Federal and state enforcement actions involving biometric data violations, tracked from official government sources.
17
Total Actions
$8.3B
Total Fines
3
Jurisdictions
Connecticut Attorney General William Tong submitted testimony in support of genetic privacy legislation that would grant residents exclusive control over their DNA and genetic data. The legislation is inspired by his office's investigation into 23andMe's data breach affecting over six million customers and the company's subsequent bankruptcy. The bill requires express consent for DNA use, imposes security measures, and prohibits marketing use of DNA.
Texas Attorney General Ken Paxton secured a $1.375 billion settlement with Google for unlawfully tracking Texans' geolocation data, incognito browsing activity, and biometric identifiers without consent. This is the largest single-state privacy settlement against Google, significantly larger than multistate settlements. The agreement resolves two major privacy enforcement actions brought by Texas.
$1.4B
Texas Attorney General Ken Paxton secured a record-setting $1.4 billion settlement with Meta for unlawfully capturing and using the biometric data of millions of Texans, marking one of the largest privacy settlements in U.S. history.
$1.4B
Texas Attorney General Ken Paxton announced a comprehensive privacy enforcement initiative, achieving record settlements with Meta ($1.4B) and Google ($1.375B) for biometric and geolocation data violations, suing General Motors and TikTok, and investigating numerous companies for children's data and AI practices. The AG's office has enforced multiple Texas privacy laws and registered over 200 data brokers.
$2.8B
Texas Attorney General Ken Paxton filed a lawsuit in the 23andMe bankruptcy case to prevent the sale of Texans' genetic data without proper consent. The action seeks to confirm Texans' property rights over their genetic information under the Texas Data Privacy and Security Act and the Texas Direct-to-Consumer Genetic Testing Act. The AG argues that 23andMe's proposed asset sale would violate Texas law requiring separate express consent for disclosure of genetic information.
Connecticut joined a coalition of 28 attorneys general to object to 23andMe's proposed sale of genetic data in bankruptcy without customer consent. The states argue such sensitive information requires express consent and cannot be sold like ordinary property. Attorney General Tong also advised consumers to delete their data and genetic samples.
Attorney General Ken Paxton sued Google for unlawfully tracking and collecting Texans' private data, including geolocation, incognito searches, and biometric data. The case resulted in a $1.375 billion settlement, the largest ever against Google for state privacy enforcement, marking a major win for data privacy rights.
$1.4B
Texas Attorney General Ken Paxton filed a motion to appoint a Consumer Privacy Ombudsman in the Chapter 11 bankruptcy case of 23andMe to protect the sensitive genetic and personal data of Texans. The genetic testing company seeks to sell assets that may include genetic data, health information, and personally identifiable information. The AG's office is also informing Texans of their rights under Texas law to request deletion of their data and genetic samples.
The Connecticut Office of the Attorney General released an updated enforcement report on the Connecticut Data Privacy Act (CTDPA) for 2024, summarizing investigations into companies handling connected vehicles, genetic data, palm recognition, teen messaging apps, and facial recognition. The report outlines expanded enforcement priorities around opt-out practices and dark patterns, and includes legislative recommendations to strengthen the CTDPA.
The FTC finalized an order against IntelliVision Technologies Corp. for making deceptive claims about its facial recognition software's accuracy and lack of bias. The company must now back up any claims with competent testing and is prohibited from misrepresenting the software's performance. No monetary penalty was imposed.
Meta captured facial recognition data from millions of Texans without consent, violating Texas biometric privacy laws. The company agreed to pay $1.4 billion over five years to settle the case. This is the largest privacy settlement obtained by a single state.
$1.4B
The FTC has proposed amendments to the COPPA Rule to enhance children's privacy protections. Key changes include requiring separate parental consent for targeted advertising, prohibiting conditioning access on data collection, limiting push notifications, strengthening data security and retention requirements, and restricting commercial use in educational technology. The proposal shifts responsibility from parents to companies to safeguard children's data.
The FTC settled charges that Rite Aid deployed AI facial recognition technology in hundreds of stores from 2012 to 2020 without reasonable safeguards, resulting in false-positive matches that disproportionately harmed women and people of color. The proposed order bans Rite Aid from using facial recognition for surveillance for five years and requires comprehensive biometric data safeguards, data deletion, consumer notifications, and a certified security program.
CRI Genetics, LLC was charged by the FTC and California Attorney General for deceptive marketing of DNA testing services, including false accuracy claims, fake reviews, and using dark patterns in billing. The company agreed to a settlement, paying a $700,000 civil penalty, and is prohibited from deceptive practices, must obtain consent for data sharing, and allow data deletion for consumers who requested it.
$700K
The FTC finalized an order against 1Health.io for failing to secure genetic data and unfairly changing its privacy policy. The company must pay $75,000 for consumer refunds, destroy DNA samples, and implement security measures. It deceived consumers about data deletion and shared data without proper consent.
$75K
The FTC settled with genetic testing company 1Health.io for failing to secure sensitive genetic and health data, deceiving consumers about data deletion, and unfairly changing its privacy policy without notice or consent. The settlement includes refunds totaling over $49,500 to 2,432 affected consumers.
$50K
Everalbum, Inc. settled FTC allegations that it deceived consumers about its use of facial recognition technology in its photo storage app and failed to delete photos when users deactivated their accounts. The settlement requires Everalbum to obtain express consent before using facial recognition, delete user photos and derived face embeddings, and delete developed models and algorithms. It also prohibits misrepresentations about data practices and requires consent for biometric data use if marketing software to consumers.