What is California CIPA?

The California Invasion of Privacy Act (CIPA), codified at Cal Penal Code Sections 630 to 638, is California's two-party (all-party) consent statute. It requires consent from all parties before a confidential communication can be recorded or intercepted. Violations carry both criminal penalties (up to one year imprisonment under Section 631(a) and 632(a)) and civil damages (Section 637.2 provides for $5,000 per violation or three times actual damages, whichever is greater).

Does CIPA apply to AI call recording?

Yes. CIPA was written before AI but the language about recording confidential communications without consent applies equally to AI-driven recording (Fathom, Fireflies, Otter, Gong, Chorus, Avoma) as to traditional cassette or digital recording. Plaintiffs have been actively pursuing CIPA class actions against AI-meeting-tool vendors and against the customers who deploy them on calls with California-resident prospects.

What is the Ambriz v. Google case?

Ambriz et al. v. Google LLC is an active California class action arguing that Google Meet's AI features that listen to calls constitute interception under CIPA Section 631 even when no traditional recording is created. The theory extends CIPA exposure from recording vendors to any AI listener processing call audio. Filed in 2024, ongoing in 2025-2026 federal court. The legal theory has not yet been resolved on the merits but has driven settlement of related cases and is the most-cited current AI-call interception theory.

Is a 'this call may be recorded' notice enough under CIPA?

The minimum compliant notice is debated, but the conservative reading is that 'this call may be recorded' is insufficient if AI is also processing the call audio. The Ambriz-theory-safer disclosure is 'this call is handled by an AI assistant and may be recorded; if you do not consent, please disconnect now or request a human agent.' Plaintiffs' bar has aggressively pursued cases where the AI processing component was not explicitly disclosed.

Does CIPA apply if I am calling from outside California?

Yes. California courts have applied CIPA to inbound calls into California regardless of the caller's location. The conservative compliance posture is: any call where any participant is a California resident or located in California falls under CIPA. For inside sales teams calling California prospects, this means CIPA compliance applies to most of the prospect pool regardless of where the SDR is located.

What are the CIPA penalties for AI sales-call violations?

Civil penalties under Section 637.2 are $5,000 per violation or three times actual damages, whichever is greater. Each individual recorded call can constitute a separate violation. Class actions in this space have settled at $5 million to $50 million depending on call volume. Criminal penalties under Sections 631-632 reach up to one year imprisonment though prosecution is rare. The civil-damages plaintiffs' bar drives the actual enforcement risk.

California CIPA and AI Sales Calls: The 2026 Operator Guide

California is the highest-risk jurisdiction in the US for AI call recording and AI listening. CIPA (Cal Penal Code 631-632) requires all-party consent, and the active Ambriz v. Google interception theory extends exposure to AI listeners that do not even record. Here is what sales teams need to know.

Last verified May 2026. This page is informational only; consult qualified California counsel for your specific deployment.

Disclaimer: This is editorial coverage of California CIPA. It is not legal advice. Statutes, case law, and enforcement positions change. Always confirm current compliance posture with qualified counsel licensed in California before deploying AI on calls with California residents.

§The CIPA Statute in Plain English

The California Invasion of Privacy Act sits at Cal Penal Code Sections 630 to 638. The two sections that drive AI call-recording risk are:

Section 631: Wiretapping (interception of communications)

Prohibits intentional intercept, eavesdrop, or wilful disclosure of confidential communications without consent of all parties. The Ambriz theory leans on this section to argue that AI processing of call audio constitutes interception regardless of whether traditional recording occurs.

Section 632: Recording of confidential communications

Prohibits recording of confidential communications without consent of all parties. This is the section that catches Fathom, Fireflies, Otter, Gong, Chorus, and Avoma if call recording happens without disclosure to all participants. The conservative reading is that all participants must affirmatively consent or have constructive notice; mere participation is not consent.

Section 637.2 provides the private right of action: $5,000 per violation or three times actual damages. This is the section that funds the plaintiffs' bar class actions and drives the bulk of enforcement risk. Section 638 covers unauthorised connection to telephone lines but is less commonly invoked in AI-call cases.

§The Ambriz v. Google Interception Theory

Ambriz et al. v. Google LLC, filed in 2024 in the Northern District of California, alleges that Google Meet's AI summary, transcription, and caption features constitute interception of confidential communications under CIPA Section 631 even when no traditional recording is created. The theory is novel and consequential.

Traditional CIPA interpretation focused on recording (the physical or digital capture of audio for replay). The Ambriz theory argues that any AI system that listens to call audio for processing, whether or not the audio is persisted, intercepts the communication and triggers CIPA Section 631. If accepted by courts, this expands CIPA exposure from recording-tool vendors to any AI-listener vendor including Microsoft Teams Copilot, Zoom AI Companion, Webex Audio Intelligence, plus all sales-side vendors (Gong, Chorus, Clari Copilot, Avoma, Fathom, Fireflies).

As of May 2026 the Ambriz case has not been decided on the merits. Settlements in adjacent cases (Williams v. DDR Media, Calhoun v. Cookies SF) signal that defendants are taking the theory seriously and settling rather than litigating to final judgment. The conservative compliance posture for AI sales tools is to operate as if the Ambriz theory will prevail.

§Compliance Posture Recommendations

Based on the conservative reading of CIPA plus the Ambriz theory, sales teams calling California prospects with AI-equipped tools should adopt the following posture. None of this is legal advice; confirm with qualified counsel.

1. Explicit AI disclosure in the call opener

Replace "this call may be recorded" with "this call is handled by an AI assistant and may be recorded; if you do not consent, please disconnect now or ask for a human agent." The explicit AI mention plus the disconnect/opt-out option is the conservative compliant posture.

2. Affirmative consent capture for outbound voice AI

For outbound AI voice calls (Vapi, Retell, Bland, Synthflow deployed for outbound), prior express written consent is required not just for CIPA but for TCPA per FCC Ruling 24-17. The CIPA layer adds requirement that the consent specifically mention AI processing, not just recording.

3. Geographic-routing detection at call setup

Detect California area codes (and resident self-disclosure during the call) at call setup. Apply the explicit AI disclosure plus opt-out for any call where any party is California. Some teams apply the disclosure universally to avoid the per-call routing complexity; this is the safest posture.

4. AI processing of recording must be disclosed even when call is recorded with consent

Consent to recording is not automatically consent to AI processing of the recording under the Ambriz theory. Disclose AI processing of stored recordings (call summaries, AI scorecards, AI search) in privacy notices and in the recording disclosure itself.

5. Audit trail of consent capture

Maintain a verifiable audit trail of consent (recording of the disclosure plus consent acknowledgement, timestamped, retained for the statute-of-limitations period plus margin, typically 4 years from call). The audit trail is the primary defence against a CIPA class action alleging that consent was not obtained.

§Vendor Posture on CIPA

Major AI sales-tool vendors have varying postures on CIPA disclosure. None of these vendors will guarantee CIPA compliance for the customer; the operator carries the compliance burden. The vendor posture is about what features are available to support compliance.

Vendor	Auto-disclosure feature	CIPA-specific notes
Gong	Yes (configurable per-org)	Customisable opening disclosure; consent log available
Chorus by ZoomInfo	Yes (default opt-in)	Standard disclosure; consent log via ZoomInfo admin
Clari Copilot	Yes (configurable)	Manual configuration of California-specific notice; consent log available
Avoma	Yes (default)	Standard call-start disclosure; consent capture optional add-on
Fathom	Yes (default)	Mandatory bot announcement at meeting join; consent log via account
Fireflies	Yes (default)	Bot announcement at join; consent log via account
Otter.ai	Yes (default)	Bot announcement; consent log via account
Vapi	Operator configures	Disclosure must be implemented in the agent's opening script
Retell AI	Operator configures	Disclosure must be implemented in the agent's opening script
Bland AI	Operator configures + templates	Disclosure templates available but operator implements

§The B2B Call Exception (And Why It Does Not Save You)

A common misconception in sales: "CIPA only applies to consumers; B2B sales calls are exempt." This is not correct. CIPA applies to all confidential communications, not just B2C. The relevant distinction is whether the communication is confidential, not whether the parties are individual consumers or business representatives.

California courts have repeatedly held that a typical business sales call (where the prospect would have a reasonable expectation that the conversation is not being broadcast or recorded) is confidential under CIPA. The fact that both parties are at work, calling business numbers, with business email addresses, does not strip the call of confidential status.

Some California courts have carved out narrower exceptions for calls where the prospect has clear notice that recording is happening (an inbound customer service line with prominent IVR disclosure, for example). These exceptions do not extend to outbound sales calls where the AE initiates contact without prior disclosure.

§Settlement and Litigation Reference

Several CIPA settlements in the last 24 months have established the financial weight of the risk:

+ Calhoun v. Cookies SF (2023): $9.75 million class settlement over website session-replay CIPA claims. While not an AI-call case directly, established the financial template for CIPA class action damages.
+ Williams v. DDR Media (2024): $7.5 million settlement involving session replay and AI-adjacent listener technology. Cited by Ambriz plaintiffs as analogue.
+ Salesloft v. State of California (regulatory, 2024): California AG inquiry into sales call recording practices; not a class action but established regulatory interest in the category.
+ Ambriz v. Google (ongoing, filed 2024): The current bellwether case for AI-listener-as-interception theory.

None of these cases have produced a clear judicial determination on AI-listener-as-interception in the sales-call context. Sales teams should assume the most plaintiff-favourable reading until a higher court resolves the theory.

§FAQ

I'm an SDR in New York calling California prospects. Does CIPA apply to me?

Yes. California courts apply CIPA to calls where any participant is in California, regardless of where the SDR is physically located. The conservative posture is that any call with a California prospect is a CIPA call.

Can I rely on the disclosure my CRM or sequencer adds automatically?

Be careful. Standard 'this call may be recorded' disclosures from sequencers may not be CIPA-compliant under the Ambriz theory because they do not mention AI processing specifically. Confirm the disclosure language with counsel and customise per your AI tool stack.

Does Zoom's built-in 'this meeting is being recorded' announcement count?

It establishes notice of recording but does not necessarily establish consent. The Ambriz theory also questions whether notice of recording covers AI processing of the recording. The conservative posture is to add explicit verbal disclosure plus opt-out in addition to Zoom's default announcement.

What about CIPA exceptions for emergency or law-enforcement calls?

CIPA Section 633 exempts certain government and law-enforcement activities. These exceptions do not apply to private sales calls. There is no equivalent exception for commercial sales activity in CIPA.

If a California prospect explicitly says they consent to AI on the call, am I safe?

Verbal consent during the call, captured on the recording, is the cleanest defence. Whether it is fully sufficient depends on whether the consent is informed (the prospect understood AI was involved and what AI was doing). Best practice: explicit AI disclosure, then explicit verbal confirmation, captured on the recording and logged in your consent audit trail.

What is the statute of limitations on CIPA claims?

CIPA Section 637.2 claims generally have a 1-year statute of limitations from the date of the alleged violation. Class actions can extend this through tolling doctrines. Retain consent audit trails for at least 4 years to cover statute plus tolling margin and to support defence in class certification.

Full legal guide (TCPA + CIPA + GDPR) →TCPA + AI voice →GDPR + AI calls →HIPAA + AI sales calls →