Voice Recording Collection and Use

What it is

Duolingo records your voice when you use speaking exercises and uses those recordings to improve its speech recognition systems and provide pronunciation feedback.

Why it matters (compliance & governance perspective)

Voice data is a sensitive category of personal information and is subject to specific legal protections in several US states (notably Illinois under BIPA) and under GDPR in the EU; collection for AI model improvement purposes may require explicit informed consent beyond general terms acceptance.

This document changed recently

Consumer impact (what this means for users)

Your voice recordings made during Duolingo speaking exercises may be retained and used to train or improve Duolingo's speech recognition technology, meaning this biometric-adjacent data persists beyond the immediate lesson interaction. Users in states like Illinois may have additional rights regarding how this data is stored and used.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: Voice data collection engages the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington's My Health MY Data Act in the US, as well as GDPR Article 9 if voice data is treated as biometric data used to uniquely identify individuals in the EEA. The FTC and relevant State AGs are primary enforcement authorities in the US. Whether Duolingo's voice data meets the statutory definition of 'biometric identifier' under BIPA is a question that has been actively litigated and compliance teams should not assume the policy's current framing resolves this exposure. (2) GOVERNANCE EXPOSURE: High. The use of voice recordings for product improvement and AI model training creates material exposure under state biometric laws that impose written consent, retention schedule, and destruction requirements. BIPA in particular provides a private right of action with statutory damages of $1,000 to $5,000 per violation, and courts have certified class actions based on similar fact patterns involving app-based voice collection. (3) JURISDICTION FLAGS: Illinois (BIPA), Texas (CUBI), and Washington create the most acute exposure for US operations. In the EEA, GDPR Article 9 may apply if voice recordings are processed in a way that enables unique identification, requiring explicit consent rather than general consent. Users in these jurisdictions represent heightened class action and regulatory enforcement risk. (4) CONTRACT AND VENDOR IMPLICATIONS: If Duolingo shares voice recordings with third-party speech recognition or AI vendors, Data Processing Agreements must be assessed to confirm appropriate controller/processor designations and data handling restrictions. Vendor contracts should address retention, destruction, and prohibition on secondary use of voice data consistent with applicable biometric law requirements. (5) COMPLIANCE CONSIDERATIONS: Legal teams should conduct a biometric data audit to determine whether Duolingo's voice data collection meets BIPA's written policy, public availability, and informed consent requirements. Consent mechanisms for voice data should be reviewed to ensure they are separate from general terms acceptance, particularly for EEA users. Retention and destruction schedules for voice recordings should be documented and enforced.

Applicable agencies

Provision details

Other risks in this policy

• Third-Party Advertising Data Sharing medium
• Children's Privacy and COPPA Compliance high
• Data Retention Discretion medium
• California Resident Rights (CCPA/CPRA) low
• EEA and UK User Rights Under GDPR low
• Cross-Border Data Transfers medium