A recently filed class action lawsuit in San Diego highlights a major risk for any company deploying AI tools that listen, record or summarize customer or patient conversations. On November 26, Sharp HealthCare was hit with a sweeping privacy lawsuit alleging that it secretly used an AI-powered “ambient clinical documentation” tool to record doctor-patient conversations without proper consent. And while healthcare may be the target of this lawsuit, any consumer-facing company using AI voice tools, quality assurance recordings, or conversation analytics engines should take note. This overview covers what happened, why plaintiffs see these cases as high-value opportunities, and six steps your company can take now before your own AI tools become the headline in tomorrow’s class action lawsuits.
Lawsuit Highlights Key Risks of AI Recording Tools
According to the complaint, Sharp deployed an AI vendor in April 2025 to automatically record clinical encounters on clinicians’ devices and generate draft notes for the electronic health record. The lawsuit alleges:
- Sharp did not get consent of all parties before recording confidential doctor-patient conversations, as required by California’s strict wiretap law (CIPA). The plaintiffs claim that ambient AI documentation amounts to wiretapping, even though the vendor never “eavesdrops” in the human sense. Simply capturing audio and sending it outside the organization (even for transcription) is enough to create liability, they argue.
- Medical information (symptoms, diagnoses, medications, treatment plans, personal identifiers) was transmitted to the provider’s cloud system where the provider’s personnel could have accessed the data, in violation of the California Health Information Privacy Act (CMIA).
- False documentation appeared in patient records indicating that patients “had been informed” and “consented” to the AI recording even though they had not done so. The plaintiffs accuse Sharp of failing to use specific verbal consent for the encounter, pre-visit notices, on-screen or auditory indicators that the recording was active, or written authorizations.
- Sharp allegedly told the patient that the seller kept the audio for approximately 30 days and could not be removed immediately upon request.
The complaint seeks statutory sanctions, punitive damages, injunctive relief and a full correction of allegedly inaccurate medical records for a class of up to 100,000 patients.
Why this case matters beyond health care
There are several reasons why businesses across all industries need to pay attention to these disputes.
AI Registration Tools Create Potential CIPA Exposure
CIPA is one of the most plaintiff-friendly wiretapping laws in the country, as you can see from the FP. Map of digital wiretapping disputes. It can provide $5,000 per violation, per call and per recording. That’s why plaintiff companies continue to file lawsuits against retailers, banks, hotel brands, and service providers using call center recording, chatbot summarization, or “voice intelligence” platforms.
AI Vendors Announce Customer Earnings
As more AI vendors publicize their partnerships with major customers (“Over 1,000 vendors use our ambient AI tools”), the plaintiffs’ companies see it as a simple road map. The plaintiffs use the existence of public customer lists as predefined class definitions.
Theories apply to all sectors
The allegations raised in this case (wiretapping, inappropriate disclosure to third-party AI vendors, false or misleading consent statements, retention failures, lack of opt-out, etc.) are exactly the theories we see emerging in other industries. These include:
- Retail Customer Service Records
- Any call to take clients
- Analysis of financial service calls
- Chat/voice systems for hospitality and travel agencies
- Any company piloting “AI-powered note-taking”
6 Practical Steps Businesses Can Take Now
Here are six practical steps you can consider deploying today to minimize the risk of becoming the victim of a class action lawsuit tomorrow.
1. Audit any technology that captures or transmits voice or text during customer interactions
The most common areas we see now include AI note-taking toolswhisper transcription/API tools, “agent assist” or “quality assurance analysis” and virtual agents that record audio or text input. Map where audio goes, who receives it, and how long providers keep it.
2. Implement clear consent protocols
Your business should consider:
- Notice prior to interaction (on websites, intake forms, appointment reminders, IVR prompts)
- Real-time consent at the start of the meeting
- Visible/audible indicators if recording is active
- Separate written authorization if medical or financial information is involved in California
3. Rewrite supplier contracts now
Check if contracts with transcription or AI analytics providers include:
- Customer-controlled retention and deletion
- No secondary use of data (training, quality assurance, model development) without explicit consent
- Immutable logging of accesses and deletions
- Requirements for certificates of destruction
- Prohibiting provider personnel from accessing identifiable records unless specifically authorized
4. Make sure suppliers don’t take liberties
Do not allow your vendor to use your name as a customer or issue a press release about a case study about your company’s use of its AI tool, without consulting your AI legal counsel about the implications. It’s common for companies to call on their marketing and public relations teams when these opportunities arise, but it’s less common for companies to ask the legal department to step in – until the inevitable lawsuit arises. Other times, the vendor relationship manager approves the vendor’s request to list the company as a customer on its website or provide a testimonial without obtaining approval from the legal department. Make sure this doesn’t happen in your organization.
5. Turn off all “consent” autofill by default
If your AI system inserts boilerplate such as “customer consent,” make sure it is turned off. You should aim to require manual confirmation, audit trails, and separation between consent capture and documentation fields.
6. Create a Fast, Verifiable Removal Workflow
The courts increasingly consider deletion on request to be part of the basic rules of privacy, particularly in California. For this reason, companies should be able to immediately interrupt processing, submit a verified deletion request to the provider and provide the customer with written confirmation of deletion.