VoIP Call Recording Compliance — US + Canada Reality Check

The legal answer for call recording in the US is "it depends on the state" and in Canada it's "it depends on whether the recording leaves the country." Most VoIP buyers don't realize this until they get a complaint. Here is the working summary we hand to customers asking whether to enable always-on recording.

US — one-party vs. two-party consent

One-party consent (38 states + DC): if you're on the call, you can record without telling the other party.

Two-party / all-party consent (12 states): every party on the call must be informed.

The 12 two-party states as of 2026: California, Connecticut, Delaware, Florida, Hawaii, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, Pennsylvania, Washington. Some lists count Hawaii as one-party with carveouts; treat it as two-party for safety.

The trap is a call that crosses state lines. If you're in Texas (one-party) calling someone in California (two-party), most courts apply the stricter standard. Default to two-party consent for ALL recordings if you operate cross-state.

Canada — single-consent + cross-border data

Canada is single-consent at the federal level (PIPEDA). One party on the call must be aware. Most VoIP customers in Canada are fine recording.

The complication: where does the recording sit? If your VoIP provider stores it in a US data center, PIPEDA's "adequate protection" requirement kicks in. Most major providers (RingCentral, 8x8, Dialpad) have Canadian data residency available on enterprise plans. SMB plans usually default to US storage. Read the fine print.

Practical setup that works in both jurisdictions

  1. Always play a recorded notice at call start: "This call may be recorded for quality and training purposes." That covers two-party consent in any US state.
  2. For inbound calls, set the IVR to play the notice BEFORE routing. "Press 1 to continue" creates an explicit consent moment if a regulator ever asks.
  3. For outbound calls (sales, support callbacks), train reps to say it in the first 10 seconds. Don't bury it.
  4. Set a retention policy. 90 days is common for support, 7 years for regulated industries (financial, healthcare). Do not keep recordings indefinitely.
  5. Disable recording on personal/HR-flagged extensions. "Always on" creates discoverable evidence.

Provider compliance posture (verified 2026-04)

RingCentral: SOC 2 Type II + HIPAA-eligible BAA on Ultra. Recording stored in US-East by default; Canada-resident option on enterprise.

8x8: SOC 2 + HIPAA + ISO 27001. Canadian data residency available.

Dialpad: SOC 2 + HIPAA-eligible. AI transcription is encrypted in transit + at rest.

DialPhone: SOC 2 in-progress, HIPAA-aligned. Recording can be disabled per-team via admin policy. Compliance docs available on request.

The honest gap

None of these providers will tell you definitively "you're compliant" — they tell you their platform supports compliant USE. The compliance is on YOU: notice, consent, retention, disposal. The platform is just the storage layer.

For a side-by-side feature comparison including compliance posture across 13 providers, our comparison tool covers it. The compliance column is one of the weight knobs.

Maintained by Darshan M, Growth Operations at DialPhone. Last verified 2026-04. Not legal advice — consult counsel for your jurisdiction.