Do I need consent for every AI call?

For inbound calls, no -- the caller initiated the contact. For outbound calls, yes, but the type of consent varies. Informational calls to existing customers require basic consent. Marketing calls to cell phones require prior express written consent.

Can I use AI to call people on the Do-Not-Call Registry?

Only if you have an established business relationship (customer called you within the past 18 months or purchased within the past 3 months) or if the person gave you prior express written consent. Otherwise, it is a direct TCPA violation.

What if my AI accidentally calls a wrong number?

A wrong number call can still be a violation if the unintended recipient's number is on the DNC list or if you lack consent. Use accurate, verified contact data and implement number validation to minimize wrong-number calls.

How do I handle consent for calls across multiple countries?

Comply with the strictest regulation that applies. If you are calling both US and EU numbers, build your consent flow to meet GDPR standards, which are stricter than TCPA for most scenarios.

Is it enough to say 'this call may be recorded' or do I also need to disclose the AI?

You need both. Recording disclosure satisfies call recording consent requirements. AI disclosure satisfies state-level AI transparency laws and FCC guidance.

What records should I keep for compliance documentation?

Maintain records of: consent, DNC list scrub dates, call recordings with defined retention periods, opt-out requests, campaign configurations, and compliance audit results. Store these for a minimum of 5 years.

AI Calling Compliance Guide: TCPA, GDPR, and Best Practices

AI calling is legal, powerful, and growing fast. It is also heavily regulated. The Telephone Consumer Protection Act (TCPA) alone has generated over 4 billion dollars in settlements since its inception. Individual violations can cost 500 to 1,500 dollars per call. For a business making 10,000 AI calls per month, non-compliance is not just a legal risk -- it is an existential one.

This guide covers the regulations that apply to AI calling in the United States and internationally, what they require, and how to build a compliance program that protects your business without slowing you down.

What Is the TCPA and How Does It Apply to AI Calling?

The Telephone Consumer Protection Act (1991) was written decades before AI calling existed, but its provisions apply squarely to modern AI voice agents.

Key TCPA Provisions for AI Calling

Prior Express Consent: You must have consent before making automated calls to any phone number. The type of consent required depends on the call type.

•Informational calls (appointment reminders, order confirmations): Prior express consent is sufficient. The consumer gave you their number in the context of doing business.
•Marketing calls to landlines: Prior express consent is sufficient.
•Marketing calls to cell phones using an autodialer or prerecorded/artificial voice: Prior express written consent (PEWC) is required. This is a higher standard -- the consent must be in writing (including electronic forms) and clearly state that the consumer agrees to receive automated marketing calls.

Do-Not-Call Compliance: You must maintain an internal do-not-call list and honor requests within 30 days. You must also scrub your calling lists against the National Do-Not-Call Registry before every campaign.

Calling Hours: Telemarketing calls may only be made between 8 AM and 9 PM in the recipient's local time zone.

Caller Identification: You must transmit your phone number and, when possible, your name to the recipient's caller ID. Spoofing caller ID for deceptive purposes is prohibited.

Artificial Voice Disclosure: Calls using artificial or prerecorded voices must include a disclosure at the beginning of the call. For AI voice agents, this means disclosing that the caller is an AI at the start of the conversation.

TCPA Penalties

•500 dollars per violation for negligent violations
•1,500 dollars per violation for willful or knowing violations
•Violations are calculated per call, not per campaign. A 10,000-call campaign with a compliance defect could result in 5 to 15 million dollars in penalties.

What Are the FCC's Recent Rules on AI Calling?

In February 2024, the FCC issued a declaratory ruling that AI-generated voices qualify as "artificial or prerecorded voice" under the TCPA. This ruling clarified that:

•All existing TCPA rules apply to AI voice agents
•Using AI does not create a loophole around consent requirements
•Companies using AI voice technology bear the same compliance obligations as those using traditional autodialer systems

The practical impact: if your AI voice agent calls consumers without proper consent, you face the same TCPA penalties as a traditional robocaller.

Ready to try AI voice agents?

Deploy in minutes with 119+ pre-built templates. No code required.

Start Free Trial

What State-Level AI Calling Laws Should You Know?

Several states have enacted or are considering laws specific to AI in phone calls.

California

California's SB 1001 (in effect since 2019) requires bots to disclose that they are not human when communicating with California residents for the purpose of influencing a commercial transaction or vote. AI voice agents calling California residents must disclose their AI nature at the start of the call.

Colorado

Colorado's Artificial Intelligence Act (effective 2026) requires businesses to disclose when AI is making consequential decisions. For AI calling, this means disclosing the use of AI and providing a mechanism for consumers to request human interaction.

Illinois

Illinois has strong biometric privacy laws (BIPA) that may apply if your AI system collects voiceprints for speaker verification. If you are using voice biometrics in Illinois, consult with a privacy attorney.

Washington

Washington state requires disclosure of AI use in customer-facing communications. AI voice agents must identify themselves as AI at the start of every call to Washington residents.

General Trend

The trend is clear: more states are requiring AI disclosure. Even in states without specific AI calling laws, the safest practice is to disclose AI at the start of every call. This eliminates jurisdiction-by-jurisdiction compliance complexity.

If you call prospects or customers in the European Union, GDPR applies regardless of where your business is located.

GDPR Requirements for AI Calling

Lawful Basis: You need a lawful basis for processing the individual's personal data (their phone number, name, and any information collected during the call). For marketing calls, consent is typically required. For calls related to an existing contract (appointment reminders for existing patients), legitimate interest may suffice.

Data Minimization: Collect only the data necessary for the purpose of the call. If you are confirming an appointment, you do not need to ask for the caller's home address.

Transparency: Inform the individual what data you are collecting, why, and how it will be used. This is typically accomplished through a privacy notice reference during the call.

Right to Object: Individuals have the right to object to automated processing, including AI phone calls. Your AI must honor opt-out requests immediately.

Data Protection Impact Assessment (DPIA): For large-scale automated processing of personal data, a DPIA may be required before launching AI calling campaigns.

Country-Specific Rules Within the EU

GDPR sets the floor, but individual EU countries add their own telemarketing rules. Germany, for example, requires explicit consent for marketing calls. The UK (post-Brexit, under UK GDPR) has its own nuances. France requires registration with Bloctel (the French do-not-call list). Check the specific rules for each country you are calling.

What Are the Compliance Best Practices for AI Calling?

1. Always Disclose AI at the Start of Every Call

Do not bury the disclosure mid-conversation. Within the first 10 seconds, the AI should state: "Hi, this is an AI assistant calling on behalf of [Company Name]. This call may be recorded for quality purposes." This satisfies state disclosure laws, builds caller trust, and demonstrates good faith.

TurboCall includes configurable disclosure messages as a standard feature. You set the message once and it plays at the start of every call automatically.

2. Implement Robust Consent Management

For outbound campaigns, maintain a consent database that records: who consented, when they consented, what they consented to, and how they consented (web form, verbal, written). This documentation is your defense if a complaint is filed.

For inbound calls, consent is generally implied by the act of calling your business. But if you plan to call the person back or add them to outbound campaigns, obtain explicit consent during the initial call.

3. Scrub Lists Before Every Campaign

Before every outbound campaign, scrub your contact list against the National Do-Not-Call Registry (updated monthly), your internal do-not-call list, and any state-specific do-not-call lists. TurboCall integrates with DNC list providers to automate this scrubbing process.

4. Honor Opt-Outs Immediately

When a recipient says "take me off your list," "do not call me again," or any variation, the AI must acknowledge the request, confirm it, and add the number to your suppression list before the call ends. No arguments, no "before you go" attempts, no delays.

5. Respect Calling Hours

Program your AI to call only during permitted hours in the recipient's time zone. TurboCall automatically detects time zones from area codes and enforces calling hour restrictions at the campaign level.

6. Record and Retain Calls Appropriately

Record calls for quality assurance and compliance documentation, but follow retention policies. Do not store call recordings indefinitely -- define a retention period (typically 90 days to 2 years depending on your industry) and automatically purge recordings after that period.

7. Provide Human Transfer on Request

If a caller asks to speak to a human, the AI must comply immediately. This is a legal requirement under some regulations and a best practice under all of them. Configure your agent with a low-friction transfer mechanism.

8. Audit Your Compliance Regularly

Conduct quarterly compliance audits: review a sample of call recordings, verify that consent records are current, check that DNC scrubbing is happening before every campaign, and confirm that opt-out requests are being processed within the required timeframe.

How Do You Build a Compliance Program for AI Calling?

Step 1 -- Appoint a Compliance Owner

Someone in your organization must own AI calling compliance. This person is responsible for staying current on regulations, conducting audits, and ensuring that operational practices match legal requirements.

Step 2 -- Document Your Consent Flows

Map every path through which a phone number enters your system and document the consent associated with each path. Web form submissions, trade show badge scans, referrals, purchased lists -- each has different consent implications. Purchased lists are the highest risk; many compliance attorneys recommend avoiding them entirely for AI cold calling.

Step 3 -- Configure Your Platform for Compliance

Set up your AI calling platform with compliance as the default: mandatory AI disclosure, automatic DNC scrubbing, time zone enforcement, opt-out processing, and call recording with consent prompts. TurboCall provides all of these features out of the box, configurable through the dashboard.

Step 4 -- Train Your Team

Everyone involved in AI calling campaigns -- from the marketing team designing campaigns to the sales team reviewing results -- needs to understand the compliance requirements. Annual training with quarterly updates when regulations change is a reasonable cadence.

Step 5 -- Establish an Incident Response Plan

If a compliance violation occurs (a call to a number on the DNC list, a campaign launched without proper consent documentation), you need a plan: stop the campaign, assess the scope, document the incident, remediate the root cause, and determine whether regulatory notification is required.

What About Industry-Specific Regulations?

Healthcare (HIPAA)

AI calls that involve protected health information (appointment reminders that mention provider names, prescription refill confirmations) must comply with HIPAA. The AI platform must sign a Business Associate Agreement, encrypt all PHI, and maintain audit logs. TurboCall offers HIPAA-eligible infrastructure for healthcare clients.

Financial Services (GLBA, Reg E)

Financial institutions using AI calling must comply with the Gramm-Leach-Bliley Act for customer information privacy and Regulation E for electronic fund transfer disclosures. AI agents discussing account information must verify caller identity before disclosing account details.

Debt Collection (FDCPA)

AI used for debt collection calls must comply with the Fair Debt Collection Practices Act: proper identification, mini-Miranda warnings, validation notices, and restrictions on call frequency. The CFPB has issued guidance on the use of AI in debt collection that adds additional requirements.