Call recording compliance — one-party vs two-party consent by US state

If your PBX records calls, you're in legal territory the moment those calls cross a state line. The US is split between "one-party consent" (only one party — typically you — needs to consent) and "two-party consent" (every party on the call must consent). Get this wrong and you face civil liability plus criminal exposure in some states. This article is the state-by-state map plus the compliance pattern that works everywhere.

Disclaimer: this is a general operational guide, not legal advice. State laws update; case law evolves. For specific deployments, consult a lawyer in the relevant jurisdictions.

The two regimes

• One-party consent: as long as ONE party to the call consents (which can be the recorder themselves), recording is legal. Most US states.
• Two-party (or all-party) consent: EVERY party on the call must consent to the recording. Recording without explicit consent from every party is a crime, often a felony.

Federal law (18 USC § 2511) is one-party, but state laws can be stricter. When a federal call crosses jurisdictions, the strictest law in play typically applies.

States that are two-party (all-party) consent

A meaningful minority of US states have stricter all-party-consent rules. Frequently cited examples include California, Florida, Illinois, Maryland, Massachusetts, Pennsylvania, and Washington — but the full list is longer, several states' status depends on case law rather than plain statute, and the analysis can be situation-specific (e.g. whether the call is in-person or telephonic, whether one party is a business). State laws and case law evolve.

Do not rely on a static list in a knowledgebase article for a production deployment. Consult counsel licensed in the relevant jurisdictions, or refer to a maintained reference like the Reporters Committee for Freedom of the Press's state-by-state recording-law guide.

The cross-jurisdictional rule

If you're in a one-party state (Texas) calling someone in a two-party state (California), most legal interpretations apply the stricter law — you need consent from the California party. The same applies if your CALL CENTER is in a one-party state but you call into two-party states. Compliance teams routinely treat ALL calls as if subject to two-party rules to avoid the analysis.

The "this call may be recorded" pattern

The universal compliance pattern: at the start of every recorded call, the caller hears a notification.

• For outbound: a recorded announcement plays before the call connects to the agent: "This call may be recorded for quality and training purposes." If the called party stays on the line past the announcement, that's treated as implied consent in most jurisdictions.
• For inbound: a recorded prompt during the queue / IVR: "Calls may be recorded for quality assurance." Caller hangs up if they object.

The notification language matters less than the fact of giving it. "Calls may be recorded" gives less consent ambiguity than "your call may be monitored" (which has been challenged as not implying recording).

Implementation on Asterisk® / FreePBX®

FreePBX has a built-in "Call Recording Announcement" feature under Settings → Advanced Settings or per outbound route. Pre-pend a wav file announcement before connecting.

# /etc/asterisk/extensions_custom.conf (or via FreePBX dialplan injection)
exten => s,1,Answer()
 same => n,Playback(custom/recording-disclosure)
 same => n,MixMonitor(${UNIQUEID}.wav)
 same => n,Dial(SIP/trunk1/${EXTEN})

Record the disclosure wav file with whatever wording your legal team approves. Store at /var/lib/asterisk/sounds/custom/recording-disclosure.wav.

Per-call consent vs blanket consent

Some operations use stronger consent collection — interactive ("Press 1 to agree to recording"). Stricter than minimum but uncontestable. Standard in:

• Financial services calls (FINRA-recorded).
• Calls involving health information (HIPAA-adjacent).
• Calls subject to FTC scrutiny for marketing.

The "supervisor monitoring" exception

The Federal Wiretap Act's "business extension exception" allows ordinary-course-of-business call monitoring by an employer without disclosure to the third party. State laws vary on whether they recognize this exception. For call centers, the standard "this call may be recorded" announcement is necessary even with the federal exception in play — state laws often override.

Record-keeping for compliance

If you record, you also need:

• Retention policy — how long recordings are kept and what triggers deletion. Often legally required to specify in your privacy policy.
• Access logging — who can play back recordings and audit trail of who did.
• Encryption at rest — recordings contain customer voice + speech content; treat as PII.
• Subject access — under various consumer-protection laws, called parties can request copies of recordings of themselves. Have a process.

See the dialer-side article on call recording storage, retention, and CDR extraction for the storage patterns. Compliance is policy + technical controls; both have to be right.