Case Law

Meta's $1.4B Biometric Settlement: Why Contractors Using Face and Fingerprint Tech Should Care

Texas extracted a record $1.4B from Meta over biometric data. The case is a warning for any contractor deploying facial recognition or fingerprint access controls.

Brandon Hancock, J.D., CMMC-RP · Published July 30, 2024 · Updated June 8, 2026 · 5 min read

On July 30, 2024, Meta agreed to pay Texas $1.4 billion to settle a lawsuit over its handling of facial-recognition data — reportedly the largest privacy settlement obtained by a single state. The case is about Facebook photos, but the lesson reaches any government contractor that uses biometrics — fingerprint readers, facial recognition, retina scans — for access control or identity verification.

What the Case Was About

Texas Attorney General Ken Paxton sued Meta in 2022, alleging the company captured and used the biometric data of users from uploaded photos and videos without authorization, in violation of Texas's biometric-privacy law. Meta settled for $1.4 billion without admitting wrongdoing. Texas has signaled it is pursuing a similar theory against other large tech companies.

The Law Behind It

Texas's Capture or Use of Biometric Identifier (CUBI) Act restricts how companies collect, use, and retain biometric identifiers. It is part of a small but consequential family of state biometric laws — the best-known being Illinois's Biometric Information Privacy Act (BIPA), which has driven years of litigation. The common features: you generally must obtain consent before collecting biometrics, limit retention, and protect the data — and the penalties scale fast with the number of individuals.

Why This Hits Contractors

Biometrics are everywhere in the contractor world: fingerprint or face-based building and system access, time-and-attendance systems, and identity-proofing tools. If you collect employees' or the public's biometric data, these laws may apply based on where those people are, independent of your federal contract. Specifically:

  • Consent and notice obligations attach before you collect — not after.
  • Retention limits mean you can't keep biometric templates forever "just in case."
  • Per-person penalties make even a modest biometric program a large potential exposure if you skip the paperwork.

This is the same residency-based logic behind state breach and privacy laws: federal contracting does not preempt a state's biometric statute.

What to Do Now

  • Inventory biometric collection. Door access, devices, time clocks, customer-facing kiosks — list every system that captures a fingerprint, face, or other biometric.
  • Get consent right. Where biometric laws apply, implement written notice and consent before collection.
  • Set retention and deletion rules, and actually purge on schedule.
  • Secure biometric data like the crown jewels — you can reissue a password, not a fingerprint.
  • Prefer non-biometric options where they meet the security need and reduce legal exposure.

Key Takeaways

  • Texas's $1.4B Meta settlement shows states will aggressively enforce biometric-privacy laws.
  • Contractors using facial recognition or fingerprint access can fall under laws like Texas CUBI and Illinois BIPA — based on where the individuals are.
  • The core duties are consent, retention limits, and strong security; penalties scale per person.

Understand the broader state-law picture on the State Requirements page. *(A settlement is not an admission of liability.)*


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
