Published February 15, 2026 | 9 min read

Business call recording laws by country: legal guide 2026

Can you legally record business phone calls? This guide covers call recording laws in the UK, Germany, Poland, Spain, France, and the US, including consent requirements and GDPR rules.

Robert Mater

See also: What is automatic call transcription? | What is a Voice CRM (customer relationship management)?

TL;DR: In most of Europe (UK, Germany, Poland, Spain, France), you can legally record business calls if you inform the other party that recording is taking place; consent is implied by continuing the call. In the US, requirements vary by state: 38 states require only one-party consent (you), while 12 "two-party consent" states (including California, Florida, Illinois) require informing all participants. Under GDPR, you must also state the purpose of recording and provide a data subject access right.

Disclaimer: This article provides general information only and does not constitute legal advice. Consult a qualified lawyer for advice specific to your jurisdiction and situation.

Most call recording laws worldwide use one of two frameworks:

| Framework | Definition | Where it applies |
| --- | --- | --- |
| One-party consent | Only one person in the call (often the person recording) needs to consent | Most of continental Europe, most US states, UK |
| Two-party (all-party) consent | All participants must consent before recording begins | 12 US states, some interpretations in specific EU contexts |

In practice, informing the caller that recording takes place (via an announcement or IVR (automated menu: "press 1...") message) satisfies both frameworks in business contexts, because a caller who stays on the line after the notification is deemed to have given implied consent.

Country-by-country guide

United Kingdom

Legal basis: UK GDPR (post-Brexit version of EU GDPR) + Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP Regulations).

Rules:

  • You may record calls for legitimate business purposes (staff training, quality assurance, evidence of transactions) without explicit consent if you inform callers that recording may take place.
  • A recorded announcement ("This call may be recorded for training and quality purposes") is considered sufficient notification.
  • You must handle recordings in accordance with UK GDPR: store securely, retain only as long as necessary, provide access on request.

Verdict: ✅ Legal with announcement. No explicit consent required.


Germany

Legal basis: Bundesdatenschutzgesetz (BDSG) + GDPR + §201 StGB (criminal law on privacy).

Rules:

  • Recording without the other party's knowledge is a criminal offence under §201 StGB (up to 3 years imprisonment).
  • Informing the caller that the call will be recorded (and stating the purpose) before recording begins is required.
  • Consent must be freely given: you cannot make service conditional on consenting to recording in most consumer contexts.
  • Business-to-business (B2B) calls: easier to justify under "legitimate interest" basis, but notification is still required.

Verdict: ✅ Legal with explicit pre-recording notification. Stricter than UK: purpose must be stated.


Poland

Legal basis: GDPR (directly applicable) + Ustawa o ochronie danych osobowych (UODO).

Rules:

  • Notification before or at the start of the call is required ("This call is being recorded").
  • The purpose of recording must be disclosed.
  • Recordings are personal data under GDPR; data subject rights apply (access, erasure, portability).
  • The Polish Data Protection Authority (UODO) has fined companies for inadequate call recording policies.

Verdict: ✅ Legal with notification and GDPR-compliant data handling.


Spain

Legal basis: GDPR + Ley Orgánica de Protección de Datos y garantía de los derechos digitales (LOPDGDD).

Rules:

  • Spain follows standard GDPR rules on call recording.
  • Notification at the start of the call is required.
  • The Spanish DPA (AEPD) has issued guidance that recordings for quality/training purposes are lawful under legitimate interest, provided callers are informed.
  • Retention periods should not exceed what is necessary for the stated purpose.

Verdict: ✅ Legal with notification. Legitimate interest basis available for B2B and quality purposes.


France

Legal basis: GDPR + Loi Informatique et Libertés.

Rules:

  • Notification required before recording ("Cet appel peut être enregistré…").
  • French courts have ruled that continued participation after notification constitutes valid consent.
  • The CNIL (French DPA) recommends retaining call recordings for no longer than 6 months unless there is a specific legal or contractual reason to keep them longer.

Verdict: ✅ Legal with notification. Recommended retention: ≤ 6 months.


United States

Legal basis: Federal Wiretap Act (18 U.S.C. § 2511) + state laws.

Rules:

  • Federal law (one-party consent): Only one party in the call needs to consent. If you are a participant, you can legally record without informing the other party at the federal level.
  • Two-party consent states (all-party consent required): California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Washington.
  • In two-party states, all participants must be notified before recording begins.
  • Best practice for US businesses: always use a notification announcement to comply in all 50 states.

Verdict: ✅ Legal in all states with notification announcement. Recording without notification is legal only in one-party states.


GDPR obligations for EU/UK businesses recording calls

Regardless of the country-specific rules above, any business subject to GDPR (i.e., any business with EU/UK customers or based in the EU/UK) must also comply with these GDPR principles when recording calls:

  1. Lawful basis: typically "legitimate interest" (quality, training, legal protection) or "consent". Document which basis you rely on.
  2. Transparency: inform callers what you record, why, and for how long, before or at the start of the call.
  3. Data minimisation: only record calls where there is a clear business need.
  4. Retention limits: define and follow a retention period (common practices: 3–12 months for training, 7 years for financial transactions).
  5. Data subject rights: be able to respond to requests for copies, correction, or deletion of call recordings.
  6. Security: store recordings encrypted, with access controls. Limit who can listen to recordings.
  7. Processor agreements: if a third-party tool (e.g., Heilo) stores your recordings, you must have a Data Processing Agreement (DPA) in place.

How to implement compliant call recording

Step 1: Add an IVR announcement

Add an automatic message at the start of every call, e.g.:

"Thank you for calling [Company]. This call may be recorded for quality assurance and training purposes."

This single step covers legal requirements in the UK, Germany, Poland, Spain, France, and all US states.

Step 2: Document your lawful basis (GDPR)

Write a brief internal policy stating: what you record, why (purpose), what lawful basis you rely on, how long you keep recordings, and who has access.

Step 3: Update your privacy policy

Your website privacy policy should mention call recording. Include: what data is captured, retention period, how to request access or deletion.

Step 4: Ensure your tool has a DPA

Any third-party call recording tool must offer a Data Processing Agreement. Reputable tools provide this in their terms of service or on request.

Step 5: Train staff

Staff should know: calls are recorded, who can access recordings, and how to handle data subject access requests.

FAQ

Can I record a business call without telling the other person?

In most of Europe and Canada: no, you must inform the other party. In most US states (one-party consent states): yes, but it is strongly inadvisable from a trust and GDPR perspective. Best practice globally is always to announce recording.

In the UK, most EU countries, and US one-party states: yes, continuing the call after an announcement is legally sufficient. In Germany and some other EU countries, the announcement must also state the purpose of recording. In US two-party states, you must wait for affirmative indication of consent if required by state law, though most callers interpret the announcement as adequate notice.

How long can I keep call recordings?

This depends on your jurisdiction and purpose. GDPR does not set a specific maximum, but requires you to delete data when the purpose is fulfilled. Common business practices: 3–6 months for quality monitoring, 12 months for sales evidence, up to 7 years for financial services records. The French CNIL specifically recommends ≤ 6 months for training purposes.

Are call transcripts subject to the same laws as recordings?

Yes. A call transcript is personal data (it contains what a specific person said) and is subject to GDPR/data protection laws in the same way as the recording. Apply the same retention policies and access controls.

Does GDPR apply to B2B calls (business-to-business)?

GDPR applies wherever a natural person (individual) is involved. In a B2B call, the individual on the other end is protected under GDPR even if they are calling in a professional capacity. However, the legitimate interest basis is generally easier to establish for B2B calls than consumer calls.

What is the penalty for illegal call recording?

In the EU: GDPR fines of up to €20 million or 4% of global annual turnover (whichever is higher). In Germany: criminal liability under §201 StGB (up to 3 years). In the US (two-party state violation): civil liability and potential criminal charges under state wiretapping laws.

Summary

Recording business phone calls is legal in the UK, Germany, Poland, Spain, France, and most of the US, provided you inform participants before or at the start of the call. A standard IVR announcement ("This call may be recorded") covers the requirement in virtually all jurisdictions. Under GDPR, you must also document your lawful basis, limit retention, and sign a DPA with any third-party recording tool.

Heilo.io handles call recording with built-in consent announcement support, EU data storage, and a Data Processing Agreement, so you can record calls confidently and compliantly.
