IMPORTANT: Legal Disclaimer
This is not legal advice. TCPA and call-recording rules are complex, evolve rapidly, and vary by state and jurisdiction. Consult a qualified attorney licensed in your state before deploying any AI phone answering system, especially if you make outbound calls or record calls. OnCallClerk is not a law firm, and this guide is educational only.
What Changed in 2024: The FCC Ruling on AI Voices
In February 2024, the FCC issued a significant Declaratory Ruling treating AI-generated voices as "artificial or prerecorded" under the Telephone Consumer Protection Act (TCPA). This categorization dramatically expanded compliance obligations for outbound robocalls.
What the ruling says:
- AI-generated or synthesized voices are "prerecorded" under TCPA rules
- This triggers the same consent requirements as traditional prerecorded robocalls
- Prior express written consent is required for most outbound calls to cell phones
- Time-of-day restrictions apply (8 AM to 9 PM recipient's local time)
- Caller ID must display a real business phone number (not masked, not spoofed)
- Do-not-call list obligations apply
What this means practically:
- INBOUND is mostly unaffected. If you're operating an AI receptionist that *answers* calls from customers, you're on inbound. Inbound is subject to different, generally less restrictive rules.
- OUTBOUND is heavily regulated. If your AI agent *places* calls (callbacks, follow-ups, outreach), you need prior express written consent and must comply with time-of-day restrictions.
- Consent is not implied. The fact that someone called you first does not give you blanket consent to use an AI to call them back.
The full FCC ruling is available in the official Federal Register notice.
TCPA Basics: The Four Core Rules
Even if you don't make outbound calls, understanding the TCPA framework is essential because inbound operations have compliance obligations too.
| Rule | What It Requires |
|---|---|
| Prior Express Written Consent | For outbound calls to cell phones (especially with AI/prerecorded), written consent must exist before calling |
| Do-Not-Call List Compliance | Scrub outbound lists against the National Do-Not-Call Registry and internal do-not-call lists |
| Time-of-Day Restrictions | Outbound calls only 8 AM to 9 PM in the recipient's local time zone |
| Caller ID Accuracy | Display your real business phone number; no spoofing, no masking |
Violations are expensive. The TCPA allows damages of $500 to $1,500 per call, and many suits are class-action (hundreds or thousands of affected consumers). Even a small outbound auto-dial system can attract litigation. This is not theoretical. Private attorneys regularly file TCPA suits on behalf of callers.
Inbound vs Outbound: Vastly Different Rules
This distinction is everything. Most AI phone answering services operate on inbound (you answer calls), not outbound (you make calls).
| Aspect | INBOUND | OUTBOUND |
|---|---|---|
| Prior consent | Generally not required | REQUIRED (PEC = prior express consent) |
| Time-of-day restrictions | None | 8 AM-9 PM recipient's local time |
| Do-not-call list | Not applicable | REQUIRED compliance |
| Caller ID requirements | Must display a real business number | REQUIRED: real number, no spoofing |
| Prerecorded message restrictions | Limited | Extensive |
| Recording consent | Varies by state | Varies by state |
| Typical use case | AI receptionist answering incoming calls | AI making callbacks or outreach |
Inbound compliance focus: Call recording consent (state law), caller privacy.
Outbound compliance focus: Consent, do-not-call, caller ID, time-of-day, prerecorded message rules.
If your AI phone answering service handles only inbound calls (customers call you, AI answers), your TCPA obligations are relatively straightforward. If you also make outbound calls, obligations increase significantly.
Source: Estimated risk exposure based on FCC ruling and typical litigation patterns
State-by-State Call Recording Laws
If you record calls (which most AI phone platforms do, for quality and dispute resolution), you must comply with state recording-consent laws. This is separate from TCPA but equally important.
The US is split into two categories: one-party-consent and all-party-consent states.
One-party-consent states (38 states): You may record a call if at least one party (you) consents. The other party(ies) don't need to know or agree. You can record inbound calls from customers without their explicit permission.
All-party-consent states (12 states): Every party to the call must consent to recording. You must inform callers that you're recording and get affirmative consent before recording.
Source: NRMC recording-consent map, current as of 2026
The 12 all-party-consent states:
- California
- Connecticut
- Delaware
- Florida
- Illinois
- Maryland
- Massachusetts
- Montana
- Nevada
- New Hampshire
- Pennsylvania
- Washington
If you take inbound calls from customers in any of these states, you must disclose recording and get consent. Typical disclosure: *"This call may be recorded for quality and training purposes. By continuing, you consent to recording."*
If a caller is in an all-party-consent state and you record without consent, you've violated state wiretapping law. The penalties are steep, often $500-$1,000 per violation plus criminal liability in some states.
Recording Consent: The Practical Setup
| Your Call Pattern | Required Disclosure |
|---|---|
| Inbound only, customers in one-party-consent state | Optional but recommended ("This call may be recorded...") |
| Inbound, customers in all-party-consent state | REQUIRED before recording begins |
| Outbound callbacks from captured inbound leads | REQUIRED in all-party-consent states; recommended in all others |
| Outbound proactive outreach (marketing, surveys) | REQUIRED everywhere + TCPA outbound compliance (consent, do-not-call, etc.) |
Recommended setup for inbound-only operations: Add a greeting that discloses recording upfront. Example:
*"Thanks for calling OnCallClerk. This call may be recorded for quality and training purposes. Press 1 to continue, or hang up to exit."*
This single disclosure covers one-party-consent states and satisfies the consent requirement in all-party-consent states (by-continuing-you-consent pattern).
For outbound calls in all-party-consent states, disclosure must happen *before* any substantive conversation. An interactive greeting that asks consent works.
Do-Not-Call List Obligations (Outbound Only)
If you place outbound calls or callbacks, you're subject to the National Do-Not-Call Registry.
| Rule | Details |
|---|---|
| Scrub before calling | Remove numbers registered on the National Do-Not-Call Registry (www.donotcall.gov) |
| Scrub frequency | At least every 31 days for continuous outbound campaigns |
| Internal do-not-call list | Maintain a list of callers who've asked not to be called again |
| Respect requests immediately | If someone says "put me on do-not-call," remove them within 30 days |
| Penalties | Up to $43,000+ per violation |
Exceptions: Do-not-call rules don't apply to:
- Calls from political organizations, charities, or surveys
- Calls to existing customers (though they can still ask not to be called)
- Calls where prior express written consent exists
If you're running an inbound-only operation (customers call you, AI answers, you call them back), the do-not-call obligation applies only to outbound callback calls, not to the original inbound call.
Caller ID and Number Registration
Whether inbound or outbound, your phone number must pass caller ID verification.
Requirements:
- Display your real business phone number, not a masked number or random pool number
- Register your business with STIR/SHAKEN-compliant number registries
- Avoid numbers with poor reputation (previously used for spam or robocalls)
Practical implications:
- Use a dedicated business phone number for your AI agent
- Register the number with FCC-approved caller ID verification services (most major carriers offer this)
- If you use a white-label platform, ensure the provider is handling registration correctly
Numbers that fail caller ID verification are increasingly flagged as spam by carriers and consumer apps (Hiya, Truecaller, AT&T Call Protect). This kills inbound customer calls.
The Practical Operator Checklist
If you're operating an AI phone answering service, here's what you should verify:
| Item | For Inbound Only | For Inbound + Outbound |
|---|---|---|
| Call recording disclosure | Add disclosure greeting | Add disclosure greeting + consent capture on outbound |
| All-party-consent states | Ensure disclosure before recording starts | Ensure disclosure before recording starts |
| Caller ID registration | Register number with carrier verification services | Register number with carrier verification services |
| Do-not-call scrubbing | N/A | Scrub outbound lists before calling; maintain internal DNC list |
| Time-of-day enforcement | N/A | Enforce 8 AM-9 PM recipient's local time on all outbound |
| Prior express consent | For callbacks, document consent from original inbound call | For outbound campaigns, obtain written consent beforehand |
| Legal review | Have attorney review inbound operation | Have attorney review full operation including outbound rules |
| Call recording retention | Comply with retention policies (typically 3-7 years for business records) | Comply with retention policies |
| HIPAA/PCI considerations | If handling health/payment data, see next section | If handling health/payment data, see next section |
PCI and HIPAA: Brief Callouts
Two regulatory frameworks overlap with AI phone answering:
PCI DSS (Payment Card Industry Data Security Standard):
- If your AI asks for credit card information (payment, booking deposit), you must comply with PCI Level 1 standards
- Recording calls that contain card data is risky and typically violates PCI rules
- Better to avoid collecting card data on AI calls; transfer to a compliant payment system instead
- This is complex; consult a PCI-compliance specialist if you're collecting payments
HIPAA (Health Insurance Portability and Accountability Act):
- If your AI handles patient data or health information (appointments, symptoms, prescriptions), HIPAA applies
- HIPAA has specific requirements for call recording, data handling, and breach notification
- Medical practices should have their attorney review HIPAA compliance before deploying any AI phone system
Both of these deserve full separate posts, not summary callouts. If you operate in healthcare or payments, get legal review before recording calls.
State Variations: An Attorney Checklist
Beyond the 12 all-party-consent states, several states have additional phone-call rules:
- New York: Has specific anti-robocall rules and caller ID requirements
- Texas: Has additional telemarketing restrictions
- Michigan: Requires consent for robotext and certain robo-calls
- Various states: Have specific business-licensing requirements for telemarketing operations
The safest approach: Have an attorney licensed in your home state review your operation before going live, especially if you're making outbound calls.
Penalties for Violations
The TCPA is a private right of action, meaning individual callers can sue you without waiting for government enforcement. Typical damages:
| Violation Type | Penalty Per Call | Example |
|---|---|---|
| Outbound call without consent | $500-$1,500 | 100 calls without consent = $50,000-$150,000 |
| Outbound call outside 8-9 PM window | $500-$1,500 | 50 calls outside window = $25,000-$75,000 |
| Call to do-not-call number | $500-$1,500 | 20 calls = $10,000-$30,000 |
| Recording without consent (state law) | $500-$1,000+ (per state) | Varies by state; can include criminal liability |
| Spoofed or false caller ID | $500-$1,500 | Can reach $100,000+ in class-action |
These are not per-incident penalties; they're per-call penalties. A single campaign with 500 outbound calls without proper consent can expose you to $250,000-$750,000 in liability.
Most platforms and operators insurance policies exclude TCPA violations, so you're personally liable. This is worth taking seriously.
FAQ
Is my inbound AI receptionist legal?
Almost certainly yes, if you disclose call recording. Most AI receptionist operations are inbound (customers call you). Inbound is subject to TCPA's lighter regime. You need to:
- Disclose that calls may be recorded
- Comply with state call-recording consent laws (especially in the 12 all-party-consent states)
- Keep your caller ID accurate and registered
Consult an attorney to be certain, but inbound-only operations are generally safe from TCPA liability.
Can my AI make outbound callbacks to customers?
Yes, if you have prior express written consent. When a customer calls your inbound AI and leaves a message requesting a callback, they're giving you implied consent. You can call them back. For outbound callback calls, still disclose recording and respect time-of-day restrictions.
If you're making outbound calls to lists you've purchased or prospects you haven't talked to, you need written consent in advance. This is much more restrictive.
Do I need written consent from every caller?
For inbound-only operations: No. Callers are calling you, so they're consenting to communication. For recording, you need to disclose (especially in all-party-consent states), but explicit written consent isn't required for inbound.
For outbound: Yes, generally. Prior express written consent must exist before you call, especially for AI/prerecorded calls or to cell phones.
What about international calls?
Don't. If you're operating an AI phone service in the US, only take calls from US numbers. International calling rules are fragmented and complex (EU GDPR, Canada's CASL Act, etc.). Most small operators exclude international calls entirely.
If someone asks not to be called again, what do I do?
Add them to your internal do-not-call list immediately. Honor the request within 30 days. For inbound-only operations, you're unlikely to call them back anyway unless they request it.
What if I accidentally record someone in an all-party-consent state without disclosing?
You've created potential liability. Notify the caller, delete the recording, document the mistake, and consult an attorney. A single accidental violation is unlikely to trigger litigation, but patterns of non-compliance are prosecutable. The best defense is proactive disclosure to everyone upfront.
Do I need to register with the FCC?
Not directly. The FCC doesn't require registration of AI phone agents or businesses using them. However, if you're making automated outbound calls or robocalls, you may need to register with the FCC's Robocall Mitigation Database. Consult your platform provider or an attorney about whether you fall into this category.
Attorney Consultation Checklist
Before deploying any AI phone answering service, especially if you make outbound calls, get answers to these questions from a licensed attorney:
- ✅ Does my inbound operation comply with call-recording laws in my state and all states where I take calls?
- ✅ If I make outbound calls, what kind of consent do I need?
- ✅ Am I subject to do-not-call scrubbing and compliance?
- ✅ What caller ID registration requirements apply?
- ✅ Do any industry-specific regulations (HIPAA, PCI, etc.) affect my operation?
- ✅ What documentation should I maintain to defend against TCPA claims?
- ✅ Should I obtain insurance coverage specifically for TCPA/telemarketing risks?
- ✅ Are there state-specific rules I'm missing?
Resources
- FCC Declaratory Ruling on AI Robocalls — The official 2024 ruling
- FTC Telemarketing Sales Rule — Outbound call rules
- National Do-Not-Call Registry — Scrub lists here
- FCC Robocall Mitigation Database — Registration for automated calls
- NRMC Recording Consent Laws Map — State-by-state recording consent reference
- American Bar Association - TCPA Resources — General legal research
Bottom Line
AI-generated voices are now legally treated as prerecorded, triggering the TCPA's strict outbound rules. If you operate an inbound-only AI receptionist that answers customer calls, you're in relatively safe territory as long as you disclose call recording and comply with state recording-consent laws. If you make outbound calls, you must have prior express written consent, scrub do-not-call lists, enforce time-of-day restrictions, and comply with caller ID rules.
Either way, consult a qualified attorney before deploying any AI phone answering system. TCPA violations are expensive, private-right litigation is common, and the rules evolve rapidly.
Use the Compliance Checklist and Privacy Policy as starting points, but get professional legal review for your specific operation.
Keep Reading
- AI Receptionist Call Transfers: When To Transfer vs Capture-and-Callback — How to route calls compliantly
- AI Receptionist Phone Numbers: Forward, Port, or Get a New One? — Caller ID and number setup
- How to Forward Calls to AI — Technical setup for your phone forwarding
- Privacy Policy — OnCallClerk's data handling and recording policies
- Data Processing Agreement — For HIPAA and other regulatory compliance
- How It Works — Overview of AI receptionist call handling