Is Speaker Diarization a BIPA Violation? What Basich v. Microsoft Teams Means for Every AI Notetaker with Speaker ID

Published July 17, 2026

Key takeaways

Quick answer: A February 2026 class action, Basich v. Microsoft Corporation (2:26-cv-00422, W.D. Wash.), alleges that the speaker diarization behind Microsoft Teams live transcription creates voiceprints and violates Illinois BIPA. If the court agrees that diarization itself constitutes biometric collection, every AI notetaker that labels 'who said what' — Otter, Fireflies, Zoom AI Companion, Read AI — faces $1,000–$5,000 per-scan statutory exposure unless it processes audio entirely on-device.

Published July 17, 2026 · 11 min read

On February 5, 2026, five Illinois residents — Alex Basich, Kristin Bondlow, Marquis Boyce, Jessica Brewer, and Jamari Brown — filed Basich et al. v. Microsoft Corporation (Case No. 2:26-cv-00422) in the U.S. District Court for the Western District of Washington. Their claim is deceptively narrow and jurisprudentially explosive: the machine-learning process behind Microsoft Teams' "live transcription" — a technique called speaker diarization — creates a mathematical voiceprint for every participant, and doing so without written notice and consent violates the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/15.

If Judge rules for the plaintiffs, the fallout is not confined to Microsoft. Every AI notetaker that labels "who said what" — Otter, Fireflies, Zoom AI Companion, Read AI, Fathom, tl;dv — relies on the same underlying diarization architecture. The question every legal, IT, and compliance team is now being forced to answer: is speaker attribution biometric collection, or is it just transcription with labels? The answer, and how you insulate your organization from a $5,000-per-scan liability, is what this article is about.

What the Basich complaint actually alleges

The complaint is carefully targeted at the default diarization pipeline, not the opt-in Intelliframe enrollment feature. That distinction matters: Microsoft built a BIPA-compliant consent flow for Intelliframe and blocked it in Illinois — proving Microsoft knows how to comply when it wants to. The plaintiffs argue that the default transcription feature collects the same category of biometric data through the same type of voice analysis, but without any of the same safeguards.

The complaint walks through a five-step pipeline that runs on Microsoft Azure servers: (1) audio pre-processing and noise reduction; (2) Voice Activity Detection; (3) Speech Segmentation; (4) extraction of individual speaker profiles as voiceprints — numerical vectors capturing pitch, tone, and timbre; and (5) matching each speech segment to a speaker and linking it to profile pictures, email addresses, and organizational affiliations to produce an attributed transcript. Steps 4 and 5 are where the BIPA claim lives.

Why voiceprints are the third rail of biometric privacy law

BIPA was enacted in 2008 and lists "voiceprint" alongside retina scans, fingerprints, and face geometry as a protected biometric identifier. As Mason LLP explains, a voiceprint is a mathematical model of the unique characteristics of your voice — pitch, cadence, tone, and vocal-tract shape — and much like a fingerprint, it can identify you with a high degree of certainty. Unlike a password, you cannot change your voiceprint if it is compromised.

Under BIPA, before any "private entity" collects a voiceprint, it must: provide written notice, disclose the specific purpose and duration of storage, obtain a written release, and publish a public retention and destruction schedule. Miss any one of those steps and statutory damages accrue: $1,000 per negligent violation and $5,000 per reckless or intentional violation, with the Illinois Supreme Court holding in Cothron v. White Castle System that damages can accrue on a per-scan basis. A team of ten sales reps recording five meetings a day with Illinois residents can, as one analysis put it, scale fines into the millions within a single quarter.

Basich did not happen in a vacuum: the 2025–2026 voiceprint wave

The Microsoft suit is the fourth in a rapidly compounding sequence. In August 2025, plaintiff Justin Brewer filed Brewer v. Otter.ai Inc. (No. 5:25-cv-06911, N.D. Cal.), alleging that Otter's notetaker auto-joined a Zoom call, recorded him without his consent, and created voiceprints used to train Otter's ML models. In December 2025, Illinois resident Katelin Cruz filed Cruz v. Fireflies.AI Corp. (No. 3:25-cv-03399, C.D. Ill.), which as reported by the National Law Review alleges that Fireflies' "Speaker Recognition" feature generates voiceprints without publishing a retention policy or obtaining written releases from non-account holders.

Then in May 2026 came the biggest escalation yet. According to the American Bar Association's litigation review, seven Illinois broadcast journalists and voice actors filed a coordinated set of nine class actions against Meta, Google, Apple, NVIDIA, Adobe, ElevenLabs, Amazon, and Microsoft, alleging that these companies extracted voiceprints from publicly available recordings to train commercial AI voice models. The ABA analysis notes that by targeting the extraction of voiceprints rather than copyrighted content, plaintiffs may have uncovered an easier path for bringing class-wide claims against AI training practices.

The technical question that decides everything: is diarization biometric collection?

Every cloud notetaker relies on speaker diarization to produce readable transcripts. As Lewis Rice's BIPA analysis puts it, plaintiffs are alleging that software creates biometric identifiers subject to the statute whenever it attributes speech to specific individuals using speaker recognition technology — even where the company does not market its product as "biometric."

There are technically two flavors of diarization:

The vendor argument is that ad hoc clustering produces ephemeral, session-scoped embeddings that are not "biometric identifiers" because they are never used to authenticate a person. The Basich plaintiffs' counter-argument is that BIPA does not require authentication — the statute simply protects vocal characteristics used to "identify or distinguish" a speaker. Distinguishing is exactly what diarization does.

Cloud AI notetaker vs on-device: the compliance table nobody wants to publish

Here is how the leading AI notetakers stack up against BIPA's four collection requirements, based on their public documentation and current pleadings:

Tool Processing location Speaker ID method Non-user consent flow Active BIPA suit
Microsoft Teams live transcription Azure cloud Diarization + directory linkage None (default on) Basich (Feb 2026)
Otter.ai Cloud Enrolled voiceprints Host-only consent model Brewer (Aug 2025)
Fireflies.ai Cloud Speaker Recognition feature None for non-account holders Cruz (Dec 2025), Fricker (Mar 2026)
Zoom AI Companion Cloud (partner LLMs) Diarization + directory Recording banner only Same theory applies
Basil AI iPhone / Mac Neural Engine On-device SpeechAnalyzer No third-party collection None — no cloud entity

Employers are on the hook too — not just the vendors

The scariest sentence for corporate counsel comes from Amundsen Davis's client alert: "An employer that licenses or encourages the use of an AI notetaker in business meetings — or whose employees activate such software during meetings involving Illinois residents — may be implicated in BIPA claims if proper safeguards aren't in place. This risk extends even to organizations headquartered outside Illinois if any meeting participant is physically located in the state."

In other words: if your VP of Sales in New York runs a Zoom demo with an Illinois-based prospect and Fireflies auto-joins, both Fireflies and your company are potential co-defendants. Workplace Privacy Report flags four especially exposed use cases: training sessions with multiple employees on the same VC, HR witness and investigation interviews, applicant interviews where candidates never knew biometrics were being collected, and — for healthcare — patient encounters where BIPA layers on top of HIPAA.

The GDPR angle: Article 9 catches biometrics too

US-only teams tend to forget that Article 9 of the GDPR classifies biometric data "for the purpose of uniquely identifying a natural person" as a special category — meaning processing is prohibited unless one of a narrow set of exemptions applies. A cloud notetaker that generates voiceprints of EU meeting participants is processing Article 9 data. Combined with the international-transfer complications flagged by Social Europe's analysis of Otter under Schrems II, the operational risk stack for cloud AI notetakers in a mixed US/EU workforce is now genuinely severe.

The Otter privacy policy and Fireflies privacy policy both reserve broad rights to process audio and derived data — the very language plaintiffs are now citing as evidence that no reasonable expectation of confidentiality exists.

Why on-device transcription eliminates the collection element entirely

BIPA's statutory hook is that a "private entity" must "collect, capture, purchase, receive through trade, or otherwise obtain" a biometric identifier. If the audio is processed exclusively on the speaker's own device and no biometric identifier is ever transmitted to or stored by a third party, there is no "private entity" doing any collecting. That is the entire architectural point of on-device AI.

Apple's iOS 26 Speech framework introduced SpeechAnalyzer and SpeechTranscriber, an on-device replacement for the older SFSpeechRecognizer API. According to the Inscribe benchmark against LibriSpeech, SpeechAnalyzer hits a 2.12% word error rate on clean speech and 4.56% on noisy speech — beating OpenAI's Whisper Small model at roughly one-third the compute cost, all running fully on-device on an M2 Pro. Older apps that keep using SFSpeechRecognizer must set the requiresOnDeviceRecognition flag to guarantee audio never touches Apple's servers; forgetting that flag falls back to server-side recognition by default.

How Basil AI solves this

Basil AI is built on the exact primitives that eliminate BIPA exposure at the architecture layer:

For a deeper look at the underlying architecture, see our technical walkthrough on how to transcribe in-person meetings on iPhone entirely on-device, or read our comparison of bot-free vs on-device AI notetakers on Mac. For legal teams, our earlier analysis on AI notetakers and attorney-client privilege after Heppner covers the parallel privilege-waiver risk.

What to do this week if your organization uses cloud AI notetakers

1. Inventory the tools actually running in your meetings

Ask IT for a list of every AI notetaker sanctioned or observed in the last 90 days. Match each against the compliance table above. Any tool that performs cloud-side speaker attribution is a candidate for immediate audit.

2. Kill default auto-join on external calls

Fireflies, Otter, and Read AI all offer auto-join settings that dispatch bots to any meeting on a connected calendar. Turn these off at the tenant level, not just per-user. This alone eliminates the highest-risk scenario: a bot joining a call with Illinois residents you don't know are Illinois residents.

3. Rewrite your engagement letters and vendor MSAs

Follow the Duane Morris guidance: review vendor terms of service, disclose AI use to clients, obtain affirmative consent, and prohibit third-party notetakers in privileged or regulated conversations.

4. Move regulated conversations to on-device tools

For any conversation involving healthcare (HIPAA), legal (privilege), financial (Reg S-P), HR investigations, or Illinois-resident participants, default to an on-device transcription workflow. See the HHS HIPAA Privacy Rule for what qualifies as PHI in this context.

The bigger picture: BIPA is the leading edge, not the endpoint

Illinois is currently the only US state with a private right of action for voiceprint collection, but Texas and Washington have their own biometric statutes, and comprehensive state privacy laws in Colorado, Virginia, Connecticut, and Vermont either already regulate biometrics or will by 2027. The California Consumer Privacy Act (CCPA) as amended now classifies voice recordings as sensitive personal information, giving consumers a right to limit its use. The direction of travel is unambiguous: capturing voice patterns without explicit, granular consent will become presumptively unlawful across most of the developed world within the next 24 months.

The tools that survive the next two years of litigation and rulemaking will be the ones that made a bet, years ago, on processing audio where it originates rather than shipping it to a data center. Everything else is running the clock on a lawsuit.

Get Basil AI — Private by Architecture

Meeting transcription that never touches the cloud. No bots, no voiceprint databases, no BIPA exposure. Just Apple Neural Engine, running on your device.

Download on the App Store Download on the Mac App Store

Frequently Asked Questions

Does speaker diarization create a voiceprint under BIPA?

The Basich v. Microsoft complaint alleges yes: to attribute speech to specific participants, diarization extracts vocal characteristics — pitch, tone, timbre — into numerical vectors that identify the speaker. BIPA (740 ILCS 14/10) lists 'voiceprint' alongside fingerprints and face geometry as a biometric identifier. If the court accepts the technical argument, any diarization pipeline that stores speaker embeddings triggers BIPA.

What are the penalties if an AI notetaker violates BIPA?

Illinois BIPA imposes statutory damages of $1,000 per negligent violation and $5,000 per reckless or intentional violation, plus attorneys' fees and injunctive relief. Damages can accrue on a per-scan basis under Cothron v. White Castle. A sales team recording five daily meetings with Illinois residents could rack up seven-figure exposure in a single quarter.

Can employers be liable for using tools like Fireflies or Otter in Illinois?

Yes. Illinois courts have held that multiple entities can be responsible for the same biometric collection when they enable, authorize, or benefit from the technology. An employer that licenses or activates an AI notetaker in meetings involving Illinois residents — even if the company is headquartered elsewhere — can be joined as a defendant alongside the vendor.

Does on-device transcription avoid BIPA exposure?

On-device transcription with no persistent speaker embeddings and no cloud upload dramatically reduces BIPA risk because no 'private entity' collects, stores, or transmits a voiceprint outside the speaker's own device. Basil AI uses Apple's iOS 26 SpeechAnalyzer and SFSpeechRecognizer with requiresOnDeviceRecognition enabled, meaning audio never leaves the phone or Mac.

What if my organization is outside Illinois?

BIPA can still reach you. The Cruz v. Fireflies complaint established specific personal jurisdiction over an out-of-state vendor because the recording occurred while the plaintiff was physically present in Illinois. Any meeting with an Illinois resident on the line can trigger BIPA. Texas, Washington, and other states have their own biometric statutes that mirror parts of BIPA.

Is Microsoft Teams' opt-in Intelliframe feature also implicated?

No. The Basich complaint specifically excludes users who enrolled in Intelliframe voice profiles, because Microsoft built a BIPA-compliant consent flow for that feature and blocked it in Illinois. The lawsuit targets the default diarization that runs automatically whenever any organizer enables live transcription — with no consent flow shown to other participants.