AI transcription is colliding with decades-old anti-wiretapping statutes. Two matters now shape the risk landscape: Brewer v. Otter.ai and Ambriz v. Google. This explainer unpacks how plaintiffs are using the Electronic Communications Privacy Act (ECPA) and the California Invasion of Privacy Act (CIPA) against modern voice tools and what product, legal, and compliance teams should do next. The short and easy answer is to use the Captain Compliance software to avoid these legal headaches, but a deeper explanation is below.

Why Anti-Wiretapping Laws Are Back In Focus
Class actions have become a preferred vehicle for privacy enforcement because alleged harms are diffuse and small at an individual level. Plaintiffs’ firms are adapting ECPA and CIPA to today’s AI-enabled recording, transcription, and analytics capabilities, arguing that vendors can be unauthorized third parties when they capture or reuse conversational data.
ECPA and CIPA: A Short Primer
ECPA
ECPA section 2511(a) prohibits intentional interception of wire, oral, or electronic communications using a device. There is a one-party consent exception, but it does not apply if the interception is for the purpose of committing a criminal or tortious act, such as intrusion upon seclusion or conversion.
CIPA
CIPA is stricter on consent, often requiring consent of all parties for recording or eavesdropping, and it targets interception in transit as well as confidential communications. Recent cases also examine whether a technology vendor counts as an unauthorized third party and whether real-time analysis makes the vendor the statutory actor.
Brewer v. Otter.ai: The One-Party Consent Defense Meets Tort Allegations
In Brewer v. Otter.ai, the plaintiff alleges Otter’s meeting bot joined a virtual meeting, captured the conversation without his consent, and transmitted data to Otter to transcribe and to improve its speech recognition and machine-learning models. The complaint pleads violations of ECPA and CIPA, plus intrusion upon seclusion, conversion, and other claims.
The theory attempts to neutralize ECPA’s one-party consent exception by asserting the interception was for tortious purposes, namely using private conversational data to train models and derive commercial benefit. If accepted, that would defeat the exception under section 2511(2)(d). The complaint also characterizes the bot as a device and Otter as a non-party interceptor, underscoring that non-subscribing participants allegedly did not receive notice or have an opportunity to consent.
On the CIPA side, Brewer invokes sections 631 (interception in transit) and 632 (eavesdropping on confidential communications) and argues that Otter is a distinct legal person acting as a third party, not merely a passive tool of the meeting host. The pleading also raises deidentification concerns, questioning whether training on “deidentified” audio actually avoids privacy impact. The merits have not yet been adjudicated, but deadlines to respond were extended into November 2025.
Ambriz v. Google: Capability As A Path To Third-Party Status Under CIPA
In Ambriz v. Google, the U.S. District Court for the Northern District of California denied Google’s motion to dismiss, holding the plaintiffs adequately alleged Google acted as an unauthorized third party to calls under CIPA. Plaintiffs said they phoned businesses like Verizon and Home Depot whose contact centers used Google Cloud Contact Center AI, which generated transcripts and smart replies. They alleged callers were not informed and did not consent to Google’s transcription and analysis.
The court emphasized two points. First, for CIPA section 631(a) claims based on the first and second clauses, the court found the capability test more appropriate than the extension test: alleging the vendor had the capability to use intercepted data for its own purposes could suffice, even absent proof of actual use. Second, the court treated Google as the statutory actor doing real-time recording and reading in transit, and it rejected arguments that smartphone calls fell outside CIPA’s scope.
The court also allowed claims tied to section 637.5 to proceed, reasoning that Verizon qualified as a cable or satellite television provider and that subscriber information could be implicated during customer-service calls placed from a residence. Google’s answer preserved defenses including consent and necessity and disputed privacy interests and standing.
Key Legal Questions Emerging From These Cases
Who Counts As A Third Party
Under CIPA, courts are scrutinizing whether an AI vendor is a distinct entity with the capability to exploit call data for its own purposes. Ambriz suggests capability alone can be enough at the pleading stage for certain section 631(a) theories. That lowers the bar for plaintiffs to survive dismissal and forces vendors to address contract terms, product architecture, and disclosures up front.
What Qualifies As Interception In Transit
Real-time transcription and analysis can make the vendor the statutory “person” performing the prohibited act while communications are in transit. That characterization can expand exposure beyond hosts and carriers to include software and cloud providers participating in the signal path.
How ECPA’s One-Party Consent Exception Can Fail
If plaintiffs plausibly allege the interception furthers a tort, the one-party consent exception may be unavailable. Brewer’s complaint uses the alleged training and commercialization of captured audio to support intrusion upon seclusion and conversion, aiming to defeat ECPA’s safe harbor.
Deidentification And Model Training
Brewer highlights the unsettled line between deidentified and identifiable data for model training. Even when notices assert deidentification, regulators and courts may question techniques like hashing or aggregation if there remains a non-zero risk of reidentification or if training materially benefits the vendor in ways not disclosed to participants.
Practical Implications For Product, Legal, And Compliance Teams
For AI Transcription And Contact Center Vendors
- Assess whether your service touches communications in transit and whether any component performs real-time recording, reading, or analysis that could make your entity the statutory actor.
- Reevaluate consent models. If you rely on one-party consent, examine any downstream use that could be framed as tortious, including model training or product improvement that goes beyond the host’s immediate purpose.
- Harden contracts and technical controls to prohibit vendor reuse absent express, robust consent; log enforcement; and avoid ambiguous terms that imply capability to self-use call data.
- Consider off-by-default training, narrow retention, and clear opt-in pathways for any reuse beyond transcription delivery to the host.
For Enterprises Using These Tools
- Map all recording and transcription touchpoints in contact centers, virtual meeting workflows, and support channels. Identify vendors that can access, store, or process call audio and transcripts.
- Provide conspicuous, timely notice to all participants, including non-account guests. Align notice with actual uses, especially any model-training claims.
- Update vendor agreements to confine processing to your purposes, prohibit vendor training without explicit opt-in, and require downstream deletion and suppression.
- Test flows for consent symmetry and ease of refusal across phone, web, and app. Capture evidence of consent and suppression states in audit-ready logs.
A Concise Readiness Checklist
- Inventory recording, transcription, and real-time analytics functions across channels and vendors.
- Classify which uses occur in transit and who, technically, performs them.
- Align disclosures to actual uses; add explicit language on training and reuse.
- Adopt all-party notice and consent where feasible; implement simple refusal options for non-account participants.
- Amend contracts to restrict vendor reuse and to allocate liability if self-use occurs.
- Shorten retention and implement suppression for training corpora tied to consumer requests.
- Establish audit logging for consent events, vendor access, and training toggles.
- Monitor evolving precedent on capability versus extension tests and on smartphone telephony coverage.
Plaintiffs Are In Control
Brewer and Ambriz illustrate how plaintiffs can reach beyond meeting hosts and contact-center brands to target vendors that capture or can self-use conversational data. ECPA’s one-party consent is not a cure-all if plaintiffs plausibly plead a tort purpose, and CIPA claims may proceed where a vendor’s capability to use data supports third-party status. The safest path is transparent, all-party notice and consent, tight vendor restrictions on reuse, and product designs that avoid undisclosed training on customer conversations.