How revenue teams should handle PII, call recordings, and data retention in AI voice and SMS workflows — with regulatory requirements, a compliance checklist, and platform features that help.
Every AI voice call creates a trail of personally identifiable information (PII): names, phone numbers, account details, and sometimes payment or health data. For revenue teams deploying AI agents at scale across insurance, mortgage, healthcare, legal, and financial services, the question is not whether PII is collected — it is how that data is stored, retained, and eventually disposed of in a way that satisfies regulators, customers, and internal security teams.
This guide covers the core regulations governing PII retention, practical steps for keeping AI call data compliant, and how Thoughtly's platform features help teams manage sensitive information without slowing down lead conversion.
AI voice agents process conversations at a volume that human teams cannot match. A single deployment might handle thousands of calls per day across inbound lead follow-up, appointment scheduling, and re-engagement workflows. Each call generates a transcript, a call recording, and structured data — all of which may contain PII such as:
Without explicit retention controls, this data accumulates indefinitely — expanding the breach surface, complicating data subject access and deletion requests, and creating audit liabilities. Regulators across the US and EU have made clear that data minimization and purposeful retention are not optional.
GDPR Article 5(1)(c) and (e) require that personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation), and kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation). For AI call workflows, this means transcripts and recordings should be retained only as long as needed for the documented business purpose — quality assurance, dispute resolution, or regulatory compliance — and then deleted or anonymized. Anonymization only satisfies storage limitation if the data can no longer be linked back to the caller; a transcript with the name removed but the phone number kept is still personal data.
The California Consumer Privacy Act (CCPA), as amended by the CPRA, gives California residents the right to know what personal information businesses collect about them, request deletion of that information, and limit the use of sensitive personal data. AI call recordings, transcripts, and extracted fields are all in scope. Teams operating AI voice agents for California residents need processes to surface and fulfill access and deletion requests within 45 days of receipt (extendable once by a further 45 days if the consumer is notified).
The FTC's Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to develop, implement, and maintain a written information security program to protect customer information. The FTC rule covers non-bank financial institutions such as mortgage lenders and brokers, financial advisors, and debt collectors that use AI voice agents; insurance carriers are subject to parallel GLBA safeguards enforced by state insurance regulators. Covered institutions must designate a qualified individual to oversee the program, conduct written risk assessments, and implement access controls, multi-factor authentication, encryption, and secure disposal practices.
The HIPAA Privacy Rule requires covered entities and their business associates to limit uses, disclosures, and requests of protected health information to the minimum necessary amount needed to accomplish the intended purpose. For AI voice agents handling healthcare intake or insurance verification, this means collecting only the health data required for the specific workflow — not capturing a full medical history when scheduling an appointment.
All 50 US states have data breach notification laws that require organizations to notify affected individuals when personal information is compromised. Several states — including New York (SHIELD Act), Massachusetts (201 CMR 17.00), and Texas (Identity Theft Enforcement and Protection Act) — also impose affirmative data protection standards that apply to PII collected through voice and SMS channels. These laws typically require reasonable administrative, technical, and physical safeguards, encryption of personal information transmitted over public networks or stored on portable devices, and disposal of records once they are no longer needed for a business purpose.
The Telephone Consumer Protection Act (TCPA) and related FCC rules require organizations to obtain, and be able to prove, prior express consent for telemarketing calls and SMS messages, which in practice means retaining consent records. The TCPA itself does not mandate a retention period, but TCPA claims carry a four-year statute of limitations, so common practice is to retain consent records for at least four years. AI voice platforms that auto-capture consent at the start of a call should ensure those records are preserved for the full retention window and are not swept up by the shorter deletion schedule applied to recordings and transcripts.
Use this checklist to evaluate your AI voice and SMS data handling practices across the full call lifecycle:
| Category | Requirement | Implementation tip |
|---|---|---|
| Data minimization | Collect only PII needed for the specific call purpose | Configure agent prompts to request necessary fields only; avoid open-ended questions that elicit extra PII |
| Consent capture | Record consent at call start before collecting PII | Use a verbatim compliance line in the Start node; store consent timestamp and call metadata on the contact record |
| Encryption in transit | All PII transmitted over encrypted channels | Verify TLS 1.2+ on all API endpoints, webhooks, and carrier connections |
| Encryption at rest | Stored call recordings, transcripts, and extracted fields encrypted | Confirm your platform encrypts stored data; verify key management practices |
| Access controls | Restrict access to call data on a need-to-know basis | Use role-based access; limit transcript/recording access to QA, compliance, and authorized agents |
| Retention schedule | Define and document retention periods by data type | Set retention limits for recordings, transcripts, and contact attributes; automate deletion or anonymization |
| Subject access requests | Process deletion and access requests within statutory deadlines | Build a workflow to locate and export/delete a contact's data across call logs, transcripts, and CRM |
| Vendor due diligence | Ensure sub-processors handle PII per your policy | Review BAAs, DPAs, and sub-processor lists; verify SOC 2 or equivalent certifications |
| Breach response | Document incident response procedures for call data | Maintain an incident response plan covering call recordings, transcripts, and extracted PII |
| Disposal verification | Confirm deleted data is irrecoverable | Verify deletion across primary storage, backups, and any integrated CRM or analytics tools; where snapshot backups cannot delete individual records, document the snapshot rotation period as the effective deletion date |
Thoughtly's platform includes features that help teams implement PII-conscious workflows without sacrificing lead conversion speed or coverage. These capabilities should be verified against your specific compliance requirements and configured during deployment.
Thoughtly distinguishes between Metadata (short-lived, per-call context) and Attributes (persistent facts stored on the contact record). This separation lets teams control what PII persists across calls versus what stays in a single call session. As a best practice, Thoughtly's documentation advises: do not store PII you do not need, and do not rely on Metadata to be available on future calls.
Thoughtly's Start node supports verbatim compliance lines — spoken exactly as written — which is ideal for consent disclosures at the beginning of a call. The platform's consent mode and suppression list features enforce opt-outs across voice, SMS, and email channels. Suppression entries can be created manually, via keyword opt-out, or through automation workflows, and they record the identifier, channel, reason, source, and timestamp.
All Thoughtly CRM and tool integrations — including Salesforce, HubSpot, Zoho, Pipedrive, and others — use scoped OAuth tokens that can be revoked at any time. Call recordings, transcripts, and data passed to integrations are encrypted in transit and at rest. Thoughtly is SOC 2 Type II certified and HIPAA-ready, with alignment to GLBA and FINRA controls for financial services workflows.
Thoughtly's automation engine routes call outcomes, transcripts, and extracted data to your CRM or downstream tools via webhooks and native integrations. Teams can control which fields are written back — for example, writing a lead qualification outcome and next step to Salesforce without transferring the full transcript. This helps enforce data minimization by limiting what PII leaves the call platform.
Thoughtly's quiet hours controls prevent outbound calls and messages during restricted time windows, aligned with TCPA and state-level calling time restrictions. This reduces the volume of PII collected during non-compliant hours and demonstrates operational discipline to auditors.
AI agents are conversational and can elicit information beyond what the specific use case requires. A mortgage intake call does not need a full Social Security number spoken aloud — a last-4 confirmation may suffice for pre-qualification. Configure prompts and outcomes to capture only the fields the downstream workflow actually uses.
Many teams enable call recording by default and never set a deletion schedule. Recordings are the most PII-dense artifact in any AI call workflow — they may contain names, addresses, account numbers, and verbal authorizations. Define a retention period based on your regulatory requirements (typically 90 days to 7 years depending on industry) and automate deletion.
Pasting full call transcripts into free-text CRM fields makes PII difficult to locate, redact, or delete when a subject access request arrives. Instead, store structured call outcomes (qualification status, next step, appointment time) in defined CRM fields, and keep transcripts in the call platform where retention controls can be enforced.
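The three points above (write back only the fields the CRM workflow uses, reduce a spoken SSN to its last four, and never let a raw transcript land in a free-text CRM field) come together at the moment the write-back payload is built. The following is an added example in Python, not Thoughtly's code or schema: the field names, the allowlist, and the sample call result are all constructed for the illustration. It allowlists structured outcome fields, derives `ssn_last4` from any full SSN the agent captured anyway, and scrubs card numbers (confirmed with a Luhn check so phone numbers and reference IDs are left alone) and SSNs out of the one free-text note field that is allowed through.

```python
"""Data-minimizing CRM write-back.

Added example, not Thoughtly's code or schema. Builds the payload that leaves
the call platform for the CRM: only allowlisted structured outcome fields pass
through, a captured SSN is reduced to its last four digits, and free-text note
fields are scrubbed of card numbers (Luhn-validated) and SSNs. The field names
and the sample call result are constructed for this example.
"""
import re
from typing import Any

# Fields the downstream CRM workflow actually uses (assumed schema).
# Transcript, recording URL and raw SSN are deliberately absent: they stay in
# the call platform, where retention controls apply.
CRM_ALLOWLIST = {
    "contact_id", "qualification_status", "next_step",
    "appointment_time", "consent_timestamp", "agent_notes",
}
FREE_TEXT_FIELDS = {"agent_notes"}

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# 13-19 digit runs with optional space/dash separators; confirmed with Luhn
# before redaction so that phone numbers and reference IDs are left alone.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_free_text(text: str) -> str:
    """Replace card PANs and SSNs in free text; keep the SSN last four for matching."""
    def pan_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[CARD REDACTED]" if luhn_valid(digits) else m.group(0)

    text = PAN_RE.sub(pan_sub, text)  # PANs first so SSN_RE cannot bite into them
    return SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", text)


def build_crm_payload(call_result: dict[str, Any]) -> dict[str, Any]:
    """Allowlist, redact, and derive: this is the only PII that leaves the platform."""
    payload: dict[str, Any] = {}
    for key, value in call_result.items():
        if key not in CRM_ALLOWLIST:
            continue
        if key in FREE_TEXT_FIELDS and isinstance(value, str):
            value = redact_free_text(value)
        payload[key] = value
    # If the agent captured a full SSN despite the prompt, pass on only the last four.
    if "ssn" in call_result:
        payload["ssn_last4"] = re.sub(r"\D", "", call_result["ssn"])[-4:]
    return payload


# Constructed sample call result (not real data).
SAMPLE_CALL_RESULT = {
    "contact_id": "c_1001",
    "qualification_status": "qualified",
    "next_step": "transfer_to_loan_officer",
    "appointment_time": "2025-03-04T15:00:00Z",
    "consent_timestamp": "2025-03-03T18:21:07Z",
    "ssn": "123-45-6789",
    "transcript": "[full transcript with address and account numbers]",
    "recording_url": "https://example.invalid/recordings/c_1001",
    "agent_notes": "Caller read card 4111 1111 1111 1111 and SSN 123-45-6789; "
                   "call back on 555-123-4567.",
}

if __name__ == "__main__":
    print(build_crm_payload(SAMPLE_CALL_RESULT))
```

The callback phone number is intentionally left in the note because contact details are part of the stated purpose of the call; the allowlist is the control that decides what is in scope, and the redaction pass is the backstop for PII that was spoken into a field it should never have reached.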
Inbound AI calls are not exempt from consent requirements. If the call is recorded, all-party consent states (often called two-party consent states; California is one) require that every participant be told the call is being recorded. If PII is collected, the caller should be informed. Configure the Start node with a brief compliance line — for example, 'This call may be recorded for quality and training purposes' — and ensure it plays before any data collection begins.
Regulators expect organizations to know what data they collect, where it lives, how long it is kept, and who can access it. If your team cannot answer 'How long do we keep call recordings?' or 'Where are transcripts stored?' in an audit, the gap itself is a compliance finding. Document the policy, even if it is simple.
There is no single answer. TCPA consent records are commonly kept for at least four years, matching the four-year limitations period for TCPA claims. Financial services regulations commonly require 5-7 years. HIPAA requires covered entities to retain compliance documentation (policies, procedures, and required records) for six years; retention of the medical records themselves is set by state law. For quality assurance purposes alone, 90-180 days is often sufficient. The key is to document your retention schedule per data type and enforce it with automated deletion.
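The retention-schedule checklist item, the advice to set a deletion schedule for recordings, and the answer above all reduce to the same mechanism: a policy table keyed by data type, a legal-hold exception, and a disposal step that is only marked complete when every store confirms. The following is an added example in Python, not Thoughtly's code; the day counts are illustrative values taken from the ranges discussed in this guide (not legal advice), and the artifacts and stores are constructed in-memory stand-ins for a recording bucket, a snapshot backup, and a CRM copy. It also shows the failure mode the disposal-verification row warns about: a snapshot backup that cannot delete a single record is reported as an incomplete disposal instead of being silently counted as done, and an artifact with no policy raises rather than being kept forever by accident. The same index doubles as a subject-access-request locator.

```python
"""Retention-schedule enforcer with legal hold and cross-store disposal check.

Added example, not Thoughtly's code. Each stored artifact carries a type,
creation time and contact id; a policy table maps type to a retention period
(illustrative day counts, not legal advice). Artifacts under legal hold are
never deleted. Deletion is reported as complete only when every store that
held the artifact confirms removal. Stores are in-memory stand-ins.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative policy: retention in days per artifact type (assumed values).
RETENTION_DAYS = {
    "recording": 90,            # kept for QA only
    "transcript": 180,
    "extracted_pii": 30,        # structured fields pulled from the call
    "consent_record": 4 * 365,  # matches the four-year TCPA limitations period
}


@dataclass
class Artifact:
    artifact_id: str
    kind: str
    created_at: datetime
    contact_id: str
    legal_hold: bool = False


class Store:
    """A system holding artifact copies. Immutable stores (snapshot backups)
    cannot delete individual records and must age out instead."""
    def __init__(self, name: str, ids, immutable: bool = False):
        self.name, self.ids, self.immutable = name, set(ids), immutable

    def holds(self, artifact_id: str) -> bool:
        return artifact_id in self.ids

    def delete(self, artifact_id: str) -> bool:
        if self.immutable:
            return False
        self.ids.discard(artifact_id)
        return True


@dataclass
class RetentionReport:
    deleted: list = field(default_factory=list)
    retained: list = field(default_factory=list)
    held: list = field(default_factory=list)
    incomplete: dict = field(default_factory=dict)  # artifact_id -> stores still holding it


def expiry(a: Artifact) -> datetime:
    # Unclassified data must not be kept forever by accident: fail loudly.
    if a.kind not in RETENTION_DAYS:
        raise ValueError(f"no retention policy for artifact type {a.kind!r}")
    return a.created_at + timedelta(days=RETENTION_DAYS[a.kind])


def enforce_retention(artifacts, stores, now: datetime) -> RetentionReport:
    report = RetentionReport()
    for a in artifacts:
        if a.legal_hold:
            report.held.append(a.artifact_id)
            continue
        if now < expiry(a):
            report.retained.append(a.artifact_id)
            continue
        for s in stores:
            if s.holds(a.artifact_id):
                s.delete(a.artifact_id)
        # Disposal verification: re-check every store after the delete pass.
        leftovers = [s.name for s in stores if s.holds(a.artifact_id)]
        if leftovers:
            report.incomplete[a.artifact_id] = leftovers
        else:
            report.deleted.append(a.artifact_id)
    return report


def locate_contact_data(contact_id: str, artifacts, stores) -> dict:
    """Subject access request helper: each artifact for the contact and the stores still holding it."""
    return {a.artifact_id: [s.name for s in stores if s.holds(a.artifact_id)]
            for a in artifacts if a.contact_id == contact_id}


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def build_sample():
    """Constructed artifacts and stores (not real data)."""
    artifacts = [
        Artifact("rec_1", "recording", utc(2025, 1, 15), "c_1001"),          # 137 days old: expired
        Artifact("rec_2", "recording", utc(2025, 5, 10), "c_1002"),          # 22 days old: keep
        Artifact("tr_1", "transcript", utc(2024, 11, 1), "c_1001"),          # 212 days old: expired
        Artifact("consent_1", "consent_record", utc(2022, 1, 1), "c_1003"),  # under four years: keep
        Artifact("rec_3", "recording", utc(2024, 12, 1), "c_1004", legal_hold=True),
        Artifact("pii_1", "extracted_pii", utc(2025, 4, 1), "c_1002"),       # 61 days old: expired
    ]
    stores = [
        Store("primary", {"rec_1", "rec_2", "tr_1", "consent_1", "rec_3", "pii_1"}),
        Store("backup-snapshot", {"rec_1", "rec_2", "rec_3"}, immutable=True),
        Store("crm-copy", {"tr_1"}),
    ]
    return artifacts, stores


def run_sample():
    artifacts, stores = build_sample()
    report = enforce_retention(artifacts, stores, NOW)
    return report, locate_contact_data("c_1001", artifacts, stores)


if __name__ == "__main__":
    print(run_sample())
```

Running it on the sample data deletes the expired transcript and extracted fields, keeps the young recording and the consent record, skips the recording under legal hold, and flags `rec_1` as still present in the snapshot backup, which is exactly the item to carry into your documented disposal schedule as "gone after the next snapshot rotation" rather than "deleted".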
GDPR applies when you process personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where your organization is based, and it applies to EU-established organizations whatever the callers' location. If your AI voice agents handle calls from EU callers as part of such an offering — even occasionally — GDPR's data minimization, storage limitation, and individual rights provisions apply. Most US-focused revenue teams are more directly affected by CCPA/CPRA, state breach notification laws, and industry-specific regulations like HIPAA or GLBA.
PCI-DSS applies to any organization that processes, stores, or transmits payment card data. Collecting full card numbers via an AI voice agent creates significant compliance burden, because the recording, the transcript, and any extracted field all become in-scope cardholder data. Most platforms — including Thoughtly — are not PCI-DSS certified for card data storage. Route payment collection to a PCI-compliant processor or use tokenized payment links instead of capturing card details in the conversation; if a card must be taken on the call, pause or mask recording and transcription for that segment so the card number never lands in a stored artifact.
Data minimization means collecting only the personal information needed for the specific purpose of the call. If the goal is appointment scheduling, the agent needs name, contact details, and preferred time — not a full medical history or financial statement. Configure your AI agent's prompts, outcomes, and data extraction fields to capture only what the downstream workflow requires.
Thoughtly maintains a current sub-processor list available on request and notifies customers 30 days in advance of any material changes. This supports vendor due diligence obligations under GLBA, HIPAA, and GDPR. Teams should review the sub-processor list during onboarding and reassess periodically as part of their compliance program.
This article is informational and does not constitute legal advice. Consult qualified legal counsel for compliance decisions specific to your organization.