Fieldtested
GUIDE

Voice agent procurement: TCPA, GDPR, call quality, and the legal layer that matters more than the platform

Published May 30, 2026

A buyer's guide to evaluating voice AI agent platforms in 2026 — what to test, what to negotiate, and why the legal compliance work above the platform usually dominates the procurement decision.

Voice AI agents have moved from gimmick to production reality in 2026. The platforms — Retell, Vapi, Bland — are technically mature enough that a competent team can ship a working voice agent in weeks. The procurement decision sounds simple: pick the platform with the best latency, voice quality, and price. It isn’t simple. The legal layer above the technology dominates the decision more than the platform comparison does, and most procurement processes I see underweight it badly.

The procurement framing most teams get wrong

The standard voice agent evaluation looks like this:

  • Pick three vendors (typically Retell, Vapi, Bland)
  • Run latency tests
  • Run voice quality A/B tests with real users
  • Compare per-minute pricing
  • Pick the winner

This framing is technically correct and strategically wrong. It treats the platform comparison as the project’s center of gravity when it almost always isn’t. The harder work — and the work that determines whether the deployment is legal, sustainable, and successful — happens upstream and downstream of the platform.

The upstream work: figuring out whether your specific use case is lawful, what consent infrastructure you need, what disclosure requirements apply, and how regulators will view AI-generated calls in your jurisdiction.

The downstream work: designing call flows that work for your users, integrating with your CRM and telephony, handling failure modes, training operators to interpret agent transcripts.

These two workstreams typically cost 5-10x more than the platform itself in the first year of a serious voice agent deployment. The platform comparison is real but it’s the smaller part.

Inbound vs outbound: the dominant axis

Before any other procurement consideration, classify your use case as inbound or outbound. The legal weight differs by an order of magnitude.

Inbound voice agents. A customer dials your number. The agent picks up. The legal complexity is significantly lower because the user initiated the contact — consent is implicit in the call. Most regulatory frameworks treat inbound calls more permissively than outbound. Disclosure requirements still apply (you usually have to tell the caller they’re speaking with an AI), but the structural compliance lift is manageable.

Outbound voice agents. Your system dials the user’s number. The agent speaks first. The legal complexity is enormous. TCPA in the US, GDPR + ePrivacy in the EU, CASL in Canada, and equivalent frameworks elsewhere place hard constraints on outbound AI-generated calls. The platform doesn’t help with these constraints; it only provides the technical capability.

If your use case is inbound, you can procure on technology fit reasonably. If it’s outbound, the legal layer needs to come first — and it should determine whether the project happens at all, before you compare platforms.

The outbound legal checklist (US — TCPA)

For US outbound voice agent deployments, the TCPA layer requires:

  • Prior express written consent for marketing calls to mobile numbers. The standard for what counts as “written consent” is strict — opt-in checkbox, recorded consent, or signed document.
  • Do Not Call (DNC) list scrubbing — both the federal Do Not Call Registry and state-level lists. Most platforms integrate with DNC providers but you’re responsible for ensuring it’s done.
  • Time-of-day restrictions — generally no calls before 8 AM or after 9 PM local time.
  • Identification requirements — the caller must identify themselves and the entity on whose behalf the call is made.
  • AI disclosure — many states now require explicit disclosure that the caller is an AI agent, not a human. California, New York, and others have specific rules; check your operating states.
  • Automatic Telephone Dialing System (ATDS) considerations — court rulings have shifted what counts as ATDS, but assume conservatively that AI voice systems may be classified as such, which triggers additional consent requirements.

Penalties under TCPA can range from $500 to $1,500 per call. A single outbound campaign that violates TCPA at scale can produce nine-figure exposure. This isn’t theoretical — TCPA class actions are a substantial industry.

The outbound legal checklist (EU — GDPR + ePrivacy)

For EU outbound voice agent deployments:

  • Lawful basis under GDPR Article 6 — typically consent for marketing, contract for service-related outbound.
  • ePrivacy Directive consent — separate from GDPR; required for unsolicited marketing calls.
  • Article 22 considerations — if the AI agent makes decisions with legal or significant effects, additional protections apply (right to human review, right to contest).
  • Cross-border data transfer — voice data, transcripts, and call recordings often flow through US-based processors (model providers, telephony providers). Standard Contractual Clauses (SCCs) and transfer impact assessments apply.
  • AI Act compliance — the EU AI Act classifies certain AI uses as high-risk; voice agents that interact with users in ways that could cause significant harm may fall under additional obligations.
  • National implementations — France, Germany, Italy, Spain all have specific national rules on telemarketing that may add requirements beyond the EU framework.

GDPR penalties can reach 4% of global revenue. Member-state telemarketing rules add their own enforcement.

Platform comparison criteria that actually matter

Once you’ve cleared the legal layer (or decided your use case is inbound and the legal layer is light), the platform comparison narrows to specific criteria:

Latency and conversation feel

Sub-800ms response latency is roughly the threshold below which conversations feel natural and above which they feel robotic. Retell’s defaults achieve this consistently; Vapi achieves it when tuned with the right stack (Deepgram Nova + Groq + Cartesia); Bland is competitive but not class-leading.

How to test honestly: run 20-30 real calls with the agent answering follow-up questions, interruptions, and ambiguous statements. Subjective feel matters more than aggregate latency numbers.

Voice quality and naturalness

ElevenLabs and Cartesia produce the most natural voices in 2026. PlayHT is competitive. Deepgram Aura is improving but generally a step behind. The platform’s defaults may or may not use the best provider.

How to test honestly: have voice quality compared by 5-10 listeners blind. Mark which sound human, which sound AI. The variance between listeners is meaningful and worth seeing.

STT accuracy on your audio profile

Speech-to-text accuracy depends on the audio profile: phone line quality, accent diversity, background noise, technical vocabulary. Industry-standard benchmarks are misleading because they don’t match your specific profile.

How to test honestly: run 100 sample calls through each platform’s default STT, compare transcripts to ground-truth manually. Look at error rate AND error type — missing a customer name is worse than missing a filler word.

Compliance feature depth

Beyond the legal-layer work, the platform’s specific compliance features matter:

  • Call recording with consent capture
  • Transcript storage and retention controls
  • PII/PCI redaction in real-time
  • BAA availability for HIPAA workloads
  • Geographic data residency options

Retell tends to lead on compliance documentation polish. Vapi gives you composable choice (pick HIPAA-eligible providers per leg). Bland is functional but less marketed-toward-compliance buyers.

Telephony integration

Most platforms support Twilio, Vonage, Telnyx, and direct SIP. The integration depth and pricing structure varies. For high-volume deployments, evaluate the bring-your-own-trunk economics carefully — telephony is often the largest cost line.

Bulk outbound tooling (if outbound)

If your use case is outbound at scale, the platform-level tooling differs dramatically. Bland has purpose-built bulk-campaign infrastructure — list upload, scheduling, concurrency control, DNC integration, retry policies. Vapi and Retell can do outbound but you’ll build the campaign infrastructure yourself. See Vapi vs Bland for the full comparison.

Cost modeling for voice agents

Voice agent unit economics work better than chat agent unit economics, but only because they replace expensive labor (contact-center agents at $25-50/hour) rather than cheap labor.

A typical inbound support call:

  • 5 minutes connected time
  • $0.10-0.30/minute platform cost = $0.50-1.50
  • $0.05/minute LLM tokens = $0.25
  • $0.01-0.05/minute telephony = $0.05-0.25
  • All-in: $0.80-2.00 per call

Compared to a human contact-center agent at $40/hour = $0.67/minute = $3.33 for a 5-minute call. Voice agents save 40-75% per call even at the high end of platform pricing.

For outbound:

  • 3 minutes average connected time (lower because of declines)
  • Similar per-minute costs
  • All-in: $0.48-1.20 per connected call

Outbound economics are dominated by connect rates (typically 5-15% of dialed numbers connect to a real person). The unit cost per dialed number is much lower because most calls don’t connect.

Hidden cost: call flow design. Voice flows that handle interruptions, accents, ambiguity, and edge cases take 2-4 weeks of dedicated design work per major flow. Skipping this produces broken experiences that damage brand more than they save labor.

When voice agents fail in production

The recurring failure modes:

The agent doesn’t handle ambiguity. Real callers don’t speak like prompts. They interrupt themselves, change topics mid-sentence, ask off-topic questions. Agents tested only with clean dialogue fall apart on the first real call.

Latency feels wrong even when measured right. A 750ms latency that’s consistent feels better than a 600ms latency that occasionally spikes to 1.5s. Variability matters more than the average.

Compliance breaks under scale. A 10-call pilot is compliant. A 10,000-call campaign is compliant. The 100,000-call escalation hits a state-specific rule nobody checked, and the program shuts down.

Operator interpretation gaps. Voice agent transcripts go to human operators for follow-up. If the operators don’t trust or can’t interpret the transcripts, the agent’s work doesn’t translate into pipeline action.

The voice sounds wrong for the brand. Generic AI voices sound generic. Premium voice cloning costs extra and varies in quality by language. Budget for voice selection as a real design decision, not a checkbox.

What to do this quarter

If you’re evaluating voice agent platforms right now:

  • Classify your use case as inbound or outbound. Treat this as a strategic decision, not a tactical one.
  • For outbound: engage telephony-specialist counsel BEFORE platform evaluation. The legal layer determines whether the project is viable.
  • For inbound: run a 2-week pilot with the most promising platform on your specific call types. The technology fit becomes clear quickly.
  • Budget for call flow design as 30-40% of total project effort. The platform doesn’t replace this work.
  • Track voice agent quality with the same rigor as any production system. Sample 5-10% of calls weekly for manual review, especially in months 1-3.

The teams that ship voice agents successfully in 2026 are the ones that respected the legal layer, invested in call flow design, and picked the platform that matched their team’s center of gravity. The teams that got stuck did one or more of those wrong. The platform decision matters; it’s just not the decision that determines success.

Stéphane Viaud-Murat

Stéphane Viaud-Murat

CEO, mi4.fr