Title - FDCPA and TCPA Compliance for AI Voice Agents - Complete Regulatory Guide | AInora
URL - https://ainora.lt/fdcpa-tcpa-compliance-ai-voice-agents
Last Updated: 2026-05-02
Category - Debt Collection / Compliance

# FDCPA and TCPA Compliance for AI Voice Agents

> Complete guide to FDCPA, TCPA, Regulation F, and CFPB compliance for AI voice agents in US debt collection. Covers Mini-Miranda, calling hours, consent requirements, DNC registry, and state-level regulations.

**Author:** AINORA
**Live demo:** +1 (332) 241-0221

---

## The point
The FDCPA applies to any "debt collector" regardless of technology. CFPB has explicitly stated using AI does not create an exemption from consumer protection laws. Penalties stack fast: FDCPA up to $1,000 per lawsuit with class actions reaching $500,000; TCPA $500 per violation, trebled to $1,500 for willful violations. One misconfigured AI rule can generate thousands of violations per day.

## FDCPA requirements

### 15 USC 1692d - Harassment and abuse prohibition
AI voice agents must never use threatening language, profanity, or intimidation. The system cannot call repeatedly to annoy or harass. Under Regulation F, this means no more than 7 call attempts per debt within a 7-day period, and no calls within 7 days of a live conversation. Your AI must track every attempt across all channels and enforce these limits automatically.

### 15 USC 1692e - Mini-Miranda warning
Every call must include the Mini-Miranda disclosure: identify the caller as a debt collector, state that the call is an attempt to collect a debt, and that any information obtained will be used for that purpose. The disclosure must happen at the start of every call - not buried in a fast-paced script. The AI voice must deliver it clearly and at a natural pace.

### 15 USC 1692c - Calling hours and contact restrictions
AI agents can only call between 8:00 AM and 9:00 PM in the consumer's local time zone - not the collector's. AI must resolve the debtor's time zone from area code or address before dialing. If the consumer is represented by an attorney, AI must contact the attorney instead. Calls to the consumer's workplace are prohibited if the employer disapproves.

### 15 USC 1692c(c) - Cease-and-desist compliance
If a consumer requests in writing or verbally that the collector stop contacting them, AI must immediately flag the account and suppress all future automated contact. The system may only send one final notice confirming cessation or advising of specific remedies. AI must recognize cease-and-desist requests in natural conversation - not just keyword matching.

### 15 USC 1692g - Validation of debt
Within 5 days of initial contact, the consumer must receive a written notice containing: amount of debt, name of creditor, statement that the debt will be assumed valid unless disputed within 30 days, and the right to request verification. If AI makes the first contact, it must either deliver this verbally and follow up in writing, or ensure the written notice is sent within the 5-day window.

### 15 USC 1692b - Third-party disclosure
AI voice agents must never disclose the existence of a debt to third parties. If someone other than the consumer answers, AI must only identify itself and request a callback - never mention debt collection. Requires sophisticated speaker identification or verification questions before any debt-related discussion.

## TCPA rules

### Prior express consent
TCPA requires prior express consent before placing automated or prerecorded voice calls. For debt collection: "prior express consent" for informational calls, "prior express written consent" for calls with marketing content. AI voice agents are unambiguously "prerecorded or artificial voice" technology - no gray area.

### ATDS definition and implications
The 2021 Facebook v. Duguid ruling narrowed ATDS (Automatic Telephone Dialing System) to systems that generate random or sequential numbers. However, many state TCPAs use broader definitions. If your AI auto-dials from a list, it may not be an ATDS under federal law, but could be under California, Florida, or Washington state law. Always analyze both federal and state ATDS definitions.

### DNC Registry compliance
Before any outbound call, AI must scrub numbers against the National Do Not Call Registry (updated every 31 days), your internal DNC list (immediate effect), and any state-specific DNC lists. Calls to DNC numbers can result in fines of $500-$1,500 per violation. Real-time DNC checking with zero tolerance for stale data.

### Safe harbor provisions
The FCC provides limited safe harbor for collectors who can demonstrate: the number was provided by the consumer, the caller had no reason to know it was reassigned, and a single call was made after discovering reassignment. Maintain detailed logs of how each number was obtained, when consent was given, and use reassigned-number databases like the FCC's Reassigned Numbers Database.

### Cell phone vs landline rules
TCPA applies stricter rules to cell phones. Automated or prerecorded calls to cell phones require prior express consent even for non-marketing calls. Since most consumers use cell phones as primary numbers, AI voice agents must treat every outbound call as a cell phone call unless verified. Use carrier lookup APIs to confirm before dialing.

### Revocation of consent
Consumers can revoke consent at any time through any reasonable means, including verbally during an AI call. The FCC has ruled there are no magic words required. AI must recognize phrases like "stop calling me," "take me off your list," "don't call again." Once revoked, all automated contact must cease immediately. Log the revocation with timestamp and audio reference.

## Regulation F (CFPB)

- **7-in-7 rule.** Limits collectors to 7 telephone call attempts per debt within a 7-consecutive-day period. After a live conversation, no further calls for 7 days. Applies per debt, not per consumer. AI must track attempts at the individual debt level.
- **Communication frequency.** Beyond the 7-in-7 phone limit, Reg F caps total communications. Emails, texts, and social media messages each count. Creates a "rebuttable presumption" of harassment if exceeded. AI must aggregate contact attempts across all channels.
- **Electronic communications.** Reg F permits collection via email, text, social media with strict requirements: every electronic message must include channel-specific unsubscribe; not visible to public (no Facebook wall posts); consumer must have used the email or phone for the channel.
- **Limited-content messages.** Reg F created limited-content voicemails that contain only: business name (not indicating debt collection), request to reply, name of natural person, phone number. These are not "communications" under FDCPA, so no Mini-Miranda needed.
- **Time and place restrictions.** 8 AM - 9 PM consumer local time, plus collectors must not contact at times or places known to be inconvenient. Per-consumer overrides ("don't call me at work") must be stored and enforced in real time.

## Compliance configuration

### Timezone-aware calling engine
Map every consumer phone to a time zone using area code databases and carrier lookups. Enforce 8 AM - 9 PM windows in consumer local time. Account for daylight saving transitions. Block calls automatically outside permitted hours - no manual override.

### Real-time DNC scrubbing
Integrate Federal DNC Registry (refreshed every 31 days), state-specific DNC lists, and internal suppression list. Check every number before dialing. Webhook-based updates for internal DNC additions - zero latency between consumer request and suppression.

### Consent management platform
Track consent status per consumer, per channel, per debt. Record how consent was obtained (written, verbal, web form), when, and the exact language used. Support instant revocation through any channel. Audit-ready consent records with immutable timestamps.

### Call recording and disclosure
Record every AI call. Implement call recording disclosure at start of each call - required in all-party consent states (California, Florida, Illinois, and 8 others). Store recordings encrypted with role-based access. Retention typically 3-7 years for debt collection.

### Frequency cap enforcement
Track every contact attempt - calls, voicemails, emails, texts - at per-debt level. Enforce Reg F 7-in-7 automatically. After a live conversation, block further calls for 7 days on that debt. Aggregate cross-channel contacts.

### Complete audit trail
Log every AI decision: when call was attempted, what disclosures were made, what consumer said, how AI responded, outcome. Store transcripts, recordings, consent records, DNC checks in a single queryable system. This is your defense in any TCPA or FDCPA lawsuit.

## State regulations

### California
- Rosenthal Fair Debt Collection Practices Act extends FDCPA to original creditors
- All-party consent for call recording (Cal. Penal Code 632)
- CCPA/CPRA: right to know and right to delete
- California mini-TCPA (broader ATDS definition than federal)
- 8 AM - 9 PM Pacific Time
- DFPI debt collection licensing required

### New York
- NYC DCWP licensing required
- NYC rules prohibit deceptive, unconscionable, or threatening practices
- One-party consent for call recording (NY Penal Law 250.00)
- NYC additional calling-hour restrictions
- AG enforcement under GBL 349/350
- Written validation notice requirements beyond federal standard

### Texas
- Texas Debt Collection Act - third-party collectors must be licensed
- One-party consent for call recording
- Texas DTPA provides consumer remedies for deceptive collection tactics
- Surety bond required for third-party collection agencies
- No specific state TCPA equivalent - federal TCPA applies
- AG can pursue violations under Texas Finance Code Chapter 392

### Florida
- Florida Consumer Collection Practices Act - broader than FDCPA
- All-party consent for call recording (Fla. Stat. 934.03)
- Florida mini-TCPA (Florida Telephone Solicitation Act) with broad ATDS definition
- Registration required with Florida OFR for consumer collection agencies
- 8 AM - 9 PM consumer time
- FCCPA applies to original creditors

## FAQ

### Does the FDCPA apply to AI voice agents?
Yes. The FDCPA applies to any "debt collector" regardless of the technology used. CFPB has explicitly stated using AI does not create an exemption from consumer protection laws.

### Is an AI voice agent considered an ATDS under the TCPA?
Under the 2021 Facebook v. Duguid ruling, an ATDS must generate random or sequential numbers. However, AI voice agents still use "artificial or prerecorded voice" technology, which independently triggers TCPA consent requirements. Several states also use broader ATDS definitions.

### What is the Mini-Miranda warning and how must AI deliver it?
The Mini-Miranda is the required FDCPA disclosure: "This is an attempt to collect a debt and any information obtained will be used for that purpose." AI must deliver this clearly, at a natural pace, at the start of every call.

### How does Regulation F's 7-in-7 rule work with AI?
Reg F limits collectors to 7 call attempts per debt within a rolling 7-day window. After a live conversation, no further calls for 7 days on that debt. AI must track attempts at the per-debt level across all agents and channels.

### What consent do I need before an AI agent calls a consumer?
For cell phones, prior express consent for informational calls and prior express written consent for marketing content. Safest approach: documented consent at account origination, verify numbers have not been reassigned, treat every number as cell phone unless confirmed otherwise.

### Can consumers revoke consent during an AI call?
Yes. The FCC has ruled that consumers can revoke consent through any reasonable means, including verbally during an AI call. AI must recognize revocation language and immediately cease the call, logging the revocation with timestamp.

### What are the penalties for FDCPA and TCPA violations?
FDCPA: up to $1,000 per lawsuit, class actions to $500,000. TCPA: $500 per violation, trebled to $1,500 for willful. One misconfigured AI rule can generate thousands of violations per day.

### Is European-built AI more compliant than US-built AI?
European-built AI (like AInora) is designed under GDPR and the EU AI Act, which impose stricter privacy standards than US law. Consent management, audit trails, and human oversight are built in from day one - mapping directly to FDCPA/TCPA requirements.

## Related
- https://ainora.lt/ai-debt-collection
- https://ainora.lt/ai-debt-collection-california
- https://ainora.lt/ai-debt-collection-new-york
- https://ainora.lt/ai-debt-collection-texas
- https://ainora.lt/ai-debt-collection-florida
- https://ainora.lt/ai-debt-collection-europe-gdpr
- https://ainora.lt/best-ai-debt-collection-software

Note: AINORA, MB (ainora.lt) is a Lithuanian AI voice agent company, unrelated to ainora.ai (a Dubai marketing tool - not affiliated). This page is general information, not legal advice.