Skip to main content
AI Automation

Is Your AI Phone System Legal in California? CIPA, Consent, and the Lawsuits Hitting Businesses Right Now

California businesses are being sued over AI voice agents. What CIPA and the TCPA actually require — and how to deploy an AI receptionist legally in 2026.

Chad McCluskey · Founder, Stack Consulting AI10 min read
AI phone system California CIPA compliance: a business owner reviews a recording-disclosure and consent-confirmed card on her phone, California map outline behind.

AI phone agents are the best thing to happen to small service businesses in a decade. They answer every call, book appointments at 9 PM, and never put a customer on hold. We build AI receptionists for businesses across South Orange County, and the results speak for themselves.

But there's a conversation most AI vendors skip during the sales pitch, and it's the one that determines whether your shiny new AI receptionist is an asset or a lawsuit: California has the strictest call-privacy law in the country, and plaintiffs' firms have discovered that AI phone systems are an extremely profitable target.

This article explains what California law actually requires, what the recent wave of lawsuits means for you, and the specific configuration decisions that separate a compliant deployment from an exposed one. It's written for business owners, not lawyers — though to be clear up front: this is general information, not legal advice. For your specific situation, talk to an attorney. What we can tell you is how we configure systems in the field and why.

The Law: CIPA in Plain English

The California Invasion of Privacy Act (CIPA) is a wiretapping statute from 1967 — older than touch-tone dialing — that has become the weapon of choice against modern AI phone technology.

Two sections matter for anyone deploying an AI phone system:

Section 631 prohibits intercepting or reading the contents of a communication while it's in transit without consent. Plaintiffs' attorneys use this against third-party technology vendors — the argument being that when your AI platform processes a caller's audio, a company the caller never agreed to talk to is "listening in."

Section 632 prohibits recording a confidential communication without the consent of all parties. This is the famous "two-party consent" rule. Federal law only requires one party's consent; California requires everyone's. A phone call to a business can qualify as confidential if the caller reasonably expects it isn't being recorded.

The part that makes CIPA a magnet for class actions: statutory damages of up to $5,000 per violation — potentially per call, per recording — with no requirement that the caller prove any actual harm. Multiply that across every California caller your system handled, and the math explains why plaintiffs' firms are filing these cases in waves.

The Lawsuits: What's Actually Happening in Court

This isn't theoretical risk. Here's the recent case law every business deploying voice AI should know about.

Taylor v. ConverseNow: the "capability test"

A California woman called a Domino's location to order a pizza. Her call was answered by an AI virtual assistant from a vendor called ConverseNow — without, she alleged, any notice that she was talking to an AI or being recorded. She sued under CIPA sections 631 and 632, and in August 2025 a federal court in Northern California refused to dismiss the case.

The vendor's defense was intuitive: we're just a service provider acting as an extension of the restaurant, not a third-party eavesdropper. The court didn't buy it. The reasoning that carried the day is what lawyers now call the capability test: because the AI vendor had the capability to use recorded call content for its own purposes — like training its models — that alone was enough to keep the eavesdropping claim alive. It didn't matter whether the vendor had actually done so.

Read that again, because it's the single most important sentence in this article for anyone choosing an AI phone vendor: if your platform's terms give it the right to use your callers' audio for model training or "product improvement," you may have a CIPA problem baked into your vendor contract before your system takes its first call.

Galanter v. Cresta: "this call may be monitored" may not be enough

In mid-2025, a caller to United Airlines' support line sued Cresta — an AI "conversation intelligence" vendor analyzing those calls in real time — under CIPA. Here's the twist: she was told the call "may be monitored or recorded for quality purposes." Her claim is that this boilerplate disclosure never mentioned that a third-party AI company would receive, transcribe, and analyze her conversation — potentially for its own commercial benefit.

Worth being precise: this case was filed in June 2025 and is still at the pleading stage, so this is the plaintiff's argument, not yet a court holding. But the direction is clear enough to plan around: the generic recording disclaimer businesses have used for thirty years may not cover AI. If a third-party AI system is part of the call, the emerging standard is that callers need to be told that, specifically.

Sharp HealthCare: the healthcare escalation

In November 2025, San Diego's Sharp HealthCare was hit with a class action alleging its AI "ambient documentation" tool recorded doctor–patient conversations without proper all-party consent — with the audio transmitted to an outside vendor's cloud. The complaint layers CIPA on top of California's medical-confidentiality statute (CMIA), and the proposed class may exceed 100,000 patients.

If you run a dental or medical practice, this case is your warning shot: AI tools that capture patient conversations sit at the intersection of CIPA, CMIA, and HIPAA. All three have to be handled — and "the vendor said it was fine" is not a defense.

The federal layer: TCPA and AI voices

Separately from California law, the FCC ruled in February 2024 that AI-generated voices count as "artificial or prerecorded" voices under the federal TCPA. For outbound AI calling — sales calls, appointment-setting campaigns — that means you need the caller's prior express consent before an AI voice ever dials them, and for marketing or telemarketing calls that consent has to be in writing. Violations carry statutory damages of $500 to $1,500 per call. Plaintiffs' firms are actively targeting AI voice campaigns because the violation is easy to prove: if the AI voice called without consent, the call itself is the evidence.

What a Compliant Deployment Actually Looks Like

Here's the good news: none of this makes AI phone systems illegal in California. Every one of these lawsuits is, at its core, about the same failure — capturing audio before the caller knew and agreed. That failure is preventable, and prevention is a set of concrete configuration decisions made at build time.

This is the checklist we work through on every California voice deployment:

1. Disclosure before capture — not during, not after. The very first thing a caller hears must accomplish two things: identify that they've reached an automated/AI assistant, and disclose that the call is recorded. Critically, the system must be architected so that audio processing begins after that disclosure, not before. Some platforms start streaming caller audio to the AI the instant the call connects; that architecture is exactly what the ConverseNow plaintiff attacked. This is a technical configuration, and it's the first thing we verify on any platform we deploy.

2. Meaningful consent path. After disclosure, continuing the call constitutes implied consent under a common reading of California law — but the disclosure has to be clear enough that continuing means something. A caller who says "I don't want to be recorded" needs a path: transfer to a human, an unrecorded mode, or a callback option. Your AI should be scripted to handle that response gracefully, because it will happen.

3. Vendor contract audit — the capability test problem. Before we deploy on any AI platform, we read its data terms. Does the vendor claim rights to use call audio or transcripts for model training? Is there a setting to opt out? Can you get a contractual commitment that call data is used solely to provide the service to you? After ConverseNow, the vendor's rights on paper are the exposure, not just its actual behavior. The major platforms have been rolling out zero-retention and no-training configurations precisely because of this litigation — but they're rarely on by default. Someone has to turn them on. That someone is us.

4. Update your disclosure language for AI specifically. Per the Cresta case, "this call may be recorded for quality purposes" is legacy language. The modern version discloses the AI's involvement: something in the spirit of "You've reached [Business]. This call is answered by an automated assistant and is recorded." Short, honest, and it closes the gap the Galanter suit is built on.

5. Healthcare: HIPAA BAA plus CIPA plus CMIA. For practices, compliant deployment means a signed Business Associate Agreement with the AI platform, the platform's HIPAA mode explicitly activated (it is never on by default), disclosure and consent handled before any patient information is spoken, and retention policies that align with your obligations. We treat this as a gating requirement: the system does not take a live patient call until every item is verified.

6. Outbound is a different animal — treat it that way. Everything above concerns inbound calls, where the customer called you. Outbound AI calling to consumers triggers the TCPA's consent requirement, do-not-call scrubbing, calling-window rules, and in-call opt-out handling. It can be done compliantly, but it's a substantially heavier lift. If a vendor offers to have an AI "just start dialing your lead list," walk away — that pitch is a class action with a monthly subscription fee.

7. Keep records. Consent language, the date each disclosure script went live, platform data-handling settings, signed BAAs. If a demand letter ever arrives, your defense is documentation that the caller was informed and the data was handled as promised.

The Uncomfortable Question to Ask Your Current Vendor

If you already have an AI phone system, or you're evaluating one, ask the vendor these four questions and watch how they respond:

  1. Does audio capture begin before or after the recording disclosure plays?
  2. Do your terms of service permit you to use our call data for model training or product improvement? Can that be disabled in writing?
  3. What exactly does the caller hear in the first five seconds, and can we control it?
  4. (Healthcare) Will you sign a BAA, and is HIPAA mode a documented, verifiable setting?

A vendor who has real answers has thought about California. A vendor who says "don't worry, everyone uses this" has not — and under CIPA's per-violation damages, you are the defendant with the deep pockets in your caller's eyes, not them.

Why This Is Actually an Opportunity

Here's the reframe we give every client: California's strict rules are a moat, not a burden.

Most AI phone deployments in this market are done by out-of-state agencies reselling a platform they configured in an afternoon. They don't know CIPA exists. Their clients' systems start capturing audio at connect, run boilerplate disclosures, and sit on vendor contracts with wide-open training rights. Every one of those deployments is a liability their owner doesn't know about.

A properly built system — disclosure-first architecture, updated AI-specific consent language, a scripted opt-out path, and documented vendor terms — costs barely anything more to deploy. It just requires knowing that it matters. That's the difference between buying AI software and hiring someone who deploys business automation for a living in the state with the toughest rules in the country.

Frequently Asked Questions

Is it legal to use an AI receptionist in California?

Yes — with proper disclosure and consent. California doesn't prohibit AI answering your phone; it prohibits recording or intercepting calls without all parties' knowledge and consent. A system that discloses the AI and the recording before capturing audio, and whose vendor handles data appropriately, operates on solid ground.

Does my AI have to tell callers it's an AI?

Increasingly, yes — treat it as required. The FCC classifies AI voices as artificial voices, state enforcers expect AI disclosure at the start of a conversation, and the ConverseNow suit was built partly on the caller not knowing she was talking to a machine. Beyond the legal question, hiding it is bad business: callers who discover they were fooled trust you less, while a clear "automated assistant" disclosure sets expectations and still gets the appointment booked.

What are the penalties if I get this wrong?

CIPA provides statutory damages up to $5,000 per violation, and plaintiffs don't have to prove they were harmed. Because an AI system handles every call the same way, a single configuration mistake replicates across thousands of calls — which is exactly why these cases are filed as class actions.

My AI vendor says they're "fully compliant." Am I covered?

No platform is compliant out of the box, because compliance depends on how your deployment is configured: your disclosure script, your capture timing, your data settings, your vendor terms. "Compliant platform" claims describe capabilities, not your configuration. And note that in the current lawsuits, the business that deployed the AI gets named alongside the vendor.

Does this apply to missed-call text-back and automated texting too?

Different rules, same theme. Automated business texting is governed by the TCPA and enforced by carriers through A2P 10DLC registration — unregistered business texting gets filtered or blocked, and texting consumers without consent creates TCPA exposure. We cover this in our guide to business automation consulting.

I already have an AI phone system. How do I know if I'm exposed?

Three checks you can do today: call your own number and listen to the first five seconds — is there a clear AI/recording disclosure before the conversation starts? Read your vendor's terms for "model training" or "product improvement" data rights. And if you're a healthcare practice, confirm you have a signed BAA on file. If any of those checks fails, get it fixed — the fix is configuration, not a rebuild.

Deploy Voice AI in California Without the Legal Headache

Deploying voice AI in California without a compliance headache is exactly what we do. Stack Consulting AI builds AI phone systems for service businesses and practices in South Orange County and North San Diego County — disclosure-first architecture, audited vendor terms, HIPAA-ready configurations. If you want a second set of eyes on an existing deployment, we'll do a free compliance walkthrough of your current setup. Book a call →

This article is general information about a fast-moving area of law, current as of July 2026, and is not legal advice. Consult a California attorney about your specific circumstances.

Sources & Further Reading

Want this in your inbox every two weeks?

The Stack Report is biweekly. No fluff. Real tools small businesses actually use.