In re Otter.AI Privacy Litigation: What the May 2026 Motion-to-Dismiss Hearing Means for Every AI Notetaker User

On May 20, 2026, in Courtroom 7 of the San Jose federal courthouse, Judge Eumi K. Lee heard oral argument on Otter.ai's motion to dismiss In re Otter.AI Privacy Litigation, case number 5:25-cv-06911. It is the first time a federal judge has been asked to decide whether decades-old wiretap statutes reach an AI bot that quietly joins a Zoom call. The case consolidates four putative class actions filed in 2025 — Brewer, Walker, Theus, and Winston — and the ruling, whenever it comes down, will reshape how every cloud-based AI notetaker is sold, configured, and consented to in the United States.

If you have ever joined a meeting where an OtterPilot bot popped into the participant list, this case is about you. If you run a company that uses Otter.ai, Fireflies, or Read AI, it is about your liability. And if you are still evaluating which AI transcription tool to roll out, the architectural lesson is already clear: cloud-based notetakers are facing the first federal stress test of their consent model, and on-device alternatives sidestep every theory in the complaint.

How the cases got consolidated

The lead complaint was filed on August 15, 2025, by Justin Brewer, a California resident who alleges that a February 2025 sales call was recorded because another participant had OtterPilot running. Brewer had no Otter account, no privacy policy to accept, and no opportunity to decline. NPR's coverage at the time noted that the suit accuses Otter of "deceptively and surreptitiously" recording private conversations and using them to train its transcription models without permission.

Three more cases — Walker (August 26), Theus (September 3), and Winston (September 10) — followed within a month. Judge Lee consolidated all four on October 22, 2025, and interim co-lead counsel was appointed from Levin Law, Clarkson Law Firm, and Werman Salas. A consolidated complaint was filed December 5, 2025. The official CourtListener docket tracks every motion, order, and pro hac vice admission in the case.

What the complaint actually alleges

The factual theory across all four cases is consistent. According to Baker Botts' AI Legal Watch, the complaint alleges that when Otter.ai is connected to a user's calendar, the tool "automatically joins every meeting and begins recording and transcribing the conversation, as well as taking screenshots of the video call," and creates a voiceprint of each participant that is stored for use in future meetings — all without notice to attendees or their consent.

The legal claims span seven separate statutes. The National Law Review's analysis lists violations of the federal Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA); California's Invasion of Privacy Act (CIPA), the Comprehensive Computer Data and Fraud Access Act, common-law intrusion upon seclusion and conversion, and the Unfair Competition Law (UCL); and, in the Winston sub-case, Illinois's Biometric Information Privacy Act (BIPA). The plaintiffs frame Otter not as a passive tool but as "an unauthorized third-party eavesdropper, intercepting communications and repurposing them for product training without consent."

The follow-up email problem

One particularly damaging factual allegation goes beyond recording itself. The complaint alleges that Otter sends follow-up emails containing partial transcripts and screenshots to all invitees — regardless of whether they actually attended — and encourages non-users to create accounts. Notification of non-users is reportedly gated behind Otter's Enterprise plan, its most expensive tier. That detail matters: it suggests the default product behavior monetizes the data of people who never consented to be in the funnel.

What Otter is arguing in the motion to dismiss

Otter.ai filed its motion to dismiss on January 1, 2026, and a reply brief in April 2026. UC Today's coverage of the briefing quotes the reply: "Across all claims, plaintiffs do not plausibly allege that they disclosed private or sensitive information (or any information whatsoever), that Otter intercepted communications in transit, or that Otter accessed their computers or data without authorization."

Otter's broader defense rests on three pillars: (1) the OtterPilot bot is visible in the participant list, which Otter argues is sufficient notice; (2) account-holders, not Otter, are responsible for obtaining consent under the company's terms of service; and (3) plaintiffs lack Article III standing because they cannot show concrete injury. CEO Sam Liang stated the company's public posture bluntly: "If they accuse us, then they could accuse everyone else, all the tools you heard about doing meeting notes. My view is that we are on the right side of history."

Why this case is bigger than Otter

The legal novelty is not that someone recorded a meeting without consent — that has been actionable under state wiretap law for decades. The novelty is that an autonomous software agent did the recording on behalf of a user. Paul Hastings' privacy practice frames the question precisely: courts are being asked to decide whether AI transcription is "a distinct legal person acting as a third party, not merely a passive tool controlled by the meeting host." That distinction determines whether California's privacy regime — and CIPA in particular — applies at all.

The damages exposure is enormous. ECPA allows the greater of $10,000 per violation or $100 per day; CIPA runs to $5,000 per violation; and BIPA adds $1,000 for negligent violations and $5,000 for intentional ones per voiceprint. Otter's own December 2025 press release put its user base at more than 35 million, with over a billion meetings processed. The arithmetic is uncomfortable enough that one analysis estimates a settlement could land between $50 million and $150 million.

The single-consent model is the central question

Otter's privacy policy and terms of service instruct account-holders to "make sure you have the necessary permissions" before using the bot. In one-party-consent jurisdictions like New York and Texas, that may be enough. In the eleven all-party-consent states — California, Florida, Illinois, Maryland, Massachusetts, Pennsylvania, and others — it is legally precarious.

Goodwin's April 2026 alert warns that in all-party-consent states, "AI transcription tools that automatically join meetings or record audio without obtaining explicit advance consent from attendees through an opt-in or opt-out banner or other consent mechanism risk being found to have violated these statutes," with CIPA exposure being particularly steep. Goodwin also notes that federal wiretap liability can attach "regardless of the organization's consent" under statutory exceptions, meaning the geographic-arbitrage strategy some employers rely on ("our HQ is in Texas, so we're fine") may not hold.

The voiceprint angle: BIPA exposure

Layered on top of the wiretap theory is a separate biometric-privacy theory. The April 2026 Workplace Privacy Report on the parallel Cruz v. Fireflies.AI Corp., No. 3:25-cv-03399 (C.D. Ill.) case explains that AI notetakers that process voice characteristics to identify speakers may be generating "voiceprints" — biometric identifiers regulated under BIPA. In the Otter litigation, the Winston complaint alleges Otter captures speaker voiceprints to maintain consistent labeling across meetings, which would bring it squarely within BIPA's per-voiceprint damages framework.

This is not a hypothetical exposure. Fisher Phillips' employment-law analysis walks through how a single training session, all-hands meeting, or applicant interview can generate dozens of unconsented voiceprints — each one a separate statutory violation if BIPA applies.

Cloud notetakers vs. on-device transcription: what's actually at risk

The architectural choice an organization makes determines which theories in the Otter complaint apply to it. Here is the comparison that matters:

The point is structural. Every claim in the consolidated complaint depends on Otter being a separate actor that intercepted, transmitted, stored, or reused communications. On-device transcription removes the actor.

Employer liability is the part most companies are underestimating

The Otter litigation is nominally about Otter, but its terms shift consent obligations onto customers. That structure is exactly what creates downstream employer exposure. Article 5 of the GDPR requires lawfulness, fairness, and transparency in any processing of personal data — a standard that, as Social Europe's January 2026 analysis notes, a silent transcription bot makes structurally impossible to satisfy.

For more on how this maps to vicarious-liability theories under state wiretap law, see our deeper analysis in employer liability for AI notetakers under BIPA and CIPA. For the discovery and litigation-hold consequences of these tools, see our explainer on whether AI meeting transcripts are discoverable evidence.

What a ruling either way would mean

If Judge Lee denies the motion to dismiss, the case proceeds to discovery and class certification — and every other AI notetaker vendor inherits the precedent that an AI bot can be treated as a separate party for wiretap purposes. Settlement pressure on Otter, Fireflies, Read AI, and similarly architected products would intensify immediately.

If she grants it in whole or in part, the visible-bot-as-consent model gets a federal stamp of approval — at least for ECPA — and the litigation wave shifts to state courts and BIPA. Either way, the architectural question for buyers does not change: do you want to be the test case for the next theory plaintiffs' lawyers develop, or do you want a tool whose design moots the question?

How Basil AI solves this

Basil AI is built on a fundamentally different architecture. Recording happens on your iPhone, iPad, or Mac. Transcription runs locally through Apple's Speech Recognition framework, which Apple's privacy commitments document as on-device by default. No bot joins your Zoom, Teams, or Google Meet call. No audio is transmitted to a vendor server. No voiceprint is stored on infrastructure outside your device. No transcript is ever used to train any AI model.

For sensitive meetings — legal strategy, M&A, clinical, board, HR, candidate interviews — this is the cleanest answer to the questions the Otter litigation has put on the table. There is no third party to be the third-party eavesdropper. There is no interception in transit because nothing is in transit. There is no BIPA voiceprint because biometric processing happens in Apple's Secure Enclave and is not stored as a regulated biometric identifier. There is no GDPR international transfer because the data never leaves the EU device it was recorded on.

For more on the comparative privacy architecture across cloud and on-device tools, see our AI meeting notetaker comparison guide.

A Monday-morning checklist for compliance and IT leaders

1. Inventory which AI notetakers are connected to employee calendars today. Otter, Fireflies, Read AI, Fellow, Jamie, and others all auto-join through calendar integrations.
2. Identify any meetings that include external participants in all-party-consent states (CA, FL, IL, MD, MA, PA, WA, NH, MT, CT). Those are the highest-exposure calls.
3. Disable auto-join on calendar integrations until you have an affirmative-consent flow in place. A visible bot is not, on the current case law, a substitute for affirmative consent in those states.
4. Flip every account's training-contribution toggle to off. Otter's default is opt-out; that means new users contribute to training until someone changes the setting.
5. For sensitive meetings (legal, HR, clinical, board, M&A), move to an on-device tool that does not transmit audio, store voiceprints, or train on user data.
6. Update your meeting-recording policy to require explicit verbal consent at the top of every recorded call and a written notice in the calendar invite.
7. Brief your legal team on the docket. When Judge Lee rules, the standard for "reasonable AI governance" in your industry will change overnight.

The bigger picture

The Otter litigation is not an isolated event. Duane Morris' February 2026 analysis places it inside a broader pattern in which AI transcription tools "that join meetings or record conversations without the affirmative consent of all participants may expose law firms, employers, and individuals using the platforms to violations of federal and/or state law and associated penalties." The Fireflies BIPA case (Cruz v. Fireflies.AI Corp.), the Heppner privilege ruling, and the bans of Read AI at the University of Washington, Chapman University, and the University of California, Riverside all point the same direction.

The federal question Judge Lee is being asked to answer — whether a software agent can lawfully sit in on a conversation without the affirmative consent of everyone in the room — is one that wiretap law was not written for. However she rules, the answer will not make the underlying tension go away. Privacy-conscious organizations are already routing around it by choosing tools that never raise the question in the first place.