TCPA Compliance for AI Voice Agents: The Full Breakdown
Date
Jul 16, 26
Reading Time
12 Minutes
Category
AI Voice Agents

TL;DR
- The FCC's February 2024 ruling settled the question: an AI-generated voice counts as a robocall under the TCPA, no matter how human it sounds or who's dialing it.
- The law has flipped direction four times since 2021, from Facebook v. Duguid, which narrowed autodialer rules, to the one-to-one consent rule being vacated, to Bradford v. Sovereign Pest, which allowed oral consent in three states.
- Violations range from $500 to $1,500 per call, with no cap. 2026 settlements against Gen Digital, QuoteWizard, and Albertsons prove that math isn't theoretical.
- You can't outsource the liability. Lamb v. Mortgage One and Lowrey v. OpenAI both show vendors and infrastructure platforms getting named right alongside the marketer.
- Consent runs in two tiers: written for marketing calls; oral or written for informational ones; and an Established Business Relationship, which covers a human rep but not your AI agent.
- Disclosure, opt-out handling, calling windows, and real-time DNC checks are the federal floor. States like Texas, Florida, and Colorado stack more rules on top.
- A defensible deployment runs on system behavior, not paperwork: real-time suppression, audit-ready logs, and consent checks that block a dial outright rather than being reviewed after the fact.
You just shipped an outbound AI voice agent. It's booking appointments, running follow-ups, maybe closing a few deals over the phone. TCPA compliance is somewhere on the roadmap. Below "add more voices." Below "shave 200ms off latency." Filed under someday.
And that's backward.
The Telephone Consumer Protection Act was written in 1991. Congress had auto-dialers in mind, machines blasting the same tape-recorded message to a thousand numbers a minute. Nobody in that room pictured a language model that can hold a real conversation, read a customer's tone, and improvise past the script. But that's the law your outbound AI voice agent has to answer to now.
TCPA compliance for AI voice agents isn't a someday problem. Voice AI regulation doesn't wait for your product roadmap. It's the difference between a working outbound program and a lawsuit that costs more than the product ever made you.
And the reason it applies has nothing to do with how human your agent sounds.
The voice is the trigger, not the dialer
TCPA compliance for AI voice agents comes down to one idea. If a machine generates the voice on the other end of the call, the law treats that call the same way it treats a robocall from 1998. Doesn't matter how the machine works. Doesn't matter what's under the hood.
On February 8, 2024, the FCC settled this with a ruling that most operators still haven't fully absorbed. The Commission classified AI-generated and AI-cloned voices as "artificial or prerecorded voice" under Section 227(b) of the TCPA, the same section that's governed telemarketing robocalls for over three decades.
The ruling doesn't care how the voice sounds. That's the part that trips people up. A flat, robotic text-to-speech voice and a voice that can banter, laugh, and catch sarcasm get treated identically under the TCPA. Production method is what counts, not polish. Real-time generation from a language model, or a voice stitched from prerecorded clips, makes no difference. If a machine makes the sound, you're in TCPA territory.
I get why this feels backward. A more human-sounding voice seems like it should earn you some kind of pass. It doesn't. If anything, a better voice just means more people pick up and stay on the line, which means more calls that need consent sitting behind them.
The FCC was blunt about shutting this loophole before anyone could argue their way around it. Their language, in effect, made clear the statute carves out no exception for technology built to sound like a live agent.
The voice itself is what triggers consent. Not the dialer, not the script, not how human it sounds.
That single fact is the foundation on which TCPA compliance for AI voice agents now rests. It also reshaped how outbound AI agents that make calls must be built. And it quietly killed the defense most teams were leaning on.
A 1991 law, rewritten for AI in three years
Rewind to 2021. The Supreme Court decided Facebook v. Duguid and narrowed what counts as an autodialer, ruling that an ATDS has to store or produce numbers using a random or sequential number generator. Most CRM-based dialers and list-based outreach tools don't do that, so they walked out from under federal autodialer liability, and half the industry breathed a sigh of relief.
That ruling became the excuse. Teams built outbound programs on the theory that a conversational AI voice agent, something that thinks and responds instead of blasting a fixed message, sat outside the old robocall rules. If it's not an autodialer, the thinking went, TCPA compliance doesn't apply.
Then February 2024 happened, and the dialer stopped mattering.
The FCC's ruling made the voice itself the trigger, not the machine dialing it. And regulators haven't stopped moving the goalposts since.
In December 2023, the FCC adopted a one-to-one consent rule, tightening things further. The Eleventh Circuit vacated it in January 2025, days before it was set to take effect, in Insurance Marketing Coalition v. FCC. Then in February 2026, the Fifth Circuit ruled the other way in Bradford v. Sovereign Pest, holding that the TCPA text only requires "prior express consent," not written consent, which makes oral consent enough in Texas, Louisiana, and Mississippi.
2021 to 2023, Feb 2024 to Jan 2025, Feb 2026. Five years, four reversals. That's not a settled body of law. That's a moving target.
The rules keep flipping in both directions, sometimes within the same year. Strict this year, loose the next, then strict again somewhere else. No settling point in sight. The only posture that survives that kind of whiplash is capturing consent at maximum detail, every time, no matter which way the wind blows that quarter.
That's what TCPA compliance for AI voice agents means in practice: architecture that holds up no matter which way voice AI regulation swings next. It has to work the same for inbound and outbound voice AI programs alike, because the next reversal won't ask which one you're running.
None of this matters, though, until you see what one bad campaign costs.
The cost of getting it wrong
Nobody runs this math before they hit send on a campaign.
TCPA violations run $500 to $1,500 per call, with no aggregate cap, calculated on a per-call basis rather than per campaign or per customer.
Run that across a 50,000-record list, and you're looking at theoretical exposure between $25 million and $75 million for one campaign. That kind of number ends companies. It's exactly why TCPA compliance for AI voice agents earns the two extra weeks of engineering time everyone wants to skip.
And 2026 turned this from theoretical into documented.
Filings are up 95% year over year, and aggregate verdicts across the docket have crossed $925 million. This is routine now.
This is the part that changes how buyers should think about vendors. You can't hand off the liability because someone else built the platform.
Lamb v. Mortgage One, filed February 24, 2026, defines its class to reach calls placed by "vendors, lead generators, or agents." Translation: hiring someone else to make the calls doesn't get you out of the room.
Lowrey v. OpenAI, filed in Virginia, names Twilio and OpenAI directly as defendants alongside the marketer running the campaign. Part of the evidence against OpenAI was its own error message, a URL that told the recipient the marketer had run out of credits. But that's the kind of billing and routing control that looks a lot less like a passive API and a lot more like running the calls yourself.
The precedent is clear: shipping an API doesn't exempt you if you retain control over the execution of the outgoing calls.
Expert Tip: Before you sign with any vendor for AI cold calling or outbound voice, ask who owns the consent record for every number on the list. A vague answer becomes your exposure, not theirs.
Every one of these cases traces back to the same failed question, and it's the exact question TCPA compliance for AI voice agents exists to answer at dial time: did we have consent for this number, right now?
Consent is the whole game
Voice AI consent rules get complicated fast, but TCPA compliance for AI voice agents comes down to one question you have to answer before every single call: what kind of consent do you actually have for this number?
Two tiers. Mix them up, and it's the most expensive mistake in this whole space.
This tiered system is the backbone of TCPA compliance for AI voice agents, more than any script or opt-out button. Written consent stays the safer default everywhere else. Bradford only moved the needle in three states, and I wouldn't build a nationwide program betting it holds anywhere beyond them.
Now the misunderstanding that costs people the most money. An Established Business Relationship gets you around the Do Not Call registry, but only for manual calls. It does nothing for your AI voice agent. Your live sales rep can call a customer from 16 months back even if that number's on the DNC list. Your AI agent calling that same person, same relationship and all, still needs separate consent. The voice is what triggers the requirement, not your history with the customer.
But watch for scope creep too. An appointment reminder that drifts into a pitch mid-call just became marketing, and PEC stops covering it right there. This is exactly where lead qualification calls go sideways: a script that wanders from confirming a booking into upselling without anyone noticing.
The safest move is treating every AI call as marketing until proven otherwise, whether that's a clinic confirming an appointment (its healthcare intake numbers are a classic trap) or an insurance agent following up on a quote.
Consent is only the first checkpoint your call flow has to clear before it dials.
The operational rules that quietly sink teams
Nail consent and you've cleared the easy part. TCPA compliance for AI voice agents lives or dies in the mechanics of the call itself, and this is where most builds fall apart.
Start with disclosure. Your agent needs to say, out loud, in the first 30 seconds, that it's AI. One sentence covers most jurisdictions at once. And this part surprises people: calls that disclose upfront tend to complete better than the ones that don't. People stay on the line more when they're not wondering if they're being tricked.
Then there's revocation. The FCC's April 2025 rule killed keyword-only opt-out systems for good. A caller doesn't need to say "STOP" in capital letters. "Please stop calling me" counts just as much, and your system has to catch it, log it, and honor it across every channel within 10 business days. This is one of the most heavily litigated pieces of TCPA compliance for AI voice agents right now.
Mark this date: January 31, 2027. That's when the revoke-all rule kicks in, where an opt-out on one type of call becomes an opt-out from everything you send that number. Build for it now. Retrofitting suppression logic under a deadline is a miserable way to spend a quarter.
Calling windows are easy to get backward too. The 8 am to 9 pm rule runs on the called party's time zone, not yours. A campaign in New York can't legally ring someone in California at 7am their time just because it's already 10am on the East Coast. Some states stack stricter hours on top of that.
DNC scrubbing needs to run in real time, not as a nightly batch job, and this is exactly where voice AI compliance quietly becomes a paperwork exercise rather than a live system. Numbers get added to registries daily, so a batch from last night is already stale by lunch. The Reassigned Numbers Database gives you a safe harbor here. Query it before you dial, and you're covered even if the data turns out to be wrong.
Last one, and it's sneaky: the two-second dead air rule. If your speech-to-text or your model takes too long to respond after someone says hello, that's technically call abandonment. That makes voice agent latency a legal requirement, not just a nice-to-have for the user experience. I'd treat sub-second response time as non-negotiable, not an optimization for later.
Expert Tip: A line like "This call uses an AI voice, and this call may be recorded. Is now a good time?" covers your recording consent obligation and your AI disclosure obligation in one breath, and it belongs in the first line of every call script, not buried in a guardrail nobody reads.
And all of that is just federal. Cross a state line, or a border, and the list gets longer.
The state and international patchwork
Federal TCPA compliance for AI voice agents sets the floor. States keep stacking rules on top of it, and some go a lot further than the FCC ever did.
Texas got there first with SB 140, requiring AI voice disclosure within the first 30 seconds. TRAIGA followed, tightening things further for regulated industries. Florida went even stricter, demanding written consent that specifically names AI use. A generic marketing disclosure won't cut it there.
Colorado's the one to watch closest. Its new ADMT framework replaces the old SB 24-205 and covers insurance, lending, healthcare, and a few other sectors. If your voice agent qualifies leads or influences a lending or coverage decision, you owe a point-of-interaction notice, a 30-day adverse-outcome notice if things go against the caller, and three years of records proving both.
Then there's the one most teams miss completely: BIPA. Illinois treats a voiceprint as a biometric identifier, same bucket as a fingerprint, and violations run $1,000 to $5,000 each with a private right of action attached. May 2026 brought a wave of class actions against Adobe, Google, ElevenLabs, Meta, and Samsung over exactly this. If your agent does any voice based caller authentication, keep that data pipeline on its own standalone consent, separate from your calling consent.
Recording adds another layer. Some states need consent from both parties before you can record a call, others only need it from one side. Get that wrong, and the recording meant to protect you in a dispute becomes Exhibit A against you instead.
Cross a border, and you add GDPR obligations too. The UK runs calls through PECR, the ICO, Ofcom, and TPS screening. The EU AI Act adds a transparency duty for any call that reaches an EU resident, regardless of where you're dialing from.
I won't pretend every state's mini-TCPA fits into one voice AI compliance rundown. It doesn't. What matters here is the shape of the trend, not a checklist of fifty states.
Knowing every rule on this list is worthless if your architecture running multilingual calls can't enforce TCPA compliance for AI voice agents at the volume you're dialing.
What a defensible deployment actually looks like
Strip away the case law and the state overlays, and TCPA compliance for AI voice agents comes down to six things a call has to get right before it goes out. Build these into your voice AI stack and most of what we've covered so far takes care of itself.
The compliant call checklist
1. Documented consent tied to that exact number, not the list it came from
2. Real-time suppression spanning every channel, not just the dialer
3. AI disclosure delivered in the opening seconds, every single time
4. Calling hours and frequency limits enforced automatically, not reviewed by hand
5. Free-form opt-out recognition, with the revocation propagating everywhere at once
6. Audit-ready records held for four to seven years
None of these are policy documents sitting in a drive somewhere. They're system behavior. This is what TCPA compliance for AI voice agents actually looks like once it's built into the pipeline instead of written up after the fact.
A pre-dial consent check should query the record before the call fires and refuse the dial outright if nothing valid comes back. No consent, no ring. Suppression needs to run as a sub-50 millisecond allow or deny check, not an overnight batch someone kicks off before coffee. A verbal opt-out on a Tuesday afternoon call has to hit your suppression list in seconds, not by end of day.
Then there's the attestation layer, which gets skipped constantly.
Expert Tip: Most CPaaS platforms hand you B-level STIR/SHAKEN attestation by default. A-level, where the carrier has actually verified you own the number you're dialing from, completes more calls and keeps your abandonment math honest. When a chunk of calls get blocked before they connect, your abandonment rate skews on numbers you never even reached. Push your carrier on this specifically. Don't assume it's handled.
Every call also needs an immutable log. Consent citation, full transcript, any revocation event, all encrypted at rest, with PII and PHI redacted anywhere it touches sensitive data. Your monitoring setup should track abandonment continuously, not reconstruct it after a regulator asks for it.
And none of this holds up if it can't run at the volume you actually dial at. Scaling a voice agent program means scaling every one of these six checks alongside the call volume, not bolting them on after.
Which leaves one real decision left. And it's a procurement decision.
Build the compliance layer, or buy infrastructure that already has it
At some point, TCPA compliance for AI voice agents stops being an engineering question and becomes a vendor question. Ask any voice AI platform these and watch how fast they answer.
Is HIPAA covered through a self-service BAA, or does it need a sales call and three weeks of back and forth? Is a current SOC 2 Type II report sitting behind an NDA, ready today? Does the platform redact PII in stored transcripts by default? Can you check consent through a precall API, or does it only get logged after the call already happened? How fast does a revocation actually propagate, and can retention be set per industry?
Vendors who built voice AI compliance in from day one answer each of those in a sentence. The ones who bolted it on later hand you a 40-slide deck and a promise.
Building this consent-first layer yourself is real work, more than most teams budget for going in. If you'd rather have TCPA compliance for AI voice agents built in from the start, that's what our AI voice agent development team does, custom builds with this wired in rather than patched on after a scare. Worth comparing options first either way, here's how the platforms actually stack up.
A few questions people always ask
Is AI cold calling legal in the US?
Not without consent specific to your business. The Feb 2024 FCC ruling pulled AI voices into TCPA's artificial voice framework, so cold dialing without documented consent risks $500 to $1,500 per call, no cap. What most teams call "AI cold calling" should really mean warm outreach to leads who already consented.
Does an existing business relationship cover AI calls to past customers?
No. An EBR gets you around the Do Not Call registry, but only for manual calls. Your AI voice agent still needs separate consent, no matter how long the relationship has run.
Do I need consent for every number on a bought list? Yes, every one. Bought lists rarely carry consent that actually transfers, and co-registration consent that names "partners" generically has become hard to defend in court. No documented consent for a number means cutting it from the campaign.
Do I have to tell people they're talking to an AI?
Several states already require it, and it's smart practice everywhere. Texas requires disclosure inside 30 seconds, and a federal rule is likely coming. Disclosed calls also tend to complete better. People stick around more when they're not left wondering if they've been tricked.
The programs surviving 2026's TCPA compliance landscape for AI voice agents aren't the ones betting on the loosest reading of the law. They're the ones with the tightest documentation.


