EU AI Act for Voice Agents – What changes for enterprise call flows in 2026

‍Two TCPA developments reveal where voice AI risk is heading—and what to do about it now.

The TCPA litigation playbook just changed.

Two cases from the past month signal a fundamental shift in how plaintiffs' attorneys are thinking about voice AI liability. If you're deploying conversational AI for outreach, these cases aren't just news—they're a preview of arguments that will be used against you.

Here's our take on what's actually happening, and what you should do about it.

The OpenAI + Twilio Lawsuit: Our Opinion

The case: William Lowry v. OpenAI, et al. (E.D. Va., December 2025). A consumer is suing OpenAI and Twilio directly for TCPA violations committed by a third party (Fresh Start Group) that used their platforms.

The theory: OpenAI and Twilio knew or should have known their technology was being used for illegal robocalls—and did nothing to stop it.

Why We Think This Matters

This lawsuit will probably fail. But the legal theory won't go away.

The class definition is absurdly broad. The causation arguments are weak. OpenAI will likely argue it's a neutral technology provider with no knowledge of individual users' compliance practices.

But here's what keeps us up at night: the theory is plausible enough to survive a motion to dismiss. And that's all plaintiffs' attorneys need.

Once discovery opens, OpenAI would have to produce internal communications about TCPA risks. Any email where someone at OpenAI discussed "robocall concerns" or "compliance risks" becomes Exhibit A. Any acceptable use policy that wasn't enforced becomes evidence of knowledge.

Our prediction: Even if OpenAI wins this case, they'll respond by tightening restrictions on voice AI API usage. Expect:

• Mandatory compliance attestations for telephony use cases
• Audit rights written into terms of service
• Faster termination for users flagged in TCPA complaints
• Possible restrictions on outbound calling applications entirely

If you're building on OpenAI or similar platforms, your vendor relationship is about to get more complicated.

What You Should Do Now

1. Read your API terms of service. Today.

Most voice AI operators have never actually read their vendor agreements. Do it now. Look for:

• Indemnification clauses (who pays if the vendor gets sued?)
• Compliance representations (what did you promise when you signed up?)
• Termination rights (can they cut you off if you're named in litigation?)
• Audit provisions (can they demand your consent records?)

2. Document your compliance program—and make it visible to your vendors.

If platform providers start facing liability, they'll protect themselves by requiring customers to demonstrate compliance. Get ahead of this:

• Create a written TCPA compliance policy specific to your AI deployment
• Document your consent collection and verification process
• Keep records of DNC scrubbing and suppression list management
• Be prepared to show this to your AI vendor if asked

3. Assume your vendor will change the rules.

Build flexibility into your architecture. If OpenAI restricts outbound calling tomorrow, can you switch providers? If Twilio requires new compliance certifications, can you produce them quickly?

The OptumRx Settlement: Our Opinion

The case: Patterson v. OptumRx, Inc. (S.D. Ind.). OptumRx paid $1.86M to settle claims that it placed prerecorded "clinical adherence" calls to non-customers without consent.

The facts: ~155,000 phone numbers. $72-135 per claimant. Calls were about medication adherence—arguably helpful healthcare outreach.

Why We Think This Matters

OptumRx did nothing unusual. That's the problem.

These weren't scam calls. They weren't aggressive sales pitches. They were healthcare reminders that probably helped some people take their medications correctly.

OptumRx almost certainly had a compliance program. They almost certainly believed they were operating legally. They're a sophisticated company with real legal resources.

And they still paid $1.86 million.

The uncomfortable truth: Most voice AI compliance programs are built on the same assumptions OptumRx made. "We're calling about something beneficial." "We have consent from somewhere in our system." "These are operational calls, not marketing."

None of those assumptions provide TCPA protection.

What You Should Do Now

1. Audit your non-customer outreach immediately.

The OptumRx class was limited to people who were not OptumRx customers. This is where consent chains break down:

• Leads purchased from third parties
• Numbers from partner referrals
• Contacts inherited from acquisitions
• "Warm transfer" scenarios where consent doesn't follow the call

If you're calling people who haven't directly opted in to receive automated calls from your specific organization, you're in OptumRx territory.

2. Stop relying on "beneficial purpose" as a defense.

We hear this constantly: "But we're calling to help people!"

The TCPA doesn't have a "good intentions" exception. Healthcare reminders, appointment confirmations, fraud alerts, delivery notifications—all require consent for automated calls to cell phones. The FCC's emergency exception is narrow and heavily litigated.

If your compliance program includes any variation of "these calls are helpful so we're probably fine," fix that assumption now.

3. Treat prerecorded and AI-generated voices identically.

The FCC ruled in February 2024 that AI-generated voices are "artificial voices" under the TCPA. Whatever consent requirements apply to prerecorded messages now apply to your conversational AI.

OptumRx used traditional prerecorded messages. Your AI-powered voice agent carries the same legal requirements—plus additional risks from dynamic content that prerecorded messages don't have.

The Bigger Picture: Three Compliance Shifts We're Watching

1. Liability is moving upstream.

The OpenAI lawsuit represents a broader trend. Plaintiffs' attorneys are looking beyond the entity that made the call to everyone who enabled it: AI providers, telephony platforms, lead generators, technology vendors.

Our tip: Map your entire call stack. Who provides your AI? Who provides your telephony? Who provides your numbers? Who provides your leads? Each one is a potential co-defendant—and a potential source of discovery that could be used against you.

2. "Consent on file" isn't good enough anymore.

OptumRx presumably had consent records somewhere in their system. It didn't matter because the consent didn't cover the specific calls at issue.

Our tip: Consent must be specific, documented, and traceable to the exact call. Can you produce, for any given call, a timestamped consent record that shows:

• What the consumer agreed to
• When they agreed
• How they agreed
• That it covers automated calls from your organization
• That it covers the specific type of call you made

If you can't produce this in 48 hours for any number a plaintiff's attorney asks about, your consent program has gaps.

3. What your AI says is now a liability surface.

Neither of these cases involved AI behavior issues—but the next wave will. When your AI:

• Fabricates a consent claim when challenged
• Expands beyond the consented call purpose
• Confirms a DNC removal that didn't process
• Delivers an incomplete disclosure

...you've created a TCPA violation that your compliance tools never detected.

Our tip: Test your AI's actual behavior, not just your policies. What does it say when interrupted during a disclosure? What does it say when a customer asks "how did you get my number?" What does it say when someone requests DNC removal? These are the moments that create litigation.

Our Bottom Line

These two cases tell the same story from different angles.

The OpenAI lawsuit says: The companies that enable non-compliant calling may start sharing liability for it.

The OptumRx settlement says: Even "legitimate" callers with compliance programs get sued and pay millions.

Put them together and the message is clear: the compliance surface for voice AI is expanding, and traditional approaches aren't keeping up.

Static compliance tools check lists and verify records. They don't know what your AI actually says in production. They can't detect consent scope creep, hallucinated consent claims, or disclosure failures.

That's the gap we built VoiceLint to fill.

Quick Checklist: 5 Things to Do This Week

1. Pull your AI vendor agreements and find the indemnification, compliance, and termination clauses. Know your exposure.
2. Identify all outbound calls to non-customers (leads, referrals, acquired contacts). These are your highest-risk calls.
3. Audit your consent records for one day's worth of calls. Can you produce compliant consent documentation for every number?
4. Document your TCPA compliance program in writing. If your vendor asks for it tomorrow, can you send it?
5. Test what your AI actually says when challenged on consent, DNC requests, or call purpose. Not the script—the actual output.

References

1. Troutman, Eric J. "OPENAI LIABLE FOR ROBOCALLS/TEXTS???" National Law Review, December 31, 2025. Link
2. Patterson v. OptumRx, Inc., No. 1:24-cv-00689-TWP-KMB (S.D. Ind.). Settlement website: optumrxtcpaclassactionsettlement.com
3. "$1.86M OptumRx Settlement Ends Litigation Over Alleged Prerecorded Voice Messages." ClassAction.org, December 22, 2025. Link
4. "FCC Confirms that TCPA Applies to AI Technologies that Generate Human Voices." FCC, February 8, 2024. Link

This analysis reflects VoiceLint's opinions on industry developments and does not constitute legal advice. Consult qualified legal counsel for guidance on your specific compliance obligations.

‍