CIPA § 632.7 and Mobile Communications

What CIPA § 632.7 actually covers

When most businesses think about CIPA liability, they think about website tracking — Meta Pixel firing before consent, session replay tools capturing keystrokes, chat widgets routing messages through third-party servers. That is where the litigation volume is concentrated, and it is the attack surface most compliance programs are built around.

Section 632.7 of CIPA targets a different and growing attack surface: the recording of communications transmitted to or from a cellular phone without the consent of all parties. As brands deploy SMS marketing platforms, AI-powered phone agents, cloud contact center tools, and automated customer service systems that handle calls from California residents, the § 632.7 exposure is growing — quietly, without the visibility of the website tracking litigation wave, but with the same $5,000-per-violation statutory damages and the same all-party consent requirement.

This post explains what § 632.7 covers, how it differs from § 631(a) wiretapping and § 632 eavesdropping, what the 2025 cases on AI phone agents established, and what businesses with California customers need to audit in their mobile and telephony stack.

Section 632.7 was added to CIPA specifically to address cellular and cordless phone communications — a technology that did not exist when the 1967 statute was written. The provision prohibits the intentional recording of a communication transmitted between any of the following without the consent of all parties: two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone.

The practical scope: any phone call made to or from a mobile phone where one or both parties are in California is potentially within § 632.7's reach. A California customer calling your customer service line from their iPhone. A California resident receiving an outbound call from your sales or collections team. An automated SMS conversation that involves the recording or storage of the California customer's responses. All of these are potentially within the provision.

§ 632.7 is distinct from § 631(a) and § 632 in one critical respect: the California Supreme Court has clarified that § 632.7 applies not only to third-party eavesdroppers but also to participants in the communication. Under § 631(a), the party exception means a website operator cannot eavesdrop on its own communications with visitors. Under § 632.7, a party to a cellular phone communication can be liable for recording it without the consent of all parties. This means your business — as a party to the call — can be liable under § 632.7 for recording a call with a California customer without providing adequate prior notice and obtaining consent.

The consent requirement under § 632.7 is the same all-party consent standard that runs through the rest of CIPA. The California Supreme Court in Smith v. LoanMe, Inc. (2021) confirmed that § 632.7's prohibition applies to all parties to the communication. Recording a call without notifying the California party and obtaining their consent violates the provision regardless of whether you are the business that initiated the call or the business that received it.

The four mobile and telephony deployments that create § 632.7 exposure

1. SMS marketing platforms with conversation logging

Two-way SMS marketing platforms — platforms that send promotional messages and allow California recipients to respond — create § 632.7 exposure when the platform logs or stores the content of the recipient's replies. The recipient's response is a communication from a cellular phone. If that response is recorded by the platform vendor's infrastructure without the recipient's consent to the recording, the three-party structure that § 632.7 addresses is present.

One-way SMS blasts — messages sent without expecting replies — have a lower § 632.7 risk profile because there is no recording of a cellular communication. Two-way conversational SMS platforms, automated SMS flows that capture responses for CRM population, and SMS customer service tools that archive message threads are the configurations that warrant § 632.7 analysis.

The § 632.7 consent mechanism for SMS: a clear disclosure in the initial message that responses may be recorded, with an opt-out mechanism. For marketing SMS flows, TCPA consent for commercial messaging and § 632.7 consent for recording are separate obligations that must both be satisfied.

2. AI phone agents and virtual assistants

AI-powered phone agents that handle inbound customer service calls, drive-thru orders, or outbound sales calls create the most acute § 632.7 exposure. The call is a communication transmitted from a cellular telephone. The AI system records, transcribes, and in many cases uses the communication to train its models or improve its product. If the California caller did not consent to that recording — and specifically did not consent to the involvement of a third-party AI vendor in the call — the § 632.7 and § 632 exposure is significant.

Taylor v. ConverseNow Technologies (N.D. Cal. Aug. 2025) is the clearest articulation of this risk. A California customer called a Domino's Pizza location. Her call was redirected to ConverseNow's AI assistant without her knowledge. She provided her name, address, and credit card number — personally identifiable and financial information that she had a reasonable expectation would be confined to her and Domino's. The court found she had adequately alleged a § 632 confidential communication claim — rejecting ConverseNow's argument that a pizza order was not confidential — and allowed the claim to proceed.

For any business using an AI phone agent: the caller must know, before the call begins, that they are communicating with an AI system operated by a third-party vendor, and they must have consented to that recording. A generic "this call may be recorded for quality assurance" notice does not constitute consent to a third-party AI vendor's recording of the call and potential use of that recording for AI model training.

3. Cloud contact center platforms with AI transcription

Ambriz v. Google LLC (N.D. Cal. Feb. 2025) directly addresses cloud contact center AI. Plaintiffs alleged that Google's Cloud Contact Center AI — which transcribes calls, provides smart replies, and assists human agents in real time — constituted an unauthorized third-party eavesdropper under CIPA. The court denied Google's motion to dismiss, applying the capability test: Google's CCAI system had the capability to use the transcribed call data for its own purposes, including AI model improvement, regardless of whether Google actually used it that way. Capability alone, without proof of actual independent use, was sufficient to survive dismissal.

The cloud contact center liability pattern applies broadly. Any platform that transcribes or analyzes customer calls in real time — regardless of whether the primary purpose is to assist your agents — creates § 632.7 and § 632 exposure if the platform vendor has the capability to use that data independently. The vendor DPA must specifically address and restrict that independent use capability, not merely describe the vendor as a processor.

4. Meeting transcription and AI note-taking tools

Brewer v. Otter.ai is an emerging case involving Otter's OtterPilot product, which joins virtual meetings as a participant and transcribes the conversation for account holders. When a California participant in a virtual meeting has not consented to Otter's presence, the recording of their voice constitutes an interception of their communication in transit. The case names not just Otter but the class of account holders who deployed OtterPilot in meetings without notifying other participants.

This pattern extends to any AI meeting tool that records participants who have not been informed of and consented to the recording: Fireflies.ai, Gong, Chorus, and similar platforms all carry this exposure when deployed in calls or meetings involving California participants who did not consent. The § 632 confidential communication analysis applies: was the California participant in circumstances indicating a reasonable expectation that the conversation would be confined to the parties present?

The capability test and what it means for your vendor contracts

The most significant legal development in the § 632.7 and cloud telephony context is the emergence of the capability test as the dominant standard in federal courts. The capability test holds that a third-party vendor is an unauthorized interceptor under CIPA whenever it has the technical capability to use the communication data for its own purposes — regardless of whether it actually does so.

Ambriz v. Google established this standard for cloud contact center AI. Taylor v. ConverseNow applied it to AI phone agents. The pattern across both cases is consistent: the question is not what the vendor contractually promises to do with the data, and not what the vendor actually does with the data. The question is whether the vendor's system is technically capable of using the data for the vendor's own purposes. If it is, the vendor is a third party under CIPA, not an extension of your business.

For vendor contract purposes, this creates a higher bar than most DPAs are currently written to satisfy. A DPA that describes the vendor as a data processor and prohibits independent data use is a contractual restriction. It does not eliminate the technical capability. Courts applying the capability test are not asking whether the contract prohibits independent use. They are asking whether the technology is capable of it.

The practical implication: for any phone, SMS, or meeting transcription tool you deploy that touches California customers, the DPA must be supplemented by technical verification. What data does the vendor's system actually retain? Does the retention architecture permit the vendor to access transcripts or recordings independently of your data export? Does the vendor's AI model training pipeline receive any data from your customer interactions? These questions require answers from your vendor's engineering team, not just your vendor's legal team.

The § 632.7 consent mechanism: what it requires and what it doesn't

CIPA's all-party consent requirement for § 632.7 means that every party to a cellular phone communication must consent to its recording — including the California customer on the other end of the line. This is a more demanding standard than the federal one-party consent rule under the Electronic Communications Privacy Act, which permits recording when one party consents.

What satisfies § 632.7 consent: an explicit notification, received by the California party before the recording begins, that the call will be recorded, by whom, and for what purposes. For AI phone agents, the notification must specifically disclose that the call will be handled by an AI system and that the AI vendor's infrastructure will record and process the call. For SMS platforms, the notification must disclose that responses will be logged and retained by the platform vendor.

What does not satisfy § 632.7 consent: generic "this call may be recorded" notices that do not identify the recording party or the purpose. Consent buried in website terms of service that a caller never saw. Implied consent from the act of placing a call. Retroactive consent obtained after the call has begun and after the recording has started. The California Supreme Court in Smith v. LoanMe confirmed that the call recording must be consented to by all parties before it begins — not inferred from behavior or implied from a prior relationship.

For outbound calls and SMS: the consent mechanism must be affirmative and specific. A California recipient of a marketing SMS must be informed that their responses will be logged. A California recipient of an outbound call must be notified at the call's outset if the call will be recorded and if an AI system will process the call.

The "this call may be recorded for quality assurance" standard varies in the Ninth Circuit, but the trend in cases applying § 632.7 to AI-enhanced calls is clear: courts are scrutinizing whether the caller was actually informed of the third-party vendor's involvement, not just whether a generic recording notice was provided. The disclosure must match the reality of who is recording and for what purpose.

How § 632.7 interacts with your existing CIPA compliance program

If you have a consent management platform correctly configured for CIPA § 631(a) compliance on your website, that configuration does not cover § 632.7 exposure. The mechanisms are different. Website consent architecture gates tag execution behind a banner interaction. Telephony consent requires verbal disclosure at the outset of a call or written disclosure at the initiation of an SMS conversation.

The two compliance programs must run in parallel. A business with exemplary website consent architecture that routes California customer service calls through an AI phone agent with no disclosure of the AI vendor's presence has a gap. The website is compliant. The phone channel is not.

The compliance audit for § 632.7 covers a different technology inventory than the website audit: inbound customer service phone system, outbound call platforms, SMS marketing and customer service tools, CRM integrations that log call transcripts or SMS content, AI phone agents and voice assistants, cloud contact center platforms, meeting transcription tools used in California-facing sales or support calls.

For each tool in this inventory, the audit asks three questions. Does this tool record or transcribe calls or messages involving California parties? Does the vendor's system have the technical capability to use that data independently? And is there a documented consent mechanism that notifies California parties of the recording and the vendor's involvement before the recording begins?

The compliance bottom line for mobile and telephony

CIPA § 632.7 is not a niche provision with limited practical scope. It is the provision that applies every time a California customer makes or receives a phone call to or from your business — and every time they respond to an SMS marketing message on their mobile phone. As brands deploy AI phone agents to handle order intake and customer service, cloud contact center platforms with AI transcription to improve agent performance, and SMS marketing platforms with two-way conversation logging, the § 632.7 exposure is growing in direct proportion to the adoption of these tools.

The 2025 cases on AI phone agents — Taylor v. ConverseNow, Ambriz v. Google CCAI — establish that the capability test applies to telephony the same way it applies to website tools. A vendor's technical capability to use call data independently, without proof of actual use, is sufficient to classify the vendor as a third-party interceptor. Vendor DPAs that prohibit independent use are contractual, not technical, restrictions and may not defeat the capability test.

The compliance program for § 632.7 is parallel to, not the same as, the website consent architecture that addresses § 631(a). Both are required for businesses with California customers who interact through both channels. The CIPA compliance checklist covers both the website tracking and the telephony/SMS audit in a single compliance review.