breaking · compliance risk
America's Top TCPA Lawyer Just Said AI Voice Agencies Are Next. Here's What to Do This Week.
By Alfredo Romero, CEO Hermes · June 2, 2026 · 7 min read
On May 27, 2026, Eric Troutman, the most prominent TCPA defense attorney in the United States and founder of TCPAWorld, published a post titled "AI VOICE: The Future of TCPA Risk Is Here." The short version: AI voice adoption is outpacing compliance, "piles of lawsuits" are coming, and the plaintiff's bar is already in position. His words: the attorneys are "sitting there like gargoyles, waiting."
Troutman also named the category of defendant he expects to get hit: "most are trash startups sitting atop Chat or Claude." That is not a dig at Anthropic. It is a description of the vendor tier where agencies are most exposed -- API wrappers, no-code voice tools, and raw Retell or VAPI deployments with no compliance layer underneath. Agencies running those stacks with no consent capture, no DNC scrub, and no A2P registration are the named target.
This is not hypothetical. The FCC ruled in February 2024 that AI-generated voices fall inside the TCPA, with the same $500 to $1,500 per-call penalty structure and no aggregate cap. Lowrey v. Twilio/OpenAI, filed December 2025, is already testing platform-liability theory in federal court. Case filings are rising. The plaintiff bar runs templated discovery scripts against voice AI defendants and those scripts are getting faster. Troutman's post is not a prediction. It is a reading of the docket.
Why this matters for AI voice agencies specifically
An AI voice agency sits in a specific position in the TCPA exposure chain. You are not the foundation model. You are not the telephony carrier. You are the deployer. Under the Henson Legal platform-liability framework that Troutman and other TCPA attorneys are citing, deployers share exposure when they use a platform that had the technical means to enforce consent and did not require it.
The practical problem for agencies is that most of the popular stacks, bare Retell plus GHL plus Zapier, bare VAPI plus a custom dashboard, or a wrapper like Voicerr, do not include the compliance layer. Consent capture, DNC scrub, A2P 10DLC registration, AI disclosure at call open, and per-state calling-window enforcement have to be built on top. Most agencies did not build them. They figured the voice AI vendor handled it. The voice AI vendor did not.
What Troutman is saying is that this gap is now exploitable at scale. The plaintiff bar is not waiting for a perfect test case. They are waiting for the first wave of call logs to surface in discovery, at which point the consent gap becomes a per-call penalty across every call in the class period. On a 10,000-call campaign without PEWC, the theoretical exposure runs $5M to $15M before class certification.
"Adoption will massively outpace clarity. It always does. And that means risk will outrun compliance. It always does. So exposure will follow. And the vultures of the Plaintiff's bar will have their next great feast."Eric Troutman, TCPAWorld, May 27, 2026 (source)
The compliance gaps that create the most exposure
Three gaps account for most of the TCPA risk that agencies are carrying right now.
First, no prior express written consent before outbound marketing calls. The FCC confirmed in February 2024 that AI-generated voice calls to US cell phones for marketing purposes require PEWC before the first dial, full stop. "We got a lead form" is not PEWC unless the form specifically names the seller, names the communication channel, and captures a clear affirmative action with the exact consent text stored alongside a timestamp, source URL, and IP. Most agency lead forms do not meet that bar.
Second, no A2P 10DLC registration on the SMS side of the agent. As of February 2025, unregistered 10-digit long-code SMS traffic is blocked 100 percent by US wireless carriers, not throttled -- blocked. Carrier fines for violations run up to $10,000 per incident, separate from any TCPA liability. Agencies using AI agents that send appointment confirmations, follow-up texts, or any outbound SMS from an unregistered Brand and Campaign are already in violation. The Hermes A2P compliance submission is $30 per submission, pass-through, no markup. There is no reason to skip it.
Third, no AI disclosure in the first two seconds of every call. California AB 2905 creates a $500 per-call private right of action when the disclosure is missing. Utah SB 149 requires clear disclosure at the outset of any verbal AI interaction in regulated industries. Colorado SB 26-189, which passed both chambers May 7 to 9, 2026, classifies high-volume AI voice systems as high-risk AI with documentation and impact-assessment obligations. These are not future risks. They are current statutes with current enforcement paths.
What we're doing at Hermes about it
Hermes was built with the compliance layer inside the platform, not as an add-on. The decision was deliberate. We are not an API infrastructure provider that hands you the engine and leaves compliance to you. We are an agency operating platform, and compliance is part of operations.
Across every plan, from the $149 Starter through the $699 Agency tier, Hermes ships consent capture with timestamped logs, federal and state DNC scrub, AI disclosure prompts configured per state, two-second opt-out path enforcement as a platform default, A2P 10DLC registration support at $30 per submission, per-state calling-window enforcement, and cross-channel opt-out propagation across voice and SMS.
The consent log exports the evidence package that plaintiff discovery scripts request first: timestamp, source URL, IP, and exact consent text on every outbound contact. Agencies on Hermes do not have to build or maintain that infrastructure. It is part of the operating layer.
Troutman's post also makes a structural point worth noting. He says AI voice vendors are "trash startups sitting atop Chat or Claude." Hermes controls its own voice infrastructure. We are not a wrapper sitting on top of Retell or VAPI, inheriting their pricing risk and their compliance posture gaps. When a wrapper's upstream provider changes the rules, the wrapper has no recourse. We do. That is a different risk profile for every agency on the platform.
By builders, for builders. Compliance is not a feature we are adding. It is the operating posture we run on our own stack.
Action steps for agencies affected this week
- Audit the first ten seconds of every live agent today. Pull a recorded call from each active campaign. Confirm the AI disclosure is present before the first sales exchange, the opt-out path is offered within two seconds, and recording is announced in California, Florida, Illinois, Massachusetts, Pennsylvania, and Washington. Fix any agent that fails before the next scheduled campaign run.
- Export your consent records and check for the PEWC elements. Pull a consent log from your current platform. Confirm it includes, per contact, the timestamp of consent, the source URL where consent was captured, the IP address, and the exact consent language as displayed. If your platform cannot produce this export, the discovery exposure is immediate. The plaintiff bar's templated demand letters target this gap first.
- Check every SMS sending number against A2P 10DLC registration. Log into your carrier portal and verify Brand status and Campaign status for every 10DLC number in active use. Anything in "pending" or "rejected" status means your SMS traffic is either blocked or running outside registered parameters. Fix it before the next send. The $30 Hermes A2P submission covers this at the platform layer.
- Scrub your next dial list against the federal DNC and your state overlays. The federal DNC sits north of 245 million numbers. Most states maintain their own overlays. Florida, Texas, and Indiana are the ones operators forget most often. A DNC scrub costs pennies per number. A DNC violation costs $500 to $1,500 per call. The math is not close.
- Brief your clients in writing this week. One-page memo. What the Troutman warning means. What your agency is doing in response. What you need from each client: forward any consumer complaints within 24 hours, confirm their lead source captures PEWC, and notify you of any state-specific calling restrictions for their market. Send it, document the send date, and keep a copy. A client who was briefed and did not disclose a compliance problem shifts significant liability back to them in a later dispute.
The wrapper tax on compliance
One detail in Troutman's framing deserves its own paragraph. He is not warning about Retell or VAPI specifically. He is warning about the vendor tier that sits on top of them: wrappers, no-code builders, and agencies using bare API access to power client campaigns. The exposure flows down the stack to wherever the deployer sits.
Voicerr is the recent data point on wrapper risk, raising prices 7 to 10 times overnight in early 2026 because their upstream costs changed and they had no pricing floor. The TCPA version of that same dynamic is that a wrapper inherits the compliance posture of its upstream provider. If the upstream provider has no consent capture, no DNC scrub, and no AI disclosure enforcement, the wrapper deploys on top of that gap. The agency running the campaign inherits the exposure.
This is the structural argument for using a platform that controls its own compliance infrastructure rather than inheriting it from an API it cannot modify. Hermes controls the compliance layer. What the platform enforces is what the agency gets. No upstream surprises.
Frequently asked questions
Who is Eric Troutman and why does his warning matter?
Eric 'The Czar' Troutman runs TCPAWorld, the most widely read TCPA defense publication in the United States. He is a plaintiff-turned-defense attorney who has handled hundreds of TCPA class actions and writes the guidance that the plaintiff bar reads to understand what defenses will work and which companies are exposed. When Troutman publicly identifies a category of defendants as targets, plaintiff firms take note. His May 27, 2026 post titled 'AI VOICE: The Future of TCPA Risk Is Here' is the clearest public signal to date that AI voice agencies are on the plaintiff bar's radar. It is not speculation. It is a practicing attorney reading the docket landscape and calling the shot.
What specific TCPA risks do AI voice agencies face right now?
Three main buckets. First, outbound calls without prior express written consent. Any AI voice call to a US cell phone for marketing purposes requires PEWC, per the FCC's February 2024 declaratory ruling that extended the TCPA to AI-generated voices. Penalties run $500 to $1,500 per call with no aggregate cap. Second, the A2P 10DLC registration gap. As of February 2025, unregistered SMS traffic is blocked 100 percent by US carriers, and carrier fines for violations run up to $10,000 separately from TCPA liability. Third, state law stacking. California AB 2905 ($500 per call, private right of action for missing AI disclosure), Utah SB 149 (disclosure at outset of verbal AI interaction), Colorado SB 26-189 (passed May 7-9, 2026, classifies high-volume AI voice as high-risk AI), and Florida FTSA all add per-call exposure on top of the federal floor. Agencies running multi-state campaigns without per-state compliance logic are exposed on every call in every non-compliant state.
Does Hermes handle TCPA compliance so agencies don't have to build it themselves?
Hermes builds the compliance layer into the platform across all tiers, from the $149 Starter through the $699 Agency plan. That includes consent capture with timestamped logs, federal and state DNC scrub, AI disclosure prompts at call open, two-second opt-out path enforcement, A2P 10DLC registration support at $30 per submission (pass-through, no markup), per-state calling-window enforcement, and cross-channel opt-out propagation across voice and SMS. The platform logs consent provenance with timestamp, source URL, and IP on every outbound contact. That is the evidence package the plaintiff bar's discovery scripts request first. Agencies on Hermes do not need to build or maintain this infrastructure themselves. It is part of the operating platform. By builders, for builders.
The bottom line
Troutman has been right about TCPA trend lines for two decades. When he says the plaintiff bar is positioned for AI voice, that is not a risk to monitor over the next twelve months. It is a posture problem to fix this week.
The agencies that will be fine are the ones who already have timestamped consent logs, enforced disclosure scripts, DNC scrub running before every campaign, A2P 10DLC registrations current, and a compliance contract with their platform that names who owns each piece of the chain. Those agencies can respond to a plaintiff demand letter with evidence in 24 hours. The agencies without those primitives pay the settlement to make the letter go away.
One platform. Your brand. Your margins. From $149 per month. The compliance layer is included because it was never optional.
Sources: Eric Troutman, TCPAWorld: "AI VOICE: The Future of TCPA Risk Is Here" (May 27, 2026) · FCC February 2024 Declaratory Ruling, TCPA applies to AI-generated voices · Henson Legal: Platform liability in AI voice TCPA cases · Apten 2026: A2P 10DLC 100% block rule, carrier enforcement · Voicerr vs full platforms: wrapper risk documentation (Trillet, 2026)
next step
Compliance built in. Not bolted on.
Hermes ships consent capture, DNC scrub, AI disclosure, two-second opt-out, A2P 10DLC support, and per-state calling-window enforcement at every tier from $149/month. Your clients never see the word Hermes. Your compliance posture is no longer a DIY project.
Alfredo Romero is CEO of Hermes, the operating platform for AI voice agencies. This post is operator commentary, not legal advice. Connect on LinkedIn.
written by
Alfredo Romero
CEO and Co-Founder, Hermes
Alfredo runs sales, operations, and strategy at Hermes. Before founding Hermes he ran agencies for nine years and spent the last three building the AI voice operations side. He writes the operator playbook from real builds, not theory.