Recording Meetings in Two-Party Consent States: A 2026 Compliance Guide for AI Notetaker Users

Key takeaways
  • 12 U.S. states — CA, CT, DE, FL, IL, MD, MA, MT, NH, OR, PA, WA — require all-party consent to record a meeting in 2026.
  • Kearney v. Salomon Smith Barney (2006) means California's law follows you across state lines whenever a Californian is on the call.
  • The In re Otter.AI Privacy Litigation and Cruz v. Fireflies BIPA cases show AI notetakers are the newest wiretap-law defendants.
  • Damages stack fast: $5,000 per CIPA violation, $5,000 per intentional BIPA violation, up to 5 years in prison under Florida's felony statute.
  • On-device transcription eliminates the underlying legal risk because no interception, cloud transmission, or voiceprint extraction ever occurs.

Quick answer: Twelve U.S. states require all-party consent to record a conversation: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Oregon, Pennsylvania, and Washington. If any participant sits in one of these states — or if you're a California resident being called from elsewhere — every attendee must consent before an AI notetaker like Otter, Fireflies, or Zoom AI Companion records the meeting.

Published July 7, 2026 · 11 min read

If any participant on your next Zoom, Teams, or Google Meet call sits in California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Oregon, Pennsylvania, or Washington, your AI notetaker needs consent from every attendee before it starts transcribing. These are the 12 all-party (two-party) consent states as of 2026, and they are the reason a wave of federal class actions is now testing whether Otter, Fireflies, and Microsoft Teams have been quietly violating decades-old wiretap statutes every time their bots joined a meeting.

This guide walks through exactly which states require all-party consent, how interstate calls are governed, what the pending Otter.ai wiretap litigation means for enterprise buyers, and why an on-device architecture is the only design that reliably sidesteps the entire problem.

The 12 All-Party Consent States (2026)

Federal law sets a one-party consent floor: 18 U.S.C. § 2511 lets any participant record a call as long as one party (which can be the recorder) consents. States are free to be stricter, and 12 of them are. According to Recording Law's 2026 two-party consent guide, the current list is: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Oregon, Pennsylvania, and Washington.

A few nuances matter for AI notetaker users. Connecticut and Oregon operate mixed rules depending on whether the conversation is by phone or in person. Michigan's statute reads all-party on its face, but the Michigan Court of Appeals recognized a participant exception in Sullivan v. Gray in 1982 — a construction a federal court explicitly reaffirmed in April 2026, per the ConvertAudioToText state-by-state reference. Hawaii is one-party for phone calls but all-party for recordings made inside private places under HRS § 711-1111.

These aren't obscure jurisdictions. As NextPhone's 2026 compliance guide notes, the 12 all-party states represent roughly 35% of the U.S. population and include four of the country's largest business hubs. If your team sells nationally, you will hit an all-party consent requirement on essentially every workday.

The Interstate Rule: Kearney v. Salomon Smith Barney

The most common misconception among AI notetaker users is that only the recorder's state law matters. It doesn't. In Kearney v. Salomon Smith Barney, 39 Cal. 4th 95 (2006), the California Supreme Court held that California's two-party consent statute applies to out-of-state callers who record California residents — the case involved a Georgia-based broker recording a California-based client without consent. Nimitai's 2026 compliance guide notes that federal circuit courts have generally followed the Kearney logic, and most state attorneys general apply the same 'stricter law wins' posture for enforcement.

Practical translation: if you're on a call with anyone in California, Florida, or Illinois, treat the whole call as all-party regardless of where you're sitting. A sales rep in Texas calling a lead in Florida must follow Florida's 934.03. A consultant in New York on a Zoom with a Chicago client should assume Illinois law applies to the Chicago participant. The safest practice, as FreedomRankings notes in its 2026 update, is a simple verbal disclosure before substantive conversation begins.

What 'consent' actually requires

For wiretap statutes, an audible announcement at the top of the call is usually enough — if all parties stay on the line, courts generally treat that as implied consent. For biometric statutes like the Illinois Biometric Information Privacy Act (BIPA), a spoken disclaimer is not sufficient. BIPA § 15(b) requires written notice and a written release before a voiceprint is extracted, and Illinois courts have consistently rejected boilerplate 'as needed for business purposes' language.

How AI Notetakers Trigger These Statutes

Traditional wiretap statutes were written for tape recorders and telephone taps. The question courts are now confronting is whether an AI bot invited by one participant qualifies as an unlawful interceptor. Mayer Brown's June 2026 analysis observed that AI notetakers function as automated participants that record, transcribe, and summarize discussions, often generating written notes minutes after a meeting ends — and their normalization has largely outpaced legal and compliance scrutiny.

The Recording Law lawsuit tracker confirms that Otter's motion-to-dismiss hearing was argued before Judge Eumi K. Lee on May 20, 2026, and no ruling had issued as of the most recent case update. The court's decision will be the first federal test of whether decades-old wiretap statutes reach an AI bot sitting quietly in the corner of a video call — an outcome that will affect every AI meeting product on the market.

The Otter litigation and CIPA damages

According to the National Law Review's analysis, four separate suits filed between August and September 2025 were consolidated into In re Otter.AI Privacy Litigation, 5:25-cv-06911 (N.D. Cal.), before Judge Eumi K. Lee. The lead case, Brewer v. Otter.ai, was filed August 15, 2025 by Justin Brewer, a California resident who did not have an Otter account and whose February 2025 sales call was recorded because another participant had OtterPilot running.

The consolidated complaint alleges violations of the federal Electronic Communications Privacy Act, California's Invasion of Privacy Act (CIPA), and the Computer Fraud and Abuse Act, and that Otter uses recorded content to train its speech-recognition models. UC Today's coverage summarizes the damages framework as unusually generous to plaintiffs: ECPA provides the greater of $10,000 per violation or $100 per day, CIPA allows $5,000 per violation, and BIPA runs $1,000 for negligent and $5,000 for intentional violations.

The BIPA voiceprint problem

The parallel biometric theory is even more punitive. In Walker v. Otter.ai, one of the cases folded into the consolidated action, the plaintiffs allege Otter's system captures 'voiceprints' — unique biometric identifiers built from pitch, cadence, and vocal-tract characteristics — and uses them to identify speakers across later meetings, all without written consent or a published retention schedule, in violation of BIPA. Mason LLP's analysis explains that unlike a password, a voiceprint cannot be changed if compromised — creating a permanent privacy risk.

The Fireflies cases (Cruz v. Fireflies.AI Corp., 3:25-cv-03399, and a second suit filed in the Northern District of Illinois) raise the same theory. Every AI notetaker that uses speaker diarization — Fireflies.ai, Avoma, Fathom, Circleback, Granola, Grain, MeetGeek, Read.ai, Sembly AI, Tactiq, tl;dv — extracts a voiceprint vector to attribute lines of a transcript to specific participants, as TopReviewed's technical breakdown details. If the courts accept the plaintiffs' theory, the entire category is exposed.

Two-Party Consent by State: Penalties and Statutes

State Statute Consent Rule Max Criminal Penalty Civil Damages
CaliforniaCal. Penal Code § 632All-party (Kearney extraterritorial)1 year jail, $2,500 fine$5,000/violation (CIPA)
FloridaFla. Stat. § 934.03All-party5 years, third-degree felony, $5,000 fineGreater of $100/day or $1,000 + fees
Illinois720 ILCS 5/14-2 + BIPA (740 ILCS 14)All-party + biometric consentClass 4 felony$1,000 negligent / $5,000 intentional per voiceprint
MassachusettsMass. Gen. Laws ch. 272 § 99All-party (always felony)5 years, always felonyActual + punitive + fees
MarylandMd. Code, Cts. & Jud. Proc. § 10-402All-party5 years, $10,000$100/day or $1,000
Pennsylvania18 Pa. C.S. § 5703All-party7 years, third-degree felonyActual + $1,000 min + punitive
WashingtonRCW 9.73.030All-partyGross misdemeanor$100/day or $1,000
ConnecticutConn. Gen. Stat. § 53a-187All-party (phone only)Class D felonyActual damages + fees
DelawareDel. Code tit. 11, § 2402All-partyClass E felonyStatutory + punitive
MontanaMont. Code § 45-8-213All-party (notification-based)MisdemeanorActual damages
New HampshireN.H. Rev. Stat. § 570-A:2All-partyClass B felonyActual + punitive
OregonORS § 165.540All-party (in-person only)Class A misdemeanorActual + $1,000 min

Cross-referenced against Recording Law's per-state pages and the NextPhone statute citations. Massachusetts is unique for treating every illegal recording as a felony with no misdemeanor option.

Regulatory Scenarios: What to Do in Each Industry

Legal professionals: attorney-client privilege risk

The Mayer Brown insight is blunt: when AI notetakers are deployed in meetings involving legally privileged discussions, the recordings, transcripts, and summaries generated by these tools may compromise that privilege. The core risk is that inputting privileged information into an AI tool operated by a third-party vendor may amount to disclosure to a third party, waiving the privilege that would otherwise attach. Courts have already declined to extend attorney-client privilege to materials prepared using consumer-grade generative AI, per the ruling in United States v. Heppner in the Southern District of New York (Feb. 17, 2026). Firms in California, Illinois, or Massachusetts should default to on-device transcription for any privileged call. See our deeper analysis of the Heppner and Warner v. Gilbarco split on AI meeting notes and work product.

Healthcare: HIPAA plus BIPA compounding exposure

If a clinician joins a Teams call with an Illinois-resident patient and Live Transcription is enabled, the voiceprint capture may violate both BIPA and — depending on what's discussed — trigger HIPAA disclosure obligations to a business associate that has not signed a BAA. HHS's HIPAA guidance requires covered entities to execute a business-associate agreement with any vendor that creates, receives, maintains, or transmits PHI. Cloud AI notetakers rarely qualify without an explicit BAA — and even then, the underlying voiceprint issue remains.

Sales and customer success: interstate calls every day

The scenario is common. A Denver AE demos a product to a prospect team spread across San Francisco, Miami, and Chicago. Under Kearney, the California participant alone triggers CIPA. The Florida participant triggers § 934.03. The Illinois participant triggers 720 ILCS 5/14-2 and, if voiceprints are extracted, BIPA. A single 30-minute call can implicate three statutes simultaneously. The only defensible posture is a universal 'we're recording this call and using an AI note tool — is that okay for everyone?' script and, for the safest posture, a tool that doesn't extract biometric data or transmit audio to a cloud subprocessor.

HR and talent: candidate interviews

The HR Executive analysis of the Otter litigation quotes Bradford Kelley of Littler Mendelson noting that HR teams should be 'very interested in this case,' particularly employers operating in all-party consent states. Recording a candidate interview with an AI bot that captures voiceprints creates BIPA exposure whether or not the candidate is ever hired.

Cloud vs. On-Device: Where Consent Risk Actually Lives

Architecture Audio Interception Voiceprint Extraction Cloud Transmission Training on Data Wiretap Exposure BIPA Exposure
Otter (cloud bot)Yes (server)YesYesDefault opt-outLitigated (Brewer)Litigated (Walker)
Fireflies (cloud bot)Yes (server)YesYesAllegedYesLitigated (Cruz)
Zoom AI CompanionYes (server)Yes (Teams-style)YesPer policyEmergingEmerging
Microsoft Teams Live TranscriptionYes (Azure)YesYesDeniedYesLitigated (Basich)
Granola (bot-free cloud)Yes (device to Deepgram/Assembly)Yes (via subprocessors)YesEnterprise offUntestedUntested
Basil AI (on-device)No (local ANE)No (local only)NoNeverStructurally avoidedStructurally avoided

The Cruz and Walker complaints both hinge on the same technical mechanic: cloud services extract vocal characteristics — pitch, formant frequencies, prosody, cadence — from short audio windows and cluster them into speaker identities. That vector is a voiceprint. If diarization happens locally on your device via Apple's Speech framework and the audio never leaves the Neural Engine, there is no third-party interception to litigate and no biometric identifier for a class-action complaint to name.

How Basil AI Solves This

Basil AI is designed so that every process the Otter and Fireflies plaintiffs are litigating never happens in the first place. Audio is captured by your iPhone, iPad, or Mac and transcribed by Apple's SFSpeechRecognizer with requiresOnDeviceRecognition set to true, meaning the request is processed by the Apple Neural Engine without any network round trip. See Apple's Speech framework documentation for the technical primitives and Apple's platform privacy overview for the architectural commitments.

Because the audio never leaves your device:

This is the structural difference that our Apple Neural Engine deep dive explores in more technical detail, and it's why the Granola vs. Basil comparison reaches a different conclusion than bot-free cloud tools: bot-free is not the same as on-device.

A Compliance Checklist for AI Notetaker Buyers

Before deploying any AI meeting tool in an all-party consent state, run through this checklist. Adapted from the framework in the DataGrail May 2026 privacy huddle and the Mayer Brown emerging-risk analysis:

  1. Does the tool process audio on-device, or does it transmit to a cloud subprocessor?
  2. If cloud, is a Data Processing Agreement in place, and does it name biometric data as a category?
  3. Does the vendor extract voiceprints via speaker diarization? If yes, is there a written BIPA-compliant consent flow that reaches every participant, not just the account holder?
  4. Is model training opt-out or opt-in? Otter's default remains opt-out per the consolidated complaint's allegations.
  5. Is there an audible bot-join notification, and can it be configured to include the statutory language required in the participants' states?
  6. What is the audio retention period, and is there a published destruction schedule (BIPA § 15(a) requires one)?
  7. Under Kearney, does your workflow presume the strictest applicable law when interstate calls occur?

For a broader competitor breakdown, see our AI meeting notetaker comparison guide, which covers the same architectural questions across the top eight products in the category.

What Happens Next: The Otter Ruling

As of the most recent Recording Law verification, Judge Lee had not yet issued a ruling on Otter's motion to dismiss, which was argued on May 20, 2026. When the ruling comes, it will not decide the merits — a motion to dismiss tests only whether the complaint states a legal claim — but it will signal whether decades-old wiretap statutes reach automated AI participants. A ruling that lets the case proceed will accelerate enterprise procurement scrutiny across the category. A ruling for Otter will not retire the question, because the parallel Illinois BIPA cases (Cruz, Fricker, Basich v. Microsoft) sit in a different circuit and BIPA's private right of action does not depend on federal precedent.

Either way, on-device is the architecture that survives both outcomes.

Record Meetings Without the Wiretap Risk

Basil AI transcribes on-device using the Apple Neural Engine. No cloud, no voiceprints, no interception — nothing to litigate.

Download on the App Store Download on the Mac App Store

Frequently Asked Questions

Which states require all-party consent to record a meeting in 2026?

As of 2026, 12 states require all-party (two-party) consent: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Oregon, Pennsylvania, and Washington. Connecticut and Oregon apply mixed rules depending on whether the conversation is by phone or in person. Michigan reads all-party on its face but courts recognize a participant exception under Sullivan v. Gray.

If I'm in a one-party state calling someone in California, whose law applies?

California's stricter law almost certainly applies to you. In Kearney v. Salomon Smith Barney (2006), the California Supreme Court held that California's two-party consent statute reaches out-of-state callers who record California residents. Most federal circuits and state attorneys general apply the same 'strictest law wins' rule, so any interstate call with a California, Florida, or Illinois participant should be treated as all-party.

Does having an AI notetaker like Otter or Fireflies in a meeting count as recording?

Yes — and the plaintiffs' bar is testing this theory in court. The consolidated In re Otter.AI Privacy Litigation alleges Otter's bot intercepts conversations in violation of the federal Wiretap Act and California's Invasion of Privacy Act. Cruz v. Fireflies.AI raises parallel BIPA voiceprint claims. Both cases treat AI transcription of non-consenting participants as unlawful recording under existing wiretap statutes.

What are the penalties for violating a two-party consent law?

They're significant. Florida Stat. § 934.03 makes unauthorized recording a third-degree felony punishable by up to 5 years in prison and a $5,000 fine per conversation. California CIPA allows $5,000 in statutory damages per violation. Illinois BIPA adds $1,000–$5,000 per voiceprint captured. Class actions stack those figures across every affected participant, quickly reaching hundreds of millions of dollars.

Is an audible 'this meeting is being recorded' notice enough consent?

Usually yes for wiretap statutes, but not for BIPA. Announcing at the start of a call, with all parties remaining on the line, generally establishes implied consent in all-party consent states. However, BIPA requires written notice and a written release before biometric voiceprints are extracted — a spoken disclaimer alone will not satisfy 740 ILCS 14/15(b).

How can I record meetings across state lines without breaking any law?

Apply the strictest law that touches the call and disclose at the start. Better still, use an on-device transcription tool that never sends audio off your machine, so no interception, transmission, or biometric extraction takes place. On-device apps like Basil AI process everything locally through Apple's Speech framework, so wiretap and BIPA exposure never accrues.