Growing use of voice-recognition technology leads to heightened risk of US lawsuits

A growing number of companies deploy voice-recognition software in their everyday business dealings with customers, and they’re facing an escalating risk of being sued by those customers for breaking biometric privacy laws, particularly in Illinois.

Fast-food giant McDonald’s and Nuance Communications, an AI company currently being acquired by Microsoft in a $19.7 billion deal, are two examples. Both have been hit recently with lawsuits alleging that their voice-recognition technology violated the Illinois Biometric Information Privacy Act by collecting customers' voice prints without express permission.

US tech companies such as Google, Amazon and Apple are no strangers to privacy lawsuits over voice-recognition technology. They’ve faced numerous lawsuits from disgruntled customers, and questions from regulators, after it was discovered their human reviewers were listening to and sharing audio recorded by smartphones and home speakers.

Now, other industries could be facing similar litigation as the use of voice-recognition technology pervades nearly every aspect of day-to-day life. By 2026, the global market valuation for voice-recognition technology is estimated to reach about $7 billion as its use surges on everything from smartphones to connected cars to drive-through restaurants, a report released late last year by Global Market Insights estimated.

Workplaces are even deploying IoT recording devices to scan for problematic emotions in employees, April Doss, executive director of the Georgetown Institute for Technology Law and Policy, said at a conference* today.

“Most of the science so far suggests those kind of emotional-analysis algorithms are not effective; they don’t work. And yet they are in use,” Doss said.

Meanwhile, it’s unclear which agency should regulate the use of the technology, she said: the Department of Education, the Department of Labor, the US Federal Trade Commission, or Congress through federal privacy legislation?

“There is a whole set of questions around the use of IoT devices in both the workplace and business,” she said.

McDonald’s drive-through recordings

To streamline operations and reduce staff at its drive-throughs, McDonald’s, which is based in Illinois, bought technology company Apprente in 2019 to implement an AI voice assistant at its restaurants, a group of customers allege in a proposed class action filed in late May.

Now, McDonald’s is using voice-recognition technology so that customers can order without interacting with humans “and to identify repeat customers to provide a tailored experience,” according to the complaint.

McDonald’s goes even further by combining its voice-recognition technology with license-plate scanning technology to identify repeat customers and their typical menu choices, no matter what location they visit, customers alleged.

But McDonald’s isn’t telling customers about any of those practices, or getting their permission to collect their voiceprints, all of which violates BIPA, according to their complaint.

“Nor does McDonald's have a publicly available data retention policy that discloses what McDonald's does with the voiceprint biometric data it obtains or how long it is stored for,” they said.

FedEx customer service

The same law firm that sued McDonald’s over alleged BIPA violations has also filed a proposed class action against Nuance Communications, a Burlington, Massachusetts-based artificial intelligence and speech recognition currently being acquired by Microsoft.

Microsoft announced In April that it had agreed to acquire Nuance for $56 per share in an all-cash transaction worth $19.7 billion, as part of efforts to deliver cloud and AI capabilities across health care and other industries.

Nuance makes "Interactive Voice Response" software, an automated customer-service phone system that collects and analyzes callers' voiceprints to interpret their requests and reply automatically with a personal response, according to a proposed class action transferred to US District Court for the Northern District of Illinois in March.

Named plaintiff Michelle Campana alleges that Nuance’s software captured her voiceprint without her permission when she called FedEx's automated customer service phone line to check on the status of an incoming package.

During that phone call, her voiceprint was passed on to a customer service representative when her call was transferred, all without her written consent, which violated BIPA.

"Plaintiff to this day does not know the whereabouts of the voiceprint biometrics Nuance obtained from her through its IVR software,” according to the complaint.

Proving that Nuance actually collects a biometric identifier, as defined under BIPA, however, may prove difficult.

Nuance argued in May that the case should be dismissed because it doesn't collect a biometric identifier. Customers are describing software that uses speech-recognition technology, not biometric fraud detection and authentication technology, and their allegations don't “provide any basis to infer that Nuance IVR software collects, uses, or stores voiceprints,” Nuance said.

*"6th Annual National Internet of Things Institute;" American Bar Association, June 10-11, 2021.