Compliance basics for AI cold calling in 2026
AI voice agents sit on top of three of the most regulated activities in the world: telephony, automated dialing and personal-data processing. The good news is that most of the rules are common sense. The bad news is that getting one of them wrong can cost $500 to $1,500 per call. This is a plain-English overview — not legal advice, but enough to know what to ask your lawyer.
TCPA: the United States baseline
The Telephone Consumer Protection Act governs almost every automated call placed in the US. The key rule for AI voice agents: you need prior express written consent before placing a marketing call to a mobile number using any kind of automated system. 'Automated' includes AI voice agents.
Consent must be unambiguous, separate from other terms, and easy to revoke. A pre-checked box on a signup form does not count. Documented opt-in via a clear checkbox or signed agreement does.
Disclosure: tell people they're talking to AI
As of the 2024 FCC declaratory ruling and several state-level laws (California, Texas, Florida), AI voice agents must disclose that they are AI at the start of the call. The disclosure must be clear, conspicuous and in language the recipient understands.
A compliant opening: 'Hi, this is Sage, an AI assistant calling on behalf of [Company]. Is now a good time to chat for a minute?' That single sentence covers the disclosure, identifies the calling party, and asks for permission to continue.
Time windows: when you can and cannot call
TCPA restricts outbound marketing calls to 8am-9pm in the recipient's local time zone. Many states tighten this further. Always use the recipient's time zone, not the calling team's. Callable enforces this automatically when you upload leads with a phone number, but you should still set explicit campaign windows.
Do-not-call lists
The US National Do Not Call Registry is mandatory for marketing calls. You must scrub your list against the registry at least every 31 days. You also need to maintain an internal DNC list: if a recipient asks not to be called again, that request applies across your entire organization for at least five years.
AI agents must be programmed to recognize opt-out language — 'remove me', 'don't call me', 'take me off your list' — and immediately add the number to your internal DNC. Callable does this by default; make sure any prompt overrides you write don't break it.
GDPR: the European overlay
If you're calling EU residents, GDPR applies on top of national telemarketing rules. The core obligations: lawful basis for processing (usually consent or legitimate interest), a privacy notice the recipient can access, and the right to request deletion. AI-specific: recipients have the right to object to fully automated decision-making, so the handoff path to a human must be clearly available.
HIPAA: the healthcare lane
Calling patients or scheduling medical appointments? You're handling PHI. You need a signed Business Associate Agreement with every vendor in the chain, your voice provider included, and your recordings, transcripts and CRM data all need to live in HIPAA-eligible infrastructure. Callable offers HIPAA-eligible workspaces on the Business plan and above.
A 60-second compliance checklist
Before launching any campaign, confirm:
- You have documented consent for every number on the list (marketing only).
- Your opening line discloses the AI in the first sentence.
- Campaign call windows are set to recipient local time, 8am-9pm.
- Your list has been scrubbed against the National DNC in the last 31 days.
- Opt-out handling is tested end-to-end on a sample call.
- If healthcare: BAA is signed and workspace is HIPAA-eligible.
- If EU: privacy notice link is in any pre-call email or SMS.
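The checks above for consent, call window, DNC scrub age and opt-out handling can be enforced as a pre-dial gate. This is an added example, not Callable's code or API. Every name in it (`Lead`, `dial_blockers`, `record_turn`) is hypothetical, the sample data is constructed, and the lead's time zone is assumed to be known already.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

# Values taken from the article; everything else here is a hypothetical name.
WINDOW_START, WINDOW_END = time(8, 0), time(21, 0)  # 8am-9pm, recipient local time
MAX_SCRUB_AGE = timedelta(days=31)                   # National DNC scrub interval
OPT_OUT_PHRASES = ("remove me", "don't call me", "take me off your list")

@dataclass
class Lead:
    number: str
    tz: tzinfo                 # recipient's zone; production code would use an IANA zone
    has_written_consent: bool  # documented opt-in, not a pre-checked box

def is_opt_out(utterance: str) -> bool:
    """Match the opt-out phrases, tolerating case and curly apostrophes."""
    text = utterance.lower().replace("\u2019", "'")
    return any(phrase in text for phrase in OPT_OUT_PHRASES)

def dial_blockers(lead, now_utc, last_scrub_utc, national_dnc, internal_dnc):
    """Return the reasons a marketing call must not be placed (empty list = may dial)."""
    reasons = []
    if not lead.has_written_consent:
        reasons.append("no documented consent")
    if lead.number in internal_dnc:
        reasons.append("on internal DNC")
    if now_utc - last_scrub_utc > MAX_SCRUB_AGE:
        reasons.append("national DNC scrub older than 31 days")  # fail closed
    elif lead.number in national_dnc:
        reasons.append("on national DNC")
    local = now_utc.astimezone(lead.tz).time()
    # Assumption: 9:00pm itself is treated as outside the window (conservative).
    if not (WINDOW_START <= local < WINDOW_END):
        reasons.append("outside 8am-9pm recipient local time")
    return reasons

def record_turn(lead, utterance, internal_dnc):
    """Add the number to the internal DNC as soon as an opt-out is heard."""
    if is_opt_out(utterance):
        internal_dnc.add(lead.number)
        return True
    return False

# Constructed sample data: a lead at UTC-5, list scrubbed 10 days earlier.
LEAD = Lead("+15555550100", timezone(timedelta(hours=-5)), True)
NOW = datetime(2026, 1, 15, 13, 30, tzinfo=timezone.utc)  # 08:30 for the lead
SCRUBBED = NOW - timedelta(days=10)
```

A stale scrub blocks every number rather than skipping the registry check, so an overdue list refresh cannot pass unnoticed.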