How Volume Reach handles consent and regulatory responsibility for outbound calls triggered via the Public API.
Short version
You are legally responsible for having documented consent to call the phone numbers you pass to Volume Reach. The Public API uses a tenant-attestation model — when you set knownConsent: true, you are attesting that:
- You have a prior written or verbal agreement from the recipient to be contacted at this phone number for this purpose.
- You have complied with applicable regulations (TCPA in the U.S., CASL in Canada, GDPR/PECR in the EU/UK, equivalent laws elsewhere).
- You maintain your own DNC scrubbing and suppression lists.
Volume Reach does not enforce platform-side TCPA floors (time-of-day restrictions, per-number caps, DNC lookup) in the Public API MVP. This will change when customer demand warrants it.
Why this matters
The TCPA (47 U.S.C. § 227) imposes statutory damages of $500 to $1,500 per call for violations. Common violation types:
- Calling a number on the Federal Do-Not-Call Registry without a valid business relationship.
- Using an auto-dialer or prerecorded voice to call a cellular phone without prior express consent.
- Calling outside the permitted hours (8 a.m. – 9 p.m. local time of the recipient).
- Calling after the recipient has revoked consent.
State-level statutes (Florida Telephone Solicitation Act, Oklahoma Telephone Solicitation Act, Washington's CEMA, etc.) may impose additional restrictions and damages on top of these.
Attestation via the API
Every call you trigger should include:
{
"knownConsent": true,
"consentRecordId": "your-internal-consent-row-id-or-uri"
}
Both fields are stored on the call record and echoed in every webhook so you have a clean audit trail linking each dialed call to the consent record that authorized it.
Passing "knownConsent": false (the default if omitted) is not a license to call without consent — it simply means "my system did not attest consent at call-trigger time." Your legal responsibility is the same either way; knownConsent: true just creates a cleaner audit log.
What Volume Reach does not do (MVP)
To make this explicit so you can plan:
- No time-window enforcement. If you POST a call at 11 p.m. local time, Volume Reach will attempt it.
- No per-number daily cap. You can call the same number many times in a single day if your code does so.
- No DNC lookup. We don't check the FTC registry or carrier-level DNC lists.
- No prior-consent verification. We trust your knownConsent flag; we don't ask how you obtained consent.
These will be added as opt-in guardrails in a future release when customers request them. For now, you are responsible for implementing them in your own code before you call the API.
What Volume Reach does do
- Every call is logged (call ID, phone numbers, timestamps, audio, transcript, outcome, knownConsent, consentRecordId) and retained per your account's retention setting (default 30 days for recordings).
- Every call uses an A2P-registered sender phone number.
- Caller ID is set to the user-selected outbound number.
- Call recordings respect your account's recording-retention configuration.
- If the recipient says "stop calling me", "take me off your list", "put me on do not call", or similar language that our outcome classifier recognizes, the call is marked DNC and we will not automatically re-call that number from our dialer.
Recommendations
- Implement quiet hours before calling the API. Your CRM likely already knows the recipient's timezone — gate calls to 9 a.m. – 8 p.m. local time as a safety margin.
- Store consent records with durable IDs and pass consentRecordId on every call. When you respond to a complaint, you want to be able to produce the consent record that authorized each specific call in under a minute.
- Maintain your own suppression list. Anyone who asks to stop being called, or requests deletion of their data, or whose consent has lapsed, belongs in your suppression list before they hit our API.
- Review the DNC and NOT_INTERESTED outcomes in your webhook handler and feed them back into your suppression list automatically.
- Keep the call recording on file for at least the applicable statute of limitations (4 years federal, varies by state). Volume Reach retains recordings per your account setting; if you need longer retention, download recordings and archive them yourself.
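An added example (not Volume Reach code) of the tenant-side gate these recommendations describe: suppression check, consent-record check and the 9 a.m. to 8 p.m. local window before a call is triggered, plus webhook feedback into the suppression list. The Recipient type, the function names and the webhook keys outcome and phoneNumber are assumptions; only knownConsent, consentRecordId, DNC and NOT_INTERESTED come from this page.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Optional

# Safety-margin calling window from the recommendations: 9 a.m. - 8 p.m. recipient-local.
WINDOW_START, WINDOW_END = time(9, 0), time(20, 0)
SUPPRESS_OUTCOMES = {"DNC", "NOT_INTERESTED"}  # outcome values named on this page


@dataclass
class Recipient:                       # hypothetical CRM row
    phone: str
    tz: tzinfo                         # production: zoneinfo.ZoneInfo(name) so DST is handled
    consent_record_id: Optional[str]   # durable ID or URI of the stored consent record


def pre_dial_gate(r: Recipient, now_utc: datetime, suppressed: set):
    """Return (allowed, reason, attestation). The attestation dict carries the two
    documented fields and is merged into the call request only when allowed."""
    if r.phone in suppressed:
        return False, "suppressed", None
    if not r.consent_record_id:
        # Never attest knownConsent: true without a record to point at.
        return False, "no_consent_record", None
    local = now_utc.astimezone(r.tz).time()
    if not (WINDOW_START <= local < WINDOW_END):
        return False, "quiet_hours", None
    return True, "ok", {"knownConsent": True, "consentRecordId": r.consent_record_id}


def handle_webhook(event: dict, suppressed: set) -> bool:
    """Add the number to the suppression set on DNC / NOT_INTERESTED outcomes.
    'outcome' and 'phoneNumber' are assumed key names, not documented ones."""
    phone = event.get("phoneNumber")
    if phone and event.get("outcome") in SUPPRESS_OUTCOMES:
        suppressed.add(phone)
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data: fixed UTC-5 offset so the demo runs without a tz database.
    rcpt = Recipient("+15555550100", timezone(timedelta(hours=-5)), "consent/8841")
    blocked: set = set()
    late = datetime(2024, 1, 16, 4, 0, tzinfo=timezone.utc)   # 11 p.m. local
    print(pre_dial_gate(rcpt, late, blocked))
    handle_webhook({"outcome": "DNC", "phoneNumber": rcpt.phone}, blocked)
    print(pre_dial_gate(rcpt, late - timedelta(hours=12), blocked))
```

Because the platform does not enforce any of these checks in the MVP, the gate has to sit in front of every code path that can trigger a call, including retries.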
International notes
- Canada (CASL) — express consent required; implied consent windows are much narrower than the U.S. DNC rules also apply. consentRecordId should link to the CASL-compliant consent form / checkbox timestamp.
- EU / UK (GDPR + PECR) — you need a lawful basis (usually consent or legitimate interest with opt-out). DPAs have fined businesses for unsolicited marketing calls; document consent thoroughly.
- Australia (Do Not Call Register Act) — check the DNCR before calling Australian numbers. Marketing to consumers requires prior consent or recent business relationship.
Volume Reach can dial any number you pass it — you're responsible for verifying the call is legal in the recipient's jurisdiction.
When this will change
When we onboard tenants whose risk profile or volume requires platform-side enforcement, we will add opt-in controls:
- Platform-enforced quiet hours (configurable per-agent).
- Per-number daily attempt caps.
- Pluggable DNC scrubbing (TCPA registry, carrier-level, custom suppression lists).
- A complianceMode field on Voice Agents (PLATFORM_ENFORCED vs TENANT_MANAGED).
These are documented in the spec as deferred features. If your use case requires them, open a support ticket with your volume and timeline — we prioritize based on demand.