Do lawyers need client consent to use AI meeting notetakers in 2025? One-party vs two-party consent, confidentiality, and ethics rules
About to turn on an AI notetaker for a client call? Quick pause. The big question in 2025 is whether you need everyone’s consent before any bot listens in or transcribes. Short answer: in most real‑world situations, yes.
Why? Two buckets of rules collide here—state call‑recording laws (one‑party vs two‑party consent) and attorney ethics on confidentiality and client communication. We’ll walk through what counts as “recording,” how mixed‑state and cross‑border calls work, and what the Model Rules expect from you. You’ll also get short scripts, engagement letter language, an easy workflow you can actually follow, and a checklist to vet tools and settings. We’ll close with how LegalSoul fits a law firm’s privacy and audit needs without creating busywork.
Quick answer and who this applies to
Wondering, “do lawyers need consent to record client calls 2025?” Play it safe and get explicit consent from every participant before using any AI notetaker, captions, or transcript feature. That applies whether you’re a solo, at a boutique, in BigLaw, or in‑house, and it covers client calls, expert chats, witness prep, and internal meetings touching client work.
Here’s the logic. State recording laws can require all‑party consent, and the ethics rules expect you to protect confidences and explain material tech choices. Even in one‑party states, the mix of jurisdictions, platform terms, corporate policies, or court orders can bump you into all‑party consent. Treat consent as a repeatable process: note who agreed, when, and for which matter, and link that record to your retention settings.
What counts as “recording” or “interception” with AI notetakers
Recording isn’t just saving a .mp3. If a bot joins the call, taps a live transcript API, or captures captions so an AI can summarize, you’ve likely crossed into “recording” or “interception.” Many laws focus on the contents of a conversation, not the file format.
Example: turning on Zoom or Teams live transcription and piping that stream to an AI for real‑time notes can still require consent. Same goes for cloud recordings, third‑party bots, and browser plugins that capture audio. A good gut check: would a normal participant think the conversation disappears after the call? If you’re preserving or processing it, treat it as recording and disclose it up front with an opt‑out and clear retention limits.
One more wrinkle: post‑call “enrichment.” If you feed transcripts into an LLM to pull deadlines or issues, that’s extra processing. Cover it in your engagement terms or renew consent when the use changes.
One-party vs all-party consent: 2025 legal landscape
States split. Some allow one party to consent to recording. Others require all parties to agree—frequent examples include California, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington.
On mixed‑state calls, many teams follow a simple rule: the strictest regime wins. If someone dials in from California and someone from Texas, announce and get consent from everyone. Also watch for protective orders or court rules that ban any recording, human or AI. You can keep a states map handy, but the cleanest policy is: always disclose, always ask, always log. It removes guesswork and stops last‑minute law‑checking during the waiting room small talk.
Federal law, platform terms, and private rights
Federal law (Wiretap Act/ECPA) bars intercepting communications but allows it with consent. Helpful, but state law can be stricter, and conferencing platforms often require notice to all participants anyway.
Most platforms flash a banner when recording/transcription starts. That’s helpful, but say it out loud too. Civil claims are a real risk—privacy suits around “third‑party interception” have multiplied, and a silent vendor grabbing your call content is a lawsuit waiting to happen.
Also, think evidence. If a recording is captured improperly, expect fights over suppression or side litigation you don’t need. The boring, reliable method: pre‑call notice, a quick in‑call consent request, and a stored record tied to the matter and your retention timeline.
Attorney ethics, confidentiality, and privilege
Three duties matter most: competence (1.1), communication (1.4), and confidentiality (1.6), plus supervision of nonlawyers (5.3). An AI provider functions like a nonlawyer assistant, so you need reasonable safeguards—encryption, access controls, data isolation, and a firm “no, you may not train on our client data.”
Privilege can hold if the vendor is a necessary intermediary and access is limited to what’s needed. Document that role in your engagement and vendor agreement. Picture this: your trial team uses AI transcription to tag issues during witness prep; keep access tight and retention short for raw audio, and you’re on stronger privilege footing. “Privilege by configuration” helps—default to least‑privilege roles, no data sharing, and brief raw audio retention.
Client communications: when and how to disclose
Clients want straight talk. Tell them you may use AI transcription for accuracy and faster follow‑ups, explain the guardrails (encryption, isolation, no public model training), who can view outputs, and how long you keep audio or transcripts. Give a clear opt‑out.
Good places to say this: a short clause in your engagement letter and a single line in calendar invites. In the meeting, use a 15‑second script, confirm consent, and log it. For sensitive matters—criminal, family, government work—consider written consent up front or just skip the bot. Many clients accept ephemeral captions but not stored audio. Name that difference and ask what they prefer.
Special scenarios and edge cases
Witnesses, experts, regulators, and opposing counsel aren’t clients, and they often have different rules or expectations. Ask first. Opposing counsel will usually say no—don’t push it. For experts and consultants, fold consent into your SOW or engagement.
Watch out for minors, protected persons, or unionized employees—extra policies or laws may apply. Mediation or settlement talks often bar recording entirely, and some agencies forbid it without written permission. Add a quick pre‑flight checklist for non‑client meetings: consent needs, protective orders, HR/union policies, international issues. If anything is unclear, switch to human notes and move on.
International and cross-border meetings
EU/UK calls bring privacy laws into the mix. Under GDPR, you need a lawful basis to process personal data; explicit consent is the cleanest route for recording. Cross‑border transfers? Use SCCs (EU) or the UK addendum, and honor any data residency requirements.
Example: UK board call with U.S. counsel—announce transcription, get explicit consent, store transcripts in the EU/UK if the client asks, and sign a DPA with SCCs. Some countries (like Germany) read recording rules strictly, so treat those as all‑party, fully documented consent. In Canada, check PIPEDA and provincial rules. Also track vendor subprocessors and where they store data. If your client runs a global incident response, match your retention to their timelines so privacy and evidence needs don’t fight each other.
Operational playbook: consent-first workflow
- Pre‑call:
  - Calendar invite includes a one‑line notice about AI transcription/summarization and an opt‑out link.
  - For high‑risk matters, get written pre‑approval from the client contact.
- In‑call:
  - Deliver a 15‑second disclosure and ask for consent; if anyone objects, disable the bot and proceed with human notes.
  - For multi‑state meetings, announce that you’re seeking all‑party consent to comply with the call recording laws that apply to multi‑state conference calls.
- Post‑call:
  - Store proof of consent (time‑stamped note or recorded acknowledgement) in the matter file.
  - Apply the firm’s data retention policy for audio and transcripts: short raw audio retention (e.g., 7–14 days), longer transcript retention tied to the matter lifecycle, with legal holds honored.
- Governance:
  - Quarterly audits of access logs and retention.
  - Exceptions process: who approves departures, and how they’re documented.
Bonus tip: segment your meetings—client strategy, expert/witness, internal planning—and default the bot off where objections are common. Fewer awkward toggles, fewer slipups.
Model language you can adapt
Calendar invite snippet:
“For accuracy and follow‑up, our firm may use secure AI‑assisted transcription on this call. We seek consent from all participants. If you prefer we do not use it, reply ‘opt out’ and we’ll take human notes only.”
In‑meeting script:
“Quick heads‑up: To improve accuracy, we use a secure AI notetaker to transcribe and summarize. Only the matter team can access it. It’s not used to train public models and we retain it briefly under our policy. Does everyone consent?”
Engagement letter clause:
“We may use confidential, access‑controlled AI tools to assist with transcription and summarization. These tools do not use your data to train public models. We will seek consent before use and you may opt out at any time.”
Third‑party email:
“We plan to use a secure AI transcription tool for our upcoming session. Please reply to confirm consent from all attendees, or let us know if you prefer we proceed with human notes only.”
Short, clear, and easy to reuse—so the practice actually sticks.
Vendor due diligence checklist for law firms
- Strong encryption, data isolation, SSO/MFA, granular roles, and audit logs.
- Default “no training” on your data, plus a contractual ban on model training.
- SOC 2/ISO 27001 attestations and a solid DPA with subprocessors listed.
- Data flow diagrams: where audio/transcripts live, how they move, and in which regions.
- Subprocessor transparency and an objection process for high‑risk ones.
- Configurable retention with hard delete and easy export on request.
- Incident response SLAs and timely breach notification.
- EU/UK data residency options and SCCs/UK IDTA for transfers.
- BAAs where needed (e.g., health‑related matters).
Ask to see the privacy controls in the product, not just a PDF. Per‑matter workspaces and legal holds are the features that save you from DIY fixes later.
Configuration best practices to reduce risk
- Turn off auto‑join and auto‑record; require an explicit start with a visible notice.
- Use “join on consent” for external calls.
- Keep raw audio for as little time as possible; make the transcript the working file with tight access.
- Set least‑privilege roles; log and review who opens transcripts.
- Disable “auto‑share with participants” to prevent accidental distribution.
- Enable redaction for sensitive items (SSNs, bank details) if available.
- Separate matters into their own workspaces; use legal holds without inflating default retention.
- Block model improvement on your data and verify that setting after upgrades.
These settings support defensible retention and help you stay within consent and confidentiality expectations. If you travel, keep a “strict jurisdiction” profile ready for places like California or Germany.
Documentation, audits, and training
- Documentation: file the consent proof (invite, email, or timestamped verbal note) in the DMS and link it to the transcript record.
- Audits: quarterly spot checks—confirm consent exists, retention is applied, and access is limited to the team.
- Training: quick onboarding plus annual refreshers on multi‑state recording rules, disclosure scripts, and how to switch to human notes.
- Exceptions: short form noting why automation was off (objection, protective order, agency rule), who approved, and follow‑ups.
- Metrics: track opt‑outs, time saved, and client feedback to refine defaults.
Neat side effect: when billing teams or clients ask how AI was used, you’ll have clean records ready, which cuts down on back‑and‑forth.
If consent is refused: compliant alternatives
- Human notetaker with a simple template (issues, decisions, action items).
- Shared document for live notes (ask before turning it on).
- Post‑call recap email to confirm key points and next steps.
- Split the meeting: do the discussion off‑record, then a short recap by counsel.
- Use tools that only help with typed notes (no audio capture) if allowed.
Keep the pivot smooth: “No worries, we’ll go with human notes.” After the call, circulate a short summary for confirmation so nothing gets lost.
Common mistakes and risk traps to avoid
- Relying on one‑party rules during mixed‑state calls—assume the strictest law applies.
- Treating live captions as “not recording.” If content is captured or processed, assume consent is needed.
- Leaving auto‑join or auto‑record on; silent bots are trouble.
- Letting vendors train models on client data—switch it off in contracts and settings.
- Holding raw audio too long; prefer transcripts with access control.
- Forgetting late‑added participants—reconfirm consent when attendees change.
- Using an outdated state map; laws and interpretations shift—review regularly.
- Ignoring protective orders, mediation rules, or agency policies that forbid recording.
- Failing to keep proof of consent; if you can’t show it, it didn’t happen.
A short pre‑flight checklist catches most of these before they trip you up.
How LegalSoul supports a consent-first approach
- Consent‑first flows: invite notices, in‑meeting prompts, and “join on consent” so nothing connects until approval is recorded.
- Matter‑centric setup: per‑matter workspaces, least‑privilege roles, and audit logs that match your DMS and billing.
- Privacy by default: data isolation, encryption, no training on your data, and optional redaction.
- Retention you control: short raw audio windows, matter‑based transcript retention, one‑click holds and purge.
- Audit‑ready: exportable consent proof, access logs, and config snapshots for client reviews.
- Global options: EU/UK residency with SCCs/UK addendum in the DPA.
If you’re building a consent‑first practice, LegalSoul gives you practical levers and clear guardrails, with the paperwork your risk committee expects.
FAQ
Do we need written consent or is verbal enough?
Verbal on the record usually works, but written (email or engagement) is better for sensitive matters.
Do live captions trigger consent?
If captions or transcripts are saved or processed beyond the call, treat them as recording and get all‑party consent.
Can we use AI notes for internal, non‑client meetings?
Yes, but follow company policy and platform terms, and let attendees know.
What about the federal consent exception?
Federal law allows interception with consent, but stricter state laws and contracts still control the outcome.
What proof of consent should we keep and for how long?
A timestamped note or short clip tied to the matter. Keep raw audio briefly (e.g., 7–14 days) and retain transcripts under your matter policy with legal holds as needed.
Key Points
- Default to all‑party consent. Treat captions and transcripts as recording, apply the strictest rule for mixed‑state or international calls, and keep a clear record of consent.
- Ethics and privilege matter. Explain AI note‑taking in your engagement, vet vendors, get informed consent with an opt‑out, and protect confidentiality.
- Run a simple workflow. Invite notice, quick in‑call script, proof of consent, short retention. If anyone objects, switch to human notes and send a recap.
- Choose legal‑grade tools and set them up right. Look for isolation, encryption, “no training,” SOC 2/ISO, DPAs/SCCs, and EU/UK residency. Enable join‑on‑consent and disable auto‑record. LegalSoul checks these boxes.
Conclusion
Bottom line for 2025: treat AI notetaking as recording, follow the strictest rule on multi‑state calls, and get clear, documented consent from everyone. Ethics and privilege push you to disclose, vet vendors, lock down access, keep retention short, and always offer an opt‑out.
Ready to put this on rails? Update your engagement letters, adopt the short scripts, and use a tool built for law firms. Book a LegalSoul demo to enable join‑on‑consent, matter‑based access, EU/UK residency, and exportable audit trails—so you get the benefits without the headaches.