
Capture or Use of Biometric Identifier Act


Overview

Texas Business & Commerce Code § 503.001 requires employers to obtain informed consent before capturing, collecting, or otherwise obtaining biometric identifiers including fingerprints, voiceprints, and retina or iris scans. Employers may not sell, lease, or disclose biometric data and must destroy it within a reasonable time. Increasing litigation activity underscores the importance of CUBI compliance for employers using biometric timekeeping or access systems.

This regulatory update carries medium impact for employers in Texas. Below, we cover the key requirements, compliance timeline, practical implications, and recommended next steps.

Key Requirements

Requirements at a Glance

Key provisions of this regulatory update:

  1. Texas Business & Commerce Code § 503.001 requires employers to obtain informed consent before capturing, collecting, or otherwise obtaining biometric identifiers including fingerprints, voiceprints, and retina or iris scans
  2. Employers may not sell, lease, or disclose biometric data and must destroy it within a reasonable time
  3. Increasing litigation activity underscores the importance of CUBI compliance for employers using biometric timekeeping or access systems

Who Is Affected and Where This Applies

This applies to employers operating in Texas.

Industries affected: healthcare, construction, manufacturing, transportation. This update is relevant across multiple sectors. Employers should assess applicability based on their specific workforce, operations, and regulatory exposure.

Compliance Timeline

  1. Published/enacted: December 31, 2024 (Active)
  2. Legislative status: Effective (Active)
  3. Last verified: 2026-03-11 (Active)

Background and Context

The Privacy Regulatory Landscape

Employee health data privacy has become an increasingly complex and high-stakes compliance area. At the federal level, HIPAA provides protections for protected health information (PHI) in healthcare settings, but employer-held records from occupational health screenings, drug tests, and fitness-for-duty exams often fall outside HIPAA's coverage. State laws like Illinois's Biometric Information Privacy Act (BIPA), Texas's Capture or Use of Biometric Identifier Act (CUBI), and Washington's biometric consent statutes create additional obligations with per-violation penalty structures.

The litigation landscape around employee health data has expanded dramatically. Courts in Illinois have ruled that BIPA violations accrue per scan — not per person — allowing statutory damages to multiply rapidly. For employers conducting biometric screenings, drug tests, and health assessments, the data collection, storage, consent, and retention practices surrounding these activities carry material financial exposure. Multi-state employers face the additional challenge of complying with different retention schedules and consent requirements across each jurisdiction.

Why This Matters for Employers

This Texas-specific update represents a meaningful shift in privacy compliance requirements. While the immediate scope may be limited, it reflects ongoing regulatory attention to this area and may signal further changes.

Cross-industry impact: This update affects employers across multiple sectors, including healthcare, construction, manufacturing, and transportation. Each industry may face different compliance burdens depending on their existing programs and workforce composition. Multi-site employers should coordinate their response across locations to ensure consistent compliance.

For HR directors, safety managers, and compliance officers, this update should trigger a review of current written programs, training records, and standard operating procedures. The cost of proactive compliance is almost always lower than the cost of responding to violations, litigation, or workplace incidents after the fact.

Penalties for Non-Compliance

Health data privacy violations carry substantial financial exposure. Penalties vary by statute and jurisdiction, but the potential for per-scan or per-record damages can compound rapidly — particularly in class-action litigation.

  1. BIPA per intentional violation: $5,000
  2. CUBI per violation (TX): $25,000
  3. HIPAA max per category/year: $2,067,813

What Employers Should Do Now


1. Audit your data collection practices

2. Review consent and notice procedures

3. Update your data retention schedules

4. Restrict and document data access

5. Engage legal counsel

6. Set calendar reminders



Source: Official Legislation · Verified 2026-03-11

This article is part of BlueHive Compliance Watch, which monitors occupational health regulations across all 50 states and federal agencies.
