Call Recording Notice · Iberlux
- Last updated:
- Version: 1.0
Call Recording Disclosure Policy & Compliance Manual
Document Owner: Office of the General Counsel · Iberlux LLC
Drafted by: External counsel — TCPA / Telecommunications / Privacy practice
Version: 2.0 (counsel-grade rewrite)
Effective Date: 2026-05-01
Last Updated: 2026-04-30
Next Mandatory Review: 2026-10-31 (semi-annual) and immediately upon any state wiretap statute amendment, FCC/FTC enforcement action against an insurance call center, or material change to Iberlux’s calling operations.
Cross-References: _docs/legal/tcpa-disclosure.md (consent for outbound contact), _docs/legal/privacy-policy.md, _docs/data-retention-policy.md.
1. Purpose, Scope and Authority
1.1 Purpose
This document is the definitive, counsel-supervised Recording Disclosure Policy for Iberlux LLC (“Iberlux,” “we,” or “the Company”). It governs:
- The disclosure required at the outset of every call placed or received by Iberlux or any agent acting on its behalf;
- The technical, retention, access, and audit controls applicable to recorded calls;
- The legal framework within which Iberlux records 100% of voice traffic across its multi-state operations, including AI-mediated calls placed by Vapi.ai prior to human-agent transfer.
This policy is binding on every Iberlux employee, contractor, vendor (including Vapi.ai, CallTools, Twilio, and any successor telephony provider), and downstream lead-buyer that handles calls that originate from or are routed through Iberlux infrastructure.
1.2 Scope
The policy applies to:
- Outbound dials to consumers (live agent and Vapi AI pre-qualification);
- Inbound calls from consumers responding to ads, prior outreach, or warm transfers;
- Internal transfers between agents, between Vapi AI and live agent, or between Iberlux and carrier representatives;
- Conference calls with multiple consumer-side parties (spouses, household members);
- Voicemails left by Iberlux agents on consumer voicemail systems;
- Voicemails received by Iberlux from consumers.
1.3 Authority
This policy implements the following bodies of law (each addressed in detail below):
- Federal: Title III of the Omnibus Crime Control and Safe Streets Act of 1968, codified at 18 U.S.C. §§ 2510–2523 (the “Federal Wiretap Act”);
- State: wiretap, eavesdropping, and electronic communications privacy statutes of all 50 states and the District of Columbia;
- Federal Communications Commission (FCC) TRACED Act and STIR/SHAKEN attestation rules;
- California SB 1001 (Bot Disclosure Law, Cal. Bus. & Prof. Code § 17940 et seq.);
- Colorado AI Act (SB 24-205, “Colorado Consumer Protections for Artificial Intelligence,” effective February 1, 2026);
- State insurance department record-retention regulations applicable to producers in Iberlux’s licensure footprint.
2. Legal Framework Overview
2.1 Federal — One-Party Consent
18 U.S.C. § 2511(2)(d) establishes that a person not acting under color of law may intercept a wire, oral, or electronic communication “where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception,” unless the interception is for the purpose of committing a criminal or tortious act.
Practical effect: Federal law alone permits Iberlux (a party to every Iberlux call) to record that call without notifying the consumer. Federal law sets a floor, not a ceiling.
2.2 State Two-Party (All-Party) Consent — Statutes Iberlux Treats as Mandatory
The following states require consent of all parties before a phone conversation may be recorded. Iberlux treats each as mandatory two-party. Where the statute is ambiguous in commercial-call context, Iberlux applies the more protective rule.
| State | Statute | Civil / Criminal | Notes |
|---|---|---|---|
| California | Cal. Penal Code § 632 (and § 632.7 for cordless/cellular) | Both — criminal misdemeanor + civil $5,000/violation or 3× damages | Strictest civil exposure in the country; PAGA-style class actions common. |
| Connecticut | Conn. Gen. Stat. § 52-570d (civil) and § 53a-189 (criminal) | Both | § 52-570d explicitly addresses telephone recording. |
| Florida | Fla. Stat. § 934.03 | Both — third-degree felony if intentional | “Security of Communications Act.” All-party. |
| Illinois | 720 ILCS 5/14-2 (post-2014 Clipper / Melongo fix) | Both | “Eavesdropping Act,” all-party for “private” conversations. |
| Maryland | Md. Code, Cts. & Jud. Proc. § 10-402 | Both — felony, up to 5 years | Strictest criminal exposure. Explicit “yes” required. |
| Massachusetts | Mass. Gen. Laws ch. 272 § 99 | Both — felony if intentional | “Wiretap Statute.” Strictest interpretation in U.S. — applies to secret recording even with one-party consent. |
| Montana | Mont. Code Ann. § 45-8-213 | Criminal misdemeanor | Notification (not full consent) required, but Iberlux treats as two-party. |
| New Hampshire | N.H. Rev. Stat. § 570-A:2 | Criminal felony class B | Two-party. |
| Pennsylvania | 18 Pa. Cons. Stat. §§ 5703–5704 | Both — felony | § 5704(4) business-use exception requires all-party consent. |
| Washington | Wash. Rev. Code § 9.73.030 | Both | All-party; “announcement” recorded into the call satisfies if heard. |
| Oregon | Or. Rev. Stat. § 165.540 | Both | Phone calls: one-party with announcement OK. Iberlux treats as two-party for safety in commercial context. |
2.3 Ambiguous States — Iberlux Treats as Two-Party
The following five states have ambiguous statutes or evolving case law that has been read by some courts to require all-party consent. Iberlux applies the two-party disclosure script in each:
| State | Statute / Authority | Why Ambiguous |
|---|---|---|
| Nevada | NRS 200.620 | Statute is one-party on its face; Lane v. Allstate (Nev. 1996) and McLellan v. State (Nev. 2008) construed phone-call recording to require all-party consent. |
| Vermont | No single wiretap statute; State v. Geraw, 173 Vt. 350 (2002), and State v. Brooks | Vermont Supreme Court has held warrantless recording of a private conversation by a party violates the state constitution in some contexts. |
| Hawaii | Haw. Rev. Stat. § 803-42 | One-party for telephone, all-party for in-person; line is fact-intensive in commercial context. |
| Delaware | Del. Code tit. 11, § 2402 | One-party criminal statute, but Delaware’s older Privacy Act § 1335(a)(4) prohibits intercepting “without consent of all parties.” Conflict unresolved. |
| Michigan | Mich. Comp. Laws § 750.539c | One-party in Sullivan v. Gray (1982) reading; AFT Mich. v. Project Veritas (E.D. Mich. 2018) signaled possible all-party reading. |
2.4 Inter-State Calls — Choice of Law
When call participants sit in different states, Iberlux applies the most protective state’s rule. This is consistent with Kearney v. Salomon Smith Barney, 39 Cal. 4th 95 (2006), where the California Supreme Court held that a California resident receiving a call from a Georgia broker was entitled to California’s two-party protection, notwithstanding Georgia’s one-party rule.
Rule of practice: Iberlux always uses the two-party / universal disclosure script for every call regardless of state, eliminating choice-of-law risk.
2.5 Federal Preemption
The Federal Wiretap Act sets a floor, not a ceiling. Section 2511(2)(d)’s one-party rule does not preempt stricter state wiretap statutes. Every federal circuit to reach the question has confirmed states may require all-party consent. Iberlux therefore must comply with the most protective applicable state statute on every call.
3. State Classification Schedule (50 states + DC)
| # | State | Citation | Classification | Civil/Criminal | Recommended Script Variant |
|---|---|---|---|---|---|
| 1 | Alabama | Ala. Code § 13A-11-30 et seq. | One-party | Criminal | Universal |
| 2 | Alaska | Alaska Stat. § 42.20.310 | One-party | Both | Universal |
| 3 | Arizona | Ariz. Rev. Stat. § 13-3005 | One-party | Both | Universal |
| 4 | Arkansas | Ark. Code § 5-60-120 | One-party | Criminal | Universal |
| 5 | California | Cal. Penal Code §§ 632, 632.7 | Two-party | Both | Universal + CA add-on |
| 6 | Colorado | Colo. Rev. Stat. § 18-9-303 | One-party | Both | Universal + CO AI Act add-on (for Vapi) |
| 7 | Connecticut | Conn. Gen. Stat. §§ 52-570d, 53a-189 | Two-party | Both | Universal |
| 8 | Delaware | Del. Code tit. 11 § 2402; tit. 11 § 1335 | Ambiguous — treat as two-party | Both | Universal |
| 9 | District of Columbia | D.C. Code § 23-542 | One-party | Both | Universal |
| 10 | Florida | Fla. Stat. § 934.03 | Two-party | Both — felony | Universal + FL emphasis |
| 11 | Georgia | Ga. Code § 16-11-66 | One-party | Criminal | Universal |
| 12 | Hawaii | Haw. Rev. Stat. § 803-42 | Ambiguous — treat as two-party | Both | Universal |
| 13 | Idaho | Idaho Code § 18-6702 | One-party | Both | Universal |
| 14 | Illinois | 720 ILCS 5/14-2 | Two-party (post-Clipper) | Both | Universal |
| 15 | Indiana | Ind. Code § 35-33.5-5-5 | One-party | Criminal | Universal |
| 16 | Iowa | Iowa Code § 808B.2 | One-party | Both | Universal |
| 17 | Kansas | Kan. Stat. § 21-6101 | One-party | Criminal | Universal |
| 18 | Kentucky | Ky. Rev. Stat. § 526.010 | One-party | Criminal | Universal |
| 19 | Louisiana | La. Rev. Stat. § 15:1303 | One-party | Both | Universal |
| 20 | Maine | Me. Rev. Stat. tit. 15 § 710 | One-party | Both | Universal |
| 21 | Maryland | Md. Code, Cts. & Jud. Proc. § 10-402 | Two-party — strictest | Both — felony | Universal + Maryland-specific |
| 22 | Massachusetts | Mass. Gen. Laws ch. 272 § 99 | Two-party | Both — felony | Universal + MA emphasis |
| 23 | Michigan | Mich. Comp. Laws § 750.539c | Ambiguous — treat as two-party | Both | Universal |
| 24 | Minnesota | Minn. Stat. § 626A.02 | One-party | Both | Universal |
| 25 | Mississippi | Miss. Code § 41-29-531 | One-party | Criminal | Universal |
| 26 | Missouri | Mo. Rev. Stat. § 542.402 | One-party | Both | Universal |
| 27 | Montana | Mont. Code Ann. § 45-8-213 | Two-party (notification) | Criminal | Universal |
| 28 | Nebraska | Neb. Rev. Stat. § 86-290 | One-party | Both | Universal |
| 29 | Nevada | NRS 200.620 | Ambiguous — treat as two-party | Both | Universal |
| 30 | New Hampshire | N.H. Rev. Stat. § 570-A:2 | Two-party | Criminal felony | Universal |
| 31 | New Jersey | N.J. Stat. § 2A:156A-4 | One-party | Both | Universal |
| 32 | New Mexico | N.M. Stat. § 30-12-1 | One-party | Criminal | Universal |
| 33 | New York | N.Y. Penal Law § 250.05 | One-party | Criminal | Universal |
| 34 | North Carolina | N.C. Gen. Stat. § 15A-287 | One-party | Both | Universal |
| 35 | North Dakota | N.D. Cent. Code § 12.1-15-02 | One-party | Criminal | Universal |
| 36 | Ohio | Ohio Rev. Code § 2933.52 | One-party | Both | Universal |
| 37 | Oklahoma | Okla. Stat. tit. 13 § 176.4 | One-party | Both | Universal |
| 38 | Oregon | Or. Rev. Stat. § 165.540 | Two-party (modified) | Both | Universal |
| 39 | Pennsylvania | 18 Pa. Cons. Stat. §§ 5703–5704 | Two-party | Both — felony | Universal + voicemail variant |
| 40 | Rhode Island | R.I. Gen. Laws § 11-35-21 | One-party | Criminal | Universal |
| 41 | South Carolina | S.C. Code § 17-30-30 | One-party | Both | Universal |
| 42 | South Dakota | S.D. Codified Laws § 23A-35A-20 | One-party | Criminal | Universal |
| 43 | Tennessee | Tenn. Code § 39-13-601 | One-party | Both | Universal |
| 44 | Texas | Tex. Penal Code § 16.02 | One-party | Both | Universal |
| 45 | Utah | Utah Code § 77-23a-4 | One-party | Both | Universal |
| 46 | Vermont | State v. Geraw, 173 Vt. 350 (2002) | Ambiguous — treat as two-party | Civil/constitutional | Universal |
| 47 | Virginia | Va. Code § 19.2-62 | One-party | Both | Universal |
| 48 | Washington | Wash. Rev. Code § 9.73.030 | Two-party | Both | Universal + WA emphasis |
| 49 | West Virginia | W. Va. Code § 62-1D-3 | One-party | Both | Universal |
| 50 | Wisconsin | Wis. Stat. § 968.31 | One-party | Both | Universal |
| 51 | Wyoming | Wyo. Stat. § 7-3-702 | One-party | Both | Universal |
Operating rule: Universal disclosure script (Section 5) is delivered on every call regardless of state. State-specific add-ons stack on top of the universal script in the listed states.
4. Iberlux Recording Policy
4.1 Recording Coverage
Iberlux records 100% of voice calls placed or received on Iberlux infrastructure or by Iberlux personnel acting in the course of business, including:
- Vapi.ai pre-qualification calls;
- Live-agent outbound dials (CallTools);
- Inbound calls into Iberlux DIDs (Twilio + CallTools ACD);
- Warm transfers to/from carrier representatives;
- Internal coaching calls between agent and supervisor where a consumer is on the line.
4.2 Lawful Bases for Recording
Iberlux records calls for the following independently sufficient lawful bases:
- Compliance and legal-defense: documentary evidence of TCPA consent, sales-suitability disclosures, customer-stated facts (age, product preferences, license status), and Iberlux’s regulatory representations.
- Quality assurance and training: sample-based QA review (Section 14), agent coaching, model-conversation curation.
- Fraud detection: identity-impersonation, license-misrepresentation, and replacement-business detection.
- Carrier audit response: carriers periodically audit producers and may request original call evidence supporting a sale.
- Subpoena response and litigation: TCPA, FDCPA, state UDAP, and wiretap class-action defense.
4.3 Retention
| Record type | Retention period | Basis |
|---|---|---|
| Call audio | 7 years from call end | TCPA 4-year SOL + state insurance regulator audit cycles + IRS record-keeping; longest applicable rule. |
| Call transcript (Whisper/AI-generated) | 7 years | Travels with audio. |
| Call metadata (CDR, timestamps, agent ID, disposition) | 7 years | Same. |
| Disclosure-delivery flag (Y/N) | 7 years | Defense evidence. |
| Recordings under active litigation hold | Indefinitely | Spoliation exposure. |
Recordings are never deleted on consumer demand once captured; this is a regulatory record. Consumers may obtain a copy of their own recording under CCPA/CPRA, GLBA Privacy Rule, or applicable state law.
4.4 Storage
- Provider: Cloudflare R2 (SOC 2 Type II attested).
- Encryption at rest: AES-256.
- Encryption in transit: TLS 1.3.
- Geographic controls: U.S.-region buckets only.
- Backup: cross-region replication; tape-out for litigation-hold material.
- Integrity: SHA-256 hash captured at write; verified on every retrieval.
4.5 Access
- Compliance team and counsel only by default.
- All access is logged (caller identity, timestamp, recording ID, justification code).
- Access logs retained 7 years.
- Annual access audit (Section 12.5).
- No agent has the ability to delete a recording.
- Quarterly attestation by IT security that access list matches HR roster.
5. Disclosure Scripts — Mandatory At Start of Every Call
The following scripts are load-bearing legal text. Agents and Vapi system prompts must deliver them verbatim. Permitted variation: caller name, agent name, phone number for callback. Prohibited variation: omitting the recording disclosure, paraphrasing it, or accelerating delivery so that the disclosure becomes unintelligible.
5.1 Universal Outbound Disclosure (safe for all 50 states · two-party-grade)
ENGLISH:
“Hi [Customer Name], this is [Agent Name] calling from Iberlux Insurance Agency. Before we continue, please note this call is being recorded for quality assurance, training, and compliance purposes. If you do not consent to recording, please let me know now and I will end the call. Otherwise, by continuing this call you consent to being recorded. May I continue?”
ESPAÑOL:
“Hola [Nombre del Cliente], soy [Nombre del Agente] llamando de Iberlux Insurance Agency. Antes de continuar, le informo que esta llamada está siendo grabada para fines de calidad, capacitación y cumplimiento legal. Si no da su consentimiento para que la llamada sea grabada, por favor avíseme ahora y terminaré la llamada. Si continúa con la llamada, está dando su consentimiento para ser grabado. ¿Puedo continuar?”
Delivery instruction: Wait for an affirmative response. In Maryland, Massachusetts, and California, the agent must receive an explicit “yes,” “sí,” “okay,” “ok,” “go ahead,” or “siga” before proceeding to substantive discussion. A non-response, “uh-huh,” or silence does not satisfy the explicit-consent requirement in Maryland.
5.2 Universal Inbound Greeting (live agent)
ENGLISH:
“Thank you for calling Iberlux Insurance Agency, this is [Agent Name]. Please note this call is being recorded for quality assurance, training, and compliance purposes. If you would prefer not to be recorded, let me know and I can transfer you to a non-recorded line. Otherwise, how may I help you today?”
ESPAÑOL:
“Gracias por llamar a Iberlux Insurance Agency, soy [Nombre del Agente]. Le informo que esta llamada está siendo grabada para fines de calidad, capacitación y cumplimiento legal. Si prefiere que no se grabe, dígame y le transfiero a una línea sin grabación. De lo contrario, ¿en qué le puedo ayudar hoy?”
5.3 IVR Pre-Greeting (every inbound number, both languages, plays before agent)
ENGLISH then SPANISH (concatenated audio):
“Thank you for calling Iberlux Insurance Agency. Your call will be recorded for quality, training, and compliance purposes. To continue in English, press 1. Para continuar en español, marque 2.”
“Gracias por llamar a Iberlux Insurance Agency. Su llamada será grabada con fines de calidad, capacitación y cumplimiento legal. Para continuar en español, marque 2. To continue in English, press 1.”
The IVR disclosure satisfies the “announcement” prong in Washington and Oregon and creates supplemental evidence of consent in two-party states. It does not eliminate the live-agent universal disclosure under § 5.2.
5.4 Vapi AI — Outbound Start (live AI before human transfer)
ENGLISH:
“Hello, this is Iberlux Insurance Agency. I am an automated assistant — an artificial intelligence — calling on behalf of Iberlux. This call is being recorded for quality assurance, training, and compliance purposes. I am calling about your recent insurance quote request. If you do not consent to speaking with an automated assistant or to being recorded, please let me know now and I will end the call. Otherwise, by continuing, you consent to both. Is now a good time to talk for two minutes?”
ESPAÑOL:
“Hola, le habla Iberlux Insurance Agency. Soy una asistente automatizada — una inteligencia artificial — llamando en nombre de Iberlux. Esta llamada está siendo grabada para fines de calidad, capacitación y cumplimiento legal. Le llamo sobre su solicitud reciente de cotización de seguro. Si no da su consentimiento para hablar con una asistente automatizada o para ser grabado, por favor avíseme ahora y terminaré la llamada. De lo contrario, al continuar, da su consentimiento a ambos. ¿Es buen momento para hablar dos minutos?”
5.5 Vapi AI — “Are You a Robot / Human / AI?” Mandatory Truthful Answer
If the consumer asks any variant of “are you a robot,” “are you a real person,” “is this a recording,” “am I talking to a computer,” “¿eres una persona?” “¿es una grabación?” “¿estoy hablando con una máquina?” — Vapi must answer truthfully and immediately:
ENGLISH:
“Yes — I am an automated assistant powered by artificial intelligence, working on behalf of Iberlux Insurance Agency. I am not a human. If you would prefer to speak with a human agent, I can transfer you right now.”
ESPAÑOL:
“Sí — soy una asistente automatizada con inteligencia artificial, trabajando en nombre de Iberlux Insurance Agency. No soy una persona humana. Si prefiere hablar con un agente humano, le puedo transferir ahora mismo.”
Delivery instruction (mandatory): Vapi system prompt must include this answer as a hard rule. Any deviation — including hedging (“I’m here to help”) or false denial — is a terminating compliance violation triggering immediate disablement of the Vapi flow pending counsel review. This is required by California SB 1001, by the FTC Act § 5 (deceptive practices), and as a defensive matter against fraud claims.
5.6 Vapi AI — Hand-Off to Human Agent
ENGLISH:
“Thank you. I’m going to connect you with [Agent Name], a licensed human insurance agent at Iberlux. Please hold for just a moment. The call will continue to be recorded.”
ESPAÑOL:
“Gracias. Le voy a conectar con [Nombre del Agente], un agente de seguros humano y licenciado de Iberlux. Manténgase en línea un momento. La llamada continuará siendo grabada.”
5.7 Voicemail Variant (agent leaves message)
ENGLISH:
“Hi [Name], this is [Agent Name] from Iberlux Insurance Agency, calling about the insurance quote you requested. Please note that when you call back, that call will be recorded for quality, training, and compliance purposes. You can reach me at [direct number] or visit iberluxseguros.com. Thank you.”
ESPAÑOL:
“Hola [Nombre], soy [Nombre del Agente] de Iberlux Insurance Agency, llamando sobre la cotización de seguro que solicitó. Le informo que cuando me devuelva la llamada, esa llamada será grabada para fines de calidad, capacitación y cumplimiento legal. Me puede contactar al [número directo] o visitar iberluxseguros.com. Gracias.”
The voicemail itself is also a recording captured by Iberlux’s outbound dialer; the disclosure satisfies Pennsylvania (§ 5704) and Massachusetts (ch. 272 § 99) authorities that read voicemail as a “communication” subject to the wiretap statute when the agent’s words are captured by the dialer.
5.8 Transfer Variant — Re-Disclosure on Internal Hand-Off
When a call is transferred from one Iberlux agent to another (e.g., qualification agent → licensed sales agent → carrier underwriter), the receiving agent re-discloses:
ENGLISH:
“Hi [Customer Name], this is [Receiving Agent Name] taking over from [Prior Agent]. Just to confirm: this call continues to be recorded for quality, training, and compliance purposes, as my colleague mentioned. I’d like to continue helping you with your [product]. Is that okay?”
ESPAÑOL:
“Hola [Nombre del Cliente], soy [Nombre del Agente Receptor], tomando la llamada de [Agente Anterior]. Le confirmo: esta llamada continúa siendo grabada para fines de calidad, capacitación y cumplimiento legal, como mi colega le mencionó. Me gustaría continuar ayudándole con su [producto]. ¿Está bien?”
Required for two-party states. In one-party states, optional but recommended. When the transfer is to a third-party carrier representative (outside Iberlux), the disclosure must be repeated and the carrier’s own disclosure may stack:
“I’m transferring you to [Carrier]’s underwriting line. They will likely also tell you that they record calls. The Iberlux side of the conversation will continue to be recorded as well.”
5.9 Conference / Three-Way Variant (additional party joins)
ENGLISH:
“Hello [Joining Party Name], welcome. Before we continue, please note this call is being recorded for quality, training, and compliance purposes, the same disclosure I gave [original consumer] at the start. If you do not consent to recording, please tell me now. Otherwise, by continuing, you consent. Is that okay?”
ESPAÑOL:
“Hola [Nombre del Que Se Une], bienvenido. Antes de continuar, le informo que esta llamada se está grabando para fines de calidad, capacitación y cumplimiento, la misma información que le di a [cliente original] al inicio. Si no da su consentimiento, dígame ahora. De lo contrario, al continuar, está dando su consentimiento. ¿Está bien?”
6. Vapi AI / Robocall Specific Disclosures
6.1 Mandatory Identification as Automated
Every Vapi-placed or Vapi-answered call must, in its first sentence, identify the speaker as an automated AI assistant. Compliance with Section 5.4 satisfies this requirement.
6.2 California SB 1001 (Bot Disclosure Law) — Add-On
California Bus. & Prof. Code § 17941 prohibits using a bot to communicate with another person in California “with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase.” For California consumers, append at the start of any Vapi flow:
ENGLISH:
“I want to make sure you know — I am a software bot, an artificial intelligence, not a human. I am not pretending to be a person.”
ESPAÑOL:
“Quiero asegurarme de que sepa — soy un bot de software, una inteligencia artificial, no una persona. No estoy fingiendo ser humano.”
This add-on plays after Section 5.4 and before substantive discussion.
6.3 Colorado AI Act 2026 — Add-On
The Colorado AI Act (SB 24-205) takes effect February 1, 2026 and imposes affirmative-disclosure obligations on deployers of “high-risk artificial intelligence systems” interacting with Colorado consumers. Insurance-eligibility-influencing AI conversations are within the statute’s scope. For Colorado consumers, append:
ENGLISH:
“Because you are in Colorado, I want to give you an additional notice required by Colorado law: I am an artificial intelligence system, and I am being used to gather information that may be used in connection with an insurance quote. You have the right to ask for a human review of any decision that affects your insurance eligibility or pricing. You can also request information about how this AI system works by emailing privacy@iberlux.com.”
ESPAÑOL:
“Como usted está en Colorado, le doy un aviso adicional requerido por la ley de Colorado: soy un sistema de inteligencia artificial y me están usando para recopilar información que puede ser utilizada en conexión con una cotización de seguro. Usted tiene derecho a pedir revisión humana de cualquier decisión que afecte su elegibilidad o precio de seguro. También puede pedir información sobre cómo funciona este sistema de IA enviando un correo a privacy@iberlux.com.”
6.4 Hand-Off to Human Agent
See § 5.6.
6.5 STIR/SHAKEN Attestation
All Vapi outbound calls must originate from numbers registered with Numeracle (or equivalent caller-ID reputation registrar), with A-level STIR/SHAKEN attestation, displayed caller ID “Iberlux Insurance,” and TRACED-Act-compliant call-blocking response posture.
6.6 Federal Do-Not-Call and Internal DNC
Vapi must respect:
- Federal DNC registry (scrubbed daily);
- State DNC registries (scrubbed weekly per state);
- Iberlux internal DNC / suppression list (real-time);
- Per-call STOP/quita-me/no-llamen requests captured during the call.
7. Two-Party Consent State Special Procedures
7.1 Maryland — Strictest
Maryland’s wiretap statute (Md. Code, Cts. & Jud. Proc. § 10-402) carries up to 5 years’ imprisonment for intentional violations. The Maryland Court of Appeals has held that implied consent is insufficient in commercial contexts. For any call where any party is in Maryland (caller area code 301, 410, 443, 240, 667, or stated location of Maryland):
Mandatory procedure:
- Deliver Universal disclosure (§ 5.1).
- Pause for explicit affirmative response.
- Receive an unambiguous “yes,” “sí,” “ok,” “go ahead,” or “yes, please continue.”
- Do not proceed on a non-response, “uh-huh,” cough, or silence.
- If consumer does not affirm, agent says: “Thank you. Because you have not given consent to be recorded, I’m going to end the call. You may call back at [non-recorded line] if you would like to speak without recording. Have a good day.” Then end call.
- Note in CRM: MD_explicit_consent = TRUE with timestamp.
Maryland-specific add-on script:
ENGLISH:
“Because you are in Maryland, Maryland law requires me to receive your explicit verbal consent before I record this call. Do you consent to this call being recorded — yes or no?”
ESPAÑOL:
“Como usted está en Maryland, la ley de Maryland requiere que reciba su consentimiento verbal explícito antes de grabar esta llamada. ¿Da su consentimiento para que esta llamada sea grabada — sí o no?”
7.2 California — Penal Code §§ 632 and 632.7
§ 632 covers “confidential communications.” § 632.7 addresses the cellular/cordless prong and applies to any non-consensual interception of a cell or cordless call regardless of whether confidential. Statutory damages: $5,000 per violation or 3× actual damages, whichever is greater. Class actions are common.
For California-located consumers (area codes 209, 213, 310, 408, 415, 424, 442, 510, 530, 559, 562, 619, 626, 628, 650, 657, 661, 669, 707, 714, 747, 760, 805, 818, 820, 831, 858, 909, 916, 925, 949, 951 + others):
- Deliver Universal disclosure (§ 5.1).
- If Vapi-placed, also deliver SB 1001 add-on (§ 6.2).
- Wait for affirmative response.
- Document CA_consent = TRUE and exact disclosure version delivered.
7.3 Florida — § 934.03 Felony Exposure
Florida’s Security of Communications Act makes intentional unconsented recording of a wire communication a third-degree felony punishable by up to 5 years. Civil action also available with statutory damages of $1,000 per day or $100/day per violation, plus punitive damages and fees.
Florida-specific procedure:
- Universal disclosure (§ 5.1) is sufficient when delivered audibly and not buried.
- Wait for affirmative response; “may I continue?” followed by “yes” creates explicit two-party consent.
- Florida agents log FL_consent_received_explicit = TRUE.
7.4 Pennsylvania — § 5704
PA’s Wiretap Act § 5704(4) provides a business-extension exception only when all parties consent. The law-enforcement carve-out at § 5704(2) does not apply to commercial recording. PA also enforces the disclosure on voicemail messages an agent leaves on a consumer’s machine when the dialer captures the agent’s spoken disclosure.
PA procedure:
- Universal disclosure (§ 5.1) delivered live.
- Voicemail variant (§ 5.7) delivered if the call rolls to voicemail.
- Document PA_voicemail_disclosed = TRUE if applicable.
7.5 Massachusetts — Ch. 272 § 99
Massachusetts is unique in that its statute prohibits “secret” recording — the standard is whether the recording was secret to the other party, not whether the recording party consented. A clearly delivered disclosure that the consumer audibly hears suffices. Felony exposure exists.
Procedure:
- Universal disclosure (§ 5.1) delivered audibly, not at high speed, not over background noise.
- For voicemail, voicemail variant (§ 5.7) delivered.
7.6 Washington — RCW 9.73.030
Washington allows the all-party consent requirement to be satisfied by an announcement that is recorded as part of the conversation and audible to all parties (RCW 9.73.030(3)). Iberlux’s Universal disclosure (§ 5.1) and IVR pre-greeting (§ 5.3) both satisfy this. Document WA_announcement_in_recording = TRUE.
7.7 Illinois — 720 ILCS 5/14-2
After People v. Clipper and the 2014 amendment, Illinois requires all-party consent for recording of “private” conversations. Consumer-facing commercial calls are deemed private. Universal disclosure (§ 5.1) suffices.
7.8 Connecticut — § 52-570d
Connecticut civil statute requires either (a) verbal consent, (b) a recorded notice at the start, or (c) a periodic warning tone. Iberlux uses (a) + (b). Connecticut also has a separate criminal statute (§ 53a-189) requiring consent for “private telephonic communication.”
7.9 New Hampshire, Oregon, Montana
Universal disclosure (§ 5.1) suffices for each.
7.10 Ambiguous States (DE, HI, MI, NV, VT)
Universal disclosure delivered; treat as two-party.
8. Revocation of Consent (Mid-Call)
8.1 Trigger Phrases
Any of the following from the consumer triggers immediate revocation processing:
- “Stop recording.”
- “I don’t want to be recorded.”
- “Turn off the recording.”
- “Pare la grabación.”
- “No quiero que graben.”
- “Apague la grabación.”
- Any reasonably equivalent phrase.
8.2 Required Response (verbatim)
ENGLISH:
“Understood. I am stopping the recording now. Please hold for just a moment while I do that. … The recording is now paused. Please note that the portion of our call up to this point has been recorded and that recording will be retained per our compliance policy. From here forward, the call is not being recorded. How would you like to proceed?”
ESPAÑOL:
“Entendido. Voy a detener la grabación ahora. Manténgase en línea un momento mientras hago eso. … La grabación está pausada. Le informo que la parte de nuestra llamada hasta este punto ha sido grabada y esa grabación se conservará según nuestra política de cumplimiento. De aquí en adelante, la llamada no se está grabando. ¿Cómo quiere proceder?”
8.3 Technical Requirements
- CallTools / Vapi recording must be paused within 5 seconds of the trigger phrase (recording stop API call by agent or AI).
- Pause event captured in CRM: recording_paused_at, recording_paused_by_agent_id, revocation_phrase_quoted, state_of_caller.
- The portion of recording already captured cannot be deleted — it is a regulatory record. Iberlux’s policy on this is disclosed in the response above.
- If the caller insists on deletion, escalate to compliance officer; do not promise deletion. Counsel reviews subpoena-and-statute-driven retention obligations in each instance.
- Resumption: only if the consumer expressly invites recording to resume (“you can record again”); otherwise the remainder of the call stays unrecorded.
8.4 Documentation
A revocation event creates a row in recording_revocations:
| Field | Notes |
|---|---|
| call_id | FK |
| revoked_at_utc | timestamp |
| revoked_at_seconds_into_call | ms offset |
| revocation_phrase | verbatim consumer text |
| agent_id | who handled |
| state_of_caller | per § 19 |
| recording_resumed | bool |
| compliance_review_required | bool (true if deletion was demanded) |
9. Voicemail Disclosure
9.1 When the Agent Leaves a Voicemail
The voicemail is a one-way recording of the agent’s voice plus the act of the agent’s dialer recording the agent’s outgoing audio. PA and MA case law has repeatedly held the agent’s outgoing voicemail is captured by the agent’s own recording system and is therefore subject to wiretap statutes.
Iberlux rule: every voicemail uses § 5.7 voicemail variant. Voicemail length kept under 30 seconds.
9.2 When a Consumer Leaves a Voicemail to Iberlux
Inbound voicemail is captured automatically with consent established by the IVR pre-greeting (§ 5.3) heard by the consumer before they were prompted to leave a message. Iberlux’s IVR voicemail prompt:
ENGLISH:
“We are unable to take your call right now. Please leave a message after the tone. Your message will be recorded and retained for quality, training, and compliance purposes.”
ESPAÑOL:
“No podemos atender su llamada en este momento. Por favor deje un mensaje después del tono. Su mensaje será grabado y conservado para fines de calidad, capacitación y cumplimiento.”
9.3 Ringless Voicemail
Iberlux does not use ringless voicemail technology. Multiple courts (most prominently Saunders v. Dyck O’Neal, 319 F. Supp. 3d 907 (W.D. Mich. 2018)) have construed RVM as a TCPA-prohibited “call.” Use is prohibited regardless of recording-disclosure compliance.
10. Inbound Call Handling
10.1 IVR Greeting
§ 5.3 plays before any human agent or Vapi response.
10.2 Live Agent Greeting
§ 5.2 delivered as the first agent utterance.
10.3 Consumer Opt-Out of Recording on Inbound
If a consumer requests not to be recorded on an inbound call, the agent:
- Confirms: “Understood. I am going to transfer you to a non-recorded line. Please hold.”
- Transfers to the compliance non-recorded line (a single CallTools queue with recording disabled, staffed by senior agents).
- The transferring agent’s portion of the call (up to transfer) was already recorded with the consumer’s IVR-confirmed consent and is retained.
10.4 No Available Non-Recorded Line
If non-recorded staff are unavailable, the agent offers: “I can call you back from a non-recorded line at [time]. Would that work?” Schedule callback in CRM with non_recorded_line = TRUE.
11. Transfer / Conference Call Handling
11.1 Internal Transfer (Iberlux to Iberlux)
§ 5.8 re-disclosure. Required in two-party states. Best-practice in all states.
11.2 External Transfer (Iberlux to carrier rep)
§ 5.8 re-disclosure. Iberlux’s recording continues. The carrier likely also records — communicate this to the consumer.
11.3 Three-Way / Conference
§ 5.9 re-disclosure to each new joining party. Choice-of-law: each party’s home state law applies to that party, so the universal two-party-grade script accommodates the most protective rule.
11.4 Vapi → Live Agent Hand-Off
§ 5.6 disclosure delivered by Vapi at hand-off. Live agent then delivers § 5.8 (transfer) variant when picking up.
12. Recording Storage & Access
12.1 Retention
7 years, per § 4.3.
12.2 Encryption
- At rest: AES-256-GCM.
- In transit: TLS 1.3 minimum.
- Key management: Cloudflare R2 customer-managed keys; rotation annually.
12.3 Access Controls
- Role-based: compliance, counsel, qa-lead, auditor only.
- All access logged: identity, timestamp, recording ID, justification.
- No write/delete permissions outside compliance-admin (two-person rule).
- Quarterly reconciliation of role membership against HR roster.
12.4 Subpoena Response Procedure
- Subpoena, civil discovery request, or government inquiry routed to General Counsel within 24 hours of receipt.
- Counsel determines scope, validity, jurisdiction, privilege.
- Litigation hold placed on the call record(s) (suspends 7-year clock and any deletion).
- Production via secure, encrypted, hash-verified delivery (SFTP or secure download with chain-of-custody log).
- Notify consumer if and only if law permits and counsel approves.
- Response logged in subpoena_response table with copy of subpoena, scope of production, production timestamp, recipient identity.
12.5 Annual Access Audit
Each calendar year, an internal audit verifies:
- All access events have a justification code;
- Justification codes match active matter / QA project / authorized counsel request;
- No anomalous access patterns (off-hours, outside-IP, bulk download);
- Role membership matches active employment.
Audit report retained 7 years; presented to General Counsel.
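The four § 12.5 checks run over an access log, as an added example (not Iberlux's own tooling). The log shape, the source-IP field, the office network, the business-hours window and the bulk threshold are assumptions; the policy names the checks but sets no values.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

ALLOWED_ROLES = {"compliance", "counsel", "qa-lead", "auditor"}  # § 12.3
# Assumed values for this example; the policy does not define them.
OFFICE_NETS = [ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 UTC


def audit(events, active_staff, open_codes, bulk_per_day=50):
    """Return (event_index, finding) pairs for the § 12.5 checks."""
    findings = []
    per_day = Counter()
    for i, e in enumerate(events):
        ts = datetime.fromisoformat(e["ts"])
        # Every access needs a justification that maps to an open matter.
        if not e.get("justification"):
            findings.append((i, "missing-justification"))
        elif e["justification"] not in open_codes:
            findings.append((i, "unknown-justification"))
        # Identity must be on the HR roster with an allowed role.
        if active_staff.get(e["identity"]) not in ALLOWED_ROLES:
            findings.append((i, "role-mismatch"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((i, "off-hours"))
        if not any(ip_address(e["ip"]) in net for net in OFFICE_NETS):
            findings.append((i, "outside-ip"))
        # Flag once, at the first access over the per-identity daily limit.
        key = (e["identity"], ts.date())
        per_day[key] += 1
        if per_day[key] == bulk_per_day + 1:
            findings.append((i, "bulk-download"))
    return findings


# Constructed sample data (identities, codes and addresses are invented).
STAFF = {"u-101": "qa-lead", "u-102": "counsel"}
OPEN_CODES = {"QA-2026-03", "MATTER-17"}
EVENTS = [
    {"identity": "u-101", "ts": "2026-03-02T14:05:00", "recording_id": "rec-0001",
     "justification": "QA-2026-03", "ip": "10.20.4.7"},
    {"identity": "u-101", "ts": "2026-03-02T14:06:00", "recording_id": "rec-0002",
     "justification": "", "ip": "10.20.4.7"},
    {"identity": "u-102", "ts": "2026-03-03T02:30:00", "recording_id": "rec-0003",
     "justification": "MATTER-17", "ip": "203.0.113.9"},
    {"identity": "u-300", "ts": "2026-03-03T10:00:00", "recording_id": "rec-0004",
     "justification": "QA-2025-11", "ip": "10.20.4.9"},
    {"identity": "u-101", "ts": "2026-03-02T14:07:00", "recording_id": "rec-0005",
     "justification": "QA-2026-03", "ip": "10.20.4.7"},
]

if __name__ == "__main__":
    for idx, finding in audit(EVENTS, STAFF, OPEN_CODES, bulk_per_day=2):
        print(EVENTS[idx]["recording_id"], finding)
```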
13. Employee / Agent Training Requirements
13.1 At Hire
Every agent (employee or contractor) must, before placing or receiving any consumer call:
- Read this Recording Disclosure Policy and the TCPA Disclosure document.
- Pass a 20-question quiz (100% required to pass; up to 3 attempts) covering:
  - Federal vs. state consent rules,
  - Universal disclosure script (verbatim recall),
  - Maryland-specific procedure,
  - California SB 1001 and Colorado AI Act add-ons,
  - Revocation procedure,
  - Voicemail and transfer rules.
- Practice the disclosure aloud with supervisor (cadence test — disclosure must be delivered at intelligible speed, audible volume, in correct language).
- Sign acknowledgment (electronic, captured in HR record).
13.2 Annually
Recertification — refresher training and re-quiz. Same passing standard.
13.3 Spot-Check QA
Compliance team listens to 5% of recorded calls per agent per month and scores disclosure delivery on a 0–4 rubric (Section 14.1).
13.4 Discipline for Non-Disclosure
| Offense | Consequence |
|---|---|
| 1st missed/inaudible disclosure | Coaching session + re-quiz. |
| 2nd within 30 days | Written warning + daily QA review for 14 days. |
| 3rd within 30 days | Suspension pending compliance retraining. |
| Any missed disclosure on a two-party-state call exceeding 30 seconds of substantive conversation | Immediate review for termination. |
| Egregious — e.g., 30-minute call in CA, MA, MD without disclosure | Termination and counsel review of corresponding consumer’s exposure. |
| False answer to “are you a robot” | Termination (Vapi flow disablement if AI). |
14. Compliance Audit Schedule
14.1 Daily
Automated detection: any call without recognized disclosure-language audio in the first 30 seconds is flagged in real-time and routed to a compliance reviewer.
Detection method: Whisper transcript scanned for required keywords (recording, recorded, grabada, grabando, quality, training, compliance, calidad, capacitación, cumplimiento) plus state-specific add-on keywords. False positives reviewed within 24 hours.
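A sketch of the § 14.1 scan, added here as an example and not taken from Iberlux's detection pipeline. It assumes transcript segments carry a start time in seconds and their text; the sample transcripts are constructed and are not the § 5.1 script. State-specific add-on keywords are left out because the policy does not list them.

```python
import re
import unicodedata

# Keywords and 30-second window as listed in § 14.1.
KEYWORDS = ("recording", "recorded", "grabada", "grabando", "quality",
            "training", "compliance", "calidad", "capacitación", "cumplimiento")
WINDOW_SECONDS = 30.0


def _fold(text):
    """Lowercase and strip accents so 'capacitacion' matches 'capacitación'."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


# Whole-word match, so 'prerecorded' does not count as 'recorded'.
_PATTERN = re.compile(r"\b(" + "|".join(_fold(k) for k in KEYWORDS) + r")\b")


def scan_call(segments, window=WINDOW_SECONDS):
    """Return (flagged, first_hit_seconds, matched_keywords) for one call.

    Only segments that start inside the window count; a disclosure
    delivered after the window still leaves the call flagged.
    """
    first_hit = None
    matched = set()
    for seg in sorted(segments, key=lambda s: s["start"]):
        if seg["start"] >= window:
            break
        hits = _PATTERN.findall(_fold(seg["text"]))
        if hits:
            matched.update(hits)
            if first_hit is None:
                first_hit = seg["start"]
    return (first_hit is None, first_hit, sorted(matched))


# Constructed sample transcripts (invented wording and timings).
CALLS = {
    "call-a": [{"start": 0.0, "text": "Hello, this is Ana with Iberlux."},
               {"start": 4.2, "text": "This call is being recorded for "
                                      "quality, training, and compliance purposes."}],
    "call-b": [{"start": 0.0, "text": "Hola, le habla Ana de Iberlux."},
               {"start": 3.5, "text": "Esta llamada esta siendo grabada para "
                                      "fines de calidad y capacitacion."}],
    "call-c": [{"start": 0.0, "text": "Hi, do you have a minute to talk about coverage?"},
               {"start": 41.0, "text": "By the way, this call is recorded."}],
}


def flag_calls(calls):
    """Call IDs to route to a compliance reviewer."""
    return sorted(cid for cid, segs in calls.items() if scan_call(segs)[0])


if __name__ == "__main__":
    print(flag_calls(CALLS))
```

The first-hit time is the value a pipeline would store in disclosure_delivered_at_seconds (§ 19). The matched-keyword list is returned so a reviewer can see when a call cleared the flag on a purpose word such as "quality" alone, which the any-keyword rule permits.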
14.2 Monthly
- 5% random sample audit (spot-check QA);
- Aggregate compliance scorecard by agent, by team, by Vapi flow version;
- Trend analysis (is any state’s compliance rate degrading?);
- Report to General Counsel.
14.3 Quarterly
- Full integrity check of recording_metadata table;
- Reconciliation of CallTools / Vapi recordings vs. Cloudflare R2 storage (no missing files);
- Hash verification on a 1% random sample.
14.4 Annually
- Full external compliance audit (vendor of counsel’s choice);
- Recording-policy review against current case law and statutes;
- Update of state classification schedule;
- Counsel-signed certification.
14.5 Auto-Flag Triggers
| Trigger | Action |
|---|---|
| No disclosure keyword within first 30s | Real-time flag → compliance review within 4 hours. |
| Call > 30 seconds with no disclosure | Immediate supervisor escalation. |
| Vapi answers “are you a robot” with denial or hedge | Terminating compliance event → Vapi flow disabled pending counsel. |
| Revocation event without recording pause within 5s | Engineering ticket P0; compliance flagged. |
| Subpoena received | General Counsel notified within 24h. |
15. Special Rules for Specific Products
15.1 Final Expense / Senior
Per AARP best-practices and FTC senior-protection guidance:
- Disclosure delivered at slower cadence and higher volume;
- Agent explicitly asks “Do you understand that this call is being recorded?” and waits for verbal yes;
- If consumer appears confused or asks repeatedly about recording, agent confirms understanding before proceeding;
- Mandatory two-party-style explicit consent regardless of state.
15.2 Medicare-Related Calls
- CMS marketing rules (42 C.F.R. § 422.2274 and § 423.2274) overlay TCPA and wiretap rules;
- Recording retention extended to 10 years for any Medicare Advantage or Part D enrollment call (CMS audit cycle);
- “Scope of appointment” disclosure is a separate compliance item — see _docs/legal/medicare-marketing.md (TBD);
- Disclosure must include CMS-required disclaimer that “Iberlux is not Medicare or affiliated with the federal government.”
15.3 ACA Marketplace Enrollment
- 45 C.F.R. § 155.220 imposes specific marketing-conduct rules;
- Recording retention extended to 10 years;
- Disclosure must clarify Iberlux is a licensed insurance agency, not the Marketplace, not CMS, not the federal government;
- See _docs/legal/tcpa-disclosure.md Variant B.
16. State-by-State Schedule (Operational Cheat Sheet)
See full table at § 3 above. The operational rule remains: every call uses Universal disclosure (§ 5.1). State-specific overlays:
| State | Add-On |
|---|---|
| California | SB 1001 (§ 6.2) on every Vapi call. |
| Colorado | CO AI Act (§ 6.3) on every Vapi call. |
| Maryland | Maryland-specific add-on (§ 7.1). Explicit “yes” mandatory. |
| Florida | Slow, audible delivery; explicit affirmative response logged. |
| Massachusetts | Slow, audible delivery — secrecy is the test. |
| Pennsylvania | Voicemail variant (§ 5.7) on every voicemail. |
| Washington | IVR + universal both retained as “announcements.” |
17. California SB 1001 Compliance Detail
Cal. Bus. & Prof. Code §§ 17940–17943.
Triggers: any “online platform” (broadly construed to include AI voice) using a bot to communicate with a person in California for the purpose of incentivizing a sale or influencing a vote.
Iberlux compliance:
- Disclosure at first interaction (§ 5.4 + § 6.2).
- No false denial of bot status if asked (§ 5.5).
- System prompt enforcement: Vapi flow definition contains a hard-coded rule to deliver bot-disclosure verbatim and to truthfully answer any “are you a robot” question. Deviation triggers automatic flow disablement.
- Audit trail: every CA-routed Vapi call logs SB1001_disclosure_delivered = TRUE with timestamp.
Exposure if non-compliant: SB 1001 itself does not create a private right of action, but violations create derivative claims under (i) California UCL, Bus. & Prof. Code § 17200; (ii) CLRA, Civil Code § 1750; (iii) FTC Act § 5; (iv) CA wiretap § 632 if the bot is also recording without consent.
18. Colorado AI Act 2026 Compliance Detail
Colo. Rev. Stat. §§ 6-1-1701 to 6-1-1707 (effective 2026-02-01).
Triggers: “deployer” of a “high-risk artificial intelligence system” used to make or be a “substantial factor” in making a “consequential decision” — including insurance eligibility, pricing, or coverage decisions.
Iberlux scope: Vapi’s pre-qualification flow gathers data that may inform downstream insurance-eligibility decisions. Iberlux treats Vapi as a high-risk AI system for Colorado consumers and complies with the deployer obligations:
- Disclosure to consumer (§ 6.3) of AI use and right to human review.
- Risk management policy maintained per § 6-1-1703(2).
- Annual impact assessment for the AI system per § 6-1-1703(3); first assessment due Q1-2027.
- Human review pathway: consumer-initiated path documented at iberluxseguros.com/ai-review and answered by privacy@iberlux.com within 30 days.
- Algorithmic discrimination monitoring: quarterly review of pre-qualification dispositions disaggregated by protected class proxies.
- Notification to AG: any “algorithmic discrimination” event reported within 90 days of discovery per § 6-1-1703(7).
19. Audit Trail Requirements (Per-Call Schema)
Each call produces a call_compliance row containing at minimum:
| Field | Description |
|---|---|
| call_id | UUID, primary key. |
| direction | inbound / outbound. |
| call_started_at_utc | timestamp. |
| call_ended_at_utc | timestamp. |
| duration_seconds | integer. |
| agent_id | Iberlux personnel ID, or vapi-flow-{name}-{version}. |
| consumer_phone_e164 | E.164 phone number. |
| consumer_state_inferred_from_npa | state derived from area code. |
| consumer_state_self_reported | state reported by consumer in call. |
| state_of_record | most-protective of inferred + self-reported (default for compliance). |
| disclosure_script_version | e.g., recording-disclosure-v2.0. |
| disclosure_delivered_yn | bool. |
| disclosure_delivered_at_seconds | seconds-into-call when disclosure occurred. |
| disclosure_language | en / es / both. |
| ai_disclosure_delivered_yn | bool (Vapi only). |
| sb1001_addon_delivered_yn | bool (CA only). |
| co_ai_act_addon_delivered_yn | bool (CO only). |
| md_explicit_consent_received_yn | bool (MD only). |
| revocation_event_yn | bool. |
| revocation_handled_correctly_yn | bool. |
| transfer_event_yn | bool. |
| transfer_re_disclosure_delivered_yn | bool. |
| recording_storage_uri | Cloudflare R2 URI. |
| recording_sha256 | hash of audio. |
| transcript_storage_uri | URI. |
| qa_score | 0–4 rubric. |
| compliance_flag | null / yellow / red. |
| compliance_review_id | FK if reviewed. |
Records retained 7 years (10 for Medicare/ACA), encrypted at rest.
20. Liability & Penalties Summary
20.1 Federal
- Civil: 18 U.S.C. § 2520 — actual damages, statutory damages of greater of $100/day or $10,000, punitive damages, attorneys’ fees;
- Criminal: 18 U.S.C. § 2511 — up to 5 years per violation.
20.2 State Civil — Selected Maxima
| State | Per-violation civil exposure |
|---|---|
| California § 637.2 | $5,000 per violation or 3× actual damages, plus injunctive relief. Class actions common; per-call damages aggregate quickly. |
| Connecticut § 52-570d(c) | Actual + punitive + attorneys’ fees. |
| Florida § 934.10 | Greater of $1,000 or $100/day per violation; punitive; fees. |
| Illinois § 14-6 | Actual + $50,000 statutory cap or actual, whichever greater. |
| Maryland § 10-410 | Greater of $100/day or $1,000; punitive; fees. |
| Massachusetts § 99(Q) | Actual + punitive + fees. |
| Pennsylvania § 5725 | Actual + $100/day or $1,000; punitive; fees. |
| Washington § 9.73.060 | Actual + $100/day or $1,000; fees. |
20.3 State Criminal — Felony Exposure
CA, CT, FL, IL, MD, MA, NH, PA all carry felony exposure for willful violations. Maryland and Massachusetts have the harshest practical track records.
20.4 Class-Action Aggregation Risk
A single compliance failure played out across an entire calling campaign can produce class-action exposure of $500–$1,500 per call in two-party states. A 50,000-call California campaign without disclosure can expose Iberlux to $25M–$75M in statutory damages before fees and punitives.
21. Defense Strategy in Wiretap Lawsuits
When a wiretap or recording claim is asserted against Iberlux, defense rests on:
- Recorded disclosure itself — the recording captures Iberlux’s verbatim disclosure and the consumer’s affirmative response (best evidence of consent).
- Disclosure-script version control — disclosure_script_version field tied to call timestamp proves what script was in effect.
- Agent-training records — completed quizzes, signed acknowledgments, recurring recertifications.
- QA / spot-check audit trail — monthly audit reports demonstrating systemic compliance.
- Auto-flag detection logs — proof Iberlux affirmatively monitors, escalates, and remediates.
- IVR consent layering — for inbound calls, IVR greeting plus live disclosure creates a defense-in-depth.
- Consent-management database — TCPA consent (per tcpa-disclosure.md) layered with recording consent.
- Subpoena-response protocol — clean chain of custody.
- Counsel-signed annual certification — evidence of supervised compliance program.
- Prompt remediation evidence — when an incident is detected, documented response, retraining, and (where applicable) consumer notification.
A counsel-supervised compliance program is the difference between a defensible record and unbounded class-action exposure.
22. Document Control
- Version 2.0 · 2026-04-30 · counsel-grade rewrite (supersedes v1.0 dated 2026-04-30).
- Owners: Daniel · Nelson · External Counsel.
- Approver: Iberlux General Counsel (signature required before deployment).
- Next scheduled review: 2026-10-31.
- Triggers for immediate review: any state wiretap statute amendment; FCC, FTC, or state AG enforcement action against an insurance call center; any internal incident; introduction of new AI calling capability; entry into a new state.