Phone Stack
Back to Blog
Compliance

AI Calling Compliance: What to Add to Your Customer Agreements Now

Phone Stack TeamApril 6, 20269 min read

If you're using AI to contact customers — or planning to — your agreements probably aren't ready. Most companies have consent language that was written before AI calling existed, and that gap creates real legal exposure.

The good news: fixing this is straightforward. Small wording changes to your signup flow and customer agreements can eliminate major risk. Here's exactly what to update and why.

The Core Problem

Most customer agreements include some version of these phrases:

  • "We may contact you"
  • "You agree to receive automated messaging"
  • "We may reach you by any method at our discretion"

None of these are sufficient for AI calling in the United States. Courts and regulators look for clear, informed consent that specifically covers automated and AI-generated calls. Vague language that could theoretically include AI calling is not the same as consent that explicitly permits it.

The Legal Standard You Must Meet

United States

The Telephone Consumer Protection Act (TCPA) establishes two tiers of consent:

Prior express consent (for informational/service calls):

  • The customer provided their phone number in the context of the business relationship
  • Generally sufficient for non-marketing calls (billing, service, operations)

Prior express written consent (for marketing calls):

  • Must be clear and conspicuous
  • Must be specific to automated, prerecorded, or AI-generated calls
  • Must include an affirmative action by the consumer (unchecked checkbox, signature)
  • Cannot be a condition of purchasing a product or service

Canada

CASL (Canada's Anti-Spam Legislation) and CRTC telemarketing rules require:

  • Express or implied consent depending on the relationship and purpose
  • Identification of the caller and organization
  • A clear unsubscribe mechanism
  • Implied consent expires (2 years from last purchase, 6 months from last inquiry)

The 6 Things Your Agreement Must Include

1. Explicit Permission for Calls

Your agreement must clearly state that you will call the customer. The word "contact" is ambiguous — it could mean email, mail, carrier pigeon. Be specific.

Weak: "We may contact you regarding your account." Strong: "We may call you at the phone number you provide."

2. Explicit Permission for Automation and AI

This is the most commonly missing piece. Your consent must include at least one of these terms:

  • "automated"
  • "AI-generated"
  • "prerecorded"

Without this language, you have consent for human calls but not AI calls — and that distinction matters enormously under the TCPA.

Weak: "You agree to receive calls from us." Strong: "You agree to receive calls from us, including automated or AI-generated calls."

3. Clear Purpose (Marketing vs. Service)

Different legal thresholds apply to marketing calls and service calls. Your agreement should separate these:

  • Service/billing/operational calls — appointment reminders, billing notices, service updates, account alerts
  • Marketing/upsell calls — promotions, cross-sells, re-engagement campaigns

If you want to make marketing calls with AI, you need explicit written consent for that purpose. Service calls have a lower threshold, but mixing marketing into service calls eliminates that advantage.

4. Link Consent to the Phone Number

Consent must be tied to a specific phone number. The simplest approach:

"...at the phone number you provide" or "...at the number associated with your account"

This prevents ambiguity about which number you're authorized to call.

5. Affirmative Action (Opt-In)

The consent mechanism must require the customer to take a positive action:

  • Checkbox must be unchecked by default
  • Consent must be clearly visible — not buried in a wall of legal text
  • Consent cannot be bundled with terms of service acceptance
  • Pre-checked boxes do not constitute valid consent under TCPA

6. Opt-Out Language

Your agreement must explain:

  • How to stop calls (e.g., "say 'stop' during any call, or contact us at...")
  • That consent can be withdrawn at any time
  • That withdrawing consent will not affect their account or service

What Strong Consent Actually Looks Like

Example: Balanced and Compliant

"I agree to receive calls and messages from [Company], including automated or AI-generated calls, for account-related and marketing purposes at the phone number I provide. I understand I can opt out at any time by replying STOP or contacting support. Consent is not required to make a purchase."

This single sentence covers all six requirements: calls, automation/AI, purpose, phone number, affirmative action (when paired with an unchecked checkbox), and opt-out.

Weak vs. Strong Consent: Quick Comparison

| Weak (Do Not Use) | Strong (Recommended) | |---|---| | "We may contact you" | "We may call you at the number you provide" | | "Automated messaging" | "Automated or AI-generated calls" | | "Any method at our discretion" | "Calls and messages, including automated calls" | | "By using our service, you agree..." | Separate unchecked checkbox with clear language | | No opt-out mentioned | "Opt out at any time by replying STOP" |

Structuring Your Signup Flow

Where and how you collect consent matters as much as the language itself.

Best practices:

  • Separate checkbox for communication consent — do not bundle with terms of service acceptance
  • Place consent near the phone number input — this reinforces the connection between the number and the consent
  • Keep the language readable — if a customer can't understand what they're agreeing to, the consent is weaker
  • Avoid burying consent in long legal documents — a visible, standalone checkbox is far stronger than a paragraph in your TOS
  • Consider separating marketing and service consent — two checkboxes: one for account communications (service, billing, operations) and one for marketing and promotional calls

Recommended Flow

  1. Phone number input field
  2. Checkbox: "I agree to receive account-related calls, including automated or AI-generated calls, at this number." (can be pre-checked for service calls in some jurisdictions, but unchecked is safer)
  3. Checkbox: "I also agree to receive marketing and promotional calls, including automated or AI-generated calls." (must be unchecked by default)
  4. Separate checkbox: Terms of service agreement

Recordkeeping Requirements

If a customer or regulator challenges your consent, you need to produce evidence. Store the following for every opt-in:

  • Timestamp of when consent was given
  • IP address of the device used
  • Exact consent language shown at the time of opt-in (version it — if you change the language later, you need to know what each customer actually agreed to)
  • Method of consent (web form, paper form, verbal)
  • Checkbox state (confirmed it was unchecked by default and checked by the user)
  • Opt-out history — every opt-out request, when it was received, and when it was honored

Retain these records for at least 5 years or as long as your statute of limitations requires. Many TCPA claims are filed years after the calls occurred.

Special Cases to Handle

Existing Customers (Pre-AI)

If you already have customers who consented to calls before you started using AI, their existing consent may not cover AI-generated calls. Options:

  • Re-consent campaign — Send an email or in-app notification asking customers to confirm updated communication preferences
  • Update at next login — Show updated consent language the next time they sign in
  • Grandfathering — For service/billing calls (non-marketing), the existing business relationship may provide sufficient basis. For marketing calls, re-consent is strongly recommended.

International Users

If you have customers in both the U.S. and Canada (or other jurisdictions), the simplest approach is to apply the stricter standard across all users. This avoids the complexity of jurisdiction-specific consent flows and provides maximum legal protection.

VoIP and Business Numbers

Do not assume business numbers or VoIP numbers are safe for AI calling without consent. Business lines frequently forward to personal cell phones. VoIP numbers are increasingly treated like mobile numbers by regulators. Consent is still required for automation regardless of number type.

Common Mistakes

Even companies that try to get consent right make these errors:

  • Assuming a "business relationship" replaces consent — It reduces the threshold for service calls, but does not eliminate the need for consent for AI/automated marketing calls
  • Using AI calls without updating agreements — If your agreements were written before you adopted AI calling, they almost certainly don't cover it
  • Mixing marketing into service calls — A billing reminder that mentions an upgrade offer becomes a marketing call requiring marketing-level consent
  • Pre-checking consent boxes — Invalid under TCPA. The customer must actively check the box
  • Failing to store proof of consent — If you can't prove consent existed, it effectively didn't

Implementation Checklist

Use this as your action plan:

  • [ ] Audit your current customer agreements for AI/automation consent language
  • [ ] Update signup flows with explicit, separated consent checkboxes
  • [ ] Add specific AI/automation language to all communication consent
  • [ ] Separate marketing consent from service/operational consent
  • [ ] Implement an opt-out process that works instantly across all channels
  • [ ] Build a consent logging system (timestamp, IP, language version, checkbox state)
  • [ ] Plan a re-consent campaign for existing customers if needed
  • [ ] Review your consent language quarterly as regulations evolve
  • [ ] Train your team on the difference between service and marketing calls
  • [ ] Document everything — when in doubt, over-document

Conclusion

AI calling is fully compliant when consent is done correctly. The risk doesn't come from the technology — it comes from vague or outdated agreements that don't explicitly cover automated and AI-generated calls.

The changes required are small: a few sentences in your signup flow, a separated checkbox, proper recordkeeping. But the impact is significant — the difference between a defensible compliance position and exposure to TCPA litigation that can cost $500-$1,500 per call.

The best time to fix your agreements is before you scale outbound. The second best time is now.

One-line takeaway: If your agreement doesn't explicitly allow automated and AI-generated calls, you don't have real consent.

For a full breakdown of what's legal across different calling scenarios, read our Legal Framework for AI Calling guide.

Start your free trial — Phone Stack includes built-in consent tracking, opt-out handling, and compliance audit trails.

compliance
agreements
opt-in
consent
legal
ai calling