Keeping Pace with AI, SMS, and TCPA Compliance in a Changing Regulatory Environment

    Convoso
    8 min. read

    Key takeaways

    • Honor opt-outs through "any reasonable means": Recognize more than just standard keywords and process revocation requests within 10 business days.

    • Treat AI voice like a robocall: Use the right consent, required disclosures, DNC screening, and opt-out processes before launching AI campaigns.

    • Treat texts as calls: Manage text messages with the same consent, DNC, and revocation policies as phone calls.

    • Document everything: Keep records of where consent came from, what the consumer agreed to, and when consent was revoked.

    • Don't overlook DNC compliance: Follow both National and internal DNC requirements, even for manually dialed campaigns, and check reassigned numbers.

    • Vet your technology vendors: Make sure your platforms support consent management, DNC enforcement, opt-out processing, and audit-ready documentation.

    Three TCPA issues every outbound team should watch 

    Every outbound call or text comes with compliance risk, and that risk is becoming more difficult to manage as AI, SMS, and consumer privacy rules continue to evolve.

    In “Beyond the TCPA: Navigating the New AI Compliance Landscape,” a webinar hosted by Convoso partner PossibleNOW, TCPA attorney John Henson highlighted three areas shaping compliance today: 

    1. Revocation requests: The FCC's expanded rules for recognizing and honoring consumer opt-out requests

    2. AI-powered outbound calling: AI voice is subject to the same TCPA requirements as prerecorded calls

    3. SMS compliance: Recent court decisions impact the way businesses should approach text messaging under the TCPA

    The sections below unpack each of these topics and the practical guidance Henson shared to help you stay compliant. 

    TCPA basics: A quick refresher

    Before looking at recent regulatory changes, it's worth reviewing a few TCPA fundamentals that shape the discussion. 

    • Regulated technology: Calls made using an ATDS, prerecorded voice, or AI voice require consent. Informational calls require prior express consent, while marketing calls require prior express written consent. 

    • National Do Not Call (DNC) rules: Marketing calls to numbers on the National Do Not Call Registry are generally prohibited unless you have an exception, such as prior express written consent or an Established Business Relationship (EBR).

    • Two compliance buckets: The TCPA's regulated technology and Do Not Call rules operate independently. Even if you're manually dialing and the regulated technology rules don't apply, DNC requirements still do.

    • Established Business Relationship: An inquiry creates a 90-day EBR. A completed transaction creates an 18-month EBR. 

    • Financial exposure: TCPA violations carry penalties of $500 per call or text or $1,500 per call or text for willful violations. 

    Opt-out requests are no longer black and white

    One of the biggest TCPA changes took effect in April 2025, when the FCC enabled consumers to revoke consent using "any reasonable means," requiring businesses to honor revocation requests within a specified timeframe. [The FCC has delayed until January 31, 2027 a provision of the ruling pertaining to cross-channel consent revocation.]

    While standard opt-out requests like "Stop," "Quit," "End," "Revoke," "Opt out," "Cancel," and "Unsubscribe" should always be recognized, consumers can revoke consent in many other ways. 

    "Stop" isn't the only way to opt out

    A message like "Please don't text me anymore," "Take me off your list," or "Don't contact me again" can also qualify as a valid opt-out request.

    "The problem is they have stated 'any reasonable means.' You've got to be able to identify—is this a reasonable request?" Henson said.

    Some requests are easy to identify. Others require judgment. 

    Henson pointed to "I never signed up for this" as an example that could reasonably be considered an opt-out. 

    By contrast, "Now is not a good time" may not be an opt-out because it suggests the consumer may still want to hear from you, just not at that moment. 

    Your team needs a consistent way to identify, review, and respond to these types of requests.

    Consider the scope of an opt-out request 

    If your business operates under multiple brands, has affiliated companies, or works with agents representing more than one carrier, determining who an opt-out applies to can get more complicated.

    "You've got to take the context of their application into account. What's the consumer responding to? How's the consumer saying that? What would the consumer be thinking that they are opting out of?" Henson said.

    For example, if an agent sends messages as "Bob Smith for Allstate," an unsubscribe request could reasonably apply to both the agent and Allstate

    But if the agency represents multiple insurance companies and the text is from “Bob Smith Insurance,” a revocation could just be meant for Bob Smith’s agency and Allstate could still contact them. 

    AI voice scales both outreach and risk

    The FCC has made it clear that AI-generated voices are treated as artificial or prerecorded voices under the TCPA, and businesses are already facing lawsuits over how they're using the technology.

    "AI and outbound calling has become probably almost half of my practice now," Henson said. “One thing AI voice does is it allows you to call at scale. And because TCPA [violations] are $500 minimum per call, that increases your risk significantly.” 

    Here’s how to navigate AI calls to limit compliance risk as your outreach scales. 

    Treat AI voice like a robocall 

    Treat AI voice calls exactly like an “old-school” robocall. The same consent rules and penalties apply. 

    Build these requirements into your program: 

    • Get the right consent: Obtain prior express consent for informational calls and prior express written consent for marketing calls. “The single biggest thing I hear all the time is, ‘We’re going to use AI voice to cold call.’ You can’t, because you have to have consent, period,” Henson said. 

    • Confirm your consent covers AI voice: Make sure your consent language specifically authorizes AI or automated voice outreach, not just generic "calls."

    • Build required disclosures into the call: Identify the caller and the company they represent at the beginning of the call, provide an automated interactive opt-out, and disclose call recording where required by state law.

    • Honor DNC and opt-out requests: Scrub against National and internal DNC lists before placing calls, follow calling-hour restrictions, and make sure your AI can recognize and process verbal opt-out requests.

    How to navigate SMS uncertainty 

    The rules governing SMS are becoming less consistent. Some courts continue to treat text messages like phone calls under the TCPA, while others are questioning whether certain TCPA provisions apply to texts at all. 

    “Everything we thought we knew about the TCPA is now in the air. You're seeing it in several areas, and texting is one of these areas,” Henson said.

    So what does that mean for your SMS strategy? 

    Treat text messages like phone calls

    The court decisions about how to treat text messages are ongoing and often differ between districts. 

    While the legal landscape is complex, Henson's recommendation is simple: “For TCPA purposes, don’t treat voice and text differently.” 

    “Get consent, follow DNC rules, follow revocation rules. You’ve got to honor those reasonable means [for revocation]. You have 10 days. That all has to be done today,” he said. 

    If a consumer revokes voice consent, apply that to text. If they’re on the Do Not Call list, don’t text them. 

    Defaulting to the strictest interpretation of the TCPA will help limit your compliance risk, especially if you’re calling in multiple court districts that come to differing conclusions about SMS rules. 


    Learn why you need a DNC policy and what it should include: How to Develop a DNC Compliance Policy for Your Call Center


    Compliance practices that apply across every channel

    Whether you're managing AI voice, SMS, or consumer revocation requests, these recommendations apply across every part of your compliance program. 

    Keep an audit trail

    If a consumer challenges your outreach, you need to be able to show exactly what happened. That starts with documenting every stage of the customer journey, from consent to revocation.

    "You want a good audit trail," Henson said. 

    "You need to be able to say, 'I'm calling John Henson at this phone number. I got consent to call him at this phone number on this date. It came from this website. This is what he consented to.'" 

    This is especially important when you're collecting leads from multiple sources, where consent language may vary from one campaign to another.


    RELATED: Convoso’s Long Term Call Storage helps contact centers retain recordings, connect them to call data, and quickly access the conversations needed for compliance, QA, coaching, and dispute resolution.


    Comply with DNCs and check reassigned numbers

    Businesses often assume DNC requirements only apply to automated calls, but the National DNC Registry and your internal do-not-call list still apply even if you aren’t using regulated technology. 

    "That's where we see a lot of people mess up," Henson said. 

    It’s also important to check the FCC's Reassigned Numbers Database

    Around 3 million phone numbers are reassigned every year, so consent you received for a number in the past may now belong to someone else.

    Keeping DNC lists current and checking reassigned numbers helps prevent calls or texts to consumers who shouldn't be contacted. 

    The right platform can automate DNC management and reassigned number checks, helping reduce compliance risk without adding manual work. 

    Vet your vendors

    Using a third-party platform doesn't shift TCPA responsibility away from your business. Understanding how your vendors support compliance is just as important as understanding your own internal processes. 

    "Your vendor doesn't necessarily have to know chapter and verse of TCPA, but they have to be confident in what they're disclosing," he said. "You've got to do a good job of vetting your vendors. Double check and make sure they're doing things the right way."

    When evaluating vendors, ask how they handle:

    • Consent: How is consent captured, stored, and verified?

    • Disclosures: What AI, prerecorded voice, and call recording disclosures are presented?

    • DNC compliance: How are National and internal do-not-call lists enforced?

    • Opt-outs: Can the platform recognize, record, and process revocation requests?

    • Compliance records: What documentation is available to support audits or legal challenges?

    Compliance isn't just about understanding the rules—it's about putting them into practice every day. See how Convoso helps outbound teams operationalize consent management, DNC compliance, AI voice outreach, and audit-ready recordkeeping at scale.

    Frequently Asked Questions About AI and TCPA Compliance

    • Yes. The FCC treats AI-generated voices the same as artificial or prerecorded voices under the TCPA. Businesses generally need the appropriate level of consumer consent, must follow Do Not Call requirements, provide required disclosures, and honor opt-out requests.

    • Yes. FCC rules recognize revocation through "any reasonable means." Consumers are not limited to keywords like "STOP" or "UNSUBSCRIBE." Businesses should have processes to identify and respond to clear requests such as "Don't contact me anymore" or "Take me off your list."

    • Although court decisions continue to evolve, many compliance professionals recommend treating SMS the same as voice outreach by obtaining appropriate consent, honoring revocation requests, and following Do Not Call requirements.

    • Maintaining records of consent, revocation requests, disclosures, and communication history can help demonstrate compliance during audits or legal disputes. An audit trail becomes especially important when leads come from multiple sources.

    • Look for capabilities that support consent management, National and internal Do Not Call enforcement, reassigned number checking, opt-out processing, and audit-ready documentation to help streamline compliance efforts.

    Schedule a demo

    Supercharge your sales with our AI-powered contact center platform.

    4x your contact rates today!