Federal Recording Laws: ECPA, SCA, and CIPA Explained

Federal recording law is not one statute. It has three layers: the federal Wiretap Act sets a one-party consent floor for live conversations, the Stored Communications Act governs data already in storage, and state laws like California's CIPA can require more consent than the federal floor for in-state recordings.
Information last verified on 2026-07-08. This article has not yet been reviewed by a licensed lawyer.
Jurisdiction scope: This hub addresses US federal electronic-surveillance and recording law: the federal Wiretap Act / ECPA Title I (18 U.S.C. §§ 2510-2523), the Stored Communications Act / ECPA Title II (18 U.S.C. §§ 2701-2713), and California's Invasion of Privacy Act (Cal. Penal Code § 630 et seq.) as the leading example of a stricter state statute layered on top of the federal floor. It does not re-derive the Wiretap Act's one-party consent analysis in depth; for that, see the Federal Wiretap Act and ECPA: The Complete Guide. It does not cover all 50 states' consent statutes; for those, see US recording laws by state.
The three layers of federal recording law
When someone asks whether a recording is legal, the honest answer is "which law are you asking about." US recording and electronic-surveillance law is built from three distinct layers, each with its own trigger, its own exceptions, and its own damages scheme. The Wiretap Act governs communications intercepted while they are happening, in real time. The Stored Communications Act governs communications that already exist somewhere, an inbox, a cloud drive, a voicemail box, and someone accessing them without authorization. State law sits on top of both and can require more consent than the federal floor, though it cannot require less. A single business practice, an AI notetaker joining a Zoom call, for example, can implicate all three layers at once: the live audio capture is a Wiretap Act question, the indefinite retention of the transcript is a Stored Communications Act question, and whether every California participant consented is a CIPA question. Understanding which layer governs which fact is the starting point for any recording-law analysis.
These three layers did not arrive at once. The original Wiretap Act was Title III of the Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. 90-351, aimed squarely at telephone wiretapping. The Electronic Communications Privacy Act of 1986, Pub. L. 99-508, rebuilt that framework for a world with email, pagers, and computer networks, splitting it into the three titles this hub organizes around: Title I amended and modernized the Wiretap Act, Title II created the Stored Communications Act from scratch, and Title III added the pen register and trap-and-trace rules. State legislatures, meanwhile, had been regulating recording and eavesdropping since well before 1968, and the federal statute expressly preserves their authority to go further. That layering, federal floor plus optional stricter state ceiling, is why a recording that is perfectly legal under the Wiretap Act can still expose the person who made it to liability under a state statute like CIPA.
Layer one: the Wiretap Act and ECPA's one-party consent baseline
The federal Wiretap Act, 18 U.S.C. § 2511(2)(d) (Title I of the Electronic Communications Privacy Act of 1986, Pub. L. 99-508), permits a participant in a phone call, an in-person conversation, or a video call to record it without telling the other participants, unless the recording is carried out for the purpose of committing a crime or a tort. That one-party consent floor, its exceptions, the criminal penalties (up to five years under 18 U.S.C. § 2511(4)(a)), and the civil damages scheme (a $10,000 per-violation floor under 18 U.S.C. § 2520) are covered in full in Federal Wiretap Act and ECPA: The Complete Guide (2026), which also explains the constitutional Katz backdrop and the Title III law-enforcement super-warrant procedure. For a plain-English definition of the ECPA itself and how its three titles fit together, see What Is the ECPA? What matters for this hub is narrower: the Wiretap Act is only one of three layers, and it governs live, real-time interception and nothing else.
Layer two: the Stored Communications Act governs data at rest
The Stored Communications Act, 18 U.S.C. §§ 2701-2713 (ECPA Title II), makes it a federal offense to intentionally access a facility through which an electronic communication service is provided and thereby obtain, alter, or block authorized access to a communication in electronic storage, without authorization (18 U.S.C. § 2701(a)). The dividing line from the Wiretap Act is timing, not content: the Wiretap Act covers communications caught in transit; the SCA covers communications that already came to rest in storage, an email sitting in an inbox, a voicemail, a backed-up text thread, a cloud file. The SCA also sets the framework government investigators must follow to compel a provider to hand over stored content or records, a framework the Supreme Court narrowed in Carpenter v. United States, 585 U.S. 296 (2018). Because this distinction is the single most common point of confusion in recording law, we cover it in full depth in Stored Communications Act Explained.
The SCA matters to more people than the criminal-hacking scenario suggests. It governs an employer reading a former employee's work email archive without a documented policy, a service provider deciding whether it may hand a customer's messages to a marketing partner, and a government prosecutor deciding whether a subpoena is enough or a warrant is required to obtain a suspect's cloud-stored photos. Because the SCA's rules change depending on what kind of data is at issue and how old it is, and because a landmark Sixth Circuit decision effectively rewrote part of the statute's practical application without changing its text, this is not an area where a general summary substitutes for the full treatment.
Layer three: state law can require more than one-party consent
The Wiretap Act's one-party consent rule is a floor, not a ceiling. Congress did not intend the Wiretap Act to preempt more protective state legislation, and roughly 12 states have done exactly that: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Oregon, Pennsylvania, and Washington. For the full 50-state breakdown, see US recording laws by state, one-party consent states, and two-party (all-party) consent states. California's version, the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630 et seq., deserves its own treatment inside this federal cluster because it is, by volume of litigation, the most active wiretap-adjacent statute in the country: plaintiffs have extended it well beyond phone calls to website chat widgets, session-replay software, and AI meeting notetakers. See CIPA: California Invasion of Privacy Act Explained for the all-party consent rule, the statutory damages, and the current litigation wave, including the In re Otter.AI Privacy Litigation class action.
It is worth being precise about what "state law" means in this layer, because it is not limited to phone-call consent statutes. CIPA's pen register and trap-and-trace provisions, for example, were written decades ago for physical telephone surveillance equipment, but plaintiffs' firms have argued in recent litigation that the same provisions apply to modern website analytics and tracking code. That theory has produced a genuine split among California courts, and it has become a rapidly growing source of recording-adjacent litigation risk for any business with a California-facing website, well outside the phone-call context most people associate with wiretap law. Any business-facing compliance review of "recording law" that stops at phone calls is incomplete.
Why businesses get this wrong
The most common mistake is treating "recording law" as a single rule to check once and move on. In practice, a business that records customer calls, stores customer communications, and operates a website with chat or analytics tools is simultaneously subject to all three layers, and a compliance step that satisfies one layer does nothing for the other two. Posting a privacy policy, for instance, addresses neither the Wiretap Act's prior-consent requirement for live calls (a policy the caller has not yet seen when the call starts does not create prior consent) nor CIPA's separate all-party consent requirement for California callers. Similarly, restricting who can access a stored email archive addresses Stored Communications Act exposure but says nothing about whether the underlying calls or website interactions were recorded with proper consent in the first place. Each layer needs its own compliance answer.
Comparing the three layers
| Layer | Statute | What it governs | Consent standard | Civil damages floor |
|---|---|---|---|---|
| Wiretap Act (ECPA Title I) | 18 U.S.C. §§ 2510-2523 | Communications intercepted in real time | One-party consent (federal floor) | $10,000 per violation (§ 2520) |
| Stored Communications Act (ECPA Title II) | 18 U.S.C. §§ 2701-2713 | Unauthorized access to communications already in storage | Access-based, not consent-based | $1,000 per violation (§ 2707) |
| CIPA (California, example state law) | Cal. Penal Code § 630 et seq. | Real-time recording, plus website tracking under the pen-register theory | All-party consent | $5,000 per violation (§ 637.2) |
How the three layers interact: an illustrative scenario
Composite scenario for illustration; not a real case or client. A California business records customer support calls, uses an AI notetaker to transcribe internal meetings, and stores three years of customer emails in a cloud archive. Three separate legal questions arise, governed by three separate statutes. Whether the business can record the support call without every customer's advance consent is a CIPA question under Cal. Penal Code § 632, not a federal one, because California is an all-party consent state. Whether an employee at the company can read a coworker's stored email archive without authorization is a Stored Communications Act question under 18 U.S.C. § 2701, regardless of the recording-consent rules that apply to live calls. Whether a government investigator can compel the cloud provider to turn over those stored emails, and under what process, is also a Stored Communications Act question, governed by 18 U.S.C. § 2703 and shaped by Carpenter. None of these three questions is answered by looking at only one statute.
Frequently asked questions
Disclaimer
This hub provides general legal information about federal US recording and electronic-surveillance law, as verified on 2026-07-08. It does not constitute legal advice and does not create an attorney-client relationship. The application of this law depends on specific facts, including the jurisdiction where a recording or access occurs and the nature of the communication involved. Readers should consult a lawyer licensed in their jurisdiction before recording a conversation or accessing stored communications.
Related articles
- Federal Wiretap Act and ECPA: The Complete Guide (2026)
- What Is the ECPA?
- Stored Communications Act Explained
- CIPA: California Invasion of Privacy Act Explained
- US recording laws by state: the complete 50-state guide
- One-party consent states: full list and rules
- Two-party (all-party) consent states: full list and rules
Last updated: 2026-07-08. Statutes cited reflect their in-force version as of 2026-07-08.
Frequently Asked Questions
What is the difference between the Wiretap Act and the Stored Communications Act?
The Wiretap Act, 18 U.S.C. 2510-2523, covers communications intercepted while they are being transmitted, in transit. The Stored Communications Act, 18 U.S.C. 2701-2713, covers communications that already came to rest in storage, such as email sitting in an inbox or files in cloud storage. Accessing a live phone call is a Wiretap Act issue. Reading someone's stored emails without authorization is a Stored Communications Act issue.
Does federal law let me record a phone call without telling the other person?
Yes, as a floor. Under 18 U.S.C. 2511(2)(d), a participant in a call may record it without informing the other party, unless the purpose is to commit a crime or a tort. But roughly 12 states, including California, require the consent of every party, which overrides the federal floor for recordings made in those states. See our Federal Wiretap Act and ECPA guide for the full analysis.
What is the ECPA in one sentence?
The Electronic Communications Privacy Act of 1986, Pub. L. 99-508, is the federal law with three titles that together govern intercepting live communications (the Wiretap Act), accessing stored communications (the Stored Communications Act), and installing pen register or trap-and-trace devices.
Is CIPA a federal law?
No. The California Invasion of Privacy Act, Cal. Penal Code 630 et seq., is a California state statute. It sits alongside the federal Wiretap Act rather than replacing it, and it can require more consent (all-party, rather than one-party) than federal law requires for recordings made in California.
Can a website violate a wiretap-type law?
Plaintiffs have argued yes, under CIPA's pen register and trap-and-trace provisions, Cal. Penal Code 638.50-638.51, applying them to chat widgets, session-replay tools, and tracking SDKs. Federal and state courts in California are split on whether that theory holds up. See our CIPA guide for the current case law.
Which law applies if someone reads my old emails without permission?
That is a Stored Communications Act question, 18 U.S.C. 2701, not a Wiretap Act question, because the emails already came to rest in storage rather than being intercepted in transit. See our Stored Communications Act guide for the access framework and civil remedy.
Do all US states follow the federal one-party consent rule?
No. Federal law sets a one-party consent floor under 18 U.S.C. 2511(2)(d), but roughly 12 states require the consent of every party to a conversation before it can be recorded. See our one-party consent states and two-party (all-party) consent states guides for the full state-by-state list.
Sources and References
- 18 U.S.C. § 2510: Wiretap Act definitions (wire, oral, and electronic communication; electronic storage)(uscode.house.gov).gov
- 18 U.S.C. § 2511: Wiretap Act core prohibition and one-party consent exception at § 2511(2)(d)(uscode.house.gov).gov
- 18 U.S.C. § 2520: Wiretap Act civil action; $10,000 minimum statutory damages per violation(uscode.house.gov).gov
- 18 U.S.C. § 2701: Stored Communications Act, unauthorized access to stored communications(uscode.house.gov).gov
- 18 U.S.C. § 2703 via Cornell LII: required disclosure of stored communications and records(law.cornell.edu)
- Cal. Penal Code § 632: California all-party consent for confidential communications(leginfo.legislature.ca.gov).gov
- Cal. Penal Code § 637.2: civil action and statutory damages under CIPA(leginfo.legislature.ca.gov).gov
- Electronic Communications Privacy Act of 1986, Pub. L. 99-508, three-title ECPA structure(congress.gov).gov