If you were not already aware, Texas has been very aggressive in protecting Texans’ privacy and enforcing Texas law. And that aggressive trend does not appear to be slowing down.
The Texas Attorney General has opened a new investigation into Meta Platforms, Inc., this time focused on the company’s Meta AI Glasses and the privacy practices surrounding their always-on recording features, facial geometry collection, and third-party data handling. The investigation marks the second major enforcement effort the Texas AG’s office has directed at Meta over biometric and surveillance concerns in less than two years.
Meta Glasses are camera-equipped wearables that capture and share audio and video from the wearer’s surroundings. According to the AG’s announcement, Meta’s privacy policy acknowledges an “always enabled” mode that permits the device to continuously process video data for use with Meta AI products. The glasses include an LED indicator intended to signal when recording is active, but the AG’s office notes that the indicator is easily obscured and, more critically, does not illuminate during always-enabled mode. The practical implication is that bystanders, and in some circumstances even wearers themselves, may not be reliably alerted when audio and video capture is occurring.
The investigation also targets Meta’s representations regarding the privacy of data collected through the glasses. Although Meta advertises the product as “designed for privacy” and claims to safeguard personally identifiable information, the AG’s announcement highlights reporting that Meta’s Kenyan subcontractor, Sama, has accessed user content during the data annotation process. Data annotators reportedly have viewed user videos containing intimate moments, including bathroom visits. While Meta represents that faces in annotated data are automatically blurred, at least one annotator has indicated that automatic blurring does not occur in all cases. For practitioners advising clients on vendor management and downstream data handling, the disclosure underscores how upstream privacy representations can be undermined by the operational realities of offshore data labeling.
Of particular concern to the Texas AG is reporting from the New York Times that Meta plans to integrate facial recognition into the glasses. The feature, internally referred to as “Name Tag,” would enable the device to capture and process facial geometry of individuals appearing within the camera’s field of view, including unsuspecting third parties who have no relationship with Meta and no opportunity to provide informed consent. In a state that has actively pursued biometric enforcement under the Capture or Use of Biometric Identifier Act (“CUBI”) (Texas Business and Commerce Code Section 503.001), the prospect of mass, ambient facial geometry collection by a consumer wearable presents an obvious enforcement target.
Attorney General Paxton emphasized the privacy stakes in his announcement, stating that his office will “thoroughly investigate these devices to ensure that no individual is being unlawfully recorded, tracked, or subjected to the unauthorized collection of their data.” The AG’s office has issued a Civil Investigative Demand to Meta to evaluate whether the company is deceptively misrepresenting the extent of its use of consumer data in violation of Texas law.
The new investigation arrives in the shadow of the AG’s July 2024 resolution of similar claims against Meta, which produced a $1.4 billion settlement over the unlawful capture and use of facial recognition data in the Facebook application. That settlement, then the largest privacy-related recovery in Texas history, signaled the AG’s willingness to pursue substantial monetary relief under CUBI and the Deceptive Trade Practices Act for biometric collection conducted without proper notice and consent. The Meta Glasses investigation suggests the AG’s office views the move from application-based facial recognition to wearable-based facial recognition as a continuation of the same regulatory concern rather than a new category of risk.
Practitioner Observations
First, the focus on whether the LED indicator can be obscured reflects an emerging regulatory interest in the design of physical consent signals. Privacy by Design analysis has long emphasized that meaningful notice is a function of both disclosure language and product behavior. When a hardware affordance intended to communicate recording status can be defeated by a sticker or a finger, regulators may treat that design choice as itself a deceptive practice, particularly where the company has marketed the product as privacy-protective.
Second, the Sama disclosures highlight a recurring vulnerability in privacy programs. Representations made by a controller about data minimization, blurring, and access controls must hold up at every stage of the processing pipeline, including offshore vendor environments. Vendor management programs that rely on contractual representations without operational verification are increasingly being deemed inadequate by regulators, particularly when the underlying data contains intimate or sensitive content.
Third, the AG’s apparent willingness to act before “Name Tag” deployment is notable. The Civil Investigative Demand appears to probe not only current functionality but also planned features, suggesting that prospective enforcement based on internal product roadmaps and journalistic reporting is on the table. Companies developing biometric features should anticipate that pre-launch design choices may face regulatory scrutiny before commercial release, particularly when the technology affects non-users.
Fourth, the matter reinforces Texas’s position as the most aggressive state enforcer of biometric privacy in the country following the 2024 settlement. With CUBI’s $25,000 per violation civil penalty structure and the AG’s demonstrated willingness to litigate, Texas exposure should be modeled separately from general state privacy law exposure in any biometric impact assessment.
Fifth, this action could be a precursor for other state enforcement actions. Three states (Illinois, Texas, and Washington) have comprehensive, standalone biometric privacy laws. Additionally, many states include protections for biometric information in their broader consumer data privacy laws or industry-specific legislation. California, Illinois, and Washington are the primary states with direct statutory rights for consumers to sue for privacy violations. California consumer plaintiff firms are very active in bringing claims under CIPA. Could these Meta Glasses open up a new battlefront? Time will tell.
The investigation is in its early stages, and the scope of the Civil Investigative Demand and Meta’s response have not been publicly disclosed. Practitioners advising clients in the wearable technology, augmented reality, or AI-enabled imaging spaces should monitor the matter closely, both for the substantive privacy questions it raises and for the procedural template the Texas AG continues to develop for biometric enforcement actions.
