1. Before starting any recording, play a consent announcement to the caller using TwiML <Play> or <Say> informing them the call may be recorded; in all-party consent jurisdictions (12 US states, EU, California, etc.) require an affirmative response (e.g. key press) before proceeding.
2. Start the recording only after consent is obtained; use <Record> or the Recordings REST API to begin capture, and set the beep attribute to signal the start of recording to both parties.
3. Configure a recordingStatusCallback URL on the <Record> verb to receive the recording SID, duration, and URL when the recording is available; handle this webhook to persist the metadata.
4. Store recordings in a compliant environment: for HIPAA, enable HTTP Authentication and store in a HIPAA-eligible bucket; for PCI compliance, enable Twilio PCI Mode in the console before recording calls that involve card data.
5. Implement a retention policy: HIPAA requires six years retention; PCI DSS limits cardholder data storage; honour deletion requests under GDPR within 30 days and maintain an audit log.
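The following is an added example of the full flow above (consent prompt, consent-gated <Record>, status webhook, deletion with audit trail); it is not code from this page or from Twilio. It uses only the Python standard library and builds the TwiML as XML. Beyond the steps listed, it also verifies the X-Twilio-Signature header on incoming webhooks (Twilio's documented scheme: base64 of HMAC-SHA1 over the request URL plus the sorted POST parameters) so that a forged callback cannot plant a bogus recording SID or URL in your store. The example.test URLs, the in-memory dictionaries, and the auth token value are placeholders; on the <Record> verb the attribute that produces the start tone is named playBeep.

```python
"""Consent-gated Twilio call recording flow. Added example; not Twilio's code.

Standard library only: TwiML is built as XML and webhooks are verified with
Twilio's HMAC-SHA1 signature scheme. URLs and stores below are placeholders.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical endpoints for this example; replace with your own HTTPS URLs.
CONSENT_ACTION_URL = "https://example.test/voice/consent"
RECORDING_CALLBACK_URL = "https://example.test/voice/recording-status"

RECORDINGS: Dict[str, dict] = {}   # stand-in for a compliant datastore
AUDIT_LOG: List[dict] = []         # stand-in for an append-only audit trail


def _twiml(root: ET.Element) -> str:
    return '<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(root, encoding="unicode")


def _audit(event: str, **fields) -> None:
    AUDIT_LOG.append({"event": event, "at": datetime.now(timezone.utc).isoformat(), **fields})


def consent_twiml(action_url: str = CONSENT_ACTION_URL) -> str:
    """Step 1: play the announcement and wait for an affirmative key press.

    <Gather> posts the pressed digit to action_url. If the caller presses
    nothing, the trailing <Say>/<Hangup> run and nothing is ever recorded.
    """
    resp = ET.Element("Response")
    gather = ET.SubElement(resp, "Gather", numDigits="1", action=action_url,
                           method="POST", timeout="10")
    ET.SubElement(gather, "Say").text = (
        "This call may be recorded for quality and compliance purposes. "
        "Press 1 to consent and continue, or hang up now.")
    ET.SubElement(resp, "Say").text = "No consent was received. Goodbye."
    ET.SubElement(resp, "Hangup")
    return _twiml(resp)


def consent_response_twiml(digits: str, callback_url: str = RECORDING_CALLBACK_URL) -> str:
    """Step 2: only an explicit '1' starts <Record>; anything else ends the call."""
    resp = ET.Element("Response")
    if digits != "1":
        ET.SubElement(resp, "Say").text = "Consent not given. Goodbye."
        ET.SubElement(resp, "Hangup")
        return _twiml(resp)
    ET.SubElement(resp, "Say").text = "Thank you. Recording will now begin."
    # playBeep signals the start of capture to both parties; the status
    # callback (step 3) fires once the recording file is ready.
    ET.SubElement(resp, "Record", playBeep="true", maxLength="3600",
                  recordingStatusCallback=callback_url,
                  recordingStatusCallbackMethod="POST",
                  recordingStatusCallbackEvent="completed")
    return _twiml(resp)


def record_attrs(twiml: str) -> Optional[dict]:
    """Return the <Record> attributes of a TwiML document, or None if absent."""
    rec = ET.fromstring(twiml).find("Record")
    return None if rec is None else dict(rec.attrib)


def twilio_signature(auth_token: str, url: str, params: Dict[str, str]) -> str:
    """X-Twilio-Signature: base64(HMAC-SHA1(auth_token, url + sorted key+value pairs))."""
    payload = url + "".join(k + v for k, v in sorted(params.items()))
    mac = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_webhook(auth_token: str, url: str, params: Dict[str, str], presented: str) -> bool:
    """Reject forged callbacks before trusting any RecordingSid or URL they carry."""
    return hmac.compare_digest(twilio_signature(auth_token, url, params), presented)


def handle_recording_status(params: Dict[str, str]) -> Optional[dict]:
    """Step 3: persist metadata from recordingStatusCallback (call after verify_webhook).

    Only the 'completed' event carries a final URL and duration; other
    statuses are acknowledged without storing anything.
    """
    if params.get("RecordingStatus") != "completed":
        return None
    record = {
        "recording_sid": params["RecordingSid"],
        "call_sid": params["CallSid"],
        "url": params["RecordingUrl"],
        "duration_s": int(params["RecordingDuration"]),
        "stored_at": datetime.now(timezone.utc).isoformat(),
    }
    RECORDINGS[record["recording_sid"]] = record
    _audit("recording_stored", recording_sid=record["recording_sid"])
    return record


def delete_recording(recording_sid: str, reason: str = "gdpr_erasure_request") -> bool:
    """Step 5: honour a deletion request and leave an audit entry either way.

    A real deployment would also DELETE the Recording resource through the
    REST API so the media is gone from Twilio, not just from local metadata.
    """
    found = RECORDINGS.pop(recording_sid, None) is not None
    _audit("recording_deleted" if found else "delete_not_found",
           recording_sid=recording_sid, reason=reason)
    return found


if __name__ == "__main__":
    print(consent_twiml())
    print(consent_response_twiml("1"))
```

Wire consent_twiml to the number's incoming-call webhook, consent_response_twiml to the <Gather> action, and handle_recording_status to the status callback, calling verify_webhook on each request first; the audit log then records every store and every deletion, which is what a GDPR or HIPAA reviewer will ask to see.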
Known gotchas
Two-party (all-party) consent is required in 12 US states and under GDPR — recording without consent exposes you to criminal liability in those jurisdictions.
Twilio call recordings are not PCI compliant by default; PCI Mode must be explicitly enabled in the console — mixing non-PCI and PCI calls on the same account is not recommended.
GDPR requires explicit affirmative consent with a stated purpose — implied consent from a generic announcement is insufficient under strict GDPR interpretation.