Originally published on the BuildWithHermes blog.
On May 27, 2026, Eric Troutman, the most prominent TCPA defense attorney in the United States and founder of TCPAWorld, published a post titled "AI VOICE: The Future of TCPA Risk Is Here." The short version: AI voice adoption is outpacing compliance, "piles of lawsuits" are coming, and the plaintiff's bar is already in position. His words: the attorneys are "sitting there like gargoyles, waiting."
Troutman also named the category of defendant he expects to get hit: "most are trash startups sitting atop Chat or Claude." That is not a dig at Anthropic. It is a description of the vendor tier where agencies are most exposed: API wrappers, no-code voice tools, and raw Retell or VAPI deployments with no compliance layer underneath. Agencies running those stacks with no consent capture, no DNC scrub, and no A2P registration are the named target.
This is not hypothetical. The FCC ruled in February 2024 that AI-generated voices fall inside the TCPA, with the same $500 to $1,500 per-call penalty structure and no aggregate cap. Lowrey v. Twilio/OpenAI, filed December 2025, is already testing platform-liability theory in federal court. Case filings are rising. The plaintiff bar runs templated discovery scripts against voice AI defendants and those scripts are getting faster. Troutman's post is not a prediction. It is a reading of the docket.
Why this matters for AI voice agencies specifically
An AI voice agency sits in a specific position in the TCPA exposure chain. You are not the foundation model. You are not the telephony carrier. You are the deployer. Under the platform-liability framework that Troutman and other TCPA attorneys are citing, deployers share exposure when they use a platform that had the technical means to enforce consent and did not require it.
The practical problem for agencies is that most of the popular stacks, bare Retell plus GHL plus Zapier, bare VAPI plus a custom dashboard, or a wrapper like Voicerr, do not include the compliance layer. Consent capture, DNC scrub, A2P 10DLC registration, AI disclosure at call open, and per-state calling-window enforcement have to be built on top. Most agencies did not build them. They figured the voice AI vendor handled it. The voice AI vendor did not.
What Troutman is saying is that this gap is now exploitable at scale. The plaintiff bar is not waiting for a perfect test case. They are waiting for the first wave of call logs to surface in discovery, at which point the consent gap becomes a per-call penalty across every call in the class period. On a 10,000-call campaign without PEWC, the theoretical exposure runs $5M to $15M before class certification.
"Adoption will massively outpace clarity. It always does. And that means risk will outrun compliance. It always does. So exposure will follow. And the vultures of the Plaintiff's bar will have their next great feast."
โ Eric Troutman, TCPAWorld, May 27, 2026
The compliance gaps that create the most exposure
Three gaps account for most of the TCPA risk that agencies are carrying right now.
First, no prior express written consent before outbound marketing calls. The FCC confirmed in February 2024 that AI-generated voice calls to US cell phones for marketing purposes require PEWC before the first dial, full stop. "We got a lead form" is not PEWC unless the form specifically names the seller, names the communication channel, and captures a clear affirmative action with the exact consent text stored alongside a timestamp, source URL, and IP. Most agency lead forms do not meet that bar.
Second, no A2P 10DLC registration on the SMS side of the agent. As of February 2025, unregistered 10-digit long-code SMS traffic is blocked 100 percent by US wireless carriers, not throttled. Blocked. Carrier fines for violations run up to $10,000 per incident, separate from any TCPA liability. Agencies using AI agents that send appointment confirmations, follow-up texts, or any outbound SMS from an unregistered Brand and Campaign are already in violation.
Third, no AI disclosure in the first two seconds of every call. California AB 2905 creates a $500 per-call private right of action when the disclosure is missing. Utah SB 149 requires clear disclosure at the outset of any verbal AI interaction in regulated industries. Colorado SB 26-189, which passed both chambers May 7 to 9, 2026, classifies high-volume AI voice systems as high-risk AI with documentation and impact-assessment obligations. These are not future risks. They are current statutes with current enforcement paths.
Action steps for agencies this week
Audit the first ten seconds of every live agent today. Pull a recorded call from each active campaign. Confirm the AI disclosure is present before the first sales exchange, the opt-out path is offered within two seconds, and recording is announced in two-party consent states (California, Florida, Illinois, Massachusetts, Pennsylvania, Washington). Fix any agent that fails before the next scheduled campaign run.
Export your consent records and check for the PEWC elements. Per contact: timestamp of consent, source URL where consent was captured, IP address, and the exact consent language as displayed. If your platform cannot produce this export, the discovery exposure is immediate. The plaintiff bar's templated demand letters target this gap first.
Check every SMS sending number against A2P 10DLC registration. Verify Brand status and Campaign status for every 10DLC number in active use. Anything in "pending" or "rejected" status means your SMS traffic is either blocked or running outside registered parameters.
Scrub your next dial list against the federal DNC and your state overlays. The federal DNC sits north of 245 million numbers. Most states maintain their own overlays. Florida, Texas, and Indiana are the ones operators forget most often. A DNC scrub costs pennies per number. A DNC violation costs $500 to $1,500 per call. The math is not close.
Brief your clients in writing this week. One-page memo. What the Troutman warning means. What your agency is doing in response. What you need from each client: forward any consumer complaints within 24 hours, confirm their lead source captures PEWC, and notify you of any state-specific calling restrictions for their market. Send it, document the send date, and keep a copy.
The wrapper tax on compliance
One detail in Troutman's framing deserves its own paragraph. He is not warning about Retell or VAPI specifically. He is warning about the vendor tier that sits on top of them: wrappers, no-code builders, and agencies using bare API access to power client campaigns. The exposure flows down the stack to wherever the deployer sits.
Voicerr is the recent data point on wrapper risk, raising prices 7 to 10 times overnight in early 2026 because their upstream costs changed and they had no pricing floor. The TCPA version of that same dynamic is that a wrapper inherits the compliance posture of its upstream provider. If the upstream provider has no consent capture, no DNC scrub, and no AI disclosure enforcement, the wrapper deploys on top of that gap. The agency running the campaign inherits the exposure.
This is the structural argument for using a platform that controls its own compliance infrastructure rather than inheriting it from an API it cannot modify.
Where Hermes fits
Hermes builds the compliance layer into the platform across every plan, from the $149 Starter through the $699 Agency tier: consent capture with timestamped logs, federal and state DNC scrub, AI disclosure prompts configured per state, two-second opt-out path enforcement as a platform default, A2P 10DLC registration support at $30 per submission (pass-through, no markup), per-state calling-window enforcement, and cross-channel opt-out propagation across voice and SMS.
The consent log exports the evidence package that plaintiff discovery scripts request first: timestamp, source URL, IP, and exact consent text on every outbound contact.
The bottom line
Troutman has been right about TCPA trend lines for two decades. When he says the plaintiff bar is positioned for AI voice, that is not a risk to monitor over the next twelve months. It is a posture problem to fix this week.
The agencies that will be fine are the ones who already have timestamped consent logs, enforced disclosure scripts, DNC scrub running before every campaign, A2P 10DLC registrations current, and a compliance contract with their platform that names who owns each piece of the chain. Those agencies can respond to a plaintiff demand letter with evidence in 24 hours. The agencies without those primitives pay the settlement to make the letter go away.
Full breakdown, state statute table, and the compliance checklist live on buildwithhermes.com.
Sources: Eric Troutman, TCPAWorld (May 27, 2026) ยท FCC Feb 2024 Declaratory Ruling
Top comments (0)