Voice cloning used to require months of recorded material and specialist audio engineering. Now a short audio sample and one of several off-the-shelf tools, ElevenLabs, Microsoft Azure AI Speech, or Google Cloud Text-to-Speech, will produce something many listeners cannot distinguish from the original in a brief listen. Small professional services firms are exploring this technology for website explainers, IVR menus, and outbound messaging. The question that causes the pause: is it actually legal?
What is AI voice cloning, legally speaking?
In the UK, there is no standalone voice cloning law. Using AI to replicate someone’s voice engages several overlapping legal frameworks: data protection under UK GDPR, privacy rights, performers’ rights under the Copyright, Designs and Patents Act 1988, passing off, consumer protection rules, and fraud law. The legality of any given use depends on whose voice is involved, what the purpose is, and whether the person whose voice it is knew.
A person’s voice can qualify as biometric data under UK GDPR if it is processed in a way that uniquely identifies them. That pushes it into the special-category tier, which carries stricter requirements for both processing and storage. The ICO has been clear in its draft biometric data guidance that systems processing voice for identification purposes carry higher risks and generally require a Data Protection Impact Assessment before deployment.
The practical implication: if you clone a named staff member or a recognisable customer, the legal bar is materially higher than if you use a generic synthetic voice not based on any real individual. Vendor-provided synthetic voices, the pre-built options in tools like ElevenLabs or Azure AI Speech, largely sidestep the biometric-data question.
Why does it matter for owner-managed businesses?
The legal risk for a services firm runs in two directions. Your voice or your staff’s voices can be cloned and used against you in fraud. And your business can trigger liability if you clone someone else’s voice without the right protections in place. TSB Bank reported a 15-fold increase in AI-generated voice scam cases over 18 months as of early 2024.
The ICO’s enforcement action against Clearview AI, though ultimately overturned on jurisdiction grounds, made clear that the regulator is prepared to act against large-scale biometric profiling without a lawful basis. Voice profiling at scale is a close analogue to facial recognition profiling, and the direction of regulatory scrutiny has not eased.
Cyber insurance is relevant here too. Policies increasingly include conditions around social engineering and impersonation controls. Insurers may expect documented call-back verification for high-value financial instructions, and a firm whose voice recordings are widely accessible with no internal controls may find its position weaker after an incident.
In regulated sectors, the exposure is wider still. The FCA expects firms to treat their use of new technology with the same care they apply to any other operational risk. Using cloned voices in customer-facing calls without proper disclosure or controls can create conduct risk, even when the underlying technology is sophisticated.
Where will you actually encounter it?
The three most common scenarios for a small services firm are: cloning the founder’s own voice for marketing content, creating a synthetic brand voice using a vendor-provided model not based on any real individual, and using AI-generated narration for internal training or knowledge content. Each carries a different risk profile. Cloning a staff member’s voice for outbound customer calls without their explicit written consent sits firmly in the high-risk category.
The lowest-risk starting point is to clone your own voice as founder for content that is clearly labelled as synthetic. A brief disclosure, spoken or written, covers the transparency requirement under the EU AI Act’s Article 50, which requires deployers to label AI-generated or manipulated audio where a listener might realistically be confused.
Generic synthetic voices from established providers carry less legal complexity, because they are not built from any identified individual’s recordings. They still require a lawful basis for processing personal data contained in the scripts, but the biometric-data question drops away.
Cloning customer voices is where many owner-managed businesses should stop. The compliance overhead is significant, the benefit to a small services firm is rarely proportionate, and the consent requirements are difficult to satisfy correctly without dedicated legal advice.
When is voice cloning low risk, and when does it cross a line?
Low-risk uses share three features: the voice belongs to someone who gave written consent, the content is labelled as synthetic where confusion is possible, and no biometric identification is involved. High-risk uses involve cloning without consent, using the voice in a context that could mislead customers about who they are dealing with, or processing at a scale that would concern the ICO.
For a firm that wants to use its founder’s voice in website content and branded voicemail, the practical steps are straightforward. Get a signed agreement covering what the voice will be used for, how long the arrangement runs, and how consent can be withdrawn. Add a brief disclosure. Update your privacy notice to mention AI audio processing and the vendor involved. Ask the vendor for confirmation that their training data is lawfully obtained.
If you are in financial services or healthcare, add a Data Protection Impact Assessment to that list. The ICO’s draft biometric data guidance requires a DPIA for any system that processes voice in ways that could identify individuals, and the ICO can request to see it.
The UK Fraud Act 2006 applies where a cloned voice is used to make a false representation with a view to gain. That includes CEO voice scams, where a cloned voice is used to authorise a payment transfer. A firm whose founder’s voice is publicly accessible in audio form should consider implementing call-back verification for high-value financial instructions, regardless of whether the firm uses voice cloning itself.
What other rules are worth knowing?
Three additional legal frameworks sit alongside the main data protection and fraud law picture. They cover performers’ rights under UK copyright law, the EU AI Act’s disclosure requirements for UK firms serving EU customers, and the Consumer Protection from Unfair Trading Regulations 2008. Understanding them prevents compliance gaps that are easy to miss when the focus is only on UK GDPR.
Under the Copyright, Designs and Patents Act 1988, performers have exclusive control over the recording and exploitation of their performances. A staff member whose voice is recorded without their knowledge or agreement for training a clone could use performers’ rights to object. A solid written consent process resolves this, but a verbal agreement is unlikely to be sufficient.
The EU AI Act’s Article 50 requires deployers of systems that generate or manipulate audio to disclose that the content is artificially produced, unless the context makes this obvious to a reasonable person. UK firms serving EU customers fall within its scope for voice content delivered to EU recipients.
Under the Consumer Protection from Unfair Trading Regulations 2008, misleading a customer into believing they are speaking to a human when they are not can be an unfair commercial practice if it influences their transactional decision. A short spoken or written disclosure at the start of a call, or in the adjacent copy, covers the requirement.
The practical decision gate before you deploy voice cloning in any form is four questions: whose voice, what purpose, what disclosure, and what consent? Those four questions map to the main legal risks. If any answer is unclear, a brief consultation with a data protection solicitor is considerably less expensive than responding to an ICO enquiry.
