The Two Doors: When Your Employer Decides You're Training Data

I spent last week wearing an AI pendant around my house. It records conversations, transcribes meetings, remembers what I said three days ago when I can't. The technology works disturbingly well — better than I expected, honestly.

Meta just bought the company that makes it. It's called Limitless.

So now Meta owns two different ways to capture a human being. The pendant and glasses it sells you directly — products you choose to wear, boxes you consciously tick. And the monitoring software it quietly deployed on its own employees' laptops this spring, recording keystrokes and screens to train AI models. Sixteen hundred of those employees signed a petition objecting to it.

Same company. Same appetite for human data. Two very different doors.

One you walk through. The other was installed on you while you were working.

The Illinois Problem Nobody's Talking About

Here's where this stops being a consumer privacy story and becomes an employment law minefield.

Illinois wrote the rulebook on this in 2008. The Biometric Information Privacy Act — BIPA — says you cannot collect someone's biometric data without informed, written consent, and it gives people the right to sue you directly when you don't. Not file a complaint. Not wait for a regulator. Sue.

Meta knows this statute personally. It paid $650 million under BIPA for scanning faces in photos without asking first.

The nastiest BIPA cases were never the consumer ones. They were employees.

Fingerprint timeclocks. Warehouse workers scanning thumbs to punch in, never having signed anything. Facial recognition turnstiles. Under BIPA's original interpretation, every single scan could count as a separate violation — which turns a convenience feature into a class-action liability generator faster than most legal teams can draft a settlement.

I've sat in conference rooms where the GC went pale realizing their "seamless employee experience" had been collecting biometric data for eighteen months without the consent paperwork anyone assumed HR had handled.

Consumer Capture You Agreed To Is a Product. Employee Capture You Didn't Is a Lawsuit.

This is the distinction that matters.

When you buy the pendant, you click through disclosures. You read (or at least scroll past) the privacy policy. You make a choice, even if that choice is influenced by clever UX and peer pressure. The law treats that as consent, however manufactured.

When your employer deploys monitoring software on the laptop they issued you, what exactly did you consent to? Using company equipment? Sure. Being recorded to train an AI model? That's murkier. The data doesn't change when it crosses from your customer to your staff. The consent does. And consent is the whole ballgame.

I watched this play out before, just with a different technology. In the early 2010s, employers rolled out biometric timeclocks to prevent buddy punching — one worker clocking in for another. Seemed reasonable. Solved a real problem. Nobody thought much about the legal exposure until the BIPA lawsuits started landing.

The companies arguing "but we're just trying to stop timecard fraud" discovered that good intentions don't cure bad consent practices. The statute doesn't care why you collected the data. It cares whether you got proper authorization first.

The Training Data Trap

Every firm now asking "what internal data can we train AI on" is either sitting in Illinois or sitting in a state that's about to copy it. California, Texas, New York, Washington — they're all considering or have passed biometric privacy laws modeled on BIPA. The regulatory perimeter is expanding, not shrinking.

Before you point the AI training camera inward, ask: did your people agree, in writing, to become the model?

Not "did they sign an acceptable use policy when we onboarded them in 2019." Did they specifically consent to having their work product, communications, keystrokes, or screen activity captured and used to train machine learning models?

Because here's the uncomfortable question I keep asking clients: what counts as biometric data when the AI is analyzing typing patterns, voice characteristics, or even writing style to identify individuals?

We built these laws when "biometric" meant fingerprints and retina scans. Clean, obvious, physical. The new stuff is probabilistic, behavioral, ambient. Your typing cadence can identify you as reliably as your thumbprint. Does BIPA cover that? Courts are figuring it out right now, which means you're betting your compliance program on case law that doesn't exist yet.

The Railroad Arrives in Two Boxcars

I've survived enough technology cycles to recognize the pattern. The technology always arrives twice: first as something you buy, then as something your employer requires.

Laptops. Smartphones. Email. Slack. Every tool that showed up as consumer choice eventually became workplace infrastructure — and the consent model flipped the moment it did.

Nobody forces you to use Gmail. Plenty of employers force you to use Google Workspace.

Nobody forces you to carry an iPhone. Plenty of employers issue you one and expect you to install MDM software that gives IT visibility into the device.

The AI monitoring tools coming for the enterprise aren't going to ask employees if they'd like to opt in. They're going to show up as "business intelligence platforms" and "productivity analytics" and "quality assurance systems," bundled into the software stack you're already required to use.

Meta's employee monitoring wasn't positioned as surveillance. It was positioned as AI training infrastructure — a way to improve products, optimize workflows, build better tools. That framing doesn't change the legal exposure when the statute requires informed written consent before you collect biometric identifiers or biometric information.

What to Ask Your Legal Team Monday Morning

If you're in-house counsel, HR, or running compliance at a firm exploring AI training on internal data, here's the checklist I'm walking through with clients:

1. Inventory what you're already collecting. Not just the new AI project — the timeclocks, the badge readers, the voice-activated meeting tools, the collaboration platforms that transcribe and analyze speech patterns. Map it all.

2. Audit your consent trail. Do you have written consent that specifically covers biometric data collection? Not buried in page 47 of the employee handbook. Explicit, standalone, informed consent that complies with BIPA or your state's equivalent.

3. Review your AI training plans through a biometric lens. If your model learns to identify people by their writing style, voice, typing patterns, or video presence, you might be creating biometric identifiers even if you never intended to. Intent doesn't matter. The statute doesn't care what you meant to build.

4. Don't assume your vendor handled consent. I cannot count how many times I've heard "but the software company said it was compliant." BIPA makes YOU liable, not your SaaS provider. The company collecting the data is the one on the hook.

5. Remember that "employment requirement" isn't the same as "informed consent." Telling someone "you need to use this system to work here" doesn't satisfy BIPA's consent standard if they can't realistically say no without losing their job.

The Uncomfortable Middle

Here's where I land, and it's not a clean answer: The AI tools are real, the productivity gains are real, and the legal risk is also real.

I tested the pendant because I wanted to understand what the technology actually does, not what the marketing says it does. It's legitimately useful. I can see why companies want to deploy this internally. I can also see why sixteen hundred Meta employees signed a petition objecting to it.

Both things are true.

The firms that navigate this well won't be the ones that avoid AI tools entirely, and they won't be the ones that deploy them recklessly. They'll be the ones that take consent seriously — not as a compliance checkbox, but as the actual legal and ethical line that separates a tool from a violation.

We perfected the AI. We're still figuring out the humans.

But what do I know — I've only watched technology disrupt workplace norms four times in the last twenty years. This time will definitely be different.

Here's your specific action item: Pull the documentation for every system you operate that collects employee biometric data — timeclocks, badge readers, meeting transcription tools, any AI system that trains on individual work patterns. Then ask your legal team one question: "If we're in a BIPA jurisdiction, would this documentation survive summary judgment?" If the answer is anything other than an immediate yes, you have work to do before you expand what you're collecting.

The consent you didn't get yesterday becomes the lawsuit you're defending tomorrow.