--- title: "AI Voice Agent Call Recording: TCPA, CCPA, and GDPR Compliance" description: "Call recording compliance for AI voice agents — TCPA two-party consent states, CCPA disclosure, GDPR, and audit trails." canonical: https://callsphere.ai/blog/ai-voice-agent-call-recording-compliance category: "Technical Guides" tags: ["AI Voice Agent", "Technical Guide", "Compliance", "TCPA", "CCPA", "GDPR", "Call Recording"] author: "CallSphere Team" published: 2026-04-08T00:00:00.000Z updated: 2026-05-07T16:15:37.498Z --- # AI Voice Agent Call Recording: TCPA, CCPA, and GDPR Compliance > Call recording compliance for AI voice agents — TCPA two-party consent states, CCPA disclosure, GDPR, and audit trails. ## Recording is the easy part, compliance is not Hitting "record" on a voice agent call takes one line of code. Staying legal across all US states, the EU, and the UK takes policy, disclosure logic, retention schedules, and audit trails. This post walks through the technical implementation of call recording compliance for AI voice agents, focused on TCPA two-party consent states, CCPA disclosure requirements, and GDPR lawful basis. Disclaimer: this is engineering guidance, not legal advice. Work with counsel for your specific jurisdiction. ``` incoming call │ ▼ detect jurisdiction from caller ID / IP │ ▼ two-party state? ── yes ──► play consent prompt, wait for "yes" │ no │ ▼ play one-party disclosure ("this call may be recorded") │ ▼ start recording + log consent event ``` ## Architecture overview ``` ┌───────────────────────┐ │ Voice agent runtime │ │ • consent state │ │ • recording on/off │ └──────────┬────────────┘ │ ▼ ┌───────────────────────┐ │ Consent log (Postgres)│ └──────────┬────────────┘ │ ▼ ┌───────────────────────┐ │ Recording storage │ │ (S3 + KMS encryption) │ └───────────────────────┘ ``` ## Prerequisites - A jurisdiction mapping (NANPA area code → state, IP → country for WebRTC). - A consent log table in Postgres. - Encrypted storage for recordings (S3 + SSE-KMS or equivalent). - Legal-reviewed disclosure scripts per jurisdiction. ## Step-by-step walkthrough ### 1. Identify jurisdiction on ring ```python def jurisdiction_for_caller(caller_number: str) -> str: # Lookup NPA → state npa = caller_number[2:5] if caller_number.startswith("+1") else None return NPA_STATE.get(npa, "unknown") TWO_PARTY_STATES = {"CA", "CT", "DE", "FL", "IL", "MD", "MA", "MI", "MT", "NV", "NH", "OR", "PA", "VT", "WA"} def needs_two_party_consent(state: str) -> bool: return state in TWO_PARTY_STATES ``` ### 2. Play the appropriate disclosure ```python async def run_disclosure(oai_ws, state: str): if needs_two_party_consent(state): script = "This call will be recorded for quality and training. Is that okay with you?" else: script = "Just so you know, this call may be recorded for quality purposes." await oai_ws.send(json.dumps({ "type": "response.create", "response": {"instructions": f"Speak this exactly: {script}"}, })) ``` ### 3. Wait for explicit consent in two-party states Set a flag on the session: `awaiting_consent = true`. Only start recording when the caller says yes. ```mermaid flowchart LR REQ(["Inbound request"]) PII["PII detection regex plus NER"] POL{"Policy engine OPA or rules"} REDACT["Redact or mask"] LLM["LLM call"] OUT["Response"] AUDIT[("Append only audit log")] BLOCK(["Block plus notify DPO"]) REQ --> PII --> POL POL -->|Allow| REDACT --> LLM --> OUT --> AUDIT POL -->|Deny| BLOCK style POL fill:#4f46e5,stroke:#4338ca,color:#fff style AUDIT fill:#ede9fe,stroke:#7c3aed,color:#1e1b4b style BLOCK fill:#dc2626,stroke:#b91c1c,color:#fff style OUT fill:#059669,stroke:#047857,color:#fff ``` ```python CONSENT_YES = {"yes", "sure", "okay", "ok", "yeah", "fine", "that's fine"} CONSENT_NO = {"no", "nope", "don't", "do not"} async def handle_consent_turn(transcript: str, session): t = transcript.lower().strip() if any(w in t for w in CONSENT_YES): session.consent = True await log_consent(session.call_id, "granted") await start_recording(session) elif any(w in t for w in CONSENT_NO): await log_consent(session.call_id, "refused") await end_call_politely(session) ``` ### 4. Log the consent event with immutable timestamp ```sql CREATE TABLE consent_events ( id BIGSERIAL PRIMARY KEY, call_id TEXT NOT NULL, caller_number TEXT, jurisdiction TEXT, consent_status TEXT NOT NULL, disclosure_script TEXT NOT NULL, recorded_at TIMESTAMPTZ NOT NULL DEFAULT now() ); ``` ### 5. Store recordings encrypted with per-tenant keys ```python import boto3 s3 = boto3.client("s3") async def upload_recording(tenant_id: str, call_id: str, wav_bytes: bytes): key = f"tenants/{tenant_id}/calls/{call_id}.wav" s3.put_object( Bucket="cs-recordings", Key=key, Body=wav_bytes, ServerSideEncryption="aws:kms", SSEKMSKeyId=tenant_kms_key(tenant_id), ) ``` ### 6. Honor deletion requests (CCPA, GDPR) ```python async def delete_caller_data(caller_number: str): call_ids = await db.fetch("SELECT call_id FROM calls WHERE caller_number = $1", caller_number) for cid in call_ids: await s3.delete_object(Bucket="cs-recordings", Key=f"calls/{cid}.wav") await db.execute("UPDATE calls SET transcript = NULL, deleted_at = now() WHERE call_id = $1", cid) ``` ## Production considerations - **Retention schedules**: MiFID II = 5 years, HIPAA = 6 years, GDPR = "no longer than necessary". Store per-tenant policy. - **Access control**: recordings are sensitive; gate playback behind signed URLs with short TTLs. - **Audit logs**: who accessed a recording, when, and why. - **Breach notification**: GDPR requires 72h breach notice. - **Cross-border transfer**: EU recordings must stay in EU-region storage unless SCCs are in place. ## CallSphere's real implementation CallSphere builds consent detection, per-state disclosure scripts, and encrypted recording storage into every production deployment. The voice plane runs on the OpenAI Realtime API (`gpt-4o-realtime-preview-2025-06-03`) at 24kHz PCM16 with server VAD, and the consent gate fires before the first tool call. Recordings land in per-tenant S3 buckets with SSE-KMS, and access is gated through signed URLs from the admin UI. The pattern applies uniformly across healthcare (14 tools, HIPAA-aware retention), real estate (10 agents), salon (4 agents), after-hours escalation (7 tools), IT helpdesk (10 tools + RAG), and the ElevenLabs sales pod (5 GPT-4 specialists). A GPT-4o-mini post-call pipeline redacts PII from transcripts before they flow into the analytics store. CallSphere supports 57+ languages with locale-specific consent scripts and maintains sub-second latency through the disclosure flow. ## Common pitfalls - **Blanket "this call is recorded" in two-party states**: not sufficient for consent. - **Forgetting consent logs**: regulators will ask for proof. - **Global S3 bucket**: violates GDPR data residency. - **No deletion API**: CCPA and GDPR both require it. - **Unencrypted storage**: this is a breach waiting to happen. ## FAQ ### Does TCPA apply to inbound calls? Yes — recording rules apply regardless of direction. ### Is IP-based jurisdiction detection reliable? Good enough for WebRTC, but combine it with explicit disclosure everywhere. ### What if a caller refuses consent in a two-party state? End the call politely without recording and log the refusal. ### How long can I keep recordings? It depends on the jurisdiction and vertical; store a policy column per tenant. ### Can I train on customer recordings? Only with explicit opt-in consent spelled out in the disclosure. ## Next steps Need a compliance-ready voice agent? [Book a demo](https://callsphere.tech/contact), read the [technology page](https://callsphere.tech/technology), or see [pricing](https://callsphere.tech/pricing). #CallSphere #Compliance #TCPA #GDPR #CCPA #CallRecording #AIVoiceAgents --- Source: https://callsphere.ai/blog/ai-voice-agent-call-recording-compliance