TCPA violations cost $500-$1,500 per call. One lawsuit can destroy your voice AI program before it starts. But compliance isn't complicated—it just requires the right systems. This guide covers the regulations that matter, the consent you need, and the implementation patterns that keep you safe.
Voice AI Compliance Overview
Voice AI compliance involves three main areas: (1) consent for automated calls and recordings, (2) disclosure that the caller is an AI, and (3) data protection for voice data and transcripts. Key regulations include TCPA (US), GDPR (EU), state recording laws, and industry-specific rules (HIPAA, PCI-DSS).
1. Key Regulations Overview
Regulation Landscape
| Regulation | Scope | Key Requirement | Penalty |
|---|---|---|---|
| TCPA | US federal | Consent for automated calls | $500-$1,500/call |
| State Recording Laws | State level | Consent for recording | Varies by state |
| GDPR | EU + UK | Consent for processing | Up to €20M or 4% revenue |
| CCPA/CPRA | California | Disclosure + opt-out rights | $2,500-$7,500/violation |
| HIPAA | Healthcare | PHI protection | $100-$50,000/violation |
| PCI-DSS | Payments | Card data protection | Fines + loss of processing |
Applicability Matrix
| Scenario | TCPA | Recording Law | GDPR | Industry |
|---|---|---|---|---|
| Outbound sales (US) | ✅ | ✅ | ❌ | — |
| Outbound sales (EU) | ❌ | — | ✅ | — |
| Inbound support (US) | ❌ | ✅ | ❌ | Maybe |
| Healthcare calls | ✅ | ✅ | ✅ | HIPAA |
| Payment collection | ✅ | ✅ | ✅ | PCI-DSS |
2. TCPA Compliance
What TCPA Requires
The Telephone Consumer Protection Act regulates automated calls to US numbers.
| Requirement | Details |
|---|---|
| Prior Express Consent | Required for automated calls to cell phones |
| Prior Express Written Consent | Required for telemarketing/sales calls |
| Do-Not-Call List | Must scrub against National DNC + internal DNC |
| Time Restrictions | No calls before 8am or after 9pm local time |
| Caller ID | Must display valid callback number |
Consent Documentation
```python
from datetime import datetime


class TCPAConsent:
    """Stores, checks and revokes TCPA consent records, keyed by phone number."""

    def __init__(self, db):
        self.db = db

    def record_consent(self, phone: str, consent_type: str, source: str):
        # consent_type: "express" (informational calls) or "express_written"
        # (telemarketing); source: web form, IVR, signed document, etc.
        consent = {
            "phone": phone,
            "consent_type": consent_type,
            "source": source,
            "timestamp": datetime.now().isoformat(),
            "revoked": False
        }
        self.db.insert("tcpa_consent", consent)

    def check_consent(self, phone: str) -> bool:
        consent = self.db.find_one("tcpa_consent", {"phone": phone})
        if not consent or consent["revoked"]:
            return False
        return True

    def revoke_consent(self, phone: str, source: str):
        # Keep the record rather than deleting it: the revocation is evidence.
        self.db.update(
            "tcpa_consent",
            {"phone": phone},
            {"$set": {
                "revoked": True,
                "revoked_at": datetime.now().isoformat(),
                "revoked_source": source
            }}
        )
```
DNC List Integration
```python
class DNCChecker:
    """Scrubs a number against the National Do-Not-Call registry and the
    company's internal do-not-call list before any outbound dial."""

    def __init__(self, national_dnc: set, internal_dnc: set):
        # Both lists are loaded up front (from the National DNC subscription
        # download and the internal opt-out table) as sets, so each lookup
        # is a constant-time membership test.
        self.national_dnc = national_dnc
        self.internal_dnc = internal_dnc

    def can_call(self, phone: str) -> tuple:
        if phone in self.national_dnc:
            return False, "national_dnc"
        if phone in self.internal_dnc:
            return False, "internal_dnc"
        return True, "ok"
```
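The three pre-dial checks from the table above (DNC scrub, consent on file, 8am-9pm local window) as one pure, testable gate. This is an added example, not the article's code; the consent store, DNC sets and `SAMPLE_TZ` offset are constructed stand-ins, and an unresolvable time zone is treated as a block rather than a guess.

```python
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional, Tuple

CALL_WINDOW_START = 8   # earliest local hour for an automated call
CALL_WINDOW_END = 21    # first local hour at which calls must stop (9pm)

# Constructed fixed offset standing in for US Eastern daylight time;
# in production use zoneinfo.ZoneInfo("America/New_York") so DST is right.
SAMPLE_TZ = timezone(timedelta(hours=-4))


def within_calling_hours(now_utc: datetime, callee_tz: Optional[tzinfo]) -> bool:
    """True only if it is 8am-9pm in the callee's local time.

    A number whose zone cannot be resolved (callee_tz is None) is
    treated as outside the window: area codes can span time zones,
    so guessing is unsafe.
    """
    if callee_tz is None:
        return False
    local_hour = now_utc.astimezone(callee_tz).hour
    return CALL_WINDOW_START <= local_hour < CALL_WINDOW_END


def pre_dial_check(phone: str, consent_store: dict, national_dnc: set,
                   internal_dnc: set, callee_tz: Optional[tzinfo],
                   now_utc: Optional[datetime] = None) -> Tuple[bool, str]:
    """Apply the TCPA gate in a fixed order; return (allowed, reason).

    consent_store maps phone -> {"revoked": bool, ...}. The order is
    deliberate: a DNC hit is reported as such even when consent is
    also missing, so blocked-call logs carry the strongest reason.
    """
    if now_utc is None:
        now_utc = datetime.now(timezone.utc)
    if phone in national_dnc:
        return False, "national_dnc"
    if phone in internal_dnc:
        return False, "internal_dnc"
    record = consent_store.get(phone)
    if record is None or record.get("revoked", False):
        return False, "no_consent"
    if not within_calling_hours(now_utc, callee_tz):
        return False, "time_restriction"
    return True, "ok"
```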
3. Recording Consent by State
Two-Party vs One-Party Consent
| State | Consent Required | Notes |
|---|---|---|
| California | All parties | Two-party consent |
| Florida | All parties | Two-party consent |
| Illinois | All parties | Two-party consent |
| Pennsylvania | All parties | Two-party consent |
| Washington | All parties | Two-party consent |
| New York | One party | One-party consent |
| Texas | One party | One-party consent |
| All other states | One party | One-party consent |
Implementation
```python
# States where every party on the call must consent before recording starts.
TWO_PARTY_STATES = [
    "CA", "CT", "DE", "FL", "IL", "MA", "MD",
    "MI", "MT", "NH", "NV", "PA", "WA"
]


async def handle_recording_consent(self, caller_state: str):
    # Method on the call handler: self.speak / self.listen drive the voice
    # channel and self.start_recording arms the recorder.
    if caller_state in TWO_PARTY_STATES:
        await self.speak(
            "This call may be recorded. Do you consent to being recorded?"
        )
        response = await self.listen()
        if self.is_affirmative(response):
            await self.start_recording()
        else:
            # Anything that is not a clear "yes" is treated as a no.
            await self.speak("No problem, we won't record this call.")
    else:
        # One-party states: notice is sufficient, no explicit answer needed.
        await self.speak("This call may be recorded for quality purposes.")
        await self.start_recording()
```
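A stricter version of the decision above, added here as an example (not the article's code): `recording_policy` assumes a conservative rule that an unknown caller state, or an agent located in a two-party state, must go down the consent path, and `interpret_consent` returns an explicit "ambiguous" result that is re-asked rather than silently treated as yes. The word lists are constructed for the example.

```python
import re
from typing import Optional

# Same two-party list as the handler above, as a set for cheap lookups.
TWO_PARTY_STATES = {"CA", "CT", "DE", "FL", "IL", "MA", "MD",
                    "MI", "MT", "NH", "NV", "PA", "WA"}

AFFIRMATIVE_WORDS = {"yes", "yeah", "yep", "sure", "ok", "okay", "fine", "consent"}
NEGATIVE_WORDS = {"no", "nope", "not", "don't", "dont"}


def recording_policy(caller_state: Optional[str], agent_state: str) -> str:
    """Return "ask_consent" or "notify_only".

    Conservative policy assumed by this example (the article only
    checks the caller's state): ask for explicit consent when either
    party is in a two-party state, or when the caller's state could
    not be determined, since an unknown state must not fall through
    to the one-party script.
    """
    if caller_state is None or caller_state.upper() in TWO_PARTY_STATES:
        return "ask_consent"
    if agent_state.upper() in TWO_PARTY_STATES:
        return "ask_consent"
    return "notify_only"


def interpret_consent(utterance: str) -> Optional[bool]:
    """Map a spoken answer to True (yes), False (no) or None (ambiguous).

    None means re-ask; it is never treated as consent.
    """
    words = set(re.findall(r"[a-z']+", utterance.lower()))
    said_yes = bool(words & AFFIRMATIVE_WORDS)
    said_no = bool(words & NEGATIVE_WORDS)
    if said_yes and not said_no:
        return True
    if said_no and not said_yes:
        return False
    return None


def should_record(policy: str, utterance: Optional[str]) -> bool:
    """Record only when notice suffices or the caller gave a clear yes."""
    if policy == "notify_only":
        return True
    return interpret_consent(utterance or "") is True
```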
4. AI Disclosure Requirements
Disclosure Best Practices
```python
from datetime import datetime

AI_DISCLOSURE_SCRIPT = """
Hi, this is an AI assistant calling on behalf of {company_name}.
I can answer questions and help with your account.
If you'd prefer to speak with a person at any time, just say "transfer me."
"""


async def introduce_ai(self, company_name: str):
    # Disclose before anything else is said, and log it so the disclosure
    # can be proven later for this specific call.
    disclosure = AI_DISCLOSURE_SCRIPT.format(company_name=company_name)
    await self.speak(disclosure)
    self.log_event("ai_disclosure", {"timestamp": datetime.now().isoformat()})
```
State-Specific Requirements
| State | AI Disclosure Requirement |
|---|---|
| California (proposed) | Must disclose AI in commercial calls |
| New York (proposed) | Must disclose AI to consumers |
| EU AI Act | Transparency for AI systems |
Recommendation: Disclose AI status on all calls regardless of state—it's coming everywhere.
5. Data Protection (GDPR/CCPA)
GDPR Requirements for Voice AI
| Requirement | Implementation |
|---|---|
| Lawful Basis | Consent or legitimate interest |
| Purpose Limitation | Only use data for stated purpose |
| Data Minimization | Don't collect more than needed |
| Storage Limitation | Delete when no longer needed |
| Right to Erasure | Must delete on request |
| Right to Access | Must provide data on request |
Voice Data Handling
```python
from datetime import datetime, timedelta


class VoiceDataCompliance:
    RETENTION_DAYS = 90  # storage limitation: every record gets an expiry

    async def store_recording(self, call_id: str, customer_id: str,
                              audio: bytes, transcript: str):
        # customer_id is stored with the record so an erasure request can
        # locate every recording belonging to that data subject.
        record = {
            "call_id": call_id,
            "customer_id": customer_id,
            "audio_encrypted": self.encrypt(audio),
            "transcript_encrypted": self.encrypt(transcript),
            "expires_at": (datetime.now() + timedelta(days=self.RETENTION_DAYS)).isoformat(),
            "consent_recorded": True
        }
        await self.storage.save(record)

    async def handle_deletion_request(self, customer_id: str):
        recordings = await self.storage.find({"customer_id": customer_id})
        for recording in recordings:
            await self.storage.delete(recording["call_id"])
        # Log the count only, never the content, so the audit trail itself
        # does not retain personal data.
        self.log_event("data_deletion", {"records_deleted": len(recordings)})
```
6. Industry-Specific Requirements
HIPAA (Healthcare)
```python
class HIPAACompliance:
    # Safeguards that must be in place before any call can carry PHI
    REQUIRED_MEASURES = [
        "encryption_at_rest",
        "encryption_in_transit",
        "access_controls",
        "audit_logging",
        "baa_with_vendors"   # Business Associate Agreement with every vendor touching PHI
    ]

    async def handle_phi(self, call_id: str, phi_detected: bool):
        if phi_detected:
            # Minimum necessary: strip PHI the workflow does not need,
            # record the access, and shorten retention for this call.
            await self.redact_unnecessary_phi(call_id)
            self.log_phi_access(call_id, "voice_ai_processing")
            self.set_retention(call_id, days=30)
```
PCI-DSS (Payments)
```python
class PCICompliance:
    async def handle_payment(self, call_id: str):
        # Pause the recorder (and transcription) so the card number never
        # lands in stored audio or transcripts, and collect the digits via
        # DTMF instead of speech so the speech-to-text layer never sees them.
        await self.pause_recording()
        try:
            await self.speak("Please enter your card number using your keypad.")
            card_number = await self.collect_dtmf(16)
            result = await self.payment_processor.charge(card_number)
        finally:
            # Always resume, even if the charge fails, so the rest of the
            # call is recorded as normal.
            await self.resume_recording()
        return result
```
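What happens to the digits once they are collected is the other half of the PCI story. This added example (not the article's code) validates DTMF input with a Luhn check before it goes anywhere, masks the number to its last four digits for anything that is logged, and scrubs a transcript in case the caller read the card aloud instead of using the keypad; the `charge` callable and the test card number `4111111111111111` are constructed stand-ins.

```python
import re

# Matches 13-19 digit runs, optionally separated by spaces or dashes,
# that are not part of a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string: rejects mistyped keypad entry
    before anything is sent to the processor."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the most PCI-DSS lets you display or log."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_spoken_pans(transcript: str) -> str:
    """Mask any Luhn-valid card number in a transcript.

    Covers the caller who reads the card aloud instead of using the
    keypad: the recorder may be paused, but the speech-to-text output
    would otherwise carry the PAN into storage.
    """
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_PATTERN.sub(_mask, transcript)


def handle_dtmf_card_entry(dtmf_digits: str, charge) -> dict:
    """Validate keypad input, hand the PAN to the processor callable only,
    and return a result that is safe to log (masked PAN, never the full one)."""
    if not luhn_valid(dtmf_digits):
        return {"ok": False, "reason": "invalid_pan"}
    result = charge(dtmf_digits)   # the processor sees the PAN; we do not keep it
    return {"ok": True, "masked": mask_pan(dtmf_digits), "processor_result": result}
```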
7. Implementation Checklist
Before Deployment
- TCPA Consent System: Consent collection, verification, revocation
- DNC Integration: National DNC subscription, internal DNC, real-time checking
- Recording Consent: State detection, two-party consent script, logging
- AI Disclosure: Opening disclosure script, transfer option, logging
- Data Protection: Encryption at rest/transit, retention policies, deletion procedures
Ongoing Compliance
- Quarterly consent audit
- Monthly DNC list refresh
- Annual compliance review
- Vendor BAA maintenance
8. Compliance Code Examples
Complete Compliant Call Start
```python
from datetime import datetime


async def compliant_call_start(self, phone: str, company: str):
    # 1. Check DNC
    can_call, reason = self.dnc_checker.can_call(phone)
    if not can_call:
        self.log_blocked_call(phone, reason)
        return False
    # 2. Verify TCPA consent
    if not self.tcpa.check_consent(phone):
        self.log_blocked_call(phone, "no_consent")
        return False
    # 3. Check time restrictions (8am-9pm in the callee's local time)
    caller_tz = self.get_timezone(phone)
    local_hour = datetime.now(caller_tz).hour
    if local_hour < 8 or local_hour >= 21:
        self.log_blocked_call(phone, "time_restriction")
        return False
    # 4. Place call
    call = await self.telephony.dial(phone)
    if call.answered:
        # 5. AI disclosure
        await self.speak(
            f"Hi, this is an AI assistant calling on behalf of {company}. "
            "If you'd like to speak with a person, just say transfer."
        )
        # 6. Recording consent (TWO_PARTY_STATES as defined in section 3)
        caller_state = self.get_state(phone)
        if caller_state in TWO_PARTY_STATES:
            await self.speak("This call may be recorded. Do you consent?")
            consent = await self.listen()
            if not self.is_affirmative(consent):
                self.disable_recording()
        else:
            await self.speak("This call may be recorded.")
        # 7. Log compliance events
        self.log_compliance({
            "phone": phone,
            "dnc_checked": True,
            "tcpa_consent_verified": True,
            "ai_disclosed": True,
            "recording_consent": self.recording_enabled
        })
        return True
    return False
```
Next Steps
- Enterprise Voice AI Guide: complete technical implementation
- Voice AI for Sales: outbound compliance specifics
- Voice AI for Support: inbound compliance requirements
Need help with voice AI compliance?
At Cognilium, we build compliant voice AI systems from day one. Let's discuss your compliance requirements.
Muhammad Mudassir
Founder & CEO, Cognilium AI
Mudassir Marwat is the Founder & CEO of Cognilium AI, where he leads the design and deployment of pr...