Mic Check: Deploying AI-Powered Transcription Best Practices in Your Organization

The widespread adoption of AI-powered transcription features in video conferencing platforms like Zoom and Microsoft Teams—and their integration into modern iOS and Android operating systems—has introduced new compliance considerations for legal teams. 

While these tools enhance efficiency by generating written transcripts, summaries, and translations, they also create potential risks related to data privacy, confidentiality, retention, and consent. To reduce compliance risks, legal teams must proactively assess how these features are used across the organization. 

Here are some of the most important best practices when it comes to handling AI transcription tools and output:

Review Transcripts: Manually review AI-generated transcripts for accuracy immediately after the meeting. While the accuracy of generative AI technology output has improved significantly, AI-powered transcription features are still not perfect. Correcting mistakes in the initial transcript is essential as inaccuracies are often amplified in summaries and other transcript-based derivative content. 

Label AI-Generated Content: Clearly label all AI-generated transcripts (e.g., “Transcript generated by artificial intelligence”). This label alerts downstream users that the transcript may include hallucinations and/or other inaccuracies. 

Follow Storage/Retention Guidelines: Store transcripts in compliance with all internal data security and data retention requirements. Ideally, all transcripts/derivative content should be stored on existing document management systems in accordance with the organization’s document retention policies. Organizations should prepare for the reality that transcripts/derivative materials may be subject to future litigation holds. Call participants should also remain cognizant of the fact that transcripts are often furnished to all internal and external meeting attendees.

Designate Approved Providers: Carefully screen transcript providers to ensure their practices align with your organization’s internal policies and external regulatory obligations. Once vetted, publish the list of approved providers and appropriately notify employees. Providing employees with approved option(s) reduces the temptation to use unapproved tools/features, particularly on personal devices. Unless retention requirements apply, employees should be instructed to delete transcripts/derivative materials generated on unapproved platforms.

Obtain Required Consent: Many of these features capture live audio that is processed on the provider’s own cloud-based systems to generate transcripts/derivative content. In many instances, this processing activity triggers state “wiretapping” laws. Over a dozen state wiretapping laws, including California, Florida, and Pennsylvania, have “all-party consent” requirements under which every call/meeting participant must agree to be recorded. To ensure compliance, consent should be obtained from all call/meeting attendees when a resident of an all-party consent jurisdiction is participating. To facilitate compliance with these requirements, many providers now offer organizations consent-related tools that account admins can opt to activate by default for all recorded/transcribed meetings.

Disclose When Active: In addition to complying with any applicable recording consent requirements, employees should verbally disclose the name and nature of the feature in use. Microsoft Teams and Zoom provide a visual indicator when these features are active; however, we still recommend providing a verbal disclosure to ensure all participants are aware. In the absence of express written consent, a record of verbal consent should be logged in writing.

Limit Transcription of Sensitive Information: These features should not be used to transcribe meetings that involve the discussion of confidential information, trade secrets, login credentials, HR records, or other sensitive information. Many of these features rely on third-party cloud processing and therefore pose some level of data protection risk. To reduce the risk of transcribing sensitive content externally, do not use AI-powered transcription features during closed sessions of board meetings, job interviews, hiring committee meetings, or security incident response team meetings. 

Watch Out for Privileged Communications: The use of an AI transcription feature may jeopardize attorney-client privilege or other privilege claims that may have otherwise applied. The law is not fully settled on this topic. Privilege is more likely to be considered waived if no confidentiality agreement is in place, transcripts are being processed by a third party, and/or the data is transmitted/stored in an unsecure manner. 

Update Employee Training: Provide employees with regular training that instructs and clarifies when and how these features may be used. When feasible, tailor training and messaging to ensure that higher-risk users (e.g., legal and human resources personnel) are aware of the potential pitfalls.

Validate Compliance: Organizations should not assume that all providers of AI-powered transcription features are processing their data in a fully compliant manner. Organizations should ensure that the contracts governing the provision of these features adequately address all relevant regulatory obligations. Furthermore, when third-party storage is in scope, organizations should ensure that the relevant agreements address data protection measures and deletion requirements. Finally, in many instances, the settings of these features may need to be configured to ensure contractually agreed upon protections are activated (e.g., many platforms give users the option to disable model training). 

Monitor Regulatory Developments: Organizations should closely monitor federal and state law developments relevant to their use of AI-powered transcription technology. This includes legal requirements related to call recording consent, data privacy, and the use of AI features generally.

AI-powered transcription features present organizations with a complex array of longstanding and emerging compliance risks. By adopting best practices now, organizations can mitigate these risks and better position themselves for future compliance.