AI insurance sales calls: TCPA and NAIC compliance explained

AI-generated insurance sales calls face TCPA liability up to $1,500 per call and new NAIC model rules. Learn what consent, disclosure, and DNC rules apply.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-09

Insurance compliance officer reviewing call records at a conference table
Insurance compliance officer reviewing call records at a conference table

TL;DR

AI-powered insurance sales calls have to follow the TCPA (47 U.S.C. § 227), which allows $500 to $1,500 in damages per illegal call, plus emerging NAIC model rules requiring disclosure of AI use. You need prior express written consent before using an AI voice, you must honor Do Not Call requests, and state insurance rules layer on top of federal telemarketing law.

What telemarketing laws actually apply to AI insurance sales calls?

Three bodies of law hit an AI insurance call at once: the federal Telephone Consumer Protection Act, the FCC's implementing rules in 47 C.F.R. Part 64, and state insurance regulations shaped by NAIC model guidance. A single non-compliant call can trip all three.

The TCPA (47 U.S.C. § 227) is the foundation. It bars any call using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to a wireless number without the called party's prior express consent [1]. Insurance sales calls sit squarely inside the statute's 'telephone solicitation' definition, which covers calls made to encourage a purchase of goods or services [1].

The FCC's 2024 declaratory ruling settled a long-running argument: AI-generated voices count as 'artificial' voices under the TCPA [2]. That killed the theory that a synthetic voice from a large language model was somehow different from the robocall voices the statute was written to stop. If your dialing platform uses an AI voice for any part of a sales pitch, you are in TCPA territory whether or not a human agent joins the call later.

On the insurance side, the NAIC Artificial Intelligence Governance Model Bulletin (adopted by most states starting in 2024) does not create a private right of action. It tells state insurance departments what to look for [3]. Carriers and licensed producers are expected to run governance programs for any AI system used in marketing and sales, call technology included. When a department opens a market conduct exam, it now checks how AI tools are supervised and whether they produce unfair discrimination or consumer deception.

Here is the practical shape of it. One compliance failure in one AI call can produce TCPA liability from a private plaintiff, an FCC or state AG enforcement action, and a state insurance department market conduct finding. Same phone call, three problems.

What did the FCC's 2024 AI voice ruling actually say?

On February 8, 2024, the FCC released a unanimous declaratory ruling holding that calls made with AI-generated voices are 'artificial' voices under 47 U.S.C. § 227(b)(1)(A) [2]. The trigger was robocall campaigns using AI voice clones of public figures. The ruling's text is not limited to that.

The FCC stated that AI-generated voices used in calls are 'artificial' voices under the TCPA [2]. That matters operationally. Any outbound call using AI voice synthesis, a full AI agent or just an AI-voiced intro before a live transfer, needs the same consent as a prerecorded message call to a mobile number.

Insurance marketers feel this downstream. Many lead-generation flows used an AI or IVR system to screen leads, then transferred a 'warm' prospect to a licensed agent. Under the ruling, the screening step itself is now a covered artificial voice call if it uses synthesized speech. You cannot argue the AI portion was just infrastructure rather than a telemarketing call.

The ruling also confirmed that state laws banning AI voice calls without consent are not preempted by the TCPA. States can go further. Several already have.

The standard turns on two things: the type of number you are calling and whether the call is for marketing. For an AI voice marketing call to a cell phone, you need the highest tier of consent, and nothing less will hold up.

For calls to wireless numbers using an ATDS or an artificial/prerecorded voice for telemarketing, the FCC requires 'prior express written consent' [4]. The consumer has to sign (electronically or in ink) a clear and conspicuous disclosure that authorizes calls from the named seller to a specific number, and the disclosure has to say the call may use an autodialer or artificial/prerecorded voice [4].

For residential landlines, a lower standard (prior express consent) applies to non-telemarketing informational calls. Marketing calls still need prior express written consent.

Carriers that buy internet leads face a specific trap. The FCC's one-to-one consent rule requires consent granted to one named company at a time [5]. Lead forms that said 'I consent to be contacted by our marketing partners' and then sold that lead to dozens of carriers no longer work. Each carrier needs its own separate written consent before making an AI-voice or ATDS call.

The one-to-one rule took effect January 27, 2025 for new consent captures [5]. Leads collected before that date under multi-party language are arguably grandfathered for their existing scope. Using them with AI voice technology for fresh outreach is risky without new consent.

What prior express written consent has to contain, per FCC rules:

  • The name of the specific seller authorized to call
  • The telephone number to which calls may be made
  • A clear statement that the consumer agrees to receive autodialed or prerecorded calls
  • A statement that consent is not a condition of buying anything [4]

Miss any one of those and your consent is defective. Courts do not treat that as a rounding error.

What are the NAIC AI governance requirements for insurance sales?

The NAIC Artificial Intelligence Governance Model Bulletin, first published in 2023 and updated in 2024, is not a statute. It is a model bulletin that state insurance regulators use as a template [3]. By mid-2025, most states had adopted the substance of it through regulatory guidance, market conduct exam procedures, or formal rulemaking.

The bulletin asks insurers and other licensees that use AI in 'core business functions' to maintain a written AI governance program. Sales and marketing are listed as core functions. The program has to cover:

  • Accountability: a named senior officer responsible for AI oversight
  • Transparency: documentation of what AI systems are used and how they decide
  • Fairness and non-discrimination: testing so AI systems do not produce unfair outcomes for protected classes
  • Vendor management: carriers cannot outsource accountability for AI to a vendor
  • Consumer disclosure: consumers should know when they are dealing with an AI system

The consumer disclosure piece is the one that touches AI sales calls most directly. The bulletin does not mandate script language, but it expects a consumer to be able to tell they are speaking with or getting a call from an AI system rather than a human agent [3]. Some state departments read this as requiring an early-in-call disclosure, close to the California rule below.

Market conduct examiners now fold AI governance questions into standard exam checklists. A carrier with no written AI policy, or one that uses a dialing vendor without auditing that vendor's compliance, is the easy mark in an exam cycle.

Smaller independent agents and MGAs using third-party dialing platforms carry a due diligence duty here. If your vendor's platform generates AI voices, you need to know that, disclose it, and document your oversight. 'I didn't know the platform did that' is not a defense in a market conduct exam.

How much can an AI insurance call violation actually cost?

TCPA statutory damages run $500 per violation, trebled to $1,500 for willful or knowing violations [1]. Every call or text is a separate violation. A campaign that dials 10,000 AI voice calls to cell phones without proper consent faces $5 million to $15 million in statutory damages before a single plaintiff attorney's fee lands on top.

Insurance companies have sat on the wrong end of this. UnitedHealthcare paid $2.5 million to resolve alleged TCPA violations in one action, a number that shows how fast per-call damages pile up at enterprise scale.

The table below shows how TCPA damages scale with call volume:

Calls made without consentMin. damages ($500/call)Max. damages ($1,500/call if willful)
1,000$500,000$1,500,000
10,000$5,000,000$15,000,000
50,000$25,000,000$75,000,000
100,000$50,000,000$150,000,000

Those numbers are why TCPA class actions settle. A plaintiff attorney needs a named representative, evidence of a non-consented call, and class certification to put heavy pressure on even a mid-size carrier.

State insurance law adds more. An unfair trade practices finding under a state insurance code can bring license suspension, fines separate from TCPA damages, and required corrective action plans. Those fines vary by state and can reach $50,000 per violation per day in the most aggressive jurisdictions.

Want to see what real settlements look like? The Credit One TCPA settlement and the Truist Bank TCPA class action settlement both show how financial services firms with large outbound programs end up in class action territory.

TCPA damages by call volume: AI insurance calls without consent Statutory minimum ($500/call) vs. maximum for willful violations ($1,500/call) under 47 U.S.C. § 227(b)(3) 1,000 calls, min. $500k 1,000 calls, max. (willful) $1.5M 10,000 calls, min. $5M 10,000 calls, max. (willful) $15M 50,000 calls, min. $25M 50,000 calls, max. (willful) $75M 100,000 calls, min. $50M 100,000 calls, max. (willful) $150M Source: 47 U.S.C. § 227, U.S. Code (Cornell LII)

Do AI insurance calls have to be disclosed to consumers?

Yes, at several levels. The FCC's existing rule is the floor: any call using a prerecorded or artificial voice must identify the caller and give a phone number the called party can use to reach them during or right after the message [4]. That baseline predates AI voice tech and applies no matter what.

The NAIC AI Governance Model Bulletin adds an expectation that a consumer dealing with an AI system in an insurance context knows it [3]. The bulletin does not fix exact timing or script language. The working standard most state departments apply in exams is simple: tell the consumer at the start, before any sales content.

California goes further. Under Business and Professions Code Section 17538.41, a caller using an artificial or prerecorded voice has to say within the first 30 seconds that the call is automated [6]. California also enacted B&P Code Section 17538.45, which requires disclosure when an AI is used in a conversation to solicit sales.

So a compliant AI insurance opening does three things: names the company, says the call uses an automated or AI system, and states the purpose. That single block satisfies the FCC baseline, the NAIC expectation, and the California rule at once.

One mistake keeps showing up in enforcement actions. Carriers use AI to build a 'personalized' intro with the consumer's name and local references, then bury or skip the disclosure, arguing the personalization makes it feel human. Wrong direction. The more realistic the AI voice, the more clearly you have to say it is not a person.

How do Do Not Call rules apply specifically to AI insurance calls?

The National Do Not Call Registry applies to every telephone solicitation, AI voice calls included [7]. If a number is on the federal DNC registry, the consumer has not given your specific company prior express written consent, and no business relationship exception applies, calling that number for insurance sales is a TCPA violation.

The pre-existing business relationship (EBR) exception allows calls to a consumer who bought from, or inquired to, the seller inside set windows: 18 months for a purchase, 3 months for an inquiry [7]. Insurance agents miscalculate this constantly. A consumer who quoted your competitor and landed in a shared lead pool has no relationship with your agency. The relationship has to be with you.

State DNC lists add another layer. Indiana, Texas, Colorado, and Wyoming, among others, keep their own DNC registries that apply to insurance calls independent of the federal list [8]. An agent calling from a state with its own list, or into one, has to scrub against both.

AI calls raise the documentation bar higher than human calls because there is no real-time override. A human agent can hear 'I never asked for this call' and try to fix it on the spot. An AI system cannot. The consent record has to be clean before the call goes out, not patched afterward.

Want more on how robocall and DNC complaints get handled? The how to stop robocalls guide covers the consumer side, which helps you see how complaints flow to the FCC and plaintiffs' firms.

What state laws go beyond federal TCPA rules for AI insurance calls?

Federal TCPA compliance is the floor. States build ceilings that vary a lot.

California has the most developed framework. Beyond the automated call disclosure rules above, the California Consumer Privacy Act (CCPA) covers personal data used in AI call targeting, giving consumers rights to know, delete, and opt out of the sale or sharing of their phone numbers and contact data [9]. Carriers using AI-driven lead scoring or behavioral targeting to prioritize calls need a CCPA program that covers those data flows.

Florida's Telephone Solicitation Act (FTSA) went past the TCPA in some respects after its 2021 amendment, requiring consent for calls and texts made with an automated system to Florida numbers, with a private right of action for $500 per call [10]. Florida plaintiffs' attorneys got very busy under it. A 2023 amendment now requires a single named plaintiff before a class can be certified, which cut the litigation risk without ending it.

Texas requires telemarketers to register with the secretary of state, keep an internal DNC list, and honor requests for 30 days [8]. Agents selling across state lines miss Texas registration all the time.

Illinois, New York, and Maryland have proposed or passed AI-specific disclosure bills that could reach insurance sales calls. The Illinois Insurance Code already bars unfair discrimination, and the state department has signaled it treats AI systems that produce disparate marketing outcomes as a possible violation [3].

Honest summary. If you run a multi-state AI insurance call program, TCPA compliance is not the whole answer. You need a state-by-state review covering insurance department rules, telemarketing statutes, and consumer data laws. It is not a one-time project. It updates regularly.

The burden of proving consent falls on the caller, not the consumer [4]. That is a stated FCC rule, not a hope. When a plaintiff says 'I never consented,' you have to produce proof they did. If you cannot, the presumption runs against you.

For prior express written consent to AI voice telemarketing calls, your records have to show:

1. The exact consent language the consumer saw and agreed to, plus the date and version of the form 2. The consumer's signature or electronic confirmation, with a timestamp and IP address for web forms 3. The specific telephone number the consent covers 4. Your company name as it appeared in the disclosure 5. The source or lead vendor if a third party collected the consent

That last point matters a lot for carriers buying leads. If you rely on consent collected by a lead aggregator, get the aggregator's source documentation, more than their word that the lead is 'TCPA compliant.' The one-to-one consent rule means the consumer had to name your company [5]. A blanket consent to 'insurance carriers' fails that standard for leads captured after January 27, 2025.

Retention period: the FTC's Telemarketing Sales Rule requires consent and call records to be kept for 24 months [7]. Many TCPA practitioners recommend keeping records for the full four-year federal statute of limitations, because a plaintiff can file up to four years after the violation.

For AI governance under NAIC guidance, also keep the AI system version used for each campaign, any bias testing or fairness audits, and the name of the officer accountable for the program [3]. State market conduct examiners have started asking for exactly these documents.

LeadCompliant's free consent record checker helps you audit whether your lead intake forms capture the required elements. Run your forms through a checklist before the next dialing campaign, not after a demand letter shows up.

What operational steps reduce TCPA and NAIC risk for AI insurance calls?

Risk reduction here is not about finding a clever argument to defend a bad call. It is about not making the bad call.

Scrub lists before every campaign. The national DNC registry updates daily. State DNC lists run on their own schedules. Run your list through the federal registry within 31 days of the call date (the safe harbor window) and against any applicable state lists at least as recently [7]. Write down when you scrubbed, which list version, and how many numbers dropped out.

Audit consent on every lead before first AI contact. This step separates teams that get sued from teams that do not. For every record you plan to call with an AI voice, confirm you hold prior express written consent that names your company, covers that specific number, and was collected after the one-to-one effective date if this is the first call to that number under the new standard.

Write a compliant opening. First 30 seconds: company name, a statement that this is an automated or AI call, the purpose, and how to opt out. That is it. Do not park the AI disclosure behind any sales content.

Honor opt-outs immediately and permanently. The TCPA requires opt-out requests to AI or prerecorded calls to be honored within a reasonable time. Do not batch them for the end of a campaign. When someone presses a key or says stop, that suppression has to hit your dialing list before the next call attempt.

Vet your dialing vendor. The NAIC vendor management expectation means a written agreement with your AI calling platform covering what data they hold, how they handle consent records, whether they scrub DNC, and what indemnification they provide if their platform causes a violation [3]. A vendor that will not sign a data processing agreement or hand over DNC scrub documentation is a liability, not a partner.

Keep an audit trail. Log every step: consent records, scrub runs, call logs, opt-out processing. If a class action attorney sends a demand letter two years out, your defense is built from what you documented, not what you remember.

What does a TCPA class action against an insurance AI caller actually look like?

The pattern is predictable, and seeing it shows you exactly where the gaps get exploited.

A plaintiff, often recruited by a firm that watches FCC complaints, gets an AI-voiced insurance sales call. They flag it as unsolicited. They file a TCPA complaint, then a class action, naming themselves as representative of everyone who got similar calls from the defendant carrier over the prior four years.

Discovery is brutal for defendants. The plaintiff's attorney subpoenas the dialing platform for call logs. The logs show thousands or millions of AI voice calls. The defendant then has to produce prior express written consent for every number on those logs. Missing records for a meaningful fraction of the calls means the class is enormous.

The Cash App TCPA class action settlement and Albertsons/Safeway TCPA settlement show how large consumer-facing companies settle even when they believe their practices were defensible, because the cost and reputational risk of trial beats the cost of settling.

For insurance, the treble damages provision for willful violations is the real multiplier. If your company knew about TCPA requirements (hard to deny, given the mountain of case law) and ran an AI calling program without proper consent, a court can award $1,500 per call instead of $500. Plaintiffs establish 'willfulness' more easily than most compliance teams expect.

The best protection is not a good litigation strategy. It is a documented, pre-call process that makes it impossible to argue the calls were unsolicited.

How is NAIC AI governance likely to evolve for insurance sales calls?

The 2023-2024 model bulletin is a first step, not a final answer. The NAIC's Innovation, Cybersecurity, and Technology (H) Committee has ongoing AI governance workstreams, and several state departments have signaled interest in formal rulemaking rather than guidance bulletins alone [3].

Colorado enacted SB 21-169 (effective 2023) requiring insurers to guard against algorithmic discrimination in insurance decisions, and Colorado regulators have said AI systems used in marketing and sales targeting are within scope [11]. If a carrier uses an AI model to decide which consumers to call, that targeting function may trip algorithmic fairness review duties.

Federal legislation aimed at AI in insurance has been proposed but not enacted as of mid-2025. The more likely near-term move is the FCC keeps refining its AI voice rulings while states keep layering disclosure and fairness rules through their insurance departments.

Plan for this direction: disclosure rules get more specific on timing and exact language, consent records get more granular, and vendor accountability grows. Companies that build governance programs now, even imperfect ones, land in better shape than companies that wait for a final rule.

Check TCPA news updates for regulatory developments. The FCC has been issuing AI-related guidance fast enough that annual reviews miss things. Quarterly is more realistic.

Frequently asked questions

Does the TCPA apply to insurance agents who use AI voice calls?

Yes. The TCPA applies to any caller, licensed insurance agents included, who uses an artificial or prerecorded voice to make a telemarketing call to a cell phone without prior express written consent. The FCC's February 2024 ruling confirmed AI-generated voices are 'artificial' voices under the statute. A producer license creates no exemption.

What is the NAIC AI governance model bulletin and does it have legal force?

The NAIC AI Governance Model Bulletin is a template state insurance departments use to set expectations for how carriers and producers manage AI systems. It does not itself create a private right of action, but departments enforce it through market conduct exams and can pursue unfair trade practice findings under state insurance codes. Most states had adopted its substance by 2024-2025.

Can I use AI voice calls to follow up with life insurance leads I purchased?

Only if you hold prior express written consent that names your company and covers the consumer's phone number. The FCC's one-to-one consent rule, effective January 27, 2025, means consent from a multi-seller lead form no longer counts. You need consent granted directly to your company. Without it, an AI voice call to a cell phone is a TCPA violation no matter where the lead came from.

What disclosures are required at the start of an AI insurance sales call?

The FCC requires identification of the caller and a callback number. The NAIC bulletin expects consumers to know they are dealing with an AI. California law requires disclosure within the first 30 seconds. Best practice: state the company name, that this is an automated AI call, and the purpose, all before any sales content. That covers the federal baseline and most state rules at once.

For leads captured after January 27, 2025, each insurance company needs its own named written consent from the consumer before an ATDS or AI voice call. Lead forms that bundled consent across multiple carriers or 'marketing partners' no longer provide valid consent for those carriers. Carriers buying leads must verify the consent record names them specifically before starting AI calls.

What TCPA damages are possible for an illegal AI insurance sales call campaign?

Statutory damages are $500 per call, trebled to $1,500 per call for willful or knowing violations under 47 U.S.C. § 227(b)(3). A campaign of 10,000 non-consented AI voice calls to cell phones creates $5 million to $15 million in potential liability. These cases run as class actions, so damages aggregate across every similar call made over a four-year lookback period.

Is there a safe harbor if an insurance carrier relies on a third-party dialing vendor's compliance claims?

No clear statutory safe harbor exists in the TCPA for relying on vendor compliance representations. The FCC has indicated carriers stay liable for calls made on their behalf. NAIC guidance states plainly that carriers cannot outsource accountability for AI systems to vendors. Your indemnification clause matters, but it does not stop you from being named in a TCPA lawsuit.

Do state insurance department AI rules apply to independent agents and MGAs, or only carriers?

They apply to both. The NAIC model bulletin covers 'regulated entities,' which includes carriers, managing general agents, and licensed producers using AI in core functions like sales and marketing. An MGA running AI-powered outbound calls for multiple carriers needs its own governance program, not a pass-through from a carrier's compliance team.

The FTC's Telemarketing Sales Rule requires consent and call records for at least 24 months. Given the TCPA's four-year statute of limitations on private claims, most practitioners recommend keeping records for the full four years. For NAIC governance, AI system audit records and bias testing documentation should also be retained, with no clear expiration standard set yet.

What is the Florida FTSA and how does it affect AI insurance calls to Florida numbers?

Florida's Telephone Solicitation Act, amended in 2021, requires consent for automated calls and texts to Florida numbers with a $500 per violation private right of action. A 2023 amendment requires a single named plaintiff before class certification. Carriers calling Florida cell numbers with AI voice technology need FTSA-compliant consent separate from federal TCPA consent, since Florida's definition of automated systems can differ from the TCPA's ATDS definition.

Can an insurance company use the existing business relationship exception to call DNC-listed numbers with AI?

The pre-existing business relationship exception allows calls within 18 months of a purchase or 3 months of an inquiry to that specific company. It does not clear numbers on the federal DNC list in all circumstances, and it does not override the TCPA's prior express written consent requirement for AI voice calls to cell phones. The EBR exception is narrower than most insurance marketers assume.

What should an insurance company's AI call governance program include to satisfy NAIC requirements?

A written program should name a senior officer accountable for AI oversight, document which AI systems run in sales and marketing, include evidence of fairness and non-discrimination testing, cover vendor audit procedures, and set a consumer disclosure process. State market conduct examiners actively review for these elements. A program that exists on paper but has no operational records behind it will not satisfy an examiner.

Are there specific script requirements for AI insurance calls under TCPA rules?

No mandated word-for-word script exists, but FCC rules require the call to state the name of the business calling and give a telephone number or address where the called party can reach the seller. The AI or prerecorded nature of the call must be disclosed, and an opt-out mechanism must be provided. A compliant opening covers all of this in the first 30 seconds before any product pitch.

How does Colorado's algorithmic discrimination law affect AI insurance marketing calls?

Colorado SB 21-169, effective 2023, requires insurers to guard against unfair discrimination from algorithmic decision-making. State regulators have said AI systems used to target consumers for marketing calls fall within scope if those systems use personal data to make targeting decisions. Carriers using AI-driven call list selection in Colorado should document their fairness testing and be ready to show results to examiners.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits artificial/prerecorded voice calls to wireless numbers without prior express consent; damages are $500 to $1,500 per violation
  2. NAIC, Model Bulletin on the Use of Artificial Intelligence Systems by Insurers: NAIC AI Governance Model Bulletin sets expectations for written AI governance programs covering accountability, transparency, fairness, vendor management, and consumer disclosure in core functions including sales and marketing
  3. FCC, 47 C.F.R. Part 64 Subpart L, Restrictions on Telemarketing: Prior express written consent required for telemarketing calls using ATDS or artificial voice to wireless numbers; consent must name the specific seller and telephone number; caller bears burden of proving consent
  4. California Legislative Information, Business and Professions Code Section 17538.41: California requires automated call disclosure within first 30 seconds of the call
  5. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: National DNC registry applies to all telephone solicitations; 31-day safe harbor for scrubbing; records must be retained 24 months; pre-existing business relationship lookback windows are 18 months (purchase) and 3 months (inquiry)
  6. Texas Secretary of State, Telemarketing Registration Requirements: Texas requires telemarketer registration and maintenance of internal DNC list with 30-day honor period; Texas maintains its own state DNC registry
  7. California Attorney General, California Consumer Privacy Act (CCPA): CCPA applies to personal data including phone numbers used in AI call targeting; consumers have rights to know, delete, and opt out of sale or sharing
  8. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA requires consent for automated calls/texts to Florida numbers; $500 per violation private right of action; 2023 amendment requires single named plaintiff before class certification
  9. Colorado General Assembly, SB 21-169, Restrictions on Insurers' Use of External Consumer Data: Colorado SB 21-169, effective 2023, requires insurers to guard against unfair discrimination from algorithmic and AI decision-making, including in marketing

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit