Corporate Accountability Project • Biometric Surveillance • Filed February 2026
Breaking: Class Action Filed
Microsoft Teams Secretly Harvested Voiceprints from Millions of Workers
A federal class action reveals that Microsoft collected biometric voiceprints from Teams meeting participants in Illinois without notice, consent, or a privacy policy, violating the state’s landmark biometric data law.
🔴 CRITICAL SEVERITY
TL;DR
Microsoft Teams, used by 320 million people daily and generating over $8 billion per year, has been secretly extracting biometric voiceprints from meeting participants since 2021. Workers in Illinois joined calls, spoke, and had their unique voice data harvested, stored on Azure servers, and linked to their names and email addresses. Microsoft never told them. Microsoft never asked permission. Microsoft has no public policy describing how long this voice data is kept or when it is destroyed. This is a deliberate and ongoing violation of Illinois’s Biometric Information Privacy Act, a law passed specifically to stop corporations from treating human bodies as data sources.
Your voice is biometric data. Microsoft took it. Demand accountability.
320M
Daily active Teams users as of 2025
$8B+
Microsoft Teams annual revenue
$5,000
Statutory damages per willful BIPA violation
$1,000
Minimum damages per negligent violation
2021
Year Microsoft launched live transcription in Teams
2008
Year BIPA was enacted in Illinois
The Allegations: A Breakdown
▾
| 01 | Microsoft extracted biometric voiceprints from Teams meeting participants during live transcription sessions starting in 2021, capturing each person’s unique vocal pitch, tone, and timbre as mathematical vectors comparable to fingerprints or faceprints. | high |
| 02 | Microsoft stored these voiceprints on Azure cloud servers and linked them to meeting participants’ names, profile pictures, email addresses, and organizational affiliations without consent. | high |
| 03 | At no point did Microsoft inform Teams meeting participants in writing that it was collecting biometric identifiers or biometric information during meetings where transcription was active. | high |
| 04 | Microsoft never obtained written consent or a signed release from meeting participants before capturing their voiceprints, as required under all three prongs of BIPA Section 15(b). | high |
| 05 | Microsoft failed to publish any publicly available retention schedule or guidelines for the permanent destruction of voiceprints collected from Teams users, violating BIPA Section 15(a). | high |
| 06 | This conduct continued despite BIPA existing since 2008 and Microsoft having attorneys and compliance teams fully capable of identifying the legal obligations BIPA imposes on biometric data collectors. | high |
▾
| 01 | Microsoft maintains a U.S. State Data Privacy Laws Notice addressing state-specific privacy regulations in California and other states, yet published no equivalent notice for Illinois or BIPA despite operating one of the most widely used platforms subject to that law. | high |
| 02 | The complaint alleges Microsoft’s omission of any Illinois-specific privacy policy is reckless, if not intentional, given the company’s size, legal sophistication, and explicit awareness of biometric privacy litigation nationwide. | high |
| 03 | The only voice-related disclosure in Microsoft’s Privacy Statement refers to optional, opt-in review of raw audio clips for AI improvement, an entirely different process that does not address voiceprint collection during live transcription. | medium |
| 04 | Microsoft provides a specific privacy policy for its corporate Azure AI Speech-to-Text clients, but extended no equivalent protections to the individual users and meeting participants whose voice data fuels the same underlying technology. | high |
| 05 | The “Privacy policy” link shown during Teams transcription sessions links to a statement that never mentions voiceprints, leaving participants with no meaningful disclosure of what is actually being collected from their bodies. | high |
▾
| 01 | Microsoft Teams generates over $8 billion per year in revenue. The live transcription feature, which drives this biometric collection, was introduced specifically to deepen market share and competitive advantage against rival platforms. | high |
| 02 | Voiceprints are a uniquely valuable form of biometric data: unlike passwords or usernames, they are permanent and irrevocable. Microsoft extracted this irreplaceable personal data to power a commercial product without compensating or even notifying the people it harvested. | high |
| 03 | Microsoft’s diarization technology, the system that identifies who spoke and when in a transcript, is commercially valuable precisely because it works at scale across millions of meetings. The Illinois workers who powered this system gave Microsoft nothing less than their biological identity. | medium |
| 04 | Obtaining written consent would have cost Microsoft nothing financially but would have required transparency about a practice it chose to conceal, suggesting the company placed commercial convenience above its legal and ethical obligations to users. | medium |
▾
| 01 | Microsoft gave meeting participants no way to know their voiceprints were being collected, no way to refuse collection, and no way to request deletion, stripping them of every meaningful privacy safeguard BIPA was designed to provide. | high |
| 02 | The complaint notes Microsoft’s failure is especially inexcusable because BIPA compliance has been the subject of major litigation and public legal commentary since 2015, giving Microsoft ample opportunity to build compliant systems before launching transcription in 2021. | high |
| 03 | Microsoft cannot confirm whether voiceprints collected during Teams transcription sessions are ever permanently destroyed, or whether destruction follows the same protocols applied to its corporate Azure clients, leaving individual users in total ignorance about the fate of their biometric data. | high |
| 04 | The class may include tens of thousands of Illinois residents whose voiceprints were collected without consent from March 2021 to the present, spanning years of ongoing BIPA violations with no corrective action taken by Microsoft. | medium |
| 05 | Plaintiffs seek injunctive relief to force Microsoft into compliance with BIPA’s mandates, in addition to statutory damages of $1,000 per negligent violation and $5,000 per willful or reckless violation, meaning total liability could reach billions of dollars given the scale of the class. | medium |
▾
| 01 | The five named plaintiffs, Illinois residents who used Teams in transcribed meetings for work or school, represent tens of thousands of individuals who participated in Microsoft Teams meetings unaware their biological voice signature was being captured and stored. | high |
| 02 | Microsoft Teams is used by workplaces, schools, government agencies, families, and friends. This means voiceprint collection extended to teachers, students, government employees, and others who had no choice but to participate in transcribed meetings. | high |
| 03 | Because voiceprints are biologically permanent, unlike a compromised password or credit card number that can be reissued, every affected participant faces a permanent risk: their biometric identity, once exposed or misused, cannot be replaced. | high |
| 04 | Non-Microsoft account holders who joined Teams meetings as guests were also subject to voiceprint capture and identification, extended to the names they provided at entry and sometimes their email addresses, with no account relationship giving them any expectation of such surveillance. | medium |
Timeline of Events
2008
Illinois enacts the Biometric Information Privacy Act, the nation’s strongest state biometric privacy law, requiring written consent and public retention policies before companies can collect voiceprints, fingerprints, or other biometric identifiers.
2017
Microsoft launches Microsoft Teams as a workplace collaboration platform. The product grows to serve hundreds of millions of users across workplaces, schools, and government agencies in the U.S. and globally.
March 2021
Microsoft introduces live, automated transcription in Teams with speaker attribution and timestamps. The feature begins extracting voiceprints from meeting participants to power its speaker identification process, called diarization, on Microsoft Azure servers.
2021 to 2026
Microsoft continues collecting biometric voiceprints from Illinois Teams users and meeting participants in transcribed sessions without consent, disclosure, or a public retention policy, in ongoing violation of BIPA.
February 5, 2026
Five Illinois residents file a federal class action complaint against Microsoft in the Western District of Washington, alleging violations of BIPA Sections 15(a) and 15(b) and seeking $1,000 to $5,000 in statutory damages per violation plus injunctive relief.
Direct Quotes from the Legal Record
QUOTE 1
On the permanence of biometric data
Core Allegations
“Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
This is the foundation of why BIPA exists. Microsoft, knowing this language from 15 years of legal precedent, extracted permanent biometric data from millions of people without asking once.
QUOTE 2
On what voiceprints actually capture
Core Allegations
“These voiceprints capture the distinct vocal characteristics of the individual, including for example, their specific pitch, tone, and timbre. This information, stored as a series of numerical vectors, is unique to the individual and is akin to fingerprint or a faceprint.”
Microsoft was not collecting abstract audio data. It was extracting the biological equivalent of your fingerprint from your voice, silently, every time you spoke in a transcribed Teams meeting.
QUOTE 3
On what Microsoft never told participants
Regulatory Failures
“Microsoft does not, at any time, (1) inform Microsoft Teams meeting participants that it collects, obtains, uses, or generates voiceprints or any other biometrics from them as part of its transcription process.”
Zero disclosure. Zero notice. Every worker, student, and citizen who spoke in a transcribed Teams meeting was subjected to biometric extraction in complete silence from Microsoft.
QUOTE 4
On the Privacy Statement’s failure to disclose voiceprints
Regulatory Failures
“In the linked Microsoft Privacy Statement, however, Microsoft does not disclose that it obtains voiceprints during the live transcription of Microsoft Teams meetings, purport to gain the user’s consent for the same, or even mention voiceprints at all.”
Microsoft’s own privacy policy, the document it offered as a substitute for real disclosure, says nothing about voiceprints. The link shown in the transcription interface led to a document that did not reflect what was actually happening.
QUOTE 5
On recklessness of the omission
Accountability Failures
“There is no justification for Microsoft’s failure to maintain any privacy policy specific to Illinois, Illinois residents, or BIPA. To the contrary, the omission is reckless, if not intentional.”
The complaint does not use the word reckless lightly. Microsoft covers California. It covers other states. Illinois, whose biometric privacy law is the most consequential in the country, got nothing.
QUOTE 6
On the ongoing nature of the violation
Core Allegations
“Even though BIPA was created in 2008 and BIPA compliance (or lack thereof) has been the subject of significant litigation and legal commentary, Microsoft continues to violate BIPA by providing live transcription services in its Microsoft Teams platform through the unauthorized collection of Teams meeting participants’ voiceprints.”
This is not an oversight from before the law existed. BIPA is 17 years old. Microsoft chose to build and operate a biometric collection system without complying with a law it had every reason and opportunity to know about.
Commentary
❓
What exactly is a voiceprint and why does it matter?
▾
A voiceprint is a mathematical representation of the unique biological characteristics of your voice: pitch, tone, timbre, and rhythm. It is stored as a series of numerical vectors and can identify you as precisely as a fingerprint or a facial scan. Unlike a password you can change or a credit card you can cancel, your voiceprint is permanent. If Microsoft’s systems are breached, sold, or misused, there is no “reset.” Every Illinois worker who spoke in a transcribed Teams meeting now has a permanent biometric profile linked to their name and email on Microsoft’s servers, created without their knowledge.
Is this lawsuit legitimate or just opportunistic litigation?
▾
This case is serious and rests on a well-established law. BIPA has been on the books since 2008 and has resulted in major settlements, including a $650 million settlement by Facebook and a $228 million settlement by BNSF Railway. The allegations here are specific: Microsoft collects voiceprints, stores them, links them to personal identifiers, and has published no retention or destruction policy covering individual users. The law requires all three steps (notice, disclosure of purpose, and written consent) before collecting biometrics. According to the complaint, Microsoft skipped all three for years.
Did Microsoft give any notice at all during transcribed meetings?
▾
Microsoft displayed a banner indicating that transcription had started and included a hyperlink labeled “Privacy policy.” However, the linked privacy statement does not mention voiceprints at any point. The only voice-related disclosure in that document discusses optional, opt-in review of raw audio clips by Microsoft staff for AI improvement. There is no disclosure that Microsoft captures biometric voice profiles to identify speakers, no explanation of how long those profiles are kept, and no mechanism through which a participant could consent or decline. The link substituted the appearance of disclosure for actual disclosure.
Who is most harmed by this practice?
▾
Every person who participated in a transcribed Teams meeting while in Illinois from March 2021 to the present. That includes workers in offices and remote settings, teachers in virtual classrooms, government employees in official meetings, students in school sessions, and anyone who joined a Teams call as a guest. Non-account holders who simply typed their name to enter a meeting were also subject to voiceprint collection and identification. These are not sophisticated technology professionals who read fine print. They are ordinary people whose biological data was taken from them while they were simply trying to do their jobs or attend class.
How does this connect to broader patterns of Big Tech’s treatment of user data?
▾
This is a precise case study in a pattern that defines modern Big Tech: extract the maximum commercial value from users’ personal data while providing the minimum legally defensible disclosure. Microsoft built a $8 billion-per-year product feature on biometric data it harvested from users who had no idea it was happening. This is not an isolated privacy slip. It is the predictable outcome of an industry that treats user data as a raw material to be extracted rather than a right to be protected. BIPA was specifically designed to stop this, which is why Microsoft’s years-long failure to comply with a law it absolutely knew existed is so damning.
What can I do to prevent this from happening again?
▾
If you are an Illinois resident who participated in transcribed Teams meetings, you may be a class member. Monitor the case at PACER or through organizations like ClassAction.org. Contact your state legislators and urge them to strengthen biometric privacy enforcement and expand BIPA-style protections. Support federal biometric privacy legislation: the U.S. still has no national equivalent of BIPA. Demand that your employer and school disclose which AI transcription tools they use and whether those tools collect biometric data. Ask platform providers directly whether voice data is retained, how long, and for what purpose. Make privacy a condition of your participation, and vote for lawmakers who will make corporations answer for surveillance they conduct without consent.
What could the financial penalty actually look like for Microsoft?
▾
BIPA provides for $1,000 per negligent violation and $5,000 per intentional or reckless violation. The class is expected to contain many thousands or tens of thousands of Illinois residents, each with claims spanning years of transcribed meetings. Even at the lower figure, with tens of thousands of class members, total liability could exceed tens or hundreds of millions of dollars. For a company generating $8 billion per year from Teams alone, that is a meaningful penalty, but not one that threatens Microsoft’s survival. The more consequential outcome may be the injunctive relief: a court order forcing Microsoft to build and operate a BIPA-compliant system for all future users.
Does this affect users outside Illinois?
▾
The class action is limited to Illinois residents because BIPA is an Illinois law and currently the strongest state-level biometric privacy statute in the country. However, the underlying conduct, which is the collection of voiceprints from all Teams users in transcribed meetings, is not limited to Illinois. Users in Washington, Texas, and across the country have participated in transcribed Teams meetings with no more disclosure than Illinois residents received. Illinois residents have legal recourse under BIPA. Most other Americans do not yet have equivalent protection, which is precisely why advocates are pushing for federal legislation and why state-by-state BIPA expansion matters.
💡 Explore Corporate Misconduct by Category
Corporations harm people every day — from wage theft to pollution. Learn more by exploring key areas of injustice.
- 💀 Product Safety Violations — When companies risk lives for profit.
- 🌿 Environmental Violations — Pollution, ecological collapse, and unchecked greed.
- 💼 Labor Exploitation — Wage theft, worker abuse, and unsafe conditions.
- 🛡️ Data Breaches & Privacy Abuses — Misuse and mishandling of personal information.
- 💵 Financial Fraud & Corruption — Lies, scams, and executive impunity.
