    AI Meeting Notetakers: HIPAA, GDPR, and Privacy Compliance in 2026

    Sonomos Research

    The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.

    AI meeting notetakers have become standard infrastructure for distributed teams in 2026. Otter.ai, Fireflies.ai, Grain, Read.ai, Zoom AI Companion, Microsoft Teams Copilot, and a growing list of competitors all promise automatic transcription, meeting summaries, action-item extraction, and searchable archives of every conversation. The productivity case is real. The privacy and compliance case requires careful thought — especially for organisations in healthcare, legal, financial services, and any sector operating under European privacy law.

    This guide addresses the four questions that regulated organisations most often get wrong: consent to record, HIPAA implications, GDPR implications, and the specific risks created by AI notetakers that generic call-recording tools do not.

    What AI notetakers do that regular call recording does not

    Traditional call recording captures audio (and sometimes video). AI notetakers do substantially more:

    • Transcription. The audio is converted to searchable text, making spoken content indexable by the notetaker's systems and any integrated tools.
    • Participant identification. Most notetakers attempt to identify who said what, using voice profiles, calendar integration, or participant name inputs.
    • Summarisation and analysis. AI models generate summaries, action items, sentiment indicators, and topic extractions from the transcript.
    • Integration with CRM, project management, and other systems. Meeting content is often pushed to Salesforce, HubSpot, Notion, or similar platforms, multiplying the locations where the content lives.
    • Searchable archives. The notetaker builds a searchable database of meeting content across the organisation.

    Each of these features creates additional privacy surface area. A recording can be deleted. A summary that has been pushed to a CRM, synthesised into a training dataset, or indexed in a third-party archive is harder to erase.

    Consent to record: the legal floor

    Recording consent is not an AI issue — it is a statutory requirement that predates AI notetakers and has produced substantial litigation.

    In the United States, recording consent laws are state-level and divide into two categories:

    • One-party consent states: A participant can record a call without notifying others. Federal law (18 U.S.C. § 2511) also requires only one-party consent for interstate calls.
    • Two-party (all-party) consent states: All participants must consent before a call may be recorded. California, Florida, Illinois, Maryland, Michigan, Oregon, Pennsylvania, and Washington are the prominent all-party states. Violation can be a criminal offense.

    Otter.ai has faced class-action litigation in California alleging that it joined meetings as a bot without disclosing its recording function to all participants, triggering the California Invasion of Privacy Act (CIPA). Whether or not the specific claims succeed, the litigation reflects real risk: deploying a bot that records without proper all-party disclosure in a two-party state is a statutory violation.

    Fireflies.ai has faced claims under the Illinois Biometric Information Privacy Act (BIPA) relating to its voice-fingerprinting feature (used to attribute statements to specific speakers), which Illinois courts have found can be actionable when biometric identifiers are captured and stored without written consent and a retention policy.

    The practical baseline for US organisations:

    • [ ] Disclose at the start of every recorded meeting that the meeting will be recorded and transcribed by an AI tool. The disclosure itself satisfies one-party consent; when every participant is notified and does not object, it also satisfies two-party (all-party) requirements.
    • [ ] Do not use voice-fingerprinting or biometric speaker identification without reviewing state-specific BIPA/CIPA obligations and obtaining appropriate consent.
    • [ ] For external meetings with participants in unknown locations: default to all-party disclosure standards.

    In the European Union and UK, GDPR and UK GDPR apply to the recording and processing of meeting participants' personal data (voice, name, statements). The recording consent analysis differs from US statute because the GDPR generally does not recognise consent alone as an adequate basis for employment-related processing — employers cannot rely on employees' consent where consent is not freely given. Appropriate bases are typically contract performance, legitimate interest, or legal obligation, each of which requires a balancing test and documentation.

    HIPAA and AI notetakers

    Any meeting that includes protected health information (PHI) — patient names, diagnoses, treatment plans, scheduling details, insurance information — is subject to HIPAA's security and privacy requirements. This covers:

    • Telehealth appointments recorded for clinical documentation purposes.
    • Clinical team meetings that discuss specific patients.
    • Administrative meetings that include patient names or identifiers.
    • Any meeting where a healthcare worker describes a patient's case.

    The BAA requirement. HIPAA requires a Business Associate Agreement (BAA) between a covered entity (or business associate) and any vendor that creates, receives, maintains, or transmits PHI on its behalf. A notetaker that transcribes a meeting containing PHI is a business associate. If no BAA is in place, using the notetaker is a HIPAA violation.

    | Tool | BAA available? | Notes (as of 2026) |
    | --- | --- | --- |
    | Zoom AI Companion | Yes — Zoom offers BAA for Healthcare plans | Requires Zoom for Healthcare subscription |
    | Microsoft Teams (Copilot transcription) | Yes — covered under Microsoft's BAA for healthcare | Requires appropriate M365 SKU |
    | Otter.ai | Yes — OtterPilot for HIPAA with Business/Enterprise plan | BAA available; confirm scope covers AI features |
    | Fireflies.ai | Not publicly offered as of 2026 | Not suitable for meetings with PHI |
    | Grain | Not publicly offered as of 2026 | Not suitable for meetings with PHI |
    | Read.ai | Enterprise tier — verify current BAA availability | Check current documentation |

    The BAA table above reflects the general posture as of mid-2026; always verify with the vendor directly before relying on it for a HIPAA program. Product offerings and BAA availability change.

    Minimum necessary. Even with a BAA, HIPAA's minimum necessary principle applies. Recording every clinical meeting and archiving it indefinitely in a searchable AI database is hard to reconcile with minimum necessary unless there is a documented clinical or administrative purpose that requires it.

    De-identification before AI processing. Some organisations use AI notetakers for administrative meetings but route clinical meeting content through a different, more controlled path. Where AI notetaking is used for clinical meetings, configuring the tool to delete transcripts after a defined retention period and to not integrate with general CRM or productivity systems reduces the PHI footprint.

    GDPR and AI notetakers

    For meetings involving EU data subjects — employees, clients, counterparties, or any natural person located in the EEA — the GDPR applies to the AI notetaker's processing.

    The core GDPR requirements:

    • DPA with the notetaker vendor. If the AI notetaker processes personal data on behalf of your organisation (which it does — it transcribes the words of natural persons, identifies who said what, and stores that content), a Data Processing Addendum under Article 28 is required. Without a DPA, using the notetaker for meetings involving EU personal data is an Article 28 breach.
    • Lawful basis. Legitimate interest is the most common basis for recording business meetings, but requires a documented balancing test. For employee meetings, consent is generally not an appropriate basis because employees' consent cannot be freely given under employment relationships in the GDPR's framework.
    • Transparency. Meeting participants must be informed about the recording, who the recipient is (the notetaker vendor), how long recordings are retained, and their rights. A verbal disclosure at the start of a meeting may satisfy this if it covers the required elements.
    • Data subject rights. Participants can request access to transcripts in which they appear and can request erasure. The controller must be able to honour these requests — which means knowing where every transcript is stored, including any integrations with third-party tools the notetaker has pushed content to.
    • International transfers. Most AI notetaker vendors are US-based. Transfers of meeting transcripts (personal data) from EU controllers to US processors require Standard Contractual Clauses or an equivalent transfer mechanism.
    • DPIA. Systematically recording, transcribing, and AI-summarising all meetings involving EU data subjects is likely to constitute "systematic monitoring of employees" — one of the categories explicitly listed in Article 35(3)(c) as DPIA-triggering. A DPIA should be completed before organisation-wide rollout.

    DPA availability by tool (as of 2026):

    | Tool | GDPR DPA available? |
    | --- | --- |
    | Otter.ai | Yes — Business and Enterprise plans |
    | Fireflies.ai | Not clearly documented for GDPR purposes; verify with vendor |
    | Zoom AI Companion | Yes — covered by Zoom's standard DPA for commercial accounts |
    | Microsoft Teams Copilot | Yes — Microsoft Online Services DPA |
    | Grain | Not clearly documented; verify |
    | Read.ai | Enterprise tier — verify current state |

    As with the HIPAA table, verify directly with the vendor. These are general assessments, not legal opinions.

    The specific privacy risks of AI notetakers

    Beyond consent and regulatory compliance, AI notetakers create privacy risks that are different in kind from passive recording:

    1. Verbatim transcripts of privileged conversations. Attorney-client privileged discussions, healthcare consultations, M&A negotiations, and whistleblower reports all typically occur in meetings. If those meetings are being transcribed and stored in a third-party AI platform, the privileged or confidential content is now in a third-party system, potentially with retention settings beyond the organisation's control.

    2. The integration proliferation problem. AI notetakers push summaries and action items to Slack, email, CRM, and project management tools. A single meeting involving a client's personal data may generate seven downstream records across seven different systems. Data subject erasure requests become very difficult to honour when the personal data has propagated this broadly.

    3. Indefinite searchable archives. The default retention setting in many AI notetaker tools is indefinite — the tool builds a persistent, searchable database of all recorded meetings. For regulated organisations, this creates discovery and litigation-hold obligations for an archive that may not have been intended as a business record.

    4. Participant identification across meetings. Some tools build voice profiles that link statements across different meetings over time. This is a form of biometric processing under both GDPR and state BIPA laws, with its own consent and retention requirements.

    5. Training data questions. Review the vendor's terms for whether meeting transcripts may be used to train or improve AI models. Consumer tiers of some tools have used content for model improvement. Enterprise tiers typically exclude this, but the terms require verification.

    A practical compliance checklist for AI notetakers

    Before deployment:

    • [ ] Identify which meetings will be recorded (all? only certain types?) and which will be excluded (clinical consultations? legal calls? M&A discussions?).
    • [ ] Select a tool with BAA coverage (for HIPAA workloads) and GDPR DPA coverage (for EU personal data).
    • [ ] Sign the BAA and DPA before first use.
    • [ ] Complete a DPIA if the deployment involves systematic monitoring of EU data subjects (almost always required for organisation-wide rollout).
    • [ ] Review the tool's data retention defaults and configure them to match your retention policy rather than the vendor's default.
    • [ ] Review and restrict integrations — disable push to CRM, project management, and other tools unless there is a documented business purpose and the integration is covered by appropriate data-sharing agreements.

    For each meeting:

    • [ ] Disclose at the start that the meeting is being recorded and transcribed by an AI tool, naming the tool.
    • [ ] In two-party consent states, obtain affirmative confirmation from all participants before starting the recording.
    • [ ] In meetings with EU data subjects, provide the Article 13 transparency disclosures (can be done by reference to a linked privacy notice if the notice is current).
    • [ ] For meetings involving PHI: confirm the tool operates under your BAA for this meeting type.
    • [ ] Exclude highly sensitive meetings (privilege, M&A, clinical consultations beyond the scope of the BAA) from AI notetaking unless specifically appropriate.

    Ongoing:

    • [ ] Establish a process for honouring data subject access and erasure requests against meeting transcripts.
    • [ ] Review vendor terms annually for changes to training-data use, retention defaults, and integration partners.
    • [ ] Add the notetaker vendor to your vendor risk management program, including annual SOC 2 report review.
    • [ ] Maintain litigation-hold procedures that cover meeting transcripts in addition to email and documents.
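    The integration proliferation problem (risk 2), the indefinite-archive default (risk 3), and the erasure and retention items in the checklist above all reduce to one operational requirement: knowing where every copy of a transcript lives. As an added illustration, not part of this post or of any vendor's product, here is a minimal transcript data map in Python that logs each downstream copy as an integration fires, answers an erasure request with the full list of copies to delete, and flags meetings that have passed their retention period. The system names, record ids, participants and retention values are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention period per data class, in days. Constructed placeholder values:
# take the real numbers from your records management policy, not from here.
RETENTION_DAYS = {"general": 90, "phi": 6 * 365}

@dataclass
class Copy:
    system: str            # where the content went: "notetaker", "crm", "slack", ...
    record_id: str         # identifier of that copy inside the system
    deleted: bool = False

@dataclass
class Meeting:
    meeting_id: str
    held_on: date
    data_class: str        # "general" or "phi"
    participants: set      # data subjects who spoke or were named
    copies: list = field(default_factory=list)

    def push(self, system, record_id):
        """Log every downstream copy at the moment an integration fires."""
        self.copies.append(Copy(system, record_id))
    def expires_on(self):
        return self.held_on + timedelta(days=RETENTION_DAYS[self.data_class])

def erasure_worklist(registry, subject):
    """All undeleted copies, in every system, of meetings the subject appears in."""
    return [(m.meeting_id, c.system, c.record_id)
            for m in registry if subject in m.participants
            for c in m.copies if not c.deleted]

def expired_meetings(registry, today_iso):
    """Meetings whose retention period has run out and must be purged everywhere."""
    today = date.fromisoformat(today_iso)
    return [m.meeting_id for m in registry if today >= m.expires_on()]

def mark_erased(registry, meeting_id, system):
    """Record that one downstream copy has been confirmed deleted."""
    for m in registry:
        if m.meeting_id == meeting_id:
            for c in m.copies:
                if c.system == system:
                    c.deleted = True

def build_sample_registry():
    """Constructed sample data: three meetings, one of them containing PHI."""
    m1 = Meeting("mtg-001", date(2026, 1, 10), "general", {"alice", "bob"})
    for system, rid in [("notetaker", "t-001"), ("crm", "opp-42"), ("slack", "msg-9")]:
        m1.push(system, rid)
    m2 = Meeting("mtg-002", date(2026, 2, 1), "phi", {"carol", "dr-lee"})
    m2.push("notetaker", "t-002")
    m3 = Meeting("mtg-003", date(2026, 3, 5), "general", {"alice"})
    m3.push("notetaker", "t-003")
    m3.push("notion", "page-7")
    return [m1, m2, m3]
```

    Running the erasure worklist for "alice" against the sample data returns five copies across four systems for one person, which is exactly why an erasure request cannot be honoured from the notetaker's own archive alone.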

    Frequently asked questions

    Does Zoom AI Companion require a separate BAA for HIPAA?

    Yes. The Zoom for Healthcare plan and its associated BAA cover Zoom's AI Companion features for eligible healthcare customers, but you must be on the Healthcare plan and have executed the BAA. Standard Zoom Business/Enterprise plans do not come with a BAA by default. Contact Zoom directly to confirm current plan requirements.

    Can we record meetings with clients in California without all-party consent?

    Not without disclosure. California's Invasion of Privacy Act requires all parties to consent to recording. Disclosure and affirmative consent (or non-objection after disclosure) at the start of the meeting is the standard approach for all-party compliance. An AI bot that joins a meeting without announcing itself and begins recording may violate CIPA in California regardless of the host's consent.

    Is a transcript a "medical record" under HIPAA?

    It depends on what it contains. A transcript of a meeting in which a clinician discusses a patient's diagnosis, treatment plan, or test results, with the patient's name identifiable, is almost certainly PHI and thus a medical record under HIPAA if it is created or maintained by a covered entity or business associate. The format (audio, text, AI summary) does not determine HIPAA status — the presence of PHI does.

    What retention period should we set for AI notetaker transcripts?

    It depends on jurisdiction and use case. As a starting point: HIPAA's record-retention requirements apply to medical records (typically 6 years under the Privacy Rule). Financial services records have their own schedules. For general business meeting transcripts, the retention period should be defined in your records management policy and configured in the notetaker. Indefinite retention is almost always inappropriate and makes data-subject rights and litigation holds substantially harder to manage.

    Our employees use Otter.ai on personal devices. Is that a problem?

    Potentially a significant one. An employee using Otter.ai on a personal device without a company DPA or BAA is processing meeting participants' personal data (and potentially PHI) under consumer terms. The employer is still the data controller for any processing that occurs in the course of employment. If the employee's Otter account is not covered by the company's DPA, any meetings involving EU personal data or PHI are processed without the required agreements.

    The bottom line

    AI meeting notetakers are a legitimate and useful productivity tool — and they create real privacy compliance obligations that most organisations have not fully addressed. The minimum requirements for regulated use are straightforward: a BAA for any meeting that could include PHI, a GDPR DPA and appropriate lawful basis for any meeting involving EU data subjects, all-party consent disclosure, and retention settings configured to match policy rather than vendor defaults.

    The deeper risks — integration proliferation, indefinite archives, biometric voice profiles, and the difficulty of honouring erasure requests across multiple downstream systems — require more deliberate configuration choices at deployment time. The organisations that get this right treat the notetaker's settings and integrations as part of a data-minimisation strategy: capture what is needed, route it only where it belongs, and retain it only as long as required.
