WIXLIB

www.LieberAndAssociates.com * info AT lieberandassociates.com * 773-325-9400Article from theKnowledgebase for Contact Centers 2020 by Lieber & Associates, Inc. All rights reserved.Call Recording and Monitoring Regulations – Revisitedby Mitchell LieberRecording and monitoring laws for call centers appear to be a crazy quilt of rules. Here is anintroduction to U.S., Canadian, and European laws to make understanding them easier*.Before skipping over Europe because a call center is elsewhere, consider one key fact. TheEuropean Union (EU) applies its 2018 privacy regulations to companies worldwide that dobusiness with EU residents (if the residents are physically located in the EU at the time of theinteraction). Requirements significantly exceed those of U.S. and Canadian law.Finally, laws governing consent to monitor or record are not the end-all of compliance.Additional regulations and rules govern aspects of call recordings, based largely on content.U.S. Federal and State Laws – An IntroductionU.S. federal law requires one-party consent for call recording or monitoring in call centers.1

State laws can be more restrictive and require either one-party or all-party consent (sometimescalled “two-party,” but the accurate term is “all-party” since there may be more than twoparties to a call).One-party consent: One party to the conversation consents to monitoring and/or recording.All-parties consent: All parties to the conversation consent to monitoring and/or recording.When a call center in one state handles a call from another, the laws of both states can apply.With cell phones, and VoIP phone services that can be moved to wherever there is a webconnection, a caller could be anywhere.For example, an electric utility that only services Louisville, Kentucky cannot assume that all ofits calls originate there. The company could be speaking with a former Louisville resident whonow lives in Los Angeles. The call could concern a final bill, return of a deposit, or perhaps thiscustomer rents out their former home in Kentucky and continues to pay the utilities. Whateverthe reason for the call, both California and Kentucky law can apply.2

For this reason, it is prudent to comply with all state laws and obtain all-party consent. It isdifficult or impossible to make a case for one-party consent as shown in the decision tree,Which U.S. State Laws Apply for Call Monitoring and Recording in a Call Center (on page 6).There are criminal penalties for non-compliance in all states except Vermont, as well as in theDistrict of Columbia. Most states also allow civil suits.U.S. States – One-Party vs. All PartyThe following list is for businesses recording or monitoring phone calls. Most state laws applyboth to real-time monitoring and recording.In some states, different rules may apply to in-person conversations and to conversationsrecorded by a party who is not on the call.All-party states are in red text.Alabama: one-partyWhy Call Centers Choose All Party ConsentAlaska: one-partyWhich U.S. states require one-party and whichrequire all-party consent is irrelevant for most callcenters.Arizona: one-partyArkansas(One-party if the person monitoring or recordingthe conversation is a party to it, or if one partyhas given prior consent.)Here’s why. Both the caller’s and receiver’s statelaws apply. Most companies do business nationwideand receive calls from all-party consent states. It’simpractical to vary the type of consent required bythe customer’s state.California: all-partyEven if a commerce area and company contactcenter are both in a one-party state, it likelyreceives some calls from all-party states. Customerstravel and use cell phones to call from whereverthey may be. If an organization places outgoingcalls, it could dial a phone number in Nebraska (oneparty consent) and reach Florida (all-party consent)because the number has been forwarded to asummer home landline there or a cell phone that’scurrently in Florida.Colorado: one-partyConnecticut: all-partyDelaware(There are conflicting state laws. Delaware’swiretapping and surveillance law requires oneparty consent. However, its privacy law, which ismuch less recent, requires all-party consent.There has been at least one federal courtdecision about the two-party privacy law.)3For these reasons, the consent decision is usuallymore straightforward than it appears. For nearly allcall centers, it is necessary to obtain all-partyconsent to avoid violating a state law governingmonitoring and recording.

There’s More to Compliance than ConsentDistrict of Columbia: one-partyConsent is one big compliance touchpointconnected with call monitoring and recording but isnot the only one.Florida: all-partyGeorgia: one-partyPersonal Information: If a call center recordspersonal information, storing the recordings in away that prevents unauthorized listening or copyingis essential. Unauthorized access is a type of databreach, and data breach laws likely apply. Amongother things, these laws govern when and howcustomers must be notified of a breach.Hawaii: all-party(All-party if the recording device is in a privateplace.)Idaho: one-partyCredit Cards: In the event credit card information ison recordings, there are PCI compliance aspects asto how the recordings are stored. Measures mustbe taken to prevent unauthorized copying or use.Illinois: all-partyIndiana: one-partyBanking Information and Automatic MonthlyPayments: If a contact center accepts phone checks,debit cards, banking information, or authorizationfor automatic monthly payments, governmentregulations about these may extend to the use andretention of recordings.Iowa: one-partyKansas: one-partyKentucky: one-partyLouisiana: one-partyFor Specific Business Types: Other business sectors,such as mortgages, as well as stocks and securities,often have regulations that affect audio records ofcalls.Maine: one-partyMaryland: all-partyHealthcare: In the event a call center handleshealthcare calls, in the U.S., HIPAA (HealthInsurance Portability and Accessibility Act) rulesapply. Everyone who will listen to calls withprotected health information must sign a BusinessAssociates Agreement (BAA) regarding compliancewith HIPAA protections. Unauthorized listeningconstitutes a violation of the law. Additionally,organizations that use a cloud call center vendormust make sure that it stores recordings in a HIPAAcompliant manner, and the data center storingthese files is located in the U.S.Massachusetts: all-partyMichigan: all-party(One-party only if the recording party is aparticipant in the conversation.)Minnesota: one-partyMississippi: one-partyMissouri: one-partyMontana: all-party(Requires notification.)Nebraska: one-party4Risk Management and Legal: When Lieber &Associates assists clients with these issues, thecontact center often works with its company’s riskmanagement and legal departments. One issue isthe different ways in which a recording can be usedin a lawsuit against the firm. Sometimes the audiofile is an advantage, and on occasion, a recording isa disadvantage. Companies differ in how long theychoose to archive recordings (and any back-ups thathave been made).

Nevada: all-party(Nevada’s statute requires one-partyconsent, however, the Nevada SupremeCourt has held that all parties mustconsent.)South Carolina: one-partyNew Hampshire: all-partyTexas: one-partyNew Jersey: one-partyUtah: one-partyNew Mexico: one-partyVermont: all-party(No specific law; based on a court case.)South Dakota: one-partyTennessee: one-partyNew York: one-partyVirginia: one-partyNorth Carolina: one-partyWashington: all-party(However, permission is considered given ifone party announces in a reasonablemanner that they will be recording the calland the announcement is part of therecording.)North Dakota: one-partyOhio: one-partyOklahoma: one-partyWest Virginia: one-partyOregon: all-party(One-party for electronic communications,all-party for in-person conversations.)Wisconsin: one-party(All-party consent required for a recordingto be used in court.)Pennsylvania: all-partyWyoming: one-partyRhode Island: one-party(Consent is not necessary when therecorded party does not have a reason toexpect privacy.)There are nuances in state laws that must be checked. What constitutes consent varies bystate. There can be case law (court cases) that affect interpretation. Occasionally, laws areamended by state legislatures.5

Additional introductory information, with links to state laws and some court case citations, is onweb pages on the topic at Justia and the Digital Media Law Project (note: its information aboutIllinois law is outdated, and the state has since passed a new all-party consent law that isconstitutional).Canadian Laws – An IntroductionThe Personal Information Protection and Electronics Government Act (PIPEDA) governs themajority of Canadian businesses outside of Alberta, British Columbia, and Quebec, which havetheir own province-specific regulations. However, PIPEDA governs banking,telecommunications, transportation, and other federally regulated businesses throughoutCanada, even if located in Alberta, British Columbia, or Quebec.6

For PIPEDA to apply, both the call originator and the receiver must be located in Canada. Tocomply, in general, businesses must:1. Inform the other party at the start of the call.2. Clearly inform the other party of all purposes of the call recording.3. If there is an objection to recording, provide a meaningful alternative for contact (such asnon-recorded phone, in-person, by mail, and so forth).Here are the basics about the Recording of Customer Telephone Calls from Canada’s PrivacyCommissioner. Here is the Privacy Commissioner’s page with information about PIPEDA.European Laws – An IntroductionIn Europe, laws vary by country. Additionally, in nations that are members of the EuropeanUnion, the EU’s General Data Protection Regulation (GDPR) governs call recording.7

The European Union requires companies worldwide to comply with the GDPR rules whendealing with EU residents (while residents are physically located in the EU). Examples might bewhen an EU resident calls from their home to the U.S. to buy a ticket on an American domesticairline or to schedule an appointment at a U.S. hospital.Among other things, the GDPR requires an action on the part of the caller to consent torecording, such as pressing a phone key, and a reason for recording calls that is consideredlegally valid. Such reasons are: Recording is required to comply with a contract. Recording is required to satisfy legal requirements. Recording is required to protect the interests of one or more participants. Recording of calls is necessary for safety or is in the public interest. Recording is in the legitimate interests of the recorder, provided those interests are notoverwritten by the interests of the participants in the calls.Additionally, the company must make the recording accessible and be able to produce it for thecustomer within 30 days. The company must also be able to permanently delete it, if requested,to comply with a customer’s “right to be forgotten.”In a 2019 ruling, Denmark enforced GDPR call recording regulations and required the country’slargest telephone company, TDC/AS, to cease call recording because its processes did notcomply.8