AI receptionist compliance is not a checkbox you skip on the way to going live. As of 2025, the FCC has tightened its one-to-one consent rule, carriers block unregistered SMS numbers without warning, and eleven states require all-party consent before recording a call. The fines are real. ‘I didn’t know’ is not a defense the FCC accepts.
Key Takeaways:
- TCPA violations carry statutory damages of $500–$1,500 per illegal call or text, per the FCC, a single bad SMS blast to 500 contacts can cost $750,000.
- A2P 10DLC registration is required by all major US carriers for business-to-consumer text messaging; unregistered numbers face filtering or outright blocking, not just fines.
- Eleven US states require all-party consent for call recording, deploying an AI answering service across state lines without checking your recording disclosure exposes you to state-level liability that TCPA does not govern.
Is an AI Receptionist Legal? The Short Answer (and the Long One)
An AI answering service is a system that handles inbound calls, captures caller information, books appointments, and in many configurations sends follow-up texts, all without a human on the line. This means ‘is it legal?’ is the wrong question. The right question is: which laws apply to which parts of the system, and are you operating within them?
AI customer service for small business sits inside a regulatory stack, not outside it. Federal law governs automated calling and texting through the Telephone Consumer Protection Act (TCPA), enforced by the FCC. State law governs call recording through wiretapping statutes, enforced by state attorneys general. HIPAA governs protected health information, enforced by the HHS Office for Civil Rights. Each framework is independent. Complying with one does not exempt you from the others.
Here is the practical picture. AI receptionists that answer inbound calls are legal under federal law. The mechanics layered on top, recording the call, sending an AI-triggered SMS after the call, auto-dialing outbound, storing caller health information, each triggers a separate regulatory framework. That is the compliance posture question every small-business owner needs to answer before going live.
The TCPA was enacted in 1991 and has been amended multiple times, most recently with FCC one-to-one consent rule changes effective January 2025 per FCC rulemaking. Those changes matter specifically because many SMBs built their consent capture on blanket marketing-partner checkboxes that no longer satisfy the standard.
This article maps those frameworks: TCPA rules for AI calls and texts, A2P 10DLC registration for business SMS, call-recording consent by state, and HIPAA considerations for medical and dental businesses. Each section points toward the dedicated content that goes deeper on that topic. None of this article is legal advice. Consult a communications attorney familiar with your state and industry before deploying any AI call or text system.
TCPA Basics: What the Law Actually Requires for AI Calls and Texts
The TCPA restricts automated calls and texts to consumers without prior express consent. That is the statute’s core obligation. What counts as ‘automated,’ what counts as ‘consent,’ and what counts as a ‘consumer’ are where most small businesses run into trouble.
Four requirements matter most for SMB AI deployments.
Prior express written consent for marketing texts. Before sending any promotional or marketing text via an AI SMS system, you need written consent from the recipient. A verbal ‘sure, text me’ during a phone call does not qualify. Valid consent requires a written record, a clear disclosure of what the customer is agreeing to receive, and the customer’s signature or electronic equivalent, per 47 U.S.C. § 227.
Informational versus promotional texts. Not every text carries the same consent burden. Appointment confirmations, service reminders, and transactional updates for a service the customer already requested carry a lower bar, prior express consent rather than prior express written consent. The distinction matters for AI answering service deployments that auto-send confirmations after booking. The moment a text includes a promotional offer, a discount, or a cross-sell, you have crossed into written-consent territory.
Do-Not-Call registry obligations. The National Do Not Call Registry applies to outbound AI calls. Businesses must scrub outbound call lists against the registry and must honor internal do-not-call requests within 30 days, per FCC rules. The established business relationship exception exists, but it is narrower than most SMBs assume: it applies for 18 months after a purchase or transaction and 3 months after an inquiry, and it does not override a consumer’s direct opt-out request.
Statutory damages stack fast. TCPA statutory damages run $500 per violation for negligent violations, up to $1,500 per willful violation, per 47 U.S.C. § 227(b)(3). These are per-call and per-text figures. An SMS campaign to 500 unverified contacts without documented consent does not produce one $500 fine. It produces 500 potential violations.
The compliance picture for AI SMS is distinct from the compliance picture for AI calls, the dedicated TCPA article on AI calls covers outbound dialing rules and the reassigned-number problem in detail. For now, the table below maps common SMB use cases to their consent requirement and risk level.
| Use Case | Consent Required | Consent Type | Risk if Missing |
|---|---|---|---|
| Inbound call answered by AI | None for answering | N/A | Low (but recording triggers separate rules) |
| Appointment confirmation text | Prior express consent | Verbal or written OK | Medium, civil TCPA claim possible |
| Marketing/promotional text via AI SMS | Prior express written consent | Written only | High, $500–$1,500 per text |
| Outbound AI call to existing customer | Prior express consent | Verbal or written | High if DNC registry not scrubbed |
| Outbound AI call to new lead | Prior express written consent | Written only | Very high, no relationship established |
| Missed-call follow-up text | Prior express written consent | Written only | High if consent not captured at opt-in |
Consult a communications attorney before deploying any outbound AI call or text campaign. The table above is an orientation, not a compliance sign-off.
A2P 10DLC: What It Is and Why Unregistered Numbers Get Blocked
A2P 10DLC registration enables business SMS delivery on major US carrier networks. A2P stands for Application-to-Person. 10DLC stands for 10-Digit Long Code, the standard local-looking phone number that businesses use for texting. The registration standard was mandated by US carriers, AT&T, T-Mobile, and Verizon, through an industry body called The Campaign Registry (TCR). The Campaign Registry launched A2P 10DLC in 2021, and by 2023 all major US carriers required registration for business SMS on 10-digit numbers, per CTIA industry guidelines.
This means two things. First, registration is not optional if you want your texts to arrive. Second, registration and TCPA compliance are separate obligations that stack on top of each other. Registering your number does not make a non-compliant message legal under TCPA.
What happens to unregistered numbers is the part most guides bury. Carriers do not wait for a regulatory finding before acting. They filter and block SMS traffic from unregistered 10-digit numbers at the network level. Your messages do not bounce with an error. They disappear. Customers never see them, you never see a failure notice, and your AI SMS system appears to be working while producing zero results. That is the practical risk SMBs face before any regulatory penalty enters the picture.
CTIA guidelines also govern content standards for A2P messaging. Required opt-out keywords (STOP, CANCEL, UNSUBSCRIBE) must be honored. Prohibited content categories include firearms sales, cannabis, hate speech, and certain financial services. Violating content standards can result in carrier-level suspension of your messaging campaign independent of any FCC action.
The A2P 10DLC registration walkthrough, including how to handle campaign vetting for specific use cases like appointment booking, is covered in the dedicated A2P 10DLC registration article. The steps below are the sequence every business needs to complete before sending a single AI-triggered text.
- Register your business brand with The Campaign Registry (TCR) by submitting your legal business name, EIN, and business type.
- Create a messaging campaign within TCR that describes your specific use case, appointment reminders, lead follow-up, customer service, or other category.
- Link the approved campaign to the specific phone number or numbers your AI SMS system will send from.
- Submit the campaign for carrier vetting and await approval from each major carrier before sending any traffic.
- Configure required opt-out handling so that any customer who texts STOP is immediately removed from future AI-triggered messages.
Call Recording Consent: The State-by-State Rule That Catches Businesses Off Guard
Call-recording consent laws vary by state, creating multistate liability exposure for any AI answering service that records calls. The federal baseline is one-party consent under the Electronic Communications Privacy Act (ECPA), which means the business itself can count as the consenting party. Under federal law alone, recording a call you are a party to is legal without telling the other person.
That federal floor does not protect a business operating in an all-party consent state. Eleven states require every party on a call to consent before recording begins. California’s Penal Code § 632 is the most litigated version of this requirement. Civil penalties under California’s Invasion of Privacy Act can reach $5,000 per violation. A Phoenix HVAC company that runs Google ads targeting Californians and records those inbound AI-handled calls without a disclosure is not covered by Arizona’s one-party consent rule. California law follows the caller.
The dedicated article on Arizona call recording laws covers the specific framework for in-state calls in detail. For businesses with any national reach, the state-by-state picture below is where to start.
| State | Consent Rule | Key Statute | Notes |
|---|---|---|---|
| California | All-party | Penal Code § 632 | Most litigated; civil penalties up to $5,000/violation |
| Connecticut | All-party | C.G.S. § 52-570d | Applies to in-state parties |
| Florida | All-party | Fla. Stat. § 934.03 | Felony criminal exposure for willful violations |
| Illinois | All-party | 720 ILCS 5/14-2 | Eavesdropping Act; broad application |
| Maryland | All-party | Md. Code Cts. & Jud. Proc. § 10-402 | Applies to wire and oral communications |
| Massachusetts | All-party | M.G.L. c. 272 § 99 | Criminal penalties possible |
| Michigan | All-party | MCL § 750.539c | Applies to private conversations |
| Montana | All-party | Mont. Code Ann. § 45-8-213 | Misdemeanor for first offense |
| Nevada | All-party | NRS § 200.650 | Civil and criminal exposure |
| New Hampshire | All-party | RSA § 570-A:2 | Felony exposure for willful recording |
| Oregon | All-party | ORS § 165.540 | Includes electronic communications |
| Pennsylvania | All-party | 18 Pa. C.S. § 5703 | Wiretapping and Electronic Surveillance Act |
| Washington | All-party | RCW § 9.73.030 | Includes consent for all parties |
The safe practice for any AI answering service is a disclosure played at the start of every AI-handled call: ‘This call may be recorded for quality purposes.’ That language satisfies consent requirements in all states because it gives the caller notice before the recording begins and gives them the choice to continue or end the call. Callers who stay on after a clear disclosure have provided implied consent in all-party states.
AI receptionists that record calls without any disclosure in an all-party state create state-level liability independent of anything TCPA governs. Consult an attorney familiar with your state’s wiretapping statute, and verify your disclosure script before your AI answering service goes live.
HIPAA-Adjacent Caution: What AI Receptionists Can and Cannot Handle for Medical Businesses
HIPAA governs protected health information handled by business associates, including AI systems. Protected Health Information (PHI) is any individually identifiable health information held or transmitted by a covered entity or its business associates, per 45 CFR Parts 160 and 164. This means an AI receptionist handling calls for a dental office, medical clinic, or mental health practice is not automatically exempt from HIPAA just because it is a phone system rather than an electronic health record.
The line that matters most for AI deployments runs through what information the system touches. An AI answering service can route calls, confirm office hours, take a name and callback number for a staff member to return, and tell a caller when the office opens next. None of that crosses into PHI territory if the system does not connect a name to a medical condition, appointment type at a covered entity, insurance detail, or treatment record.
What crosses into PHI: any conversation where the AI captures a caller’s name alongside their diagnosis, medication, test results, specific treatment details, or the nature of their visit at a medical or dental practice. The combination of a name and a health condition is PHI. The AI does not need to store it in a structured database for HIPAA to apply.
Under 45 CFR § 164.308, any third-party vendor handling PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA) with that covered entity before PHI flows through their system. HHS Office for Civil Rights enforces HIPAA penalties up to $1.9 million per violation category per year. Covered entities that skip the BAA requirement and later face a breach face penalties that compound by category and duration.
Dental, medical, and legal clients should ask any AI vendor point-blank whether a BAA is available before going live with a system that will handle patient or client calls. If the vendor cannot or will not sign a BAA, the system should not touch calls where PHI might be exchanged. This is not a question to defer until after deployment. Covered entities should verify BAA availability during vendor evaluation, not after contract signing.
This article does not assess any specific vendor’s HIPAA posture. Consult a HIPAA compliance officer or healthcare attorney before deploying any AI communication system in a covered entity setting.
SMB Compliance Checklist: What to Verify Before Your AI Receptionist Goes Live
An SMB compliance checklist reduces regulatory exposure from AI call and text deployments. The items below map to the five regulatory areas covered in this article. Each item is a verification step, not a legal opinion. This checklist is a starting point and does not substitute for legal counsel from a communications attorney.
Confirm your AI vendor records calls and verify that a disclosure plays at call start. Ask your vendor directly whether calls are recorded and request a sample of the opening disclosure language. If no disclosure exists and your callers may be in all-party consent states, treat this as a live liability issue.
Identify every state your callers may be calling from. If your marketing runs in California, Florida, Illinois, Washington, or any other all-party consent state listed in this article, your call disclosure script must be in place before you go live, not after you accumulate recorded calls.
Confirm A2P 10DLC brand and campaign registration is complete before sending any AI-triggered SMS. Log into The Campaign Registry, verify your brand status, and confirm your campaign has carrier approval. Assuming registration is complete because your vendor set it up is not the same as verifying it yourself.
Audit your SMS consent capture. Trace the exact moment a customer agrees to receive texts from your business. Find the written language they agreed to. Confirm it names your business and describes the type of messages they will receive. A generic ‘I agree to terms’ checkbox does not meet TCPA’s written consent standard.
If your business is a HIPAA covered entity or business associate, ask your AI vendor whether they sign a BAA before any PHI flows through the system. Do this during vendor evaluation, not after you have deployed the system to patient-facing calls.
Review your vendor’s terms of service for TCPA indemnification language. Many SaaS platforms place TCPA liability on the customer, not the vendor. If your vendor’s terms say you are responsible for ensuring compliance with applicable laws, you own that exposure regardless of what the vendor’s sales team told you.
Set a calendar reminder to review your consent language annually. The FCC’s one-to-one consent rule, effective January 2025, requires that consent for AI-generated marketing contacts be obtained for each business specifically. A single checkbox covering ‘marketing partners’ no longer satisfies the standard. Rules change, and consent language that was adequate in 2023 may not be adequate today.
Frequently Asked Questions
Do I need consent before my AI receptionist texts a customer back?
Yes. Under TCPA (47 U.S.C. § 227), sending a marketing or promotional text via an AI system requires prior express written consent from the recipient. Transactional texts, such as appointment confirmations for a service the customer already requested, carry a lower consent bar, but you should document how and when that consent was captured. Consult a communications attorney to review your consent language before deploying any AI SMS campaign.
Is it legal for an AI to answer business calls without telling callers it’s an AI?
Federal law does not currently require AI disclosure on inbound business calls, but the FTC has signaled scrutiny of deceptive AI personas and several states are exploring disclosure mandates. Separately, if your AI records the call, all-party consent states like California and Florida require a disclosure at the start of the call regardless of whether the answering party is human or AI. Playing a brief ‘this call may be recorded’ notice at call start satisfies recording consent requirements in all states and reduces risk on both fronts.
What happens if I send business texts without A2P 10DLC registration?
AT&T, T-Mobile, and Verizon filter and block SMS traffic from unregistered 10-digit numbers at the network level, which means your messages may never reach customers with no error notification on your end. Beyond deliverability, sending commercial texts without proper registration also creates TCPA exposure if those messages lack documented consent. Register your brand and campaign through The Campaign Registry before sending any AI-triggered business texts.
