Is it legal to record calls and meetings? - A look at the global call recording laws

Since the pandemic, we’ve started to rely more on web conferencing platforms like Zoom and Google Meet for most of our daily meetings. Think about this for a second—when was the last time you left a meeting and said to yourself, “I’m not sure if I’ve captured everything perfectly. I wish I could go back and listen to the conversation again?” 

Happens often, right? And to add to it—Zoom and Google Meet don’t make it easy to record meetings either.

But before we get to the need for recording meetings, we need to answer a fundamental question—is it legal to record meetings?  

The short answer is: Yes, it is indeed legal to record virtual meetings and calls. 

The long answer is—there are nuances to it, depending on factors such as geographic location, reasons to record the meeting, security aspects, and more.

Through this blog post, let’s look at each of those factors in detail.

Disclaimer: We’re not legal experts, and this post is an effort to consolidate and simplify the various recording laws across the world for easy understanding.

Firstly, when to record, and when not to record?

Recording meetings is one of the most helpful ways of making sure you make the most out of your meeting conversation. Here are a few reasons when and why you should be recording your next meeting:

1. To ensure no critical information is lost in thin air
2. You have a reliable source of information to go back to
3. Keep people in the loop in case they missed the meeting
4. Review your meetings and improve yourself
5. Keep track of discussions related to a particular topic or project and more.

When not to record a meeting

While it is perfectly legal to record meetings or calls in general, certain situations have legal sensitivity when it’s best not to record. And if you have to record those meetings, you need to limit the access to those recordings to the concerned parties. For example:

Legal reasons: The laws for recording meetings are not universal. Sometimes certain states within the same country might need consent from both parties for recording, whereas, in some other states, it might be legal to record with the consent of one party alone.

Privacy sensitive conversations 

In case of conversations such as performance reviews and other 1:1 feedback meetings, which are private, you can record it with consent and restrict the recording access to the meeting participants alone.

How long can you retain the recordings?

Like most critical assets organizations maintain in storage systems, audio and video recordings also require secure storage. However, the complexities and requirements regarding recording storage policies differ across industries. 

For instance, the meeting recording of a conversation between a patient and a healthcare professional is categorized as a healthcare record. Since these conversations typically contain patient health information and personally identifiable data, HIPAA rules apply to those recordings, and the data requires encryption at rest. So, if you need to share the recordings, they require password protection and should be shared only with other authorized users. 

Depending on organizations and on a case-to-case basis, you may at times need to keep the recordings for 7-10 years. And before you record any conversation, you need consent from one or more parties.

Seeking consent for recording meetings and calls

Recording virtual meetings typically refer to recording conversations on web conferencing apps such as Zoom, GoogleMeet, Webex, etc. In comparison, recording calls mean recording conversations on the phone and using dialers such as Aircall, RingCentral, Kixie, etc.

From a legal standpoint, the most important factor to understand before recording a meeting or call is—consent. So, for starters, if you want to record a conversation, please let the participants know in advance that you plan to record the meeting—and seek their consent.   

There are four types of consent:

One-party consent:

One-party consent or single-party consent means that you can record a call or meeting as long as you have consent from one of the parties in the meeting. You don’t need explicit consent from the other party.

Two-party consent:

Two-party consent means all parties have to be informed that the call is being recorded, and the party recording the conversation must obtain prior consent from the other party. However, the consent may be given actively or passively.

Active consent: 

Active consent typically involves sending out a visual or audio cue to the meeting participants suggesting that the conversation would be recorded. The participants (other parties) need to actively give you their consent by either clicking an approval button confirming their consent or verbally giving you their consent to record.

Passive consent:

Passive consent refers to the scenario where the meeting participant receives the audio or visual cue (example: the announcement that says “This meeting is being recorded”) while in the meeting, and they don’t object to the recording. If the participants are willing to continue the meeting knowing it’s being recorded, they’ve passively given you their consent.

Now that we understand how ‘seeking consent to record meetings’ works let’s look at the recording laws across a few countries.

Recording laws in the United States (US)

In the US, the Electronic Communications Privacy Act (ECPA) guides the recording of calls. It includes video conference meetings and calls because the ECPA primarily governs acquiring aural transfer (any transfer containing the human voice from the point of origin to reception) through electronic communication channels.

The ECPA states that it is illegal to record a call without the consent of at least one party. As discussed above, the consent sought need not always be ‘active consent.’ But that said, states have developed their variations of the recording laws making it either similar to or more stringent.

The different states can make it more stringent because the ECPA rules serve only as a baseline. For instance, let’s take North Carolina as an example—it is a one-party consent state. It means—a meeting participant can actively or passively imply consent to a meeting recording as long as they’re notified that the meeting or call is recorded.

On the contrary, states such as California and Florida are two-party consent states, meaning—both parties must consent before recording the meeting. It means you need to share the intent to record the meeting in advance. The notification can be in the form of emails, audio disclaimer announcements, clickable CTAs, etc. And also, in this case, the meeting attendees can actively or passively give their consent.

Here’s a snapshot of the states in the US, based on the governing recording law:

One-party consent states:

Here is a list of 37 states (+DC) considered one-party consent states. In addition, Connecticut can also, at times, be regarded as a one-party consent state ​​because there are different laws for in-person conversations and phone/online conversations.

• Alabama
• Alaska
• Arizona
• Arkansas
• Colorado
• District of Columbia
• Georgia
• Hawaii
• Idaho
• Indiana
• Iowa
• Kansas
• Kentucky
• Louisiana
• Maine
• Minnesota
• Mississippi
• Missouri
• Nebraska
• Nevada
• New Jersey
• New Mexico
• New York
• North Carolina
• North Dakota
• Ohio
• Oklahoma
• Rhode Island
• South Carolina
• South Dakota
• Tennessee
• Texas
• Utah
• Vermont (there’s no recording law per se, hence the Federal law applies)
• Virginia
• West Virginia
• Wisconsin
• Wyoming

Two party consent states (all-party consent):

What are Two Party Consent States? A two party consent state is a state where both parties to a conversation must consent to the recording of that conversation. This is in contrast to a one party consent state, where only one party to the conversation needs to consent to the recording.

• California
• Delaware
• Florida
• Illinois 
• Maryland 
• Massachusetts 
• Michigan 
• Montana 
• New Hampshire 
• Oregon 
• Pennsylvania 
• Washington
• Connecticut (as discussed - one-party as well as two-party consent state)

Mixed Consent States 

A few states, such as Oregon, Nevada, and Vermont, either have somewhat ambiguous regulation (Nevada) or no regulation at all (Vermont). The meeting participants from those states are protected and must comply with the law which governs their location. Hence, multiple laws may apply to the same recorded conversation.

So, it’s best to err on the side of caution by always complying with the highest requirements.

Recording laws in the European Union (EU)

The recording laws don’t change drastically in the EU, but we can certainly say that the EU has some of the most stringent recording laws. As long as your organization operates in the EU member states or has customers in the EU, you’re required to follow the rules outlined in the European Union’s General Data Protection Regulation (GDPR). 

GDPR states you need to justify the need to record the call or meeting and obtain unambiguous consent from all parties before recording any conversation. The law works very similarly to the two-party consent states in the US.

Some acceptable reasons to record meetings as per GDPR:

• The recording is necessary for the fulfillment of a contract to which the party is involved.
• The recording is done for the fulfillment of legal obligations.
• The recording is necessary to protect the interests of one or more parties.
• The recording is in the public’s interest or done in official authority.
• The recording is in the legitimate interest of the recorder as long as such interests are not overridden by the interests of the other parties to the call or conversation.

Data retention, storage and protection requirements:

The law clearly states that all recordings can only be stored for as long as it is necessary to fulfil the purposes for which the data were collected or processed. But in cases of public interest, scientific or statistical, or research purposes, the data can be stored for more extended periods.

While you retain the recordings, you need to:

• Pseudonymize (ensure the personal data cannot be linked to a specific individual) and encrypt all personally identifiable data. 
• Ensure the confidentiality, integrity, availability, and resilience of processing systems and services, thus protecting from unauthorized access
• Guarantee the availability and access to personal data on time in case of a physical or technical incident
• Have an established process for regularly testing, assessing, and evaluating the effectiveness of security measures.

Right to access recordings

The participants of the calls and meetings have the right to access the recording and also request more information on:

• The purpose of the information gathered and processed
• Categories of personal data concerning them
• The parties that’ll have access to the recording
• How long the data would be stored (if possible)
• The existence of automated decision-making, including profiling and meaningful information about the logic involved, significance, and possible consequences of such processing for the data subject.

Right to request erasure

GDPR also allows the data subjects to request the erasure of the data concerning them, and it needs to be erased without any delay. The data subjects can request deletion of data if:

• The data is not collected from them.
• The data is no longer needed for the purposes they were collected or processed.
• They withdraw consent for the processing.
• The recording has been illegally processed.
• The personal data involves children.

Recording laws in Canada

Canadian recording laws are straightforward. They have a ‘two-party/ all-party consent’ mandate. So, when you record a conversation involving a Canadian meeting participant, you need to:

• Obtain consent for recording in advance (actively or passively)
• Share the purpose of recording in advance
• Seek consent from every meeting participant

Recording laws in Australia

Across Australia, it’s perfectly legal to record meetings and calls as long as you have two-party consent by informing them in advance. In case of an outbound cold call, you need to let them know at the beginning of the conversation that you will be recording, and the participants have the right to request to be transferred to a non-recording line.

Recording laws in SouthAfrica (RICA Act)

South Africa has similar recording laws to Canada and the two-party consent states in the US. The recordings of communications in SouthAfrica are regulated by the Regulation of Interception of Communications and Provision of Communication-Related Information Act of 2002 (known as RICA).

Compliance aspects to look for when evaluating recording software

As you get to evaluating conversation intelligence software for recording and analyzing calls and meetings across dialers and web conferencing tools, you may notice that pretty much everyone adheres to compliance. But, most systems are compliance capable and not necessarily compliance optimal.

Compliance capable solutions

Compliance capable solutions refer to a product’s capability to comply with the regulations perfectly, but they might not necessarily incentivize the users to keep those compliance levers switched on. 

Not every user will remember and switch on or off a compliance safety measure. And this is where compliance-capable solutions miss the mark by not balancing the capabilities with user experience.

Here’s an example:

Repeated announcements: As discussed earlier, one of the mandates for obtaining consent is to make a mandatory announcement saying “This meeting is being recorded” when someone joins the meeting. A compliance capable solution announces every time someone joins the meeting to the entire room, instead of announcing only the new attendees. 

From a user experience standpoint, you don’t want to interrupt the conversation flow of people in the middle of a meeting.

Compliance optimized solution

Compliance optimized solutions balance compliance requirements and user experience quite well. They deliver the goal of being fully compliant without making the user perform a lot of manual steps.

For example:

1. The mandatory announcements are made only to individual attendees and not to the whole group in the meeting or call
2. Instead of sending a separate email notifying the intent to record the call (which can get missed), compliance optimized solutions ensure visibility by placing the cue within the calendar right where they accept the meeting.

5 questions to ask your vendor before buying their call recording software

Below is a list of questions that you should consider asking call recording providers when you’re evaluating their compliance:

1. What are your call recording best practices in One-Party Consent / Two-Party Consent states and the EU?
2. Is obtaining consent from your attendees across geographies an automated feature your platform offers?
3. How do you ensure compliance if the meeting participant hasn’t opened the notification email before the meeting?
4. How do you announce the recording disclaimer?
5. How do you handle consents for cold calls?

How does Avoma comply with the recording laws?

We at Avoma take compliance seriously. While it is your responsibility to comply with the regulations and seek consent, Avoma offers ways to automate and enable the process.

1. You can enable the following notifications to seek consent from your participants:

i. Email reminder to participants along with a consent disclaimer 

ii. In addition to the email, you can include the consent disclaimer that the meeting will be recorded as a resource for both parties, right within the calendar. It’s hard to miss because it’s right above the meeting acceptance buttons.

2. For more clarity, we recommend you explicitly name the bot, so it’s clear that the bot has joined the call to record. Example: You can name it – ‘Avoma Recorder.’
   

3. When you record meetings natively using a conferencing tool, you’ll always see a constantly blinking red button indicating that the call is recorded.
   

4. If you’re recording the meeting natively using Zoom Cloud, every new meeting participant joining the call gets an audio alert/announcement that the meeting is being recorded. The announcement is heard only by the new meeting participant without interrupting the conversation flow of existing participants.
   
   And if you choose to record using the Avoma Bot, you have to enable the audio announcement, and your meeting participants will start hearing the announcements.

5. The meeting recording is accessible to both parties as long as they are Avoma users. And in case of sharing the meeting with a non-Avoma user, you can control the access permission on what they get to see.

6. Regardless of the meeting participants being from a single-party or two-party consent state, we recommend ​​that you proactively notify all of them and seek consent.

7. In case of a cold outbound call made from a dialer, we recommend the SDRs and BDRs explicitly announce that the call is being recorded right at the beginning of the call. 
   

For example, they can say something like, “Hey! This is John Doe from Acme Inc., and I’m calling from a recorded line.” 

And if the called party continues to stay on the call, it means that they have passively consented. This disclosure isn’t required in single-party consent states, but we recommend standardizing the process across the board.

Summing up… 

We hope this blog post gives you a good perspective on the legal aspects of recording meetings and calls worldwide. With Avoma, we try to make it easy for you to ensure compliance with the call recording laws by automating the process and are committed to keeping up with the changes and updates.

We also ensure that this post is continuously updated as the changes occur.