New Class Action Complaints Target Voice Authentication Security

For years, banks, insurance companies, and other consumer-facing institutions have deployed voice authentication technology to ensure security and privacy of conversations with customers who call for help.

Starting last year, a few plaintiffs’ law firms have tried to turn those companies’ well-intended efforts on their head, filing putative class action lawsuits alleging that use of biometric voice recording technology violates a decades-old section of California’s Invasion of Privacy Act.

These complaints generally assert that defendant companies are recording and examining caller voiceprints to determine the truth or falsity of callers’ statements, without first securing callers’ express written consent.

Plaintiffs have targeted companies that record calls, particularly those that use voiceprint technology or other biometrics.

The complaints seek statutory damages of $1,000 per violation on behalf of each member of the proposed classes of California residents. It remains to be seen whether these high-exposure complaints can survive a motion to dismiss.

Penal Code Provision

Since the late 1970s, a little-known CIPA provision—intended to address lie detector technology—sat dormant.

The California Penal Code’s § 637.3(a) prohibits a person or entity from using “any system which examines or records in any manner voice prints or other voice stress patterns of another person to determine the truth or falsity of statements made by such person” without express written consent “in advance of the examination or recordation.”

Under this provision, “any person who has been injured by a violator of this section may bring an action against the violator” for actual damages or $1,000, whichever is greater.

The complaints filed under this statute alleged that voiceprint authentication technology that records a voiceprint, and later compares a caller’s voice to that voiceprint to authenticate their identity violates § 637.3 because it determines the truth or falsity of a caller’s statements.

Suits on the Rise

This new wave is part of a larger trend in biometric privacy cases as similar suits regarding consumer’s voiceprints have also been filed against various businesses under the Illinois Biometric Information Privacy Act.

Although the CIPA voice authentication theory of liability is still quite novel, defendant companies have presented several defenses in motions to dismiss the complaints.

These include arguing that the court lacks subject-matter jurisdiction because the plaintiffs have not suffered an injury-in-fact, and that some plaintiffs provided their express, written consent to the defendant’s use of their voiceprint.

Additionally, defendants may consider drawing the statutory intent behind § 637.3 to a court’s attention early in the litigation.

When passed in 1978, § 637.3 was legislators’ response to concerns that inaccurate and faulty lie detector and polygraph machines were being used to capture the public’s voiceprints and voice stress patterns to test the truth or falsity of their statements without prior consent.

Although the original intent of the provision at issue was to prevent surreptitious voice recording and analysis for lie detection purposes, plaintiffs are now repurposing it to attack modern technology that safeguards consumer’s accounts.

Court Activity

Initial court decisions on motions to dismiss these novel § 637.3 claims are expected to trickle out this year.

In the first of such opinions, a court in the Southern District of California rejected the plaintiff’s § 637.3 claim, seizing on the considerable gap between the conduct the statute was designed to regulate and the plaintiff’s allegations.

In Balanzar v. Fidelity Brokerage Servs., the plaintiff argued that the defendant’s authentication system assessed the truth or falsity of the identity of the caller and, thus, violated the § 637.3.

But the court disagreed. Instead, because the defendant’s software was alleged to capture and store a caller’s voiceprint to compare it with the voiceprint of subsequent callers and verify a caller’s identity without requiring the caller to make any affirmative statements, the court found the technology more akin to a biometric passcode than a lie detector.

Accordingly, the court dismissed without prejudice the plaintiff’s class claims for failing to sufficiently allege that the defendant’s authentication system determined the truth or falsity of any statements.

Whether and how the plaintiff in Balanzar will address the pleading deficiencies noted by that court remains to be seen. Other courts are considering similar motion to dismiss arguments.

Of course, this is not the first time plaintiffs’ attorneys have re-cast old laws to try to regulate the use of new technology in an attempt to recover windfalls under statutory damages provisions.

Plaintiffs have used a different section of CIPA, as well as other states’ statutes, to try to hold companies liable for their use of session replay software.

Plaintiffs have filed dozens of putative class actions, primarily in, but not limited to, California and Pennsylvania, alleging that use of software to analyze a consumer’s interaction with a website violates state anti-wiretapping statutes.

Those laws were originally enacted for the express purposes of preventing the recording or eavesdropping of phone calls.

The legal defenses to these voiceprint technology claims appear strong. Nonetheless, in light of the prospect of significant statutory damages in a class setting, plaintiffs will continue to seek ways to exploit CIPA and other state statutes for conduct that goes beyond the original intent of statutory protections.

Companies that use call recordings, and particularly those using voiceprint technology, should consider the consent, notice, and security requirements of CIPA, BIPA, and other state laws.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Write for Us: Author Guidelines

Author Information

Melissa Fox is counsel at Eversheds Sutherland, where she represents clients on a variety of business and commercial litigation matters, including financial services, securities litigation and enforcement, and professional liability.

Christine Johnson is an associate at Eversheds Sutherland, advising clients on all aspects of complex commercial litigation, with a focus on business disputes and class action defense.

Francis Nolan is a partner at Eversheds Sutherland. He represents companies in class action and commercial litigation, arbitrates domestic and international disputes, and counsels on pre-litigation and compliance.