
Key TCPA Compliance Risks and What Outbound Call Centers Must Do Now: Insights from the 2025 TCPA Summit
Key takeaways from the 2025 Florida TCPA Summit:
FCC and state attorneys general are increasing enforcement, with greater scrutiny on KYC practices and call origination behavior.
Deceptive tactics such as caller ID mislabeling and “snowshoeing” are active targets of FCC traceback investigations.
State privacy laws continue to expand, adding new requirements for opt-outs, risk assessments, and automated decision-making technologies.
TCPA litigation is rising year over year, driven largely by prerecorded and AI-generated voice outreach.
Emerging AI tools and inconsistent call branding standards are creating new compliance and operational risks for outbound programs.
The 2025 TCPA Summit brought together regulators, attorneys, carriers, and industry leaders to discuss how enforcement, privacy regulation, and technology are reshaping outbound communications. I attended this year’s summit to better understand where regulators are focusing their attention—and what contact centers should be doing now to reduce risk.
While no single session introduced a dramatic rule change, the overall message was clear: compliance expectations are rising across multiple fronts at once. From KYC and call origination practices to privacy obligations, TCPA litigation trends, and the use of AI in outbound outreach, businesses need to ensure their compliance programs are both current and enforceable at scale.
Below are the most relevant takeaways from the summit, viewed through the lens of outbound contact center operations.
Increased regulatory scrutiny and KYC enforcement expectations
Multiple speakers emphasized that both the FCC and state attorneys general are taking a more aggressive posture toward enforcement. A recurring focus was Know Your Customer (KYC) obligations, particularly for voice service providers issuing STIR/SHAKEN attestation.
The message was direct: inadequate KYC documentation and controls can result in serious consequences, including deauthorization and enforcement action. This is not a theoretical risk—we have already seen enforcement proceedings in this area, and more are expected.
Improper call origination behavior is also under heightened scrutiny. Practices such as mislabeling caller ID information are actively being monitored, with new traceback investigations already underway.
One tactic specifically called out by speakers was “snowshoeing.” Snowshoeing refers to spreading a high volume of calls across many phone numbers or providers in an effort to evade detection, reputation scoring, or call-blocking tools. Regulators view this as a deceptive origination practice, and it is firmly on their radar.
With the right tools and outbound strategies, businesses can simultaneously manage caller ID reputation and support compliance, leading to greater efficiency, higher productivity, and lower costs.
Expanding state privacy laws and the future of CCPA compliance
Privacy regulation continues to expand rapidly at the state level, with approximately 16 state privacy laws currently in effect and more coming online.
Two developments highlighted at the summit:
California AB 566 (effective January 1, 2027)
Connecticut SB 1295
Both introduce requirements around consumer-configurable opt-out signals, risk assessments, and enhanced disclosures for sensitive data handling.
In parallel, the evolving CCPA framework will introduce new rules governing automated decision-making technologies (ADMT), profiling, and biometric data usage. Businesses using these technologies should expect requirements for cybersecurity audits and formal risk assessments by early 2027.
Speakers also noted that enforcement efforts around opt-out friction and minor data sales are expected to increase, reinforcing the importance of clear, consumer-friendly opt-out mechanisms.
TCPA litigation trends and common compliance pitfalls
TCPA litigation continues to rise year over year, and several sessions focused on reducing class action exposure. A consistent theme: pre-recorded and AI-generated voice messages remain the most common drivers of litigation due to the relatively low pleading burden for plaintiffs.
Common compliance failures cited included:
Calling reassigned or wrong numbers
Failing to honor opt-out requests
Misclassifying marketing messages as transactional
Recommended risk mitigation strategies included stronger lead source validation, consistent internal recordkeeping, and, where appropriate, the use of arbitration clauses with class action waivers. Speakers also encouraged businesses to involve experienced TCPA counsel early and to engage in motion practice to narrow discovery and limit exposure.
For insights on expected regulatory changes ahead, check out my conversation with compliance attorney Michele Shuster in this recorded webinar: 2026 Outbound Compliance Shakeup: FCC Rule Changes, Caller ID + STIR/SHAKEN Updates, Stronger State Laws
AI, call branding, and emerging compliance risks
The summit also addressed compliance risks associated with generative AI, outbound AI, and the limitations of current call branding tools.
Key takeaways included:
Outbound AI tools (such as SMS bots and synthetic voice) require clear consumer disclosures under state laws in jurisdictions including California, Colorado, Utah, and Maine.
Generative AI used for compliance support should not be relied upon without legal oversight.
Pre-recorded voice calls, even when paired with partial live agent interaction or soundboard technology, remain high-risk under both TCPA and state laws.
Branded Caller ID (BCID) shows promise as a trust signal for consumers, but adoption remains slow due to carrier inconsistency and lack of ecosystem coordination. It remains to be seen how the FCC will ultimately address Rich Call Data (RCD).
Businesses were encouraged to actively monitor how their calls appear downstream and to push carriers and analytics providers for greater transparency and consistency.
Practical compliance reminders for outbound teams
Two themes from the summit were significant enough to warrant continued emphasis in our ongoing compliance discussions.
First, lead source vetting is not optional. Courts are increasingly holding contact centers responsible for the actions of third-party lead providers, regardless of contractual assurances. If your compliance strategy relies on “the vendor said it was compliant,” you likely have unmitigated risk.
Second, a robust and well-trained Do-Not-Call (DNC) policy remains a foundational requirement. Verbal opt-outs count, state-level DNC rules continue to change, and a stale or poorly enforced policy can quickly become a litigation liability. Just as importantly, strong DNC practices help demonstrate good-faith compliance and protect your business if challenged.
Summing it up
The 2025 TCPA Summit reinforced a simple reality: compliance is no longer static. Regulatory expectations, privacy frameworks, and technology risks are evolving simultaneously, and businesses that fail to adapt will find themselves exposed.
Strong compliance programs today require proactive monitoring, documented processes, and coordination across legal, compliance, operations, and technology teams. Done well, compliance is not just about avoiding enforcement—it can be a competitive advantage in an increasingly scrutinized outbound environment.
As regulatory scrutiny increases, compliance requires more than policy—it requires guardrails. Manual processes and disconnected systems introduce risk at scale. Platforms with compliance guardrails built in can help enforce opt-outs, support proper call origination, and promote consistent, compliant behavior across outbound operations.
Organizations that treat compliance as an operational system—not just a written policy—will be better positioned to adapt as enforcement and technology continue to evolve.
Frequently Asked Contact Rate Questions
High-performing outbound teams see the strongest contact rates when they work high-intent leads, protect caller ID reputation, and follow responsible dialing practices. As contact rate declines, it’s often tied to issues like number flagging or over-dialing—signals that it’s time to evaluate lead sources, cadence, and caller ID health.
A sudden decline usually points to issues with caller ID reputation, changes in carrier behavior, slower response times, or dialing patterns that carriers interpret as risky. Reviewing lead source performance and number health is the fastest way to pinpoint and fix the problem.
The right number of call attempts depends on your lead source and where conversions begin to taper off. Review your reports and identify the point of diminishing returns—the point where additional attempts no longer produce meaningful connections or conversions.
Most operations start with a few attempts on day one and then taper cadence, but the key is not to dial past the point where performance drops. Each lead source behaves differently, so regularly analyzing results is essential for protecting contact rate and avoiding calling patterns that can lead to spam flagging.
Automation ensures consistent cadence, prioritizes leads based on your rules, and orchestrates workflows across channels. Convoso Ignite uses AI to improve contact rates by dynamically scoring number health and selecting the optimal number for every lead with real-time dialing optimization.
When numbers get flagged as spam, contact rate drops immediately—even on high-intent leads. That’s why caller reputation management is mission-critical for outbound success.