Compliance
January 4, 2026

AI voice agent compliance. TCPA, GDPR, EU AI Act explained

TL;DR

Three regulations cover AI voice in 2026: TCPA (US), GDPR (EU), and the EU AI Act (extra-territorial). Here's what each requires, which obligations are a real risk versus a paper concern, and how Callsy handles each by default so you don't have to architect compliance yourself.

TCPA (US). The practical risks

The Telephone Consumer Protection Act is the US federal law governing telemarketing, automated dialers, and SMS. Penalties: $500–$1,500 per violation. Class actions are common.

The critical distinction: TCPA differentiates between marketing and informational/transactional contact. A cold marketing call to a prospect requires prior express written consent. An abandoned-cart recovery call to a customer who entered their phone at checkout typically qualifies for the transactional/informational carve-out.

  • Marketing call to a cold list → strict express written consent required
  • Cart recovery / order update / appointment confirmation → transactional carve-out generally applies
  • Quiet hours rule. No calls before 8am or after 9pm in recipient's local time
  • Opt-out. Must honor 'stop' requests instantly, cross-channel

GDPR (EU). Your standard SaaS compliance

GDPR governs personal data of EU residents. AI voice triggers all the standard SaaS obligations: lawful basis (contract or legitimate interest), data minimization, processor agreements, breach notification, right to erase.

What matters operationally: your voice vendor must be a GDPR-compliant processor with a signed DPA, a published sub-processor list (annex), and EU data residency options. Callsy ships all three by default; lower-tier vendors often skip the DPA and only add it under enterprise contracts.

EU AI Act. The new one for 2025–2026

The EU AI Act came into force in 2025 with phased compliance. AI voice agents fall into the 'transparency' tier: they're not classified as 'high-risk' (unlike, say, AI used in hiring), but they do require:

  • Explicit disclosure at the start of any voice interaction that the user is talking to an AI
  • Disclosure in the user's language
  • Logged disclosure (for audit)

What Callsy handles by default

Out of the box, every Callsy agent ships with:

  • TCPA quiet hours respected by recipient timezone
  • Cross-channel instant opt-out (voice 'stop' / SMS 'STOP' / WhatsApp 'STOP')
  • Pre-wired AI disclosure in every call's opening line, in the customer's language
  • DPA + annex + EU data residency available on signup
  • Audit logs for every disclosure, every opt-out, every consent reference
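The TCPA rules above (quiet hours by recipient timezone, instant cross-channel opt-out, written consent for marketing) and the EU AI Act disclosure-and-log requirement reduce to a small pre-dial gate. The following is an added illustration, not Callsy's code: the brand name, disclosure wording, phone numbers and purpose labels are constructed, and treating exactly 9pm as already closed is a conservative choice made here, not something the rule text specifies.

```python
"""Pre-dial compliance gate for an AI voice agent (illustrative example, not Callsy code)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

# TCPA quiet-hours window, evaluated in the recipient's local time:
# no calls before 8am or after 9pm. 9pm itself is treated as closed (assumption).
QUIET_START = time(8, 0)
QUIET_END = time(21, 0)

# Contact purposes that fall under the transactional/informational carve-out (labels constructed)
TRANSACTIONAL = {"cart_recovery", "order_update", "appointment_confirmation"}

# Opt-out keyword honoured on every channel (voice 'stop' / SMS 'STOP' / WhatsApp 'STOP')
OPT_OUT_WORDS = {"stop"}

# Constructed disclosure lines per language; wording is an assumption, not legal text
DISCLOSURES = {
    "en": "Hi, this is an automated AI assistant calling on behalf of {brand}.",
    "de": "Hallo, hier spricht ein automatisierter KI-Assistent im Auftrag von {brand}.",
    "fr": "Bonjour, ceci est un assistant IA automatisé qui appelle de la part de {brand}.",
}


def utc(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Build a timezone-aware UTC timestamp (helper so callers never pass naive datetimes)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class ComplianceGate:
    brand: str
    opted_out: set[str] = field(default_factory=set)    # one registry shared by all channels
    audit_log: list[dict] = field(default_factory=list)  # append-only record for auditors

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"event": event, **fields})

    def inbound_message(self, phone: str, channel: str, text: str) -> bool:
        """Honour 'stop' from any channel immediately; returns True if the number was opted out."""
        if text.strip().lower() in OPT_OUT_WORDS:
            self.opted_out.add(phone)
            self._log("opt_out", phone=phone, channel=channel)
            return True
        return False

    def may_dial(self, phone: str, tz: str, now_utc: datetime, purpose: str,
                 written_consent: bool = False) -> tuple[bool, str]:
        """Decide whether a call may be placed right now; every refusal is logged with its reason."""
        if now_utc.tzinfo is None:
            raise ValueError("now_utc must be timezone-aware")
        if phone in self.opted_out:
            return self._refuse(phone, "opted_out")
        local = now_utc.astimezone(ZoneInfo(tz))          # quiet hours are the recipient's, not ours
        if not (QUIET_START <= local.time() < QUIET_END):
            return self._refuse(phone, f"quiet_hours local_time={local.strftime('%H:%M')}")
        if purpose not in TRANSACTIONAL and not written_consent:
            return self._refuse(phone, "marketing_without_written_consent")
        basis = "transactional_carve_out" if purpose in TRANSACTIONAL else "express_written_consent"
        self._log("dial_allowed", phone=phone, purpose=purpose, basis=basis)
        return True, basis

    def _refuse(self, phone: str, reason: str) -> tuple[bool, str]:
        self._log("dial_refused", phone=phone, reason=reason)
        return False, reason

    def opening_line(self, phone: str, language: str) -> str:
        """Return the AI disclosure the agent speaks first, and log that it was delivered."""
        lang = language.split("-")[0].lower()              # "de-DE" -> "de"
        fallback = lang not in DISCLOSURES                 # flagged so auditors can spot gaps
        text = DISCLOSURES.get(lang, DISCLOSURES["en"]).format(brand=self.brand)
        self._log("ai_disclosure", phone=phone, language=lang, fallback=fallback)
        return text


if __name__ == "__main__":
    gate = ComplianceGate(brand="Example Store")
    now = utc(2026, 1, 4, 12, 30)                          # 04:30 in Los Angeles, 13:30 in Berlin
    print(gate.may_dial("+1-555-0100", "America/Los_Angeles", now, "cart_recovery"))
    print(gate.may_dial("+49-555-0100", "Europe/Berlin", now, "cart_recovery"))
    gate.inbound_message("+49-555-0100", "sms", "STOP")
    print(gate.may_dial("+49-555-0100", "Europe/Berlin", now, "cart_recovery"))
    print(gate.opening_line("+49-555-0100", "de-DE"))
    for entry in gate.audit_log:
        print(entry)
```

The gate keys opt-outs by phone number rather than by channel, which is what makes a 'STOP' over SMS block a later voice call; the audit log records both the refusals and the disclosures, which is the evidence the EU AI Act transparency tier expects you to be able to produce.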

What you still need to do

Three things compliance doesn't outsource:

  • Confirm your phone collection at checkout has the right consent text for your jurisdictions
  • Decide your lawful basis (contract for paying customers, legitimate interest for cart abandoners; most stores use both)
  • Have a written privacy notice that mentions voice as a contact channel

Key takeaways

  1. TCPA covers the US. The transactional/informational carve-out applies to most e-com voice
  2. GDPR is standard SaaS compliance. Sign the DPA, choose EU residency if needed
  3. The EU AI Act requires AI disclosure on every call. Callsy ships this by default
  4. Compliance is mostly vendor-handled; you still own consent collection and the privacy notice
