Biometric Voice Recognition and Privacy Laws in 2023

Biometric voice recognition solutions like Illuma Shield™ collect and store voice data during telephone communications in contact centers. These voiceprints make it possible to seamlessly and securely identify credit union members by the unique characteristics of their voice. While our Illuma Shield™ solution doesn’t record member conversations, it does capture voice and calling device characteristics to create a unique AudioPrint™ that is stored in the cloud.

The collection, use, and storage of these voiceprints may be governed by laws that directly or indirectly cover biometrics and other personal information as part of regulations for private data and/or privacy. For example, some of these laws require notice, disclosure, or member consent prior to collecting biometric data.

Over the past several years, we have been compiling information on various state, federal, national, and international laws that may impact how our credit union clients use voice recognition technology.

Our white paper “Biometrics & Privacy Laws: Best Practices for Implementing Illuma Shield” covers what we have learned so far.

This resource has been updated for 2024!

Please note: Our findings are provided for informational purposes only, and should not be construed as legal, risk, or compliance advice specific to your institution, locations, and use cases.

One Size Doesn’t Fit All: Common Requirements Vary by State

Consumer privacy is a complex issue with widely varying approaches to legislation and enforcement across the U.S.

Figure: Data privacy laws for biometric voice recognition vary by state (see source at IAAP.org).

  • To date, California has implemented the most comprehensive set of data privacy laws, and Illinois has the most comprehensive laws governing the use of biometric data. There are many exceptions to state laws applicable to financial institutions and data regulated under the GLBA.
  • Maximum retention limits govern how long the biometric data can be legally kept on file. Some states require data to be destroyed no later than a year after it is no longer needed to serve the purpose for which it was collected. Others have no maximum retention limit. It is important to have systems in place to show compliance with these requirements in the event that data retention practices are audited.
  • Some states require specific written consent. Others only require clear affirmative consent for members to opt in. Either way, it’s important to be able to document that consent was given in compliance with state laws. Being able to opt out is important too. Illuma Shield is designed to be used with the full knowledge and consent of members. We find 9 out of 10 members are happy to say “yes!”
  • While Illuma has no intention to sell data captured at client credit unions’ call centers, biometric voice recognition data in general is viewed as potentially having value to outside parties. In many states, sale of this data is prohibited altogether. In others, this practice is restricted or covered by the same consent and notifications applied to other member data.
  • Biometric data may be included in breach notification requirements. This is true in more than 20 U.S. states. In Illinois, individuals can bring private legal claims if the Biometric Information Privacy Act (BIPA) is violated, even without proving actual harm.

Key Takeaway Regarding Biometric Voice Recognition Data

None of the requirements we discovered are overly burdensome. We foresee credit unions across the United States being able to reasonably comply with state and federal regulations. Our system is built to support and demonstrate compliance, making it easier to stay current.

For access to the full white paper, along with our recommendations for best practices for compliance, request access here.