Call Recording and Monitoring Regulations
Recording and monitoring laws for call centers appear to be a crazy quilt of rules. Here is an introduction to U.S., Canadian, and European laws to make understanding them easier*.
Before skipping over Europe because a call center is elsewhere, consider one key fact. The European Union (EU) applies its 2018 privacy regulations to companies worldwide that do business with EU residents (if the residents are physically located in the EU at the time of the interaction). Requirements significantly exceed those of U.S. and Canadian law.
Finally, laws governing consent to monitor or record are not the end-all of compliance. Additional regulations and rules govern aspects of call recordings, based largely on content.
U.S. Federal and State Laws – An Introduction
U.S. federal law requires one-party consent for call recording or monitoring in call centers.
State laws can be more restrictive and require either one-party or all-party consent (sometimes called “two-party,” but the accurate term is “all-party” since there may be more than two parties to a call).
One-party consent: One party to the conversation consents to monitoring and/or recording.
All-parties consent: All parties to the conversation consent to monitoring and/or recording.
When a call center in one state handles a call from another, the laws of both states can apply. With cell phones, and VoIP phone services that can be moved to wherever there is a web connection, a caller could be anywhere.
For example, an electric utility that only services Louisville, Kentucky cannot assume that all of its calls originate there. The company could be speaking with a former Louisville resident who now lives in Los Angeles. The call could concern a final bill, return of a deposit, or perhaps this customer rents out their former home in Kentucky and continues to pay the utilities. Whatever the reason for the call, both California and Kentucky law can apply.
For this reason, it is prudent to comply with all state laws and obtain all-party consent. It is difficult or impossible to make a case for one-party consent, as shown in the decision tree below, Which U.S. State Laws Apply for Call Monitoring and Recording in a Call Center.
There are criminal penalties for non-compliance in all states except Vermont, as well as in the District of Columbia. Most states also allow civil suits.
U.S. States – One-Party vs. All Party
The following list is for businesses recording or monitoring phone calls. Most state laws apply both to real-time monitoring and recording.
In some states, different rules may apply to in-person conversations and to conversations recorded by a party who is not on the call.
All-party states are in red text.
(One-party if the person monitoring or recording the conversation is a party to it, or if one party has given prior consent.)
(There are conflicting state laws. Delaware’s wiretapping and surveillance law requires one-party consent. However, its privacy law, which is much less recent, requires all-party consent. There has been at least one federal court decision about the two-party privacy law.)
District of Columbia: one-party
(All-party if the recording device is in a private place.)
(One-party only if the recording party is a participant in the conversation.)
(Nevada’s statute requires one-party consent, however, the Nevada Supreme Court has held that all parties must consent.)
New Hampshire: all-party
New Jersey: one-party
New Mexico: one-party
New York: one-party
North Carolina: one-party
North Dakota: one-party
(One-party for electronic communications, all-party for in-person conversations.)
Rhode Island: one-party
(Consent is not necessary when the recorded party does not have a reason to expect privacy.)
South Carolina: one-party
South Dakota: one-party
(No specific law; based on a court case.)
(However, permission is considered given if one party announces in a reasonable manner that they will be recording the call and the announcement is part of the recording.)
West Virginia: one-party
(All-party consent required for a recording to be used in court.)
There are nuances in state laws that must be checked. What constitutes consent varies by state. There can be case law (court cases) that affect interpretation. Occasionally, laws are amended by state legislatures.
Additional introductory information, with links to state laws and some court case citations, is on web pages on the topic at Justia and the Digital Media Law Project (note: its information about Illinois law is outdated, and the state has since passed a new all-party consent law that is constitutional).
Canadian Laws: An Introduction
The Personal Information Protection and Electronics Government Act (PIPEDA) governs the majority of Canadian businesses outside of Alberta, British Columbia, and Quebec, which have their own province-specific regulations. However, PIPEDA governs banking, telecommunications, transportation, and other federally regulated businesses throughout Canada, even if located in Alberta, British Columbia, or Quebec.
For PIPEDA to apply, both the call originator and the receiver must be located in Canada. To comply, in general, businesses must:
1. Inform the other party at the start of the call.
2. Clearly inform the other party of all purposes of the call recording.
3. If there is an objection to recording, provide a meaningful alternative for contact (such as non-recorded phone, in-person, by mail, and so forth).
European Laws – An Introduction
In Europe, laws vary by country. Additionally, in nations that are members of the European Union, the EU’s General Data Protection Regulation (GDPR) governs call recording.
The European Union requires companies worldwide to comply with the GDPR rules when dealing with EU residents (while residents are physically located in the EU). Examples might be when an EU resident calls from their home to the U.S. to buy a ticket on an American domestic airline or to schedule an appointment at a U.S. hospital.
Among other things, the GDPR requires an action on the part of the caller to consent to recording, such as pressing a phone key, and a reason for recording calls that is considered legally valid. Such reasons are:
- Recording is required to comply with a contract.
- Recording is required to satisfy legal requirements.
- Recording is required to protect the interests of one or more participants.
- Recording of calls is necessary for safety or is in the public interest.
- Recording is in the legitimate interests of the recorder, provided those interests are not overwritten by the interests of the participants in the calls.
Additionally, the company must make the recording accessible and be able to produce it for the customer within 30 days. The company must also be able to permanently delete it, if requested, to comply with a customer’s “right to be forgotten.”
In a 2019 ruling, Denmark enforced GDPR call recording regulations and required the country’s largest telephone company, TDC/AS, to cease call recording because its processes did not comply.
Entities that provide services or goods to EU residents (while the residents are located in the EU), that regularly process the personal data of European Union residents, and that don’t have a corporate office in the EU may be required by law to appoint an EU GDPR representative.
* The purpose of this article is to provide a general overview and introduction to encourage a detailed review. These are not recommendations for any specific call center. Lieber & Associates assists clients with regulatory compliance based on client specifics, attorney advice, and industry best practices.
Lieber & Associates Inc. does not provide, and this article should not be construed as, legal advice. For legal counsel consult a competent attorney.