In recent months, several SaaS salespeople began our Zoom and Teams meetings online with what appeared to be additional invitees on the call. The additional invitees turned out to be recording features, but none of these salespeople provided advance warning nor did they request consent to record our calls. When I requested removal of any recording and transcription feature, at least one salesperson initially responded that their organization adds it to all calls by default and he did not know how to remove it. This experience raises important legal considerations, especially when none of the parties to the call or meeting adds the recording device.

Under North Carolina’s one-party consent law, if you are a participant, recording without the other parties’ explicit consent generally does not violate NC law. Likewise, U.S. federal law generally requires only one party’s consent, while it is encouraged to provide clear notification to all involved.[1] However, in an all-party consent state (e.g. Illinois), such automatic recording and transcription of a private conversation without clear and all-party consent could violate state law and expose the organization to liability.[2]

The SaaS organizations seemed to be aware of the recording features in our calls, but the practice of using shadow tech and shadow AI is also pervasive. Shadow tech is the use of unapproved technology within an organization, and it presents significant risks. A newer manifestation is shadow AI, where employees leverage unvetted AI tools for work, often including AI tools used in online meetings. One recent webinar on AI in business reported that up to 90% of employees use personal AI tools for professional tasks. The challenge for organizations is to reconcile this widespread use and its potential for increased productivity with the critical need to ensure employees utilize only approved, secure tools.

The push to work more efficiently with new technologies like AI-assisted recording and transcription often leads to rapid adoption of tools such as Otter.ai, sometimes without fully vetting their ethical or legal compliance. For those who are unaware, “Otter auto-joins Zoom, Teams, or Google meetings to record audio, write notes, capture slides, and generate a summary with action items.”[3] Users of Otter should review its default setting. If one user at a company has Otter active, that potentially enables Otter to insert itself into company meetings and transcribe when others are unaware. In a recently filed class action lawsuit against Otter.AI, Inc., the Plaintiff asserted Otter Notetaker violated the ECPA, CFAA, and California laws regarding permissions and knowledge required for recording.

While most North Carolina courts have not banned these specific tools, the U.S. Western District of North Carolina restricts AI use in court filings, reflecting caution toward unverified or fabricated AI-generated content, which could include transcripts from such tools. Otter has powerful features and built-in compliance solutions, but all organizations should complete their own risk assessment before allowing usage. To further mitigate AI risks, organizations should maintain and update an AI Governance Policy annually, provide regular staff training on lawful AI recording practices, and document employees’ use of AI and related technologies.

Working with the SaaS sales teams offered a valuable perspective. Despite their frequent collaboration with legal and other professionals, even these prominent providers have opportunities to enhance their communications approach. The following are five best practices for recording or transcribing calls, accompanied by actionable suggestions:

1. Obtain Clear Consent for Recording, Including Internet Teleconferences

Although North Carolina law permits one-party consent, lawyers should proactively notify all parties when recording calls or virtual meetings, with limited exceptions.

This is especially critical when interacting with clients or parties in all-party consent jurisdictions, such as Illinois. Written disclaimers with a checkbox or button at the start of sessions are probably effective, regardless, document consent from the other party to mitigate risk.

Suggestion #1: Before any call or teleconference, confirm all participants are aware of and consent to the recording to avoid cross-jurisdiction legal complications.

2. Understand and Manage Automatic Recording and Transcription by SaaS Tools

Some SaaS software, like Otter.ai and similar services, automatically record and transcribe calls to improve accessibility and documentation. While convenient, automatic recording without explicit consent from every party can conflict with stricter state laws. Legal professionals must carefully review the terms of these tools and disable automatic recording or ensure prior consent is obtained. The compliance process should include training your firm’s team on these steps.

Suggestion #2: If your organization uses automatic transcription or recording tools, regularly audit these settings and provide clear notices to all participants about when calls are being recorded or transcribed.

3. Secure Storage and Confidentiality of Recordings and Transcripts

Recordings and their transcriptions may contain confidential and sensitive personal information. Recordings could store personally identifiable information (PII) known as voiceprints, classified as high risk or restricted in NC, and the Illinois Biometric Information Privacy Act (BIPA) requires consent before collecting voiceprints.

Suggestion #3: Treat recordings and transcripts as containing confidential and restricted data. Store files securely, encrypt, limit access, and destroy properly.

4. Know the Rules on Transcribing Recorded Calls and Handling Transcripts

Transcription is an extension of recording and requires the same legal consent. Transcripts should be treated with the same care as recordings regarding privacy and confidentiality. Errors in automated transcripts can also introduce risks, so verify transcription accuracy before relying on them in any context.

Suggestion #4: Ensure any transcripts produced, especially by AI services, are reviewed for accuracy and protect confidentiality.

5. Exercise Caution with AI Transcription Services

AI transcription services provide powerful tools but come with legal risks, such as potential breaches of attorney-client privilege and data privacy concerns. Legal professionals should develop policies that balance operational efficiency with privacy rights and carefully vet AI vendors’ security Ask representatives for the AI service to provide a clear explanation of their compliance with laws.

Suggestion #5: Never use “free” models for privileged information! Before using AI transcription services, contractually ensure client data is not used for training, carefully evaluate data handling practices, provide awareness of use, and ensure strong data protections.

As the law surrounding AI remains unsettled, attorneys and organizations must proceed with caution because the use of these tools could waive privilege and expose sensitive data. Transparent communication, coupled with consent protocols, is vital for meeting legal and ethical obligations during interstate or international calls. By following these best practices, legal professionals can reduce the risks of recording and transcription technology. When in doubt, consider following the sage advice given in Hamlet: “Lend thy ear to all, but give thy voice to few.”

Disclaimer: The information provided is for general informational purposes only and does not constitute legal advice, nor is it intended to create an attorney-client relationship between you and the author, their employer(s), or any affiliates. You should not act or refrain from acting based on any information on this website without seeking appropriate legal or professional advice specific to your circumstances. This could be considered attorney advertising.

Stephen Domer is Managing Counsel at Digital Law Counsel, where he advises on AI governance, digital marketing, privacy, and product development. He has served as Vice-Chair of the ABA E-Privacy Law committee for the past two years.

[1] The Electronic Communications Privacy Act (ECPA) prohibits the intentional interception of any wire, oral, or electronic communication without the consent of at least one party to that communication.

[2] The Illinois Eavesdropping Act (720 ILCS 5/14-2) makes it a crime to record a private conversation without the consent of all parties involved, and this Illinois law provides for civil liability.

[3] See Otter AI.

September 16, 2025/by Privacy and Data Security