IVR Compliance: What Matters Other Than Payment Processing


Most online resources about Interactive Voice Response (IVR) compliance only focus on the Payment Card Industry Data Security Standard (PCI DSS).

That’s usually a mistake, as they’re ignoring other requirements that are equally important for keeping people’s data safe.

While PCI DSS is a must-follow regulation for any company that accepts, transmits, or stores customer credit card information, it’s not the only one you should consider. You also need to account for other security policies and laws to ensure your IVR is legal and protects confidential information.

In other words, your IVR should be compliant with a lot more than just payment processing. Some of the main regulations to consider include the following:

Telephone Consumer Protection Act (TCPA)

The TCPA is a federal law in the United States that regulates telephone solicitations. Enacted in 1991, it aims to protect consumers from unwanted communications and harassment. If your organization uses IVR, you must comply with the TCPA.

In essence, this act makes it illegal for businesses to make robocalls or send pre-recorded telemarketing messages to consumers at any time without their prior express written consent. It covers voice calls, faxes, VoIP calls, and text messages.

How to comply with the TCPA?

To ensure your business complies with the TCPA, you must know its requirements and provisions.

  • You must obtain written consent from consumers before sending auto-dialed marketing calls and texts.
  • You can only call consumers between 8:00 AM and 9:00 PM in the recipient’s time zone.
  • You must provide accurate identification information, like the name of the business or individual making the call.
  • You should have an opt-out or do-not-call IVR option.
  • You shouldn’t call anyone in the national Do Not Call Registry.
  • You should keep an internal do-not-call list and connect your IVR to it.
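The checks above can be enforced mechanically before the dialer places any call. The following is an added example (not code from the original article or from any IVR vendor): a pre-dial gate that combines prior express written consent, the 8:00 AM to 9:00 PM window in the recipient's time zone, the national Do Not Call Registry and the company's internal do-not-call list, plus the hook that connects the IVR's opt-out key to that internal list. The class and function names, the opt-out digit and every phone number are constructed for illustration.

```python
"""Pre-dial compliance gate for an outbound IVR campaign (added example).

Encodes the TCPA requirements listed above as one decision the dialer must
pass before it places a call. Names, sample numbers and the opt-out digit are
constructed for illustration, not taken from any product or regulation text.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo

CALL_WINDOW_START = time(8, 0)   # 8:00 AM, recipient's local time
CALL_WINDOW_END = time(21, 0)    # 9:00 PM, recipient's local time
OPT_OUT_DIGIT = "9"              # constructed: IVR key that adds the caller to the internal list


@dataclass(frozen=True)
class Contact:
    phone: str             # E.164 number, e.g. "+12125550100" (constructed)
    local_tz: tzinfo       # recipient's zone; use zoneinfo.ZoneInfo("America/New_York") in production
    written_consent: bool  # prior express written consent is on file


@dataclass
class DoNotCallLists:
    national: set[str] = field(default_factory=set)  # scrubbed copy of the national DNC registry
    internal: set[str] = field(default_factory=set)  # numbers that opted out through the IVR


def within_calling_window(now_utc: datetime, local_tz: tzinfo) -> bool:
    """True when the recipient's local clock reads between 8:00 AM and 9:00 PM."""
    local_time = now_utc.astimezone(local_tz).time()
    return CALL_WINDOW_START <= local_time < CALL_WINDOW_END


def pre_dial_check(contact: Contact, lists: DoNotCallLists, now_utc: datetime) -> list[str]:
    """Return every reason the call must not be placed; an empty list means dial."""
    reasons = []
    if contact.phone in lists.internal:
        reasons.append("number is on the internal do-not-call list")
    if contact.phone in lists.national:
        reasons.append("number is on the national Do Not Call Registry")
    if not contact.written_consent:
        reasons.append("no prior express written consent on file")
    if not within_calling_window(now_utc, contact.local_tz):
        reasons.append("outside the 8:00 AM to 9:00 PM window in the recipient's time zone")
    return reasons


def handle_opt_out(lists: DoNotCallLists, phone: str, digit: str) -> bool:
    """Connect the IVR's opt-out key to the internal list; True if the number was added."""
    if digit != OPT_OUT_DIGIT:
        return False
    lists.internal.add(phone)
    return True


def sample_run() -> dict[str, list[str]]:
    """Constructed scenario: 14:30 UTC, one contact at UTC-4 (10:30 AM local),
    one at UTC-7 (7:30 AM local, too early), one on the national registry."""
    now = datetime(2024, 6, 3, 14, 30, tzinfo=timezone.utc)
    eastern_daylight = timezone(timedelta(hours=-4))
    pacific_daylight = timezone(timedelta(hours=-7))
    lists = DoNotCallLists(national={"+12125550199"})
    contacts = [
        Contact("+12125550100", eastern_daylight, True),
        Contact("+13105550100", pacific_daylight, True),
        Contact("+12125550199", eastern_daylight, True),
    ]
    return {c.phone: pre_dial_check(c, lists, now) for c in contacts}


if __name__ == "__main__":
    for phone, reasons in sample_run().items():
        print(phone, reasons or "OK to dial")
```

The gate returns every failing rule rather than the first one, so the campaign log shows exactly which requirement blocked a number; fixed UTC offsets are used only to keep the sample self-contained, and a real deployment should resolve the recipient's IANA zone so daylight-saving shifts are handled.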

Some provisions—like those related to avoiding unsolicited calls and sending pre-recorded messages without explicit consent—only apply to outbound IVR systems rather than inbound ones. This makes sense, of course, because if someone calls you, for example, their consent is sort of implied. 

In other words, with an outbound IVR system the company initiates the communication rather than the customer, so it's the company's responsibility to check every single box.

What are the consequences of not complying with the TCPA?

Non-compliance with the TCPA can result in significant penalties, including fines and lawsuits. These fines range from $500 to $1,500 per violation.

However, failing to follow TCPA requirements doesn’t just come with monetary sanctions. It also comes with potential damage to your company’s reputation. 

For example, if your company is known for calling numbers on the national Do Not Call Registry, it could lead to negative publicity, loss of customer trust, and less business.

Call Recording Compliance

If you want to record calls with your IVR system, you must comply with call recording laws. These laws differ depending on the country or state in which your business is located, as well as the location of the recipient of your call. Knowing how these regulations work is particularly important when using Smart and Conversational IVRs.

In most U.S. states, you must inform parties that you’re recording a call. Some states require consent from all parties involved in the call, while others only require consent from one.

One-party consent states—38 states and the District of Columbia—require only one participant in the call to be aware of and consent to the call being recorded.

For example, if both your business and the person you’re calling are in one-party consent states, you are the only one who has to consent for the recording to be lawful. The customer doesn’t need to agree before you can start recording.

The remaining dozen two-party consent states require all parties engaged in the conversation to consent to call recording. These are California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Nevada, New Hampshire, Pennsylvania, Vermont, and Washington.

Keep in mind that there may be intricacies to each state’s individual laws, so it’s best to consult with an attorney in your state to ensure your business complies with the latest legislation.

How to comply with call recording laws?

Besides verifying whether your company is located in a one-party or two-party consent state, you need to configure your IVR to comply with the law.

When a call is transferred to a live agent, it's good practice to inform the customer that the call will be recorded by playing a pre-recorded message and giving them time to acknowledge that the recording will take place.

Here’s an example of a message you can use:

“Please note that this call may be recorded for quality assurance purposes. Press 1 to consent to the recording, or press 2 to decline. Your choice will not affect the assistance we provide.”

These messages are even recommended for businesses in one-party consent states, though many of them will proceed without providing the option to turn off the recording. While the company doesn’t necessarily need the customer’s approval, it demonstrates good ethical conduct and respect for privacy. 
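Put together, the configuration step looks like the following. This is an added example, not code from the original article or from any IVR product: it takes the state of the business and the state of the customer, applies the all-party rule whenever either side is in one of the two-party consent states listed above (a conservative assumption made here, not a statement of the law), plays the notice quoted above in every case, and only starts the recorder when the rules allow it. The class and function names are constructed, and the state list is the article's own; the intricacies of individual state laws the article mentions are outside what this code decides.

```python
"""Recording-consent step for an IVR, run before the handoff to a live agent
(added example). The state set is the article's list; treating the call as
all-party when either side is in an all-party state is a conservative
assumption. Names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Two-party (all-party) consent states, as listed in the article.
ALL_PARTY_CONSENT_STATES = {
    "CA", "CT", "DE", "FL", "IL", "MD", "MA", "MI", "NV", "NH", "PA", "VT", "WA",
}

# The notice quoted in the article, played before any recording starts.
CONSENT_PROMPT = (
    "Please note that this call may be recorded for quality assurance purposes. "
    "Press 1 to consent to the recording, or press 2 to decline. "
    "Your choice will not affect the assistance we provide."
)


@dataclass(frozen=True)
class RecordingDecision:
    record: bool            # whether the recorder may be started for this call
    consent_required: bool  # whether all-party rules applied
    reason: str             # audit-log text explaining the outcome


def consent_required(business_state: str, customer_state: str) -> bool:
    """All-party rules apply if either party is in an all-party consent state."""
    return (business_state.upper() in ALL_PARTY_CONSENT_STATES
            or customer_state.upper() in ALL_PARTY_CONSENT_STATES)


def recording_decision(business_state: str, customer_state: str,
                       dtmf: Optional[str]) -> RecordingDecision:
    """Decide after CONSENT_PROMPT has played; dtmf is the key pressed, None on timeout.

    The notice is played in every case, which the article recommends even
    where one-party rules apply. When consent is required, anything other
    than a clear "1" (a "2", a wrong key, or silence) leaves the recorder off.
    """
    required = consent_required(business_state, customer_state)
    if not required:
        return RecordingDecision(True, False, "one-party jurisdiction; notice played, recording on")
    if dtmf == "1":
        return RecordingDecision(True, True, "customer pressed 1; consent captured")
    if dtmf == "2":
        return RecordingDecision(False, True, "customer pressed 2; call continues unrecorded")
    return RecordingDecision(False, True, f"no valid consent (input={dtmf!r}); recording off")


if __name__ == "__main__":
    print(CONSENT_PROMPT)
    # Constructed call scenarios: (business state, customer state, key pressed)
    for biz, cust, digit in [("TX", "TX", None), ("TX", "CA", "1"),
                             ("CA", "TX", "2"), ("CA", "NY", None)]:
        d = recording_decision(biz, cust, digit)
        print(f"{biz}->{cust} key={digit!r}: record={d.record} ({d.reason})")
```

The decision object carries a reason string so that the outcome of every consent prompt can be written to the call's audit record; a timeout or unexpected key fails closed, because an unrecorded call is recoverable while an unlawful recording is not.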

What are the consequences of not complying with call recording laws?

Not following call recording compliance can have severe repercussions for your business, including civil and criminal penalties.

For example, customers can sue you for damages due to invasion of privacy or emotional distress. Also, in some states, breaking recording laws can result in financial fines and even jail time. 

Once again, noncompliance can also incur reputational damage and negative publicity, which can impact your company’s public perception, customer loyalty, and bottom line. 

Industry-Specific Regulations

When complying with IVR regulations, you may need to adhere to certain requirements that affect your business’s particular niche or sector. 

For example, if you run a business in the healthcare industry, you must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA is a federal law that requires patient health information to remain confidential and to be disclosed only with permission. In other words, you can’t share patients’ private data without their knowledge or consent.

Another industry-specific example of IVR compliance is the Gramm-Leach-Bliley Act (GLBA), which is a federal law that affects financial businesses. It requires any financial institution to disclose how it shares and protects private customer information. For example, if a bank IVR collects and shares data with internal teams or a third party, that information must be disclosed to customers.

How to comply with industry-specific regulations?

Complying with industry-specific regulations depends on what your business is all about. For example, the laws that an ecommerce company needs to stay compliant with are not all the same as the ones required for a travel and hospitality company.

HIPAA, for example, would apply to a dermatological clinic that uses a Voice over Internet Protocol (VoIP) phone system to make and receive patient calls. In this case, the clinic would need to use a HIPAA-compliant VoIP service.

Complying with HIPAA means that all the information shared in a doctor-patient interaction via VoIP is protected via encryption, which is one of the best methods to prevent data leaks.

Among other requirements, a HIPAA-compliant VoIP service also ensures that only authorized personnel can use the system and that all interactions are recorded and stored so they can be checked for compliance.

A financial company looking to remain compliant with the GLBA law, on the other hand, may want to add a pre-recorded message to its IVR, stating that customer data will be collected and shared.

This is an example of a message you can use:

“Thank you for calling [Financial Institution Name]. This call may be recorded or monitored for quality assurance and compliance with the Gramm-Leach-Bliley Act. Please note that your personal information is protected under our strict privacy policies and will only be used for authorized purposes.”

When customers hear this statement, they instantly know their information is secure and that the interaction with their financial institution complies with the law. 

What are the consequences of not complying with industry-specific regulations?

The consequences of not complying with industry-specific regulations depend on your industry and the specific laws surrounding it.

For instance, not complying with HIPAA can lead to fines anywhere from $1,000 to $50,000 per incident and up to $1.5 million annually.

Not following the GLBA, meanwhile, can result in financial institutions paying fines of up to $100,000 per infraction, and individual officers and directors can personally be fined $10,000. In extreme cases, sanctions could result in imprisonment for up to five years.

Generally speaking, the HIPAA and the GLBA are among the strictest industry-specific regulations, especially compared to other laws like the TCPA. In any case, if your business needs to comply with any industry-specific rules, it behooves you to make sure your IVR is prepared.

IVR is an excellent solution to enhance customer interaction, but it’s imperative that your system complies with the latest laws—which include much more than adhering to payment processing rules like the PCI DSS.

  • If you engage in telemarketing activities or use automated calling systems, you must comply with TCPA regulations to avoid significant legal and reputational consequences.
  • Call recording compliance means you’re obliged to tell customers when you’re recording calls.
  • Industry-specific regulations include requirements such as HIPAA and the GLBA, which you may need to follow for your IVR to be fully compliant.
