The detailed breakdown
Why the inbound/outbound distinction matters
TCPA, FCC rules, and state law treat inbound and outbound calls as fundamentally different categories. The same AI voice technology operating in each direction triggers different consent requirements, different disclosure rules, different DNC obligations, and different audit trail expectations.
The classification is determined by who placed the call, not by who initiated the relationship:
- Inbound — the consumer dialed your number. They are physically calling you in this specific moment.
- Outbound — your system dialed their number. You are physically calling them in this specific moment.
This distinction is the entire game. The most common misconception in 2026, and the source of most TCPA violations by AI voice operators in insurance, is described in the next section.
“Inbound leads” are not inbound calls
When an agency markets a “speed-to-lead” AI voice product, the workflow typically looks like this:
- Prospect fills out a form on the agency’s website.
- The agency’s system fires an outbound call to the prospect’s phone number within seconds.
- The AI voice agent runs qualification, books an appointment, hands off to a producer.
This is outbound calling, in every legal sense.
The fact that the prospect filled out a form does not change the call’s classification. The prospect did not dial the agency’s number. The agency dialed the prospect’s number. Full TCPA applies, including the strictest tier of consent (Prior Express Written Consent), the one-to-one consent rule, the federal DNC scrub requirement, the calling-window restrictions, and the per-call statutory damages.
This matters because many agencies operate the speed-to-lead model under the assumption that the form fill itself constitutes consent. In some narrow cases that is true, but only if the consent captured at the form meets every requirement in the outbound section below. A generic “you agree to be contacted” line on a form does not legally authorize an AI voice call in 2026. It also does not authorize the agency to call if the consent named a different entity, such as a lead aggregator the agency bought from.
If you are running a speed-to-lead AI voice product against form-fill leads, you are operating an outbound program and the outbound rules apply in full.
Inbound AI voice agents
When a consumer dials into the agency, they have initiated the contact in real time. This removes most of the TCPA consent framework that governs outbound calling.
What still applies to inbound
AI disclosure laws. Multiple states require disclosure when a consumer is interacting with AI rather than a human, including California (SB 1001), Colorado, Texas (TRAIGA), Washington, Iowa, Oregon, Idaho, Nebraska, Connecticut, Maine, and New York. A single AI disclosure at the start of every call satisfies all of these.
Two-party recording consent. If the AI records the call, and it should, for QA and dispute defense, fourteen states require all-party consent: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Vermont, and Washington. Bundling the recording disclosure into the call opener satisfies this requirement.
Producer licensing. Universal regardless of inbound or outbound. Restrictions described in the “applies to both” section below apply equally to inbound.
State privacy and CCPA/CPRA obligations. The AI is collecting personal information during the call. Standard data handling rules apply, including privacy notice availability, deletion requests honored, data minimization, and reasonable security.
Accessibility (ADA). The AI should handle TTY relay calls and offer a path to a human on request.
What does NOT apply to inbound
- TCPA consent rules
- The FCC’s one-to-one consent rule
- Federal and state DNC registries
- TCPA calling windows
- Autodialer and ATDS rules
- State mini-TCPAs like Florida FTSA, Oklahoma TCPA, Washington’s law
What an inbound AI deployment looks like compliance-wise
The opener handles most of the compliance work in the first ten seconds:
“Thanks for calling [Agency]. This is [name], an AI assistant. This call is being recorded. How can I help?”
That single sentence covers AI disclosure and recording disclosure. Beyond that, the AI operates within the producer licensing wall and hands off substantive conversations to a licensed human.
For inbound-only deployments, the compliance posture is genuinely cleaner than most agencies expect. The TCPA risk surface is essentially zero.
Outbound AI voice agents (including all form-fill callbacks)
When the agency’s system places a call to a consumer, the full TCPA framework activates. This includes any AI voice system that calls back form-fill leads, no matter how recent the form submission or how strong the consumer’s apparent interest.
Outbound is conditional, not default
An outbound AI voice call to a consumer is illegal unless every one of the following conditions is met:
- The consumer provided prior express written consent (PEWC) before the call was placed.
- The consent named the specific agency that placed the call, not a partner network, not an aggregator, not “affiliates.”
- The consent explicitly authorized AI or artificial voice technology, not just “calls” or “automated calls” generically.
- The consent was captured at the time the consumer provided the phone number being called.
- The consent stated that agreement is not a condition of purchase.
- The consent was captured in writing (digital signature, affirmative click, or equivalent, not a pre-checked box).
- The recipient’s phone number is not on the agency’s internal Do Not Call list.
- The call is placed within 8am to 9pm in the recipient’s local time, verified by real-time timezone lookup, not area code inference.
- The agency has logged the consent record and can produce it for any specific call.
If any of these conditions fails, the call is statutorily a TCPA violation regardless of the consumer’s apparent interest, the recency of the form submission, or the quality of the AI’s behavior on the call.
This is the operative legal reality in 2026. The form fill alone does not authorize an outbound call. The form fill plus a consent flow meeting all of the above does.
What changed in 2026 for outbound
One-to-one consent (effective January 27, 2026). The FCC’s one-to-one consent rule eliminated bundled consent through lead aggregators. Before this rule, a lead form authorizing “the seller and its marketing partners” was enough for any partner to legally call. That practice is dead.
The practical implication for agencies buying leads: aggregator consent likely does not transfer to your agency. Calls placed under aggregator consent are statutorily violations. Agencies running form-fill callback programs need to verify the consent flow on every lead source they ingest from, including their own forms, names the agency specifically and authorizes AI voice explicitly.
AI voice classified as artificial or prerecorded voice. In February 2024, the FCC issued a declaratory ruling confirming that AI-generated voices fall under TCPA’s existing definition of “artificial or prerecorded voice.” This places AI voice calls under the strictest tier of TCPA consent (PEWC), the same standard that applies to traditional robocalls. State attorneys general were granted explicit enforcement authority in the same ruling.
The penalty structure for outbound
TCPA statutory damages apply to every non-compliant outbound call:
- $500 per call for unintentional violations
- $1,500 per call for willful or knowing violations
- No cap on aggregate damages
- Private right of action: plaintiffs can sue without regulator involvement
A 10,000-call campaign placed under invalid consent represents $5,000,000 to $15,000,000 in statutory exposure even when the case is won.
Required call disclosures for outbound
Every outbound AI call must include the following in the opening seconds:
- Entity identification — the agency name responsible for the call.
- AI disclosure — clear statement that the caller is AI.
- Recording disclosure — required as a practical baseline in all 50 states.
- Opt-out mechanism — the consumer must be able to request the calls stop and have that request honored immediately.
Calling windows for outbound
Federal TCPA prohibits outbound calls outside 8am to 9pm in the recipient’s local time, not the caller’s local time. Mobile number portability means area code is not a reliable proxy for timezone. A compliant system performs a real-time lookup of the recipient’s actual timezone before dialing.
A common failure case: a prospect fills out a form at 11pm Eastern from a California-area-code phone that is actually in California. The system fires the call at 11:01pm Eastern (8:01pm Pacific), which is compliant, but only if the system correctly identified the recipient’s actual local time.
DNC requirements for outbound
Federal DNC registry. Must be scrubbed before every outbound telemarketing call. PEWC technically overrides DNC registration, but the scrub log itself is part of TCPA defense; it demonstrates a good-faith compliance program.
Internal DNC list. Anyone who opts out, verbally on a call, by replying STOP to a text, or by emailing, must be added to a permanent suppression list. All future outbound contact across all systems must check against this list. This catches the common “different form, same person” scenario that defeats per-form consent.
State mini-TCPAs (outbound only)
Several states have outbound-specific statutes stricter than federal TCPA:
- Florida (FTSA) — broader autodialer definition, private right of action, currently the most aggressive plaintiff jurisdiction.
- Oklahoma TCPA — similar private-action structure.
- Washington — stricter consent and DNC rules.
Outbound calls into these states should be treated as the highest-risk segment of any program.
What applies to both inbound and outbound
Producer licensing
Every state has adopted some version of the NAIC Producer Licensing Model Act. The licensing trigger is universal: a license is required to sell, solicit, or negotiate insurance. This applies regardless of call direction.
An AI voice agent is not a licensed producer. It therefore cannot:
- Quote a premium, even as an estimate or range
- Compare carriers or products
- Explain coverage terms or interpret policies
- Recommend a specific policy
- Accept an application or take payment
- Urge the prospect to apply for any particular policy
What an AI agent can do, mirroring what unlicensed CSRs are permitted to do in most states:
- Confirm caller identity and the reason for contact
- Collect basic intake information
- Schedule an appointment with a licensed producer
- Provide general administrative information
- Hand off to a licensed human
The line between qualification and solicitation has some state-by-state variation, but the bright lines above are consistent across all 50 states.
NAIC Model Bulletin
In December 2023, the NAIC adopted a Model Bulletin on the Use of AI Systems by Insurers. As of early 2026, more than half of states have adopted it or substantially similar guidance, including Delaware, Hawaii, Kentucky, Maryland, Massachusetts, Nebraska, New Jersey, North Carolina, Oklahoma, Pennsylvania, Rhode Island, Vermont, and Wisconsin.
The bulletin applies to insurers, but the requirements flow down to agencies through carrier appointment agreements. This applies whether your AI is inbound or outbound. Carriers in bulletin states are increasingly asking appointed agencies for documentation covering:
- What the AI does and does not do
- Call and consent logging practices
- Bias and fairness testing
- Human oversight in the decision loop
- Vendor governance documentation
Compensation rules
PLMA Section 13 in every state prohibits paying commissions or per-policy compensation to non-licensed parties for sale, solicitation, or negotiation of insurance. AI vendors and any non-licensed staff supporting the AI must be paid flat fee or hourly, never per-policy.
Audit trail
For both inbound and outbound, a defensible operation retains the following for every call:
- Audio recording
- Full transcript with timestamps
- Recording disclosure verification
- AI disclosure verification
- Opt-out events captured during the call
- The telephony provider’s call ID for cross-referencing
Outbound calls require additional records:
- The matching consent record (timestamp, IP, exact consent text shown)
- Federal and internal DNC scrub log
- Calling-window verification (recipient’s local time at dial)
Recommended retention: minimum 4 years, ideally 7.
Self-audit checklist
Run your current setup against the section that matches your deployment. Anything you cannot check off is a gap that needs to be closed before your next live call.
If your AI calls back form-fill leads, you are operating an outbound program. Use the outbound checklist.
Inbound deployments — the call
- The AI agent identifies the agency by name in the opener
- The AI agent discloses it is AI in the opener
- The AI agent discloses the call is recorded in the opener
- The AI never quotes premiums, recommends policies, or explains coverage
- The AI offers a path to a human producer on request
Inbound deployments — audit trail
- Every call generates: recording, transcript, AI disclosure verification
- Records are retained for at least 4 years
- Any specific call’s full record can be produced on demand
Inbound deployments — vendor and governance
- AI vendors are paid flat fee or hourly, never per-policy
- Carrier appointment agreements have been reviewed for AI-related restrictions
- A one-page AI compliance posture document exists for carrier requests
Outbound — form and consent (the gate)
- The consent text on your form names your agency specifically, not “and our partners” or any other generic phrase
- The consent text explicitly mentions AI, automated, or artificial voice technology
- The consent text appears above or next to the submit button, in plain visible text, not buried in a privacy policy link
- The consent text states that consent is not a condition of purchase
- Consent capture requires an affirmative act (submit click, signed signature, unchecked checkbox the user checked), never a pre-checked box
- Every form submission stores IP address, user agent, timestamp, exact consent text shown, and a consent version identifier
- Consent records are retained for at least 4 years
- If you ingest leads from any aggregator, you have verified the aggregator’s consent flow names your agency specifically and authorizes AI voice, and you have written documentation of this from the aggregator
Outbound — pre-call checks
- Federal DNC registry is scrubbed before every outbound call
- An internal DNC list exists and is scrubbed before every outbound call
- Outbound calls are restricted to 8am to 9pm in the recipient’s local time, verified by real-time timezone lookup, not area code
Outbound — opt-out handling
- Mid-call opt-outs are detected from the transcript in real time
- The AI confirms the opt-out verbally and ends the call
- The number is added to the internal DNC list immediately
- The number is blocked across all future outbound campaigns from any system
Outbound — audit trail (additional records)
- Every call links to the consent record that authorized it
- DNC scrub results are logged per call
- Calling-window checks are logged per call
- Opt-out events are logged separately and timestamped
Outbound — state exposure
- Florida, Oklahoma, and Washington calls are flagged for enhanced compliance scrutiny
If more than three boxes go unchecked in your applicable section, the setup is not defensible under 2026 TCPA standards. The legal exposure scales linearly with call volume.
This piece is for educational purposes and is not legal advice. ClickedTools builds to the current state of TCPA, FCC, NAIC, and state law as we understand it, and we share what we know. For agencies running high lead volume or operating in high-litigation states like Florida, a TCPA-focused attorney reviewing the deployed system is good practice.