What It Feels Like to Have Your Biological Identity Taken Without Asking

Think about the last work call you were on. Maybe you were running on three hours of sleep, half-distracted, answering a question about a deadline you already missed. Maybe you were trying to sound confident in a meeting with people who have more power over your paycheck than you will ever have over theirs. You were not thinking about your voice as a piece of data. You were just talking.

Microsoft was listening differently. While you spoke, its systems were silently breaking down the acoustic fingerprint of your voice. Not the words, specifically, though it took those too. The underlying biological pattern of you. The specific frequency at which your vocal cords vibrate. The resonance of your nasal cavity. The way your timbre shifts when you change pitch. These characteristics, encoded as a sequence of numbers, are as unique to you as the whorls on your fingertip. They are yours in a way that nothing manufactured or assigned can replicate.

Microsoft took that biological signature and stored it on servers you have never seen, in a data center you will never visit, under policies that did not exist in any form the law required. You were never asked. You were never told. The small notification that transcription had started contained a link to a Privacy Statement that did not use the word “voiceprint” a single time.

This matters beyond the legal argument, and it matters beyond the dollar figures in the complaint. Your voice is the one piece of yourself you carry into every professional relationship. It is how you project authority or request help. It is how you negotiate, advocate, push back, or give in. In the modern workplace, it is transmitted through Microsoft’s infrastructure on a daily basis by hundreds of millions of people. And Microsoft decided, for years, that no law requiring your permission to collect and store the biological map of your voice was worth the effort of compliance.

The Illinois legislature understood this when they wrote BIPA in 2008. They understood that biometrics are different from any other kind of identifying data because they cannot be reset. If your credit card is stolen, you cancel it. If your email is compromised, you change the password. If your voiceprint is stolen, you cannot get a new voice. You live with that exposure, permanently, for the rest of your life. Every scammer, every deepfake operator, every identity thief who acquires that data has a weapon that can never be disarmed. This is not a theoretical risk. The market for stolen biometric data exists and it is growing alongside the AI tools that can weaponize it.

The people named in this complaint are not lawyers or activists by profession. They are workers who used the collaboration software their employers installed. They had no meaningful choice about whether to participate in transcribed calls. In most workplace settings, you do not decline the tool your employer mandates. You show up. You talk. You trust that the technology is not harvesting the biological signature of your voice without telling you. That trust was broken, every single meeting, for years.

Straight From the Complaint: What Microsoft Did, In Its Own Words and the Law’s

These are verbatim passages from the class action complaint filed February 5, 2026, in the U.S. District Court for the Western District of Washington. Every word below comes directly from the source document.

“Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

740 ILCS 14/5(c), as cited in Complaint ¶4

• This is the foundational legislative finding that makes BIPA’s consent requirements mandatory, not advisory. Illinois lawmakers understood in 2008 that biometric data is in a legal and practical category of its own, and they wrote the law accordingly.
• By invoking this passage, the complaint is establishing that Microsoft cannot claim ignorance of the stakes. The law and the reasoning behind it have been public for seventeen years.

“Microsoft, a private entity, owns and operates Microsoft Teams, a video conferencing and virtual meeting platform offered across the United States and used by millions of individuals. As a feature of Microsoft Teams, Microsoft provides automated real-time transcription services, creating a written and archivable record of what was said, when, and by whom during a Microsoft Teams meeting.”

Complaint ¶8

• This paragraph pins down the mechanism. The transcription feature is not incidental. It is a deliberate, marketed product that Microsoft built and promotes as a competitive advantage, generating part of the $8 billion in annual Teams revenue.
• The phrase “archivable record” is critical. Microsoft is not just listening in real time. It is creating permanent files associating your voice, your name, your profile picture, and your words, stored on Azure servers.

“Microsoft extracts individual speaker profiles in the form of voiceprints, for each individual speaker from the speaker segments. These voiceprints capture the distinct vocal characteristics of the individual, including for example, their specific pitch, tone, and timbre. This information, stored as a series of numerical vectors, is unique to the individual and is akin to fingerprint or a faceprint.”

Complaint ¶37

• This passage describes the actual technical process: Voice Activity Detection, Speech Segmentation, and then extraction of voiceprints as mathematical vectors. This is not a passive recording. It is active biometric profiling.
• The complaint draws the explicit legal parallel to fingerprints and faceprints, both of which are unambiguously covered by BIPA and both of which require full written consent before collection.

“The only reference to voice-related privacy at all in the Microsoft Privacy Statement appears in a section titled ‘Speech Recognition technologies’ in which it refers to Microsoft employees and vendors being able to ‘review snippets of your voice data or voice clips,’ i.e. portions of your raw audio recording, in order to build and improve AI technology, and even then only ‘de-identified’ and ‘with your permission’ on an opt-in basis.”

Complaint ¶42

• This is the privacy policy Microsoft pointed meeting participants to. It mentions voice data only in the context of a separate, opt-in AI improvement program. It says nothing about voiceprints, nothing about biometric identifiers, and nothing about diarization.
• The contrast matters: Microsoft’s own policy treats sharing raw audio clips with employees as something requiring permission and opt-in. Extracting and storing a permanent biometric profile of your voice was treated as something requiring no notice at all.

“Microsoft also lacks even a general BIPA-compliant policy detailing the retention schedule and guidelines for the permanent destruction of voiceprints obtained from Microsoft Teams users. Microsoft does not have a dedicated BIPA or Illinois-specific policy reflective of its collection of voiceprints from Microsoft Teams users, despite having a U.S. State Data Privacy Laws Notice which covers the laws of other states, such as California. There is no justification for Microsoft’s failure to maintain any privacy policy specific to Illinois, Illinois residents, or BIPA. To the contrary, the omission is reckless, if not intentional.”

Complaint ¶43

• Microsoft has a page specifically addressing state privacy laws. California is covered. Illinois, which passed the strongest biometric privacy law in the country in 2008, is absent. This is a legal compliance choice, not an oversight.
• The complaint uses the word “reckless” and then escalates to “intentional.” Under BIPA, the difference between negligent and intentional violations is the difference between $1,000 and $5,000 per violation. That language is not accidental.

Inside the Voiceprint Machine: How Microsoft Builds a Biological Profile of You

The complaint describes a multi-step technical pipeline that Microsoft runs on every transcribed Teams meeting. Understanding the steps makes clear that this is active biometric profiling, not passive audio recording.

• Microsoft records the meeting audio and pre-processes it to reduce background noise and improve clarity. This cleaned audio stream is then sent to Microsoft Azure servers for the computational heavy lifting.
• Voice Activity Detection (VAD) identifies the moments when any individual is speaking. Speech Segmentation then chops the detected speech into discrete portions and flags transitions between speakers.
• From each speaker segment, Microsoft extracts a voiceprint: a mathematical representation of that individual’s unique vocal characteristics, including specific pitch, tone, and timbre. The complaint states explicitly that these are stored “as a series of numerical vectors” and that the data is “unique to the individual and is akin to fingerprint or a faceprint.”
• Microsoft then uses those voiceprints to match each segment of speech to the person who spoke it. For Teams account holders, it links the voiceprint to names, profile pictures, email addresses, and organizational affiliation. For guests who joined without a Microsoft account, it links the voiceprint to whatever name they typed when entering the meeting, and potentially their email address if the host’s organization collected it.
• This process, called “diarization,” is described in Microsoft’s own Azure documentation as “differentiating speakers in an audio input based on their voice characteristics” to determine “who said what, when.” The complaint cites this directly from Microsoft’s Azure AI Foundry documentation.

The complaint makes a point that is easy to miss: even participants who do not have a Microsoft account, guests who were simply sent a link and typed their name to join, have their voiceprints extracted. They have no account agreement with Microsoft. They never accepted any terms of service. They just spoke on a call, and Microsoft built a biological profile of them anyway.

Years of Violations, Then a Lawsuit

The chronology of this case shows that BIPA was not a new or obscure law when Microsoft launched its transcription feature. It was seventeen years old.

The Damage Runs Deeper Than One Lawsuit

Public Health: The Permanent Exposure Problem

The biometric data at the center of this case is fundamentally different from other stolen data because the exposure never ends. These are the documented harms and risks the complaint and the underlying law identify.

• A voiceprint, once extracted and stored, is a permanent biometric record. Unlike a password or an account number, it cannot be changed or revoked. Any breach of Microsoft’s Azure servers that exposes stored voiceprints creates a lifetime of elevated identity theft risk for every person whose data was stored.
• The Illinois legislature explicitly found, and the complaint cites, that individuals whose biometrics are compromised “are likely to withdraw from biometric-facilitated transactions.” This chilling effect on participation in digital life is a documented, anticipated harm, not speculation.
• The growth of AI voice-cloning technology makes an exposed voiceprint more dangerous every year. A voiceprint collected in 2021 and stolen in 2030 can be weaponized with tools that did not exist when it was taken. The harm compounds over time without the victim ever knowing their data was taken in the first place.
• Workers who had no choice but to use Microsoft Teams in their jobs were subjected to biometric profiling without any workplace notification, policy, or protection. The risk was imposed on them without consent and without any of the safeguards that informed consent would have triggered.

Economic Inequality: Who Bears the Risk and Who Gets the Revenue

Microsoft Teams generates over $8 billion per year in revenue. The voiceprints that power its transcription feature are extracted from workers who in most cases had no say in whether their employer mandated the platform.

• Workers who use Teams through their employers have no realistic ability to opt out of transcribed meetings. If a manager enables transcription, participants are not presented with a meaningful consent mechanism. They are told transcription has started, given a link to a Privacy Statement that does not mention voiceprints, and left with the choice of staying in the meeting or leaving.
• The $8 billion in annual Teams revenue is generated in part by the AI transcription and diarization features whose development depends on extracting and processing biometric voice data. The people whose data powers those features received no compensation and were given no disclosure.
• Microsoft had, according to the complaint, a specific guidance document for corporate enterprise clients using Azure AI Speech-to-Text that described how voice characteristics are “temporarily retained” and then “discarded” after annotation. Individual consumer users of Teams, meaning workers and students, were given no equivalent disclosure. The company maintained a two-tier information system: enterprise clients got some information, individual workers got nothing.
• BIPA’s per-violation statutory damages ($1,000 to $5,000) are specifically designed to make biometric privacy violations economically painful for large corporations even when individual harm is difficult to quantify in dollars. The law accounts for the power imbalance between a company collecting data at scale and an individual who may never know their biometrics were taken.
• Small businesses, schools, and government agencies that use Teams and enabled transcription may face their own secondary liability exposure under other state laws, because they were the “meeting organizers” who activated the feature without knowing Microsoft was collecting biometrics from their participants.

The Structure of the Harm

The complaint identifies a layered relationship between Microsoft, its enterprise clients, and end users that explains how millions of people ended up having their biometrics collected without being the direct customer of the service doing the collecting.

The Numbers Behind the Negligence

BIPA’s statutory damages are structured to force large corporations to feel the financial consequence of biometric privacy violations at scale. Here is what the exposure looks like when applied to Microsoft’s platform.

What the Law Required vs. What Microsoft Did

BIPA’s requirements are not ambiguous. The complaint maps each legal requirement against Microsoft’s documented failure. Here is that gap visualized.

Who to Watch and What to Do

The lawsuit is filed. Here is who is accountable, which institutions have jurisdiction, and what you can do right now.

Accountability: Named Defendants and Legal Team

• Microsoft Corporation, headquartered at One Microsoft Way, Redmond, WA 98052. This is a Washington State corporation with a principal place of business in the Western District of Washington, which is why the suit was filed there.
• Plaintiffs are represented by Byrnes Keller Cromwell LLP (Seattle), Levin Law P.A. (Miami), and Labaton Keller Sucharow LLP (New York). The complaint requests injunctive relief forcing Microsoft to comply with BIPA, plus statutory damages for the class.
• The class definition covers every person whose biometric data was captured in a Teams meeting while they were in Illinois from March 1, 2021, to the present, with one exception: those who voluntarily enrolled a Microsoft Intelliframe voice profile and used it during the transcribed meeting.

Watchlist: Regulatory Bodies With Jurisdiction

• Illinois Attorney General: BIPA enforcement authority. The AG can bring independent actions for systemic violations and has done so with other companies. This complaint may prompt regulatory attention independent of the civil suit.
• Federal Trade Commission (FTC): Has authority over deceptive practices by technology companies under Section 5 of the FTC Act. If Microsoft’s privacy disclosures are found to materially misrepresent what data is collected, FTC action is possible.
• U.S. Congress / Senate Commerce Committee: BIPA demonstrates what a strong biometric privacy law can do, but it only protects Illinois residents. Federal biometric privacy legislation has been proposed repeatedly. This case adds to the pressure for a national standard.
• State Attorneys General (other states): Texas and Washington state also have biometric data laws. If similar voiceprint collection occurred in those states, parallel actions are possible. Monitor actions from the TX AG and WA AG in particular.

What You Can Do: Mutual Aid, Organizing, and Direct Action

• If you are in Illinois and participated in a Microsoft Teams meeting that used live transcription after March 2021: Contact the law firms on record. Byrnes Keller Cromwell, Levin Law P.A., and Labaton Keller Sucharow are listed in the complaint. Your claim may qualify you as a class member.
• At your workplace: Ask your employer’s IT or legal team whether your organization has enabled Teams transcription, and if so, whether a BIPA-compliant notice and consent process was implemented for Illinois employees. Employers who activated transcription without addressing BIPA compliance may have exposure of their own.
• Organize with coworkers: Workplace privacy is a labor issue. If your employer uses tools that harvest biometric data without your knowledge, that is a working condition. Talk to your coworkers. If your workplace is unionized, raise it in your next contract negotiation or grievance process.
• Support biometric privacy legislation in your state: Only a handful of states have laws as strong as BIPA. Contact your state representative and demand comprehensive biometric privacy protections that cover voice, face, and all other biometric identifiers. Generic data privacy laws are not sufficient.
• Reduce your exposure now: You cannot opt out of voiceprint collection if transcription is enabled by a meeting organizer. But you can disable auto-transcription in any meetings you host, and you can advocate within your organization for a policy that requires organizer consent forms from all participants before enabling the feature.