Outbound voice campaigns at scale: TCPA, quiet hours, and the policy engine that keeps you legal

Outbound voice has a wider regulatory surface than inbound

Inbound voice agents handle the calls customers initiate: consent is implicit, and the regulatory burden is mostly recording disclosure and PII handling. Outbound is the opposite. Every dial is an action you initiated, against a contact who may or may not have consented, in a jurisdiction with specific rules about when and how you can call. TCPA, Reg F for collections, state-level mini-TCPA statutes, CASL across the border — the rules stack.

The failure mode we see in most outbound deployments is that the rules live in a runbook, the runbook lives on a wiki, and the wiki is six months stale. The first call placed at 7:58am in a state with an 8am quiet-hour rule is the moment that becomes a finding.

A policy engine between dialer and model is the only architecture that survives audit

The right architecture: a policy engine evaluates every outbound dial against active jurisdictional rules — quiet hours by contact's local time, suppression-list membership, consent record, frequency caps per contact and per campaign — and either authorizes the dial or blocks it with a logged reason. The model never gets the chance to ignore the rule because the dial never reaches the model.

We deploy this as a control plane that emits an audit row per decision: dialed, blocked-quiet-hours, blocked-suppression, blocked-frequency-cap, blocked-no-consent. Auditors get a CSV that explains every call placed and every call refused. The defensibility is structural.

Policy decisions logged: 100% (every dial attempt)
Quiet-hour violations: 0 (last 12 months, prod)
AMD accuracy: > 96% (answer-machine detection)
Consent revocation latency: < 60s (across all surfaces)

Quiet-hour enforcement uses the contact's local time, not the campaign's

TCPA's 8am-9pm window is in the called party's local time, which is derived from the phone number's NPA (area code) and its geographic origin and, increasingly, from the contact's actual timezone metadata when available. Campaigns that calculate quiet hours from the campaign's timezone or the dialer's UTC clock will violate quiet hours every time a contact has moved or ported a number. The policy engine has to compute local time per contact, per dial.

Answer-machine detection policy is a regulatory choice, not a product setting

When the dialer detects an answering machine instead of a human, what happens next is a regulatory decision. Leaving an unsolicited prerecorded message on a residential line raises TCPA liability; leaving the message on a business line is usually fine; in some jurisdictions, leaving any message at all without prior express consent is the violation.

We treat AMD policy as a per-jurisdiction, per-campaign configuration that the legal team signs off on. The model does not pick whether to leave a message; the policy does, and the policy's audit trail is the defensible record.

Suppression lists must propagate in seconds, not nightly batches

When a contact says 'do not call me again,' the suppression has to be enforced before the next dial is placed — across every campaign, every dialer node, every channel. Nightly batch propagation is a TCPA finding waiting to happen, because the contact will receive a second call between the request and the next batch run.

Our policy engine writes suppression to a sub-second-replicated store and queries it on every dial decision. Cross-channel suppression — voice opt-out also stops SMS — is a configuration the legal team owns. The engineering team enforces it.

Frequency caps and pacing live alongside compliance, not in a separate dialer config

Most dialers expose frequency caps as a campaign setting. The compliance-correct way to handle them is at the policy engine: total contacts per day per phone number, regardless of which campaign or which agent placed the prior call. A contact getting four calls a day from four campaigns is the same TCPA risk as four calls from one.

Pacing rules — how many concurrent dials, abandonment rate caps under the FCC's 3% rule, dropped-call notifications — also belong in the same policy layer. Treating them as separate configurations is how a campaign accidentally violates the abandonment rule when concurrent campaigns spike.

Every contact in the outbound system has a consent record: when consent was captured, what channel, what scope, the wording the contact saw, the IP and user agent at capture, and any subsequent revocation events. The policy engine reads the consent record before authorizing the dial. The auditor reads the same record after the fact.

When the consent record is incomplete — capture timestamp missing, scope ambiguous, revocation not propagated — the policy engine refuses to dial and logs the reason. That is the right default. The cost of a refused dial is zero. The cost of a wrongful dial is regulatory.
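The per-dial decision described in the sections above (suppression, consent, quiet hours in the contact's local time, cross-campaign frequency cap, one audit row per attempt) can be sketched as follows. This is an added example, not the vendor's code: the `Contact` fields, the `"voice"` scope label, the `DAILY_CAP` value and the choice to report an unknown timezone as `blocked-quiet-hours` are assumptions, and the sample contacts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Optional
from zoneinfo import ZoneInfo

CALL_OPEN, CALL_CLOSE = time(8, 0), time(21, 0)  # 8am-9pm window named in the text
DAILY_CAP = 3  # assumed per-number daily cap; the page gives no figure

@dataclass
class Contact:  # hypothetical record shape
    phone: str
    tz: Optional[str]  # IANA zone resolved upstream; None when unknown
    consent_at: Optional[datetime]
    consent_scope: Optional[str]  # "voice" is an assumed scope label
    revoked: bool = False

def decide(c: Contact, now_utc: datetime, suppressed: set, dials_today: dict) -> str:
    """Return the audit decision for one dial attempt. Unknown data blocks."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    if c.phone in suppressed:
        return "blocked-suppression"
    if c.revoked or c.consent_at is None or c.consent_scope != "voice":
        return "blocked-no-consent"  # incomplete consent record: refuse
    if c.tz is None:
        return "blocked-quiet-hours"  # assumption: unknown local time counts as quiet
    local = now_utc.astimezone(ZoneInfo(c.tz)).time()
    if not (CALL_OPEN <= local < CALL_CLOSE):
        return "blocked-quiet-hours"
    if dials_today.get(c.phone, 0) >= DAILY_CAP:  # counted across all campaigns
        return "blocked-frequency-cap"
    return "dialed"

def run_sample() -> list:
    """Constructed sample: one instant, five contacts, one audit row each."""
    now = datetime(2024, 3, 4, 13, 58, tzinfo=timezone.utc)  # 07:58 Chicago, 08:58 New York
    ok = dict(consent_at=datetime(2024, 1, 5, tzinfo=timezone.utc), consent_scope="voice")
    contacts = [
        Contact("+13125550101", "America/Chicago", **ok),
        Contact("+12125550102", "America/New_York", **ok),
        Contact("+12125550103", "America/New_York", **ok),  # on suppression list
        Contact("+12125550104", "America/New_York", None, None),  # no consent record
        Contact("+12125550105", "America/New_York", **ok),  # already at the cap
    ]
    suppressed, counts = {"+12125550103"}, {"+12125550105": DAILY_CAP}
    return [{"ts_utc": now.isoformat(), "phone": c.phone,
             "decision": decide(c, now, suppressed, counts)} for c in contacts]

if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The same UTC instant yields a block for the Chicago contact (07:58 local) and a dial for the New York contact (08:58 local), which is the difference between evaluating the dialer's clock and the called party's.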

We had a campaign block 4,200 dials over a weekend because the consent records had been imported with the wrong timezone metadata. The dialer used to just call them. The policy engine refused, logged why, and pinged the data team. We fixed the metadata Monday morning. Nothing got dialed wrong.

— Director of Compliance, ARM client

What an outbound voice deployment costs

Steady-state cost on outbound voice campaigns lands at $0.22–$0.38 per minute of agent talk time once the policy engine, recording infrastructure, and QA review queue are loaded in. Compared to a domestic contact center at $1.80–$2.40 per minute or an offshore center at $0.85–$1.10 with materially higher compliance risk, the unit economics favor the AI deployment provided the audit trail is genuine.

The 'provided the audit trail is genuine' is the part most vendors gloss over. It is the only part that matters in a TCPA defense.

Frequently asked

Can an AI voice agent run outbound campaigns under TCPA?

Yes, when consent records, suppression-list propagation, quiet-hour enforcement by called-party local time, and frequency caps are enforced by a policy engine between the dialer and the model. The model layer cannot be the control layer; the policy engine has to authorize or block every dial with a logged reason. With that architecture in place, outbound AI voice runs cleanly under TCPA, Reg F, and state-level mini-TCPA statutes.

How does the system enforce quiet hours across timezones?

Quiet hours are computed per contact in the contact's local time, derived from the phone number's area code, ported number metadata where available, and any explicit timezone we have on the contact record. The policy engine evaluates each dial against the contact's local clock at dial time, not the campaign's or the dialer's clock. A contact who has moved across timezones is calculated correctly because the calculation is per dial.

What happens when a contact opts out during a call?

The opt-out is written to the suppression store before the call ends, propagates to every dialer node within seconds, and is enforced on the next dial attempt across every campaign. Cross-channel suppression — voice opt-out also stopping SMS, for example — is configurable per the legal team's interpretation. Nightly batch propagation is not used because it leaves a window where a second call can be placed wrongly.

How is answer-machine detection handled?

Answer-machine detection runs at over 96% accuracy on production traffic. When the dialer detects an answering machine, the action — leave a consented prerecorded message, hang up silently, or escalate to a human queue — is determined by the AMD policy for that campaign and jurisdiction. The policy is configured by the legal team, audited per campaign, and logged per call.

What does an audit trail for outbound voice look like?

Every dial attempt produces a logged decision: dialed, blocked-quiet-hours, blocked-suppression, blocked-frequency-cap, blocked-no-consent, with the consent record version, the policy version, and the resulting action. Every dialed call has a recording, transcript, model reasoning trace, and any compliance disclosure read. Auditors get a CSV that explains every call and every refusal across the campaign.

How does pricing compare to a domestic call center for outbound work?

Steady-state outbound AI voice runs $0.22–$0.38 per minute of agent talk time with recording, policy engine, and QA review loaded in. A domestic contact center running comparable campaigns is $1.80–$2.40 per minute. Offshore centers are $0.85–$1.10 with materially higher compliance risk. The economic case is strong; the regulatory case rests on whether the audit trail is genuine, which is the architecture work, not the model work.