When you use certain Runway features to generate video or audio, the service collects your voice recordings and face scan data, which are classified as biometric identifiers under some state laws. Runway states it uses this data only to fulfill the service you requested.
This analysis describes what Runway's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric data such as voice prints and facial geometry receives heightened legal protection under state statutes including the Illinois Biometric Information Privacy Act, and collection without required written consent, retention schedules, or destruction policies may create legal exposure for both Runway and enterprise customers deploying these features to their own users.
Interpretive note: The policy does not specify written consent procedures, retention periods, or destruction timelines for biometric data; whether current practices satisfy BIPA or analogous state statutes depends on implementation details not disclosed in the policy text.
Users who engage Runway's generative video and audio features submit biometric identifiers including voice data and face scans, which the policy states are used only to provide the requested service; however, the policy does not specify how long this data is retained or when it is destroyed, which matters for users in Illinois, Texas, and other states with biometric privacy statutes.
How other platforms handle this
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
We may collect information about your location, including precise geolocation information, when you use our Services. We use this information to provide location-based services, such as showing you products available in your area, and for other purposes described in this Privacy Policy.
Monitoring
Runway has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Biometric data, such as voice data and scans of faces that you submit when you use certain product features to create videos and audio using characteristics like voice and face. Such characteristics may be considered biometric identifiers or biometric information under certain laws including applicable privacy laws. When you choose to use these features, we use any biometric data submitted by you only to provide the service requested by you.— Excerpt from Runway's Runway Privacy Policy
(1) REGULATORY LANDSCAPE: This provision implicates the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code Ch. 503), and the Washington My Health MY Data Act for biometric health data where applicable. The FTC and state attorneys general in Illinois, Texas, and Washington hold relevant enforcement authority. BIPA requires a written policy, written informed consent prior to collection, and a destruction schedule; the policy as written does not specify these elements, creating potential tension with BIPA requirements. (2) GOVERNANCE EXPOSURE: High. The collection of facial geometry and voice prints for AI generative features is among the highest-risk data practices under US state law, with BIPA authorizing statutory damages of $1,000 to $5,000 per violation. Enterprise customers deploying Runway to their own end users may face downstream exposure if they have not assessed whether their use of Runway's biometric features satisfies applicable consent and disclosure obligations in their users' jurisdictions. (3) JURISDICTION FLAGS: Illinois presents the highest exposure due to BIPA's private right of action. Texas and Washington impose similar collection and destruction requirements enforced by state attorneys general. Organizations with EU or UK users should assess whether voice and face data processing for AI generation satisfies GDPR requirements for processing special category data, which may require explicit consent under Article 9. California's CCPA classifies biometric data as sensitive personal information subject to opt-in consent requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should request clarification from Runway regarding written consent workflows, data retention schedules, and destruction timelines for biometric data before deploying generative voice and face features to their user bases. Data processing agreements with Runway should explicitly address biometric data handling obligations. The policy's assertion that biometric data is used only to provide the requested service should be confirmed contractually. (5) COMPLIANCE CONSIDERATIONS: Legal and compliance teams should audit whether Runway's biometric data collection for generative features has been disclosed to users in Illinois, Texas, and Washington in a manner that satisfies applicable statutory consent requirements. A data mapping exercise should document which specific product features trigger biometric data collection and whether separate consent flows are required. Organizations should evaluate whether their terms with end users downstream of Runway adequately disclose biometric data processing.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric data such as voice prints and facial geometry receives heightened legal protection under state statutes including the Illinois Biometric Information Privacy Act, and collection without required written consent, retention schedules, or destruction policies may create legal exposure for both Runway and enterprise customers deploying these features to their own users.
Users who engage Runway's generative video and audio features submit biometric identifiers including voice data and face scans, which the policy states are used only to provide the requested service; however, the policy does not specify how long this data is retained or when it is destroyed, which matters for users in Illinois, Texas, and other states with biometric privacy …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Runway.