This guide on call recording laws is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before making compliance decisions for your organization.
Table of contents
- What do federal call recording laws require?
- What is the difference between one-party and all-party consent?
- Which states require all-party consent for call recording?
- What happens when a call crosses state lines?
- How does remote work change compliance with call recording laws?
- What does non-compliance cost?
- Are certain industries subject to stricter call recording requirements?
- What should a compliant call recording setup do?
- How does Landis Call Recording support compliance?
- Where do you start?
Many businesses record calls, but few have read the law or considered the cost of getting it wrong.
For example:
- Fifth Third Bank paid $50 million in a class action settlement over recorded calls to California businesses without consent.
- Wells Fargo has settled multiple call recording cases totaling over $47 million in California alone.
- A single undisclosed recorded call with a California resident can trigger a civil lawsuit for statutory damages with no requirement that the plaintiff prove actual harm.
We built call recording software for Microsoft Teams, and to do that, we needed to understand this thoroughly. What follows is what we learned: the federal baseline, state-by-state consent requirements, the interstate problem, and the software features that make compliance manageable.
Use this as a starting point for a conversation with your legal counsel, not a substitute for one.
What do federal call recording laws require?
The primary federal statute governing call recording is the Electronic Communications Privacy Act (ECPA), specifically 18 U.S.C. § 2511. At the federal level, the standard is one-party consent: recording a call is legal as long as one participant in the conversation consents. That participant can be you, the person initiating the recording.
This means that a business recording its own customer service or contact center calls satisfies federal consent requirements simply by having the recording system in place. The recording party is a participant who has consented.
Federal criminal penalties for ECPA violations can be up to five years' imprisonment per violation and fines of up to $250,000 for individuals and $500,000 for organizations. Section 2520 provides for civil liability on top of that.
But federal law is the floor, not the ceiling. States are free to set stricter requirements, and many have.
What is the difference between one-party and all-party consent?
One-party consent means a single participant in the conversation can authorize the recording. No disclosure to other parties is legally required, though it remains good practice.
All-party consent means every person on the call must be informed of and consent to the recording before it begins. Continuing the conversation after receiving a clear notification that the call is being recorded generally satisfies this requirement. This is called implied consent, and it is why automated “this call may be recorded” messages are so common.
This means that if your business calls customers in an all-party consent state without an upfront recording disclosure, you may be out of compliance regardless of what federal law says.
Which states require all-party consent for call recording?
The following reflects our research into current state statutes. Verify the current status with legal counsel, as laws can and do change.
States requiring all-party consent:
| State | Notes |
|---|---|
| California | Strictest in the country; CIPA allows $5,000 civil penalty per violation, no proof of harm required |
| Delaware | All-party consent required |
| Florida | Violations can be prosecuted as felonies |
| Illinois | Applies to private telephone conversations |
| Maryland | Up to 5 years imprisonment for violations |
| Massachusetts | Criminal penalty up to $10,000 and 5 years imprisonment |
| Montana | All-party consent required |
| Nevada | Technically one-party by statute; courts interpret it as all-party for phone calls |
| New Hampshire | All-party consent required |
| Pennsylvania | Felony penalties may apply; no participant exception under state wiretap law |
| Washington | All-party consent required |
All other states and D.C. follow the federal one-party standard.
Something worth noting: Connecticut applies one-party consent in criminal cases but requires all-party consent to avoid civil liability for private telephone conversations. Always verify your specific state’s current rules.
What happens when a call crosses state lines?
The FCC has explicitly stated it has no rules governing interstate call recording by individuals and has not moved to create any. That leaves a patchwork of state laws and judicial interpretations.
The controlling precedent is Kearney v. Salomon Smith Barney, Inc. (California Supreme Court, 2006). A Georgia-based brokerage routinely recorded calls with California clients. Georgia required only one-party consent, but California required all-party consent. The court applied California law, finding that California’s interest in protecting its residents’ privacy would be more impaired if its law did not apply, which made the out-of-state location of the recording party irrelevant.
The implication is that if a caller is located in an all-party consent state, that state’s law likely governs, regardless of where your agent is. Every major law firm that has published guidance on this topic converges on the same recommendation: implement universal all-party consent notification on every recorded call, regardless of participant locations.
The FCC has identified three accepted methods for obtaining consent:
- Verbal notification before the recording begins
- Written consent obtained in advance
- An audible beep tone at regular intervals
The most defensible for business use is an automated message at the start of every call.
How does remote work change compliance with call recording laws?
Before 2020, most companies could map their recording obligations to a finite number of call center locations, but remote work changed that. The core legal principle is that employment laws apply based on the location of the employee. So an agent working from home in California subjects the company to California’s CIPA, even if the company is headquartered in Texas and has never had a physical presence in California.
Per Reed Smith LLP’s guidance, “If even one participant is located in an all-party consent state, the meeting organizer must obtain consent from everyone involved to be compliant.” Seyfarth Shaw adds that companies need to understand the law where employees work and travel, meaning even temporary relocation creates exposure.
No published court decision has yet addressed a case where an agent’s remote-work location was the specific jurisdictional trigger for a recording violation. However, that is not reassurance; it simply means the case hasn’t arrived yet. The legal infrastructure from Kearney combined with the employee-location doctrine makes such a case entirely possible.
It is wise to maintain a continuously updated roster of every state where remote employees work and to map the applicable consent requirements to each.
What does non-compliance cost?
Federal level: ECPA violations carry up to five years imprisonment and fines up to $500,000 for organizations. Civil liability is available under Section 2520.
California (CIPA): Civil plaintiffs can recover $5,000 per violation or three times actual damages, whichever is greater. No proof of actual harm is required. This structure makes class action litigation economically viable at scale, and plaintiffs’ firms have industrialized it. Since 2022, legal research firm estimates put CIPA-related filings and demand letters at 50,000 to 100,000 or more, with plaintiff firms sending hundreds of demand letters monthly.
Examples of California’s largest call recording settlements:
- Fifth Third Bank: $50 million settlement (Narayan v. Fifth Third Bank, 2022) — recorded calls to California small businesses without consent during telemarketing campaigns
- Wells Fargo (Narayan): $28 million settlement, 2021
- Wells Fargo (Credit Wholesale): $19.5 million settlement, 2024-2025, covering approximately 102,000 California businesses
- Allstate (Tobajian v. Allstate): $3.3 million settlement, 2024
- Wells Fargo AG action: $8.5 million California Attorney General settlement, 2016, for failing to timely disclose automatic call recording to consumers
Maryland and Massachusetts: Both carry criminal penalties up to five years imprisonment for illegal recordings.
Florida: Violations can be prosecuted as felonies under certain circumstances.
Pennsylvania: No participant exception under the state wiretap statute. Even recording your own customers without disclosure can create liability.
The less quantifiable cost is reputational. A class action lawsuit over recording disclosures is not the kind of press any organization wants.
Are certain industries subject to stricter call recording requirements?
Yes, and those industries face a more complex compliance picture than call recording consent law alone.
Financial services operates under some of the most demanding recording obligations in any industry. SEC Rule 17a-4 requires broker-dealers to preserve all communications relating to the securities business for at least three years, with the first two years in easily accessible storage. FINRA Rule 3110 requires supervision of all communications on approved channels. FINRA Rule 3170 mandates that certain firms record all telephone conversations with customers and retain them for three years minimum.
The enforcement record shows that between December 2021 and early 2025, the SEC and CFTC levied over $3.5 billion in fines against financial firms for failures to capture and retain business communications, including JPMorgan ($200 million, December 2021), 16 firms in the September 2022 sweep ($1.8 billion combined), 11 firms in August 2023 ($549 million combined), and 26 firms in August 2024 ($474 million combined).
Healthcare organizations face a different dynamic: HIPAA does not require call recording, but it regulates it heavily once you do. When a recorded call contains Protected Health Information, the recording becomes electronic PHI subject to the full HIPAA Security Rule, which means encryption at rest and in transit, role-based access controls, audit logging, and secure disposal. The call recording vendor becomes a Business Associate under HIPAA and must sign a Business Associate Agreement before any PHI is shared. Operating without a BAA is a standalone HIPAA violation regardless of whether a breach occurs.
Payment processing adds a third layer for any contact center handling card payments. PCI DSS prohibits storing Sensitive Authentication Data like CVV codes, PINs, and full magnetic stripe data after authorization, with no exceptions. PCI DSS v4.0.1, with a compliance deadline of March 31, 2025, effectively made the traditional pause-and-resume recording approach obsolete by demanding proactive prevention of cardholder data capture rather than reactive manual pausing. DTMF masking, where customers enter card data via keypad with tones suppressed so they never enter the audio stream, is now the expected technical solution.
For organizations in financial services, this creates the following conflict: FINRA, MiFID II, and Dodd-Frank require complete and uninterrupted recording of all calls. PCI DSS requires that cardholder data never appear in recordings. DTMF masking is how the industry resolves that conflict technically, but the technology must be specifically configured.
Landis Call Recording is designed for quality assurance and documentation use cases. Organizations in regulated industries with mandatory compliance recording requirements should confirm their specific obligations with legal counsel and evaluate whether additional compliance recording infrastructure is needed for their situation.
What should a compliant call recording setup do?
Play an automatic disclosure on every recorded call. The message should be clear and should play before the conversation begins. Manual disclosure, which relies on agents to announce recording, creates inconsistency and compliance gaps that become class action exposure at scale.
Give administrators policy-level control by user, queue, and call type, since not every call warrants the same treatment. Your recording system should allow administrators to set policies once and apply them consistently, without depending on agent behavior.
Restrict access based on role. Not everyone should be able to listen to every recording. Role-based access controls limit who can play back, download, or export recordings, and audit logs document who accessed what and when.
Define and enforce retention policies. How long recordings are stored, and what happens when the retention period ends, should be a documented policy enforced by the software. Different regulatory frameworks carry different retention requirements, and your system needs to support configurable policies per organization and per use case.
Offer data sovereignty options. For organizations with jurisdiction-specific data residency requirements, control over where recordings are stored is a compliance requirement, not a preference.
Store recordings securely with full audit trails. Secure storage with access logging, encryption, and defined controls over sharing is a baseline expectation.
Document your consent policy. Written documentation of your policy, which should include what you record, why, who has access, and how long it is retained, provides the paper trail that compliance reviews require.
For organizations already on Microsoft Teams, a Teams-native recording solution also eliminates the third-party data exposure that comes with routing calls through an external system. Call audio stays within your existing secure Teams ecosystem, which simplifies both security reviews and compliance documentation. You can read more about how Landis achieved ISO 27001 certification and what it covers.
How does Landis Call Recording support compliance?
Landis Call Recording is a native Microsoft Teams product. It can be used as a built-in feature of Landis Contact Center or deployed as a standalone product.
Automatic disclosure. Recording notifications are built into the call flow. When Landis’s audio notification is configured off, the organization takes explicit responsibility for ensuring all legally required notices have been provided through other means, either through a custom recording played before recording begins, or through terms requiring users to personally notify participants. The product places responsibility for disclosure at the configuration level and documents it.
Policy-based recording governance. Recordings can be set to trigger automatically based on configurable policies (by user, by queue, or on demand). Administrators set policies once; the system applies them consistently.
Configurable retention. Recordings are stored for 90 days by default. Organizations can configure storage in their own Azure Blob Storage for extended or custom retention periods. Admins can delete recordings directly from the Landis portal, giving compliance and legal teams direct control over what is retained and for how long.
Data sovereignty. Storage options include multiple Azure regions, supporting organizations with specific data residency requirements. This can be useful for multinational operations or regulated industries with jurisdiction-specific rules.
Role-based access and audit logs. Access to recordings is controlled by role. Audit logs track configuration changes and user activity, providing the documentation trail that compliance reviews require.
Microsoft Teams and Azure infrastructure. Call audio remains within your secure Teams ecosystem. Landis is ISO 27001 certified and GDPR and HIPAA compliant.
Other Resources: You can also explore how Landis Contact Center uses the Teams Extend Model for more on the underlying architecture, or call quality monitoring best practices for how recorded calls can be used effectively once captured. Organizations like Connect Mat-Su have used Landis Call Recording to improve training and service quality alongside compliance.
Where do you start?
Compliance with call recording laws, put concisely, is this: disclose before you record, automate that disclosure, and make sure your software enforces the policy consistently.
It gets harder when considering the interstate question, the remote workforce variable, and the gap between what your software does by default and what your legal team has reviewed. Most compliance problems come not from bad intent, but from policies that weren’t designed for a distributed workforce operating across multiple states.
If you want to see how Landis Call Recording handles disclosure and policy configuration in a Microsoft Teams environment, book a demo and we can walk you through how it works.


