On February 17, 2022, the California Legislature introduced a biometric privacy law (SB 1189) similar to the Illinois Biometric Information Privacy Act (“BIPA”). SB 1189 would dramatically increase biometric privacy protection for California consumers, expand regulation among private business, and add to the flurry of biometric privacy class action litigation that has taken hold of U.S. courts.
David J. Oberly |
2021 has brought with it a sizeable expansion in the types of technology and companies that are now being targeted with bet-the-company Illinois Biometric Information Privacy Act (“BIPA”) class action lawsuits. The first major expansion involved the targeting of virtual try-on technology, a feature made even more popular during the COVID-19 pandemic, which, according to plaintiffs, utilizes facial recognition technology. More recently, a high volume of BIPA class action suits have been filed targeting the use of voice-powered technologies.
BIPA & Voice Data
BIPA regulates the collection, use, and storage of “biometric identifiers,” which includes—among other things—“voiceprints.” However, the term “voiceprint” is not defined in Illinois’ biometric privacy statute. “Voiceprint” is generally defined as a distinctive pattern of curved lines and whorls made by a machine that measures human vocal sounds for the purpose of identifying an individual speaker. It is this hallmark of identifying (or verifying the identity of) an individual that makes voice data a “voiceprint” under BIPA. In this respect, courts have noted that voice biometrics, also known as voiceprinting, is the use of biological characteristics—one’s voice—to verify an individual’s identity.
Thus, a critical distinction exists between general voice data, which is not covered by BIPA, and voiceprint, which fall under the scope of Illinois’ biometric privacy statute—with the important dividing line being the identifying quality of the biometric information. In a 2017 case, an Illinois federal court recognized this distinction, noting the difference between the mere capture of voice data and an actual “voiceprint.” In doing so, the court noted that if an entity simply captures a person’s voice without generating a voiceprint for the specific purpose of identifying ,or verifying the identity of, an individual, then there is no violation of BIPA.