Why Call Recording Laws Matter More Than Ever in 2026
I've watched exhibitors spend $50,000 on a booth and zero dollars on figuring out whether they're legally allowed to record the conversations happening in it. That's a problem. If you're capturing conversations at a trade show, voice notes, dictation, any form of digital recording, you're subject to call recording laws. Get it wrong and you're looking at fines, lawsuits, and the kind of press coverage that kills deals.
Privacy laws are moving fast. Your compliance can't be static.
New legislation, stricter enforcement, and people actually caring about their data rights, all of that means what was fine two years ago might get you sued today. GDPR in Europe, PIPEDA in Canada, a patchwork of state laws in the US. They keep changing. Your lead capture approach has to change with them.
Why this matters if you're a founder
As a founder, I know the feeling: your sales rep meets 100 prospects at a show, but you have no idea which conversations mattered, what pain points came up, or what was promised. That's why I built Exporb. It turns raw trade show conversations into structured, actionable data through voice notes and AI. But that power comes with responsibility. When you record conversations, even for internal notes, you need a strategy that respects privacy laws from day one.
A generic disclaimer won't save you
A lot of exhibitors think a "this conversation may be recorded" sign covers them. It doesn't. Depending on the jurisdiction, consent has to be "freely given, specific, informed, and unambiguous", that's the exact language from GDPR Article 7. A generic sign at your booth doesn't meet that bar.
And it gets more complicated. Different laws kick in depending on where the conversation happens, where the participants are from, and how you plan to use the data. One-size-fits-all compliance is almost always wrong. You need a jurisdiction-aware strategy, especially at international trade shows where your next conversation might be with someone from California, then Germany, then Singapore.
What Are the Core Pillars of Global Call Recording Compliance?
There are really three things you need to get right: informed consent, data protection, and purpose limitation. Miss any one of them and you're exposed. I learned this the hard way when I started building Exporb. I thought consent was the whole game. It's not.
Informed Consent: The Foundation of Lawful Recording
People need to know they're being recorded. Sounds obvious, but you'd be surprised how many exhibitors skip this. Consent can't be assumed or implied, it has to be an active, clear agreement. Under GDPR Article 7, consent must be "freely given, specific, informed, and unambiguous." That means an affirmative opt-in and a real way to opt out. In practice, that's a verbal disclosure at the start of a conversation, plus an opportunity for the other person to say no. And no β scanning someone's badge or taking their business card doesn't count as consent for recording. If you're evaluating badge scanning apps for events, keep in mind that badge scanning and conversation recording are separate activities with different legal requirements.
Data Protection and Privacy: Navigating GDPR, PIPEDA, and Beyond
Getting consent is only step one. How you store, process, and protect that recorded data matters just as much. GDPR, Canada's PIPEDA, and a patchwork of US state laws all have strict requirements for handling personal data, including voice recordings and transcriptions. You need strong security measures, data minimization (only collect what you actually need), and clear retention policies. If you're capturing leads at international shows, these regulations overlap and sometimes contradict each other. That's the messy reality.
Purpose Limitation: Defining Why and How You Use Recordings
This one trips people up. You have to define why you're recording and then stick to that purpose. If you tell someone you're recording for lead qualification, you can't later use a clip from that conversation as a marketing testimonial. Not without getting separate consent for that specific use. I've seen exhibitors get sloppy here β they record everything "for training" and then want to repurpose it six ways. That's not how it works. You need documented policies covering your legitimate purpose, retention periods, and who gets access.
One-Party vs. All-Party Consent: Which Rule Governs Your Conversations?
This is where most people get confused. The question is simple: do you need permission from just one person on the call, or everyone? The answer depends entirely on where the conversation is happening, and where the participants are from.
Understanding the "One-Party" Rule: Federal and Majority US States
In one-party consent states, you can record a conversation as long as you're a participant (or at least one participant has agreed). You don't need to tell the other people. The Electronic Communications Privacy Act (ECPA) sets this as the federal baseline. Right now, 38 US states follow the one-party rule. So if you're at a booth in Texas and you want to take a voice note about a conversation you just had, you're generally fine under federal and state law β as long as you were part of that conversation.
The "All-Party" (Two-Party) Consent Requirement
Then there are the 12 states where every person in the conversation has to know about and agree to the recording before it starts. California, Pennsylvania, Massachusetts, Illinois, these are all-party consent states. A lot of countries outside the US lean this way too, especially in Europe under GDPR. So "I'm recording this" isn't enough. You need a clear yes from everyone involved.
Navigating Mixed Consent States and the "Strictest Law Applies" Principle
Here's where it gets tricky. At a big international trade show, you might talk to someone from California, then someone from Germany, then someone from Singapore β all in the same hour. Different rules for each. The standard legal advice is simple: default to the strictest law. If even one person in the conversation is from an all-party consent jurisdiction, get consent from everyone. It's the safest play, and honestly, it's just good practice. I default to all-party consent at every show, regardless of location. Less to think about.
Overview of One-Party vs. All-Party Consent Rules for Call Recording in 2026
Call Recording Consent Laws by Country
Loading interactive map...
How Do US Federal and State Laws Govern Call Recording in 2026?
The US is a mess when it comes to recording laws. Federal law says one thing, individual states say another. If you're planning your trade show booth design, compliance should be part of the conversation from day one, not something you figure out the night before the show.
The Electronic Communications Privacy Act (ECPA)
The ECPA from 1986 is the federal baseline. It follows one-party consent. If you're part of the conversation, you can record it. But here's the catch: the ECPA explicitly lets states set stricter rules. Federal law is the floor, not the ceiling. So you can't just say "federal law allows it" and call it a day.
A full Breakdown of US State Consent Laws
Eleven to thirteen states require all-party consent, depending on how you classify mixed-consent states: California, Connecticut (all-party for phone, one-party for in-person), Delaware, Florida (all-party for both in-person and phone, no exceptions), Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon (all-party for in-person, one-party for phone), Pennsylvania, and Washington. In those states, every person in the conversation has to agree before you hit record.
One state that catches people off guard: Nevada. It's a mixed-consent state: all-party for phone calls (NRS 200.620), but one-party for in-person conversations. That matters because Las Vegas is one of the biggest trade show cities in the world. If you're recording phone follow-ups from your hotel room after CES, that's all-party. If you're taking voice notes on the show floor about a conversation you just had, that's one-party. Know the difference.
The remaining states follow one-party consent. What does this mean practically? An exhibitor in Las Vegas has to operate differently from one in New York (one-party state). Same company, same product, different rules.
Practical Guidance for Interstate and Cross-State Calls
My advice? Just default to all-party consent everywhere. If your booth is in a one-party state but you're talking to someone from California, you still need their consent. At any major trade show, you'll have people from a dozen different states walking through your booth in a single day. Trying to track which consent rule applies to each person is a nightmare. Get everyone's consent. It takes five seconds and it protects you across the board.
Related: The Trade Show Follow-Up Strategy That Closes Deals
What Does GDPR Mandate for Call Recording in the EU and UK?
If you're recording conversations with anyone in the EU or UK, GDPR is the framework you need to know. It's strict, it's detailed, and it has teeth. When I first started researching compliance for Exporb, GDPR was the one that made me rethink everything about how we handle recorded data.
Lawful Bases for Processing: Consent, Legitimate Interest, and Contractual Necessity
Under GDPR Article 6, you need a valid "lawful basis" to process personal data, and yes, call recordings count. The three most relevant ones for business recording:
- Consent: Has to be "freely given, specific, informed, and unambiguous" per GDPR Article 4(11). Safest option, but also the most demanding. You need a real opt-in, not a pre-checked box.
- Legitimate Interest: You can record for things like quality assurance or training, but only if your business interest doesn't override the person's rights. You'll need a Legitimate Interest Assessment (LIA) to back this up. In the UK, saying "This call may be recorded for training and quality purposes" is generally enough, when paired with an actual legitimate purpose and UK GDPR compliance.
- Contractual Necessity: If recording is genuinely needed to perform a contract or take pre-contractual steps at someone's request, this can work. But it's narrow.
Transparency, Data Subject Rights, and Data Minimization Requirements
GDPR is big on transparency. You have to tell people what you're recording, why, who controls the data, and what their rights are. Those rights are real and enforceable:
- Right to Access: They can ask for copies of their recordings.
- Right to Erasure ("Right to Be Forgotten"): They can ask you to delete everything.
- Right to Rectification: They can ask you to fix inaccurate data.
- Right to Object: They can say "stop processing my data."
- Right to Data Portability: They can request their data in a portable format.
- Data Minimization: Only collect what you actually need. Don't record every conversation just because you can.
In countries like Poland and Spain, regulators explicitly treat call recordings as personal data. So callers must be informed of the purpose and their data subject rights, access, erasure, portability, all of it.
Data Retention, Cross-Border Transfers, and ePrivacy Considerations
You can't keep recordings forever. Under GDPR, retention for quality/training purposes is typically 3-12 months. Records tied to financial or contractual transactions can go up to 7 years, but you need to justify it. France's CNIL recommends no longer than 6 months for general purposes.
And if you're transferring recordings outside the EU/UK (say, to a US-based server) for AI processing, you need safeguards like Standard Contractual Clauses (SCCs) or adequacy decisions. The ePrivacy Directive adds another layer on top, specifically addressing confidentiality of communications. Bottom line: don't assume your cloud provider has this covered. Verify it.
How Do Other Major Countries Regulate Call Recordings?
Once you step outside the US and EU, every country has its own take. I've exhibited at shows on four continents, and every time I think I've figured it out, a new jurisdiction surprises me. Here's the country-by-country breakdown.
Canada (PIPEDA), Australia, and Key European Nations (Germany, France, Spain)
- Canada: Canada runs two parallel tracks. Under the Criminal Code (Section 184), individuals can record conversations with one-party consent. If you're part of the conversation, you can record it. But for businesses, PIPEDA kicks in: you have to notify the other party, explain why you're recording, and give them a way to opt out. If they stay on the call after being told, that counts as implied consent. So it's one-party for personal recording, but businesses need to disclose and get consent.
- Australia: Federal law allows one-party consent, but it varies by state. All-party consent: New South Wales, South Australia, Western Australia, Tasmania, ACT. One-party consent: Victoria, Queensland, Northern Territory. So if you're at a trade show in Sydney (NSW), you need everyone's consent. In Melbourne (Victoria) or Brisbane (Queensland), one-party is enough. For cross-state calls, default to all-party. Penalties vary, NSW can hit up to 5 years imprisonment.
- Germany: One of the strictest countries in the world on this. Recording without explicit consent from everyone is illegal under the German Criminal Code and GDPR. Don't mess around here.
- France: Same direction as Germany. The CNIL (French data protection authority) requires explicit consent from all parties and has specific guidance on retention limits.
- Spain: Spanish law treats call recordings as personal data under GDPR. Callers must be informed of the purpose and their rights. While it's not always framed as "all-party consent," the practical effect is the same: you need consent.
Western Europe: Italy, Switzerland, Belgium, Netherlands
Italy splits the difference. If you're part of the conversation, you can record it, that's the "participation in the dialogue" exception under Article 615-bis of the Penal Code. But the moment you want to share that recording or use it for business purposes, you need explicit GDPR consent. Milan hosts Salone del Mobile and HOMI at Fiera Milano, Bologna runs MARCA. Italy is the second-largest trade fair market in Europe. Record if you're a participant, but don't distribute without consent.
Switzerland isn't in the EU, and it has its own rules. The Swiss Criminal Code (Articles 179bis and 179ter) requires all-party consent, even participants can't record without everyone agreeing. Penalties go up to 3 years in prison. The revised Federal Act on Data Protection (FADP, effective September 2023) sits on top of that. If you're at Baselworld in Basel, Art Basel, or anything in Zurich or Geneva, get consent from every person in the conversation. No exceptions.
Belgium requires all-party consent too, stricter than its neighbors France and the Netherlands. The Telecommunications Act and Belgian Penal Code make recording without everyone's agreement punishable by 6 months to 2 years imprisonment plus fines up to EUR 10,000. Brussels Expo is a major venue, and Antwerp hosts significant fairs. Don't assume Belgium follows the same rules as Amsterdam just because they share a border.
The Netherlands is more relaxed for personal recording, one-party consent if you're a participant. But for business use, the Dutch DPA has specifically ruled that companies must get affirmative consent before recording, and people have to be able to stop the recording while continuing the interaction. Amsterdam's RAI Convention Centre, Utrecht, Rotterdam. If you're exhibiting in the Netherlands, announce your recording at the start and give people a real way to opt out.
Nordic Countries: Norway, Sweden, Denmark
All three Nordics allow one-party consent for personal recording, if you're in the conversation, you can record it. But GDPR applies to any business use, so the permissive personal recording rules don't mean you can skip consent at a trade show.
Norway isn't in the EU but is in the EEA, so GDPR still applies. Penal Code Section 205 carries up to 2 years imprisonment for recording conversations you're not part of. Oslo and Stavanger (home of the Offshore Northern Seas conference) are the main venues.
Sweden follows the same pattern. Swedish Penal Code Chapter 4, Sections 8-9 cover unauthorized recording by non-participants. Stockholm and Gothenburg host major fairs. Participants can record; non-participants can't.
Denmark allows participant recording, but the Danish DPA has ruled that businesses need affirmative consent for recording customer calls, not just a "this call may be recorded" announcement. Copenhagen's Bella Center and Herning's MCH are the key venues.
Southern Europe: Greece, Portugal
These two deserve special attention because of penalty severity.
Greece, this one stopped me in my tracks when I read the law. Article 370A of the Greek Penal Code makes unauthorized recording of a private conversation a felony punishable by up to 10 years imprisonment. That's the harshest penalty in the EU by a wide margin. All-party consent, no exceptions. If you're exhibiting at the Thessaloniki International Fair or anywhere in Athens, get explicit consent from every person before you even think about hitting record.
Portugal treats communication privacy as a criminal matter under Articles 190-194 of the Penal Code. All-party consent required. Lisbon's FIL (Feira Internacional de Lisboa) and Porto host growing trade show scenes. Recording without consent isn't just a fine here. It's a crime.
Central and Eastern Europe: Austria, Hungary, Romania, Poland
Austria follows the strict DACH-region approach (same as Germany and Switzerland). Section 120 of the Austrian Criminal Code makes recording without all-party consent a criminal offense. Vienna's Reed Exhibitions venue hosts major international fairs. Same rules as Munich or Zurich, get everyone's agreement.
Hungary has an interesting twist. Consent is required, and data subjects must be informed at the start of any recording. But here's the unique part: Hungary recognizes a "mutual recording right": if an organization records you, you have the right to record them back. There's also a crowd/public event exception that's useful for general trade show floor recordings (think background footage, not targeted conversations). Budapest's HUNGEXPO is the main venue.
Romania is one of the more permissive EU members. One-party consent, participants can record their own conversations. Distribution and business use still fall under GDPR. Bucharest's ROMEXPO is the primary trade show venue.
Poland sits in the permissive camp too. Under Polish Penal Code Article 267, if you're a participant, you can record without notifying others. But once you're handling those recordings as a business (storing them, processing them, running them through AI), GDPR kicks in fully. Warsaw, Krakow, and Poznan (MTP trade fair center) all apply the same rules.
Asia-Pacific: Japan, China, South Korea, and Southeast Asia
Japan. Japan's APPI requires explicit consent before recording. At trade shows, that means signage at your booth, verbal notification, and a clear opt-in. You can't just hit record and figure it out later.
China, China's PIPL is one of the strictest frameworks out there. Explicit, specific, fully informed consent, every time. A sign won't cut it. You'll likely need a digital opt-in or signed consent form. And transferring recordings outside China? That requires separate consent and has its own cross-border transfer requirements. I've talked to exhibitors who didn't know this until they were already on the show floor. Not a fun surprise.
South Korea, PIPA strictly regulates personal information collection. You need explicit consent, a clear explanation of the purpose, retention period, and the person's right to refuse. Penalties for non-compliance are serious.
Singapore. The PDPA mandates explicit consent for collecting personal data, and recording trade show conversations falls squarely under it. Clear notices, verbal disclosure, easy opt-in/opt-out.
Hong Kong, The PDPO requires fair and lawful data collection. It doesn't technically mandate two-party consent for the act of recording itself, but using those recordings for business purposes requires transparency and, practically speaking, explicit consent.
Taiwan. The Personal Data Protection Act requires explicit consent. You have to tell people what you're recording, what data you're collecting, and how it'll be used.
Thailand, Thailand's PDPA mandates explicit consent that's freely given, specific, and unambiguous. People can withdraw consent at any time.
Indonesia. Law No. 27 of 2022 requires explicit consent before processing personal data. Inform attendees about the recording, its purpose, and their rights.
New Zealand, One-party recording is allowed under the Crimes Act, but the Privacy Act 2020 still requires you to tell people about data collection and why you're doing it. Signage, verbal notification, privacy statement. The usual.
Vietnam, Decree 13/2023 on Personal Data Protection requires clear, voluntary, and affirmative consent. A new Personal Data Protection Law enacted in 2025 strengthens that framework. But the real catch is data localization: Vietnamese citizens' data must be stored locally. If you're at METALEX Vietnam or Vietnam Expo in Ho Chi Minh City, you can't just ship recordings back to your US server without keeping a copy in Vietnam.
Philippines, One of the stricter countries in Asia. The Anti-Wiretapping Act (RA 4200) requires all-party consent, and the Data Privacy Act of 2012 layers on top with fines up to PHP 5 million and imprisonment up to 7 years. Processing personal data without consent can land you 1-3 years plus PHP 500,000-2,000,000 in fines. Manila hosts PDEX, PhilConstruct, and World Food Expo.
Malaysia requires two-party (all-party) consent for call recording. Everyone on the call has to agree. The 2024 amendments to the Personal Data Protection Act 2010 increased penalties dramatically: up to RM 1 million or 3 years imprisonment for serious violations. That's a 5x increase from previous levels. Kuala Lumpur hosts METALTECH and the Malaysia International Furniture Fair.
Pakistan doesn't have a dedicated data protection law yet, but the Prevention of Electronic Crimes Act (PECA) 2016 is clear: all-party consent required. Secretly recording audio or video carries up to 3 years imprisonment and a PKR 1 million fine. Karachi's Expo Centre, Lahore, and Islamabad all fall under the same rules.
Bangladesh requires two-party consent under the Digital Security Act 2018 and the new Personal Data Protection Ordinance (PDPO) gazetted in November 2025, the country's first full data protection law. Explicit consent from all participants before any recording. Dhaka International Trade Fair is the main venue.
Middle East: UAE, Saudi Arabia, and Israel
UAE / Dubai. Federal Decree-Law No. 45 of 2021 requires explicit, informed consent. If you're exhibiting at GITEX or any Dubai trade show, you can't rely on implied consent. It has to be freely given, specific, and unambiguous.
Saudi Arabia, The PDPL mandates explicit consent for processing personal data. Recording at events like Riyadh Season requires clear notification, opt-in mechanisms, and secure data handling.
Israel. This one's interesting. The Wiretapping Law (5739-1979) allows one-party recording, you can record a conversation you're part of. But the Privacy Protection Law (5741-1981) governs what you do with that recording. The moment you put it in a CRM, run it through AI, or share it with your sales team, that's data processing. And that requires informed consent.
Qatar. Law No. 13 of 2016 on Personal Data Privacy requires consent for data processing, and competent authority permission for sensitive data. The law doesn't clearly define sensitive data categories, which creates uncertainty. If you're at an event in Doha, take the conservative route and get explicit consent.
Bahrain is one of the more regulated GCC states. The Personal Data Protection Law (2018) and Telecommunications Law together require all-party consent, you need everyone's agreement, and it has to be documented. Manama's Bahrain International Exhibition Centre hosts the main events.
Kuwait has the weakest data protection framework in the GCC. Data Privacy Protection Regulation No. 42 of 2021 primarily targets telecommunications service providers. There's no broad data protection law yet. But "weakest" doesn't mean "none." You still need documented consent if you're recording at Kuwait International Fair events.
Oman passed a Personal Data Protection Law in 2022 (Royal Decree 6/2022) requiring consent for processing personal data. Enforcement is still developing, but the law is on the books. Muscat's Oman Convention & Exhibition Centre is the main venue.
Jordan enacted a Personal Data Protection Law in 2023 that's notably stricter than other Middle Eastern laws. Unlike GDPR, Jordan's law doesn't provide "legitimate interests" as a standalone lawful basis. So consent is almost always your only option. If you're at an event in Amman, explicit consent isn't just best practice, it's essentially the only legal path.
Russia and Eastern Europe
Russia. Federal Law No. 152-FZ requires explicit consent before recording. But the bigger issue is data localization, recordings of Russian citizens must be stored on servers physically located in Russia. That catches a lot of international companies off guard.
Czech Republic, Finland, Ireland: all three fall under GDPR. Same rules as the EU section above.
Turkey
Turkey is a significant omission from most recording law guides, given that Istanbul is one of the world's top trade show cities. The KVKK (Personal Data Protection Law No. 6698) requires explicit consent, freely given, specific, and informed. Pre-ticked boxes and bundled consents are invalid. On top of that, the Turkish Penal Code (Articles 132-140) criminalizes unauthorized recording and surveillance. Administrative fines under KVKK range from TRY 83,000 to TRY 17 million (~$2,500 to $500,000), and they increased 25% for 2026 due to the revaluation rate. If you're at WIN Eurasia, IDMA, or Istanbul Jewelry Show, treat Turkey like Germany β explicit consent from everyone, documented and specific.
Africa: Nigeria, Kenya, Egypt, Morocco, Tunisia
Nigeria passed the Nigeria Data Protection Act (NDPA) in 2023, replacing the older NDPR. Consent must be freely given, specific, informed, and unambiguous, implied consent through pre-ticked boxes or inactivity is explicitly prohibited. For major entities, penalties go up to NGN 10 million or 2% of annual gross revenue, whichever is greater. Lagos is West Africa's largest trade show market, hosting events like GITEX Africa.
Kenya doesn't have specific wiretapping legislation, but the Data Protection Act of 2019 and the Constitution (Article 31) protect privacy. Consent must be freely given, specific, informed, and unambiguous. The controller bears the burden of proof. Penalties reach up to KES 5 million or 1% of annual turnover, with criminal penalties up to 10 years imprisonment. Nairobi's Kenyatta International Convention Centre hosts the main events.
Egypt. The Personal Data Protection Law No. 151 of 2020 explicitly defines voice as personal data. Processing without consent carries imprisonment (minimum 3 months) and fines of EGP 200,000 to EGP 5 million. Serious violations bump that to 6+ months. Cairo hosts Cairo ICT, EGYPS, and Food Africa. The implementing regulations were delayed for years but are now in force.
Morocco was early on data protection for the region, passing Law No. 09-08 back in 2009. Consent is required before collecting personal data. Unauthorized interception or recording carries up to 1 year imprisonment. The CNDP (data protection commission) handles administrative enforcement. Casablanca and Marrakech are the main trade show cities.
Tunisia was a pioneer too, its Organic Law No. 2004-63 on personal data protection predates most African frameworks. The 2022 Constitution strengthened privacy protections further in Article 24, including confidentiality of communications. Consent is required, and the national authority (INPDP) oversees compliance.
India, South Africa, and Latin America
India β The Digital Personal Data Protection Act (DPDPA) was passed in 2023, but it's rolling out in phases. The Data Protection Board was established in November 2025, but full substantive compliance, privacy notices, consent systems, breach protocols, data retention policies β doesn't kick in until May 13, 2027. After that date, enforcement is immediate with no grace period. In the meantime, the general principle leans toward requiring explicit consent before recording. If you're at India International Trade Fair or any major Indian expo, get consent. Don't assume the law isn't enforced yet means it's safe to ignore.
South Africa, RICA (Regulation of Interception of Communications Act) actually allows one-party consent β if you're a participant in the conversation, you can record it. Recording a conversation between others that you're not part of requires a warrant. However, POPIA (Protection of Personal Information Act) adds a data protection layer on top: if you're processing the recording as personal data for business purposes, you need to inform the person and have a lawful basis. So you can record, but what you do with that recording is regulated.
Brazil, Brazil's LGPD mirrors GDPR closely. Lawful basis, consent, transparency. Same playbook as EU events.
Mexico, One-party consent for personal recordings under federal law, but for businesses, the LFPDPPP (Federal Law on Protection of Personal Data Held by Private Parties) requires prior express consent. Fines go up to MX$2.2 million, and PROFECO can impose business suspensions up to 90 days. Mexico City hosts Expo Manufactura, ABASTUR, and Expo ANTAD.
Argentina requires prior, free, express, and informed consent under the Personal Data Protection Law (Law 25,326). The burden of proof sits with the data controller. Argentina has EU adequacy status, which means data transfers to/from the EU are smoother than most Latin American countries. Buenos Aires hosts Expo Real Estate and ArgenTIC.
Colombia. This one's serious. Penal Code Article 192 makes unauthorized interception of communications punishable by 48-96 months imprisonment plus fines of 200 minimum salaries. That's among the harshest criminal penalties in Latin America. Law 1581 of 2012 adds data protection requirements on top. If you're at Corferias in Bogota or Colombiamoda in Medellin, document your consent process thoroughly, the SIC (Superintendency of Industry and Commerce) can ask for evidence.
Chile is in the middle of a major overhaul. Law No. 21,719, a GDPR-style Personal Data Protection Law, becomes fully active in December 2026. Until then, constitutional protections for communications still apply. Santiago's Espacio Riesco venue hosts the main events. If you're planning a show in Chile for late 2026 or beyond, plan for the new law now.
Peru updated its Personal Data Protection Law (Law 29733) with 2025 amendments that create stricter consent requirements. Explicit, informed, freely given consent that's easily withdrawn. Lima hosts Expo Peru and Excon. The fine amounts under the updated regulations are still being finalized, but the direction is clear: stricter enforcement.
Related: Boost Trade Show ROI: A Founder's Guide
Major Trade Show Cities: Quick Reference
Before you pack for your next show, check the rules for where you're headed. I put this table together because I got tired of looking up the same cities over and over.
Quick reference for call recording consent rules in major trade show cities (2026)
What Are the Legal and Reputational Consequences of Non-Compliance?
Let me be blunt: the consequences aren't theoretical. Companies get fined, sued, and publicly embarrassed for getting this wrong. If you're an exhibitor recording conversations without proper consent, you're gambling with your entire business.
Criminal Penalties, Civil Lawsuits, and Significant Financial Fines
Wiretapping violations can lead to criminal charges. Actual imprisonment for individuals, plus criminal fines for the company. On top of that, anyone whose conversation you recorded illegally can sue you. Emotional distress, privacy invasion, the damages add up fast.
And then there are the regulators. The ICO in the UK, state attorneys general in the US, data protection authorities across Europe β they can all levy administrative fines. Under GDPR Article 83, fines go up to β¬20 million or 4% of annual global turnover, whichever is higher. Think about that for a second. You just spent $50K on a trade show booth and now you're facing a fine that could wipe out your year. I've seen companies get hit with multi-million dollar penalties for recording customer calls without consent in all-party states. It happens more often than you'd think.
Case Studies: Real-World Impacts of Illegal Call Recording
The cases that make headlines tend to be telecom companies, they record millions of calls, and when they get consent wrong in an all-party consent state, the class-action lawsuits follow fast. Marketing firms have been hit too, recording sales calls "for training" without telling anyone, then getting exposed and settling for millions plus dealing with the reputational fallout. These aren't edge cases. If your business records conversations and you don't have a clear consent process, you're exposed. As a founder, that should worry you β because it's not just about the fine. It's about losing the deals you went to the trade show to win in the first place.
Eroding Trust: The Long-Term Damage to Brand and Customer Relationships
The fines are bad. The trust damage is worse. When a prospect finds out you recorded them without consent, that relationship is over. And in B2B, relationships are everything. Word travels. One bad story and suddenly your brand is the company that secretly records people. That reputation sticks. I've watched companies recover from fines, they write a check and move on. Recovering from a trust crisis? That takes years. It kills deals, it scares off partners, and it makes hiring harder. The long-term cost dwarfs whatever the regulators charge you.
Mastering Call Recording Compliance: Strategies for Trade Show Exhibitors
So how do you actually make this work on the show floor? You need three things: workflows that adapt to different jurisdictions, clear governance for your recorded data, and tools that don't force you to choose between compliance and productivity.
Implementing Jurisdiction-Aware Workflows and Dynamic Consent Prompts
Your system needs to adapt based on where you're and who you're talking to. If a prospect is from California or Germany, your process should default to all-party consent, automatically. That could be a verbal script for your booth staff, a consent prompt on a tablet, or signage that covers your bases. Train your team to ask where someone's based early in the conversation. It sounds awkward, but it's a lot less awkward than a lawsuit.
Granular Recording Governance: Retention, Access, and Re-use Policies
Recording the conversation is just the beginning. You need clear rules for what happens to that data after the show:
- Retention: How long do you keep recordings? General training purposes: 3-12 months. Contractual records: up to 7 years if you can justify it, per GDPR data retention principles. Set a policy and stick to it.
- Access: Not everyone on your team needs to hear every recording. Sales managers for coaching, legal for disputes, that's it. Lock it down.
- Re-use: Want to use a conversation snippet as a testimonial? You need separate consent for that. The original recording consent doesn't cover new purposes.
Document these policies, share them with your team, and review them at least once a year as regulations change.
How We Handle This at Exporb
Here's the problem I was trying to solve: founders need to know what happened at every conversation their team has at a show, but they can't afford to cut corners on compliance. So when I built Exporb, I designed it around this tension.
Exporb lets teams record conversations and capture business cards right at the booth, even offline. Recording happens on the device. When you reconnect, AI transcribes the conversations, extracts key interests and pain points, and generates next steps. It's digital note-taking with structured follow-up, not surveillance.
In practice, here's how you stay compliant with Exporb:
- Train your team to get explicit verbal consent before starting a voice note.
- Use the rich text notes field to document that consent was given.
- Rely on AI summaries instead of raw audio for day-to-day decisions, that minimizes your data exposure.
- Export everything to CSV/Excel when you need to manage retention or hand data off to your CRM.
For a deeper look at how structured lead capture works at trade shows, see our complete guide to trade show lead capture and lead management strategies.
The goal is simple: full visibility for the founder, full compliance for the business.
Beyond Audio: Video, AI Analysis, and Public Dissemination Rules in 2026?
Recording laws don't stop at audio. In 2026, you also need to think about video, AI processing, and what happens when you want to share any of this publicly. Each one has its own compliance wrinkles.
Reconciling Audio Call Recording with Video and Virtual Event Capture
Video recording is generally held to stricter privacy standards than audio. You're capturing faces, body language, potentially sensitive visual information. For hybrid or virtual trade show meetings, you need participants to know they're on video, understand the purpose, and agree to it. The "strictest law applies" principle matters even more here because video surveillance laws vary wildly between states and countries.
The Nuance of Consent for AI Transcription, Summarization, and Profiling
This is something I think about a lot, given what we're building at Exporb. Recording a conversation requires consent. But what about running that recording through AI to transcribe it, summarize it, extract pain points, or flag follow-up actions? That's further processing of personal data, and under some frameworks it could require additional consideration.
My recommendation: when you ask for consent to record, also mention that the recording may be processed by AI for summaries and key interest identification. Get it all covered upfront. It takes one extra sentence and it protects you from a whole category of problems down the road.
Public Sharing: Legalities of Repurposing Conversations for Marketing or Training
This catches people off guard constantly. You got consent to record a conversation for lead qualification. Great. But that doesn't mean you can put a snippet on your website or use it in a case study. Public sharing requires separate, explicit consent, specific to the medium (website, social media, wherever), the duration, and the context. Don't assume your original consent covers this. It almost never does.
Your 2026 Action Plan for Compliant Call Recording
Alright, here's what you should actually do. Three steps: assess your risk, fix your tools, and train your people.
Conduct a full Jurisdictional Risk Assessment
Map out every jurisdiction where you do business, attend shows, or have target prospects. Figure out which consent rules apply to each: one-party, all-party, GDPR, PIPEDA, whatever. Think about what kind of data you're collecting and how it flows through your systems. This is important for protecting your company, and it's not a one-time thing. Privacy laws keep changing, so revisit this at least once a year. I do this exercise before every major show season.
Integrate Compliance Tools and Processes into Your Technology Stack
Your tools should make compliance easier, not harder. Here's what to look for:
- Dynamic Consent Mechanisms: Your lead capture app or CRM should have built-in has for obtaining and documenting consent, checkboxes, verbal scripts, digital forms.
- Data Minimization: Only capture what you need. And make sure you can delete data easily when retention periods expire.
- Security: Encryption and access controls aren't optional. Verify your platforms actually have them.
- Export Capabilities: You need to be able to get your data out. Exporb lets you export everything: voice notes, AI insights, all fields, to CSV/Excel so you can manage retention and integrate with your existing systems.
Encourage a Culture of Data Privacy: Training and Continuous Review
Tools alone won't save you. Your team has to actually care about this.
- Train Your Team: Before every show, run through the consent rules for that jurisdiction. Role-play the awkward conversations. Make sure everyone knows the script and feels comfortable delivering it.
- Develop Clear Policies: Write them down. Recording rules, retention limits, who can access what, when data gets deleted. Make it simple enough that everyone follows it.
- Regular Audits: Check your recorded data periodically. Are you keeping stuff longer than you should? Does everyone who has access actually need it?
- Lead by Example: If the founder doesn't take compliance seriously, nobody will. I make it a point to ask about consent processes in every post-show debrief. Your team notices when you care.
That's the whole picture. Get the assessment right, pick tools that support compliance by default, and build a team culture where nobody cuts corners on consent. The shows are too expensive and the stakes are too high to get this wrong.