Is Your Business Complying With Applicable Call Recording Laws?

Businesses often record and monitor telephone calls involving their customer service representatives or call center agents for quality control or quality assurance purposes. After all, call quality monitoring is an effective method for improving the level of service provided to customers. The recording of either incoming or outgoing calls, however, is subject to federal and state wiretapping laws, which apply to the electronic recording of telephone calls. Businesses, therefore, should understand and comply with call recording laws. Failure to do so may result not only in a civil claim for money damages, but also criminal prosecution.

From a legal perspective, the primary inquiry is whether consent from one or all parties to a call must be obtained before recording it. Federal law and a majority of state wiretapping statutes permit recording if at least one party to the phone call consents. Other states require that all parties consent.

Under federal law and most state statutes, it is unlawful to disclose an illegally recorded telephone call. It is also illegal in all jurisdictions to secretly record calls between two or more people who have not consented. In addition, irrespective of whether consent has been obtained, federal law and the laws of a number of states do not allow the recording of calls if it is done for a criminal or tortious purpose.

Under federal law and “one-party consent” state statutes, you are permitted to record a telephone call as long as you are a participant. Over thirty states and the District of Columbia have adopted one-party consent laws. There are twelve “all-party consent” states requiring, under most circumstances, the consent of every party to a telephone call in order to make the recording legal: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania and Washington.

Unfortunately, it is not always easy to tell which law applies to the recording of a telephone call, particularly if the call participants are in different states. It is difficult, therefore, to assess in advance whether federal or state law applies and, if state law applies, which of the two (or more) relevant state laws controls. In general, the law of the jurisdiction in which the recording device is located will apply. Some jurisdictions, however, take a different approach when addressing this issue. For example, some courts have applied the law of the state where the injury occurred. Accordingly, when recording a call with participants in more than one state, it is best to err on the side of caution and either comply with the strictest laws that may apply or get the consent of all parties. It is generally legal to record a conversation where all the parties to it consent.

Businesses should document consent to recorded calls. The best way to do so is to record the consent along with the telephone call. This requires (1) notifying the person to be recorded of the intent to record; (2) getting consent prior to starting the recording; (3) starting the recording; and then (4) asking the person to confirm that he or she consents to the recording. This is not always feasible. Often, however, “implied” consent is sufficient to satisfy call recording laws. In that situation, one party expressly agrees to the recording and the other continues the conversation after having been informed that the call is being recorded or is about to be recorded.

When obtaining consent, businesses may provide a verbal announcement at the beginning of incoming telephone calls, notifying third parties of the recording policy and of the purpose for the recording (e.g., for training purposes or quality assurance). Customer service representatives should also be instructed to recite a similar announcement of the recording policy when making outgoing calls to third parties/customers. The following statements may be used:

“For training purposes, this call may be recorded.”

“Thank you for calling. To ensure the highest level of customer service, this call may be monitored and recorded.”

“Thank you for calling. Your call may be monitored and recorded to ensure quality of service.”

The statement should reflect and disclose the real purpose for recording the call.

Businesses must also be cautious with regard to the information they record and store. By way of example, recording and storing personally identifiable information raises a number of issues regarding its protection — and whether such storing is even permitted.

Massachusetts data security laws, for example, require minimum standards to be met to safeguard personal information of Massachusetts residents contained in both paper and electronic records. All businesses that own, license, store or maintain personal information about a resident of Massachusetts must adopt a comprehensive, written information security program. The information security program must include the establishment and maintenance of a computer security system covering the business’ computers, including any wireless systems. The term “personal information” includes an individual’s first name (or first initial) and last name in combination with a financial account number, credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to an individual’s financial account.

In addition to complying with applicable data security laws, businesses that accept and/or process payment card data over the telephone must comply with Requirements 3.1 through 3.6 of the Payment Card Industry Data Security Standard (PCI DSS) with respect to storage and protection of stored data. Among other things, it is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization — even if encrypted. Specifically, PCI DSS Requirement 3.2 provides that the three-digit or four-digit card verification code or value printed on the card (CVV, CVC, CID, or CAV) cannot be retained after authorization, and full primary account numbers (PANs) cannot be kept without further protection measures. As such, there is a risk that businesses taking customer payment card details over the telephone may be recording the full cardholder details, thereby violating PCI DSS Requirement 3.2. Businesses must take appropriate steps to avoid such violations. Businesses must also ensure that their call centers adhere to an information security policy, and, with regard to permitted storage, that any media used to record the information is clearly labeled, inventoried and rendered unreadable following PCI DSS requirements.

In conclusion, businesses must understand and comply with call recording and other applicable laws to minimize the potential for civil or even criminal liability. Businesses are advised to work with counsel to develop and implement call recording and call quality programs that comply with those laws.