State Laws Present Litigation Risks for Financial Industry’s Artificial Intelligence Use

State Law Claims Against the Use of AI in the Financial Sector

In Turner v. Nuance Commc'ns, Inc., 735 F. Supp. 3d 1169 (N.D. Cal. 2024) and Gladstone v. Amazon Web Servs., Inc., 739 F. Supp. 3d 846 (W.D. Wash. 2024), plaintiffs claimed that AI use by their banks violated the California Invasion of Privacy Act. In Turner, AI recorded bank customer calls for voice authentication and fraud prevention. In Gladstone, AI analyzed customer voice recordings for sentiment, response time, etc. to provide personalized service.

Plaintiffs in both actions claimed that they expected their calls with the bank representative to be confidential, and not be tapped by AI without their knowledge or consent. Plaintiffs sued the AI service providers under the California Penal Code § 631(a), which prohibits tapping of phone calls between parties without their consent, and § 632(a), which forbids eavesdropping or recording of confidential communications. In Turner, plaintiffs also alleged violation of § 637(3) of the California Penal Code that bars nonconsensual scrutiny of voice patterns to authenticate the speaker’s statements.

Both the Turner and the Gladstone courts refused to dismiss the cases. Per the Turner court, whether plaintiffs’ consent to the bank to record phone conversations extended to a third-party AI service presented “a factual dispute which is not appropriate for resolution at the pleadings stage.” 735 F. Supp. 3d at 1181. The Gladstone court rejected the argument that AI was merely helping banks improve their service at their bidding, noting that the data the AI entity collected was also “to improve its own products and services.” 739 F. Supp. 3d at 854–55.

State Law Implications for AI Use in Financial Institutions

In both actions, plaintiffs pressed claims against third parties who provided the AI service to the banks, and not against the banks. But financial institutions may not be immune from state privacy laws for their use of third-party AI tools or in-house AI.

California Penal Code § 631(a), for instance, imposes liability even on parties to a communication “who aids, agrees with, employs, or conspires with” non-parties to tap the communication. See Tate v. VITAS Healthcare Corp., 2025 WL 50447, at *7 (E.D. Cal. Jan. 8, 2025) (holding that § 631(a) is implicated when a phone-call participant allows a third party “access to the calls . . . to analyze the data [from] those calls”). Likewise, California Penal Code § 632.7 prohibits parties from intercepting, receiving and intentionally recording phone calls without consent, as well as assisting in such conduct. See, Smith v. LoanMe, Inc., 11 Cal. 5th 183 (2021) (holding that parties to a communication fall within the scope of § 632.7).

Analogous litigation risks to financial institutions for AI use are likely in about a dozen two-consent states where privacy laws require the consent of all parties to a communication to eavesdrop on or record conversations. See, e.g., Mulder v. Wells Fargo Bank, N.A., 2018 WL 3750627 (W.D. Pa. July 10, 2018), report and recommendation adopted, 2018 WL 3744821 (W.D. Pa. Aug. 7, 2018) (holding that Pennsylvania’s two-party consent rule applied to a bank’s recording of automated dialing calls to a customer).

Besides existing state privacy laws, burgeoning AI-specific state legislation also points to implications for the financial industry’s AI use. Proposed legislation in California, District of Columbia, Oklahoma, Rhode Island, and Vermont envisions private right of action against disparate impact of AI-aided decisions in credit and insurance. A bill in New York requires banks to notify loan applicants of AI use and the data such tools use in their lending decisions.

With most states legislating to regulate AI use even as the financial industry seeks to integrate AI into more facets of the business, litigation risks for the industry can be expected to heighten.

To navigate the state laws that implicate AI use and litigation risks, contact BCLP’s AI or Business and Commercial Disputes teams with any questions. Please note that BCLP does not provide advice to an entity unless we have been expressly engaged to provide such advice.