The doctrine
BIPA, CCPA, GDPR, and a growing thicket of state and foreign privacy laws apply to AI training corpora that contain personal data, biometric identifiers, or facial geometry — and to AI systems that process them at deployment.
The Illinois Biometric Information Privacy Act (740 ILCS 14) has produced the largest AI-privacy settlements to date. ACLU v. Clearview AI ended in a 2022 settlement whose nationwide injunction bars Clearview from selling access to its faceprint database to most private actors. The ACLU coordinated multiple BIPA actions producing settlements in the tens of millions.
Under California's CCPA and the emerging regulations issued under the California Privacy Rights Act, automated decision-making and "training-data" disclosures are drawing increasing scrutiny. The EU's GDPR adds purpose-limitation, lawful-basis, and erasure questions: the Italian Garante temporarily banned ChatGPT in 2023, and the European Data Protection Board has since issued an opinion on lawful bases for training generative-AI models on personal data.
For platform AI products specifically, plaintiffs have begun to argue that ingesting user-supplied content (chats, uploaded files, voice recordings) into training corpora without renewed consent violates both contract and privacy law. The boundary between platform telemetry and training data is becoming a litigation pressure point.
Leading cases
- Clearview AI: BIPA, CCPA, and EU enforcement; nationwide injunctive relief in 2022.
- OpenAI BIPA litigation: Illinois consumer class actions over OpenAI's processing of voice and image inputs.
- Garante action against OpenAI (ChatGPT): temporary ban in March 2023; formal sanction proceedings ongoing.
Key holdings
- Biometric training-data exposure is real. BIPA's per-violation statutory damages ($1,000 for negligent violations, $5,000 for intentional or reckless ones) create class-aggregate exposure in the billions.
- Consent isn't fungible. Consent for one purpose (e.g., platform features) does not authorize training-data use under GDPR or BIPA.
- Data-subject rights apply to models. EU regulators are pressing erasure-from-models theories, with operational implications for fine-tuning and retrieval-augmented generation (RAG).