If you create a custom AI avatar using your own face or voice, Synthesia collects and stores that likeness and voice data to build and operate the avatar.
This analysis describes what Synthesia's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Your face and voice are among the most sensitive categories of personal data and may qualify as biometric data under Illinois, Texas, or Washington state law, triggering specific consent, retention, and deletion obligations.
Interpretive note: Whether personal likeness and voice data qualifies as biometric data under GDPR Article 9 or specific US state laws depends on regulatory interpretation and how the data is processed technically; classification is not settled across all jurisdictions.
Using the custom avatar feature means Synthesia processes your personal likeness and voice recordings; depending on your location, this may be governed by biometric privacy laws that give you specific rights to consent, limit use, and demand deletion.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Synthesia has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you choose to create a Personal AI Avatar, we will collect and process your personal data including your physical appearance (likeness) and voice. This data is used to create and operate your personalised AI Avatar within our platform.— Excerpt from Synthesia's Synthesia Privacy Policy
(1) REGULATORY LANDSCAPE: Processing of personal likeness and voice for AI avatar generation engages GDPR Article 6 lawful basis requirements and potentially Article 9 if regulators classify such data as biometric data revealing identity. In the US, the Illinois Biometric Information Privacy Act requires informed written consent before collecting biometric identifiers including facial geometry and voiceprints; the Texas CUBI Act and Washington BIPA equivalent impose similar requirements. The FTC has enforcement authority over deceptive or unfair biometric data practices. The EU AI Act may impose additional transparency and human oversight requirements on AI systems using personal likeness. (2) GOVERNANCE EXPOSURE: High. The processing of personal likeness and voice data for AI avatar creation represents the highest-risk data processing activity in this policy. Unauthorized or insufficiently consented collection of biometric identifiers under BIPA carries statutory damages of $1,000 to $5,000 per violation without requiring proof of harm, creating significant class action exposure for organizations deploying this feature with employees or third parties. (3) JURISDICTION FLAGS: Illinois, Texas, and Washington create the highest exposure for biometric data collection without explicit informed consent. EU and UK users are protected by GDPR and UK GDPR, requiring a clearly documented lawful basis. California's CPRA does not treat facial recognition as biometric data in the same way as BIPA but does include it in the definition of sensitive personal information, triggering opt-out and limit-use rights. Organizations in healthcare or financial services contexts should assess whether additional sector-specific rules apply. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using Synthesia's custom avatar features for employees or third parties should ensure their own consent mechanisms and internal policies satisfy applicable biometric privacy laws before uploading likeness or voice data. The DPA between Synthesia and enterprise customers should clearly delineate controller and processor responsibilities for this data type, including retention periods and deletion obligations. Standard commercial DPAs may not address biometric data specifically and may require amendment. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map all workflows involving custom avatar creation to identify whether employee or third-party likeness data is being processed; obtain BIPA-compliant written consent if operating in Illinois; update data inventories to classify likeness and voice data separately from standard personal data; and confirm that Synthesia's deletion processes for avatar data meet applicable statutory timelines upon contract termination.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Your face and voice are among the most sensitive categories of personal data and may qualify as biometric data under Illinois, Texas, or Washington state law, triggering specific consent, retention, and deletion obligations.
Using the custom avatar feature means Synthesia processes your personal likeness and voice recordings; depending on your location, this may be governed by biometric privacy laws that give you specific rights to consent, limit use, and demand deletion.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Synthesia.