Legal Report: Meta to Settle Biometric Use Lawsuit for $1.4 Billion
Security Management’s Legal Report is a monthly column that highlights the instances where legal matters intersect with the security industry. Our team tracks court cases, new and developing legislation, and regulatory decisions or investigations that affect private organizations and security professionals worldwide.
To share a tip or notify Security Management about emerging legal issues, email Associate Editor Sara Mosqueda at [email protected].
Judicial Decisions
United States
Privacy. Meta, the parent company behind Facebook, Instagram, and WhatsApp, will pay Texas $1.4 billion to settle a lawsuit alleging that the company used Texans’ personal biometric data without users’ permission.
Texas Attorney General Ken Paxton filed the lawsuit in 2022, claiming that Meta used facial recognition software on photos uploaded to Facebook. The suit was the first argued under a 2009 Texas state law protecting citizens’ biometric data, including fingerprints and facial scans. The law requires businesses to inform individuals and get their consent before collecting such data, restricts the sale or disclosure of biometric identifiers except in specific cases, and directs organizations to destroy data within a year after it is no longer needed.
Facebook’s Tag Suggestions feature was introduced in 2011 to make it easier for users to tag people in their photos. Paxton’s office alleged that the feature was turned on by default, running facial recognition on users’ photos without permission. A similar lawsuit about the same feature was settled for $650 million in 2021 in Illinois. The feature was later discontinued in 2021.
Meta admits no wrongdoing as part of the Texas settlement, but it must notify the attorney general’s office of any anticipated or ongoing activities that could fall under Texas’s biometric data laws. Parties have 60 days to resolve any issues if Texas objects to planned activities. (State of Texas v. Meta Platforms, Inc., 71st Judicial District, Harrison County, Texas, Cause No. 22-0121, 2024)
Discrimination. Commercial electrical contractor Hatzel & Buehler, Inc., will pay $500,000 to settle an age discrimination lawsuit filed by the U.S. Equal Employment Opportunity Commission (EEOC).
A vice president at the company’s New Jersey branch allegedly engaged in age discrimination during recruiting and hiring practices by asking recruiters to look for younger candidates and refusing to hire older candidates. The executive also allegedly did not retain job applicant and hiring records, a violation of U.S. federal law, according to an EEOC press release.
Hatzel will pay the fine to eight older job candidates who were allegedly discriminated against. In addition, the company will ban the vice president from making final decisions on job candidates for specific positions. It will also adopt anti-discrimination policies, provide specialized training to company officials and employees about recruitment and hiring processes, and comply with mandatory reporting and EEOC monitoring requirements. (EEOC v. Hatzel & Buehler, Inc., U.S. District Court for the District of New Jersey, No. 23-cv-03093, 2024)
Legislation
U.S. States
Domestic violence. The U.S. state of Tennessee now requires certain violent domestic offenders to be monitored with a GPS device while out on bail. The Debbie and Marie Domestic Violence Protection Act (House Bill 2692) makes GPS monitoring a condition of bail for individuals facing certain domestic violence or aggravated stalking charges. Alleged offenders will wear and pay for the devices.
Victims will be notified of the offender’s location via a smartphone app if the individual moves within a certain distance of the victim or into an exclusionary zone—such as the victim’s home. The monitoring company must also notify law enforcement if defendants violate the terms of their bond conditions.
The law is named for Debbie Sisco and her daughter, Marie Varsos, who were shot and killed in 2021 by Varsos’s estranged husband. He was out of jail on bail after attempting to strangle his wife and threatening her with a gun. The judge in his case decided against requiring GPS monitoring as a condition of bail.
Drug testing. California now requires bars and clubs to offer patrons drug-testing devices that can help identify spiked drinks to prevent people from being dosed with date rape drugs or roofies. The tests can be used to detect flunitrazepam (also known as Rohypnol), ketamine, and gamma-hydroxybutyric acid (GHB).
Businesses with Type 48 licenses (which are granted by California’s Department of Alcoholic Beverage Control) must offer the tests for free or at a “reasonable” price and post a sign on their premises notifying patrons of test availability, according to a department press release.
The new law, Assembly Bill 1013, went into effect on 1 July and will affect roughly 2,400 businesses throughout the state.
License holders who fail to “comply with the new law could face administrative actions impacting their licenses,” the department said.
Regulations
United States
Cyber incident reporting. The U.S. Securities and Exchange Commission (SEC) fined the Intercontinental Exchange (ICE) $10 million for failing to promptly notify subsidiaries about a cybersecurity breach.
A third party informed ICE in April 2021 about a potential breach of its virtual private network (VPN). The company quickly determined that malicious code had been introduced and used to remotely access ICE’s corporate network. But ICE did not notify its subsidiaries, one of which is the New York Stock Exchange, about the breach—leaving these organizations unable to assess the issue and to inform the SEC about the breach, as required by regulation.
An SEC investigation into the issue found that “ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days in violation of ICE’s own internal cyber incident reporting procedures,” the commission said in a press release.