California Invasion of Privacy Act (CIPA) requirements for recording phone calls 


Photo of author

Donata Stroink-Skillrud

Co-founder and President of Termageddon

“This call may be monitored and recorded for quality assurance and training purposes.” Sound familiar? This notice is ubiquitous, regardless of the company that you call, and informs you that the call is recorded and that it may be replayed and used in the future. If you record calls in your business, you may be wondering whether you also need to present such a message and whether your website’s Privacy Policy needs to acknowledge this fact as well. In this article, we will discuss a privacy law that governs the recording of phone calls, the California Invasion of Privacy Act (CIPA), including who it applies to, its requirements, and how to update your Privacy Policy to help avoid fines. 

Note: CIPA also has requirements for websites that use trackers as well. You can read about those requirements here.

Does your business record phone calls? 

Many business owners assume that they do not record phone calls or do not even collect phone numbers, but that is usually not the case. Businesses will frequently collect phone numbers through the following features: 

  • Contact forms on websites; 
  • eCommerce and order placement forms; 
  • Calendar booking features; 
  • Support portals where customers can send you a message; 
  • Emails (most signature lines contain a phone number); and 
  • When customers call your business. 

In addition, many businesses record phone calls as well through the following: 

  • Calling customers through a customer relationship management system (e.g. Hubspot or Salesforce) that allows for the recording of phone calls; 
  • Calling customers through a support portal (e.g. FreshDesk or ZenDesk) that allows you to record phone calls; 
  • Allowing customers to leave a voicemail; 
  • Hitting “record” on a call (whether through an online service such as Zoom or Google Meets or through your phone). 

The truth is that collecting phone numbers and recording phone calls is pretty common, you just need to follow some rules to make sure that you are doing so properly to avoid fines. 

What is the California Invasion of Privacy Act? 

CIPA is a privacy law that went into effect in 1994 with the aim of protecting residents of California from privacy violations that occur when communications are recorded without knowledge or consent. CIPA applies to any communications with a resident of California, whether through telegraph, telephone, line, cable or instrument, including calls placed through the Internet, as well as more traditional phone calls. CIPA also applies if one party to the communication is a resident of California, meaning that your business does not need to be located in the State for the law to apply to you. 

To comply with this law, you will need to obtain the consent of the individual to record the phone call and can do so through the following processes: 

  • Playing a message at the start of the call stating that the call will be recorded; 
  • Asking an individual whether they consent to the call being recorded at the beginning of the call; 
  • Stating in your Privacy Policy that all calls will be recorded; and 
  • Asking individuals to consent to the Privacy Policy prior to them submitting a phone number (e.g. through a checkbox on your contact form). 

How do you create a CIPA Privacy Policy? 

Thankfully, CIPA does not require you to have a separate Privacy Policy that is exclusive to the law so you can include CIPA disclosures within your existing Privacy Policy. If you are currently using the Termageddon Privacy Policy generator, make the following selections to ensure that your Privacy Policy includes disclosures regarding the recording of phone calls: 

  • What information do you collect? Answer this question by selecting “voice recordings”; 
  • Purpose for using this information. Answer this question by selecting “recording phone calls”; 
  • What third parties do you share this information with? Answer this question by selecting “voice recording vendors.” Please make this selection only if you use a third party vendor to record the phone calls or if you share the recordings with anyone outside of your company. 

Once you make these selections, answer the remaining questions and click “submit” to generate your Privacy Policy, your Privacy Policy will include the disclosures necessary to inform users that any phone calls with you will be recorded. 

What are the penalties for violating CIPA?

CIPA is a bit different from other privacy laws in how the punishment for non-compliance is set. While a first-time conviction will garner a fine of $5,000 per violation and a subsequent conviction can cost up to $10,000 per violation, the law also includes the consequence of imprisonment. If an individual is convicted of a CIPA violation, they can be punished with up to a year in county jail. Thus, it is imperative to obtain the proper consent for phone call recordings with residents of California, whether that be through a pre-recorded message, asking for consent, and/or updating your Privacy Policy to state that calls will be recorded.

Photo of author
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy




How To's

Privacy Policy

Terms of Service

Subscribe for Updates