Knowing the call recording laws by country you operate in is the difference between a productive business tool and a federal class-action lawsuit. In 2025, a man named Justin Brewer was quietly recorded during a Zoom call by an AI notetaker he never consented to β and he sued. This guide maps consent requirements across 50+ countries, breaks down US state-by-state rules, explains what GDPR demands, and gives you a compliance playbook that takes five minutes to implement.
What Happens When You Ignore Call Recording Laws by Country?
In August 2025, Justin Brewer joined a routine Zoom meeting and got burned by an AI that didn't bother asking for consent. Nothing unusual about the meeting itself β except one of the other participants had Otter.ai's AI notetaker running. Brewer wasn't an Otter user. Nobody asked him. Nobody told him. The AI just quietly started capturing everything he said, stored it indefinitely, and used his voice data to train its machine learning models.
He filed a federal class-action lawsuit in the Northern District of California. The charges: violations of the Federal ECPA, the Computer Fraud and Abuse Act, California's Invasion of Privacy Act, and a handful of other statutes.
That case is still making its way through the courts. But here's the thing: Brewer wasn't doing anything shady. He was just in a business meeting. The tool that recorded him was a legitimate product used by thousands of companies. And he still got burned because nobody bothered with the five-second question: "Mind if we record this?"
That's what this whole guide comes down to. Recording business conversations is genuinely useful. Your memory isn't nearly as good as you think it is (more on that later). But the difference between "useful business tool" and "federal lawsuit" is one sentence.
Quick note on scope: we cover "call recording laws" because that's what everyone searches for. But these laws don't just apply to phone calls. They cover voice memos, meeting recordings, booth conversations, AI transcription β anything where you're digitally capturing someone's spoken words. If you're using badge scanning apps alongside voice recording at events, those are separate legal activities with different requirements.
Why Is Recording Business Conversations Worth the Legal Homework?
Recording business conversations is normal, useful, and almost universally welcomed β when you do it right.
Here's why it matters. Hermann Ebbinghaus published his forgetting curve research in the 1880s, and a 2015 PLOS ONE study confirmed it still holds up: people forget about 50% of new information within one hour and roughly 70% within 24 hours. That means after a full day of trade show conversations, you've already lost most of the specific details, numbers, commitments, and nuances by the next morning.
Think about that. You had 15 great booth conversations at a trade show. By the time you sit down at the hotel bar that evening, more than half of what was said is gone. By the time you're on the flight home? You're working from fragments.
Recording with AI changes everything:
- Nothing gets lost. Every detail, every number, every "send me a proposal for X," captured.
- Better follow-ups. Instead of "great meeting you!" you can reference the exact thing they said was their biggest pain point.
- No "he said / she said." When both sides agree to record, there's a shared record of what was discussed. That builds trust, not tension.
- Your team gets smarter. AI summaries turn rambling conversations into structured data: action items, interests, timeline, budget signals.
And here's what I've found: people are almost always fine with being recorded in a business context. At trade shows especially, when you say "Mind if I record this so I can follow up properly? Our memories aren't great after 30 conversations in one day," the response is almost always a smile and a "yeah, absolutely."
The consent workflow itself takes five steps:
- Tell the other person you want to record the conversation
- Explain why β follow-up notes, shared record, or AI summarization
- Wait for their verbal "yes" before pressing record
- Log the consent in your CRM with a timestamp
- Set a retention date and delete the recording when it expires
That's it. The whole process takes about 10 seconds. If you're using AI-powered lead capture tools, consent can be logged automatically as part of the capture flow.
The key word is business context. We're talking about two companies exploring a potential relationship. Nobody's recording personal conversations, gossip, or private life stuff. When the conversation is about products, partnerships, and deals, recording it is just... professional.
The problem isn't recording. The problem is recording without telling people. That's where the law gets involved.
How Do Call Recording Laws by Country Compare?
The interactive map below shows consent requirements for every country we track β hover over any to see its recording rules at a glance.
Call Recording Consent Laws by Country
Loading interactive map...
A few things jump out when you look at this map:
- Most of the world leans toward all-party consent or strict data protection requirements
- The US is one of the few "mixed" countries β 38 states say one-party, 12 say all-party
- Europe is almost entirely red (strict GDPR-level), not just the EU β Switzerland, Norway, and the UK have their own strict frameworks too
- Asia is tightening fast. China's PIPL, Japan's APPI, South Korea's PIPA β all require explicit consent
What Is the Difference Between One-Party Consent Recording and All-Party?
Every recording law boils down to one question: how many people in the conversation need to agree to the recording?
One-party consent means you can record if you're part of the conversation. You don't need to tell the other person. The US federal ECPA follows this rule, and 38 states do too: New York, Texas, Georgia, Arizona, and most others.
All-party consent (sometimes called "two-party") means everyone needs to agree. California, Pennsylvania, Massachusetts, Maryland, Illinois, Washington β 12 US states require this. So does most of Europe, Canada, and an increasing chunk of Asia.
Here's the practical problem: you're at CES in Las Vegas (Nevada, an all-party consent state). You meet a prospect from New York (one-party). Another from California (all-party). A third from Germany (strict GDPR).
Which law applies?
Always follow the strictest one. If any participant is from an all-party jurisdiction, get everyone's consent. This isn't just legal advice. It's the only approach that doesn't require you to run a jurisdictional analysis before every conversation.
The four categories of recording consent laws globally (2026)
Does Your Phone's Built-In Recorder Actually Keep You Legal?
Apple added native call recording to iOS 18, and Google Pixel phones have had it for a while β but technology availability and legal permission are completely different things.
When you tap "Record" on an iPhone, iOS plays a notification tone and announces the recording to the other party. Apple designed it this way specifically because of consent laws. Google's implementation varies by region. In some countries, it announces the recording; in others, the feature is disabled entirely.
Here's what this means for trade show teams:
- Just because your phone can record doesn't mean local law allows it. iOS 18's call recording works globally, but the consent requirements depend on where you are and who you're talking to.
- Built-in recording is for phone calls. It doesn't cover in-person booth conversations, meeting recordings, or voice memos, which is what most exhibitors actually need.
- Dedicated tools handle consent better. A phone's call recorder isn't built for capturing booth conversations. You need something that helps your team get consent naturally, record the conversation, and then turn it into structured follow-up data, which is exactly what we built Exporb to do.
How Do US State Recording Laws Work?
The US is uniquely complicated because federal law says one thing and state laws can say another.
Federal baseline: The ECPA allows one-party consent for recording any wire, oral, or electronic communication. But it lets states set stricter standards.
The 12 All-Party Consent States
These states require consent from every person in the conversation before you can legally record:
The 12 US states requiring all-party consent for recording (2026)
What about Oregon? Oregon requires all-party consent for in-person conversations but is one-party for telephone calls, a distinction that catches people off guard.
The 38 One-Party Consent States
The remaining 38 states follow one-party consent, meaning you can legally record any conversation you're participating in: Alabama, Alaska, Arizona, Arkansas, Colorado, Delaware, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Mississippi, Missouri, Nebraska, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon (phone calls only), Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, West Virginia, Wisconsin, Wyoming, plus the District of Columbia.
That said, "one-party" doesn't mean "secret recording is a great idea." Even in Texas or New York, telling someone you're recording builds trust. And if the person on the other end is calling from California or Pennsylvania, their state's stricter law might be the one that applies.
What This Means at Trade Shows
If you're exhibiting at Dreamforce in San Francisco (California β all-party), you need consent from everyone before recording any conversation. If your booth is at NRF in New York (one-party), you're covered as long as you're part of the conversation. When you're planning your trade show booth design, factor in a quiet corner or signage about recording policies.
But here's what most guides miss: trade show floors aren't private spaces. Courts have generally held that conversations in public or semi-public settings (like an expo hall) have a lower expectation of privacy. This doesn't eliminate consent requirements, but it does affect how courts interpret violations. That said, a private meeting room at a convention center? That's a different story entirely.
My advice: don't rely on the "it's a public space" argument. Ask for consent. It takes five seconds and eliminates all ambiguity.
What Are the GDPR Recording Requirements for Consent?
If your prospect is in the EU or the UK (which kept GDPR-equivalent rules post-Brexit), you need to understand three things about how voice recordings are handled.
1. You need a "lawful basis" to record
Under GDPR Article 6, you can't just record because you want to. You need one of these:
- Consent β The cleanest option. Get explicit permission, explain why you're recording, and give them a way to say no. Per GDPR Article 7, consent must be "freely given, specific, informed, and unambiguous."
- Legitimate interest β You have a business reason (sales training, quality assurance, dispute evidence) AND the individual's rights don't override your interest. This requires documenting a Legitimate Interest Assessment.
- Contractual necessity β The recording is necessary to perform a contract or take pre-contractual steps at the individual's request.
For trade show conversations, consent is usually your best bet. Legitimate interest works for established business relationships, but it's harder to justify for a first conversation at a booth.
(I know, reading about "lawful basis for data processing" isn't exactly riveting. The practical version: at a trade show, just ask before you record. Consent is the cleanest path, and it takes five seconds.)
2. You must tell them what you're doing with the data
Transparency isn't optional. You need to disclose:
- That you're recording
- Who's responsible for the data (your company)
- Why you're recording
- How long you'll keep it
- Their rights (access, erasure, portability, objection)
3. Retention limits are real
You can't keep recordings forever. France's CNIL recommends 6 months max for general purposes. UK guidance suggests reviewing recordings regularly and deleting them when they've served their purpose. A reasonable default:
- Trade show voice notes / conversation summaries: 6-12 months
- Records tied to contracts or transactions: up to 7 years (with justification)
- Training recordings: 3-6 months, then delete or anonymize
The Fines Are Not Theoretical β Real Cases, Real Money
GDPR Article 83 allows fines up to EUR 20 million or 4% of annual global turnover. And they've actually been enforced for recording violations:
AG2R La Mondiale (France, 2021): France's CNIL fined this insurance group EUR 1.75 million for recording 30% of outgoing calls through subcontractors without ever informing the people being called. They didn't tell callers they were being recorded, didn't explain the purpose, and didn't give anyone the right to object. On top of that, CNIL made the decision public, naming and shaming.
HMRC (UK, 2019): The UK's tax authority collected over 5 million voice biometric records using a "my voice is my password" system, without ever giving anyone the option to opt out. The UK Information Commissioner's Office ordered HMRC to delete every single one of those records. A government agency, forced to destroy millions of recordings because their consent process was broken.
These aren't small companies cutting corners. These are major organizations that thought "we mentioned recording in the fine print" was enough. It wasn't.
Which Countries Have the Strictest Recording Laws?
If you're exhibiting internationally, this section could save you from becoming the next Justin Brewer. Here are the countries that come up most at trade shows, with the call recording laws by country details you need.
Canada
PIPEDA requires you to notify individuals that you're recording, explain why, and get their consent. It's functionally all-party consent. If you're exhibiting at shows in Toronto or Vancouver, treat it like California: get everyone's agreement first.
China
China's PIPL is arguably stricter than GDPR. You need explicit, specific, fully informed consent. A sign at your booth isn't enough β you often need a documented opt-in. And here's the kicker: you can't transfer recordings outside China without separate consent AND meeting cross-border data transfer requirements. If you're exhibiting at shows in Shanghai or Shenzhen, plan your data infrastructure carefully. (I read the PIPL's cross-border data provisions three times before they fully made sense. They are not kidding around.)
Japan
APPI requires explicit consent with a clear statement of purpose. At Japanese trade shows, you'll need verbal notification, visible signage, and an easy opt-in mechanism. Japanese business culture already values formality in communication, so consent requests feel natural here.
South Korea
South Korea's PIPA (Personal Information Protection Act) is strict. You must inform people about the recording purpose, what data you're collecting, how long you'll keep it, and their right to refuse. The Personal Information Protection Commission has been increasingly active in enforcement, and non-compliance carries significant fines.
India
India's Digital Personal Data Protection Act (DPDPA) came into effect in 2023, with implementation rules still being finalized in 2026. The law requires explicit consent for processing personal data, including voice recordings. With 1.4 billion people, India is one of the largest markets where recording consent is non-negotiable. If you're exhibiting at shows in Mumbai or Bangalore, treat it like GDPR territory: get consent, state your purpose, and document everything.
UAE and Saudi Arabia
Both require explicit informed consent for processing personal data. At major shows like GITEX (Dubai) or Saudi trade expos, you need consent that's freely given, specific, and unambiguous. The "strictest law" principle is especially important here because many attendees are from diverse jurisdictions.
Australia
Federal law allows one-party recording. But New South Wales and Victoria have their own rules that may require all-party consent for telephone conversations. If you're at a trade show in Sydney or Melbourne, check the state-level requirements.
South Africa
RICA requires all-party consent. No covert recording. Period.
Brazil
LGPD mirrors GDPR closely. You need a lawful basis, consent, and transparency. If you're at Expo Center Norte or other Brazilian venues, apply the same GDPR playbook.
Russia
Federal Law No. 152-FZ requires explicit consent AND data localization. Recordings of Russian citizens' data must be stored on servers physically located within Russia. This is a real logistical headache for international companies and one of the reasons many Western firms use local data hosting partners when doing business there.
Israel
Interesting case. The Wiretapping Law allows one-party recording β you can record your own conversations. But the Privacy Protection Law governs what you DO with that recording. Storing it in a CRM, running it through AI analysis, sharing it with your sales team β that's data processing, and that requires informed consent. So you can record easily, but using the recording for business purposes still needs permission.
Do Meeting Notes, Voice Recordings, and AI Transcription Follow the Same Rules?
Yes β and this is where most guides about call recording laws by country fall short. They focus on phone calls and ignore everything else.
At a trade show, you're probably not making phone calls. You're having in-person conversations and capturing them as voice notes. You're recording meetings with prospects in conference rooms. You're using AI tools that transcribe, summarize, and extract action items from those recordings.
All of this falls under the same legal framework. The laws don't care about the technology. They care about whether you're capturing someone's spoken words without proper consent.
AI notetakers: the new legal frontier
The Brewer v. Otter.ai case I mentioned at the top? It's part of a growing wave. A separate class action hit Heartland Dental and RingCentral in 2025 for using AI to analyze patient calls in real time without consent. Legal publications are calling it a "wave of lawsuits" targeting AI recording tools.
The pattern is the same every time: a company deploys an AI tool that records or transcribes conversations, the tool asks only the host for permission (or nobody at all), and the other participants find out later. Using AI-powered lead capture responsibly means baking consent into the workflow from the start.
Voice notes at booth conversations
When your team takes a voice memo during a booth conversation, they're recording personal data. The prospect's voice, their stated interests, their pain points. That's all personal information under GDPR and similar laws.
The workflow should be simple: have the conversation, ask "Mind if I take a voice note so I don't forget the details?", and then record. AI transcribes and enriches the data later, but the consent happens at the moment of recording, before anything gets captured.
Meeting recordings
Whether it's a scheduled meeting in a hotel conference room or an impromptu chat at a networking event, the same rules apply. If anything, private meeting settings have higher privacy expectations than open expo floors, making consent even more important.
AI transcription and summarization
When you use AI to process a recording β transcribing it, extracting key points, identifying sentiment β that's additional data processing. Under GDPR, you should mention this when getting consent. A simple addition to your script: "I'm going to record this and our AI will help me summarize the key points. Is that OK?"
This isn't just GDPR perfectionism. It builds trust. When prospects know exactly what you're doing with their data, they're more comfortable sharing.
Where Is the Line Between Business Recording and Personal Conversations?
Recording a business conversation between two companies exploring a partnership is fundamentally different from recording someone's personal life. This is worth calling out because people mix it up.
Business conversations β product discussions, pricing negotiations, partnership exploratory calls, trade show booth interactions β are professional exchanges between companies. Both sides generally expect some form of documentation. Notes get taken. Emails get saved. CRMs get updated. Adding a voice recording to that workflow is a natural extension, and people understand that.
Personal conversations β anything about someone's private life, health, family, personal opinions not related to the business at hand β are a completely different category. Even in one-party consent jurisdictions, recording personal content that someone shares in confidence can create legal and ethical problems.
The rule of thumb: if the conversation is about business between two companies, recording it (with consent) is professional and expected. If the conversation shifts to personal territory, that's not what your recording tool is for.
At trade shows, this is rarely an issue. Almost every conversation is about products, services, and business needs. But it's worth training your team on the distinction, especially for dinner events and social settings where conversations naturally get more personal. Handing out trade show giveaways while having personal side conversations? Leave the recorder off.
What Are the Recording Consent Penalties When You Get It Wrong?
The consequences range from expensive to career-ending, and they're not theoretical.
Financial penalties
GDPR: up to EUR 20 million or 4% of global turnover. US wiretapping violations: criminal fines plus civil damages. In California alone, victims can recover the greater of $5,000 or three times actual damages per violation. Maryland's wiretap violations are a felony carrying up to 5 years in prison and $10,000 in fines. Class actions under Illinois BIPA have resulted in multi-million dollar settlements for companies that captured biometric or voice data without consent.
Criminal liability
In some jurisdictions (Germany, Pennsylvania, Maryland, Massachusetts), unauthorized recording is a criminal offense. That means personal liability for the individuals who did the recording, not just corporate fines.
Reputation damage
This is the one that keeps founders up at night. In B2B, trust is everything. If a prospect finds out your team recorded their conversation without consent, that story travels. It gets shared at industry events. It shows up in online reviews. The financial penalty ends eventually; the reputation damage can last for years.
Lost deals
Even without formal consequences, the social awkwardness of getting caught recording kills the relationship. A promising conversation turns cold the moment someone realizes they're being recorded without their knowledge.
What Does a Practical Recording Compliance Playbook Look Like?
Stop reading law review articles β here's what to actually do.
1. Default to all-party consent
It's simpler and covers you everywhere. Train your team to ask: "Mind if I record this so I can follow up properly? Our memories aren't great after a full day of conversations." Most people say yes. Almost always.
2. Know your three tiers
- Tier 1 β Relaxed: US one-party states, Sweden, Denmark. You can record your own conversations. Still a good practice to inform people.
- Tier 2 β Consent required: US all-party states, Canada, Japan, UAE, most of Asia-Pacific. Get explicit agreement from everyone.
- Tier 3 β Strict data protection: EU/UK (GDPR), China (PIPL), Brazil (LGPD). Consent PLUS transparency about purpose, retention, rights, and data processing.
3. Create a consent script for your team
Don't leave it to improvisation. Give your booth staff a simple line they can use naturally:
"I'd like to take a voice note so I can remember our conversation and follow up on what we discussed. We use AI to help summarize key points. Is that OK with you?"
It's direct. It's honest. And it covers consent for recording, purpose, and AI processing in one sentence.
4. Log that you got the green light
Whatever CRM or lead capture tool you use, add a note that consent was given, even just "verbal consent, [date]" is enough. If someone later asks "did I agree to be recorded?", you want an answer. This takes two seconds and could save you months of legal headaches.
5. Set retention policies and stick to them
Decide how long you'll keep recordings (6-12 months is reasonable for trade show data) and actually delete them when that period expires. This is where most companies fail: they capture data, use it once, and then leave it sitting on a server indefinitely.
6. Brief your team before every international show
Different show, different country, different rules. A 10-minute pre-show briefing covering the local consent requirements is cheap insurance.
For a deeper look at how structured lead capture works at trade shows, see our complete guide to trade show lead capture and lead management strategies.
Understanding call recording laws by country doesn't have to be complicated. Justin Brewer's entire federal lawsuit could have been avoided with five words: "Mind if we record this?"
Recording is one of the smartest things you can do in business. Your memory is genuinely terrible (remember the forgetting curve from earlier?), details evaporate after a day of trade show conversations, and follow-ups suffer when you're working from fragments. AI-powered recording fixes all of that.
But the gap between "smart business tool" and "class-action lawsuit" is one sentence spoken before you hit record.
Ask. Tell people what you're doing with the data. Delete it when you don't need it anymore. The companies that treat consent as a natural part of the conversation, not a legal chore, are the ones that actually close deals. Because trust beats a clever recording workaround every single time.