Tools
Step 1: Identify Biometric-Capturing AI Tools
Ask your AI video interview vendors in writing:
- Does your platform capture, process, or store facial geometry, voiceprints, or other biometric identifiers as defined by Texas CUBI?
- Can facial/voice analysis be disabled entirely?
- What is your data retention and destruction timeline?
Step 2: Draft CUBI-Compliant Notice and Consent
Create a notice and consent document including:
- Clear statement that biometric data (specify type: facial geometry, voiceprint, etc.) will be captured
- Purpose of collection (e.g., "to evaluate candidate qualifications through AI video analysis")
- How data will be stored and protected
- When data will be destroyed
- Contact information for questions
Step 3: Integrate into Pre-Interview Workflow
- Build consent collection into your ATS before video interviews are scheduled
- Store consent records with the candidate's application file
- Ensure consent is obtained before any AI processing begins
Step 4: Vendor Due Diligence
Ask AI hiring tool vendors:
- Do you capture biometric identifiers under Texas CUBI's definition?
- Do you have a written CUBI compliance policy?
- Will you provide contractual indemnification for CUBI violations?
- Do you sell or share biometric data with third parties?
- What is your data destruction timeline for hiring-related biometric data?
Step 5: Establish Data Destruction Protocols
- Define destruction timelines for rejected candidates (e.g., 90 days post-decision)
- Ensure vendors delete biometric data on your behalf when requested
- Document destruction in compliance records
CUBI in a Multi-State Hiring Context
Texas employers hiring candidates in other states must also comply with those states' biometric laws:
| State | Law | Key Difference |
|---|---|---|
| Illinois | BIPA (740 ILCS 14/) | Private right of action; $5K/violation; major class action risk |
| Washington | My Health My Data Act | Broader biometric + health data protections |
| California | CCPA/CPRA biometric provisions | Biometric data as "sensitive personal information" |
| New York City | Local Law 144 | Annual independent bias audit for AI hiring tools |
For any Illinois candidates, BIPA consent is required separately and carries far greater class action exposure than CUBI.
Common CUBI Compliance Mistakes
| Mistake | Risk |
|---|---|
| Assuming AI video platforms don't capture biometrics | Vendor platforms frequently capture facial geometry by default |
| Using general "terms of service" as consent | CUBI requires specific informed written consent |
| No data destruction timeline documented | Violates CUBI's destruction requirement |
| Vendor contract doesn't address biometrics | Employer remains liable if vendor captures biometric data improperly |
Compliance Checklist
- Identify all AI hiring tools that capture biometric identifiers under CUBI
- Draft CUBI-compliant written notice and consent for each biometric tool
- Integrate consent collection into ATS before interviews begin
- Review all AI vendor contracts for biometric data provisions
- Ensure vendor contracts prohibit sale or profiting from biometric data
- Establish data destruction timelines and workflows
- Train HR staff on CUBI obligations and consent procedures
- Review multi-state obligations for candidates in Illinois, Washington, California
How EmployArmor Helps
EmployArmor supports Texas CUBI compliance with:
- Vendor biometric assessment: Identify which AI hiring tools capture biometric data under CUBI
- Consent form templates: Texas CUBI-compliant notice and consent forms
- Data destruction workflows: Automated reminders and tracking for biometric data deletion
- Multi-state compliance: Combined CUBI + BIPA consent workflows for multi-state hiring
- Regulatory monitoring: Alerts when Texas AI legislation (including TRAIGA) advances
Get your Texas Biometric Compliance Assessment →
Texas Employer Resources
- Texas Employment Law Compliance Hub
- Texas AI Hiring Compliance Guide
- Texas HR Compliance Software
- Texas TRAIGA Guide (proposed future law)
Frequently Asked Questions
Does CUBI apply to out-of-state employers hiring in Texas?
Answer: Yes — if you are hiring for Texas-based positions or interviewing candidates located in Texas, CUBI applies regardless of where your company is headquartered.
Can individuals sue employers under CUBI like they can under Illinois BIPA?
Answer: No. CUBI does not include a private right of action. Enforcement is handled exclusively by the Texas Attorney General. This significantly reduces class action exposure compared to Illinois BIPA — but AG enforcement can still result in $10,000–$25,000 per violation.
What if our AI vendor captures biometric data without our knowledge?
Answer: Employers are still liable under CUBI if their vendor captures biometric data from Texas candidates without proper consent. Conduct thorough vendor due diligence and include CUBI compliance representations in vendor contracts.
Is verbal consent sufficient under CUBI?
Answer: No. CUBI requires written consent. Electronic consent (e.g., a checkbox on a digital form) satisfies the writing requirement.
What is the difference between Texas CUBI and TRAIGA?
Answer: CUBI is currently in effect and covers biometric identifiers specifically — facial geometry, voiceprints, fingerprints. TRAIGA is proposed legislation that would create a broader AI governance framework covering all types of high-risk AI in employment, not just biometric data.
When must biometric data be destroyed under CUBI?
Answer: When the purpose for collection is fulfilled (e.g., when a hiring decision is made for rejected candidates), or no later than 1 year after the individual's last interaction with the employer.
Last updated: March 2026. This content is for informational purposes only and does not constitute legal advice. Consult qualified employment counsel for guidance specific to your organization.
Related Laws and Resources: