Compliance · May 2026

TCPA Compliance for AI Outbound Calls: The 2026 Practical Guide

What the Telephone Consumer Protection Act actually requires for AI-generated calls, what changed in 2024 and 2025, and the practices that keep a B2B outbound program on the right side of the law.

By Kiya GoreMay 8, 202610 min read

This is not legal advice. TCPA interpretation is unsettled and fact-specific. Consult qualified counsel before designing a calling program. This guide explains the landscape as of May 2026; FCC rules are subject to change.

The Telephone Consumer Protection Act is 35 years old and was written for fax machines. It has been continuously interpreted, re-interpreted, and amended to cover technologies that didn't exist when Congress passed it in 1991 — including, most recently, AI-generated voice calls. If you're running outbound phone campaigns in 2026, the TCPA is the law with the most direct teeth: statutory damages of $500–$1,500 per violation, class action exposure, and an FCC that has made AI calling a stated enforcement priority.

Here is what the statute actually says, where the current interpretation stands for B2B use cases, and what a compliant outbound AI program looks like in practice.

What the TCPA prohibits — the baseline

The TCPA's core prohibition is on using an automatic telephone dialing system (ATDS) or a prerecorded or artificial voice to call or text a telephone number without prior express consent. The statute carves out different consent standards for different call types:

  • Informational calls to landlines: Prior express consent required.
  • Telemarketing calls to landlines: Prior express written consent required (higher bar).
  • Calls to cell phones using ATDS or prerecorded voice: Prior express consent required for informational; prior express written consent for telemarketing.
  • Calls to numbers on the National Do Not Call Registry: Prohibited unless the recipient has an established business relationship with the caller or has given written consent.

How AI voice calls fit into this framework

The FCC confirmed in early 2024 that AI-generated voices used in phone calls constitute "artificial voices" under the TCPA. This was largely expected — the statutory language always covered any call using a voice other than a live human — but the explicit ruling closed a loophole some vendors had been exploiting by arguing their AI was sufficiently "conversational" to not qualify.

The practical consequence: any outbound call made with an AI voice, to any number, to any person, for any purpose that could be characterized as telemarketing, requires prior express written consent if calling a cell phone.

The definition of "telemarketing" under the TCPA is broader than most sales teams assume. It covers not just direct sales pitches but any call that encourages the recipient to purchase, rent, or invest — which includes meeting-booking calls, product-availability calls, and demo-scheduling calls in most courts' readings.

The B2B exemption: what it is and what it isn't

Here is the most commonly misunderstood aspect of TCPA compliance in the sales context. There is no categorical "B2B exemption" in the TCPA. The statute applies to phone numbers, not to the nature of the call recipient's employer.

What does exist: an FCC ruling that calls to "business lines" — numbers registered to a business, answered by a business — carry lower TCPA risk because they are less likely to be personal cell phones subject to the statute's heightened protections. But if you're calling a contact's direct mobile number (which is the overwhelming majority of modern outbound sales calls), the cell phone provisions apply regardless of the fact that you reached them in their capacity as a business person.

The practical rule: Assume any mobile number you dial is covered by TCPA's full cell-phone provisions. The burden of proving a number was a "business line" in any enforcement action or litigation falls on you.

What "prior express written consent" requires

For calls that require the written consent standard (telemarketing to cell phones, which covers most B2B outbound), the FCC requires consent that:

  • Is signed (digital signature accepted; a checkbox on a web form qualifies if the disclosure language is clear)
  • Clearly authorizes the specific company doing the calling — you cannot use a lead's consent given to a third-party data vendor unless the consent specifically names you or a sufficiently described category of callers
  • Discloses that consent is not a condition of purchase
  • Describes the content of the calls being authorized
  • Provides a phone number or method of contact for opt-out

The 2024 FCC AI-voice ruling added a further requirement specific to AI-generated calls: the consent disclosure must specifically disclose that calls may be made using artificial intelligence voice technology. Generic "we may contact you by phone" language is insufficient.

The established business relationship (EBR) defense

Calls to people with whom you have an existing business relationship — a prior purchase, a service inquiry, a signed contract — are treated more permissively for Do Not Call Registry purposes. An EBR allows you to call a number on the DNC Registry for up to 18 months after a transaction or 3 months after an inquiry.

The EBR defense does not eliminate the requirement for consent to use an ATDS or artificial voice to call a cell phone. These are separate statutory provisions. EBR addresses the DNC Registry restriction only. This distinction matters especially if your outbound program includes AI-led lead qualification calls — the qualification purpose doesn't change the consent requirement on the cell phone provision.

What a compliant AI outbound program looks like

For inbound-sourced leads (web form, ad click, product inquiry)

This is the lowest-risk scenario. The lead has already engaged with your property. To be clean:

  • Your consent language on the form must explicitly mention AI voice calls and name your company
  • Consent must be unchecked by default (pre-checked boxes are consistently held non-compliant)
  • Store the consent record — timestamp, form version, IP address — in your CRM
  • Honor opt-outs immediately; 10-business-day processing window is the maximum under FCC rules

For purchased or rented lists

This is the highest-risk scenario. To use a third-party list for AI voice outbound to cell phones:

  • Obtain written representation from the list vendor that each record includes consent specifically authorizing calls from your company (not just the vendor's clients generally)
  • Understand that vendor indemnification clauses rarely survive a real class action; the liability ultimately lands on the company making the calls
  • Scrub against the National DNC Registry before every campaign, not just at list purchase
  • Maintain your own internal DNC list and honor it for 5 years minimum

For AI-specific disclosures on the call itself

Multiple state laws (California, Illinois, Colorado, and others) require disclosure at the beginning of a call if the call is being handled by an AI. Best practice — and the direction the FCC has indicated it will require federally — is to disclose early in the call that the caller is an AI. This does not require a robotic "this is an automated call" disclaimer. A natural disclosure works: "This is Assay, an AI agent calling on behalf of [Company]. Do you have a few minutes?"

The state law layer

TCPA is federal, but it does not preempt state laws that are more protective. Calling into California means CCPA data-handling requirements. Calling into Illinois means the Biometric Information Privacy Act (BIPA) is in scope if your AI does any voice biometric processing. Florida's Mini-TCPA (FTSA) has a broader ATDS definition that covers some dialers the federal TCPA has been interpreted to exclude post-Facebook v. Duguid.

The practical upshot: design your calling program to comply with the most restrictive state law applicable to your target geography, not the federal minimum.

What Assay does on the compliance side

Our security and compliance page covers this in detail, but the summary: Assay operates on US infrastructure, processes call data under your instructions as data processor, and supports CCPA-compliant data handling workflows. HIPAA-eligible workflows are on the roadmap. We do not offer legal advice about your specific calling program, and we document that limitation explicitly in our terms of service.

What we do that most dialers don't: every call includes a natural early disclosure that the caller is an AI agent. Your script configuration controls the exact wording, but the disclosure is non-optional. This is intentional — it's the right practice, and we expect it will be federally required within the next compliance cycle.

We also maintain internal DNC list support, honor opt-outs within minutes (not the 10-business-day window the law allows), and provide call recording and full transcripts for every conversation so you have the documentation to support your consent records in any audit.

TCPA class actions averaged $6.8M in settlements in 2024 according to WebRecon. The companies in those cases were not necessarily running egregious programs — many were one consent-record gap or one unscrubbbed list away from compliance. The documentation infrastructure matters as much as the substantive practice.

The five things to do before your next AI outbound campaign

  1. Audit your consent records. For every number in your calling list, confirm you have a timestamped consent record that meets the 2024 AI-specific requirements. Numbers without compliant records should be re-engaged through a channel where you can get proper consent, or removed.
  2. Scrub your list against the current National DNC Registry. The registry updates daily; your scrub from six months ago is not current. Subscribe to the registry directly, not through a vendor who may have a lag.
  3. Update your web form consent language to explicitly disclose AI voice contact and name your company. Have counsel review the updated language.
  4. Implement real-time opt-out processing. When a call recipient says "take me off your list," that should propagate to your DNC list before the next campaign batch runs — not at end of day, not weekly.
  5. Document everything. The consent record, the scrub timestamp, the call recording, the transcript, the opt-out timestamp. TCPA litigation turns on documentation gaps, not always on substantive non-compliance.
How Assay handles compliance by default.

AI disclosure on every call, instant DNC processing, full transcripts for your audit record. The infrastructure you need to run outbound without the documentation gap.

Read our security & compliance overview →