Are AI Voice Calls Legal? Compliance and Consent Guide (2026)

TL;DR

AI voice calls are legal if you get the right consent, disclose AI usage, scrub against DNC lists, and achieve A-level STIR/SHAKEN attestation. Marketing calls require prior express written consent. Informational calls require prior express consent. Penalties reach $500 to $1,500 per call under the TCPA with no cap, and DNC violations can hit $53,088 per call under FTC enforcement. This guide walks through every federal and state requirement so you can deploy AI voice agents without legal risk in 2026.

What Are AI Voice Calls?

AI voice calls are telephone calls where an artificial intelligence system generates or delivers speech using text-to-speech synthesis, voice cloning, or large language models. Unlike traditional pre-recorded messages that play a static audio file, AI voice calls can hold dynamic conversations, respond to questions, and adapt their responses in real time.

The FCC defines an "AI-generated call" as any call that uses computational technology, machine learning, predictive algorithms, or large language models to produce voice content and communicate with a called party over an outbound telephone call. This definition is broad enough to cover:

• Text-to-speech (TTS) systems that convert written scripts into spoken audio
• Voice cloning tools that replicate a specific person's voice
• Conversational AI agents that use LLMs to generate and speak responses dynamically
• Hybrid systems where AI handles part of a call and a human handles the rest

If any portion of the call uses AI-generated voice, the entire call falls under AI voice regulations.

Why AI Voice Call Compliance Matters

The financial and legal stakes for non-compliant AI voice calls are severe, and enforcement is accelerating.

Statutory penalties are uncapped. The TCPA allows consumers to claim $500 per violation for negligent violations and $1,500 per willful violation, with no aggregate cap. A 10,000-call campaign with compliance failures creates $15 million in potential exposure.

DNC violations carry separate penalties. Calling numbers on the Do Not Call registry costs up to $53,088 per call under FTC enforcement guidelines (adjusted annually for inflation).

Regulators are actively pursuing AI-specific cases. In 2024, the FCC issued a $6 million forfeiture order against the individuals behind the Biden deepfake robocalls that targeted New Hampshire primary voters. The FTC launched Operation AI Comply, a coordinated enforcement sweep targeting companies using AI for deceptive practices. Lingo Telecom settled with the FCC for $1 million for transmitting spoofed AI-generated robocalls.

Carrier-level blocking can kill your campaigns. Without proper STIR/SHAKEN attestation, carriers flag and block your calls before they reach the recipient. A low attestation level (C-level) means only 25% to 45% of your calls actually connect.

Compliance directly determines whether your AI voice calls reach real people or get blocked at the carrier level.

The Federal Legal Framework for AI Voice Calls

AI voice calls in the US are governed by four overlapping federal frameworks. Understanding each one is essential before making a single call.

The TCPA (Telephone Consumer Protection Act)

The TCPA is the foundational law governing AI voice calls. After the FCC's February 2024 Declaratory Ruling, AI-generated voices are classified as "artificial or prerecorded voice" under the TCPA. This closed the loophole that companies might have exploited by arguing that AI-generated speech is neither artificial nor prerecorded.

The TCPA establishes two consent tiers:

• Prior Express Consent (PEC): Required for informational calls (appointment reminders, delivery notifications, account alerts). The consumer must give verbal or written permission to receive calls at their number.
• Prior Express Written Consent (PEWC): Required for marketing or telemarketing calls. The consumer must sign a clear, written agreement that specifically authorizes the calls, identifies the caller, and discloses that AI-generated voice may be used. Pre-checked boxes and buried fine print do not count.

Key TCPA rules for AI voice calls:

• Consent is company-specific. Consent given to Company A does not transfer to Company B. Each entity must obtain its own consent.
• Consent can be revoked at any time through any reasonable method, including saying "stop calling me" during an AI call.
• Established Business Relationships (EBR) do not exempt AI calls. Even if a customer bought from you last week, the AI voice itself triggers the consent requirement.
• Consent records must be retained for at least 5 years after the last call made under that consent.

The FCC's February 2024 Declaratory Ruling

This ruling specifically confirmed that the TCPA's restrictions on "artificial or prerecorded voice" encompass current AI technologies that generate human voices. The ruling was unanimous across all FCC commissioners, signaling strong regulatory consensus.

Any call where AI generates the voice requires the same consent as a traditional robocall, regardless of how advanced or human-sounding the AI is.

FCC Proposed AI-Specific Rules (NPRM)

In July 2024, the FCC issued a Notice of Proposed Rulemaking (NPRM) that would add AI-specific requirements beyond the existing TCPA framework:

• In-call disclosure: Callers using AI-generated voices must disclose at the beginning of each call that the call uses AI technology.
• Separate AI consent: Consent for AI-generated calls must be obtained separately from consent for human-made calls.
• Caller identification: AI calls must provide information enabling the called party to identify the person or entity initiating the call.

These rules are not yet finalized as of mid-2026, but the FCC has signaled they are a priority. Best practice is to comply now rather than scramble when they take effect.

STIR/SHAKEN Call Authentication

STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted Information Using toKENs) is the FCC-mandated call authentication framework that determines whether carriers deliver or block your AI calls.

There are three attestation levels:

For AI voice campaigns, anything below A-level attestation means a significant portion of your calls never reach the intended recipient. Work with your voice service provider to ensure full attestation on every outbound AI call. Our guide on how to choose a voice agent platform covers what to evaluate.

Know Your Upstream Provider (KYUP) Rules

On May 20, 2026, the FCC adopted its KYUP proposal extending due-diligence obligations across the entire call path. Downstream providers must now vet the upstream providers from which they accept traffic.

The proposal requires five baseline measures: information collection, compliance review, information verification, monitoring, and responsive action. If you are building on a voice AI platform, verify that your provider chain is KYUP-compliant. The liability flows downstream.

How to Make AI Voice Calls Legally (Step-by-Step)

Follow this sequence before launching any AI voice campaign. Skipping a step creates liability exposure. This step-by-step framework is best for teams deploying AI voice agents for the first time and need a repeatable compliance checklist.

Step 1: Classify Your Call Purpose

Determine whether each call is informational or marketing/telemarketing. This classification dictates the consent level required.

• Informational: Appointment reminders, order status updates, account security alerts, service outage notifications, customer support calls
• Marketing/Telemarketing: Sales pitches, promotional offers, lead qualification, upsells, event invitations with a sales component

When in doubt, classify as marketing. The penalty for under-classifying is the same as having no consent at all.

Step 2: Obtain the Correct Level of Consent

For informational calls, collect Prior Express Consent (PEC):

• Verbal agreement recorded and stored
• Written opt-in via web form, email, or text
• Must specify the phone number to be called

For marketing calls, collect Prior Express Written Consent (PEWC):

• A signed written agreement (electronic signatures qualify)
• The agreement must clearly identify the calling party
• It must disclose that AI-generated voice technology may be used
• It must state that the consumer is authorizing telemarketing calls
• It must not be a condition of purchasing goods or services
• Pre-checked consent boxes are invalid

Store all consent records for a minimum of 5 years after the last call placed under that consent.

Step 3: Scrub Against DNC Registries

Before placing any call, scrub your contact list against:

• The National Do Not Call Registry (scrub at least every 31 days)
• Your company's internal DNC list (updated in real time as opt-outs come in)
• State-specific DNC registries (34 states maintain separate lists as of 2026)

Even with valid consent, calling a number on the DNC registry for marketing purposes violates federal law unless the consumer gave you specific written permission.

Step 4: Configure AI Disclosure and Identification

Program your AI voice agent to:

• Disclose AI usage at the start of every call. Best practice: "This call is being conducted by an AI assistant on behalf of [Company Name]."
• Identify the calling business by name within the first few seconds.
• Provide a callback number where the consumer can reach a human.

Step 5: Implement Opt-Out Handling

Your AI agent must:

• Recognize opt-out phrases like "stop calling me," "remove me from your list," "I don't want these calls," and "do not call"
• Immediately honor the request and end the call
• Add the number to your internal DNC list within the same business day
• For text messages, recognize STOP, QUIT, UNSUBSCRIBE, CANCEL, and END

Step 6: Comply With Calling Windows

The TCPA restricts calling hours to 8:00 AM to 9:00 PM in the recipient's local time zone. Several states impose tighter windows:

• Florida: 8:00 AM to 8:00 PM
• Some states: Restrict weekend and holiday calls

Always calculate calling windows based on the recipient's time zone, not yours.

Step 7: Verify STIR/SHAKEN Attestation

Confirm with your voice service provider that your outbound AI calls receive A-level attestation. Request documentation showing their STIR/SHAKEN certification status and Robocall Mitigation Database filing.

Step 8: Document Everything

Maintain records of:

• Consent collection (method, timestamp, content of disclosure)
• DNC scrub dates and results
• Call logs with timestamps, durations, and outcomes
• Opt-out requests and processing timestamps
• AI disclosure scripts used on each campaign

State Laws That Add Extra Requirements

Federal TCPA rules set the floor, not the ceiling. Several states impose additional requirements that apply on top of federal law.

Which States Require Two-Party Consent for Call Recording?

If your AI voice agent records calls, you need consent from all parties in these states: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. Most other states follow one-party consent rules, but best practice is to disclose recording to all callers regardless of state.

How Does Illinois BIPA Affect AI Voice Systems?

If your AI system processes voiceprints for speaker identification or authentication, Illinois BIPA (Biometric Information Privacy Act) requires written consent before collecting biometric identifiers. Penalties are $1,000 per negligent violation and $5,000 per intentional violation.

Illinois amended BIPA in August 2024 (SB 2979) so that collecting the same biometric identifier from the same person by the same method counts as a single violation rather than per-scan.

What Does the Colorado AI Act Require?

Colorado's SB 24-205 was originally set for a June 30, 2026 effective date. However, in May 2026 the state signed replacement legislation (SB 26-189) that scales back the original requirements in favor of a narrower notice-and-transparency framework. The replacement law takes effect January 1, 2027, with enforcement contingent on attorney general rulemaking.

What Are Florida's AI Voice Call Rules?

Florida requires AI-specific written consent for automated voice calls regardless of federal interpretations. The Fifth Circuit's Bradford decision (February 2026), which held that only "prior express consent" rather than written consent is needed, does not override Florida's stricter state requirement.

What Emerging State Legislation Should You Monitor?

As of early 2026, Texas, Georgia, Pennsylvania, and New York all have AI voice proposals in their legislative pipelines. These proposals focus on voice cloning transparency, synthetic-voice identifiers, and mandatory AI-agent notification tones. Monitor your target states' legislative activity quarterly.

What Are the Most Common AI Voice Compliance Mistakes?

These are the compliance failures that generate the most lawsuits and enforcement actions:

• Assuming an EBR exempts AI calls. An established business relationship exempts you from DNC rules for manual calls, but it does NOT exempt AI voice calls from consent requirements. The AI voice itself triggers the obligation.
• Using blanket consent forms. Consent must be given to a single, specific company. A form that obtains consent for "Company A and its partners" is not valid PEWC for the partners.
• Ignoring state-level requirements. A campaign legal under federal TCPA can still violate Florida's written consent rules or Illinois BIPA.
• Failing to disclose AI usage. Even before the FCC finalizes its in-call disclosure rules, failing to disclose creates risk under state consumer protection and deceptive practices statutes.
• Scrubbing DNC lists too infrequently. The 31-day scrub cycle is a maximum, not a suggestion. Numbers get added to the DNC registry daily.
• Not retaining consent records. If a consumer sues and you cannot produce consent documentation, you lose. The 5-year retention period is mandatory.
• Treating B2B calls as fully exempt. B2B calls to business landlines are exempt from the National DNC Registry, but calls to an employee's personal cell phone are not. Many business contacts list cell numbers.

How Do AI Voice Calls Differ From Traditional Robocalls?

AI voice calls and traditional robocalls share the same legal classification under the TCPA, but they differ in ways that affect compliance strategy.

Traditional robocalls play a pre-recorded audio file, much like legacy IVR systems. The message is fixed, and the "artificial or prerecorded" classification is straightforward.

AI voice calls use real-time speech generation powered by a multi-stage architecture pipeline. The content changes based on the conversation, which creates unique compliance considerations:

• Dynamic consent scope: If your AI agent deviates from the consented purpose (informational) into sales territory during a call, you may violate consent requirements mid-conversation.
• Recording obligations: AI calls that adapt in real time generate unique content on every call. You need to log or record what was actually said, not just the script template.
• Disclosure timing: With traditional robocalls, the entire message is known in advance. With AI calls, the disclosure must happen before the dynamic conversation begins.

The legal treatment is identical, but the operational compliance burden for AI voice calls is higher because of their dynamic nature.

What Tools Help With AI Voice Compliance?

A handful of platforms handle different pieces of the compliance stack.

The best AI voice agent platforms like Retell AI, Bland AI, Vapi, and Voiceflow provide the infrastructure for building and deploying AI voice agents. These handle speech generation, natural language understanding, and call management. Evaluate whether each platform supports built-in consent collection, AI disclosure scripts, and opt-out detection before committing.

Comparing AI voice agent pricing upfront helps you budget for a compliant deployment.

Compliance platforms like Gryphon, PossibleNOW, and ActiveProspect specialize in DNC scrubbing, consent management, calling-window enforcement, and audit logging. For teams running large outbound AI campaigns, pairing a voice AI platform with a dedicated compliance layer reduces the risk of human error in consent management.

Key Regulations at a Glance

For quick reference, here is a summary of the major regulatory frameworks:

What the Bradford Decision Means for AI Voice Calls

In February 2026, the Fifth Circuit decided Bradford v. Sovereign Pest Control of Texas, Inc., holding that the TCPA's text only requires "prior express consent," not "prior express written consent," for any artificial-voice call. This created a circuit split.

What this means in practice:

• In the Fifth Circuit (Texas, Louisiana, Mississippi): Courts may only require verbal consent rather than written consent for AI voice calls.
• In the other 47 states: Federal courts continue to apply the FCC's written-consent interpretation.
• State law is not displaced. Florida, for instance, still requires AI-specific written consent regardless of any federal court interpretation.

The safest approach: always obtain Prior Express Written Consent for marketing AI calls regardless of which circuit you operate in. A circuit-split strategy that relies on the Bradford ruling creates inconsistent compliance across campaigns and increases litigation risk.