AI Calling and TCPA Compliance in 2026: What You Must Have Before You Dial

Why this matters more than ever

The Telephone Consumer Protection Act (TCPA) was passed in 1991. It governs how businesses can call US consumers using auto-dialers and prerecorded messages.

In 2024-2025, the FCC and FTC made several updates that specifically target AI-generated voice calls. The penalties haven't gotten smaller: $500-$1,500 per violation, multiplied by every call.

Hundreds of class-action TCPA lawsuits hit businesses every year. Settlements range from hundreds of thousands to tens of millions of dollars.

If you're running outbound AI calls without compliance, you're betting your business.

---

The core requirements

1. Prior express written consent

For calls to mobile phones using auto-dialers or prerecorded/AI voice, you need prior express written consent from the consumer.

What that means:

• The consumer signed something (digital or physical) explicitly agreeing to receive calls
• The consent is specific (mentions calls, mentions automated calls if applicable, mentions the company)
• Consent is voluntary (not buried in terms of service)

2. Disclosure language

Compliant consent forms typically include:

"By submitting this form, I authorize [Company Name] to contact me at the phone number provided, including via automated technology (auto-dialer or prerecorded/AI voice messages), regarding [products/services]. I understand consent is not a condition of purchase. I can opt out at any time."

3. Time-of-day restrictions

Calls only between 8:00 AM and 9:00 PM in the consumer's local time zone.

Calling at 11 PM = TCPA violation, even if you have consent.

4. Opt-out handling

Consumer must be able to opt out during any call. Honor opt-outs immediately and across systems.

5. Caller ID

Display accurate caller ID. Spoofing is illegal under separate FCC rules.

6. Do-Not-Call (DNC) registry

Don't call numbers on the National DNC Registry without prior express written consent. The DNC list is at donotcall.gov.

---

What's new in 2024-2026 (AI-specific)

FCC declaratory ruling (Feb 2024)

The FCC ruled that AI-generated voice calls are subject to TCPA. They count as "artificial or prerecorded voice."

Implication: AI voice calls require the same prior express written consent as prerecorded robocalls.

FCC AI disclosure rule (proposed/finalized 2024-2025)

Requirement: AI-generated voices must be disclosed in calls. Wording varies by final rule, but expect requirements like:

"This call is using AI-generated voice technology."

This must be communicated near the start of the call.

State-specific rules

• Florida Telephone Solicitation Act (effective 2021, amended 2023): explicit consent required for sales calls; private right of action available
• California: stricter consumer protections; CA AB-2905 limits AI voice calls without disclosure
• Texas, Oklahoma, others: similar consumer protection statutes

If you're calling consumers across multiple states, you need to comply with the strictest state's rules in your call mix.

---

Building compliant consent capture

On forms

Every form that captures phone numbers should include:

☑️ By providing my phone number, I consent to receive calls and texts 
from [Company Name], including AI-generated voice calls and SMS, 
regarding my inquiry. Standard message and data rates may apply. 
I can opt out anytime by replying STOP. Consent is not required for 
purchase. View our [Privacy Policy].

Required:

• Specific to phone calls AND SMS
• Mentions automated/AI technology
• Identifies the company
• Notes opt-out availability
• Notes consent is not required for purchase

Consent capture timestamp

Store:

• Date/time of consent
• IP address (for digital forms)
• Form URL where consent was given
• Exact text of the consent language

This is your legal evidence if challenged.

Pre-existing leads (the migration problem)

If you have a list of leads from before you implemented compliant consent:

• Don't AI-call them. Period.
• Either re-consent them via opt-in form, or use them only for non-auto-dialer outreach (manually-dialed calls might qualify, depending on state)

The upside of starting fresh with compliant consent is you avoid the legal risk of grandfathering in non-compliant data.

---

Operating compliantly

1. Time zone awareness

Your calling system must:

• Track each contact's time zone (geocode by area code or capture on form)
• Restrict calls to 8 AM - 9 PM in their local time
• Not just your office hours — the consumer's local time

2. Opt-out across systems

When a consumer opts out:

• Mark in CRM (don't call again)
• Mark in calling platform (VAPI, Twilio config)
• Mark in SMS platform
• Mark in email platform (different opt-out, but courtesy)

A single opt-out should propagate across all communication channels.

3. DNC scrubbing

Before any outbound campaign:

• Scrub the list against the National DNC registry
• Scrub against state DNC lists where applicable
• Scrub against your internal opt-out list

Tools: PossibleNOW DNC.com (paid service), or free DNC lookup APIs.

4. Caller ID configuration

Display your business name (CNAM) and a number people can call back. Twilio + STIR/SHAKEN attestation helps avoid spam labels.

5. Recording consent

For recorded calls (which AI calling typically is):

• One-party-consent states: only one party (you) needs to consent
• Two-party-consent states (CA, FL, MA, others): both parties must consent

Add at start of call: "This call is being recorded for quality and training purposes. Is that okay?"

In two-party states, you must get an affirmative response.

---

Penalties for violations

• $500 per violation (per call/text)
• Up to $1,500 per willful or knowing violation
• Class action exposure: thousands of plaintiffs joining
• Total settlements: $1M-$50M+ for major violations

Examples of recent TCPA settlements:

• Various major retailers and lenders: $40M+ settlements
• Smaller businesses: $1M-$10M typical class action settlements

For an SMB, a TCPA class action is existential.

---

Building a compliant AI calling system

Pre-call

1. Verify lead has TCPA-compliant consent (timestamp, language, IP)
2. Verify number is not on DNC list (yours or national)
3. Verify time zone allows calling now
4. Verify number isn't on internal "do not call" list

During call

1. Identify yourself and your company
2. Disclose AI nature when asked
3. Record consent for recording (in two-party states)
4. Honor any opt-out request immediately
5. End call if consumer requests

Post-call

1. Log call outcome
2. If opt-out occurred, propagate across all systems
3. Update DNC list internally
4. Maintain logs for 4+ years (typical TCPA statute of limitations)

---

Lower-risk alternatives

If full TCPA compliance feels heavy:

1. Inbound-only

Don't make outbound calls. Only respond when consumers call you. No TCPA exposure.

2. Manual dialing

Manually-dialed calls (not auto-dialed, not prerecorded/AI voice) have lighter TCPA requirements. A human dialing each call manually is generally exempt from many TCPA restrictions.

This eliminates AI calling but is a legitimate alternative.

3. SMS-first outreach with explicit phone opt-in

SMS rules are similar but more workable:

• Capture consent for SMS
• Send SMS first, ask if they want a call
• Only call those who explicitly request a call

This shifts the consent burden — they're asking for the call, not you cold-calling.

---

Working with counsel

This article is general information, not legal advice. For your specific business:

• Consult a TCPA-knowledgeable attorney for your consent language
• Consult on state-specific exposure for your call markets
• Have legal review your processes before launching
• Maintain ongoing legal review as rules change

For a deployment doing 1,000+ AI calls/day, legal review is non-negotiable.

---

My honest take

TCPA compliance feels onerous. It is. It also exists for legitimate reasons — robocalls have plagued consumers for decades.

For SMBs:

• Take it seriously
• Capture proper consent on every form
• Operate within time-of-day and DNC rules
• Build opt-out propagation correctly
• Document everything

This isn't optional infrastructure. It's the foundation for any AI calling deployment.

---

Sources

47 U.S. Code § 227 (TCPA), 47 CFR § 64.1200 (FCC implementing regulations). FCC Declaratory Ruling on AI-generated voice (Feb 8, 2024 Order). Florida Telephone Solicitation Act (FL Stat. 501.059). California Consumer Privacy Act and AB-2905. Settlement amounts from publicly reported TCPA class action settlements (2023-2025). FCC fact sheets at fcc.gov/general/telephone-consumer-protection-act-1991. State-specific consumer protection statutes per each state's official code.

Need help reviewing your AI calling compliance posture? Let's talk. For specific legal advice, consult a TCPA-knowledgeable attorney — I can refer you to several.