AI Cold Calling Compliance EU 2026: ePrivacy, GDPR, AI Act Disclosure Guide
Last updated: May 2026 · Category: Compliance · Author: Knowlee Team
Conflict of interest disclosure. Knowlee publishes this on its own domain and operates Knowlee 4Sales. Knowlee 4Sales does not currently operate a native AI voice dialer; this article reviews the compliance landscape for AI voice outbound including third-party vendors. We score each vendor where data is available and note where information is not disclosed.
AI voice agents — systems that initiate, conduct, or partially conduct outbound sales calls with minimal human involvement — are entering sales stacks in 2026. The technology has matured enough that vendors including Aircall AI, Salesloft Dialer with AI assist, and specialist AI voice platforms can hold structured qualification conversations without a human SDR on the line per call.
The compliance picture for AI voice outbound is materially more complex than for AI email outbound. Three separate regulatory instruments apply: the ePrivacy Directive (2002/58/EC) for the act of making the call; GDPR (2016/679) for processing the personal data involved in and produced by the call; and the EU AI Act (2024/1689) for the disclosure requirement when the caller is an AI system. And unlike email, where one set of rules applies across the EU with minor national variation, the ePrivacy transposition for voice calls differs significantly by member state — Germany and France have strict opt-in requirements for B2B; Ireland and the Netherlands are more permissive.
This article is structured for legal, compliance, and revenue operations teams who need to make a go/no-go decision on AI voice outbound for EU markets. It maps the three regulatory instruments, explains the country-level variation that will determine whether AI cold calling is viable in each target market, covers GDPR obligations specific to call recording, and scores vendor compliance tooling.
For the parallel email compliance guide, see /blog/eu-ai-act-cold-outbound-2026 and /blog/gdpr-compliant-cold-email-2026. For the AI SDR category context, see /glossary/ai-sdr.
Regulatory instrument 1: ePrivacy Directive Article 13 — the right to make the call
The ePrivacy Directive (2002/58/EC, EUR-Lex) Article 13 governs unsolicited communications for direct marketing purposes via electronic communications — which includes voice calls. Article 13(3) specifically addresses automated calling systems and fax: it requires prior consent of the subscriber for automated calls.
The critical distinction for AI voice outbound: an automated calling system under Article 13(3) is a system that initiates calls without human involvement. A human SDR using an AI-assisted script or an AI that supports the conversation once connected is different from an AI that autonomously dials and conducts the call. The legal treatment depends on whether the call initiation and conduct are automated or human-led.
The B2B carve-out: Article 13(5) of the ePrivacy Directive allows member states to provide exemptions for legal persons — companies, not individuals — permitting unsolicited marketing calls to business subscribers under national law. Most EU member states implement this exemption for B2B voice outbound. However, the exemption applies to the subscriber (the company), not necessarily the individual receiving the call. Calling a mobile number that belongs to an individual professional — which is the common target in modern B2B outbound — may be subject to the consumer protections even if the call is business-related.
Country-level variation: where AI cold calling is viable in 2026
This is the most operationally significant section of this guide. The ePrivacy Directive is transposed differently in each member state, and the variations are significant enough to determine whether AI cold calling is legally viable in a given market.
Germany — strict opt-in, high enforcement risk.
Germany's telecommunications marketing framework (§ 7 UWG — Unfair Competition Act, and the Telekommunikation-Telemedien-Datenschutz-Gesetz) takes the strictest position in the EU on unsolicited outbound calls. Cold calling for commercial purposes to individuals requires prior consent. For B2B targets, there is a qualified exception for calls that are demonstrably relevant to the recipient's professional activities, but enforcement by the Bundesnetzagentur (Federal Network Agency) and by competitors using injunction proceedings has been aggressive. Adding an AI voice agent to the call — without disclosure that the caller is an AI — creates additional exposure under both the UWG (unfair commercial practice) and, from August 2026, EU AI Act Article 50.
Verdict for Germany: AI cold calling to individual mobile numbers without prior consent is high-risk. Calls to company landlines in a clearly B2B context are lower risk but not exempt from the UWG. AI disclosure is required. Legal counsel is strongly recommended before any AI cold calling program targeting German contacts.
France — moderate, with clear disclosure requirements.
France's ePrivacy transposition (Loi Informatique et Libertés + Arcep guidance) permits B2B outbound calls to professional numbers under legitimate interest, but the CNIL has issued clear guidance that cold callers must identify the caller, the commercial purpose, and — for AI systems — the automated nature of the call. France's national "Bloctel" opt-out register must be checked before calling consumer numbers; B2B contacts on business numbers are generally not subject to Bloctel but are subject to the GDPR legitimate interest framework and AI Act disclosure requirements.
Verdict for France: AI cold calling to professional numbers is viable with proper identification and disclosure. The AI disclosure obligation (see AI Act Article 50 below) is non-negotiable. Bloctel compliance is required for any calls that might reach a consumer number.
Italy — data protection authority scrutiny of automated calls.
Italy's Garante (data protection authority) has been active in enforcement against unsolicited automated marketing calls. The Garante's position on AI-assisted calling is that the automated nature must be disclosed at the outset. Italy requires registration with the Registro delle Opposizioni (opposition register) for any outbound call to Italian mobile and fixed numbers; B2B exemptions are limited and require that the calling party can demonstrate a genuine, pre-existing business relationship or a documented legitimate interest basis.
Verdict for Italy: AI cold calling without prior relationship is high-risk. Registro delle Opposizioni compliance is mandatory. AI disclosure at call outset is required.
Spain — AEPD focus on consent for marketing calls.
Spain's AEPD (Agencia Española de Protección de Datos) has issued guidance that marketing calls to individuals require consent under LOPDGDD, and that B2B exemptions apply only where there is a genuine business relationship. The AEPD has fined companies for automated marketing calls without proper consent. For AI voice outbound, the AEPD's interpretation of "automated" likely includes AI-conducted calls even where a human initiated the connection.
Verdict for Spain: AI cold calling to new contacts without prior consent is high-risk. Warm lead calling with AI assistance (human initiates, AI supports) is lower risk but still requires disclosure.
Ireland — most permissive B2B environment in the EU.
Ireland's Data Protection Commission (DPC) has issued guidance that B2B cold calling to professional numbers under legitimate interest is permissible where the caller can demonstrate relevance to the recipient's professional activity. Ireland does not have a national TPS (Telephone Preference Service) equivalent for B2B numbers. The DPC's one-stop-shop competence for many large tech companies has made Ireland familiar with nuanced data processing questions, and its guidance on legitimate interest for B2B outreach is the most permissive in the EU.
Verdict for Ireland: AI cold calling to professional numbers is viable with proper identification, legitimate interest basis, and AI disclosure. The most accessible EU market for AI voice outbound pilots.
Netherlands — balanced, Autoriteit Persoonsgegevens guidance.
The Dutch AP (Autoriteit Persoonsgegevens) permits B2B cold calling under legitimate interest where the call is relevant to the recipient's professional role. The AP requires opt-out management and discourages high-volume automated calls to personal mobile numbers even in a B2B context.
Verdict for Netherlands: AI cold calling to professional landlines and verified business contacts is viable with disclosure and opt-out. High-volume AI dialing to mobile numbers is higher risk.
Regulatory instrument 2: GDPR obligations specific to call recording
Cold calls by AI voice agents involve recording and processing of voice data, which is personal data under GDPR (Regulation 2016/679, EUR-Lex). The GDPR obligations for call recording are specific and frequently mishandled:
Lawful basis for recording. Recording a call requires a lawful basis under Article 6 GDPR. For B2B sales calls, legitimate interest (Article 6(1)(f)) is the most common basis. The recording must be necessary for the legitimate purpose (quality control, legal documentation, training), and the contact's rights must not override that interest. Routine recording of all calls without a purpose-specific assessment does not automatically pass the legitimate interest test.
Transparency at the start of the call. Article 13 GDPR requires transparency about data processing at the point of collection. For call recording, this means informing the contact at the start of the call that the call is being recorded, the purpose of recording, and how long the recording will be retained. "This call may be recorded for quality and training purposes" is the minimum; naming the data controller and providing a way to exercise data subject rights (access, erasure) is better compliance practice.
Retention limits. GDPR's storage limitation principle (Article 5(1)(e)) requires that recordings are not kept longer than necessary for the stated purpose. Quality control recordings: 3–6 months is commonly defensible. Legal dispute documentation: retention for the duration of the relevant limitation period. Indefinite retention of all sales call recordings is not compliant.
Special category data exposure. Voice recordings may inadvertently capture information about health, religion, political views, or other special categories of data (Article 9 GDPR) if the contact mentions such information in the call. AI voice agents that transcribe and analyse call content must be designed to detect and appropriately handle potential special-category content — either by not retaining it or by ensuring a higher level of protection.
Regulatory instrument 3: EU AI Act Article 50 — disclosure that you are talking to an AI
This is the provision that most directly distinguishes AI voice outbound from human voice outbound under EU law from August 2026.
EU AI Act (Regulation 2024/1689, EUR-Lex) Article 50(1) requires that deployers of AI systems that interact with natural persons ensure those persons are informed that they are interacting with an AI system — "in a clear and distinguishable manner" — at the beginning of the interaction, unless the AI nature is "obvious from the context."
For AI voice outbound, this is a hard obligation. A contact receiving a call from what sounds like a human voice but is actually an AI system must be told they are speaking to an AI before the call proceeds to substance. The disclosure cannot be buried at the end of the call, cannot be in fine print on a website, and cannot be waived by the contact's failure to ask.
The "obvious from context" exemption does not apply to AI voice agents that are designed to sound human. An AI dialer that introduces itself as "Hi, this is Sarah from Company X" without disclosing its AI nature is violating Article 50 from August 2026, regardless of how natural-sounding the voice is. The exemption applies to contexts like AI chatbots on websites clearly labelled as automated, or to calls that are obviously automated (robocall-style voice recordings) — not to conversational AI designed to simulate human interaction.
Practical implementation of Article 50 for voice outbound:
- The AI must identify itself as an AI at the start of the call: "Hi, this is an AI calling on behalf of [Company Name]."
- The identification must be in a clear, distinguishable manner — not mumbled, not in fast legal disclaimer style.
- The deployer (the company running the AI dialer, not the platform vendor) is responsible for compliance.
- A record that the disclosure was made (ideally a call log with timestamp of disclosure) should be maintained as part of the audit trail.
The disclosure requirement is likely to reduce response rates for AI cold calls — many contacts will hang up when told they are speaking to an AI. This is a design constraint that outbound teams must accept and plan for, not a compliance requirement to work around.
Vendor scorecard: AI dialer compliance tooling
| Requirement | Aircall AI | Salesloft AI Dialer | Convin.ai | JustCall AI | Knowlee 4Sales* |
|---|---|---|---|---|---|
| Art. 50 AI disclosure capability (configurable opening) | Partial | Partial | Partial | Partial | N/A (no native AI dialer) |
| GDPR call recording consent notice | Partial | Partial | Native | Partial | N/A |
| Country-level B2B opt-out registry integration | Buyer-responsible | Buyer-responsible | Buyer-responsible | Buyer-responsible | N/A |
| Retention policy controls (auto-delete) | Partial | Partial | Partial | Partial | N/A |
| Per-call audit trail | Partial | Native | Native | Partial | N/A |
*Knowlee 4Sales does not currently operate a native AI voice dialer. For AI voice outbound, Knowlee customers use third-party dialer integrations. Knowlee 4Sales provides the governance layer (job-registry audit trail, human-oversight approval) that wraps third-party AI dialer calls as managed jobs.
Notes: No vendor in the current market provides fully native EU compliance tooling for AI cold calling — specifically, Article 50 disclosure configuration, per-call disclosure logging, and country-level opt-out registry integration in a single platform. Buyers must assemble these components across platform capability and external process.
Compliance checklist for AI voice outbound to EU contacts
Before deploying AI cold calling to any EU market:
Map the target territories against the country matrix above. Germany and Italy are high-risk without prior consent. Ireland and Netherlands are lower risk for B2B professional numbers. France and Spain are in between.
Configure the Article 50 disclosure opening. The AI must state it is an AI at the start of every call to an EU contact. Test the disclosure with native speakers of the target market language. Log that the disclosure was made per call.
Set up the GDPR recording consent notice. Every recorded call to an EU contact must include an in-call notice that the call is being recorded, the purpose, and the retention period.
Define and enforce call recording retention limits. Configure auto-delete policies. Retention beyond 6 months for routine quality control is difficult to justify under GDPR's storage limitation principle.
Check national opt-out registries. Italy (Registro delle Opposizioni), France (Bloctel for consumer numbers), and Germany (TPS equivalents) have mandatory opt-out registry checks before calling. Automate the check as part of the dialing workflow.
Document the legitimate interest assessment for each campaign territory. Include in the LIA: the automated nature of the call, the AI system involved, the disclosure procedure, and the relevance test for the target ICP.
Establish an override and opt-out procedure for voice. A contact who says "remove me from your list" during an AI call must be suppressed immediately from all future AI calls. The suppression must propagate to human-led follow-up sequences as well.
Use /tools/ai-act-compliance-scorer to assess your voice outbound stack against the AI Act requirements and /tools/gdpr-cold-email-checker for the GDPR data processing layer (applicable to voice as well as email).
Frequently asked questions
Is AI cold calling to EU contacts legal in 2026? It depends on the member state and the implementation. AI cold calling to professional business numbers under a documented legitimate interest basis is legally viable in Ireland, the Netherlands, and France with proper disclosure. It is high-risk in Germany and Italy without prior consent or an established business relationship. The EU AI Act Article 50 disclosure requirement — that the contact is informed they are speaking to an AI — applies across all member states from August 2026.
What exactly must the AI say to comply with Article 50? Article 50 requires disclosure "in a clear and distinguishable manner" that the person is interacting with an AI. The minimum compliant opening: "Hi, I'm an AI assistant calling on behalf of [Company Name]. Is this [Contact Name]?" The disclosure must be the first substantive statement of the call, not buried in a later part of the conversation. The deployer (your company) is responsible for this disclosure, not the platform vendor.
Does call recording require consent from the contact? GDPR does not require explicit consent for call recording in all cases — legitimate interest is a valid lawful basis for recording B2B sales calls for quality control purposes. However, transparency at the point of recording (informing the contact the call is recorded) is required under Article 13 GDPR regardless of the lawful basis. Some member states (Germany, France) have telecommunications laws that impose additional requirements beyond GDPR for recording consent. Check local law for each market.
How long can we retain AI call recordings? GDPR's storage limitation principle (Article 5(1)(e)) requires retention no longer than necessary for the stated purpose. For quality control: 3–6 months is commonly defensible. For legal dispute documentation: the applicable statutory limitation period (varies by member state; typically 3–5 years for contract disputes). Indefinite retention of all AI call recordings without a purpose-specific retention assessment is not compliant.
Can AI voice agents handle objections and continue calls after the contact says they are not interested? An AI voice agent that continues a sales call after a contact has clearly indicated they want to end the call is creating GDPR and ePrivacy exposure — the contact's opt-out right is being ignored. The AI must be configured to recognise clear objections or refusals and to end the call gracefully, logging the opt-out. An AI that argues past a refusal or ignores "please take me off your list" is both bad practice and non-compliant.
Related reading
- EU AI Act cold outbound 2026 — the full AI Act compliance guide for outbound, including email.
- GDPR compliant cold email 2026 — the data protection framework for outbound more broadly.
- AI SDR vs human SDR 2026 — the channel coverage dimension of the AI SDR comparison.
- Agentic AI for sales teams 2026 — the operating model for multi-channel AI outbound.
- Agentic AI governance 2026 — governance requirements for AI systems in production.
- Best sales engagement platforms 2026 — vendor landscape including dialer-integrated platforms.
- AI SDR glossary — AI SDR category definition.
- AI Act glossary — EU AI Act key provisions.
- GDPR and AI glossary — GDPR + AI interaction overview.
- Multi-channel outreach glossary — voice as part of a multi-channel strategy.
- 4Sales vs Handhold — comparison including voice channel coverage.
- 4Sales vs Amplemarket — EU compliance comparison.
- AI Act compliance scorer — score your voice outbound stack.
- GDPR cold email checker — GDPR data processing validation.