Skip to content
CreativeIP.org
The StandardCoursesImmersiveCertificationsAbout
Log inBegin →
CreativeIP.org

Creative Intellectual Property Charity

A charity advancing education in creative IP and AI rights.

London, UK

charity@creativeip.org

Learn

  • The Standard
  • Level 1 Course
  • Immersive Lab
  • Certifications

Resources

  • Tools
  • Resources
  • Self-Assessment
  • Rights Radar
  • Policy Library
  • Reference Architecture
  • Film & TV Vertical Architecture
  • Source Material Architecture
  • Glossary
  • FAQ

Organisation

  • About
  • Governance
  • Partners
  • Insights
  • Adopt
  • Access
  • Case for Support
  • Contact

Legal

  • Terms of Use
  • Certification Terms
  • Privacy Policy
  • Cookie Policy
  • Accessibility
  • Complaints

COORD: 53.4808° N, 2.2426° W

STATUS: OPERATIONAL

© 2026 Creative Intellectual Property · CIO Foundation Model · Charities Act 2011 · Supported by Creation Rights® · v3.84 · Application 5289637

Courses/MOD_09

Biometric Rights

MOD_0930 minFREE // OPEN
Learning outcome

Define biometric data under UK, EU, and US legal frameworks. Explain how Illinois BIPA has influenced state-level biometric legislation. Identify when voice recordings constitute biometric identifiers. Apply the CIP-Biometric-Training: Prohibited declaration correctly. Assess biometric rights exposure in AI content pipelines.

Biometric Rights

This specialist module covers biometric data rights in the context of AI systems. It is designed for creators whose biometric data — voice, face, movement patterns — is commercially significant and at risk of AI exploitation.

What constitutes biometric data

Biometric data is any physiological, biological, or behavioural characteristic that can be used to uniquely identify an individual. In the context of AI and creative rights, the most significant categories are:

  • Voiceprints — the acoustic characteristics that uniquely identify a speaker
  • Faceprints — the geometric measurements and features of a face
  • Gait patterns — movement characteristics identifiable in video
  • Typing patterns — keystroke dynamics that can identify an author

Jurisdictional frameworks

United Kingdom

UK GDPR (retained from EU GDPR) defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person". Processing biometric data for identification purposes is classified as processing special category data under Article 9, requiring explicit consent or another lawful basis.

European Union

The EU AI Act classifies biometric identification systems as high-risk AI systems (Annex III). Operators of these systems face additional requirements including conformity assessment, fundamental rights impact assessment, and registration in the EU AI database. The GDPR Article 9 restrictions on biometric data processing apply in parallel.

United States

Illinois BIPA (Biometric Information Privacy Act) is the most significant US legislation. It provides:

  • A private right of action — individuals can sue directly
  • Statutory damages — $1,000 per negligent violation, $5,000 per intentional or reckless violation
  • Informed written consent required before collection
  • Retention and destruction schedule required

Other states with biometric privacy laws include Texas, Washington, and (from 2026) Colorado and Virginia. None match BIPA's private right of action.

Voice as a biometric identifier

Voice is unambiguously a biometric identifier. AI voice cloning inherently processes biometric data — it analyses the acoustic characteristics of a person's voice and creates a model capable of generating speech that mimics those characteristics. This engages biometric data protection requirements in all three major jurisdictions.

For creators whose voice is commercially significant — voice actors, musicians, broadcasters, public figures — AI voice cloning without consent represents both a biometric data violation and a NILP rights violation. These are independent claims with potentially cumulative damages.

The CIP declaration

The CIP framework provides a machine-readable mechanism for declaring biometric rights protection:

CIP-Biometric-Training: Prohibited — declares that no biometric data from the operator's content may be used for AI model training. This covers voiceprints, faceprints, and any other biometric identifier extractable from the operator's published content.

This declaration has legal foundation under all three jurisdictions: it represents an explicit refusal of consent under GDPR Article 9, a rights reservation under BIPA, and a contractual prohibition enforceable through the CIP Vendor Representation clause.

Summary

Key Takeaways

  • Biometric data includes voiceprints, faceprints, and any physiological or behavioural characteristic that can uniquely identify an individual
  • Illinois BIPA provides a private right of action with statutory damages — $1,000 per negligent violation, $5,000 per intentional violation
  • The EU AI Act categorises biometric identification systems as high-risk AI with additional compliance obligations
  • Voice is a biometric identifier — AI voice cloning inherently processes biometric data
  • CIP-Biometric-Training: Prohibited creates a machine-readable signal that AI operators must respect
  • Creators whose biometric data is commercially significant should declare protection in their cip.md

Self-check

Check Your Understanding

  1. What damages does Illinois BIPA provide for intentional or reckless violations?
  2. Why does AI voice cloning engage biometric data protection requirements?
  3. What does CIP-Biometric-Training: Prohibited declare?
Previous module← Sports NIL/NILP RightsNext moduleTDM and Training Data Law→