TCPA Express Written Consent for AI Calling in the US 2026: The Compliance Playbook That Holds Up in Court

A Chief Marketing Officer at a Series-B US fintech sat in a Tuesday afternoon legal review with two questions she needed answers to before Thursday's go-live decision on AI outbound. One — is the consent we capture on our web form legally enforceable as TCPA express written consent for AI-driven calls? And two — if we go live and a debtor or recipient sues us under TCPA, what does our audit trail need to look like to win the case? The lawyer pulled up a Bluebeam PDF and said: both questions have a 14-page answer, but if you cut me off at three things you'd most need to know, here's what they are.

This guide is those three things — plus the rest. We walk through what TCPA "express written consent" actually requires under 47 CFR §64.1200, what changed with the FCC's 2024 one-to-one consent rule (and what stayed the same when courts struck parts of it down in 2025), what state mini-TCPA frameworks layer on top of the federal floor (especially Florida's TCPA and Washington's CEMA-related grid), how the audit trail needs to be structured to be court-admissible in a TCPA class action, and what consent-language templates have actually held up in 2025-2026 case law.

If you operate an AI voice agent that dials US consumers — for any non-healthcare-exempt purpose — this guide is the threshold you have to cross before going live. The TCPA class action bar in the US is the most active consumer-protection plaintiff bar in the country; a single defective consent flow can produce $1,500 per call statutory damages aggregated across thousands of recipients.

What TCPA express written consent actually requires

The federal floor is 47 CFR §64.1200(a)(2) and §64.1200(f)(9). For autodialed or prerecorded calls to wireless numbers for marketing purposes (or for non-marketing purposes to landline numbers in some contexts), the consumer's "prior express written consent" must:

1. Be written and signed by the consumer (electronic signatures count — clicking an opt-in checkbox or a clearly affirmative button can qualify if the disclosure language is right)
2. Include a clear and conspicuous disclosure that the consumer is authorizing the seller to deliver advertisements or telemarketing messages using an automatic telephone dialing system or an artificial / prerecorded voice
3. Identify the specific seller(s) authorized to make those calls
4. State the specific number(s) the consumer is authorizing
5. State that consent is not a condition of any purchase
6. Be recordable and reproducible at the consumer-disclosure level — meaning the seller has to be able to produce, on demand, the exact disclosure language shown to the consumer, the time it was shown, the consumer's exact response, the IP, and the device

Failure to meet any of these six requirements means the consent is not "express written" for TCPA purposes, regardless of what the consumer actually agreed to. The bar is procedural, not substantive.

What is NOT express written consent:

• Pre-checked opt-in checkboxes
• Disclosures buried in a 12-page terms-of-service
• "By clicking Submit, you agree to..." language that doesn't specifically call out autodialed / prerecorded marketing calls
• Consent obtained as a condition of purchase
• Verbal consent ("yes, you can call me") given over the phone without simultaneous written or electronic confirmation
• Consent obtained 18+ months ago (some states impose recency requirements; FCC orders impose post-2025 freshness expectations)

A vendor selling AI calling who can't walk you through, in two minutes, how their disclosure flow meets each of the six requirements above — and produce a sample audit row showing the disclosure language, IP, timestamp, and consumer response — is not TCPA-grade.

The 2024 one-to-one rule and what survived in 2025

In December 2023 the FCC adopted the "one-to-one consent" rule (47 CFR §64.1200(a)(10)), which required consumers to consent to calls from a single, specifically-identified seller on a single specifically-identified subject. The rule was set to take effect in early 2025. In January 2025, the Eleventh Circuit Court of Appeals vacated portions of the rule in IMC v. FCC, removing the strictest one-to-one identification requirements for some lead-generation scenarios.

What survived: the disclosure must still specifically identify the seller(s), the call must still be "logically and topically associated" with the consumer's original interaction (the form they submitted, the website they were on), and the recordable audit trail requirement is unchanged.

What did not survive: the broadest reading of "one seller per consent" — lead-generation platforms can still capture consent that flows to a defined set of partner sellers as long as the partners are specifically identified at the consumer-disclosure level. The audit row has to show which partner was identified in the disclosure that the consumer saw.

The operational implication for AI calling deployments: if your consent flow predates 2025 and was built for a multi-seller lead-gen disclosure model, you need to confirm it still meets the post-IMC v. FCC standard. If your consent flow is for a single-seller direct-to-consumer interaction (e.g., a SaaS company's web form, a clinic's intake), you are likely fine — the IMC v. FCC ruling primarily affects lead-aggregator models.

State mini-TCPA — the overlay you can't skip

Several states have enacted their own TCPA-equivalent frameworks that are sometimes stricter than the federal floor. Three are particularly consequential:

Florida (FTSA, 2021): Florida's mini-TCPA imposes additional consent and call-restriction requirements. Statutory damages are similar to federal TCPA ($500-$1,500 per violation), but the Florida statute provides for class actions with no cap. Florida law has been the basis for some of the largest TCPA-equivalent class settlements in 2024-2025. Operational consequence: any AI voice agent dialing Florida residents needs Florida-specific consent language and audit-trail structure. The default "federal TCPA-compliant" consent flow is often insufficient.

Washington (CEMA + WPA): Washington's Consumer Electronic Mail Act (CEMA) plus the Washington Privacy Act framework establishes specific requirements for commercial electronic communications including AI-initiated calls. The state's "Do Not Email" registry has been extended in concept to autodialed voice calls in 2025 enforcement actions.

Oklahoma, Maryland, California: Each has unique additional requirements. California's calling-window grid is stricter than federal (8am-9pm with additional weekend restrictions for some debt classes), Maryland requires additional opening-disclosure language for collection calls, Oklahoma has a custom DNC list separate from the federal registry.

For multi-state AI deployments, the operational pattern is to maintain a state-by-state grid as configuration: the consent language shown to consumers in each state matches that state's requirements; the calling-window grid filters by state-of-residence; the DNC scrubbing includes state-specific lists in addition to the federal DNC.

The court-admissible audit trail — what every call needs to log

For each call, the audit row needs to capture:

Field	Why
Consumer's stated phone number	Match to consent record
Consumer's state-of-residence (from address)	State mini-TCPA + calling-window overlay
Consent record reference (link to original consent capture)	Proves prior express consent existed
Disclosure language shown to consumer at consent capture (exact text)	§64.1200(f)(9) requires reproducibility
Consumer's affirmative response (checkbox click, signature, etc.)	§64.1200(f)(9) requires recordability
Consumer's IP address at consent capture	Identity / fraud-defense
Consumer's device / user-agent at consent capture	Identity / fraud-defense
Timestamp of consent capture	Freshness + temporal correlation with calls
Timestamp of each subsequent call	Frequency + time-window compliance
Calling party (seller identity)	§64.1200(f)(9) identification
Call purpose (marketing, transactional, healthcare, collections, etc.)	Determines applicable TCPA rules
Federal DNC scrubbing result at dial-time	Defensive evidence for §227(c)(3)(F)
State DNC scrubbing result at dial-time	State-specific compliance
Calling window compliance (recipient local time)	Time-of-day compliance
Cease-communication flag (if applicable, with propagation timestamp)	Real-time opt-out compliance
Call recording (encrypted at rest)	Disposition + dispute evidence
Full transcript	Cease-communication recognition evidence
AI vs human-escalated supervisor identity per turn	§227(b) ATDS / prerecorded voice clarity

This row needs to be exportable in a court-admissible format within 5 business days of a subpoena or discovery request. A vendor whose audit infrastructure can't produce it that fast is not TCPA-class-action-defensible.

Consent-language templates that have held up in 2025-2026 case law

The following disclosure has been the basis of successful TCPA defenses in 2025-2026 (variations adapted to specific seller / call purpose):

By providing my phone number and clicking "[Submit/Sign Up/Continue]" below, I expressly authorize [Specific Seller Name] and its authorized representatives to contact me at the phone number(s) I provided using an automatic telephone dialing system, an artificial or prerecorded voice, or a live agent, for the purposes of [Specific Purpose — e.g., "delivering appointment reminders related to my care," "informing me about the products and services I requested information about," "completing my loan application process and related servicing communications"]. I understand that this consent is not required as a condition of any purchase, and I can revoke consent at any time by replying "STOP" to any text or by saying "stop calling" on any call. I have read and agree to the [Privacy Policy] and [Terms of Service].

The critical structural elements: specific seller name (not "us" or "our partners"), specific phone number (not "any number"), specific purpose (not "marketing communications"), clear disclosure of ATDS / prerecorded voice / live agent, clear "not a condition of purchase" language, clear revocation mechanism, link to privacy policy that itself complies with CCPA / CPRA / state privacy laws.

What courts have ruled insufficient in 2025-2026:

• Generic "We may contact you using automated means" language without ATDS / prerecorded voice specificity
• Disclosure language presented in lowest-readable font sizes or buried below the submit button
• "Our partners" or "third parties" identification without specific seller names
• Disclosure flows where the consumer must affirmatively scroll to see the consent language (must be in the visible field of the submit button)

Operational implementation — what the AI calling pipeline must do

Before any call fires, the AI voice agent's dial pipeline runs the following validation chain:

1. Lookup the consent record for the destination phone number in the consent management system. If no record exists, the call is suppressed and audit-logged as "no consent."
2. Validate the consent purpose matches the call purpose. If the consumer consented to "appointment reminders" and the call is marketing, the call is suppressed.
3. Validate the consent freshness. Federal floor has no hard expiration but some courts have found that 18+ months without re-engagement weakens consent; production-grade vendors flag consent older than 18 months for re-confirmation.
4. Validate state-specific consent requirements. If the consumer is in Florida, validate that the Florida-specific disclosure was shown. If California, check the CA-specific calling-window and DNC list.
5. Scrub against federal DNC list at dial-time (not queue-time — DNC updates daily, so queue-time scrubbing can fire stale-DNC calls).
6. Scrub against state DNC lists at dial-time.
7. Check the recipient's state-of-residence's calling window (8am-9pm recipient local time minimum, state-specific overrides applied).
8. Validate against the cease-communication flag. If set, suppress and audit-log.
9. If all checks pass, fire the call. Capture call recording, transcript, disposition, agent identity, full audit row.
10. On call end, write the audit row. Available for subpoena / discovery within 5 business days.

A production-grade AI calling vendor automates this chain — it is not configurable optional; it is the dial pipeline. Vendors who treat steps 1-8 as "best practices" rather than mandatory pre-dial validation are creating liability for the seller that deploys them.

What happens in a TCPA class action — and what wins

The plaintiff bar in US TCPA class actions typically targets:

• Companies running AI-initiated calls without compliant consent capture
• Companies whose consent flow was compliant in principle but whose audit trail can't reproduce the specific disclosure shown to the named plaintiff
• Companies with stale consent (consumers who consented 24+ months ago and never re-engaged)
• Companies who continued calling after a cease-communication request (the propagation-time evidence is critical here)
• Companies who dialed outside the calling window
• Companies who couldn't show federal + state DNC scrubbing results at dial-time

What wins TCPA defenses (or settles them favorably) in 2025-2026:

• A clean audit row for each plaintiff's call showing the disclosure language they saw, when they consented, their IP / device, their affirmative response
• DNC scrubbing logs showing the federal + state DNC databases were queried at dial-time and returned no match for the plaintiff
• Cease-communication audit logs showing that any opt-out requests were honoured within the SLA
• Calling-window logs showing the call was within 8am-9pm recipient local time with state overrides applied
• Sub-processor disclosure showing the AI vendor was contractually compliant under the BAA / MSA

What loses: vendors whose audit trail can't produce these elements, or whose dial pipeline did not validate them pre-dial.

The 14-day TCPA readiness audit

If you're about to deploy AI calling in the US, run this 14-day pre-deployment audit:

Day 1-3: External counsel reviews your consent flow. Specifically: does the disclosure language meet §64.1200(f)(9)? Is the seller-specificity sufficient? Is the audit trail captured at consent-time?

Day 4-6: Vendor demonstrates the per-call pre-dial validation chain (steps 1-8 above) on a sandbox. You verify each step fires before any call is initiated.

Day 7-9: Vendor produces a sample audit row for a test call. External counsel reviews format and confirms court-admissibility — can this row be produced for a subpoena in 5 business days?

Day 10-12: State-specific overlays are reviewed for any states with material call volume. Florida, California, Washington, Oklahoma, Maryland get extra scrutiny.

Day 13-14: Steering committee + General Counsel sign off. Pilot deployment goes live at limited volume.

Bottom line

TCPA express written consent for AI calling in the US in 2026 is a high-bar but knowable compliance threshold. Sellers who treat the disclosure language, consent capture, audit trail, and pre-dial validation chain as configurable optional best-practices will face TCPA class actions they can't defend. Sellers who treat them as mandatory dial-pipeline requirements — automated, audited, reviewable by counsel within 5 business days — operate with statistical safety in a litigious environment. The vendor selection bar is whether the AI calling platform builds the validation chain into the dial pipeline by default, with audit-row reproducibility that meets §64.1200(f)(9), and with state-specific overlay configuration for Florida, California, Washington and the other consequential mini-TCPA frameworks.

If you'd like the 14-day TCPA readiness audit templated, the consent-language template adapted to your seller and call purpose, or a sandbox demonstration of the pre-dial validation chain on your CRM, talk to us at caller.digital/us. We run this evaluation with US SaaS, fintech, healthcare, and retail clients every month.

Deeper reads: /us (US sub-site overview), /us/use-cases/past-due-collections (FDCPA + TCPA in collections), /us/pricing (USD outcome-based pricing with TCPA compliance included), original TCPA AI calling deep-dive blog.