Is Your AI Phone System Wiretapping Your Customers?

Mar 10, 2026

Heartland Dental adopted an AI-powered phone system. Now it is defending a federal wiretap suit over how that system handled patient calls.
The claim is not just “this call was recorded.” It is that AI tools transcribed, summarized, and analyzed calls without adequate consent.
The bigger pattern: as companies add AI to ordinary communications, they are colliding with privacy statutes written long before real-time call analytics existed.

Mid-century style illustration showing two businessmen talking on rotary phones at their desks, smiling and relaxed. Between them, a cartoonish robot sits in a small booth wearing headphones, listening to their conversation. The style evokes 1960s magazine illustrations. — They think it’s a private call. The AI in the middle is not so sure.

A dental chain upgraded its phones. Now it’s defending a wiretap lawsuit.

Heartland Dental adopted RingCentral’s AI-powered phone system — transcription, call summaries, scheduling optimization. Nobody asked whether it might be wiretapping their patients.

The Case

In July 2025, a patient sued Heartland Dental and RingCentral in federal court, claiming that RingCentral did not have proper consent to capture and transcribe patient calls in real time.

In January 2026, the court dismissed the complaint. The court ruled that AI transcription was “core” to RingCentral’s phone product and so fell within ECPA’s “ordinary course of business” exception. The court also ruled that any improvement to the AI was “incidental” to providing the service, not a separate business purpose.

But in February, the plaintiff filed an amended complaint with a sharper theory: the AI tools are optional add-ons, not core phone functions, and RingCentral’s use of patient call data to train its models is a separate business purpose.

Courts are not yet aligned on this. The Heartland court took a broad view of what counts as “ordinary course of business.” But the same two arguments — that AI features are optional add-ons, not core services, and that model training is a separate business purpose — are being tested elsewhere, and at least one court has let those claims proceed.

The Pattern

The same theory is showing up across the country. Still too early to say whether courts will agree on the answer.

Galanter v. Cresta Intelligence — AI call-analysis tools used in customer service challenged as unlawful interception. The case settled before the court ruled.
In re Otter.AI Privacy Litigation — AI meeting transcription challenged where non-account participants allegedly did not consent. A motion to dismiss is pending.
Ambriz v. Google — a California court denied Google’s motion to dismiss claims that its Cloud Contact Center AI wiretapped customer service calls.

The common thread is simple: a company deploys a tool that records, transcribes, summarizes, or analyzes conversations, and a plaintiff argues that the tool is doing more than the law allows.

What to Ask

Before deploying AI tools that process live conversations, ask:

Does our phone system’s disclosure mention AI processing and model training — or just “quality assurance”? The standard language most companies use was written before these tools existed. “This call may be recorded for quality assurance” probably does not cover real-time AI transcription and sentiment analysis.
Which states’ consent rules apply to the calls we receive? Twelve states require all parties to consent to recording. Your vendor’s terms of service do not substitute for that.
Is the vendor using call data only to provide the service, or also to improve its models? If your vendor uses customer conversations to train its algorithms, that is a separate business purpose — and the “ordinary course of business” defense gets much harder. Ask the vendor directly. Check the contract.

The Point

The risk is not that these tools fail. It is that they work exactly as advertised inside statutes written for a different era.

Go Deeper

Go deeper: The Troutman Pepper team has written a detailed analysis of the ordinary-course-of-business exception as applied to AI call analytics under ECPA.

You can also follow the case directly on CourtListener, courtesy of the (tremendous!!) Free Law Project.

On Our Radar

California wants to pay privacy whistleblowers. A new bill (AB 2021) would let employees report their employer’s privacy violations to California’s privacy agency — and collect 15-33% of any resulting fines. Think SEC whistleblower program, but for data practices.
An AI health company acquired a genetics lab. Now it’s facing a genetic privacy class action. Tempus AI bought Ambry Genetics for $600 million, then allegedly shared patient genetic data with 75 third parties without consent — triggering Illinois’s Genetic Information Privacy Act. Another statute nobody thought applied until it did.
Australia is going after app stores and search engines that distribute AI without age verification. The eSafety Commissioner may compel platforms to block non-compliant AI services, with fines up to A$49.5 million. Notable because they’re targeting the gatekeepers, not the AI developers.

Trying to make sense of all this? I help law firms and companies navigate the legal side of AI implementation. Email me at adam@lawsnap.com or click here to schedule a short, no-pressure call.

Thanks for reading LawSnap by Adam David Long! This post is public so feel free to share it.

LawSnap by Adam David Long

Discussion about this post

Ready for more?