Call Recording and Monitoring Regulations
Revisited


Statue of the scales of justice balancing a consumer cell phone versus a business phone

Recording and monitoring laws for call centers appear to be a crazy quilt of rules. Here is an introduction to U.S., Canadian, and European laws to make understanding them easier*.


Before skipping over Europe because a call center is elsewhere, consider one key fact. The European Union (EU) applies its 2018 privacy regulations to companies worldwide that do business with EU residents (if the residents are physically located in the EU at the time of the interaction). Requirements significantly exceed those of U.S. and Canadian law.


Finally, laws governing consent to monitor or record are not the end-all of compliance. Additional regulations and rules govern aspects of call recordings, based largely on content.


U.S. Federal and State Laws – An Introduction


U.S. federal law requires one-party consent for call recording or monitoring in call centers.


State laws can be more restrictive and require either one-party or all-party consent (sometimes called “two-party,” but the accurate term is “all-party” since there may be more than two parties to a call).


Map Showing the 50 U.S. States and District of Columbia

One-party consent: One party to the conversation consents to monitoring and/or recording.


All-parties consent: All parties to the conversation consent to monitoring and/or recording.


When a call center in one state handles a call from another, the laws of both states can apply. With cell phones, and VoIP phone services that can be moved to wherever there is a web connection, a caller could be anywhere.


For example, an electric utility that only services Louisville, Kentucky cannot assume that all of its calls originate there. The company could be speaking with a former Louisville resident who now lives in Los Angeles. The call could concern a final bill, return of a deposit, or perhaps this customer rents out their former home in Kentucky and continues to pay the utilities. Whatever the reason for the call, both California and Kentucky law can apply.


For this reason, it is prudent to comply with all state laws and obtain all-party consent. It is difficult or impossible to make a case for one-party consent, as shown in the decision tree below, Which U.S. State Laws Apply for Call Monitoring and Recording in a Call Center.


There are criminal penalties for non-compliance in all states except Vermont, as well as in the District of Columbia. Most states also allow civil suits.


U.S. States – One-Party vs. All Party


The following list is for businesses recording or monitoring phone calls. Most state laws apply both to real-time monitoring and recording.


In some states, different rules may apply to in-person conversations and to conversations recorded by a party who is not on the call.


All-party states are in red text.


Alabama: one-party

Alaska: one-party

Arizona: one-party

Arkansas
(One-party if the person monitoring or recording the conversation is a party to it, or if one party has given prior consent.)

California: all-party

Colorado: one-party

Connecticut: all-party

Delaware
(There are conflicting state laws. Delaware’s wiretapping and surveillance law requires one-party consent. However, its privacy law, which is much less recent, requires all-party consent. There has been at least one federal court decision about the two-party privacy law.)

District of Columbia: one-party

Florida: all-party

Georgia: one-party

Hawaii: all-party
(All-party if the recording device is in a private place.)

Idaho: one-party

Illinois: all-party

Indiana: one-party

Iowa: one-party

Kansas: one-party

Kentucky: one-party

Louisiana: one-party

Maine: one-party

Maryland: all-party

Massachusetts: all-party

Michigan: all-party
(One-party only if the recording party is a participant in the conversation.)

Minnesota: one-party

Mississippi: one-party

Missouri: one-party

Montana: all-party
(Requires notification.)

Nebraska: one-party

Nevada: all-party
(Nevada’s statute requires one-party consent, however, the Nevada Supreme Court has held that all parties must consent.)

New Hampshire: all-party

New Jersey: one-party

New Mexico: one-party

New York: one-party

North Carolina: one-party

North Dakota: one-party

Ohio: one-party

Oklahoma: one-party

Oregon: all-party
(One-party for electronic communications, all-party for in-person conversations.)

Pennsylvania: all-party

Rhode Island: one-party
(Consent is not necessary when the recorded party does not have a reason to expect privacy.)

South Carolina: one-party

South Dakota: one-party

Tennessee: one-party

Texas: one-party

Utah: one-party

Vermont: all-party
(No specific law; based on a court case.)

Virginia: one-party

Washington: all-party
(However, permission is considered given if one party announces in a reasonable manner that they will be recording the call and the announcement is part of the recording.)

West Virginia: one-party

Wisconsin: one-party
(All-party consent required for a recording to be used in court.)

Wyoming: one-party

There are nuances in state laws that must be checked. What constitutes consent varies by state. There can be case law (court cases) that affect interpretation. Occasionally, laws are amended by state legislatures.


decision tree for one-party vs. all-party consent for call recording in call centers

Additional introductory information, with links to state laws and some court case citations, is on web pages on the topic at Justia and the Digital Media Law Project (note: its information about Illinois law is outdated, and the state has since passed a new all-party consent law that is constitutional).


Canadian Laws: An Introduction


The Personal Information Protection and Electronics Government Act (PIPEDA) governs the majority of Canadian businesses outside of Alberta, British Columbia, and Quebec, which have their own province-specific regulations. However, PIPEDA governs banking, telecommunications, transportation, and other federally regulated businesses throughout Canada, even if located in Alberta, British Columbia, or Quebec.


Map showing the Canadian provinces

For PIPEDA to apply, both the call originator and the receiver must be located in Canada. To comply, in general, businesses must:

1. Inform the other party at the start of the call.

2. Clearly inform the other party of all purposes of the call recording.

3. If there is an objection to recording, provide a meaningful alternative for contact (such as non-recorded phone, in-person, by mail, and so forth).


Here are the basics about the Recording of Customer Telephone Calls from Canada’s Privacy Commissioner. Here is the Privacy Commissioner’s page with information about PIPEDA.


European Laws – An Introduction


In Europe, laws vary by country. Additionally, in nations that are members of the European Union, the EU’s General Data Protection Regulation (GDPR) governs call recording.


Map showing the countries of Europe

The European Union requires companies worldwide to comply with the GDPR rules when dealing with EU residents (while residents are physically located in the EU). Examples might be when an EU resident calls from their home to the U.S. to buy a ticket on an American domestic airline or to schedule an appointment at a U.S. hospital.


Among other things, the GDPR requires an action on the part of the caller to consent to recording, such as pressing a phone key, and a reason for recording calls that is considered legally valid. Such reasons are:

  • Recording is required to comply with a contract.
  • Recording is required to satisfy legal requirements.
  • Recording is required to protect the interests of one or more participants.
  • Recording of calls is necessary for safety or is in the public interest.
  • Recording is in the legitimate interests of the recorder, provided those interests are not overwritten by the interests of the participants in the calls.


Additionally, the company must make the recording accessible and be able to produce it for the customer within 30 days. The company must also be able to permanently delete it, if requested, to comply with a customer’s “right to be forgotten.”


In a 2019 ruling, Denmark enforced GDPR call recording regulations and required the country’s largest telephone company, TDC/AS, to cease call recording because its processes did not comply.


Entities that provide services or goods to EU residents (while the residents are located in the EU), that regularly process the personal data of European Union residents, and that don’t have a corporate office in the EU may be required by law to appoint an EU GDPR representative.


Here is the text of the European Union's GDPR. The EU co-funds this website about GDPR Compliance.


* The purpose of this article is to provide a general overview and introduction to encourage a detailed review. These are not recommendations for any specific call center. Lieber & Associates assists clients with regulatory compliance based on client specifics, attorney advice, and industry best practices.


Lieber & Associates Inc. does not provide, and this article should not be construed as, legal advice. For legal counsel consult a competent attorney.



Knowledgebase for Contact Centers
Article by Mitchell Lieber

Lieber & Associates Knowledgebase Blog Logo

Go to:


Subscribe!

Receive links to new Knowledgebase how-to articles as soon as they are published.


  

* required

Send or Share This Article

Send via: Email Gmail Messenger WhatsApp

Share on: Twitter Facebook

Download as: