TCPA Compliance for AI Calling: What You Need to Know

For years, there was genuine legal ambiguity about whether AI-generated voice calls were covered by the Telephone Consumer Protection Act. The TCPA, signed in 1991, regulated "prerecorded or artificial voice" calls. AI-generated speech is neither prerecorded (it is generated in real time) nor traditionally "artificial" (it sounds natural). Some companies argued that AI calls fell outside the statute.

The FCC settled the question in February 2024 with a declaratory ruling: AI-generated voice calls are "artificial voice" calls under the TCPA. The ruling was explicit. If software generates the voice that a consumer hears on a call, TCPA rules apply in full. It does not matter how natural the voice sounds or whether the AI can hold a conversation. The legal obligations are identical to those for robocalls and prerecorded messages.

This ruling matters because the TCPA carries real penalties. Statutory damages are $500 per violation (per call). Willful violations triple to $1,500. In class action lawsuits, which are common under TCPA, these per-call damages multiply across every affected consumer. WebRecon's 2023 annual report tallied over $1.2 billion in TCPA settlements that year alone. DISH Network paid $210 million in a single case.

If you are building or buying AI calling capability, compliance is not optional. It is a cost-of-doing-business requirement, and the consequences of getting it wrong can be existential for a small business.

The TCPA defines two levels of consent, and which one you need depends on what kind of call you are making.

Prior express consent is required for informational calls made using automated technology. This covers appointment reminders, delivery notifications, and service updates. The consent can be verbal or written, and it is often implied by the business relationship (a patient who books an appointment has implicitly consented to a reminder call about that appointment). However, the consent must be for calls to that specific phone number, and the consumer must have provided the number voluntarily.

Prior express written consent is required for marketing or sales calls made using automated technology. This is a higher bar. Written consent must clearly authorize the calls, must include the phone number to be called, and cannot be a condition of purchasing a product or service. Website form submissions count as written consent if the form language explicitly states that the submitter agrees to be contacted by phone, including by automated means. A checkbox that says "I agree to the Terms of Service" buried in fine print does not qualify.

The distinction matters for AI calling platforms. If your AI agent calls leads who submitted a "Contact Me" form that includes clear consent language, you are likely covered. If your AI agent calls a purchased lead list where you have no direct consent relationship, you are likely in violation.

Record your consent evidence. Keep the form submission data, the timestamp, the IP address, the exact language the person agreed to, and the phone number they provided. If challenged, you need to prove consent for each specific number called.

The TCPA requires compliance with the National Do Not Call Registry, managed by the FTC. Any business making telemarketing calls must scrub its call lists against the registry before calling. The registry must be checked at least every 31 days (you cannot download the list once and use it forever).

Beyond the federal registry, many states maintain their own do-not-call lists with additional requirements. States including Indiana, Louisiana, and Pennsylvania have registries that may include numbers not on the federal list. If you are calling consumers in multiple states, you need to check both federal and applicable state lists.

Internal do-not-call lists are also required. When someone asks to be removed from your call list (during a call, via email, or through any channel), you must add them to your internal DNC list and stop calling within a "reasonable time," which the FCC has interpreted as 30 days. In practice, implement it immediately. There is no benefit to waiting.

Established Business Relationship (EBR) exemptions exist but are narrower than many businesses assume. An EBR allows calls to existing customers for 18 months after the last transaction or 3 months after an inquiry. But the exemption does not override a specific do-not-call request. If a customer says "stop calling me," the EBR exemption is gone.

For AI calling systems, DNC compliance should be automated. Before every call, the system should check the contact number against federal, state, and internal DNC lists. If the number appears on any list, the call should not be placed. This is not a manual process that can rely on human judgment. It needs to be systematic.

The TCPA restricts telemarketing calls to between 8:00 AM and 9:00 PM in the recipient's local time zone. Not your time zone. The recipient's. This means your system needs to determine the time zone associated with each phone number before placing the call.

For US numbers, time zone lookup is straightforward using area code databases, though number portability means area codes are not always accurate (someone with a 212 area code may live in Denver). The safest approach is using a phone intelligence API that provides the registered location of the number.

Several states impose stricter windows. Some restrict calls to 9 AM to 8 PM. When federal and state rules conflict, you must follow the stricter standard. For AI calling at scale, implementing per-state calling windows is a technical requirement, not a nice-to-have.

Caller ID requirements are explicit: you must transmit an accurate caller ID number and, when requested, provide your name, the name of the entity on whose behalf you are calling, and a phone number or address where you can be reached. Spoofing caller ID, showing a fake number, or blocking caller ID on telemarketing calls violates both the TCPA and the Truth in Caller ID Act.

For AI calls specifically, the caller ID should show a real, working phone number that connects to your business when called back. Consumers increasingly research numbers that call them. If your AI agent calls from a number that goes nowhere when called back, it creates a spam impression and potential regulatory issues.

Healthcare providers get some TCPA relief for appointment reminders, but the exemption is narrower than many practices assume.

The FCC's 2015 ruling established that calls to wireless phones about healthcare appointments, exams, and prescription reminders are permissible under prior express consent (not the higher written consent standard) if the call is from, or on behalf of, a healthcare provider. The calls must be purely informational: reminders, follow-ups, or instructions. The moment the call includes any marketing content ("and we are offering 20% off teeth whitening this month"), the exemption evaporates and full written consent is required.

HIPAA adds a parallel layer of compliance for healthcare. AI calling systems that handle patient information must comply with HIPAA privacy and security rules. This means the AI platform must have a Business Associate Agreement (BAA) with the healthcare provider, call recordings and transcripts containing PHI must be encrypted and access-controlled, and the content of reminder calls should not disclose the nature of the appointment in a voicemail or to someone other than the patient.

Debt collection calls have their own regulatory framework under the Fair Debt Collection Practices Act (FDCPA) in addition to TCPA. Real estate has state-specific rules. Financial services face additional CFPB oversight.

The takeaway: TCPA is the baseline, not the ceiling. Industry-specific regulations may add requirements on top of TCPA compliance.

Compliance is not a checklist you run once. It is a system design requirement.

Here is what a compliant AI calling workflow looks like in practice. Before the call: verify prior express written consent exists for the specific number, check the number against federal DNC, state DNC, and internal DNC lists, confirm the current time is within permitted calling hours in the recipient's time zone, and log the compliance check results. During the call: transmit accurate caller ID, identify the caller and the business, state the purpose of the call, and provide a clear opt-out mechanism ("You can ask me to stop calling at any time"). After the call: honor any opt-out request immediately (add to internal DNC), retain call records and consent documentation for at least 5 years (the TCPA statute of limitations is 4 years), and flag any compliance issues for review.

Common mistakes to avoid: buying lead lists and calling them without independent consent verification, using a single generic consent checkbox for multiple communication channels, not re-checking DNC lists regularly, placing calls outside of permitted hours due to incorrect time zone handling, and not providing a clear opt-out during AI-generated calls.

Platforms like Stellar build these compliance checks into the calling infrastructure: consent verification, DNC checking, time-zone enforcement, and opt-out handling are all automated. This does not replace the need for legal counsel (every business should have a lawyer review their consent language and calling practices), but it ensures the technical system does not allow non-compliant calls to go out.

Note: This article is informational and does not constitute legal advice. Consult a TCPA-qualified attorney for guidance specific to your business and calling practices.