TCPA compliance AI calling — what the law actually requires before your agent dials out
The TCPA (Telephone Consumer Protection Act) is the US federal law that governs how you can call and text people, and in February 2024 the FCC confirmed that AI-generated voices count as an "artificial or prerecorded voice" — so the moment your AI agent dials a consumer outbound, the strictest rules apply: you generally need prior express consent for transactional calls and prior express written consent for marketing, plus a working opt-out, calling-time limits, and clear identification. This guide explains what that means in plain English so you can brief your team and your lawyer; if your use case is inbound only, most of this never triggers, which is why MapleVoice runs as an inbound answering service by default.
General information, not legal advice
This guide explains the TCPA in plain English so you can have a smarter conversation with your attorney. It is general information, not legal advice, and it is not a substitute for counsel who knows your industry, your channels, and your state. Your business owns its own consent policy and its own TCPA liability — no platform, including MapleVoice, can give you consent you didn't collect or sign off on a campaign on your behalf. Confirm your specifics with a qualified TCPA lawyer before you launch outbound. For the healthcare-privacy cousin of this topic, see our HIPAA voice AI explainer and how we approach HIPAA.
- AI voices are "artificial or prerecorded" under the TCPA — the FCC confirmed this in 2024, so outbound AI calls face the strictest consent rules, not the relaxed ones for live agents.
- Match consent to purpose: prior express consent for transactional calls, prior express WRITTEN consent for marketing calls and text messages.
- Opt-out is now broad: since April 2025 a consumer can revoke in any reasonable manner and you must stop within ~10 business days, across both calls and texts.
- Penalties are $500 per violation (up to $1,500 if willful), per call or text, and they stack fast — which is why most businesses keep AI on inbound until outbound consent is airtight.
What the TCPA actually governs
The TCPA is a 1991 federal law, enforced by the FCC and through private lawsuits, that restricts how businesses can contact consumers by phone. In practice it covers four things that matter for AI: calls made with an autodialer to wireless numbers, calls using an artificial or prerecorded voice, text messages (which courts treat as "calls" for these purposes), and the Do-Not-Call regime. It is not a general "don't be annoying" rule — it is a specific consent-and-conduct framework with statutory damages attached, which is why the tcpa outbound calling rules are litigated so heavily.
The pivotal development for voice AI came in February 2024, when the FCC issued a Declaratory Ruling confirming that calls using AI technologies that generate human-sounding voices fall within the TCPA's restriction on "artificial or prerecorded voice." The plain-English version: an AI agent does not get the lighter treatment a live human caller might. The same consent, disclosure, time-window, and opt-out obligations that apply to a prerecorded robocall apply to your AI dialer — and the FCC signaled it intends to enforce this. If you want to hear how a careful, identified inbound agent actually sounds, you can listen to real calls.
One honest caveat: the TCPA is an unusually active area of law. The FCC's one-to-one consent rule was vacated by a court in 2025 before it took effect, and at least one federal appeals court has questioned how strictly written consent is required for certain telemarketing. The headline obligations below are stable and well-settled, but the edges move — another reason to confirm the current state of play with counsel before you launch outbound.
Express vs. prior express written consent
Almost every TCPA mistake starts here: treating all consent as the same. The law recognizes two tiers, and the tier you need depends entirely on why you're calling. Getting this wrong is the difference between a clean campaign and a class action. The same tcpa consent ai logic governs your workflows whether the agent is a human or a model.
Prior express consent (PEC)
The lower tier, for non-marketing / transactional and informational AI calls — think appointment reminders, fraud or account alerts, delivery and service updates. Generally, the consumer gave you their number in connection with the matter you're calling about. It can often be oral, but you still must be able to prove it. PEC does NOT authorize marketing.
Prior express written consent (PEWC)
The higher tier, required before any AI or autodialed/prerecorded MARKETING call or text. It must be a written agreement (e-signature counts), signed by the consumer, that clearly authorizes calls/texts using an automated system or artificial/prerecorded voice to a specific number, and discloses it isn't required as a condition of purchase.
The treatment / transactional distinction
Ask: is this call's PURPOSE to sell, advertise, or promote? If yes, it's telemarketing and needs PEWC. If it's purely servicing an existing transaction or relationship (a reminder, a status, a safety alert), it can fall under PEC. Mixed-purpose calls are the danger zone — a single sales line in an "informational" call can reclassify the whole call as marketing.
Where consent lives
Valid consent is specific, documented, and tied to a number. A pre-checked box, a number harvested from a third-party list, or consent buried in unrelated terms generally will not hold up. Capture the disclosure text, timestamp, and source at the moment of opt-in and store it so you can reproduce it on demand.
Not sure if your outbound idea is TCPA-safe?
We'll walk through your use case, what consent you actually have, and whether inbound-first is the cleaner path — flat monthly, no per-minute meter, no pressure.
Which consent does your call type need?
Use this as a quick lookup, then verify the specifics with counsel. The pattern is consistent: the closer a call gets to selling, the higher the consent bar — and AI voice never lowers it. For the inbound equivalents that mostly sidestep these rules, see our solutions library.
| Likely consent needed | Notes | ||
|---|---|---|---|
| Appointment reminder to an existing patient/client | Prior express consent (PEC) | Informational; the number was given for this purpose. Healthcare reminders have a narrow allowance — keep them purely informational. | |
| "Your order shipped" / delivery update | Prior express consent (PEC) | Transactional, tied to a purchase the consumer made. | |
| Fraud / account security alert | Prior express consent (PEC) | Informational and often time-sensitive; do not bolt a sales pitch onto it. | |
| "We have a special offer for you" sales call | Prior express WRITTEN consent (PEWC) | Telemarketing. Needs a signed, specific authorization for automated/AI calls. | |
| Marketing / promotional text message | Prior express WRITTEN consent (PEWC) | Texts are treated as calls; same written-consent bar plus clear opt-out language. | |
| Cold outreach to a purchased lead list | High risk — usually NO valid consent | Third-party lists rarely carry transferable PEWC. This is where most lawsuits start. |
Opt-out and revocation: the 2025 rules that tightened everything
Consent isn't permanent. Effective April 11, 2025, the FCC's revocation rule made opting out broad and consumer-friendly: a person can revoke consent "in any reasonable manner." That means you can't force them through a specific keyword or portal — if they say "stop calling me" to your AI agent, reply STOP to a text, or tell a human rep, that counts. Designing a narrow, hard-to-find opt-out is now itself a compliance risk under these tcpa do not call expectations.
Once a valid revocation comes in, you must honor it within a reasonable time — the FCC treats that as no more than 10 business days — and the opt-out generally applies across channels tied to that request, so a "stop" on calls should also stop the related marketing texts. Your AI agent has to recognize natural-language opt-outs in the moment, log them, and propagate the suppression to every system that might dial or text that number. This is exactly the kind of cross-system honoring that's easy to get wrong if opt-outs live in three different tools that don't talk to each other; tight integrations are what make it reliable.
There's a single, narrow exception worth knowing: the rules allow a one-time confirmation message acknowledging the opt-out, as long as it doesn't include marketing and matches what the consumer previously agreed to. Beyond that, silence is the requirement. The cleanest way to never mishandle a revocation is to not be in the outbound-marketing business at all — which is why a default inbound virtual receptionist setup sidesteps most of this entirely.
Identification, calling windows, and the rest of the conduct rules
Consent gets the headlines, but a big share of TCPA and related Do-Not-Call claims come from conduct rules — when you call, what you say, and whether you scrubbed. AI agents have to follow every one of these the same way a live telemarketer would.
Identify yourself, every call
Artificial/prerecorded-voice calls must state the name of the business responsible for the call at the start, and provide a callback number (a real one a human or system answers) during or after the message. Spoofing or hiding caller ID is separately illegal under the Truth in Caller ID rules.
Respect the 8 a.m.–9 p.m. window
No telemarketing calls outside 8 a.m. to 9 p.m. in the called party's local time, based on their number's area code/location — not your office hours. Some states are stricter. Your dialer must reason about the recipient's time zone, not yours.
Scrub the Do-Not-Call lists
Before marketing calls, scrub against the National Do Not Call Registry and your internal company-specific DNC list, and keep it current. Honor internal opt-outs even for numbers not on the federal registry. Keep records of your scrubs.
Mind state mini-TCPA laws
Florida (FTSA), Oklahoma, Washington and a growing list of states add tighter windows, extra consent, or AI-specific disclosure. The strictest applicable rule controls. If you call into many states, build to the strictest, or segment by state and confirm with counsel.
Why the penalties get businesses' attention
These are statutory damages set by the TCPA itself, not MapleVoice figures — the point is that they are per-violation and they multiply. A modest list and a small mistake can become a very large number, which is the whole reason outbound consent discipline matters.
Hear what a careful, identified AI call sounds like
Transparent identification, natural opt-out handling, and a human-feel that doesn't cut corners — listen to real MapleVoice calls.
A practical path to TCPA-ready outbound AI
If you do decide to run outbound AI calls or texts, here's a defensible sequence. None of it replaces your lawyer — it's the operational scaffolding that makes their job easier and your campaign cleaner.
Classify every campaign by purpose first
Before anything else, label each call/text flow as transactional or marketing. That single decision sets your consent bar (PEC vs PEWC). Document the reasoning so it's reviewable. When a flow is genuinely mixed, treat the whole thing as marketing to be safe.
Build consent capture that produces evidence
Use clear, unbundled disclosure language at opt-in, store the exact text shown, the timestamp, the channel, and the number. Sync it to your CRM so any number your AI dials can be traced back to a provable consent record.
Wire opt-out suppression across every system
Make sure a "stop" captured anywhere — AI call, text reply, a human rep, your website — propagates to every dialer and texting tool within the reasonable-time window. One shared suppression list beats five disconnected ones.
Encode time windows, DNC, and identification into the dialer
The agent should refuse to dial outside 8 a.m.–9 p.m. local to the recipient, check DNC lists before marketing calls, and open every artificial-voice call with the responsible business name and a callback number. See how this is configured.
Have counsel review before you launch — and keep records
Get a qualified TCPA attorney to review your scripts, disclosures, consent flow, and state coverage. Then retain consent and scrub records; in a dispute, the documentation you can produce is your defense. When ready, talk to us about scoping it safely.
Inbound vs. outbound: very different TCPA exposure
The single biggest lever on your TCPA risk is direction of the call. When the consumer calls you, the consent question largely answers itself. When you call them, the full framework switches on. This is why MapleVoice defaults to inbound answering.
| Inbound (consumer calls you) | Outbound (you call the consumer) | ||
|---|---|---|---|
| Core TCPA consent rules | Largely not triggered — they initiated contact | Fully triggered — PEC or PEWC required by purpose | |
| AI-voice / prerecorded restriction | Generally not the same concern on a call they placed | Applies directly — AI voice = artificial/prerecorded | |
| Calling-time windows | Not applicable — they chose when to call | 8 a.m.–9 p.m. recipient-local, plus state rules | |
| Opt-out / revocation handling | Honor any do-not-contact request as a courtesy + DNC | Mandatory, any reasonable manner, within ~10 business days | |
| Typical posture | Answer, qualify, book, route — low TCPA exposure | Requires consent program, records, counsel review |
Texts count as calls
It surprises people, but courts and the FCC treat SMS and MMS as "calls" for TCPA purposes. That means the tcpa text message rules mirror the voice rules: marketing texts need prior express written consent, every campaign needs a clear opt-out (STOP), and a revocation by text or by voice should suppress both channels. If you're scripting outbound text flows, the same purpose-classification discipline from the call-flow templates applies — and a single non-consented promotional text is its own $500 violation.
Best practices that keep you out of trouble
Beyond the black-letter rules, a handful of habits separate operators who sleep well from those who get sued. Most cost nothing but discipline.
Default to inbound-first
The simplest TCPA risk reduction is to let the consumer initiate. An AI answering service that captures, qualifies, and books inbound calls delivers most of the business value of automation with a fraction of the outbound legal surface.
Be transparent that it's AI
Identify the business and, increasingly, the fact that the caller is an automated agent. Transparency aligns with state AI-disclosure trends and builds trust — and a well-tuned agent doesn't need to hide what it is. You can hear that balance on real calls.
Keep marketing and servicing separate
Don't smuggle an offer into an appointment reminder. Mixed-purpose calls reclassify to marketing and need PEWC. Run distinct flows so each carries the right consent and the right disclosures.
Document everything, retain it long
Consent records, disclosure text, scrub logs, opt-out timestamps. TCPA claims can arrive long after the call. Store records where you can pull them fast — your CRM and calendar stack is the natural home.
How MapleVoice is positioned on all this
We're not a TCPA compliance vendor and we won't pretend the law is simpler than it is. Here's our honest posture so you know exactly what you're getting — and where your responsibility starts. See our pricing for the flat-monthly model referenced below.
| MapleVoice | What stays yours | ||
|---|---|---|---|
| Primary mode | Inbound-first answering — the lowest-TCPA-exposure setup | Deciding whether to run any outbound at all | |
| Identification | Agents identify the business and can disclose they're AI | Approving the exact script and disclosure language | |
| Opt-out handling | Recognizes and logs natural-language do-not-contact requests | Owning the suppression policy across all your systems | |
| Consent | We don't manufacture consent — we work with what you have | Collecting, proving, and storing valid PEC/PEWC | |
| Pricing | Flat monthly, no per-minute meter | Your legal review and final TCPA sign-off |
“We came in wanting outbound AI calls. They walked us through the consent reality, showed us an inbound-first setup that did 90% of what we needed, and saved us a compliance headache.”Illustrative
Talk through your use case with a human
Tell us what you're trying to do. We'll show you the inbound-first path that gets the business result with far less legal surface — and flag where you'll want your own counsel.