Skip to main content
Find a Lawyer

Is Your Voiceprint Protected? Amazon’s Biometric Privacy Battle in Illinois

Vaidehi Mehta, Esq.

Article by: Vaidehi Mehta, Esq.

Attorney Writer

Reviewed by Joseph Fawbush, Esq. | Last updated on

“This call may be monitored for quality and security purposes.” It’s a pretty commonplace line for companies to use, but behind that canned line lies a complex legal question: when a company analyzes your voice to verify your identity, has it crossed a line under privacy law? A recent case in Illinois puts that question under a microscope.

Routine Call, Hidden Stakes

The case was brought by Illinois residents who telephoned John Hancock about their retirement accounts. John Hancock is a financial services company that manages retirement plans and related customer accounts. It had those calls routed through Amazon Connect, a cloud-based call‑center platform sold by Amazon Web Services. 

John Hancock configured its version of Amazon Connect to plug into a software called Pindrop, a security tool that listens to phone calls and analyzes the caller’s voice to help verify identity and spot possible fraud. The process allegedly creates “voiceprints” from call audio. Customers say that when they called about their retirement accounts, Pindrop’s system listened to how they sounded, generated a unique voice-based identifier for each caller, and used that identifier to confirm they were the account holders — all without first giving them written notice or obtaining their written permission. 

Illinois’s Biometric Information Privacy Act (BIPA) governs what companies must do before they collect biometric data like fingerprints, face scans, or voiceprints, and how they can store, share, and eventually destroy that data. Various Illinois residents who used John Hancock claimed that Amazon and Pindrop broke several of those rules by collecting and using their voiceprints without following BIPA’s consent, disclosure, and no‑sharing/no‑profiting requirements. 

They banded together into a class action and took the companies to court, in a case titled McGoveran v. Amazon Web Services.

The Lawsuit Takes Shape

The procedural history is winding, but the pieces that matter here all come from what happened in the Delaware federal court, where the plaintiffs sued both Amazon and Pindrop under several provisions of BIPA. There, the district judge quickly narrowed the case by holding that BIPA generally does not apply when the key conduct occurs mostly outside Illinois — a limitation the court described in terms of “extraterritoriality.” The judge dismissed all claims against Pindrop under BIPA’s financial institution exemption, a carve‑out for certain federally regulated financial industry activities. 

The court later allowed the plaintiffs to move forward only on a narrowed claim under Section 15(b) of BIPA, which prohibits companies from collecting someone’s biometric data (like a voiceprint) unless they first give clear notice and get that person’s written permission. After extensive discovery, the district judge granted summary judgment to Amazon on Section 15(b). He concluded that the core conduct at issue (Amazon’s operation of servers in Virginia, its passing of data to Pindrop in Georgia, and its routing of calls and risk scores back to John Hancock in Massachusetts) took place outside Illinois, so BIPA could not apply. He also pointed out that Amazon itself never actually obtained or stored any biometric identifiers or information because Pindrop handled the voice‑based authentication and Amazon did not keep the underlying voiceprints or voice data.

The plaintiffs also had a BIPA Section 15(d) claim, which addresses the sharing or disclosure of someone’s biometric data. But the judge dismissed this claim, too. He concluded that even if everything the plaintiffs alleged were true, what Amazon did still did not constitute an improper disclosure under that section of the statute.

Third Circuit Weighs In

Next, the plaintiffs appealed to the U.S. Court of Appeals for the Third Circuit, asking it to undo what the Delaware district court had done. On appeal, they challenged the use of BIPA’s financial‑institution exemption to knock out Pindrop, the judge’s tight control over discovery and his refusal to let them voluntarily dismiss some newly added plaintiffs, the grant of summary judgment to Amazon on the Section 15(b) claim, and the dismissal of their revived Section 15(d) disclosure claim.

On appeal, the Third Circuit left the Delaware court’s work intact. It agreed that Pindrop was properly dismissed under BIPA’s financial‑institution exemption and found no abuse of discretion in how the judge handled discovery or refused to let plaintiffs drop newly added class representatives at the last minute. On the merits, the panel adopted the same basic view of BIPA’s limited reach and of Amazon’s role, holding that BIPA did not apply to the conduct at issue, that Amazon had not “collected” biometric data within the meaning of Section 15(b), and that the revived Section 15(d) disclosure claim still did not describe an unlawful disclosure.

Why This Decision Matters

One practical takeaway from this case is that the courts treated Amazon and Pindrop differently based on who actually handled biometric data. Amazon avoided liability in part because, on this record, it never obtained or stored biometric identifiers or information, while Pindrop was the one that allegedly created and used voiceprints. The opinions also make clear that where the key conduct occurs matters: both courts focused on the fact that Amazon’s call‑processing and data handling took place on systems outside Illinois when deciding that BIPA did not apply.

For companies, these rulings underscore that technical details about how a service is set up (such as which entity has access to biometric data and where the relevant systems are located) can be decisive in a BIPA lawsuit. At the same time, the decisions do not eliminate biometric privacy claims in Illinois; instead, they show that plaintiffs will need to connect their claims to defendants that both handle biometric information and engage in conduct that happens “primarily and substantially” in Illinois. In simplest terms, BIPA might be narrowed, but it is far from dead.

Was this helpful?

Copied to clipboard