TCPA After Lowrey v. OpenAI: What AI Voice Agencies Must Change Right Now (May 2026)

On December 29, 2025, a Virginia consumer named William Lowrey sued OpenAI and Twilio under the Telephone Consumer Protection Act for AI-generated robocalls and texts pitched by a company called Fresh Start Group. He did not just sue the agency making the calls. He sued the platform layer underneath. That single filing rewired how every AI voice agency in the United States has to think about compliance in 2026. Platform liability is no longer a law-review hypothetical. It is a docketed case with a certified class on the table. The TCPA already carries $500 to $1,500 per call with no aggregate cap, per the FCC's February 2024 Declaratory Ruling that confirmed AI-generated voices fall inside the statute. The FCC's pending AI-disclosure NPRM, the Fifth Circuit's February 2026 reset of the written-consent rule, the A2P 10DLC carrier block on unregistered traffic, and a stack of new state laws all landed on the same calendar quarter. If you run an AI voice agency, the compliance posture you were running in late 2025 is not the posture the regulators, the carriers, and the plaintiff bar are pricing in today. This post is the 12-point audit, the named cases, the penalty math, and the agency owner's action list for the week of May 19, 2026.

The shorter way to say it. AI voice now has the same legal surface area as a debt collector cold-calling a cell phone. Treat it that way. Consent before dial. Disclosure in the first two seconds. Opt-out honored across channels. DNC scrubbed. Sender registered. Logs ready for discovery. Anything less is a bet against a plaintiff firm with a templated script and a hungry contingency lawyer.

By builders, for builders. I am not a lawyer and this is not legal advice. I run an AI voice infrastructure platform and this is the operator posture we run on Hermes itself, vetted against the public guidance from Henson Legal's 2026 AI voice compliance guide, the FCC's own rulings, and the post-Lowrey commentary across the TCPA bar.

What actually happened in Lowrey v. OpenAI?

Filed December 29, 2025, in the U.S. District Court for the Western District of Virginia, case caption Lowrey v. Twilio, Inc. et al., docket number 6:2025-cv-00116. The plaintiff alleges he received more than 30 unsolicited texts and several voice-AI robocalls promoting estate planning services. The calls and texts originated from a company called Fresh Start Group, which the complaint says used OpenAI infrastructure to generate the AI voice content and Twilio infrastructure to deliver the messages. When the campaigns hit their spending cap, the plaintiff received messages stating that the campaign had run out of credits or hit their maximum monthly spend, with a link redirecting to an OpenAI-controlled domain. That detail anchors the platform-liability theory.

The complaint, summarized by the National Law Review's December 2025 analysis, does not argue OpenAI personally picked up a phone. It argues OpenAI had the technical means to require, verify, and enforce consent, the technical means to scrub the federal DNC, and the technical means to throttle obvious unconsented outreach, and that OpenAI chose not to. Twilio gets a similar theory on the messaging layer. The proposed class is every U.S. consumer who received an AI-generated marketing message through OpenAI's platform on a number that was DNC-listed or without OpenAI holding consent. At $500 per call statutory minimum and a four-year lookback, the named plaintiff's bar has publicly priced the theoretical exposure in the trillion-dollar range.

"The Lowrey complaint is an attempt to reach over the proximate caller and pull the foundation model and the telecom infrastructure into the same TCPA case. If certified, it changes how every voice AI vendor prices consent enforcement into the contract." [John Henson, Henson Legal, December 2025]

Will Lowrey win? Unclear. Class certification fights are brutal, OpenAI has the budget to drag this for years, and the causation chain between a foundation model and a specific dial is not trivial to prove. None of that matters for the operator decision today. The case is filed, the theory is public, and the plaintiff bar is watching. The cost of being wrong on the consent posture jumped one order of magnitude the day Lowrey hit the docket.

What does the TCPA actually require for AI voice calls in 2026?

Three rules, stacked. First, the consent rule. Any artificial or prerecorded voice call to a U.S. residential or wireless number for marketing purposes requires prior express written consent (PEWC). The FCC's 2024 Declaratory Ruling extended that rule to AI-generated voices explicitly. Informational and transactional calls require prior express consent (PEC), which can be oral and is easier to capture, but the moment the call has a sales angle it crosses into PEWC territory. Penalties run $500 to $1,500 per call with no cap, per the statutory damages framework cited in the FCC's own ruling.

Second, the DNC rule. The federal Do Not Call registry, currently sitting north of 245 million numbers, must be scrubbed before each call. Most states maintain their own DNC overlays. AI voice calls to numbers on either list, absent an existing business relationship that the agency can document, are presumptively unlawful regardless of consent posture.

Third, the calling-window rule. Outbound marketing calls are limited to 8 a.m. to 9 p.m. in the called party's local time zone. AI agents do not get an exception. Multi-state campaigns must enforce per-recipient calling windows or accept the per-call risk on every violation. The Retell 2026 TCPA outbound playbook breaks the calling-window math down per state and is a useful operator reference for the dial-list cleanup work.

How did the Fifth Circuit's February 2026 ruling change the picture?

The Fifth Circuit ruling in Insurance Marketing Coalition v. FCC (February 2026) held that the TCPA statute itself does not require written consent for prerecorded or artificial-voice telemarketing calls. The court concluded that 'prior express consent' encompasses both oral and written consent. The ruling applies only inside the Fifth Circuit, which covers Texas, Louisiana, and Mississippi.

Practical effect for AI voice operators. Inside the Fifth Circuit, oral consent captured at the start of an inbound call can support a subsequent outbound marketing call. The evidentiary burden on the agency does not disappear. You still have to prove the consent was given, by whom, when, and on what call. Outside the Fifth Circuit, the FCC's PEWC framework remains the operating default and every plaintiff firm will plead PEWC violations until the Supreme Court resolves the circuit split. Until then, the safest national posture is to keep capturing written, timestamped, source-tracked consent on every marketing program regardless of geography. Designing for the lowest common denominator is cheaper than designing for jurisdictional shopping.

What is the one-to-one consent rule and is it still in force?

The FCC's one-to-one consent rule, finalized in 2023, held that consent to receive a marketing call or text must apply to a single, specifically identified seller, not to a long list of partners hidden behind a 'we and our partners' checkbox. The compliance date most lead-gen and agency operators had on their calendar was January 27, 2026. The Eleventh Circuit vacated portions of the underlying rule in early 2024. The Fifth Circuit's 2026 decision narrowed it further inside its own jurisdiction.

The net effect today is messy. Most agencies are continuing to operate under one-to-one as a best practice, even as the federal rule is contested, because the alternative is defending an FTSA, CEMA, or state UDAP claim under a shared-list theory. The Consumer Attorneys February 2026 consent breakdown walks the operator implications across the major circuit splits and is the cleanest plain-English summary published this quarter.

What about A2P 10DLC for the SMS side of the agent?

As of February 1, 2025, the major U.S. wireless carriers moved from throttling unregistered application-to-person (A2P) 10DLC traffic to blocking 100% of it. Unregistered traffic does not arrive. AI agents that send SMS follow-ups, appointment confirmations, or any text from a 10-digit long-code must run through a registered Brand and a registered Campaign, with sample message templates approved in advance. The Apten 2026 A2P 10DLC compliance update documents the blocking change and the dynamic-content matching rules that now run carrier-side in real time. If your AI-generated SMS deviates from the registered template language, the carrier filter blocks it regardless of campaign approval status.

The other shoe. Carrier fines for non-compliance run up to $10,000 per violation, separate from any TCPA liability. Multiple carriers also reserve the right to suspend or permanently ban the Brand from the network, which on a tier-1 carrier kills SMS delivery for every agency client on that registration. The agencies that survived the 2025 cutover registered every sub-account brand under the correct EIN, scrubbed every template before submission, and instrumented per-campaign opt-out monitoring before the first message went out.

Which state laws stack on top of TCPA right now?

The federal TCPA is the floor, not the ceiling. The state layer is what catches operators who optimize for federal compliance only.

Operating multi-state means complying with the strictest applicable rule per call, not picking the friendliest one and hoping. The Henson Legal 2026 state-by-state matrix is the most current operator reference I have found, and the firm updates it as new state bills move. Bookmark it.

The 12-point AI voice agency compliance audit

Run this on every campaign, every client, every platform you touch. Each item is a yes-or-no question, not a maybe. A clean audit scores 12 of 12. Below 10 is a live liability.

1. Consent capture before dial. Every outbound marketing call has a documented prior express written consent record, with timestamp, source URL, IP, and exact consent text stored in the calling platform. Yes or no.
2. AI disclosure in first two seconds. Every AI call opens with a clear, plain-English statement that the caller is an AI agent. Phrasing must not bury the disclosure inside a longer greeting.
3. Automated opt-out within two seconds. The opt-out path is reachable by voice command or DTMF in the first scripted exchange, not buried at the end. Test it weekly.
4. Federal DNC scrub. Every dial list is scrubbed against the federal Do Not Call registry within 24 hours of the call. Subscription active and current.
5. State DNC overlays. Every state in which you operate has its DNC overlay applied. Florida, Texas, and Indiana are the obvious ones operators forget.
6. Calling-window enforcement. The dialer enforces 8 a.m. to 9 p.m. in the called party's local time zone, with state-specific carve-outs honored.
7. A2P 10DLC Brand and Campaign registered. Every SMS sending number runs through a registered Brand and a registered Campaign under the correct legal entity.
8. Opt-out propagation across channels. An SMS opt-out also stops the voice agent and vice versa. A cross-channel suppression list is wired and tested.
9. State AI disclosure compliance. California AB 2905 natural-voice preroll, Utah generative AI disclosure, and any other applicable state-specific disclosure language is present and current.
10. Consent log retention and discovery readiness. Consent records are stored for at least four years and exportable in the format the plaintiff bar will subpoena.
11. Recorded-call notice and two-party consent states. The agent discloses recording at the start of every call in two-party consent states like California, Florida, Illinois, Massachusetts, Pennsylvania, and Washington.
12. Platform contract language. Your contract with the underlying voice AI platform names the compliance posture each party owns. If the platform does not commit to consent enforcement, DNC scrub, or disclosure at the protocol layer, the deployer-side liability for those gaps now sits on your agency.

"The framework allocates fault between developers and deployers based on relative responsibility under a several liability model, with deployers sharing exposure if they use technology as intended and contracted for. If you are deploying someone else's AI, you cannot assume the platform has solved compliance for you." [Henson Legal, 2026 Voice AI TCPA Compliance Guide]

What concrete steps should an agency owner take this week?

In priority order. The first three items take less than four hours combined and remove most of the immediate exposure.

1. Audit the disclosure script on every live agent. Listen to the first ten seconds of a recorded call. Confirm the AI disclosure is present, the opt-out path is offered, and recording is announced in two-party states. Fix the script today on any agent that fails.
2. Export the last 90 days of consent records. If the platform cannot produce a per-call consent record with timestamp, source, and exact text, the discovery exposure on a plaintiff letter is immediate. Pull the export, store it somewhere you control, and confirm completeness.
3. Scrub every dial list against the federal DNC and the state overlays you operate in. Most platforms charge a few cents per number scrubbed. The penalty for a single DNC violation is $500 to $1,500. The ROI on the scrub is unambiguous.
4. Verify A2P 10DLC registration on every SMS sender. Check the Brand status and Campaign status in the carrier portal. If anything is in 'pending' or 'rejected', fix it before the next send. Unregistered traffic gets 100% blocked.
5. Map the platform-liability split in your contract. Read the master services agreement with your voice AI platform. If the platform does not commit to consent enforcement, DNC scrub support, or AI disclosure at the protocol layer, you own that obligation. Write the agency policy that closes the gap.
6. Add a per-state calling-window check to the dialer. If your platform cannot enforce 8-to-9 local-time windows per state, the manual workaround is segmenting the dial list by area code and scheduling per time zone. Tedious, but cheaper than the per-call penalty.
7. Stand up a cross-channel suppression list. One opt-out stops voice and SMS for that contact across every campaign and every client workspace. Test the propagation end to end. Document who owns the test.
8. Update the consent capture form on every lead source. Add explicit language naming AI voice technology, the identified seller (one-to-one), the channels the consumer consents to, and the right to withdraw. Capture the page URL and IP at submission.
9. Brief every client. One-page memo. What changed. What your agency is doing. What the client is asked to do (usually: forward all consumer complaints to you within 24 hours). Send it this week. Document send.
10. Schedule the quarterly review. TCPA, A2P, and state AI rules move every quarter. Put a calendar reminder on the first Monday of each quarter to rerun this audit, refresh the scripts, and resubmit any A2P templates that drift from approved language.

How does your current platform compare on compliance?

Most agency owners do not realize how much of the compliance posture sits at the platform layer until they try to switch. The audit becomes a procurement question. The grid below is the operator's checklist.

For the agency owner picking a platform in May 2026, the compliance grid is now table stakes. The pricing comparison and full platform feature breakdown lives at the Hermes vs the Vapi + GHL stack page. The white-label posture, which interlocks with consent-record ownership, lives at the 14-point white-label audit. The economic case for moving off a wrapper stack onto a native agency platform is in the five-invoice cost-transparency post.

What if you discover an existing violation?

Stop the bleed first. Pause the campaign before the next dial. Preserve every log. Notify the client in writing the same day, naming the rule, the affected number range, and the corrective action. Bring a TCPA defense attorney in before you talk to anyone outside the agency. Plaintiff firms run templated demand letters that are designed to extract a quick settlement before the operator gets counsel. A two-week head start on legal advice usually changes the settlement math by an order of magnitude. The Hermes TCPA compliance reference page lists the framework we use internally and links to the outside counsel resources we recommend to operators on the platform.

What is the regulatory direction for the rest of 2026?

Three trajectories are worth tracking. The first is the FCC's July 2024 NPRM on AI-generated call disclosure, which proposes a specific AI-identification requirement separate from the underlying consent rule. The pending rule has not been finalized under the current FCC. If finalized, expect a first-two-seconds AI disclosure obligation, codified in regulation rather than relying on the 2024 declaratory ruling alone.

The second is the state AI law wave. Colorado SB 26-189 passed both chambers May 7 to May 9, 2026, and replaces the earlier Colorado AI Act with a high-risk AI framework that brings high-volume AI voice systems inside the documentation, impact-assessment, and bias-testing obligations. California, Texas, New York, Illinois, and Washington all have 2026 bills in motion that touch AI disclosure, voice cloning, or consumer-side opt-out rights. The Softcery 2026 founders' guide to US voice AI regulations tracks the bill calendar and is the cleanest source I have found for state-law watchlists.

The third is the plaintiff-bar templating. Once a class certifies or a major settlement lands in a Lowrey-style case, the demand-letter playbook propagates across the TCPA bar within weeks. Agencies that have the consent log already exportable, the disclosure script already running, and the per-state calling-window enforcement already wired do not lose money on the demand letter. Agencies without those primitives pay the settlement to make the letter go away.

Frequently asked questions

Where this leaves you

Lowrey v. OpenAI does not have to win to change the cost of non-compliance. It already changed it. Every voice AI platform vendor's legal team is repricing the consent posture into the next master services agreement. Every agency operator's contract risk just moved up the stack. The floor for compliance is no longer 'we wrote a TCPA paragraph on the consent form.' It is timestamped consent records, enforced disclosure scripts, federal and state DNC scrub, cross-channel opt-out propagation, A2P 10DLC registration under the correct entity, per-state calling windows, and a contract that names which party owns each piece of the compliance chain.

By builders, for builders. The audit above is the one we run on Hermes itself before every release. If you find a compliance gap in the platform, the bounty is on the record. Email me. If you want to compare your current platform's compliance posture to the one we run, the beta door is open and the migration team will walk the audit with you in the first onboarding session.