TCPA, Consent, and AI Calls: What US Teams Should Document in 2026
Non-legal primer on TCPA, FCC rules, state recording consent, and DNC registry compliance for AI voice agents in US sales and marketing. Checklist included.
Disclaimer up front
This article is not legal advice. It is an operational checklist written for US revenue ops teams deploying AI voice agents in 2026. Rules change, state attorneys general get creative, and your specific fact pattern matters. Talk to qualified telecom counsel before you launch. That said, most compliance failures are not exotic edge cases — they are teams skipping basic documentation. That is what this article helps fix.
The four rule sets every US AI call program must respect
1. **TCPA (Telephone Consumer Protection Act).** The big one. Governs autodialed calls, prerecorded messages, and (since 2024) AI-generated voice calls. Enforced by the FCC and through a private right of action that has funded thousands of class-action lawsuits.
2. **FCC rules on AI-generated voice.** In February 2024, the FCC ruled that AI-generated voices in robocalls are “artificial” voices under TCPA. That means the same consent rules apply — arguably with a higher standard.
3. **State two-party consent recording laws.** California, Florida, Illinois, Massachusetts, Maryland, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington require all parties to consent to recording. A one-party-consent federal framework does not save you if the lead is in California.
4. **National Do Not Call Registry (DNC).** Residential numbers listed on the DNC are off-limits for telemarketing calls unless you have prior express written consent or an established business relationship.
What counts as “prior express written consent” under TCPA
For autodialed or AI calls to cell phones for marketing purposes, TCPA requires **prior express written consent**. That is a specific legal term. It means:
- The consent is in writing (a physical signature, electronic signature, or clear checkbox counts).
- The consent clearly discloses that the consumer will receive **automated calls or texts**.
- The consent is not a condition of purchase (you cannot require it to buy your product).
- The consent identifies the specific company that will be calling.
In practice, that looks like a lead capture form with a checkbox that says something like:
> *By checking this box, I agree that BookFlow AI and its partners may contact me via automated phone calls and text messages at the phone number I provided, including by AI voice agents, about products and services. I understand this consent is not required to make a purchase.*
If your current lead forms do not have that language, every AI call you place to cell phones is at risk.
What is the penalty for TCPA violations?
The TCPA allows statutory damages of **$500 per violation**, trebled to $1,500 per violation for willful violations. That is per call. A 10,000-lead campaign where consent was sloppy is a $5 million–$15 million exposure before you even factor in class-action multipliers.
This is not theoretical. TCPA class actions against Facebook, Uber, and Capital One have settled for tens of millions of dollars. The only reliable defense is documented, auditable consent.
The minimum operational checklist
Before you go live with any AI voice program calling US consumers or cell phones, document the following:
1. Lead source provenance
For every lead your AI will call, you must know:
- Where the lead came from (form URL, partner, list purchase, referral)
- What the consent language said at the moment of capture
- The IP address, timestamp, and user agent of the consent action
- Whether the consent specifically mentioned AI/automated calls
Store this in an immutable audit log. Do not rely on “we always use the same checkbox” — form versions change and plaintiffs will request git history.
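One way to make the consent log tamper-evident is a hash chain, where each entry commits to the one before it. This is an added example, not BookFlow AI code; the function names, the record fields, and the keyword check for automated-call language are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used as "previous hash" for the first entry


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_consent(log, source, consent_text, ip, timestamp, user_agent):
    """Append one consent event and return the new entry's chain hash."""
    text = consent_text.lower()
    record = {
        "source": source,              # form URL, partner, list purchase, referral
        "consent_text": consent_text,  # exact wording shown at the moment of capture
        "ip": ip,
        "timestamp": timestamp,
        "user_agent": user_agent,
        # Assumed heuristic: flags wording that names automated or AI calls.
        "mentions_automated": "automated" in text or "ai voice" in text,
    }
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry["hash"]


def verify_chain(log):
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return -1


# Constructed sample data: documentation IP ranges and example.com form URLs.
LOG = []
append_consent(LOG, "https://example.com/demo-form?v=3",
               "I agree to receive automated phone calls and texts, including by AI voice agents.",
               "203.0.113.7", "2026-01-15T14:02:11Z", "Mozilla/5.0 (constructed)")
append_consent(LOG, "https://example.com/webinar-form?v=1",
               "I agree to be contacted about products and services.",
               "198.51.100.23", "2026-01-16T09:30:00Z", "Mozilla/5.0 (constructed)")
```

The chain only detects edits and deletions if the latest hash is also recorded somewhere the log writer cannot modify, such as write-once storage or a separate system. Otherwise an insider can rewrite a record and recompute every hash after it.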
2. DNC scrubbing
Scrub every outbound list against:
- The National Do Not Call Registry (updated at least monthly — BookFlow does this automatically)
- Your internal DNC list (leads who have requested no contact)
- State-specific DNC lists where applicable
Log the scrub timestamp and the list version used.
3. Identity disclosure at the start of every call
The FCC requires that automated callers clearly identify themselves at the start of the call. BookFlow AI opens every call with a configurable identity script — make sure yours includes:
- The name of the business on whose behalf the call is being made
- A statement that this is an automated/AI-assisted call
- An immediate way for the recipient to opt out
4. Recording consent in two-party states
If the lead is in a two-party consent state (based on area code or collected timezone), the AI must disclose recording at the start of the call and get explicit consent. Example: *This call may be recorded for quality and training purposes — do you consent to continue?*
5. Opt-out honoring
When a lead says “stop,” “remove me,” “do not call,” or similar, the AI must:
- End the call respectfully within a few seconds
- Mark the lead as DNC in your CRM
- Propagate the DNC to all connected systems (email, SMS, other dialers)
- Honor the DNC for at least 5 years (TCPA requirement)
6. Data retention and deletion policies
Document what you keep, for how long, and why. Transcripts, recordings, phone numbers, consent records — each has its own retention logic. Publish a clear privacy policy and align operational reality to it.
How BookFlow AI helps
BookFlow AI bakes in the following defaults for US deployments:
- Identity disclosure at the start of every call (configurable script)
- Recording-consent prompt in two-party states (automatic based on lead area code)
- DNC registry scrubbing before every dial
- Opt-out detection and immediate call termination
- Audit log of every dial, consent check, and opt-out event
These defaults do not substitute for legal review, but they mean the operational basics are handled correctly out of the box.
Common mistakes
- **Assuming opt-in on one form covers all brands.** Consent is specific to the company named in the disclosure. If you operate multiple brands, you need consent for each one.
- **Ignoring B2B exemptions you do not actually qualify for.** TCPA exemptions for B2B calls are narrow and fact-specific. Do not assume.
- **Treating DNC as a one-time scrub.** Scrub before every campaign, not once a quarter.
- **Not propagating opt-outs across systems.** If a lead opts out of calls but keeps getting emails, your defense gets harder.
Talk to counsel
Again: this is not legal advice. If you are running US outbound at any scale, engage qualified telecom/privacy counsel before launch. The ROI on a $5,000 legal review compared to a $5M class action is obvious.
For product questions about how BookFlow AI handles compliance defaults, contact us.