Phone Stack
Back to Blog
Compliance

Legal Framework for AI Calling: What's Allowed in the U.S. and Canada

Phone Stack TeamApril 6, 20268 min read

AI voice agents are rapidly becoming a standard tool for outbound calling. But with adoption comes a critical question: what is actually legal, and what creates risk?

The answer depends on three things: who you're calling, whether you have consent, and what kind of call it is. This guide breaks down the legal framework in the United States and Canada across three core use cases — from the safest to the most legally exposed.

The Three Core Use Cases

Before diving into regulations, it helps to understand the three main scenarios businesses face:

  1. Calling customers who opted in to automated or AI-generated marketing calls
  2. Calling customers for service, billing, operations, or feedback (non-marketing)
  3. Cold calling businesses (B2B outreach to non-customers)

Each carries a different level of legal risk. Let's break them down.

Use Case 1: AI Calls to Customers with Consent (Marketing and Upsell)

This is one of the safest and most scalable approaches to AI calling — but only when consent is done correctly.

United States

AI marketing calls to customers are governed by the Telephone Consumer Protection Act (TCPA).

Key requirements:

  • Prior express written consent is required for marketing or sales calls using automated, prerecorded, or AI-generated voice
  • Consent must explicitly include automated or AI-generated calls — vague language like "we may contact you" is not sufficient
  • Consent must be clear, conspicuous, and documented (timestamp, method, language shown)
  • The consumer must take affirmative action (e.g., checking an unchecked box)
  • Consent cannot be bundled as a condition of purchase or service

Canada

Governed by Canada's Anti-Spam Legislation (CASL) and CRTC telemarketing rules.

Key requirements:

  • Express or implied consent is required depending on the context
  • Express consent is needed for marketing calls to consumers
  • Implied consent may exist through an existing business relationship (purchase within last 2 years, inquiry within last 6 months)
  • Calls must identify the caller and company at the start
  • An unsubscribe mechanism must be provided

Key Takeaways

  • This is one of the safest and most scalable approaches when done right
  • Consent must be explicit, clear, and well-documented
  • Weak or vague consent language creates significant legal exposure
  • See our companion guide: What to Add to Your Customer Agreements Now

Use Case 2: AI Calls for Service, Billing, and Operations

This is the safest category overall. When you're calling an existing customer about their account, order, appointment, or balance — not to sell them something — the legal threshold is significantly lower.

United States

  • These calls are considered informational or transactional, not marketing
  • A lower consent threshold applies — the phone number provided in the context of the business relationship is generally sufficient
  • AI and prerecorded calls are generally allowed for these purposes
  • However, you must avoid introducing marketing content into what is positioned as a service call — this is a common compliance trap

Canada

  • Covered under the existing business relationship exemption
  • Must still identify the caller and avoid harassment
  • Frequency and timing restrictions apply

Key Takeaways

  • Safest category for AI calling — high utility, low risk
  • Excellent for collections reminders, appointment confirmations, service updates, and account notifications
  • The critical rule: do not mix marketing content into service calls — if you cross-sell during a billing call, it becomes a marketing call and requires marketing-level consent

Use Case 3: Cold Calling Businesses (B2B)

This is where the legal picture gets more complicated.

United States

  • Cold calling businesses is generally permitted — the TCPA's strictest rules apply to consumer cell phones, not business lines
  • However, AI or prerecorded calls to cell phones are restricted regardless of whether the number belongs to a business contact
  • Many business contacts use personal cell phones as their primary number
  • State-level laws increasingly require AI disclosure at the start of calls

Canada

  • B2B telemarketing is allowed under CASL and CRTC rules
  • Must comply with the National Do Not Call List (DNCL)
  • Must identify the caller and company at the start of every call
  • Some provinces have additional requirements

The Core Risk

The fundamental problem with B2B cold calling using AI is the inability to reliably determine if a number is a cell phone. Business directories list landlines that may forward to personal devices. Direct-dial numbers may be cell phones. There is no reliable public database that distinguishes the two.

This means:

  • Human cold calls to businesses are standard practice and low risk
  • AI cold calls to businesses introduce regulatory uncertainty because you cannot guarantee you're not calling a cell phone with a prerecorded or AI-generated voice
  • Phone number filtering reduces but does not eliminate this risk

Key Takeaways

  • Human B2B cold calling remains standard and relatively low risk
  • AI-powered B2B cold calling introduces meaningful regulatory risk
  • The risk stems from the cell phone identification problem, not from the act of calling itself
  • If pursuing AI cold calling, implement robust number filtering and AI disclosure

The Core Legal Principles (Cross-Border)

Regardless of whether you're operating in the U.S. or Canada, four principles hold true:

  1. Consent enables automation — with proper consent, AI calling is broadly legal
  2. Customers are safer than prospects — existing relationships provide legal cover
  3. Service calls are safer than marketing calls — transactional communication has lower barriers
  4. Cell phones carry higher regulatory protection — in both countries, mobile numbers trigger stricter rules

Risk Categories

Understanding where your use case falls on the risk spectrum:

Lowest Risk

Customer service and billing calls — Existing customer, non-marketing purpose, phone number provided in context of relationship. AI calling is broadly permitted.

Low Risk

Customers with explicit AI/automation consent — You have documented, specific consent for automated and AI-generated calls. This is the gold standard for marketing outreach.

Moderate Risk

Human B2B cold calling — Standard sales practice with well-established rules. Comply with DNC lists, calling hours, and identification requirements.

High Risk

AI cold calling without consent — Using AI-generated voice to call prospects (especially consumers) who have not consented to automated calls. This is the primary legal risk zone and the area where enforcement and litigation are most active.

Common Mistakes

Even well-intentioned companies make these errors:

  • Assuming "business number" means safe — Business numbers frequently route to personal cell phones
  • Using AI voice without explicit consent — "We may contact you" is not consent for AI-generated calls
  • Mixing marketing into service calls — A billing reminder that mentions an upgrade offer becomes a marketing call
  • Failing to store proof of consent — If you can't produce the timestamp, IP address, and exact consent language, you effectively don't have consent
  • Ignoring opt-outs or complaints — Every opt-out must be honored immediately and permanently

Practical Compliance Checklist

Use this as a starting point for your compliance review:

  • [ ] Obtain clear, explicit consent for automated and AI-generated calls
  • [ ] Include specific AI/automation language in your opt-in forms
  • [ ] Maintain records of consent (timestamp, IP address, consent text shown, checkbox state)
  • [ ] Identify the caller and company at the start of every call
  • [ ] Provide a clear opt-out mechanism on every call
  • [ ] Separate marketing calls from service/billing calls in your systems and consent flows
  • [ ] Filter mobile numbers where possible for cold outreach
  • [ ] Scrub against the National Do Not Call Registry (U.S.) and DNCL (Canada)
  • [ ] Follow calling hour restrictions in the recipient's time zone
  • [ ] Disclose AI use when required by state or provincial law
  • [ ] Review and update consent language regularly as regulations evolve

Conclusion

AI calling is not inherently illegal. The legality depends entirely on consent, context, and call type.

The safest strategy is straightforward: combine an existing customer relationship with explicit consent. When you're calling your own customers, about their own accounts, with their documented permission to use AI — you're on solid legal ground.

Risk increases significantly when you move toward AI-powered cold outreach to people who haven't consented to automated calls. This is where enforcement action, class-action litigation, and regulatory scrutiny are concentrated.

The bottom line: Customers plus consent enables safe automation. AI cold calling without consent remains the primary legal risk zone.

Ready to build compliant AI outreach? Read our companion guide on what to add to your customer agreements to make your consent bulletproof.

Start your free trial — Phone Stack includes built-in compliance tools, consent tracking, and automatic opt-out handling.

compliance
TCPA
CASL
legal
ai calling
regulations