
GDPR Meeting Recording: Legal Guide (2025)

How to record meetings legally under GDPR and US state laws. Understand consent requirements, avoid costly fines, and choose compliant tools.

Recording meetings has become essential for documentation, training, and accountability. But hit that record button without proper consent, and you could face fines up to EUR 20 million under GDPR or criminal charges in certain US states.

This guide breaks down everything you need to know about recording meetings legally in 2025. You'll learn the specific requirements under GDPR, understand which US states require all-party consent, and discover how tools like LocalMeetNotes can help you stay compliant while capturing valuable meeting content.

Meeting recordings contain personal data: voices, names, opinions, and sometimes sensitive business information. Under privacy laws like GDPR, this data requires protection.

The Real Cost of Non-Compliance

GDPR penalties aren't theoretical. As of January 2025, total fines have reached EUR 5.88 billion since the regulation took effect in 2018. In 2024 alone, regulators imposed EUR 1.2 billion in fines across Europe.

The penalty structure is serious:

  • Up to EUR 20 million or 4% of global annual turnover (whichever is greater)
  • Criminal liability in some jurisdictions for willful violations
  • Reputational damage that can harm business relationships
  • Invalid evidence since illegally recorded meetings may be inadmissible in legal proceedings

Major companies have learned this the hard way. TikTok was fined EUR 530 million for improper data transfers. LinkedIn received a EUR 310 million penalty for processing data without proper legal basis. These cases show that regulators are actively enforcing the rules.

GDPR Requirements for Meeting Recording

If your organization operates in the EU or serves EU customers, GDPR applies to your meeting recordings. The regulation treats recorded audio and video as personal data, triggering specific obligations.

Lawful Basis for Recording

GDPR requires one of six lawful bases before you can record:

  1. Consent: Participants have explicitly agreed to be recorded for specific purposes
  2. Contract: Recording is necessary to fulfill a contractual obligation
  3. Legal obligation: You're required by law to maintain records
  4. Vital interests: Recording protects someone's life (rare for meetings)
  5. Public interest: Recording serves a public function
  6. Legitimate interests: Your business needs outweigh privacy concerns (requires careful balancing)

For most business meetings, consent is the safest and most straightforward approach. But GDPR consent isn't just asking "is everyone okay with recording?" It must be freely given, specific, informed, and unambiguous.

What Valid Consent Looks Like

To meet GDPR standards, your consent process should include:

  • Advance notice: Mention recording in the meeting invite, not just at the start
  • Clear explanation: State who is recording, why, and how long data will be stored
  • Active confirmation: Get verbal agreement or visible acknowledgment (silence isn't consent)
  • Opt-out option: Participants must be able to decline without penalty
  • Documentation: Keep records of when and how consent was obtained

Importantly, participants can withdraw consent at any time. You need a process to handle this, including the ability to delete specific recordings when requested.

Data Subject Rights

People you record have specific rights under GDPR:

  • Right of access (Article 15): They can request copies of recordings featuring them. You have 30 days to comply.
  • Right to erasure (Article 17): They can request deletion of their data, including their voice in recordings.
  • Right to rectification: They can correct inaccurate information in transcripts.
  • Right to data portability: They can request their data in a machine-readable format.

Your meeting recording system needs to support these rights. Can you extract one person's audio from a group recording? Can you delete specific recordings on request? These are questions you'll need to answer.

Storage and Retention

GDPR's storage limitation principle means you can only keep recordings as long as necessary. Set clear retention periods and automate deletion when possible. Recordings should also be encrypted and access-controlled.

If you use cloud-based tools, you'll need Data Processing Agreements (DPAs) with your vendors. If data transfers outside the EU are involved, you need approved transfer mechanisms like Standard Contractual Clauses (SCCs).

This is where local processing tools offer a compliance advantage. When everything stays on your device, there's no international data transfer to worry about.

US State Laws: One-Party vs All-Party Consent

The United States has a patchwork of recording laws that can trip up even careful organizations. Federal law requires only one-party consent, but state laws can be stricter.

Federal Law (Wiretap Act)

Under the federal Electronic Communications Privacy Act, you can legally record a conversation if you're a participant. You don't need to tell the other parties. But this is the minimum standard, and many states go further.

All-Party Consent States (as of January 2025)

Eleven states require consent from everyone being recorded:

  • California
  • Delaware
  • Florida
  • Illinois
  • Maryland
  • Massachusetts
  • Montana
  • Nevada
  • New Hampshire
  • Pennsylvania
  • Washington

Recording without consent in these states can result in criminal prosecution. California and Pennsylvania have particularly strict enforcement.

The Interstate Problem

Here's where it gets complicated: when participants are in different states, the stricter law applies. If you're in New York (one-party consent) recording a call with someone in California (all-party consent), you need California-level consent from everyone.

For remote teams spread across multiple states, the safest approach is to always get explicit consent from all participants. Treat every recording as if all-party consent is required.

Other Jurisdictions

Beyond the EU and US, many countries have their own rules:

  • Germany: Two-party consent required, violations are criminal offenses
  • France: All-party consent under Article 226-1 of the Penal Code
  • UK: Similar to GDPR under UK-GDPR post-Brexit
  • Canada: One-party consent federally, but provincial laws may differ
  • Australia: Generally one-party consent, but varies by state

For international meetings, apply the strictest standard that applies to any participant.

Best Practices for Legal Meeting Recording

Following these practices will help you record meetings legally while building trust with participants.

Before the Meeting

  1. Include recording notice in invitations: Don't surprise people. Mention that you plan to record and explain why.
  2. Link to your privacy notice: Provide easy access to information about how recordings will be handled.
  3. Offer alternatives: If someone objects, can they participate without being recorded? Can their audio be excluded?
  4. Document your legal basis: Know which GDPR lawful basis applies and have it documented.

At Meeting Start

  1. Announce recording clearly: "This meeting will be recorded for [specific purpose]. Is everyone okay with that?"
  2. Wait for active consent: Get verbal confirmation or visible acknowledgment from each participant.
  3. Explain the process: Tell participants how they can request access to or deletion of the recording.
  4. Allow opt-out: If someone declines, either don't record or let them leave without consequence.

During Recording

  • Be mindful of sensitive topics that might create higher-risk data
  • If someone joins late, pause and get their consent too
  • If participants request "off the record" moments, honor them

After Recording

  • Secure storage: Encrypt recordings and limit access to authorized personnel
  • Set retention limits: Delete recordings when they're no longer needed
  • Enable access requests: Have a process for responding to data subject requests within 30 days
  • Audit trail: Keep records of who accessed recordings and when

Tools for Compliant Meeting Recording

The tool you choose significantly impacts your compliance burden. Here's how different approaches compare.

Cloud Recording Services

Tools like Zoom's built-in recording, Microsoft Teams recording, or third-party services like Otter.ai and Fireflies.ai upload your audio to external servers. This creates additional compliance obligations:

  • You need DPAs with each vendor
  • International data transfers may require SCCs
  • You're responsible for your vendors' compliance
  • Subscription costs add up ($10-39/month per user typically)

Major platforms like Zoom do offer EU data residency options for paid enterprise accounts, which helps with GDPR compliance.

Local Processing Tools

LocalMeetNotes takes a different approach. Everything happens on your Mac, and nothing leaves your device. No cloud servers. No third-party processors. No international data transfers.

From a compliance perspective, this simplifies things considerably:

  • No DPAs needed: You're not sharing data with processors
  • No transfer mechanisms: Data stays in your jurisdiction
  • Full control: You can delete recordings instantly and completely
  • No ongoing costs: LocalMeetNotes is free with no subscription fees

The app uses Whisper large-v3 for transcription and Llama 3.2 for AI summaries, all running locally on Apple Silicon. It automatically detects Microsoft Teams meetings and separates speaker audio for accurate transcription.

You still need proper consent from participants, but you've eliminated one major category of compliance complexity.

Comparison Table

Feature                 | Cloud Services    | LocalMeetNotes
Data location           | External servers  | Your Mac only
DPA required            | Yes               | No
International transfers | Possible          | None
Deletion control        | Depends on vendor | Instant, complete
Monthly cost            | $10-39/user       | Free

Frequently Asked Questions

Do I need consent to record a meeting under GDPR?

Yes, GDPR requires a lawful basis for recording meetings. The most common approach is explicit consent from all participants. You must inform attendees before recording, explain why you're recording, how long data will be stored, and how they can withdraw consent. Silence or implied consent is not sufficient under GDPR.

What are the penalties for illegal meeting recording?

GDPR violations can result in fines up to EUR 20 million or 4% of global annual turnover, whichever is greater. As of January 2025, total GDPR fines have reached EUR 5.88 billion since 2018. Beyond financial penalties, illegal recordings may be inadmissible as evidence and could damage business relationships.

Which US states require all-party consent for recording?

As of 2025, 11 US states require all-party consent: California, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. When recording across state lines, the stricter law applies.

Can I use local AI tools for GDPR-compliant recording?

Yes, local AI tools like LocalMeetNotes offer significant compliance advantages. Since all processing happens on your device, there's no data transfer to external servers, simplifying GDPR requirements around data processing agreements, international transfers, and third-party processors. You still need proper consent, but you eliminate one major compliance category.

How long can I keep meeting recordings under GDPR?

GDPR's storage limitation principle says you can only keep personal data as long as necessary for your stated purpose. There's no fixed time limit, but you must define and document your retention periods. Many organizations set 90-day or 1-year limits for meeting recordings, with automatic deletion afterward.

What if someone withdraws consent after I've recorded them?

You must honor withdrawal requests. Under Article 17, data subjects can request erasure of their personal data. You'll need to delete the recording or, if technically possible, remove their voice from the file. This is easier with local tools where you have full control over the files.

Record Meetings Without Compliance Worries

LocalMeetNotes processes everything locally on your Mac using Whisper large-v3 and Llama 3.2. No cloud uploads. No third-party processors. No subscription fees. Just powerful, private meeting transcription.
