Key Takeaways
- •A biometric voiceprint consent form is the written notice plus written release that Illinois BIPA (740 ILCS 14/15) requires before any private entity may collect or create a voiceprint, and it is the one document that defeats most BIPA claims.
- •Illinois is the only state with a private right of action. Statutory damages run $1,000 per negligent violation and $5,000 per reckless or intentional violation, and a plaintiff does not have to prove any actual harm to recover.
- •The August 2, 2024 amendment (P.A. 103-769) collapsed repeat collections of the same voiceprint by the same method into a single violation, and the Seventh Circuit held in Clay v. Union Pacific (April 1, 2026) that the change applies retroactively to pending cases.
- •Texas CUBI allows civil penalties up to $25,000 per violation and Colorado's HB 24-1130 up to $20,000, both enforced only by the attorney general, while the GDPR treats a voiceprint as Article 9 special category data carrying fines up to 20 million euros or 4 percent of global turnover.
- •AI model training is the new litigation flashpoint. The Otter.ai (Aug. 2025), Fireflies.AI (Dec. 2025), and Apple Siri (class certified Jan. 29, 2026, roughly 3 million Illinois users) suits all turn on voiceprints captured and reused without disclosed consent.
- •BIPA caps retention at three years from the person's last interaction, Texas at one year after the purpose expires, and Colorado at 24 months, so a compliant consent form must point to a public written retention and destruction schedule.
Reviewed for accuracy by the document.com legal team. Educational information, not legal advice.
What Is Biometric Voiceprint Consent Form?
A biometric voiceprint consent form is the written disclosure and signed release a business must obtain before it captures, creates, stores, or shares a person's voiceprint. A voiceprint is not the audio file. It is the mathematical template, the set of vocal characteristics extracted from a recording, that can single out one person the way a fingerprint does. Under Illinois law a voiceprint is named outright as a biometric identifier (740 ILCS 14/10), and the same is true under Texas CUBI, the GDPR, and California's CCPA as amended by the CPRA. Because the data identifies the individual, every one of those regimes wants the person told what is being collected and why, and wants their agreement on the record before a single template is generated.
The form does two jobs. It delivers the statutory notice (the purpose of collection, how long the data is kept, the method, and any third parties who will receive it), and it captures the release, meaning the person's informed written or electronic agreement to all of that. Get both right and you have built the consent defense that almost every defendant in the current wave of voiceprint litigation wishes it had. Skip the notice, bury the consent in a terms-of-service checkbox, or quietly route the voiceprint into a model-training pipeline you never mentioned, and you have built the exact fact pattern plaintiffs' firms are filing on right now.
Why This Matters Now
Voice biometrics used to live quietly inside call centers and warehouse headsets. That changed when the AI meeting assistant moved into every Zoom and Teams call. Tools like Otter.ai and Fireflies.AI run speaker diarization, the technical step that separates who said what, and speaker recognition that builds a per-person voiceprint so the software can label the same speaker across meetings. That is biometric processing, and most users never agreed to it. In August 2025 plaintiffs filed Brewer v. Otter.ai and Walker v. Otter.ai in the Northern District of California, alleging voiceprint collection for speaker identification and model training with no notice and no consent. In December 2025, Cruz v. Fireflies.AI Corp. made nearly identical claims. On January 29, 2026 a court certified a class against Apple over Siri voiceprints, covering roughly three million Illinois users.
The dollars behind these filings are why general counsel are paying attention. Whole Foods settled the first voiceprint BIPA class action for about $300,000 in January 2023 over warehouse headset collection. Petco paid $445,000 in 2024 for voiceprint capture through a Honeywell warehouse system that swept in 445 workers. Meta paid Texas $1.4 billion in July 2024 over facial recognition, the largest state biometric settlement on record, and Clearview AI settled facial-scraping claims for $51.75 million in March 2025 using a novel deal that hands the class 23 percent equity in the company. Voice is simply the next modality, and the legal theory is identical. If you record voices, route them through software that recognizes speakers, or feed them to a model, you are collecting voiceprints, and a court will not care that your privacy lawyer never used that word.
The Legal Backbone
Illinois BIPA (740 ILCS 14): the statute with teeth
The Illinois Biometric Information Privacy Act is the law that matters most, because it is the only U.S. biometric statute that lets individuals sue directly rather than waiting on a regulator. Section 10 (740 ILCS 14/10) lists voiceprint as a biometric identifier alongside retina and iris scans, fingerprints, and face and hand geometry. Section 15 (740 ILCS 14/15) is the operative command: a private entity may not collect, capture, purchase, or otherwise obtain a biometric identifier without first giving written notice of the specific purpose and the length of time the data will be kept and used, and obtaining a 'written release.' That release is defined as informed written consent, an electronic signature, or, in the employment context, a release signed as a condition of employment. The 2024 amendment confirmed that an electronic signature satisfies the requirement, so a clicked-and-timestamped consent counts. Section 15 also requires a written, publicly available retention and destruction policy that destroys the data when the purpose is satisfied or within three years of the person's last interaction, whichever comes first. Section 20 (740 ILCS 14/20) sets damages at $1,000 per negligent violation and $5,000 per intentional or reckless violation, or actual damages if greater, plus attorneys' fees, costs, and expert fees. Illinois courts have held a plaintiff need not show any concrete harm; the bare statutory violation is the injury.
The 2024 amendment and the Clay retroactivity ruling
For years the open question was whether each scan counted as a separate violation. Under the old reading, a worker who clocked in by voice 1,500 times could theoretically claim 1,500 violations at $5,000 each, $7.5 million from one employee. Public Act 103-769, effective August 2, 2024, ended that: when the same entity collects the same biometric identifier from the same person using the same method more than once, it is a single violation. On April 1, 2026, the Seventh Circuit held in Clay v. Union Pacific Railroad Co. that the amendment applies retroactively to cases already pending. That ruling did not make BIPA toothless. It capped the per-person exposure at one violation per identifier per method, which shrinks the aggregate class math considerably but still leaves a defendant facing $1,000 to $5,000 for every member of a class that can run into the millions, plus fee-shifting. Always confirm the current state of this issue, because the contours of retroactivity and the per-violation rule are still being litigated.
Texas CUBI and the other attorney-general states
Texas's Capture or Use of Biometric Identifier Act (Business & Commerce Code section 503.001) also names voiceprint as a covered identifier and bars capturing one for a commercial purpose without first informing the person and obtaining consent. Texas does not spell out a written-consent mandate the way Illinois does, but documenting consent in writing is the only defensible practice. CUBI is enforced exclusively by the Texas Attorney General, carries civil penalties up to $25,000 per violation, and gives no private right of action; financial institutions are exempt for voiceprint data. Washington's RCW 19.375 bars enrolling a biometric identifier in a database for a commercial purpose without notice and consent, exempts security-related collection, and is enforced solely by the Washington AG under the Consumer Protection Act. Colorado's HB 24-1130, effective July 1, 2025, demands informed affirmative written or electronic consent, restricts when biometric collection can be made a condition of employment, requires destruction by the earliest of purpose-fulfillment, 24 months after last interaction, or 45 days after the data is no longer needed, and authorizes penalties up to $20,000 per violation enforced by the AG and district attorneys. New Jersey's Data Privacy Act, effective January 15, 2025, adds explicit written consent and disclosure duties enforced by the AG.
California CCPA/CPRA: sensitive information, not a standalone biometric law
California has no BIPA equivalent. Voiceprints are folded into the California Consumer Privacy Act (Civil Code section 1798.100 et seq.) as amended by the CPRA. Section 1798.140(o) defines biometric information to include voiceprints and the voice recordings from which a voiceprint template can be extracted, and the CPRA classifies biometric data processed to identify a consumer as 'sensitive personal information,' which triggers the right to limit use and disclosure plus an affirmative opt-in for certain processing. Enforcement runs through the Attorney General and the California Privacy Protection Agency. The private right of action is narrow: it reaches only data breaches of unencrypted, unredacted biometric data, with statutory damages of $100 to $750 per consumer per incident, while administrative fines reach up to $7,988 per intentional violation. So a California defendant answers to the regulator or to a post-breach class rather than to the open-ended per-violation suits that define Illinois.
GDPR: voiceprints as Article 9 special category data
In the EU, Article 4(14) of the GDPR defines biometric data as personal data from specific technical processing that allows unique identification, and a voiceprint built through speaker diarization, a mathematical embedding of vocal characteristics, sits squarely inside that definition and is treated as functionally equivalent to a fingerprint. Article 9 puts biometric data processed to identify someone in the 'special category,' where processing is prohibited unless a narrow exception applies. The cleanest exception for most businesses is explicit consent under Article 9(2)(a), which must be specific to the biometric processing and freely given; bundled or vague consent will not survive a regulator's review. Article 35 separately requires a Data Protection Impact Assessment before any large-scale or systematic processing of special category data, completed before processing begins. GDPR fines reach up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher (Article 83). Because EU regulators expect granular consent, serious EU-facing forms separate the agreement to record audio, the agreement to create a voiceprint from it, and the agreement to share that voiceprint with a third-party AI vendor.
Biometric Privacy Laws by State: All 50 States and DC
Biometric privacy law, which governs voiceprints and other biometric identifiers, is uneven across the country. 35 of the 51 U.S. jurisdictions regulate biometric data, whether through a dedicated statute like Illinois BIPA or through the biometric provisions of a comprehensive privacy law. The table below covers all fifty states and DC, including whether the law lets individuals sue.
| State | Biometric law | Private suit? | Notes |
|---|---|---|---|
| Alabama | Alabama Personal Data Protection Act (APDPA),... | AG-only | Comprehensive privacy law treats biometric data as sensitive information... |
| Alaska | Alaska Statutes Chapter 18.14 (Biometric... | Yes | Standalone biometric privacy statute. Requires written consent for collection... |
| Arizona | None | No | No standalone biometric privacy statute. Limited protections under data breach... |
| Arkansas | Arkansas Personal Data Protection Act (APDPA)... | AG-only | APDPA treats biometric data as sensitive requiring opt-in consent effective... |
| California | California Civil Code § 1798.100 et seq.... | Yes... | Biometric data classified as sensitive personal information. Private right of... |
| Colorado | C.R.S. § 6-1-1314 (HB24-1130) | No | Dedicated biometric privacy statute effective July 1, 2025. Requires written... |
| Connecticut | Comprehensive privacy law (biometric... | No | Biometric data treated as sensitive data requiring opt-in consent. Civil... |
| Delaware | 6 Del. C. § 12D (Delaware Personal Data Privacy... | No | Biometric data defined as data from automatic measurements of biological... |
| District of Columbia (DC) | D.C. Code § 28-3851 et seq. (Security Breach... | Yes | No standalone biometric privacy statute. Biometric data (fingerprints,... |
| Florida | Comprehensive privacy law (biometric... | No | Biometric data is sensitive data under Digital Bill of Rights (SB 262).... |
| Georgia | Comprehensive privacy law (biometric... | No | Biometric data (including genetic/biometric data for unique identification)... |
| Hawaii | HI SB3018 (2024) - Consumer Data Protection Act... | AG-only | Effective July 1, 2024. SB1085 (2023) proposed standalone biometric privacy act... |
| Idaho | None | N/A | HB744 (2026) - Biometric Identifier Privacy and Consent Act - remains in... |
| Illinois | 740 ILCS 14 (Biometric Information Privacy Act... | Yes | Private right of action with statutory damages: $1,000 per negligent violation,... |
| Indiana | IC 24-15 (Indiana Consumer Data Protection Act... | AG-only | Effective January 1, 2026. Biometric data classified as sensitive data... |
| Iowa | Iowa Code 715D (Consumer Data Protection Act -... | AG-only | Effective January 1, 2025. Biometric data processed for identification... |
| Kansas | None | No | Kansas has limited biometric protections in student data privacy context... |
| Kentucky | Comprehensive privacy law (biometric) | AG-only | Kentucky Consumer Data Protection Act (KCDPA, KRS 367.3611-367.3629) includes... |
| Louisiana | La. R.S. 51:1780.1 et seq. | AG-only | Louisiana Data Privacy Act (SB 386, Act 502) includes biometric data as... |
| Maine | None | No | LD 1822 (Maine Online Data Privacy Act) passed House (Feb 10, 2026) and Senate... |
| Maryland | Md. Commercial Law Code § 14-4701 et seq. | AG-only | Maryland Online Data Privacy Act (MODPA, Chapter 455/SB 541) includes biometric... |
| Massachusetts | None | Yes (if... | S.43 pending - would require written consent before collecting biometric data;... |
| Michigan | None | No | SB 359 (2025-2026) pending - classifies biometric data as sensitive data... |
| Minnesota | Minn. Stat. § 325M.01 et seq. (Minnesota... | AG-only | Enacted May 24, 2024, effective July 31, 2025. Biometric data is sensitive data... |
| Mississippi | None | No | Biometric Identifiers Privacy Act (HB 467) FAILED in Judiciary Committee... |
| Missouri | None | Yes (if... | SB 554 pending - would establish Biometric Information Privacy Act with private... |
| Montana | Montana Consumer Data Privacy Act, MCA... | No | Biometric data classified as sensitive data; opt-in consent required; Attorney... |
| Nebraska | Nebraska Data Privacy Act, Neb. Rev. Stat. §§... | No | Biometric data classified as sensitive data; consent required before... |
| Nevada | Comprehensive privacy law (biometric) - NRS... | No | Biometric data covered only in health-related contexts under consumer health... |
| New Hampshire | RSA 507-H (New Hampshire Data Privacy Act, SB... | No | Biometric data classified as sensitive data; opt-in consent required; effective... |
| New Jersey | N.J.S. 332 (New Jersey Data Privacy Act) | No | Biometric data classified as sensitive data; opt-in consent required; effective... |
| New Mexico | N.M. Stat. 57-12C (Data Breach Notification Act) | AG-only | Biometric data included in data breach notification statute. No private right... |
| New York | N.Y. Gen. Bus. Law §§ 899-aa, 899-bb (SHIELD... | Yes (NYC... | State SHIELD Act (899-aa, 899-bb) includes biometric data but provides AG-only... |
| North Carolina | N.C. Gen. Stat. § 75-61 (Identity Theft... | Yes | Biometric data included in PII definition. Private right of action exists under... |
| North Dakota | None | AG-only | No biometric-specific privacy statute. Biometric data expanded into PII... |
| Ohio | None | No | No dedicated biometric privacy law. Limited protections: O.R.C. § 3301.947... |
| Oklahoma | 75A O.S. §§ 300-315 (Comprehensive privacy law... | No | SB 546 (2026): Comprehensive consumer data privacy law includes biometric data... |
| Oregon | ORS 646A.570-646A.589 (Oregon Consumer Privacy... | No | OCPA: Biometric data includes fingerprints, voiceprints, retinal/iris patterns... |
| Pennsylvania | None | Yes (proposed) | Pennsylvania has no enacted comprehensive biometric privacy law or... |
| Rhode Island | R.I. Gen. Laws § 6-48.1-1 et seq. (Rhode Island... | No | RIDTPPA (effective January 1, 2026): Biometric data includes fingerprints,... |
| South Carolina | None | No (proposed) | South Carolina has no enacted biometric privacy law or comprehensive consumer... |
| South Dakota | None | No | Biometric data covered under data breach notification law (S.D. Code 22-40-20)... |
| Tennessee | Tenn. Code Ann. § 47-18-3301, et seq.... | No | Biometric data classified as sensitive data requiring opt-in consent. AG... |
| Texas | Tex. Bus. & Com. Code § 503.001 (CUBI - Capture... | No | Enacted 2009. Requires prior notice and consent before capture of biometric... |
| Utah | Utah Code § 13-61-101, et seq. (Utah Consumer... | No | Biometric data classified as sensitive data. Requires opt-out notice before... |
| Vermont | None | No | No dedicated biometric privacy statute or comprehensive privacy law currently... |
| Virginia | Comprehensive privacy law (biometric... | AG-only | VCDPA classifies biometric identifiers as sensitive data requiring affirmative... |
| Washington | RCW 19.375 (Washington Biometric Privacy... | AG-only | Regulates collection, storage, and use of biometric identifiers for commercial... |
| West Virginia | None | No | HB5567 (Biometric Information Privacy Act) and HB5034 (Genomic Information... |
| Wisconsin | None | No | Wisconsin includes biometric data in its data breach notification law (Wis.... |
| Wyoming | None | No | Wyoming has no standalone biometric privacy statute or comprehensive consumer... |
Compiled from primary state statutes and verified against legislative sources in 2026. Biometric and privacy laws are being enacted and amended rapidly; confirm current obligations for your jurisdictions.
What separates a consent form that holds up from one that invites a class action
The defendants losing these cases did not all fail to ask for consent. Many had a consent buried somewhere. They lost on specifics. Look at what the Otter.ai, Fireflies.AI, Apple Siri, and Verizon Voice ID complaints actually allege, and a pattern appears: the voiceprint was created or reused for a purpose the person was never told about, usually speaker identification across sessions or training a machine-learning model. A consent form that names 'voice authentication' and then quietly routes the same voiceprint into a model-improvement pipeline is worse than no form, because it documents that you knew the data was sensitive and chose not to disclose the actual use. The strongest forms disclose every purpose by name, and they treat AI model training as its own line item with its own checkbox, separate from the core function. As of 2025 most consent forms in the market still do not do this, which is exactly the gap the current suits are exploiting.
Then there is the line between the raw recording and the derived voiceprint. BIPA and the GDPR both care about the template, not just the audio, and a precise form says so. It tells the person that a voiceprint, a mathematical identifier, will be generated from their voice, names the method, and states the retention period by reference to a public destruction schedule (three years from last interaction under BIPA, one year after purpose expires under Texas CUBI, 24 months under Colorado). A form that says 'we may collect voice data' without acknowledging the biometric template is the kind of language plaintiffs' experts pick apart, because diarization-based speaker recognition demonstrably creates an identifier whether or not the drafter used the word voiceprint.
Last comes the mechanics. The consent must be affirmative and unbundled. A pre-checked box does not count, and folding biometric consent into a forty-page terms-of-service nobody reads is precisely the bundling the GDPR forbids and the kind of fact a BIPA court treats skeptically. Capture the consent with an explicit action (a checkbox the person ticks, a signature, or a clicked agreement), timestamp it, store proof, and give a genuine way to withdraw it. For employees, BIPA permits a release signed as a condition of employment, but Colorado now limits which biometric uses can be forced as a condition of the job to things like secure facility access and timekeeping, so a consent that conditions the entire job on broad biometric processing can itself be unlawful. Build the form to over-disclose, separate the secondary uses, and make withdrawal real, and you have the defense the headline defendants did not.
When You Need This
You record customer service or sales calls and run any speaker-recognition or voice-authentication step (Verizon's Voice ID program drew a 2024 suit for exactly this).
You deploy an AI meeting assistant or transcription tool that labels or identifies speakers across sessions, the conduct at the center of the Otter.ai and Fireflies.AI cases.
You use voiceprints for employee or worksite timekeeping, the warehouse-headset scenario behind the Whole Foods and Petco settlements.
You build a voice authentication, IVR, or fraud-detection product that enrolls a customer's voice as a credential.
You train or fine-tune a speech or speaker model on real voices, which makes model training a disclosed secondary purpose you must consent for separately.
You collect any voice data from Illinois, Texas, Washington, Colorado, or New Jersey residents, or from anyone in the EU or UK, where the GDPR's special-category rules apply.
You are a controller or vendor receiving voiceprints from another company, since BIPA bars obtaining a biometric identifier through trade without the same notice and release.
How to Fill Out Biometric Voiceprint Consent Form
1. Identify the data as a voiceprint
State plainly that you will create a voiceprint, a mathematical template of the person's vocal characteristics, and distinguish it from any raw audio recording. Do not hide behind 'voice data.' BIPA section 10 and GDPR Article 4(14) both regulate the template, so name it. If you keep the underlying recording too, say so on its own line.
2. State every specific purpose by name
List each use: voice authentication, speaker identification in meetings, timekeeping, fraud detection, accessibility. Give AI model training its own separate disclosure and its own checkbox, because reusing a voiceprint to train a model is the secondary use driving the 2025-2026 lawsuits. A purpose you do not name is a purpose you are not authorized to use the data for.
3. Disclose the retention period and link the destruction schedule
Give a concrete trigger and an outside cap, then link to a public retention and destruction policy. Use the strictest cap that applies: three years from last interaction under BIPA, one year after purpose expires under Texas CUBI, 24 months under Colorado HB 24-1130. Confirm that the data is destroyed when the stated purpose is satisfied or the cap hits, whichever is first.
4. List every third party that will receive the voiceprint
Name the cloud vendors, AI processors, and authentication providers that touch the data. For EU and UK subjects the GDPR expects granular per-recipient consent, so present the third-party transfer as its own choice rather than rolling it into the main agreement. If you transfer outside the EEA, note the transfer mechanism.
5. Add the GDPR granular-consent block when EU or UK subjects are involved
Split consent into the recording itself, the creation of the voiceprint, and any third-party or training use, each as a distinct affirmative choice under Article 9(2)(a). Reference or attach your Data Protection Impact Assessment if the processing is large-scale or systematic, as Article 35 requires, and include the Data Protection Officer's contact if you have one.
6. Capture affirmative, unbundled, timestamped consent
Use an unchecked checkbox, a signature, or an explicit click. Never pre-check it, and never bundle biometric consent with unrelated terms of service. Record the timestamp, the version of the notice the person saw, and the identity of the signer. Electronic signatures satisfy BIPA after the 2024 amendment, so a clicked and logged consent is enough if you preserve the proof.
7. Build in a real withdrawal mechanism
Give clear instructions for revoking consent and a separate opt-out for secondary uses like model training, so a person can keep the core service while declining to feed the AI. State honestly what withdrawal does to the service. Weak or missing opt-out is a recurring GDPR and CPRA deficiency, so make this functional, not decorative.
8. Handle the employment and minor scenarios with care
For employees, BIPA allows a release signed as a condition of employment, but Colorado limits which biometric uses can be a condition of the job to secure access, timekeeping, and safety, so do not condition the whole job on broad processing. For anyone under 18, obtain a parent or guardian's consent. Keep the signed form, the notice version, and proof of delivery for the full retention period.
Key Terms Defined
- Voiceprint
- A mathematical template of a person's unique vocal characteristics, extracted from a voice recording through technical processing, that can single out one individual. It is a biometric identifier under BIPA section 10, Texas CUBI, the GDPR, and the CCPA, and it is distinct from the underlying audio file.
- Speaker diarization
- The technical process that partitions a recording by speaker, answering 'who spoke when.' When paired with speaker recognition, it generates a per-person voiceprint, which is why meeting-assistant tools that diarize are treated as performing biometric processing under the GDPR and BIPA.
- Written release (BIPA)
- Under 740 ILCS 14/15, the informed written consent that a private entity must obtain before collecting a biometric identifier. It can be an electronic signature, and in the employment context a release signed as a condition of employment. The 2024 amendment confirmed electronic signatures qualify.
- Private right of action
- The ability of an individual, not just a government regulator, to file suit for a statutory violation. BIPA is the only U.S. biometric law that grants one broadly. Texas, Washington, and Colorado leave enforcement to the attorney general; California's is limited to data breaches.
- Special category data (GDPR Article 9)
- A class of personal data, including biometric data processed to identify someone, whose processing is prohibited unless a narrow exception such as explicit consent under Article 9(2)(a) applies. Voiceprints fall in this category, which is why EU consent must be specific and granular.
- Data Protection Impact Assessment (DPIA)
- A documented risk analysis required by GDPR Article 35 before any large-scale or systematic processing of special category data begins. It identifies the risks of the voiceprint processing, assesses their severity, and records the measures taken to reduce them.
Related Documents
Voiceprint Consent Form vs. Biometric Data Privacy Policy
The consent form is the individual-facing release you collect from each person before capturing their voiceprint, with the BIPA section 15 notice and the signed agreement. The privacy policy is the organization-level document that governs how you handle all biometric data: collection, use, retention, destruction, and third-party disclosure across your whole operation. BIPA requires the retention and destruction schedule inside that policy to be written and publicly available. You need both. The policy sets your rules; the consent form proves each person agreed to them.
Voiceprint Consent Form vs. AI Voice & Likeness Release
They protect against different legal claims and overlap on AI voices. A biometric voiceprint consent form addresses biometric-privacy statutes (BIPA, CUBI, GDPR) and the use of a voiceprint as an identifier. An AI voice and likeness release addresses the right of publicity and laws like California Civil Code section 3344 and Tennessee's ELVIS Act, governing whether you can use or synthesize someone's voice and image commercially. If you are cloning a voice to generate new audio, you likely need both: the release for the publicity right and the consent form for the biometric data.
Voiceprint Consent Form vs. Data Subject Rights Request Form
The consent form runs at the front end, before collection, capturing permission. A data subject rights request form runs at the back end, after collection, giving the person a way to exercise access, deletion, correction, and opt-out rights under the GDPR and CCPA, and to withdraw the consent the first form captured. A mature voiceprint program pairs them: the consent form documents the lawful basis to collect, and the rights request form operationalizes the withdrawal and deletion promises the consent form made.
Legal Authorities & Sources
This page is grounded in primary law. The statutes and official resources below are the authorities behind the guidance above. Verify the current text of any statute before relying on it.
- Illinois Biometric Information Privacy Act, 740 ILCS 14 (full text, Justia)
- Illinois General Assembly, official BIPA text (ActID 3004)
- Texas Attorney General, Capture or Use of Biometric Identifier Act (CUBI)
- Washington RCW 19.375, Biometric Identifiers
- GDPR, Regulation (EU) 2016/679 (EUR-Lex consolidated text)
- Colorado HB 24-1130, Privacy of Biometric Identifiers
- Seventh Circuit BIPA retroactivity analysis, Clay v. Union Pacific (Sidley Data Matters, April 2026)
Frequently Asked Questions
Create your Biometric Voiceprint Consent Form in minutes.
Answer a few questions and download a clear, attorney-drafted document that cites the controlling law and is ready to sign.