
Data Privacy

AI Notetakers and The Legal Exposure Hiding in Plain Sight

Michael Ariyo - May 26, 2026

The AI notetaker that joined your last Zoom meeting brought murky compliance exposure with it. As these tools settle into company culture, privacy teams are once again closing the governance gap with limited legal direction.  

This month, DataGrail invited Founder and AI Regulatory Counsel Amanda Busse (Amanda Busse Law LLC), Chief Privacy Officer Dennis Dayman (Atmospherik), Senior Privacy Analyst Jamie Massaro (SpectroCloud), and Senior Data Privacy Manager Amanda DeLuke (HigherLogic) to explore what the law says about AI notetakers and what good governance looks like in practice.

The discussion covered the legal framework governing AI notetakers and the relative risks of different technical approaches. Read on for the main takeaways.

The fragmented legal framework governing AI notetakers

The legal framework governing AI notetakers spans federal laws, state laws, biometric privacy laws, and international data protection regulations. They all apply simultaneously across jurisdictions, and often inconsistently.

U.S. federal and state laws

The federal baseline is the Electronic Communications Privacy Act (ECPA), which operates on a one-party consent standard. Under this law, recording is lawful if at least one party to the conversation consents to it, and that party can be the person doing the recording.

Some states go a step further, requiring all parties' consent to recording. These include California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. The federal one-party standard is frequently overridden by these stricter state standards, and because participants on an interstate call may sit in any of them, the strictest applicable state standard effectively governs every call.

Biometric laws 

AI notetaker tools that use speaker identification features can capture voiceprints, which can trigger biometric privacy laws. States such as Colorado, Illinois, Texas, and Washington require consent before biometric information is collected and impose restrictions on its retention and disclosure.

GDPR

For EU operations, the requirements go further: 

  • Recording is a processing activity under GDPR Article 4 and requires a lawful basis.
  • Consent from the meeting host does not transfer to the other participants; each data subject's basis must be established separately.
  • If a call involves health information, union membership, or political views, the stricter Article 9 protections for special category data apply, and a general business interest is not a sufficient legal basis for processing.
  • Data subject access requests add another layer. Participants can request access to, correction of, or deletion of their voice data and the transcripts and summaries derived from it.

Active litigation

Three cases anchored the litigation discussion:

In re Otter.AI Privacy Litigation, No. 5:25-cv-06911

Four class action suits consolidated before Judge Eumi K. Lee, alleging violations of California and Illinois law along with federal wiretap law. The common thread across all four cases is Otter’s design choice: placing the burden of obtaining consent on the account holder rather than building it into the product.

Ambriz v. Google LLC, No. 3:23-cv-05437

Plaintiffs alleged that Google's Cloud Contact Center AI intercepted and transcribed customer service calls in real time without all-party consent, in violation of the California Invasion of Privacy Act (CIPA). Google's motion to dismiss was denied because the court adopted a capability test: the vendor does not have to actually misuse the data; the ability to do so is enough.

Cruz v. Fireflies.AI Corp., No. 3:25-cv-03399

A BIPA case alleging that Fireflies.AI's speaker recognition feature collects and stores voiceprints from all meeting participants, including non-users who never consented, without written notice, a retention policy, or a destruction schedule.

These cases will shape how courts define legal exposure for every organization using AI notetakers.

What your AI notetaker governance strategy must cover

Regardless of how the litigation above resolves, the risk categories AI notetakers introduce are consistent across tools and jurisdictions. If your organization seeks to adopt AI notetakers safely, plan a mitigation approach for each of these risks: 

  1. Consent: Most meeting participants haven’t explicitly agreed to be recorded. Hosts assume participants know, and that assumption is increasingly hard to defend in court.

    Sample Risk Mitigation: Confirm consent verbally at the start of a recording. 
  2. Biometrics: Speaker identification features can collect voice data from every participant, with no defined policy for how long that data is kept.

    Sample Risk Mitigation: Prepare a data deletion schedule for all voice recordings.
  3. Accuracy and discrimination: AI transcription has known accuracy issues for accented speech and speech impairments. Sentiment analysis and emotion recognition features may produce outputs that are less accurate for certain demographic groups.

    Sample Risk Mitigation: Don’t make decisions or implement scoring models based on AI-generated summaries without a human review step. 
  4. Attorney-client privilege: An outside vendor processing a confidential legal conversation can waive that protection, because the vendor becomes a third party to the communication.

    Sample Risk Mitigation: Exclude privileged conversations from AI notetaking by default, and treat any exception as a decision for counsel.
  5. Call content & confidentiality: Calls can easily slip into confidential or sensitive topics like performance discussions or trade secrets that need to be protected differently.

    Sample Risk Mitigation: Prohibit free tools that may use recordings for model training, risking your confidentiality. 

Not all AI notetakers carry the same risk

You can shape how much risk your organization takes on from AI notetakers through how you approach procurement. AI notetakers are typically offered as independent cloud solutions, platform-native tools, or open source, self-hosted pipelines. Each has its own impact on your legal exposure, but note that the panel also warned that if a sanctioned system is too difficult or too limiting, employees may simply turn to free outside tools, which carry the most risk of all. Explore the differences below:

Cloud (Otter.ai, Fireflies, Fathom, etc.)

Cloud-based AI notetakers join your meeting as an additional participant, recording and processing conversation data on servers owned and operated by the vendor. 

These tools are typically the highest risk option. The vendor stores your data for you, ultimately controlling your data retention and security, and freemium models often train on your call data. The vendor may only seek consent from the account holder, creating a GDPR compliance gap. Because the vendor becomes a third party in the call, this approach can also compromise confidential legal communications. 

Platform-native (Zoom AI, Teams Copilot, Google Meet)

Platform-native tools keep the recording within the platform you are already using, subject to the same controls as your existing enterprise agreement. The data never leaves a controlled environment, which mitigates much of the risk presented by AI notetakers. For organizations using these services' AI notetaking features, the key question is whether your Data Processing Agreements (DPAs), Business Associate Agreements (BAAs), or Master Service Agreements (MSAs) were written to cover AI processing, or only the underlying meeting service.

Regardless, it’s still important to address recording consent with these tools. Even if the platform’s terms permit AI processing, meeting participants might not be aware and still need an opportunity to provide meaningful consent. 

Open source (Whisper-based pipelines, local deployments)

Self-hosted open source tools remove the risks that come with sending data to a third-party vendor, since audio, transcripts, and summaries never leave infrastructure you control.

However, you also do not benefit from a vendor building consent notices directly into the product or nudging you towards more compliant consent structures. The responsibility falls entirely on your organization.

The right tool category for your organization depends on your risk tolerance, your existing vendor relationships, how much governance infrastructure you have in place, and your cultural climate towards notetakers.

Your AI Notetaker Governance Checklist

Panelists made the following recommendations to stay ahead of growing AI notetaker compliance requirements:

  1. Require SOC 2 Type II documentation from every AI notetaker vendor.
  2. Review vendor terms and conditions, and require a Data Processing Agreement.
  3. For EU operations, confirm data residency or that Standard Contractual Clauses are in place.
  4. Log explicit consent from all participants. Apply all-party standards regardless of jurisdiction.
  5. Require verbal notice at the start of every recorded meeting.
  6. Record intentionally, not by default. Limit AI notetakers in sensitive discussions.
  7. Make sure transcripts, raw audio, and AI summaries are stored securely and protected when shared. Your IT or security team can confirm whether your current vendor or infrastructure meets that bar.
  8. Define separate retention periods for raw audio, transcripts, and summaries.
  9. Mandate human review of all AI-generated summaries before they are applied to decision-making.
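For teams running the self-hosted pipeline described above, checklist items 4, 6, and 8 have to be built rather than configured. The following is an added example, not code from the article or from any of the vendors it names: an all-party consent gate that writes an audit entry on every check, and a retention sweep that keeps separate windows for raw audio, transcripts, and summaries. The retention durations, participant names, and artifact records are constructed for illustration and are not values from the article.

```python
"""Added example (not from the DataGrail article or any vendor's product):
an all-party consent gate and per-artifact retention sweep for a
self-hosted notetaker pipeline. All data below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

DAY = timedelta(days=1)
# Constructed reference time used by the sample records.
T0 = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)

# Separate retention windows per artifact class (checklist item 8).
# These durations are hypothetical defaults, not values from the article.
RETENTION: Dict[str, timedelta] = {
    "raw_audio": 7 * DAY,
    "transcript": 90 * DAY,
    "summary": 365 * DAY,
}


@dataclass
class Participant:
    name: str
    consented: bool
    consent_source: str  # "verbal", "in-app banner", or "none"


@dataclass
class Meeting:
    meeting_id: str
    started_at: datetime
    participants: List[Participant]
    sensitive: bool = False  # privileged, HR, or trade-secret discussion
    consent_log: List[dict] = field(default_factory=list)


def recording_allowed(meeting: Meeting) -> Tuple[bool, List[str]]:
    """Apply the all-party standard regardless of jurisdiction (item 4):
    every participant needs an explicit consent record, and meetings
    flagged sensitive are never recorded (item 6). Every check, allowed or
    not, is appended to the meeting's consent log so the decision is
    auditable later."""
    reasons: List[str] = []
    if meeting.sensitive:
        reasons.append("meeting flagged sensitive; recording prohibited")
    for p in meeting.participants:
        if not p.consented or p.consent_source == "none":
            reasons.append(f"no explicit consent from {p.name}")
    allowed = not reasons
    meeting.consent_log.append({
        "meeting_id": meeting.meeting_id,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "participants": [(p.name, p.consented, p.consent_source)
                         for p in meeting.participants],
        "allowed": allowed,
        "reasons": list(reasons),
    })
    return allowed, reasons


def artifacts_to_purge(artifacts: Iterable[Tuple[str, str, datetime]],
                       now: datetime) -> List[str]:
    """Return IDs of artifacts whose retention window has elapsed.
    Each artifact is (artifact_id, kind, created_at). An artifact of a kind
    with no defined window is purged immediately rather than kept
    indefinitely, so an unclassified dump fails closed."""
    expired: List[str] = []
    for artifact_id, kind, created_at in artifacts:
        window = RETENTION.get(kind, timedelta(0))
        if created_at + window <= now:
            expired.append(artifact_id)
    return expired


# Constructed sample records for a stand-alone run.
SAMPLE_ARTIFACTS = [
    ("aud-1", "raw_audio", T0),
    ("txt-1", "transcript", T0),
    ("sum-1", "summary", T0),
    ("dbg-1", "debug_dump", T0),  # unclassified: purged on the first sweep
]


def sample_meetings() -> Dict[str, Meeting]:
    return {
        "partial": Meeting("m-1", T0, [Participant("Ana", True, "verbal"),
                                      Participant("Ben", False, "none")]),
        "full": Meeting("m-2", T0, [Participant("Ana", True, "verbal"),
                                   Participant("Cy", True, "in-app banner")]),
        "privileged": Meeting("m-3", T0, [Participant("Ana", True, "verbal")],
                              sensitive=True),
    }


if __name__ == "__main__":
    for label, m in sample_meetings().items():
        print(label, recording_allowed(m))
    print("purge after 8 days:", artifacts_to_purge(SAMPLE_ARTIFACTS, T0 + 8 * DAY))
```

The gate refuses to record whenever any single participant lacks an explicit record, which is the behaviour the Otter and Fireflies complaints say those products lacked; the consent log is what you would produce in response to an access request or a discovery demand.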

While the legal landscape is still taking shape, internal policy is one of the few things organizations can act on today. Policies covering approved tools, how and when AI notetakers can be used, disclosure requirements, retention schedules, and prohibited use cases are all decisions you can make now. Organizations that build this governance early will be far better positioned to demonstrate responsible use when those rulings arrive.

AI notetaker governance starts with visibility

The governance steps above require knowing what you’re governing. DataGrail for AI Governance continuously discovers AI tools across your organization, including ones that were never formally reviewed, and connects that visibility to risk assessment, vendor documentation, and data subject request fulfillment in one platform. Vera, DataGrail’s AI privacy agent, brings that picture together across 2,500+ integrations so your team can act on AI risk without building a separate program from scratch. 

Talk to an expert to see how DataGrail can support your AI governance program.
