Most HR teams know about the Texas Responsible AI Governance Act. Fewer realize it has teeth specifically around biometric data collected during hiring -- and that those teeth bite before the first interview is scheduled.
Texas TRAIGA, codified in the Texas Business and Commerce Code beginning at Chapter 503, requires explicit written consent before any business collects a biometric identifier from an individual. That rule applies to job applicants. It applies even when the collection happens through a third-party AI vendor. And it applies even when the applicant's photo or voice is technically available online. The consent requirement is not a formality buried in terms of service -- it must be obtained before collection begins, and the consequences of skipping it start at $25,000 per affected individual.
This article walks through exactly what counts as biometric data under Texas law, which AI hiring tools trigger the consent requirement, what an HR-compliant consent and audit workflow looks like, and how TRAIGA compares to Illinois BIPA, the other major US biometric statute employers worry about.
What Counts as Biometric Data Under Texas TRAIGA
Texas Business and Commerce Code Section 503.001 defines "biometric identifier" to include:
- Retina or iris scans
- Fingerprints
- Voiceprints
- Records of hand geometry
- Records of face geometry
That final category -- face geometry -- is where AI hiring tools create the most unexpected exposure. The statute does not require a purpose-built fingerprint reader or retina scanner. It covers any record derived from the physical structure of a person's face. An AI tool that analyzes a video interview frame-by-frame to extract facial landmarks, measure distances between facial features, or track micro-expressions is generating a record of face geometry. The intermediate output may never be stored as a traditional biometric template, but the analysis itself constitutes a capture under the statute.
The same logic applies to voiceprints. An AI system that extracts acoustic features from a candidate's spoken responses -- pitch, cadence, formant frequencies, emotional tone -- is generating a voiceprint, even if the vendor describes it as "voice analysis" or "communication style scoring."
What is explicitly excluded from the definition: photographs used for identification, demographic data derived without biometric extraction, and information captured for security access purposes. The photograph exclusion is narrower than it sounds. A raw JPEG of someone's face is not a biometric identifier. A software-generated facial geometry map derived from that JPEG is.
The Consent Rule That Catches HR Teams Off Guard
Section 503.001(b) states that a person "may not capture a biometric identifier of an individual for a commercial purpose unless the person informs the individual before capturing the biometric identifier." The disclosure must be written and must explain the specific purpose for which the biometric data will be used.
This consent-before-collection rule has two edges that consistently trip up HR teams.
The timing problem. Consent must be obtained before collection begins. That means before a video interview platform starts recording, before an AI tool begins parsing audio, before any biometric-extracting analysis runs. A consent checkbox buried in the final step of a 10-page job application is legally inadequate if the applicant's data was already being analyzed earlier in the process.
The "publicly available" exception is not what it sounds like. Texas law, like Illinois BIPA, contains a carve-out for "publicly available information." But Section 503.001 defines this narrowly: information that is "lawfully made available to the general public from federal, state, or local government records" or information that the individual has voluntarily shared "with the general public without restriction." A LinkedIn profile does not satisfy this standard. LinkedIn users post profile photos for professional networking within a platform that has its own terms of service and privacy settings. They are not sharing those photos with the general public without restriction. Scraping a LinkedIn photo and running facial recognition on it without consent violates Section 503.001.
The same analysis applies to photos from company websites, Twitter profiles, and other social platforms. The "publicly available" exception covers government records and truly unrestricted public disclosures -- not anything a person has ever posted online.
Written consent under TRAIGA must inform the individual:
- That a biometric identifier is being or will be collected
- The specific purpose for the collection
- The length of time the biometric data will be stored or used
Template consent disclosures that simply say "we may use your data for hiring purposes" are insufficient. The disclosure must be specific about biometric collection.
Which AI Hiring Tools Trigger Biometric Compliance
Not all AI in the hiring stack collects biometric data. Understanding the difference prevents both under-compliance (missing tools that do collect biometrics) and over-compliance (treating every AI tool as a biometric risk).
| Tool Category | Biometric Trigger | Consent Required | TRAIGA Risk Level |
|---|---|---|---|
| Video interview with facial expression analysis (e.g., HireVue) | Face geometry, voiceprint | Yes, before recording | High |
| Game-based assessments with audio/video capture (e.g., Pymetrics) | Voice patterns, behavioral biometrics | Yes, before game starts | High |
| Resume screening that parses LinkedIn profile photos | Face geometry if image is analyzed | Yes, if photo is processed | High |
| Video interview with no AI analysis (human review only) | None | No | None |
| Text-only resume screening and ATS tools | None | No | None |
| Skills-based assessments with no audio/video | None | No | None |
| Background check tools using government records | Government records excluded | No (narrow exception applies) | Low |
| Automated reference checks via voice survey | Voiceprint if analyzed by AI | Yes, if AI analyzes audio | Medium |
HireVue's platform -- specifically its AI-analyzed video interview product -- collects face geometry and voiceprint data. The company provides its own consent mechanisms, but employers remain legally responsible for ensuring those mechanisms are properly deployed and that consent is obtained before any recording begins. Delegating to a vendor does not transfer the compliance obligation.
Pymetrics games that include microphone or camera access trigger both voiceprint and behavioral biometric concerns. If the platform's AI is analyzing how a candidate speaks or moves, the employer using Pymetrics needs TRAIGA-compliant consent.
Resume screening tools that import data from LinkedIn or other profile sources are a gray zone that has recently shifted toward high-risk. If the tool ingests a photo and runs any facial analysis -- even to verify identity -- it is capturing face geometry. Most vendors in this category do not clearly document whether photo processing includes AI analysis.
Penalties: What "Per Violation" Means in Practice
Texas Business and Commerce Code Section 503.001 authorizes the Texas Attorney General to seek civil penalties of up to $25,000 per violation. The AG also has authority to seek injunctive relief and recover attorney fees.
There is no private right of action under TRAIGA. That is the single largest structural difference from Illinois BIPA, which has generated hundreds of millions of dollars in class action liability. Under TRAIGA, only the Texas AG can enforce the biometric consent rules.
"Per violation" in AG enforcement practice means per individual affected. An employer that ran 500 video interviews without obtaining proper consent has committed 500 violations, each carrying up to $25,000 in civil penalties. The theoretical maximum exposure for that single hiring campaign: $12.5 million. The AG does not automatically seek the statutory maximum, but large-scale systematic violations -- an employer running thousands of AI-analyzed video interviews without any consent mechanism -- represent the kind of fact pattern that produces significant AG interest.
The absence of a private right of action should not be read as a low-enforcement environment. The Texas AG's office has signaled active interest in AI-related consumer and employee privacy matters, and biometric data collection is a named priority in recent enforcement communications.
7-Step Employer Compliance Checklist
Getting to a defensible TRAIGA compliance position on biometric data in hiring requires working through the full AI tool stack, not just adding a consent checkbox to one form.
1. Audit every AI tool in your hiring stack for biometric data collection. Request data flow documentation from each vendor. Ask specifically whether the tool collects, generates, or analyzes any data type listed in Texas Business and Commerce Code Section 503.001. Do not rely on the vendor's own characterization -- ask for the underlying technical description of what data the system processes.
2. Map which candidates have provided compliant consent. For any tool that collects biometric data, determine whether you have written, pre-collection consent from every affected applicant. If you have been using a tool without a proper consent mechanism, document when that gap began and how many applicants may have been affected.
3. Update job application forms to include biometric consent disclosures. For each tool that triggers TRAIGA, add a standalone written disclosure to the application process. The disclosure must appear before the applicant encounters the biometric-collecting tool, must name the specific data type being collected, state the purpose, and state the retention period. Do not fold it into a general privacy policy acknowledgment.
4. Require vendors to disclose whether their tool collects biometric data. Add a mandatory disclosure requirement to your vendor onboarding process. Before any AI hiring tool is deployed, the vendor must provide written confirmation of whether the tool collects any biometric identifiers as defined under Texas Business and Commerce Code Section 503.001, and if so, how consent is obtained.
5. Update vendor contracts with a TRAIGA compliance warranty clause. Existing and new vendor agreements for AI hiring tools should include a representation that the vendor's tool complies with applicable biometric data laws, including Texas Business and Commerce Code Chapter 503, and that the vendor will notify you within 30 days of any change in how the tool collects or processes biometric data.
6. Train HR staff on the right questions to ask AI tool vendors. HR teams often evaluate AI hiring tools based on functionality, cost, and integration capabilities. Add biometric data compliance to the evaluation criteria. The vendor questionnaire below gives HR staff specific questions to use.
7. Schedule an annual biometric data inventory. Texas law requires that biometric data not be retained beyond the purpose for which it was collected or three years after the last interaction, whichever comes first. An annual inventory of what biometric data exists, where it is stored, and whether the retention period has passed is the minimum standard for ongoing compliance.
Sample Vendor Questionnaire for TRAIGA Biometric Compliance
HR teams can use the following five questions when evaluating or auditing AI hiring tool vendors. Send these in writing and require written responses -- verbal assurances are not adequate documentation.
Question 1: Does your tool collect, use, or generate biometric identifiers as defined under Texas Business and Commerce Code Section 503.001, including retina or iris scans, fingerprints, voiceprints, records of hand geometry, or records of face geometry?
Question 2: What is the legal basis for any biometric data collection in your product, and what consent mechanism does your tool provide to applicants before biometric data is collected?
Question 3: How is biometric data stored within your platform, what security controls protect it, and what is your published retention schedule?
Question 4: Does your company share or disclose biometric data with any third parties, including subprocessors, analytics vendors, model training partners, or data brokers?
Question 5: If a Texas employer is required to obtain written consent from applicants before biometric collection under Texas Business and Commerce Code Section 503.001, does your platform support that workflow, and can you provide documentation of how the consent mechanism functions?
Store vendor responses alongside your AI tool register. If a vendor cannot answer Question 1 with specificity, that is itself a red flag requiring escalation before deployment.
How TRAIGA Biometric Requirements Compare to BIPA
Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, is the other major US biometric statute affecting employers. Understanding the differences between BIPA and TRAIGA matters both for multi-state employers and for understanding the enforcement risk profile of each law.
Enforcement structure: BIPA has a private right of action. Any individual whose biometric data was collected without consent can sue. Class actions under BIPA have produced settlements ranging from $1 million to over $650 million (the 2023 Illinois federal class action against a facial recognition vendor). TRAIGA has no private right of action -- only the Texas AG can enforce it. That means no class actions under TRAIGA, but it also means systematic violations are handled at the regulatory level rather than the litigation level.
Data types covered: Both statutes cover retina/iris scans, fingerprints, voiceprints, and face/hand geometry. TRAIGA is generally considered to cover at least as broad a range of data types as BIPA, and the face geometry definition under TRAIGA has been applied broadly to AI-inferred geometric data from video.
Consent requirements: Both require written consent before collection. BIPA requires consent from each individual for each specific purpose. TRAIGA requires consent before collection and disclosure of purpose and retention period. BIPA is slightly more granular in its consent specificity requirements, but the practical difference is small for employers drafting compliant forms.
Retention limits: BIPA limits retention to the earlier of the purpose being fulfilled or three years. TRAIGA similarly prohibits retention beyond the purpose or three years from the last interaction. Both statutes require a published retention policy.
Damages: BIPA provides $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorney fees. TRAIGA provides up to $25,000 per violation, but only the AG can seek it.
Practical implication for multi-state employers: If you operate in both Illinois and Texas, you need consent mechanisms that satisfy both statutes. That means written, pre-collection consent that specifies the biometric data type, purpose, and retention period. The good news is that a properly drafted consent disclosure for BIPA will generally satisfy TRAIGA as well -- the standards overlap substantially.
For employers operating only in Texas, BIPA is not directly applicable, but it provides useful precedent for what courts and regulators treat as adequate biometric consent. Several employment attorneys in Texas have recommended using BIPA-grade consent practices as the baseline for TRAIGA compliance, precisely because the AG's enforcement guidance will likely draw on the more developed BIPA case law.
What This Means Before Your Next Hiring Cycle
AI hiring tools that analyze video, audio, or behavioral data are now standard parts of many recruiting stacks. The biometric consent requirements under TRAIGA are not theoretical future risk -- they apply to any Texas-based employer using these tools today.
Before your next hiring campaign runs a single AI-analyzed video interview, three things need to be in place: a written consent disclosure that appears before the interview starts and names the specific biometric data being collected, a vendor confirmation that the tool's data collection is accurately characterized, and an internal record that consent was obtained from each affected applicant.
The cost of getting this right is a few hours of legal review and a form update. The cost of a systematic failure -- thousands of unconsented biometric captures flagged in an AG investigation -- starts at $25,000 per person and scales from there.
For further context on the broader TRAIGA compliance picture beyond biometrics, see the Texas TRAIGA compliance checklist. For comparison with how other states regulate AI in hiring, see AI hiring tool compliance across US state laws. If you use AI tools that trigger bias audit requirements in addition to biometric consent, the NYC Local Law 144 employer guide covers the parallel obligations under New York City's law.
This article is informational and does not constitute legal advice. Texas TRAIGA requirements and enforcement guidance are subject to change. Consult qualified legal counsel for advice specific to your organization's hiring practices and AI tool stack.
