FCC One-to-One Consent Rule: What Every AI Voice Agent Operator Needs to Know (2026)

The Federal Communications Commission closed what it called the "lead generator loophole" in the Telephone Consumer Protection Act. Before 2026, a consumer could tick one box on a lead-gen form and that single consent covered calls from dozens of partner companies. That no longer works.

Under the new rule, prior express written consent must be given to **one seller at a time**, with that seller named in the disclosure language the consumer agreed to. Generic "our marketing partners" language is no longer sufficient. The rule applies to any call made using an autodialer or artificial voice — which includes every AI voice agent in the market.

Violations carry statutory damages of $500 per call, trebled to $1,500 for willful violations, with no cap. Class actions and private right of action remain available. For companies running AI voice campaigns at scale, even a small compliance gap can turn into a seven-figure liability exposure quickly.

The FCC scope is broader than many operators realize. The rule covers:

- **Outbound AI voice calls** to residential or mobile numbers — qualification calls, appointment reminders, event confirmations, post-sale follow-ups. - **Artificial voice technologies** — including synthesized voice, prerecorded messages, and AI-generated speech (GPT-Realtime, ElevenLabs, and similar). - **Autodialed calls** where a system selects and dials numbers from a stored list. - **Text messages** sent via similar technologies, under the same consent standard.

The rule does *not* apply to calls manually dialed one at a time by a human, or to calls where the recipient has an established business relationship and initiated the contact. It also does not apply to informational calls without a marketing component (e.g. a post-visit survey that makes no offers). The gray area that trips people up is the "mostly operational with a soft CTA" call — confirm-the-appointment-and-also-mention-our-promotion flows — which the FCC has said falls under the rule.

If you run a lead gen business, the rule is an existential pivot. You can no longer sell a single lead to multiple buyers under one consent. Buyers each need their own consent record, or they cannot legally call the lead using automated means.

The FCC adopted specific requirements for prior express written consent (PEWC). Every compliant consent record should include:

- **Written signature** (electronic signatures count — a checkbox paired with form submission satisfies this). - **Clear disclosure** that consent is for marketing/automated calls, not a condition of purchase. - **Named seller** — the specific legal entity that will make the calls. "Acme HVAC, LLC" is compliant. "Acme and our partners" is not. - **Named technology type** — automated, artificial voice, text message — whichever applies. - **Phone number** — the specific number being consented for. - **Timestamp and metadata** — for audit: IP, user-agent, form URL, and the exact disclosure text shown at the time.

The practical implication: you need per-seller consent capture at the form level. If you resell leads, each downstream buyer either needs their own consent flow on your form, or they cannot call the lead via automated means. The FCC explicitly rejected workarounds like "broad consent that attaches to whichever buyer claims the lead."

Plaintiffs' attorneys have spent a decade building templated TCPA class actions. The new rule gives them a cleaner attack surface because the named-seller requirement is easier to prove or disprove than past consent standards.

When a consumer files a TCPA claim, defendants must produce the consent record. Courts increasingly want to see:

1. The **exact disclosure text** as rendered to the consumer at the moment of submission. 2. The **form URL** and a way to reproduce what the consumer saw. 3. **Metadata** — IP address, user-agent, timestamp — proving the submission came from a human user, not a script. 4. **The seller name in the disclosure** matches the caller.

A boolean "consent: true" column in your CRM won't cut it anymore. Modern compliance platforms store the consent text as a versioned snapshot so you can reproduce exactly what a specific consumer saw at a specific time. At Stellar we built this into the trigger layer: every outbound call job is stamped with a pointer to the consent record that authorized it, and every consent record captures the disclosure text, metadata, and submission evidence at capture time. Under strict mode, calls without a matching active spec simply don't fire.

The most common way operators fall out of compliance isn't a missing checkbox. It's an integration that bypasses the consent capture entirely.

Typical failure modes:

- **CRM webhook fires a trigger** before the consent record propagates from the form provider. - **Zapier or Make workflow** transforms the payload in a way that drops the consent field. - **Legacy CSV import** of existing leads where the consent history is unknown. - **Form field changes** — renaming the consent checkbox breaks the evidence-field-path mapping downstream.

The right mitigation is to gate outbound trigger calls on consent verification, not just CRM presence. That means: before an AI voice agent calls a number, the system confirms a valid consent record for that phone × seller × timestamp exists. If it doesn't, the call fails loud (visible error) rather than fails silent (legal exposure).

This is the posture Stellar ships by default for the `/api/v1/triggers/*` endpoints under compliance strict mode. Integrations via form webhooks still need manual consent spec mapping — full coverage of every integration pathway ships over the course of 2026.

For operators running AI voice in production, here's the minimum viable 2026 compliance posture:

1. **Audit every form** that generates leads. List the consent checkboxes, their exact disclosure text, and the seller named. Replace any "and our partners" language with named-seller disclosures.

2. **Version the consent text**. Every time you change the disclosure, bump the version. Store old versions so you can produce them on demand for leads captured under prior text.

3. **Attach consent to every trigger**. Your calling platform should accept a `consentProof` object (spec ID, capture timestamp, IP, user-agent, exact snapshot) with every campaign trigger, and refuse to dial numbers without one.

4. **Log the decision**. When a call fires, log the consent record ID that authorized it. When a call is rejected, log why. Discovery is cheap when the audit trail is already structured.

5. **Train your team on the gray areas**. Informational calls (appointment confirmations for existing customers) are usually fine without PEWC under the established business relationship exemption — but mix in a promotional offer and you've crossed the line.

6. **Honor opt-out in real time**. The FCC strengthened opt-out requirements too. STOP replies must stop all campaigns from the named seller within a reasonable time (seconds, not days).

7. **Plan for enforcement**. The FCC gave itself new enforcement powers alongside the rule. Expect consent-audit subpoenas to arrive faster than under previous TCPA regimes.

The rule is strict, but the compliance path is clear. Operators who build per-seller consent capture into their form layer and gate outbound calls on consent verification at trigger time can continue running AI voice at scale. The ones who treat consent as a CRM metadata afterthought are the ones who will be writing class-action checks by Q3.