What Is Call Compliance Recording?

Compliance Recording

Compliance recording is the legally required process of capturing (recording) phone calls in a manner that adheres to local, national, and global regulations. Although call recordings have been used to advance the commercial goals of many companies, the principal aim of call recording is contact center compliance.

Global and National Compliance Laws

While very few regulations are globally applicable, national laws, like GDPR and CPPA, can have an effect beyond their target country because of country-to-country commerce.

These regulations often require us to establish consent with the called party, which is only provable with a recording of the call. Reasons for consent include customer permission to carry out financial transactions on their behalf, look up personal data, record the current call, finalize purchases, and so on.

State and Local Compliance Laws

In the United States, laws regulating call recording vary from state to state. California recording laws may not match Florida recording laws, making it vital to understand call recording laws by state. While call recording regulations differ locally and globally, the financial penalties for violating these laws, especially when data breaches occur, are steep and financially damaging to any enterprise.

Notification of Call Recording

The Federal Communications Commission (FCC) requires notification of call recording and defines the acceptable means of notification as:

  • Prior verbal or written notification of all parties to the telephone conversation.
  • Verbal notification before the recording is made. This is the most commonly used type.
  • An audible beep tone repeated at regular intervals during the call.

Two-Party Consent States

Currently, 12 states require the spoken consent of all parties on a phone call to deem the recording lawful. This is referred to as two-party consent and it’s currently enacted in the following states (exceptions noted):

  1. California
  2. Connecticut (required if and when a 3rd, non-participating party records the conversation. When recordings are made in-person, one-party consent will suffice)
  3. Florida
  4. Hawaii (two-party consent is required when the recording device resides in a separate or private location)
  5. Illinois (two-party consent, but not for electronic communications)
  6. Maryland
  7. Massachusetts (bans secretive recordings; uniquely, Massachusetts has a public location exception)
  8. Montana (requires notification of recording, but not spoken consent)
  9. New Hampshire
  10. Oregon (electronic communications require only one-party consent. Two-party is necessary for in-person recorded conversations)
  11. Pennsylvania
  12. Washington (but Washington law validates permission when any party announces recording is taking place in a reasonable manner and if the recording captures the announcement)

Contact Center Call Recording Protects Your Company

To any manager of a call center, regulatory compliance is a top priority. For this reason, managers expend time and funding for their call center on compliance training. Employing a scripted greeting is proven to keep your call recordings compliant. However, there are several ways to make obtaining informed consent easier. 

Call Center Recording: Inbound & Outbound Calls

Inbound Call Consent

Most inbound customer calls are picked up automatically by an Interactive Voice Response (IVR) system that plays a message. Depending on what state or country your business resides in, having your IVR tell the inbound caller that “this call is being recorded for quality and training purposes” will suffice for consent.

However, not every state has the same support and customer service call recording laws. While an IVR announcement saves time and takes human error out of the way, it may not strike the tone you’re looking for on a sales call. Customers’ mood can quickly downshift merely because they are greeted by an IVR system and not a person.

Outbound Call Consent

When your company makes an outbound call, obtaining consent becomes more difficult. The calling agent must immediately inform the called party (or parties) that the call is being recorded. If parties join the conversation while the call is in progress, consent must be obtained again.

Many live agents handle this disclosure right in their introduction. For example, “Hi, my name is Sarah from Company A on a recorded line.”

What if I don’t start my calls with a live agent?

Many companies use auto-dialers that will play a message informing the customer of call recording before the agent picks up. This method may not be optimal because auto and predictive dialers tend to annoy customers before the call even starts. In the big picture, how you obtain consent can either be personal and seen as considerate by the customer, or it can be impersonal and imposing. 

Making your agents responsible for obtaining consent does introduce the possibility of human error. However, with training and the number of CRM tools available in the marketplace, these errors can be minimized. 

If you do not want to open your call with a recording notification, we recommend you do not record outbound calls to two-party states, or that you use a record on-demand function to record only the portions of the call that are required, and do so after a different notification script is used later in the call.

Call Center PCI Compliance

As stated in one of our previous articles, whenever a customer gives your company a bank or credit card number, your company is subject to PCI DSS compliance. Since the customer gave the card number over the phone, it gets recorded and possibly transcribed by a speech-to-text application. Immediately that data exists in 2 different recording media and is vulnerable.


PCI DSS laws mandate the protection of that data through masking and redaction. 

Masking alters the audio recording to encrypt sensitive speech segments, namely the numbers spoken on the call, while leaving the rest of the recording listenable. This encryption renders even a stolen recording useless to a malicious party.

To comply, your audio recordings and text transcriptions should no longer expose vulnerable numbers (credit card, account, phone and social security) once masking and redaction have been applied. It’s wise to equip your call center with recording software that can automatically perform masking and redaction.
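
The transcript side of the redaction described above, as an added example (not CallCabinet's code and not part of the original article): it finds payment card numbers in speech-to-text output, including digits transcribed as words, confirms them with the Luhn checksum, and replaces them. The digit-word vocabulary, the placeholder text and the sample transcript are assumptions constructed for illustration; audio masking and other number types are not covered.

```python
import re

# Digit words a speech-to-text engine may emit instead of numerals (assumed vocabulary).
WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
         "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
TOKEN = re.compile(r"\d+|" + "|".join(WORDS), re.IGNORECASE)
# A run of digit tokens separated only by spaces, commas or hyphens.
RUN = re.compile(rf"\b(?:{TOKEN.pattern})(?:[\s,-]+(?:{TOKEN.pattern}))*\b", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(transcript):
    """Return (redacted_text, kinds); kinds records what was found, never the value."""
    out, pos, kinds = [], 0, []
    for run in RUN.finditer(transcript):
        # (start, end, digits) for every token, with offsets into the full transcript.
        toks = [(run.start() + m.start(), run.start() + m.end(),
                 WORDS.get(m.group().lower(), m.group()))
                for m in TOKEN.finditer(run.group())]
        i = 0
        while i < len(toks):
            digits, last = "", None
            for j in range(i, len(toks)):
                digits += toks[j][2]
                if len(digits) > 19:        # longer than any card number
                    break
                if len(digits) >= 13 and luhn_ok(digits):
                    last = j                # keep the longest valid window
            if last is None:
                i += 1
                continue
            out += [transcript[pos:toks[i][0]], "[REDACTED PAN]"]
            pos, i = toks[last][1], last + 1
            kinds.append("PAN")
    out.append(transcript[pos:])
    return "".join(out), kinds

# Constructed sample transcript; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE = ("Agent: Can I have the card number please?\n"
          "Caller: Sure, it's four one one one 1111 1111 1111, expires 12 25.\n"
          "Agent: Thanks, your order reference is 1234 5678 9012 3456.\n")

if __name__ == "__main__":
    print(redact(SAMPLE)[0])
```

The order reference survives because it fails the Luhn check, which keeps the redactor from blanking every long number an agent reads out.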

Call Compliance for Financial Institutions

Hospitals, insurance agencies, banks, investment firms, brokerages, and enterprises of every sort are subject to financial compliance laws like:

  • Dodd-Frank: Governs consumer lending, including credit and debit cards
  • MAD II & MiFID II (Market Abuse Directive, Markets in Financial Instruments Directive): Concerned with providing increased investor protection in EU financial trading venues
  • FDCPA (Fair Debt Collection Practices Act): Prohibits debt collection through deceptive or abusive means
  • TILA (Truth In Lending Act): Protects consumers through mandated disclosure of key lending terms

Overall, these regulations mandate accountability for financial data passing between company and customer. They also dictate security requirements for storing call recordings and text media. 

The fines for violations of these regulations can deeply damage any enterprise. In all of these laws, call recording is not only required, it is a company’s best line of defense in the event of a dispute. 

Compliance is the first step to establishing cause in any dispute, and if the dispute goes to litigation, the validity of a compliance recording can be questioned. For that reason, redundant Cloud storage with military-grade encryption is highly recommended. Your recordings, transcripts, and agent screen recordings (if you have them) all help you establish authenticity. 

Call Recording and HIPAA Compliance

When a medical practice, hospital, or health insurance company speaks to patients and customers over the phone, HIPAA (the Health Insurance Portability and Accountability Act) regulates recorded communications. If you’ve set up your operation for informed consent, PCI redaction, and encrypted storage, you might think you’re all set for HIPAA. However, there’s one last place you might need to shore up your compliance recording methods:

In healthcare markets there are pieces of information providers can give neither over the phone nor by email. The solution is faxing, and because faxing is faster than other ways of sending data, its use has actually increased.

Online faxing produces an image file every time an online fax is sent. Millions of images with critical patient information are stored every year. Those images should be treated with the same concern as your transcripts and call recordings. The right call recording platform can be used to stay compliant anywhere you are in the world and no matter what industry you’re in.

To learn more about how CallCabinet can help manage your call compliance needs, reach out to us today.