Guides
A practical guide to TCPA compliance for revenue teams using AI voice agents for outbound follow-up. Covers the FCC's AI voice ruling, one-to-one consent rule, DNC requirements, calling windows, recording consent, and a ready-to-use compliance checklist.
Last updated
If your revenue team uses AI voiceAI voiceAn artificially generated, natural-sounding voice produced by a TTS model. Thoughtly supports a library of AI voices and brand-specific cloning. agents for outbound calls — speed-to-lead follow-ups, appointment confirmations, re-engagement campaigns, or renewal reminders — the Telephone Consumer Protection ActTCPAUS federal law governing telemarketing calls and SMS. Thoughtly enforces consent capture, time-of-day windows, and DNC scrubbing automatically. (TCPA) applies to every dial. The consequences of getting it wrong are not abstract: statutory damages of $500 to $1,500 per call, class action exposure, and carrier-level blocking that can shut down your outbound program overnight.
This guide walks through what the TCPA actually requires for AI-powered outbound calling, what changed with the FCC's 2024 rulings on AI-generated voices and one-to-one consent, and how to build a defensible compliance workflowWorkflowAn automated, multi-step process — usually triggered by an event (form fill, new lead) and orchestrating one or more voice / SMS / email actions. without slowing down your pipeline.
The TCPA (47 U.S.C. § 227) was enacted in 1991 to protect consumers from unsolicited telemarketing calls. It has been updated multiple times — and in 2024, the FCC issued two rulings that directly affect AI voice agent deployments.
On February 8, 2024, the FCC issued a Declaratory Ruling (FCC-24-17) confirming that AI-generated voices — including text-to-speech systems — qualify as "artificial or prerecorded voice" under the TCPA. This means any call that uses an AI voice agent to deliver a message requires the same level of consent as a traditional robocall.
This applies regardless of how natural the voice sounds. If the voice is generated by software rather than spoken live by a human, the TCPA's consent requirements apply.
The TCPA distinguishes between two types of consent, depending on the purpose of the call:
| Consent type | When required | What it means |
|---|---|---|
| Prior Express Consent (PEC) | Informational or transactional calls (appointment reminders, order updates, account alerts) | The consumer has given permission to be called at the number in question. Oral consent or providing their number in a form can suffice. |
| Prior Express Written Consent (PEWC) | Telemarketing or advertising calls (sales follow-ups, promotional offers, re-engagement campaigns) | A signed written agreement (electronic signatures count) that clearly authorizes calls from a specific seller, includes the phone number, and discloses that the consumer may receive autodialed or prerecorded calls. |
Most AI outbound calling for lead conversion falls into the PEWC category. Even if the lead filled out your form, if the follow-up call includes any sales or promotional content, you need prior express written consent — not just an implied opt-in.
In December 2023, the FCC adopted a Second Report and Order that closed the "lead generator loophole." Previously, a single consent checkbox on a comparison-shopping site could authorize robocalls from dozens of sellers. Under the new one-to-one consent rule — which took effect on January 27, 2025 — each seller must obtain its own separate prior express written consent.
This rule has significant implications for teams that buy leads from aggregators or comparison-shopping sites:
For revenue teams in insurance, mortgage, real estate, home services, and other industries that rely on aggregator leads, this rule requires a careful review of how leads are sourced and what consent records accompany each lead.
Under FCC rules, consumers can revoke consent at any time using any reasonable method. A 2024 FCC Order strengthened revocation rights by requiring callers to implement opt-out requests within a reasonable time, generally interpreted as no more than 10 business days.
Your AI agent must be able to handle mid-call opt-out requests. If someone says "take me off your list" or "stop calling me," that is a valid revocation of consent. The system must log the revocation, suppress that number from future campaigns, and honor the request across all channels.
Separately from the consent framework, the FCC and FTC enforce National Do Not Call Registry rules. Telemarketing calls to numbers on the registry are prohibited unless the consumer has given prior express written consent to the specific seller.
Key requirements:
Federal TCPA rules restrict telemarketing calls to between 8:00 AM and 9:00 PM in the consumer's local time zone. Many states impose tighter windows. For example, some states prohibit calls before 9:00 AM or after 8:00 PM.
Recording consentRecording consentState-by-state legal requirement to disclose call recording. Some states require all-party consent; Thoughtly enforces the right script per state. adds another layer. The federal standard for call recording is one-party consent (only one participant needs to consent), but 11 states and the District of Columbia require all-party consent. If your AI voice agent records calls for quality assurance, training, or compliance logging — and most do — you must disclose this at the beginning of the call in all-party consent jurisdictions.
All-party consent states include California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Oregon, Pennsylvania, Vermont, and Washington. Requirements vary by state; some apply only to electronic or phone conversations. Check the specific statute for each state where you operate.
Use this checklist to audit your current outbound AI voice program.
| Area | Requirement | Status |
|---|---|---|
| Consent collection | Prior express written consent (PEWC) collected for each lead before sales or promotional calls | |
| One-to-one consent | Consent records tie to your specific organization — not a shared lead-gen checkbox | |
| Consent documentation | Consent records stored with timestamp, source URL, IP address, and exact disclosure language | |
| Consent revocation | Opt-out requests processed within 10 business days and honored across all channels | |
| National DNC scrub | Outbound lists scrubbed against the National DNC Registry within the past 31 days | |
| Internal DNC list | Internal do-not-call list maintained and honored indefinitely | |
| Calling windows | Outbound calls restricted to 8 AM – 9 PM in the consumer's local time zone (or stricter state rules) | |
| Recording disclosure | Recording consent disclosure delivered at the start of calls in all-party consent states | |
| AI disclosure | Agent identifies itself and the business within the first few seconds of the call | |
| Mid-call opt-out | AI agent can recognize and process opt-out requests during the conversation | |
| Suppression propagation | Opt-outs propagate across voice, SMS, email, and any other outbound channel | |
| Record retention | Call recordings, transcripts, and consent records retained for at least 5 years |
Thoughtly is not a compliance certification body — no platform can guarantee regulatory compliance for your specific use case. But Thoughtly builds compliance-supporting features into the product so teams can implement defensible workflows without bolting on third-party tooling. Here is what is available in the platform today, as documented in the Thoughtly product docs.
Thoughtly's consent mode setting lets you choose between universal suppression (if a contact opts out on any channel, all outbound is blocked) or granular suppression (per-channel enforcement). Suppression entries are created automatically when a contact sends a standard opt-out keyword like STOP, UNSUBSCRIBE, or CANCEL, or manually by an admin. Every suppression entry logs the identifier, channel, reason, source, and timestamp.
The dark windows feature lets you block outbound calls, SMS, and other channels during configurable quiet hours, weekends, or holidays. Dark windows are enforced based on the contact's time zone, so a 9 PM cutoff in Eastern time does not mean your West Coast contacts stop receiving calls at 6 PM.
Branded calling displays your verified business name on the recipient's phone when supported by the carrierCarrierA telecommunications provider that routes phone calls and SMS over its network. Twilio, Telnyx, and Bandwidth are the three most common in the AI voice space.. Call screening bypass helps your AI agent respond to automated screening prompts. Together, these features improve answer rates on legitimate, consent-based outbound without resorting to number spoofing or misleading caller ID.
The Start node in Thoughtly's Agent Builder delivers its script exactly as written — no paraphrasing, no variation. This makes it the right place for required compliance disclosures: recording consent notices, business identification, and AI usage disclosure.
Every call made through Thoughtly is logged with a full transcriptTranscriptThe text record of a voice conversation, used for review, training, compliance audit, and search., recording (when enabled), timestamps, and outcome data. These records are available through the platform's History view and can be exported for compliance audits.
Using Thoughtly's integrations with HubSpot, Salesforce, and other CRMs, you can write consent status, opt-out timestamps, and call outcomes directly back to the contact record. This creates a defensible audit trail without manual data entry.
The TCPA's consent requirements primarily govern outbound calls made using an autodialer or artificial/prerecorded voice. If a consumer calls your business and your AI agent answers, the inbound call itself is not a TCPA violation. However, call recording consent laws still apply in all-party consent states, and any subsequent outbound calls triggered by the inbound interaction require appropriate consent.
The FCC treats autodialed or prerecorded text messages as "calls" under the TCPA. If your workflow includes both AI voice follow-up and automated SMS, your consent disclosure should cover both channels. Consent obtained for voice calls does not automatically extend to text messages unless the disclosure explicitly includes both.
Appointment confirmations are generally considered informational or transactional, not telemarketing. These calls typically require only prior express consent (PEC), not the higher PEWC standard — as long as the call does not include promotional or sales content. If you add a cross-sell pitch to an appointment confirmation call, the entire call may be reclassified as telemarketing.
Under the one-to-one consent rule, the consent must be specific to your organization. A lead provider's blanket consent that covers multiple sellers no longer satisfies the PEWC requirement. Request documentation showing that the consumer specifically authorized calls from your company, with a clear and conspicuous disclosure. If the provider cannot produce this, the consent may not be defensible.
The TCPA's statute of limitations for private lawsuits is four years, and some state laws extend longer. Industry best practice is to retain consent records, call logs, and transcripts for at least five years. Thoughtly retains call recordings and transcripts within the platform, but you should also maintain consent records in your CRMCRMThe system of record for leads, contacts, deals, and activity. Thoughtly reads from and writes to your CRM continuously. or compliance system.
This article is informational and does not constitute legal advice. Consult qualified legal counsel for compliance decisions specific to your organization.
