Recording a work call is legal in most places, but only if the right people have been told and, in many jurisdictions, agreed. The US splits between one-party and all-party consent states. The EU, the UK, and most of Canada treat the recording itself as personal data and require notice plus a documented lawful basis. The safest team policy is to announce the recording at the start of every meeting, log consent, and treat the strictest jurisdiction on the call as the default for everyone. This post is general guidance, not legal advice.
The one question that decides everything
Meeting recording law turns on a single question: how many people on the call have to know and agree before you can hit record? Every jurisdiction in the world picks one of two answers, and the entire body of rules flows from that choice.
One-party consent means at least one person on the call has to know. If you are on the call, that person can be you. All-party consent means every participant has to know. If even one person hasn't been told, the recording is unlawful, even if the rest of the room is happy.
The trap is jurisdictional. The rule that applies isn't the rule where your company is registered. It's the rule that protects the person on the call. If you are in Texas and your customer is in California, California's all-party rule reaches in. The recording lives in your storage, but the harm sits with the person who didn't consent.
United States: federal floor, state ceiling
Federal US law is one-party consent under the Electronic Communications Privacy Act. As long as one party to the call has agreed, recording is lawful at the federal level. That party can be the person doing the recording.
States are allowed to set a stricter rule, and many have. As of 2026, the commonly cited all-party consent states are California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. The exact list moves over time because some of these are court-built rather than statute-built, and some states (like Connecticut and Nevada) split between civil and criminal exposure.
The practical effect for a team that runs national calls: you cannot rely on the one-party rule. Any meeting with a participant in an all-party state pulls the all-party rule onto the whole call. That is why most US SaaS companies adopted an "announce on join" policy years before voice AI showed up.
What "consent" actually looks like
Courts have generally accepted three forms of consent for business calls:
- Express verbal consent: the host says "this call is being recorded" and the participants stay on the line.
- Implied consent through notice: the calendar invite, the meeting platform banner, or a pre-call email tells the participant, and they join anyway.
- Documented written consent: a checkbox on a form or a clause in a contract, used for ongoing relationships.
The first two are the workhorses for live meetings. The third matters when you record systematically, like in sales coaching or compliance archives.
Europe and the UK: data protection swallows the question
In the EU and the UK, the framing is different. The question isn't "did the parties consent to being recorded." It's "do you have a lawful basis to process personal data?" A meeting recording is personal data the moment it captures a recognisable voice.
Under GDPR Article 6, the six lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For internal team meetings, the two that matter are consent and legitimate interests. Either can support recording, but you have to pick one in advance, document it, and tell people which one you chose.
Articles 13 and 14 require you to tell participants, in plain language, who is recording, why, how long the recording will be kept, who else will see it, and how to ask for it to be deleted. This is a transparency duty, not a checkbox.
The UK keeps GDPR almost intact through the Data Protection Act 2018. There's no meaningful daylight between the two regimes for a team that runs cross-border meetings.
The retention trap
Even with a lawful basis and good notice, GDPR's storage limitation principle (Article 5(1)(e)) requires you to keep the recording only as long as you actually need it. "We might want it someday" is not a purpose. Concrete examples that have survived audits: training and quality review for 90 days, regulatory record-keeping for the statutory period, contract evidence for the life of the contract plus the limitations window.
If your meeting AI keeps a transcript forever by default, you are inheriting that risk. The fix is not to delete the AI. The fix is to set the retention window inside the tool and document it.
Canada, Australia, and the rest of the world
Canada is mostly one-party consent at the federal level under PIPEDA, but in practice the privacy commissioners treat business calls under a knowledge-and-consent framework that looks a lot like all-party. Notify, document, retain only what you need. Quebec adds stricter rules under Law 25.
Australia varies by state. The Commonwealth Surveillance Devices Act, plus state acts in Victoria, NSW, and Queensland, generally lean toward all-party consent for private conversations, with carve-outs for calls a person is themselves part of. Federal Privacy Act obligations layer on top once the recording becomes a record.
Japan, South Korea, and Singapore are closer to one-party consent in criminal law, but their data protection regimes (APPI, PIPA, PDPA) all require notice and purpose limitation once the recording exists. The pattern is consistent: even where it's legal to record without telling, it's almost always unlawful to keep and share what you recorded without explaining yourself.
The simple policy that covers all of it
It is easier to run one strict policy than to track which rule applies to which participant on which call. Pretend every meeting is in California and Germany at once.
Six rules will get most teams to a defensible posture without a legal department:
- Announce on join. The host or the AI says "this call is being recorded and a summary will be created" inside the first 10 seconds.
- Notice in the calendar invite. One sentence: "Note: this meeting will be recorded and summarised by relly. You can opt out by replying to this invite."
- Visible recording indicator. A red dot, a badge, an icon. People should be able to glance at any point and see they are still being recorded.
- One-click opt-out. A participant who says "please stop recording" gets a stop, not a discussion. Log the request.
- Retention schedule. Pick a default (60 or 90 days is common for internal calls), write it down, set the tool to enforce it.
- Access log. Who can see the transcript, who has seen it, and how to revoke access. This is the part GDPR auditors look at first.
None of these rules is hard. The point is to do them consistently. Most enforcement actions in this space land because a company had no policy or had one and didn't follow it, not because the recording itself was unlawful in the first place.
What changes when an AI is in the meeting
A voice AI that joins your call is doing two things at once: recording, and processing. The recording is the part the wiretap statutes care about. The processing (transcription, summarisation, action extraction) is the part GDPR and similar regimes care about.
That means an AI teammate inherits both obligations. It has to be announced as a participant, not just as a tool. It has to be transparent about what it does with the audio. And it has to honour the same opt-out rule a human note-taker would: if someone says stop, it stops.
The new question, in 2026, is not whether AI can join a meeting. It's whether the AI is honest about what it does. (See voice AI privacy for the data-flow side of this question.)
Where relly sits
relly announces itself on join, shows a visible indicator for the full meeting, and respects per-meeting and per-participant opt-outs. Retention is configurable, with a sensible default that matches the strictest jurisdiction we hear from customers. We document the lawful basis in our DPA so a privacy officer can answer the audit question in one sentence.
If you are evaluating voice AI for a team that crosses jurisdictions, early access gets you in before public launch, with 50% off the first 12 months. We'll show you the consent flow on a live call before you commit.
This post is general guidance, not legal advice. For a specific contract, employment matter, or evidentiary use, talk to a lawyer who knows the jurisdictions on your call list.
Common questions
Is it legal to record a work meeting without telling people?
It depends on where every participant is located, not just where you are. Federal US law and many countries allow one-party consent, but twelve US states, the entire EU, the UK, and most of Canada effectively require all participants to be told and to agree. If even one person on the call sits in an all-party jurisdiction, the safer rule is to ask everyone.
Which US states require all-party consent for recording?
As of 2026, the commonly cited all-party consent states are California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. Statutes and case law shift, so for any contract, employment, or evidentiary use you should confirm the current rule with local counsel.
Does GDPR allow meeting recording?
GDPR allows meeting recording if you have a lawful basis under Article 6, give clear notice under Articles 13 and 14, and limit retention to what the purpose requires. For internal team calls, consent or legitimate interest can both work, but you must document the basis, let people object, and keep recordings only as long as you actually need them.
What's the safest meeting recording policy for a global team?
Announce the recording at the start of every meeting, post the same notice in the calendar invite, give an easy way to opt out, log who consented, and delete recordings on a clear schedule. Treat the strictest jurisdiction on the call as the standard for everyone. It is simpler to run one policy than to track who sits where.
Want voice AI that respects the consent rules?
relly announces itself on join, honours opt-outs, and ships with a retention schedule your privacy officer can defend. Early access is open with 50% off your first year.
Claim early access →