SwiftCallSwiftCall
11 min readCompliance

TCPA Compliance for AI Outbound Calling: What Small Businesses Need to Know

TCPA AI calling compliance is a minefield of $500-$1,500-per-call penalties. Here's what small businesses actually need to know before turning on an AI dialer.

AI voice agents have gotten cheap and good enough that almost any small business can turn on an outbound campaign in a weekend. Which means almost any small business can also, in that same weekend, write themselves into a seven-figure class action. The Telephone Consumer Protection Act is not a gentle statute. Statutory damages run from $500 to $1,500 per call, per recipient, with no cap, and plaintiffs' attorneys run automated searches looking for fresh targets. This post is a practical walkthrough of what the rules actually say in 2026, where the AI-specific landmines are, and how to run an outbound program that doesn't blow up.

This is not legal advice. Consult a TCPA attorney before launching an outbound campaign. Seriously. The statute is old, the case law is a mess, and FCC rules keep shifting under everyone's feet. A two-hour consult with a qualified telecom attorney costs less than one class-action demand letter.

What the TCPA actually is

The Telephone Consumer Protection Act of 1991 lives at 47 U.S.C. § 227. In plain English, it regulates how businesses can call, text, or fax consumers, and it gives consumers a private right of action — meaning an individual can sue you without involving the government. That private right of action is what makes TCPA different from most other consumer protection statutes. Plaintiffs don't need regulators. They sue directly, usually as class actions, and attorneys work on contingency.

The core prohibitions, simplified:

  • No calls or texts to cell phones using an autodialer or pre-recorded/artificial voice without prior express consent (and for marketing, prior express written consent)
  • No calls to numbers on the National Do Not Call Registry for marketing purposes
  • No calls outside the recipient's local 8 a.m. to 9 p.m. window
  • No caller ID spoofing with intent to defraud or cause harm
  • You must identify yourself and your business at the start of the call
  • You must honor opt-outs

The penalties: $500 per violation, tripled to $1,500 if the violation is willful or knowing. Multiply by every call in a campaign and the math gets ugly fast.

The FTC's Telemarketing Sales Rule adds another overlapping layer, especially around abandoned-call rates, record-keeping, and disclosures. Most outbound operators need to comply with both.

The ATDS question, post-Duguid

For two decades, the single biggest TCPA question was: what counts as an autodialer? The statute defines an Automatic Telephone Dialing System ("ATDS") as equipment with the capacity "to store or produce telephone numbers to be called, using a random or sequential number generator, and to dial such numbers." Courts disagreed for years about whether a system that dialed from a stored list — basically every modern CRM-driven dialer — counted as an ATDS.

In April 2021, the Supreme Court resolved this in Facebook, Inc. v. Duguid. The Court held that a system only qualifies as an ATDS if it uses a random or sequential number generator. Dialing from a curated list of customer-provided numbers, by itself, doesn't make a system an ATDS.

What this means for AI voice platforms: most modern AI dialers that work from a fed list of numbers are probably not ATDS under Duguid. That's the good news.

The bad news: Duguid doesn't get you off the hook. Three other restrictions still apply with full force to AI calling:

  1. The artificial or pre-recorded voice restriction. This one is separate from the ATDS rule. Any call to a cell phone using an artificial or pre-recorded voice still requires prior express consent, and marketing calls require prior express written consent. An AI voice agent is, by any reasonable reading, an artificial voice.
  2. The DNC registry rules for marketing calls. Those apply regardless of how you dial.
  3. State-level mini-TCPA statutes, some of which (Florida, Oklahoma, Washington) have their own ATDS definitions that are broader than the federal one.

So the ATDS narrowing helped, but if you're using an AI voice, you're in the artificial-voice lane and you need consent.

The FCC's February 2024 AI ruling

On February 8, 2024, in the aftermath of a fake-Biden robocall that hit New Hampshire primary voters, the FCC issued a Declaratory Ruling making explicit what most lawyers already believed: AI-generated voices in calls fall under the TCPA's existing "artificial or pre-recorded voice" rules. The ruling didn't create new law. It confirmed that AI-cloned and AI-generated voices are "artificial voices" for TCPA purposes.

Practical takeaway: if your agent's voice is synthesized, cloned, or generated — and virtually all commercial AI voice platforms produce synthesized voices — you're subject to the artificial-voice rules. For marketing calls to cell phones, that means prior express written consent from the recipient before the call goes out.

For purely informational, non-marketing calls (appointment reminders, account notifications, delivery updates), the standard is lower — prior express consent, which can be oral — but you still need consent.

For B2B calls to businesses, the rules are less strict, though not non-existent. Calls to a published business main line for legitimate B2B purposes have more room than calls to a cell.

In December 2023, the FCC adopted a rule often called the "one-to-one consent rule," which would have required lead-generation consent to be specific to a single seller rather than shared across a list of partners. It was scheduled to take effect January 27, 2025.

Eleven days before the effective date, on January 24, 2025, the Eleventh Circuit vacated the rule in Insurance Marketing Coalition v. FCC, holding that the FCC had exceeded its statutory authority. The rule never took effect.

But — and this is the part operators miss — the compliance infrastructure the lead-gen industry built in anticipation of the rule largely stuck. Most serious lead aggregators tightened their consent language, kept per-partner consent records, and stopped selling "shared-consent" leads to random buyers. If you're buying third-party leads and calling them with AI, the old practice of relying on a generic "partners and affiliates" checkbox is increasingly risky even without the rule. The safer path is buyer-specific consent. Ask any lead vendor exactly how the consent was captured and what the recipient was told before you dial.

The National DNC registry and internal DNC lists

Two separate lists, both mandatory.

The National Do Not Call Registry (donotcall.gov) is maintained by the FTC and lists consumers who've opted out of marketing calls. You must scrub your list against it before each campaign — generally within 31 days of calling. Calling a registered number for marketing purposes without an existing business relationship or prior express written consent is a violation.

Your internal DNC list is everyone who's ever asked you to stop calling them. This one is on you to maintain. Any opt-out request — by phone, text, email, written letter, psychic transmission — has to be honored and logged.

On opt-out timing: per the FCC's 2024 rule, SMS opt-outs must be honored essentially immediately, with a hard outside limit of 10 business days. Call opt-outs have historically been 30 days; practical guidance is to honor immediately. There's no upside to sitting on an opt-out.

Calling windows, caller ID, and disclosures

A few more hard rules:

  • Calling hours. 8 a.m. to 9 p.m. in the recipient's local time zone, not yours. If you're in Chicago calling San Diego, you can't start until 10 a.m. your time.
  • Caller ID. You must transmit an accurate caller ID with a working callback number. STIR/SHAKEN rules now require voice providers to attest to caller ID authenticity; spoofing an unrelated number will likely get your traffic blocked before it gets you sued.
  • Identification. At the start of the call, the agent must identify itself and the business on whose behalf it's calling, and — for pre-recorded or artificial voice calls — provide a callback number where opt-outs can be processed.
  • AI disclosure when asked. Nothing in federal law currently requires proactive "this is a bot" disclosure on every call, but if the recipient directly asks whether they're speaking to a human, honesty is the only defensible answer. Several states are moving toward mandatory AI disclosure; California's SB 1001 bot-disclosure law is already on the books for certain contexts.

Federal law is one-party consent for call recording. Most states match that, but about 11-12 states require all-party consent. The commonly cited list includes California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington, though details vary.

A note on Illinois specifically, since SwiftCall is Illinois-based. The Illinois Eavesdropping Act was struck down by the state Supreme Court in 2014 in People v. Clark and People v. Melongo, and the amended statute that replaced it is more nuanced than the old flat two-party rule. The safer read is that Illinois still treats recording as requiring consent in contexts where there's a reasonable expectation of privacy — which a sales call often is.

The operational rule that covers you everywhere: at the start of every recorded call, say that the call may be recorded for quality and training purposes. If the recipient objects, stop recording. Log the consent. Done.

The compliance checklist

If you're about to turn on an AI outbound campaign, here's the order of operations:

  1. Confirm the legal basis for each number on your list. Prior express written consent for marketing to cells with AI voice. Document where and when it was captured. Keep the actual form language.
  2. Scrub against the National DNC Registry within 31 days of calling. Use a compliance service — Blacklist Alliance, TCPAShield, DNC.com, Contact Center Compliance, or equivalent. Don't rely on an in-house CSV.
  3. Scrub against your internal DNC list. Every number that's ever opted out. No exceptions, across brands, across campaigns.
  4. Scrub against state-specific lists where applicable (Florida, Oklahoma, and several others maintain their own).
  5. Set calling windows by recipient local time. Your dialer should enforce this automatically.
  6. Record calls, disclose the recording at the top, and store recordings securely.
  7. Identify the business at the start of every call and make sure the agent can repeat it on request.
  8. Honor opt-outs immediately. "Take me off your list," "stop," "don't call again" — all of it routes to the internal DNC list the same day.
  9. Maintain per-number consent logs for at least 4 years. The federal statute of limitations on TCPA claims is 4 years; some states are longer. Keep everything.
  10. Train your AI agent's scripts with the compliance guardrails baked in, not bolted on. The opening, the identification, the opt-out handling, the recording disclosure — all prompt-level, not hoped-for-behavior-level.
  11. Audit your traffic. Pull a random sample of calls weekly. Listen for drift. Fix the prompt. Repeat.
  12. Get TCPA insurance. Specialized E&O policies cover TCPA defense costs and (in some cases) settlements. Premiums are not trivial but are a fraction of one class action.

Common AI-specific mistakes

A short list of the failure modes we see most often:

  • Using a fresh list from a lead vendor without reading the exact consent language the lead saw
  • Assuming B2B carve-outs apply when the number is actually a cell phone registered to a sole proprietor
  • Letting the AI agent "sound human" to the point of denying it's automated when directly asked
  • Running calls 24/7 because the AI can, and landing dials at 7:14 a.m. local time
  • Not logging the specific consent artifact — the URL, the timestamp, the IP, the form text
  • Treating an opt-out like a CRM status change instead of a legal event with a clock on it
  • Buying "aged" leads (90+ days old) and treating the original consent as still valid for AI calls

The last one is underappreciated. Consent doesn't have a federal expiration date, but a consent captured three years ago on a generic marketing checkbox is a much harder defense than one captured last Tuesday for your specific product.

When in doubt, call a lawyer, not a vendor

Your AI voice platform — Retell, Vapi, Bland, whoever — is not your compliance officer. They provide infrastructure. You own the outbound list, the consent, and the liability. A TCPA-literate attorney reviewing your consent flow, your list sources, and your agent script will cost you a few thousand dollars and save you from the kind of mistake that ends a small company.

If you're also planning outbound campaigns in specific verticals, the compliance mix shifts. Our post on AI cold calling for real estate investors covers the specific wrinkles around skip-traced lists and homeowner outreach. And AI recruitment automation has its own set of candidate-consent considerations that overlap with TCPA but also pull in state privacy law. Both are worth reading before you flip a dialer on in those niches.

For baseline federal guidance, the FCC's main robocall page and its robocalls consumer guide are updated as rules change and are the most reliable plain-English references the government puts out.

Bottom line

The TCPA turns 35 next year and it has more teeth now than when it was written. Running an AI outbound program without tight consent practices, clean lists, and an attorney on speed-dial is not aggressive growth — it's a class action waiting to get served. Do the checklist, keep the logs, honor the opt-outs, and the rest of the program takes care of itself.

Keep reading