Originally published on BuildWithHermes, the operating platform for AI voice agencies.
On December 29, 2025, a Virginia consumer named William Lowrey sued OpenAI and Twilio under the TCPA for AI-generated robocalls and texts pitched by a company called Fresh Start Group. He did not just sue the agency making the calls. He sued the platform layer underneath.
That single filing rewired how every AI voice agency in the United States has to think about compliance in 2026. Platform liability is no longer a law-review hypothetical. It is a docketed case (W.D. Va., 6:2025-cv-00116) with a certified class on the table. The TCPA carries $500 to $1,500 per call with no aggregate cap, and the FCC's February 2024 Declaratory Ruling confirmed AI-generated voices fall inside the statute.
The shorter way to say it: AI voice now has the same legal surface area as a debt collector cold-calling a cell phone. Treat it that way.
(Not legal advice. This is the operator posture we run on Hermes itself.)
What actually happened in Lowrey v. OpenAI
The plaintiff alleges 30+ unsolicited texts and several voice-AI robocalls promoting estate planning. The calls originated from Fresh Start Group, which allegedly used OpenAI infrastructure to generate the voice content and Twilio to deliver it. When campaigns hit their spending cap, messages redirected to an OpenAI-controlled domain. That detail anchors the platform-liability theory.
The complaint argues OpenAI had the technical means to require, verify, and enforce consent, to scrub the federal DNC, and to throttle obvious unconsented outreach, and chose not to. The proposed class: every U.S. consumer who received an AI-generated marketing message through OpenAI's platform on a DNC-listed number or without consent. Four-year lookback. The plaintiff bar has priced theoretical exposure in the trillion-dollar range.
Will Lowrey win? Unclear. None of that matters for the operator decision today. The theory is public and the plaintiff bar is watching. The cost of being wrong on consent posture jumped an order of magnitude the day it hit the docket.
The three stacked rules for AI voice calls in 2026
- Consent. Any artificial or prerecorded voice marketing call to a U.S. number requires prior express written consent (PEWC). The FCC extended that explicitly to AI voices. Informational calls need prior express consent (oral OK), but any sales angle crosses into PEWC.
- DNC. The federal registry (245M+ numbers) must be scrubbed before each call, plus state overlays. Calls to listed numbers absent a documented business relationship are presumptively unlawful.
- Calling windows. 8 a.m. to 9 p.m. in the called party's local time. AI agents get no exception.
The February 2026 Fifth Circuit reset
Insurance Marketing Coalition v. FCC held the TCPA statute itself does not require written consent for prerecorded telemarketing. Applies only inside the Fifth Circuit (TX, LA, MS). Everywhere else, PEWC remains the operating default, and plaintiff firms will plead PEWC violations until the Supreme Court resolves the split. The safest national posture: keep capturing written, timestamped, source-tracked consent everywhere. Designing for the lowest common denominator is cheaper than defending jurisdictional shopping.
A2P 10DLC: the SMS side
Since February 1, 2025, carriers block 100% of unregistered A2P 10DLC traffic. Every AI-agent SMS must run through a registered Brand and Campaign with pre-approved templates. Carrier-side dynamic-content matching now runs in real time: if your AI-generated SMS drifts from the registered template language, it gets blocked regardless of campaign approval. Carrier fines run up to $10,000 per violation, separate from TCPA liability.
The state layer stacking on top
| State | Rule | Exposure |
|---|---|---|
| California (AB 2905) | Natural-voice disclosure before AI message plays | $500/call, private right of action |
| Florida (FTSA) | PEWC for prerecorded, restrictive windows | $500-$1,500/call, PRA |
| Washington (CEMA) | Strict opt-in, AI no exemption | $500/msg, $1,000 if intentional |
| Utah (S.B. 149) | AI disclosure at outset of verbal interaction | $2,500/violation, AG enforcement |
| Colorado (SB 26-189) | High-volume AI voice = high-risk AI | AG enforcement |
| Virginia (SB 1339) | SMS opt-outs honored 10 years | Civil penalties, PRA |
Multi-state means complying with the strictest applicable rule per call.
The 12-point compliance audit
Yes-or-no on every campaign, client, and platform. Below 10 of 12 is a live liability.
- Consent capture before dial, with timestamp, source URL, IP, and exact consent text stored
- AI disclosure in the first two seconds of every call
- Automated opt-out reachable by voice or DTMF in the first exchange
- Federal DNC scrub within 24 hours of dialing
- State DNC overlays applied (FL, TX, IN are the ones operators forget)
- Calling windows enforced per called-party time zone
- A2P 10DLC Brand and Campaign registered under the correct entity
- Opt-out propagation across channels (SMS opt-out stops voice, and vice versa)
- State AI disclosure language current (CA preroll, UT disclosure)
- Consent logs retained 4+ years, exportable in discovery format
- Recording disclosed at call start in two-party consent states
- Platform contract names which party owns each compliance obligation
What to do this week, in priority order
The first three items take under four hours combined and remove most immediate exposure:
- Audit the disclosure script on every live agent. Listen to the first ten seconds of a recorded call.
- Export the last 90 days of consent records. If your platform can't produce per-call consent with timestamp, source, and text, the discovery exposure is immediate.
- Scrub every dial list against federal DNC plus state overlays. Cents per number vs. $500-$1,500 per violation.
- Verify A2P 10DLC status on every SMS sender.
- Read your platform MSA and map the liability split. If the platform doesn't commit to consent enforcement at the protocol layer, you own that gap.
- Add per-state calling-window checks to the dialer.
- Stand up a cross-channel suppression list and test propagation end to end.
- Update consent forms: name the AI voice technology, the identified seller, channels, and withdrawal rights. Capture URL and IP.
- Brief every client with a one-page memo. Document the send.
- Calendar a quarterly re-run of this audit.
If you find an existing violation
Pause the campaign before the next dial. Preserve every log. Notify the client in writing the same day. Get a TCPA defense attorney before talking to anyone outside the agency. Plaintiff firms run templated demand letters designed to extract quick settlements before the operator gets counsel; a two-week head start on legal advice usually changes the settlement math by an order of magnitude.
Where this leaves you
Lowrey does not have to win to change the cost of non-compliance. It already changed it. The floor is no longer "we wrote a TCPA paragraph on the consent form." It is timestamped consent records, enforced disclosure scripts, federal and state DNC scrub, cross-channel opt-out propagation, A2P 10DLC under the correct entity, per-state calling windows, and a contract that names which party owns each piece.
The full version, with the named cases, the FCC docket links, the platform compliance comparison grid, and the state-law matrix, is on the BuildWithHermes blog.
Top comments (0)