Twilio provides tools that you can use to programmatically manage communications between your users, including voice calls, text-based messages (e.g., SMS), and chat. Below is a discussion of legal compliance considerations and best practices for using Twilio to manage and record communications between your users, such as when using Twilio Proxy.
If you are not managing communications between your users, but still use Twilio to send or receive communications to or from them, you should consider other potentially applicable legal requirements, such as those imposed by the Telephone Consumer Protection Act, and best practices for providing notice and obtaining consent from your users for these communications.
Notice: The information provided in this post is not legal advice, and Twilio recommends that you consult with your legal counsel to make sure that you are complying with all applicable laws in connection with communications you transmit and receive using Twilio. Ultimately, you are responsible for ensuring that your use of Twilio complies with all applicable laws and regulations. Please also refer to our Terms of Service and Acceptable Use Policy for more information.
Laws Relating to Managing and Recording Communications Between Your Users
There are various laws and regulations in the United States and internationally that may apply to managing and recording communications between your users, including California’s Invasion of Privacy Act and similar laws. These laws may require that you disclose your use of third parties (e.g., Twilio) to manage communications between your users and that you obtain the consent of one or all participants to a communication before recording the communication.
In addition to legal requirements regarding disclosure and consent, there may also be laws governing how you use and secure your recorded communications between your users, depending not only on where your users are located but also on business-sector-specific laws or industry standards.
Determining which laws apply to managing and recording communications between your users can be complicated when participants are in multiple states or countries, or if you cannot be sure about the location of one or more of the participants. For these reasons, it is important to familiarize yourself with the laws and standards that may apply to your specific use case.
Some best practices for managing and recording communications between your users
Getting Consent to Manage and Record Communications: Twilio requires its customers to comply with all applicable laws. Because the consent laws vary and it can be difficult to determine the location of participants to a communication, it is best practice to comply with the strictest consent laws and obtain consent from all participants before managing communications between your users. In doing so, it is best practice when using Twilio Proxy (or a similar service powered by Twilio) to make clear to your users that they are not communicating directly with each other but that their communications are being managed by you and your service provider, Twilio.
If you record phone calls or store user-to-user communications with Twilio, you should also clearly disclose this to your users and obtain consent from all participants before recording or storing the communications. More information on recording phone and video communications can be found here.
It is also best practice, and may be legally required, to respect a participant’s choice if they decline or revoke their consent to receive communications from you or through your service. Twilio tools are available to help you manage consent, as discussed here for SMS and here for Voice. Keeping adequate records of how you obtained consent is also advisable.
The appropriate way to obtain consent will depend on your use case and your relationship to the communication participants being recorded. If you have a contract with your users, it may be appropriate to have them agree in the contract to let you manage and record or store their communications using a service provider (i.e., Twilio). In some situations, the best practice may be to provide a disclosure message to users before they are permitted to send or receive communications that you manage. The right approach for your use case will depend on your specific situation and should be decided in consultation with legal counsel familiar with your business.
Storage, Use and Sharing: You should secure your communication records appropriately based on the level of sensitivity of the information in those records. Information on various security tools can be found in the documentation for the specific Twilio product(s) you use. In addition, you should describe how you plan to use and/or share communication records (or any information derived from them) in your privacy policy, and make sure that you follow both your privacy policy and all applicable laws. Finally, you should not keep recorded communications you do not need. Information on deleting communications can be found in the product documentation.