TCPA in 2025: Revocation Rules, AI Voice, and the State Mini-TCPA Landscape

The FCC's revocation window just compressed from 30 days to 10 business days. AI voice calls now officially count as artificial voice for consent purposes. And at least two federal courts are questioning whether texts are even covered by TCPA at all.

If your consent language was drafted in 2022, it's likely no longer sufficient for the regulatory environment of 2025.

The New Revocation Framework

The revocation rules are new. They went into effect partially in April, and another portion of the rule has been punted to next April. Two main things matter operationally.

1. The processing window. That timeframe has shifted from a 30-day window to a 10 business day window when a consumer requests you stop calling them. This has caused a lot of organizations to make sure they've updated their systems.

2. What is a revocation? The FCC has said any reasonable request by a consumer to revoke their consent must be honored within that 10 business day window. And it's up to the caller to prove that the revocation was not reasonable.

The FCC gave a list of 7 words in the rule: if a consumer texts back stop, or end, or quit, or unsubscribe, those are per se reasonable and have to be honored immediately.

But the rule extends beyond keywords. What happens when a consumer texts back and says "don't call me anymore"? Is that a reasonable request? 

Probably. How are you going to process that non-standard request? 

This is the biggest operational takeaway: your systems need to handle non-standard revocation language, and you need to handle those requests across channels. If someone calls in and says "you guys text me too much," how do you make sure that gets orchestrated across channels?

AI Voice Is Now Regulated

The FCC came out last year and said that as we think about the use of AI voice for outbound calls, AI voice is an artificial voice. It's right there in the name: artificial intelligence, artificial voice. Those AI voice calls have to follow the rules for artificial voice calls.

This matters because pre-recorded and artificial voice calls require prior express written consent for marketing purposes. If you're using AI voice bots for outbound marketing calls, you need the same consent you would need for pre-recorded messages.

The consent language matters. If your consent says "you give us your consent to text you at the number above," that's great for texting. But what if six months from now you want to go back to your list and use your new artificial voice to reach out to these consumers? You don't have consent to do that. You've bucketed that consent under just text messages, and it doesn't necessarily open the door to other channels you may want to use later.

That's the kind of thing to think through: where do you want to go with the relationship with the consumer? How do you get the right consent to make sure you're leaving some options open?

State Mini-TCPAs Continue Proliferating

Nature abhors a vacuum, and there's nothing like the federal government taking a step back for the states to step up. The Supreme Court's 2021 auto-dialer decision reduced one category of TCPA exposure. State legislatures responded by creating state-level telephone consumer protection laws with their own wrinkles and variations.

Lots of states now have what are called mini-TCPAs. Each state law has specific requirements that may exceed federal TCPA. The compliance burden compounds when you're calling across multiple states.

The private right of action is the critical element. TCPA provides $500 to $1,500 per call. State laws often provide additional penalties on top of that. If you're calling 100 people a day, that's $500 times 100. That gets really big, really quick, especially when you add on top of that the state-level penalties. This makes compliance even more important.

The Text vs. Call Question

One thing that has changed a lot over the last 6 months: in 2012, there was an agency decision that said text messaging or SMS messaging is the same as a call. That is being questioned by some courts.

There are at least 2 federal cases that have said a text is not a call, and therefore it's not subject to TCPA. That is very much a minority position. However, when you look at the actual wording in the TCPA, there's a pretty strong argument to make that texts are not calls and therefore should not be subject to the TCPA as written.

What does that mean from a compliance standpoint? For now, nothing. By continuing to treat a text as a call, it's really just a belt and suspenders situation. You're going above and beyond probably what's required to get proper consent. Even if it's not a call for TCPA purposes, you're still taking the steps like it was. That's a prudent and somewhat conservative approach right now, just because it's really up in the air.

The One-to-One Consent Rule (That Almost Was)

The FCC's one-to-one consent rule would have required consumers to affirmatively select individual companies when providing consent through lead generation forms. No more checking one box to consent to contact from multiple lenders or insurance providers. That caused a lot of problems across the industry, not just mortgage but in other verticals as well.

In the week it was supposed to go into effect, the rule was struck down by the 11th Circuit in Insurance Marketing Coalition v. FCC. The court found that the FCC had overstepped its bounds, creating more hurdles that were unnecessary to do what the statute said.

For organizations that rely on multi-party consent forms and lead generation, this was significant relief. The one-to-one requirement would have fundamentally changed lead acquisition economics.

The one-to-one rule is probably dead, and probably not coming back in the near future. For the FCC to follow the guidelines from the IMC case, it would take a lot of time, with a lot of hurdles to jump through. Between the Supreme Court cases on agency deference and the current regulatory environment, there's a lot of uncertainty, but this particular rule appears to be settled.

Audit Your Consent Infrastructure

Internal audit should cover several dimensions:

1. Consent capture points: Where are consumers providing phone numbers, and what consent language accompanies that collection? Is the consent specific enough to cover every channel and message type you're using?

2. Contact methods: How are you contacting consumers? Personal phone calls from agents have different requirements than auto-dialed or AI voice calls. Make sure your consent matches your contact method.

3. Established business relationships (EBRs): Are you relying on EBRs? Inquiry-based EBRs are 3 months from the date of the inquiry. Transaction-based EBRs are 18 months after the transaction. Make sure your systems track when those windows close. And remember: the EBR is specific to where the business relationship is. If you have a loan relationship with a customer, you can't use that EBR to call them about insurance.

4. Do Not Call (DNC) safe harbor: Make sure you're following those DNC safe harbor rules so you can take advantage of them.

For third-party vendors and lead generators, the audit extends to their practices. If you're using a third party to generate leads or do calling on your behalf, you're buying that third-party's compliance program. 

You want to make sure they're doing it right. What consent language did they use? You want to make sure your contracts require them to sell you leads with consent, that they're going to indemnify you when they screw up, and that you have the ability to do some auditing of them.

Need to assess your TCPA consent framework? Our team at FLLR Consulting can evaluate your current consent language and contact practices against current requirements.

Reach out today to learn more.