AI video privacy — biometric data, training practices, and jurisdiction
What this is actually about
AI video privacy has a dimension that AI writing and image privacy don't: biometric data. When an organization uploads a video of a real person's face and voice to create a custom avatar, that video contains biometric identifiers — facial geometry measurements, voice characteristics — that are classified as sensitive personal data in multiple regulatory frameworks. The general enterprise security checklist (SOC 2, GDPR, SSO) doesn't fully address biometric data, which has its own regulatory overlay in jurisdictions including Illinois (BIPA), Texas (CUBI), Washington (My Health My Data Act for biometric components), and the EU (GDPR Article 9).
Most AI video privacy discussions focus on whether generated video content is private from public galleries. This is the simpler question. The more consequential question is what happens to the facial video used to create a custom avatar — how it's stored, how long it's retained, who can access it, and whether it can be used for purposes beyond the specific avatar creation. These questions are addressed differently by Synthesia (with documented consent protocols) and HeyGen (with less publicly documented biometric handling), and require direct verification for any organization processing employee or executive likenesses.
What people get wrong
Most teams assume that GDPR compliance covers biometric data for AI video avatars. GDPR Article 9 classifies biometric data processed for identification purposes as a special category of personal data requiring explicit consent and higher-level protection. General GDPR compliance covers standard personal data processing; biometric data for avatar creation requires a separate legal basis (explicit consent is the most common) and specific processing documentation. A platform that is GDPR-compliant for its general operations may not have addressed Article 9 requirements for biometric avatar data specifically.
Most teams assume that the person whose face and voice appear in the avatar video is the only person whose consent is required. Organizational consent requirements for biometric data in corporate contexts can be more complex: employee consent in addition to employer authorization, union requirements where applicable, and contractual terms for executives and public figures who have image rights agreements. HR and legal review of the consent workflow is appropriate before any organizational deployment of custom avatar creation.
Most teams assume that generating video content about real people — using AI to put words in their mouths — is covered by the same framework as avatar creation. It isn't. AI-generated video of a real person saying things they didn't say raises deepfake and defamation concerns that are distinct from the biometric data questions around avatar creation. Both questions are privacy-adjacent; they operate under different legal frameworks.
How it actually works
Synthesia's biometric data handling is the most documented in this category: the platform requires identity verification before personal avatar creation, provides explicit consent documentation, and requires re-consent for expanded use of the avatar. The consent protocol is specific — the person must confirm understanding of how the avatar will be used. This documentation covers the explicit consent requirement for GDPR Article 9 and the informed consent requirements in US state biometric data laws.
HeyGen's biometric data handling for Digital Twin creation is less publicly documented than Synthesia's. The consent process exists but isn't described in the public-facing documentation with the specificity that compliance review typically requires. For organizations in regulated industries or jurisdictions with specific biometric data laws, direct inquiry with HeyGen's enterprise team about their biometric data processing documentation is the appropriate next step before implementation.
For AI video content that doesn't involve custom avatars — stock avatar video (Synthesia, HeyGen standard avatars), stock footage assembly (Pictory), and generative video (Runway) — the biometric data question doesn't apply. The privacy questions for these use cases are the more standard questions: are generated videos private from public galleries, does content generated through the platform train future models, and what is the data retention period for scripts and prompts.
Different situations, different paths
If custom avatar creation is required and biometric data compliance documentation matters — regulated industries, jurisdictions with biometric data laws, or organizations with strict data governance — Synthesia's consent documentation is the most complete in the category. Verify current documentation against your specific jurisdiction's requirements.
See Synthesia's consent and biometric data documentation
If the AI video use case doesn't involve custom avatars — using stock avatars, stock footage assembly, or generative video — the privacy questions are the standard enterprise questions: training data exclusion, data retention, and gallery privacy. These are addressed differently across platforms.
See AI privacy — training defaults and data handling
If the AI video use case is in a jurisdiction with specific biometric data laws — Illinois, Texas, Washington, or EU member states — legal review of the specific platform's consent and data processing workflow against the applicable law is appropriate before implementation. General GDPR compliance documentation may not address biometric-specific requirements.
See AI and EU GDPR — special category data
If the privacy question extends to AI-generated video of real people without their participation — deepfake-adjacent content — that raises different legal questions (defamation, right of publicity, fraud) that platform privacy policies don't address and that require legal counsel, not tool selection guidance.
See the enterprise video guide for governance framework
What this guide doesn't solve
Biometric data law is jurisdictionally specific and evolving. Illinois BIPA, Texas CUBI, and EU GDPR Article 9 impose different specific requirements. Additional US states are developing biometric privacy legislation. Organizations with employees, customers, or operations across multiple jurisdictions need to apply the most stringent applicable requirements to their biometric data processing, not an average.
Consent is not a one-time event for custom avatar use. If the avatar's use is expanded — from internal training to external marketing, from one language to multiple — re-consent may be required under the original consent terms. Organizations should maintain consent records that specify the agreed scope and have a process for re-consent when scope changes.
Platform privacy policies and biometric data documentation may not reflect current legal requirements in rapidly evolving regulatory environments. Organizations in highly regulated industries should engage legal counsel to assess whether a specific platform's current documentation satisfies applicable biometric data requirements — rather than relying on the platform's self-characterization of its compliance.
© 2026 Softplorer