Last updated 2026-07-09

TL;DR
Federal law (18 U.S.C. § 2511) lets you record a call if you are a party to it. That is the one-party rule. But 13 U.S. states require every person on the line to consent before recording starts. The UK requires notification under RIPA 2000. If your calls cross state lines, default to the strictest rule in play, which usually means all-party consent.
What is the federal law on recording telephone calls?
Federal law sets the floor, and the floor is one-party consent. The Electronic Communications Privacy Act (ECPA), specifically 18 U.S.C. § 2511, makes it a federal crime to intercept a wire or oral communication without the consent of at least one party to that conversation [1]. Since the person hitting record is almost always a party to the call, they meet that requirement just by being on the line. That is why, at the federal level, you can record your own calls without telling the other person.
The penalty is steep. The statute allows criminal fines plus civil recovery of the greater of $100 per day of violation or $10,000 [1]. Private suits are common, and the law shifts attorney fees to the winning plaintiff. That fee-shifting is what turns a technical violation into a real threat for a small team.
The FCC keeps a separate rule under 47 C.F.R. § 64.501 that applies to common carriers and telephone companies, requiring them to notify callers before recording [2]. If you run an outbound call center or use a VoIP provider, your provider may already fall under that rule. It does not replace your own duty under federal or state wiretapping law.
Keep one thing straight. The TCPA (47 U.S.C. § 227) governs autodialing, prerecorded messages, and Do Not Call compliance. It says nothing about recording consent [3]. The TCPA and the ECPA are separate statutes with separate consent rules. Confusing the two is the most common mistake I see when a team drafts its first call policy.
Which states require all-party (two-party) consent to record a call?
Thirteen states go past the federal floor and require every party on a call to consent before anyone records. People call these "two-party consent" states. "All-party consent" is the better label, because a call can have more than two people on it.
The thirteen all-party consent states as of mid-2025 are California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington [4].
California's Invasion of Privacy Act (Penal Code § 632) generates the most lawsuits, mostly because its private right of action lets plaintiffs recover $5,000 per violation or three times actual damages, whichever is greater [5]. One recorded sales call to a California number without disclosure can cost you $5,000. Spread that across an auto-dialing campaign and the math turns ugly quickly.
Illinois is the other high-risk jurisdiction. Its Eavesdropping Act (720 ILCS 5/14-2) was struck down by the Illinois Supreme Court in 2014 as applied to recording police in public, but the commercial and private telephone recording provisions stayed in force [4].
Pennsylvania's Wiretapping and Electronic Surveillance Control Act requires all-party consent, treats violations as a third-degree felony, and allows civil damages of $1,000 per violation or actual damages if higher [4]. Florida's Security of Communications Act imposes both criminal and civil penalties too. For the statute-level detail, our pa call recording laws and maryland call recording laws guides walk through each one.
| State | Consent Rule | Civil Penalty (approx.) | Criminal Exposure? |
|---|---|---|---|
| California | All-party | $5,000 per violation | Yes (misdemeanor) |
| Florida | All-party | Actual damages | Yes (felony possible) |
| Illinois | All-party | Actual damages | Yes |
| Maryland | All-party | Actual damages | Yes |
| Massachusetts | All-party | $100/day or $1,000 min | Yes |
| Michigan | All-party | Actual damages | Yes |
| Montana | All-party | Actual damages | Yes |
| Nevada | All-party | Actual damages | Yes |
| New Hampshire | All-party | Actual damages | Yes |
| Oregon | All-party | $100/violation min | Yes |
| Pennsylvania | All-party | $1,000 per violation | Yes (felony) |
| Washington | All-party | $1,000 per violation | Yes |
| Connecticut | All-party | Actual damages | Yes |
| All other states | One-party | Varies | Rarely |
For state-specific reads, see texas call recording laws, new york call recording law, georgia call recording law, arizona call recording laws, and indiana call recording laws.
How do you figure out which state's law applies to your call?
This is where outbound teams get burned. The general rule courts and attorneys apply is that the law of the state where the recorded person sits physically governs the recording. So if your agent is in Texas (a one-party state) and calls a customer in California (an all-party state), California law governs the recipient's rights [5].
Some courts use a different test, looking at where the recording device sits or where the interception technically happens. The honest answer is that this is unsettled in some circuits. So the safe operating assumption for any business dialing across state lines is simple: treat every call as if the strictest all-party rule applies.
Inbound calls work the same way in reverse. A disclaimer at the top of the call ("This call may be recorded for quality and training purposes") documents consent for the caller, but only if they stay on after hearing it. Some businesses use a press-1-to-continue setup instead. Both work. The press-1 method gives you a cleaner electronic record of who agreed.
Group calls make it messier. On a three-way call with one participant in Maryland, Maryland's all-party rule arguably applies to that person no matter where everyone else sits. Our georgia recording consent law group audio call article covers how multi-party situations get analyzed in a one-party state, and the reasoning pattern carries over to any state.
What are the UK call recording laws businesses must follow?
UK and European businesses work under a layered framework that reads very differently from the U.S. one. The two main pieces of legislation are the Regulation of Investigatory Powers Act 2000 (RIPA) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, usually shortened to the LBP Regulations [6].
Under RIPA and the LBP Regulations, businesses may record calls without consent for specific legitimate purposes: checking compliance with regulatory practice, preventing or detecting crime, investigating unauthorized use of a system, or keeping the system running effectively [6]. The catch is that the recording has to serve one of those listed purposes, and the organization has to make reasonable efforts to tell staff and other parties that calls may be recorded. This does not require real-time consent from the caller. It does require that the policy be publicly known.
The UK General Data Protection Regulation (UK GDPR), which kept EU GDPR principles after Brexit, adds a second layer [7]. Call recordings are personal data. You need a lawful basis to process them (legitimate interests, contract performance, or legal obligation are the usual ones for businesses), and you have to meet retention limits, subject access requests, and data minimization rules. The Information Commissioner's Office (ICO) can fine an organization up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious UK GDPR violations [7].
UK financial firms carry an extra load. The Financial Conduct Authority (FCA) imposes mandatory call recording under the Markets in Financial Instruments Directive II (MiFID II) and its UK equivalent, requiring firms to record relevant communications and keep them for at least five years [8]. That is a floor, not a ceiling.
So UK law is less about grabbing consent in the moment and more about a transparent policy, a lawful basis under UK GDPR, and real data governance around the recordings. Most UK businesses cover this with a recorded announcement at the start of calls and a published privacy notice.
Does consent to record a call have to be in writing?
No. Nothing in federal wiretapping law or in the major all-party state statutes requires written consent. Consent can be oral, implied by conduct, or captured electronically.
Oral consent at the top of the call is the standard for outbound sales teams. A plain disclosure like "This call is being recorded," followed by the other person continuing, is generally treated as implied consent [4]. It is not airtight. In California, some plaintiffs have argued that simply continuing after a generic disclosure is not clear enough consent under Penal Code § 632, and a few trial courts have gone along with that. The stronger version is a clear disclosure followed by an affirmative acknowledgment, even a spoken "okay" from the other party.
For inbound calls, an IVR message before the call connects is the industry standard. Continuing to hold or pressing a button meets the consent bar in most places.
B2B calls make the implied-consent argument a little stronger. Courts have been more willing to infer consent in commercial settings where recording is routine and the other side has some sophistication. I still would not lean on that in California or Pennsylvania. Use a verbal disclosure either way.
Written consent earns its keep when the recording will do something serious: evidence in a dispute, training content shared widely, or any spot where you might later have to prove consent to a regulator or a plaintiff's attorney.
What happens if you record a call without required consent?
The fallout depends on jurisdiction and facts, but it lands in three buckets: criminal prosecution, civil lawsuits, and regulatory enforcement.
On the criminal side, violations of state all-party statutes can be charged as misdemeanors or felonies. Pennsylvania's statute treats unlawful interception as a third-degree felony [4]. Prosecutions of businesses for recording their own sales calls are rare but not unheard of, especially in California where the state AG has brought actions.
Civil lawsuits are the main risk for most businesses. California's Penal Code § 632 private right of action is probably the most-litigated call recording statute in the country. Plaintiffs' attorneys file these as class actions because each call is a separate violation, each worth $5,000 [5]. A company that recorded 10,000 California calls without proper disclosure faces theoretical exposure of $50 million before any actual damages. Courts sometimes trim damages in practice, but the threat alone is enough to fund the plaintiff's class action.
Our is it against the law to record phone calls guide covers the criminal-versus-civil split in more depth. For where recording violations meet broader TCPA risk, read tcpa law and recorded phone call laws together.
Federal enforcement under the ECPA is relatively rare for commercial recording, largely because state AGs and private plaintiffs move faster. The FCC steps in when a common carrier violates 47 C.F.R. § 64.501, which is a separate track [2].
Does the TCPA apply to call recording, and how does it interact with wiretapping laws?
The TCPA (47 U.S.C. § 227) does not regulate call recording [3]. Its scope covers automated telephone dialing systems, prerecorded voice messages, and the National Do Not Call Registry. Whether you may record a TCPA-compliant call is a separate question, answered by the ECPA and state wiretapping statutes.
Still, the two frameworks overlap in practice. If you are making TCPA-compliant autodialed calls, you already track consent documentation, call logs, and suppression lists. Bolting recording consent onto that setup is natural. Many outbound teams use the same consent language that covers TCPA prior express written consent to also cover recording disclosure, though these are technically separate consent requirements for separate legal purposes.
Here is one real intersection. Prerecorded voice messages under the TCPA are, by definition, recordings. But the TCPA's consent requirement there is about placing the call, not about recording the recipient's response. If your prerecorded message invites the person to press a key and reach a live agent, and that live portion gets recorded, you are back to needing wiretapping consent for the recorded live conversation.
The FCC's 2023 and 2024 rulemaking on lead generation and one-to-one consent raised the bar on consent documentation across the board [9]. Tighter consent hygiene across both TCPA and recording rules fits together cleanly.
What notice language actually works for call recording compliance?
The disclosure has to do two jobs: tell the other party recording is happening, and give them a genuine chance to opt out or hang up before recording starts. The exact wording matters less than the timing and the clarity.
For outbound calls, many teams use a version of this at the start: "Hello, this is [name] from [company]. I want to let you know this call may be recorded for quality assurance and training purposes. Is that okay?" A verbal "yes" or "okay" beats silence. Some scripts say "please let me know if you'd like to opt out of recording" instead of asking for a yes, which documents consent a bit more weakly but is still common.
For an inbound IVR: "Thank you for calling [company]. This call may be monitored or recorded for quality assurance purposes." That is compliant in one-party states if the caller stays on. In all-party states, play this before any personal information changes hands and before the call reaches an agent.
Avoid vague phrasing like "calls are occasionally recorded." California courts have questioned whether conditional or uncertain language meets the notice standard, because a caller cannot meaningfully consent to something that may or may not be happening [5].
For UK calls, the LBP Regulations require making all reasonable efforts to inform the parties. A pre-call IVR announcement plus a published privacy notice covers that in almost every case [6].
How long do you have to retain recorded calls, and how should you store them?
There is no single federal retention rule for commercial call recordings outside regulated industries. The requirement varies by sector and jurisdiction.
For U.S. financial firms, FINRA Rule 4511 requires member firms to preserve records for at least six years [10]. SEC Rule 17a-4 sets similar minimums for broker-dealers. Insurance companies face state-specific requirements that usually run three to five years.
For UK financial firms under FCA rules, the minimum is five years, and some categories of MiFID II communications must be kept for seven [8].
For a general commercial business with no sector rule, the practical minimum driven by litigation risk is usually two to four years. The federal ECPA civil statute of limitations is two years from the date the plaintiff knew or should have known of the violation [1]. State limits vary. California's is one year for Penal Code § 632 claims, though the discovery rule can stretch that.
On storage, the requirements that matter are access controls (not everyone needs to hear customer recordings), encryption at rest and in transit, a written retention and deletion schedule, and a process for handling subject access requests (required under UK GDPR and the California CCPA). Cloud recording platforms handle most of the technical controls. You still own the governance policies.
Using a third-party recording vendor? Make sure your contract includes a data processing agreement that assigns liability clearly for breaches or unauthorized access. Your vendor's negligence can still land on you in a regulatory action.
Are there special rules for recording calls in specific industries?
Yes. Several industries carry recording requirements that sit on top of the general wiretapping framework.
Healthcare: Recorded calls that hold protected health information (PHI) fall under HIPAA's Security Rule and Privacy Rule [11]. The recording itself becomes a PHI record. You need administrative, physical, and technical safeguards, plus a business associate agreement with any third-party storage or transcription vendor.
Financial services: Beyond the FINRA and SEC retention rules above, the Dodd-Frank Act requires swap dealers and major swap participants to record oral communications relating to swaps under CFTC rules [10].
Debt collection: The CFPB's Regulation F, which implements the Fair Debt Collection Practices Act, does not require call recording, but recorded calls show up constantly as evidence in FDCPA disputes. Plenty of collection compliance programs treat recording as mandatory for that reason.
Government contractors: Some federal contracts require recording capability for oversight. Check your contract terms.
The crossover between sales recording and text/SMS programs is more common than people expect. If your team uses SMS for follow-up, the rules in text message marketing facts shape the consent framework you are running next to your recording disclosures, since many businesses run both channels off the same consent capture.
What should a small outbound sales team's call recording policy actually include?
A written call recording policy is not legally required in most places, but it is the first thing a plaintiff's attorney or regulator asks for. Having one, and following it, is strong evidence of good-faith compliance.
At minimum, your policy should cover the states (and countries) where your team dials, the consent standard you apply, the exact disclosure language agents use, how you document consent, where recordings live, who has access, how long you keep them, and how you handle deletion requests. My strong recommendation on the consent standard: use all-party notice on every call, regardless of state. The documentation cost is zero and the litigation protection is real.
Training is non-negotiable. Agents who do not understand why they give the disclosure will skip it when they are tired or rushed. A one-page job aid with the exact script, plus a monthly reminder in team meetings, handles about 90% of the behavioral risk.
Audit your recordings. Pull a random sample of 20 to 30 calls per agent per quarter and confirm the disclosure happens at the start, before any real conversation. This is where compliance programs fall apart. The policy is fine, but nobody checks execution.
LeadCompliant's free compliance kit includes a call recording policy template alongside its TCPA and DNC checklist tools, if you want a starting point to adapt instead of drafting from a blank page.
On the technical side, most modern outbound platforms (Aircall, RingCentral, Dialpad, and similar) offer per-call or per-number recording toggles and can inject an IVR notice before the agent connects. Use those features. Do not rely on agents to start recordings by hand.
How do recording laws apply to voicemails left on someone's phone?
Leaving a voicemail is a one-sided recording the caller makes onto the recipient's system. Courts have generally found that voicemails left on standard voicemail systems do not trigger the consent requirements of wiretapping statutes, because the message is not intercepted in real time. It is deposited with the recipient's knowledge and their consent to receive messages [4].
The exception is technology that drops a prerecorded voicemail straight into a phone's voicemail box without ringing the phone first. These "ringless voicemail" or "voicemail drop" services have drawn heavy regulatory attention. The FCC has taken the position that ringless voicemails fall under TCPA requirements because they count as calls to the called party's line [9]. Whether they also trip wiretapping statutes is a separate analysis that varies by state.
For an ordinary outbound call where the phone rings, goes to voicemail, and the agent leaves a live or prerecorded message: that is not a recording of an intercepted communication in the traditional sense. But if your system was recording the whole call attempt, including the voicemail, you are now capturing a communication, and the analysis gets thornier depending on the state. Most compliance programs solve this by starting the recording only when a live party answers.
Frequently asked questions
Is it illegal to record a phone call without telling the other person?
It depends on the state. Under federal law and in 37 states, one-party consent is enough, so you can record your own call without telling anyone. In 13 states (California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington) all parties must be notified. Recording without notice in those states can be a crime and exposes you to civil lawsuits.
What is the difference between one-party and two-party consent for call recording?
One-party consent means at least one person on the call must consent to recording. Since you are recording your own call, you meet this automatically. Two-party (or all-party) consent means every person on the call must know and agree before recording starts. Thirteen U.S. states apply the all-party rule. The practical difference for businesses is whether you must disclose recording to the other party before it begins.
Which states require all parties to consent to a recorded phone call?
The 13 all-party consent states are California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. California carries the highest civil penalty at $5,000 per violation under Penal Code § 632. Pennsylvania treats violations as a third-degree felony. If you dial nationally, defaulting to all-party disclosure on every call is the safest approach.
Does the TCPA require consent to record phone calls?
No. The TCPA (47 U.S.C. § 227) regulates autodialing, prerecorded messages sent to consumers, and Do Not Call compliance. It does not govern whether you may record a call. Recording consent is controlled by the federal ECPA (18 U.S.C. § 2511) and applicable state wiretapping statutes. Many teams manage both consent frameworks at once, but they are legally separate requirements.
What are the UK law requirements for recording phone calls?
UK businesses must comply with the Regulation of Investigatory Powers Act 2000 (RIPA) and the Lawful Business Practice Regulations 2000, which allow recording for specific legitimate purposes but require reasonable efforts to inform affected parties. UK GDPR adds data governance duties: a lawful basis for processing, retention limits, and data subject rights. Financial firms face extra FCA rules requiring five-year minimum retention of relevant communications.
Can I record a call with a customer in California without their consent?
No. California Penal Code § 632 requires all parties to consent to a telephone recording. You must disclose the recording at the start of the call, before any substantive conversation. The penalty is $5,000 per call or three times actual damages, whichever is greater, and plaintiffs can sue individually or as a class. California generates more call recording lawsuits than any other state, so this rule deserves real attention.
How do I disclose call recording on outbound sales calls?
State the disclosure at the very start, before introducing yourself or opening your pitch. A version that works in all states: 'I want to let you know this call is being recorded for quality assurance purposes.' A verbal acknowledgment beats relying on implied consent from a continued conversation. For inbound calls, an IVR message before the call connects is the standard method. Document when and how disclosures happen.
How long do I need to keep recorded phone calls?
There is no single universal rule outside regulated industries. FINRA requires six years for member firms. The UK FCA requires five years for MiFID II communications. For general commercial calls, a two-to-four-year window covers most litigation risk, since the federal ECPA civil statute of limitations is two years and most state limits run one to three years. Set a written retention schedule and actually delete recordings on time.
Does recording apply differently to business-to-business calls versus consumer calls?
The wiretapping statutes generally apply the same way whether the call is B2B or B2C. California's Penal Code § 632 does not carve out business calls. Courts have sometimes been more willing to find implied consent in B2B contexts given commercial sophistication, but leaning on that in an all-party state is a gamble. The safer and simpler move is the same verbal disclosure on every call, no matter who you are calling.
What should I do if my call recording vendor has a data breach?
Your exposure depends on your contract. First, review your data processing or business associate agreement with the vendor to confirm who bears liability for unauthorized access. You may have notification duties under state breach notification laws (all 50 states have them), UK GDPR (72-hour ICO notification window), or HIPAA if PHI was in the recordings. Preserve all evidence, engage legal counsel, and check whether your cyber insurance covers vendor-related breaches.
Can ringless voicemails be left without consent under call recording laws?
Ringless voicemail drops are a separate compliance problem. The FCC has indicated they fall under TCPA requirements as calls, meaning prior express written consent may be required for consumer numbers on wireless lines. Whether they also trigger wiretapping statutes is unsettled, but the TCPA exposure alone is significant. Most compliance-conscious teams avoid ringless voicemail for cold outreach entirely.
Do group or conference calls need all-party consent in every state where a participant is located?
Yes, in principle. If any participant sits physically in an all-party consent state, that state's law applies to that participant's portion of the call. A conference call with people in California, Illinois, and New York technically requires all-party consent even if the host is in a one-party state. For any multi-party call your team records, the safest practice is a verbal disclosure at the start that everyone hears.
Is a written call recording policy legally required?
No statute specifically mandates a written policy for general commercial businesses. But a documented, followed policy is evidence of good-faith compliance, which matters in regulatory investigations and civil litigation. It also turns your disclosure requirements into something agents actually follow. At minimum, put in writing which states you call, the consent standard you apply, the exact disclosure script, where recordings go, who can access them, and how long you keep them.
What is the penalty for violating state call recording laws?
Penalties vary widely. California: $5,000 per violation or treble actual damages (Penal Code § 632). Pennsylvania: $1,000 per violation plus potential felony charges. Massachusetts: $100 per day or $1,000 minimum per violation. Washington: $1,000 per violation. Florida, Illinois, and most other all-party states allow actual damages plus attorney fees. Class action exposure multiplies the per-call penalty by the number of calls made without proper disclosure.
Sources
- U.S. Department of Justice, Electronic Communications Privacy Act (18 U.S.C. § 2511): Federal wiretapping law requires consent of at least one party to record a call; civil damages up to $10,000 per violation.
- National Conference of State Legislatures, State Wiretapping and Electronic Surveillance Laws: Thirteen states require all-party consent to record telephone calls; violation penalties range from civil damages to felony charges depending on the state.
- California Legislative Information, Penal Code § 632 (Invasion of Privacy Act): California Penal Code § 632 imposes a $5,000 per violation or treble actual damages penalty for recording a confidential communication without all-party consent.
- UK Government, Regulation of Investigatory Powers Act 2000 and Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000: UK businesses may record calls without real-time consent for specified legitimate business purposes under RIPA 2000 and the LBP Regulations, but must make reasonable efforts to inform parties.
- UK Information Commissioner's Office, UK GDPR guidance for organisations: The ICO can fine organizations up to £17.5 million or 4% of global annual turnover for serious UK GDPR violations; call recordings are personal data subject to the full UK GDPR framework.
- UK Financial Conduct Authority, MiFID II requirements: FCA rules under MiFID II require UK financial services firms to record relevant communications and retain them for a minimum of five years.
- FINRA, Rule 4511 (General Requirements for Books and Records): FINRA Rule 4511 requires member firms to preserve records, including call recordings, for at least six years.
- U.S. Department of Health and Human Services, HIPAA Security and Privacy Rules: Call recordings containing protected health information are PHI records subject to HIPAA Security and Privacy Rule safeguards and business associate agreement requirements.