When you use certain Runway features to create videos or audio, the service may collect your voice recordings and face scans, which are considered biometric data under some state laws. Runway states it only uses this biometric data to deliver the specific feature you requested.
This analysis describes what Runway's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric identifiers such as face scans and voiceprints are among the most sensitive personal data categories and are subject to specific consent, retention, and destruction requirements under laws such as Illinois BIPA and Texas CUBI. The policy does not disclose a specific biometric data retention schedule, which is a material requirement under several of these statutes.
Interpretive note: The provision asserts biometric data is used only to provide the requested service, but the absence of a stated retention schedule creates uncertainty about full compliance with state biometric statutes that impose mandatory retention and destruction timelines.
Users who activate face or voice-based generation features in Runway are submitting biometric data. The policy asserts use is limited to providing the requested service, but does not state how long biometric data is retained or when it is destroyed, which may limit users' ability to verify compliance with applicable state biometric privacy laws.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Runway has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Biometric data, such as voice data and scans of faces that you submit when you use certain product features to create videos and audio using characteristics like voice and face. Such characteristics may be considered biometric identifiers or biometric information under certain laws including applicable privacy laws. When you choose to use these features, we use any biometric data submitted by you only to provide the service requested by you.— Excerpt from Runway's Runway Privacy Policy
1) REGULATORY LANDSCAPE: This provision implicates Illinois BIPA (740 ILCS 14), Texas Capture or Use of Biometric Identifier Act (CUBI), Washington's biometric privacy statute, and potentially the California Consumer Privacy Act's sensitive personal information category. The FTC also holds general jurisdiction over deceptive or unfair data practices. Illinois BIPA requires a written retention and destruction policy, informed written consent prior to collection, and prohibits sale of biometric identifiers; private right of action exists under BIPA with statutory damages. 2) GOVERNANCE EXPOSURE: High. The policy acknowledges that voice data and face scans may constitute biometric identifiers under applicable law but does not disclose a biometric-specific retention schedule or destruction policy, which is a required disclosure under BIPA. The absence of this disclosure, combined with the broad geographic user base of an AI creative platform, creates elevated regulatory and litigation exposure in Illinois specifically. 3) JURISDICTION FLAGS: Illinois presents the highest exposure due to BIPA's private right of action and statutory damages of $1,000 to $5,000 per violation. Texas CUBI is enforced by the Texas Attorney General without a private right of action. Washington's biometric law also lacks a private right of action. California classifies biometric data as sensitive personal information under CPRA, requiring additional disclosures and opt-out rights. 4) CONTRACT AND VENDOR IMPLICATIONS: Vendors and enterprise customers integrating Runway's face and voice features into their own workflows should assess whether their use of those outputs constitutes independent biometric data processing subject to their own compliance obligations. Data processing agreements with Runway should address biometric data handling obligations, retention periods, and destruction timelines. 5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm whether Runway has published a publicly available biometric data retention and destruction schedule as required by BIPA. Consent mechanisms for biometric feature activation should be reviewed to confirm they meet BIPA's written informed consent standard prior to collection. Data mapping exercises should tag biometric data flows separately given heightened regulatory treatment. Where Runway is used through enterprise accounts, administrators should verify that end-user consent workflows for biometric features meet applicable state law requirements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric identifiers such as face scans and voiceprints are among the most sensitive personal data categories and are subject to specific consent, retention, and destruction requirements under laws such as Illinois BIPA and Texas CUBI. The policy does not disclose a specific biometric data retention schedule, which is a material requirement under several of these statutes.
Users who activate face or voice-based generation features in Runway are submitting biometric data. The policy asserts use is limited to providing the requested service, but does not state how long biometric data is retained or when it is destroyed, which may limit users' ability to verify compliance with applicable state biometric privacy laws.
ConductAtlas has identified this type of provision across 20 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Runway.