This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 2 minute read

The Voiceprint You Didn't Mean to Create: What Delgado v. Meta Means for Employers

Employers and tech companies face real litigation risk when they process voice data in ways that could be used to identify individuals, even if they never actually use the data for that purpose. That is the key takeaway from Delgado v. Meta Platforms, Inc., where a federal court in California denied Meta's motion for summary judgment in a proposed class action alleging voiceprint collection in violation of the Illinois Biometric Information Privacy Act.

Understanding BIPA and Voiceprints

Illinois Biometric Information Privacy Act (BIPA) regulates how private entities collect, retain, disclose, and destroy "biometric identifiers." That classification of data expressly includes voiceprints, along with fingerprints, retina or iris scans, and scans of hand or face geometry. Before collecting biometric data, an entity must provide written notice, obtain a written release, and maintain a publicly available retention and destruction policy. Violations carry statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, and that exposure scales rapidly in a class action.

A voiceprint, however, is distinct from a simple audio recording. It involves the analysis of unique vocal characteristics (pitch, tone, cadence, and speech patterns) to identify or distinguish a specific speaker. When software processes voice data in a way that attributes speech to a particular individual, that process may create a "biometric identifier" under BIPA.

Delgado v. Meta Platforms, Inc.

In Delgado v. Meta Platforms, Inc., an Illinois Facebook user alleged that Meta collected her voiceprint without BIPA-compliant notice or consent after she used audio functions on Facebook and Messenger. Meta moved for summary judgment, arguing that BIPA does not apply to "mere voice recordings" and that it never used the plaintiff's recordings to actually identify her.

U.S. District Judge Susan Illston denied the motion. The court's reasoning centered on a principle with broad implications: "the salient question is not whether Meta in fact used plaintiff's voice data to identify her; 'BIPA applies if it could.'" Because the plaintiff presented evidence that Meta possesses the technological infrastructure to link voice recordings to user identities, including account linkages and probabilistic matching systems, the court found a triable dispute existed. The court also rejected Meta's argument that a formal enrollment process is required before voice data can qualify as a voiceprint, finding that other identification mechanisms suffice.

What This Means for Employers

This decision has significant implications for any organization that processes voice data, whether through call centers, AI-powered meeting transcription tools, voice authentication systems, or communication platforms.

Capability triggers liability, not actual use. BIPA liability does not require proof that an employer actually identified someone using their voice data. If the organization possesses the technological capability to do so, even by linking voice recordings to account information or employee records, that may be enough.

Linking voice recordings to identities creates risk. Employers who store voice recordings in systems that connect audio to employee or customer identities should evaluate whether those systems could be deemed to create voiceprints under BIPA. The court expressly declined to "precisely delineate at what point voice data transforms from a 'mere voice recording' into a 'voiceprint' under BIPA." That ambiguity means employers should err on the side of compliance.

There is no "enrollment" safe harbor. Meta argued that because it never asked users to formally submit voice samples tied to their names, no voiceprint was created. The court disagreed. If an organization can link a voice recording to a person's identity through other means, such as account data or matching algorithms, that can be enough to trigger BIPA.

Organizations operating in Illinois or interacting with Illinois residents should:

  • Audit voice-processing technology to determine whether any platform performs speaker identification, voice analytics, or speech-to-speaker attribution

  • Implement BIPA-compliant notice and consent before collecting any voice data that could be linked to an individual

  • Publish a written retention and destruction policy for biometric data, and 

  • Evaluate third-party vendors and AI tools, including meeting transcription software and communication platforms, to determine whether they create voiceprints on behalf of the organization.