Compliance

TCPA Compliance for AI Voice Agents: 2026 Legal & Operational Guide (Texas TCPA, Branded Caller ID, DNC, Recording Across State Lines)

AI voice agents are subject to the same TCPA, DNC, and state-level rules as any other autodialed call — and the FCC is enforcing aggressively in 2026. This guide covers what TCPA actually says about AI calls, Texas TCPA and SB140 specifics, branded caller ID requirements, recording calls across state lines, and how HIPAA-compliant VoIP integrates with TCPA compliance.

Utkarsh Mohan

Published: May 23, 2026

TCPA Compliance for AI Voice Agents: 2026 Legal & Operational Guide (Texas TCPA, Branded Caller ID, DNC, Recording Across State Lines) - Ringlyn AI voice agent blog
Table of Contents

Table of Contents

The fastest way to turn an AI voice agent deployment into a six-figure legal expense is to assume TCPA doesn't apply because 'it's just AI.' It does. The Telephone Consumer Protection Act of 1991 (47 U.S.C. § 227) regulates autodialed calls regardless of whether a human or an AI is on the line, and the FCC's 2024 ruling explicitly confirmed that AI-generated voice calls count as 'artificial or prerecorded voice' under TCPA — triggering the strictest tier of consent requirements.

This guide is the practical compliance reference for teams running AI voice agents in 2026. It covers federal TCPA basics, who enforces it, the federal DNC registry, the layered state rules (Texas TCPA, SB140, Florida FTSA, Oklahoma, Washington), branded caller ID and STIR/SHAKEN attestation, recording phone calls across state lines, and how HIPAA-compliant VoIP integrates with TCPA compliance for healthcare deployments.

This article is general information, not legal advice. TCPA, FCC, FTC, and state telemarketing rules change frequently — including through new rulemakings, court rulings, and stays — and how they apply depends on your specific facts. Nothing here describes a guaranteed legal outcome. Consult a qualified TCPA attorney before launching any AI voice campaign. The penalties for getting this wrong are large enough that legal review is cheap insurance.

Compliance disclaimer

What the TCPA Actually Says About AI Voice Calls

The TCPA (47 U.S.C. § 227) prohibits four specific call types without prior consent:

  • Autodialed calls to cell phones without prior express consent — applies to calls made using an 'automatic telephone dialing system' (ATDS). Statutory damages: $500 per call, $1,500 per willful violation.
  • Artificial or prerecorded voice calls to cell phones without prior express consent — applies regardless of whether the call was placed by ATDS. AI-generated voice falls in this category per the FCC's 2024 ruling.
  • Artificial or prerecorded voice calls to residential landlines for marketing — requires prior express written consent. Non-marketing calls (informational, transactional) require prior express consent (oral or written).
  • Telemarketing calls to numbers on the DNC Registry — independent of consent type, calls to registered DNC numbers for telemarketing purposes are prohibited.

Consent tiers matter. 'Prior express consent' (oral or written) is enough for informational/transactional calls. 'Prior express written consent' (a specific signed agreement disclosing the consent) is required for marketing calls. Most AI voice deployments doing outbound sales need written consent — not just opt-in checkbox language.

The 2024 FCC ruling (FCC 24-17, In re Implications of Artificial Intelligence Technologies on Protecting Consumers from Unwanted Robocalls and Robotexts) explicitly classified AI-generated voice calls as 'artificial or prerecorded voice' under TCPA. This means the higher consent bar applies — AI doesn't get a pass.

Call ScenarioChannelConsent Required (general rule)
Marketing / sales call with AI/artificial voice to a cell phoneOutboundPrior express WRITTEN consent
Marketing / sales call with AI/artificial voice to a residential landlineOutboundPrior express WRITTEN consent
Informational / transactional AI call to a cell phone (e.g., appointment reminder)OutboundPrior express consent (oral or written)
Autodialed (ATDS) non-AI call to a cell phone for marketingOutboundPrior express WRITTEN consent
Autodialed (ATDS) non-AI call to a cell phone, informationalOutboundPrior express consent
Telemarketing call to a number on the National DNC RegistryOutboundProhibited absent written consent or an exemption
Caller dials YOU and requests a callback / books serviceInbound-initiatedConsent generally established by the inbound request (scope-limited)

Consent-type matrix: which tier of consent generally applies by call type. General information only — exemptions and state overlays may change the answer; confirm with counsel.

The single most litigated question in TCPA is whether you had the right kind of consent. There are three tiers, and AI voice marketing calls sit at the strictest end of the spectrum. Getting the tier wrong is the most common way well-intentioned teams end up as defendants.

Prior express consent can be oral or written and generally covers informational or transactional calls — an appointment reminder (see our guide to automated appointment reminder calls with AI), a delivery update, a fraud alert. Prior express written consent is a higher bar: it requires a signed agreement (an e-signature under E-SIGN counts) that clearly authorizes marketing or advertising calls using an autodialer or an artificial/prerecorded voice, and it cannot be a condition of purchase. Because the FCC treats AI-generated voice as 'artificial,' most outbound AI sales calls need this written tier — a buried checkbox or a vague 'we may contact you' clause typically does not qualify.

The FCC adopted a one-to-one consent framework intended to close the 'lead generator loophole,' under which a single consent could be sold to many sellers. The rule's core idea: consent should be specific to one identified seller and logically related to the interaction in which it was given. Its effective date and legal status have been the subject of litigation and delay — in early 2025 a federal appeals court issued a ruling affecting the rule before it took effect, and the FCC adjusted timing. Because the status of one-to-one consent has shifted and may shift again, treat this as a moving target and confirm the current rule with counsel before relying on purchased or shared leads. The durable best practice regardless of the rule's final form: collect consent directly, name your business specifically, and keep the proof.

Established Business Relationship (EBR) Nuances

An established business relationship can create a limited exemption from the National DNC Registry for live telemarketing calls — typically up to 18 months after a purchase or 3 months after an inquiry. But two cautions matter for AI deployments: the EBR exemption does not authorize artificial/prerecorded-voice marketing calls (which still require written consent), and it does not override a consumer's company-specific opt-out. In practice, an EBR rarely gives an AI marketing campaign the cover teams hope it does.

Who Enforces the TCPA: The FCC, the FTC, and Private Plaintiffs

The independent US agency that enforces the TCPA is the Federal Communications Commission (FCC). The FCC has rulemaking authority under TCPA and issues civil penalties for violations. The Federal Trade Commission (FTC) has parallel enforcement authority for the Telemarketing Sales Rule (TSR) and the National Do Not Call Registry, which overlaps heavily with TCPA in practice.

But the most common enforcement path isn't either agency — it's private litigation. TCPA has a private right of action: any individual receiving a violating call can sue for $500–$1,500 per call. Plaintiffs' law firms specialize in TCPA class actions, aggregating thousands of recipients into a single suit. Multi-million-dollar TCPA settlements are common (Capital One $75M, Bank of America $32M, Dish Network $61M).

State attorneys general also enforce TCPA-adjacent state laws. Texas, Florida, Washington, and Oklahoma each have aggressive state-level enforcement on top of federal TCPA.

Penalties, Class-Action Risk, and Statutory Damages

TCPA is dangerous precisely because damages are per call (or per text) and do not require the plaintiff to prove any actual harm. The statutory amounts are small individually but compound brutally across a campaign — and the private right of action turns that math into class-action fuel.

Violation TypeStatutory DamagesNotes
Negligent TCPA violation$500 per call/textNo proof of actual damages required
Willful or knowing TCPA violationUp to $1,500 per call/textCourt may treble the $500 base amount
DNC Registry violation (private action)$500–$1,500 per callPer 47 U.S.C. § 227(c) for repeated calls
FCC civil forfeiture (agency action)Six- to eight-figure agency finesSeparate from private litigation
State-law violation (e.g., Florida FTSA)$500–$1,500 per call (state)Stacks on top of federal exposure

Illustrative TCPA and related statutory damages. Amounts and availability depend on the claim and jurisdiction — not a prediction of any specific case outcome.

A 5,000-contact AI campaign with a consent defect is not a $500 problem — at $500 per call it is a $2.5M theoretical exposure before any willfulness multiplier. That asymmetry is exactly why plaintiffs' firms aggregate recipients into classes, and why a single mis-targeted list can dwarf the cost of the legal review that would have prevented it.

Federal DNC Registry and Internal DNC Suppression

Two DNC layers, both required:

  1. Federal DNC Registry: Maintained by the FTC, contains 240M+ phone numbers as of 2026. Any outbound list must be scrubbed against the federal DNC within 31 days of dialing for telemarketing purposes. Subscription costs: free for the first 5 area codes; $79/area code/year above that (Q1 2026 pricing).
  2. Internal DNC Suppression: Every business must maintain its own internal DNC list of anyone who has asked the business to stop calling — verbally, in writing, or via opt-out URL. Internal DNC requests must be honored within a reasonable time (FCC guidance: 30 days) and persist indefinitely. AI voice agents must capture opt-out requests during calls ('please don't call me again' must trigger internal DNC add).

Modern AI voice platforms (Ringlyn AI included) handle both layers automatically: federal DNC scrubbing runs on every list upload, and the AI agent's opt-out detection writes the caller's number to internal DNC suppression in real time during the call. If you are building an outbound program, our 2026 guide to AI cold calling software covers how list hygiene and consent capture fit into the broader workflow.

Calling Windows, Frequency Caps, and Opt-Out Handling

Even with perfect consent and clean DNC lists, you can still violate TCPA on timing, frequency, identification, or opt-out handling. These operational rules are where AI voice agents either shine (consistent, automated enforcement) or fail spectacularly (a bug that ignores 'stop calling me' across thousands of calls).

Calling-Time Windows

Federal rules generally restrict telemarketing calls to 8:00 AM–9:00 PM in the called party's local time zone. The critical AI-specific trap: the time zone that matters is the recipient's, inferred from area code or, better, address — not your server's clock. Several states are stricter (see Texas below), so a campaign that spans time zones must throttle and schedule per-recipient, not in one batch.

Identification and Disclosure Requirements

Prerecorded/artificial-voice telemarketing calls must identify the caller (the business responsible for the call) at the start and provide a callback number, and they must offer an automated, interactive opt-out mechanism during the call. For an AI voice agent this means the script must state who is calling and the agent must recognize and honor an opt-out request the moment it is spoken — not at the end of a queued list.

Opt-Out Handling and Frequency

A 2024 FCC clarification reinforced that consumers can revoke consent through any reasonable means — saying 'stop,' 'don't call me,' 'remove me,' or replying STOP to a text — and businesses must honor revocation promptly (the FCC pointed to a 10-business-day outer limit for processing, while best practice is real-time). Opt-outs must persist indefinitely on your internal suppression list. There is no single federal numeric 'calls per day' cap for voice, but excessive frequency feeds harassment and state-law claims, so most disciplined programs throttle attempts per contact and stop after a defined number of unanswered tries.

Texas TCPA and SB140: The State Layer Most Teams Miss

Texas TCPA (Texas Business and Commerce Code Chapter 305) layers state-specific requirements on top of federal TCPA. Texas SB140 (effective 2023, expanded 2024–2025) further tightened the state framework:

  • Texas calling hours: Telemarketing calls to Texas residents are restricted to 9 AM–9 PM local time on weekdays, 12 PM–9 PM on Sundays. Stricter than federal TCPA's 8 AM–9 PM standard.
  • Texas no-call list: Texas maintains its own state DNC registry in addition to federal. Must scrub against both.
  • Caller ID requirements: Texas SB140 requires accurate caller ID display on all marketing calls into the state. Spoofed or misleading caller ID is a separate violation with separate damages.
  • Recording disclosure: Texas is a one-party consent state for recording, but if the recording will be used in commerce (call analytics, training), Texas Business and Commerce Code requires disclosure at call start.
  • Private right of action: Texas TCPA mirrors federal TCPA's $500/call statutory damages and creates a state-court class action path for Texas residents.

Florida's FTSA (Florida Telephone Solicitation Act, 2021) is similarly aggressive — automated calls to Florida residents require prior express written consent independent of federal TCPA consent. Oklahoma (Telephone Solicitation Act, effective 2023) and Washington (RCW 80.36.400) layer similar restrictions. The practical compliance stance is to either geo-restrict to states where you have clear consent or upgrade your consent capture to meet the strictest state's requirements globally. Industry-specific rules can add yet another layer — for regulated verticals see our breakdown of AI voice agents in fintech, PCI, and fraud workflows.

Federal vs State Rules: The Layered Compliance Map

Federal TCPA is the floor, not the ceiling. A growing number of states have passed their own 'mini-TCPA' statutes — often with their own consent definitions, calling windows, registries, and private rights of action — that layer on top of federal law. The safest operating posture is to comply with the strictest rule that applies to any number you dial, or to geo-restrict to states where your consent and processes clearly meet the bar.

LayerApplies ToRepresentative Requirements
Federal TCPA (47 U.S.C. § 227)All US calls/textsConsent tiers, DNC, 8 AM–9 PM, artificial-voice rules, private action ($500–$1,500/call)
Federal TSR (FTC) / National DNCTelemarketingDNC scrubbing, caller ID transmission, abandoned-call limits, record-keeping
Texas (Bus. & Com. Code Ch. 302/305, SB140)Texas residentsState registration/no-call list, accurate caller ID, tighter Sunday hours, private action
Florida FTSA (2021, as amended)Florida residentsConsent for automated/AI calls; sales-call windows; private action
Oklahoma Telephone Solicitation Act (2023)Oklahoma residentsConsent for automated calls, restrictions on solicitation, private action
Washington (RCW 80.36.400 / CEMA)Washington residentsAutomatic-dialing restrictions, disclosure, deceptive-practice liability

Federal-plus-state compliance layers an AI voice program must reconcile. State frameworks evolve frequently — verify current requirements with counsel for each state you call.

Compliance-Ready AI Voice — Built In

Ringlyn AI ships with native federal DNC scrubbing, internal DNC suppression, Texas TCPA compliance overlay, branded caller ID, and HIPAA-compliant infrastructure. Deploy without legal review headaches.

Branded Caller ID: STIR/SHAKEN and Why It's Now Mandatory

Since 2021, US carriers have required STIR/SHAKEN call attestation on all outbound calls. Calls with low attestation (B or C tier) get tagged as 'Spam Likely' on the recipient's iPhone or Android within hours. By 2026, this isn't optional — calls without proper attestation get answered at <15% of the rate of attested calls.

Branded caller ID (also called branded calling ID or branded call display) goes one step further. It registers your business name, logo, and call reason to display on the recipient's phone before they answer. Providers: First Orion (Engage), TNS (TrustedCall), Hiya (Connect), Neustar (TrueLine). Cost: $5–$20/month per outbound DID + one-time registration ($500–$2,000).

Branded caller ID is technically a marketing/UX feature, but it has compliance implications: Texas SB140 requires accurate caller ID display; branded calling ensures the display is unambiguously your business. STIR/SHAKEN A-attestation is functionally required for any commercial outbound program in 2026.

Recording Phone Calls Across State Lines: One-Party vs Two-Party

Recording phone calls across state lines is one of the most misunderstood areas of US telecom law. The rules vary by state, and federal law (the Federal Wiretap Act, 18 U.S.C. § 2511) sets the floor, not the ceiling:

  • Federal law: One-party consent — only one party to the call needs to consent to recording (which can be the recording party themselves).
  • One-party consent states (38+ states): Match federal — one party consent is enough.
  • All-party (two-party) consent states (12): California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Washington. All parties to the call must consent to recording.

The cross-state-line wrinkle: when a call crosses state lines (caller in TX → recipient in CA), the safe rule is to comply with the stricter state's law. A caller in one-party-consent Texas calling a recipient in two-party-consent California must disclose recording and get consent from the California party.

Operational compliance: every recorded AI voice call should open with a recording disclosure — 'This call may be recorded for quality and training purposes.' The disclosure satisfies the all-party consent requirement under the constructive-consent doctrine (continuing the call after disclosure = consent). The 'this call will be recorded' standard line works for every state.

HIPAA-Compliant VoIP and HIPAA-Compliant Call Center Stack

For healthcare deployments, TCPA compliance is necessary but not sufficient — you also need HIPAA-compliant VoIP and a HIPAA-compliant call center stack. The HIPAA Security Rule requires:

  • Encryption in transit and at rest: All voice data (SIP signaling, RTP audio, transcripts, recordings) must be encrypted end-to-end. TLS 1.3 for signaling, SRTP for audio, AES-256 for storage.
  • Business Associate Agreement (BAA): Every vendor in the stack that touches PHI — telephony provider, STT provider, LLM provider, TTS provider, CRM, transcription storage — must sign a BAA. This is non-negotiable; no BAA = HIPAA violation.
  • Access control + audit logs: Role-based access to call recordings, transcripts, and PHI. Audit logs for every PHI access.
  • Breach notification readiness: Process to notify affected individuals and HHS within 60 days of any breach involving 500+ patients.

Ringlyn AI ships HIPAA-compliant by default at standard tiers — encryption, BAA, access controls, audit logs all included. Many competing platforms charge HIPAA tier as a premium upgrade ($500–$2,500/month surcharge); verify your platform's BAA terms before deploying any healthcare workflow.

Note: Google Voice is not HIPAA-compliant for clinical use (Google won't sign a BAA for the consumer Google Voice product). Slack is HIPAA-compliant only on Slack Enterprise Grid with a BAA. Most consumer VoIP products fail HIPAA review.

AI-Specific Disclosure Requirements: Do You Have to Say 'This Is an AI'?

As of 2026, federal law does not require AI voice agents to proactively disclose their AI nature in every call. However:

  • California (SB 1001, Bot Disclosure Law): Requires disclosure if a bot is used to communicate with a person in California for the purpose of incentivizing a commercial transaction or influencing a vote. Practical reading: outbound sales AI calls into California must disclose AI nature.
  • If the caller asks: Every state's consumer protection law and common-law fraud rules require honest answers. If the caller asks 'Am I talking to a person?' the AI must say no. This is non-negotiable.
  • Texas, Florida emerging legislation: Several states have proposed bot-disclosure bills mirroring California's SB 1001. Track state-level developments via the National Conference of State Legislatures (NCSL) telemarketing law tracker.

Best practice regardless of legal requirement: have the AI disclose its AI nature at the start of marketing/sales calls. Caller trust drops sharply when callers later realize they were talking to AI without disclosure, even if it was legally compliant. The conversion-rate hit from being seen as deceptive is larger than the conversion-rate hit from upfront disclosure.

Inbound vs Outbound: How Obligations Differ

TCPA's heaviest obligations target outbound calls and texts you initiate. When a consumer calls you — or asks you to call them back — much of the consent burden is satisfied by that inbound request, though it is scope-limited to the reason they reached out and does not become blanket marketing consent. Knowing which side of the line a given AI workflow sits on tells you which controls you must enforce.

ObligationOutbound AI CallsInbound AI Calls
Prior express (written) consentRequired for marketing; documented per contactGenerally established by the inbound contact, scope-limited
National + state DNC scrubbingRequired before dialingNot applicable to the inbound leg
Calling-window enforcement (8 AM–9 PM local)Strictly appliesNot applicable; consumer initiated
Caller identification + callback numberRequired at call startBest practice; identify your business
Real-time opt-out / revocation handlingRequiredRequired — honor 'stop' / do-not-call requests
Recording disclosure (two-party states)RequiredRequired
Internal suppression list write-backRequired on opt-outRequired on opt-out

How core TCPA obligations differ between outbound and inbound AI voice flows. Inbound is lighter on consent, but opt-out, recording, and identification duties still apply.

Operational Compliance Checklist for AI Voice Deployments

  1. Document consent for every contact in your outbound list. What's the consent source? When was it obtained? What was the consent language? Store this evidence — TCPA defendants who can't produce consent records lose.
  2. Scrub against federal DNC every 31 days. Automated via your AI platform or a compliance vendor (Contact Center Compliance, Convoso Compliance, Gryphon).
  3. Maintain internal DNC suppression. Every opt-out request (verbal during call, email, web form, SMS reply) writes to internal DNC and persists forever.
  4. Geo-restrict or geo-comply for state rules. Either exclude high-restriction states (CA, FL, TX, WA, OK) or upgrade your consent and calling-hour discipline to meet the strictest state.
  5. Register branded caller ID and maintain STIR/SHAKEN A-attestation. Without these, your numbers get spam-flagged within weeks of launch.
  6. Open every recorded call with the recording disclosure. 'This call may be recorded for quality and training purposes.' Solves two-party consent in all 12 stricter states.
  7. Disclose AI nature when asked, and proactively in California. Best practice: disclose upfront in all marketing calls.
  8. For healthcare: verify HIPAA-compliant VoIP and signed BAAs across the entire stack. Telephony, STT, LLM, TTS, CRM, recording storage — every link.
  9. Maintain call logs for 4+ years. TCPA statute of limitations is 4 years; FTC TSR is 5; CA SB 1001 is 4. Default to 5-year retention.
  10. Annual TCPA training for the operations team. The compliance landscape changes every year. Build a habit of annual review.
Compliance ControlOwnerHow to Operationalize It
Consent capture + proof of recordYou (with platform tooling)Log source, timestamp, exact consent language; retain 5+ years
National + state DNC scrubbingPlatform automates; you verifyScrub on every list upload and re-scrub within required windows
Real-time opt-out / revocationPlatform detects; you define rulesAgent writes 'stop'/'remove me' to suppression instantly, persists forever
Calling-window enforcementPlatform enforces per time zoneSchedule by recipient local time, not server time
Caller ID + STIR/SHAKEN attestationYou + carrierRegister branded caller ID; maintain A-attestation
Recording disclosurePlatform script; you approveOpen recorded calls with the disclosure line in two-party states
Audit logging + retentionPlatform stores; you governImmutable logs of consent, calls, opt-outs; 5-year default
Legal review of campaigns + listsYou (with counsel)Attorney sign-off before launch and on material changes

Compliance checklist with ownership. The platform can automate enforcement, but the customer remains legally responsible for compliance.

How a Compliance-Ready Platform Helps (And Where You Stay Responsible)

A capable AI voice platform turns most of the checklist above from manual discipline into automatic enforcement. Ringlyn AI provides the operational controls that make TCPA-aware programs practical: consent capture and record-keeping, federal and state DNC scrubbing on every list, real-time opt-out and revocation handling that writes to a persistent internal suppression list, calling-window controls scheduled by the recipient's local time zone, recording-disclosure prompts, branded caller ID support, and immutable audit logging. Competing platforms vary widely here — some leave DNC and opt-out logic to the customer entirely. When you evaluate Ringlyn AI, Bland AI, Retell AI, Vapi, or Synthflow, ask each vendor to show exactly which of these controls are native versus do-it-yourself.

A platform can give you the controls, the scrubbing, and the audit trail — but it cannot grant you valid consent, choose which states you call, or substitute for legal review. Under TCPA, the entity that initiates the calls is responsible for compliance. Ringlyn AI provides the tooling; you and your counsel remain responsible for using it lawfully.

Shared-responsibility model

Don't Be a TCPA Test Case.

Ringlyn AI ships TCPA-aware: federal + state DNC scrubbing, branded caller ID, recording disclosure prompts, AI disclosure logic, and HIPAA-compliant VoIP infrastructure — all built in.

Frequently Asked Questions

The Federal Communications Commission (FCC) is the independent US agency that enforces the TCPA. The FCC has rulemaking authority under 47 U.S.C. § 227 and issues civil penalties for violations. The Federal Trade Commission (FTC) has parallel authority for the Telemarketing Sales Rule and the National Do Not Call Registry. Most TCPA enforcement, however, comes from private litigation — the TCPA provides a private right of action with $500–$1,500 statutory damages per violating call, which plaintiffs' law firms aggregate into class actions.

Yes — explicitly. The FCC's 2024 ruling (FCC 24-17) classified AI-generated voice calls as 'artificial or prerecorded voice' under TCPA, triggering the strictest consent requirements. AI voice calls to cell phones require prior express consent (informational) or prior express written consent (marketing). AI voice calls to residential landlines for marketing require prior express written consent. There is no AI carve-out from TCPA.

Texas TCPA (Texas Business and Commerce Code Chapter 305) layers state-specific rules on top of federal TCPA. Texas SB140 (2023, expanded 2024–2025) requires: telemarketing calls only between 9 AM–9 PM weekdays / 12 PM–9 PM Sundays Texas local time, accurate caller ID display (no spoofing), scrubbing against the Texas state no-call list in addition to federal DNC, and recording disclosure if the recording will be used in commerce. Private right of action mirrors federal TCPA at $500/call statutory damages.

Yes, but you must comply with the stricter state's law. Federal law and 38+ states are one-party consent (only one party needs to consent — which can be the recording party). 12 states are all-party (two-party) consent: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Washington. When a call crosses state lines, comply with the stricter state's rule. Operational fix: open every recorded call with 'This call may be recorded for quality and training purposes' — disclosure plus continued participation constitutes consent in all states.

No. Google does not sign a Business Associate Agreement for the consumer Google Voice product, which is a prerequisite for HIPAA compliance. Google Workspace with the appropriate tier and a signed BAA covers some Google products, but Google Voice specifically is excluded. For HIPAA-compliant phone systems, use platforms that specifically advertise HIPAA-compliant VoIP and a signed BAA — Ringlyn AI, RingCentral with the BAA add-on, and Twilio's HIPAA-eligible products are common choices.

Federally, not yet — there's no general AI disclosure requirement. California's SB 1001 (Bot Disclosure Law) requires disclosure for bots used to incentivize commercial transactions or influence votes in California. Several states have proposed similar bot-disclosure bills. Regardless of legal requirement, two rules are firm: (1) if a caller asks 'Am I talking to a person?' the AI must answer honestly — this is consumer protection law and common-law fraud, not optional; (2) best practice is to disclose AI nature at the start of marketing calls — the conversion-rate hit from being seen as deceptive after the fact is larger than the upfront disclosure cost.

Prior express consent can be oral or written and generally covers informational or transactional calls (appointment reminders, delivery updates, fraud alerts). Prior express written consent is the higher bar required for marketing or advertising calls placed with an autodialer or an artificial/prerecorded voice — including AI-generated voice. It must be a signed agreement (e-signature counts) that clearly authorizes such calls, and it cannot be a condition of purchase. Most outbound AI sales calls need the written tier; a buried checkbox or vague 'we may contact you' language typically does not qualify. This is general information, not legal advice.

TCPA statutory damages are $500 per call or text for a negligent violation and up to $1,500 per call or text for a willful or knowing violation, with no requirement to prove actual harm. Damages accrue per call, so a single mis-targeted campaign across thousands of contacts can create six- or seven-figure theoretical exposure, which is why TCPA is a magnet for class actions. The FCC can also impose separate civil forfeitures, and state mini-TCPA statutes can stack their own per-call damages on top. These figures describe the statutory framework, not a prediction of any specific case outcome — consult counsel.

Generally, when a consumer calls you or explicitly asks you to call them back, that inbound contact establishes consent for the reason they reached out — it is scope-limited and does not become blanket marketing consent. DNC scrubbing and calling-window rules do not apply to the inbound leg. However, opt-out/revocation handling, caller identification, and recording disclosure in two-party-consent states still apply. If you later use that contact for unrelated marketing, you are back into prior-express-written-consent territory.

The FCC adopted a one-to-one consent framework to close the lead-generator loophole, requiring consent to be specific to a single identified seller and logically related to the interaction. Its effective date and legal status have been affected by litigation and FCC timing adjustments — in early 2025 a federal appeals court issued a ruling affecting the rule before it took effect. Because the status has shifted and may shift again, treat it as a moving target and confirm the current rule with counsel before relying on purchased or shared leads. The durable best practice is to collect consent directly, name your business specifically, and keep the proof.

Ringlyn AI provides the operational controls that make a compliant program practical — consent capture and record-keeping, federal and state DNC scrubbing, real-time opt-out handling with a persistent internal suppression list, calling-window controls by recipient time zone, recording-disclosure prompts, branded caller ID support, and audit logging. But a platform cannot grant you valid consent, decide which states you call, or replace legal review. Under TCPA the entity that initiates the calls is responsible for compliance, so you and your counsel remain responsible for using the tooling lawfully.