June’s regulatory landscape was defined by mounting legal uncertainty, escalating enforcement, and a federal government still sorting out how to govern AI, consent, and robocalls. For compliance teams in contact centers, financial services, and telemarketing, the month brought more open questions than closed ones, and more reasons to keep controls dynamic rather than static.
This is a marketing blog and is not intended, nor should it be interpreted, as legal advice. Please seek legal counsel for full interpretations of all rules and laws outlined in this blog.
Reminders:
| Date | Event |
|---|---|
| June 2 | Comments Due on FCC Proposal on Offshore Call Center Standards |
| June 8 | Comments Due on FCC’s Phone Number Recycling Proposal |
| June 9 | Federal Ban on Reputation Risk as a Basis for Account Closures |
| June 25 | Comments Due on FCC Know-Your-Customer Requirements |
| July 1 | Tennessee SB 2408 Effective Date |
Tennessee HB 2408 Update: TPUC Weighs In on Entity Scope and Consent Exemption
In our May Regulatory Report, we flagged that TN’s HB 2408 leaves “entity” undefined and warned that the ambiguity wasn’t a minor issue for multi-brand organizations. We took that question, along with a request to confirm if prior-express-permission calls fall outside the law’s scope, directly to bill sponsor TN Representative Charlie Baum’s office and a response was provided by the Tennessee Public Utility Commission (TPUC).
Entity scope: still no bright line, but a fair warning.
TPUC confirmed “entity” isn’t separately defined because it’s already captured by the existing definition of “person” under Tenn. Code Ann. § 65-4-401(4), making the word effectively redundant.
Does the volume cap (and other rules) apply enterprise-wide or per brand/business unit?
TPUC pointed to Rule 1220-04-11-.01, which defines “Telephone Solicitor” to include a parent, subsidiary, or affiliate, and separately defines “Affiliate,” “Parent,” and “Subsidiary” based on how much ownership or control one entity has over another.
Read plainly, that framework weakens the case for treating each brand as fully independent: if one brand meets the Parent, Subsidiary, or Affiliate conditions relative to another, the rule treats them as a single “Telephone Solicitor,” pointing toward the cap being counted across affiliated brands together, not separately.
Bottom line for multi-brand organizations: this is a real exposure, not a settled answer. Legal counsel should map your specific brand/ownership structure against Rule 1220-04-11-.01 asap.
Prior express permission: a consent exemption.
TPUC directly confirmed that communications made with a residential subscriber’s prior express permission are excluded from the definition of “Telephone Solicitation” under Rule 1220-04-11-.01.
In practice, that means if consent is properly on file, HB 2408’s volume cap and reporting obligations don’t apply to those communications at all.
This validates the interpretation we shared with Rep. Baum’s office and is good news for organizations with documented consent programs.
As always, verify your own consent records and call flows against the rule’s specific terms before relying on the exemption.
TPUC’s full rule set is available at publications.tnsosfiles.com/rules/1220/1220.htm.
With July 1 nearly here, the consent exemption gives compliant, well-documented programs solid footing – but the enterprise-scope question still needs a legal read against your organization’s specific structure.
The Reassigned Numbers Database Is Now Shaping Litigation Itself
In the Gryphon AI February Regulatory Report, two cases were covered where the Reassigned Numbers Database (RND) moved beyond a compliance best practice into settlement terms: Jackson v. Gen Digital ($10 million, with RND scrubbing mandated to prevent recurrence) and Puckett v. Western Express ($1.25 million, with an RND subscription required for future telemarketing). Both signaled something new: courts and settling parties were beginning to treat RND certification not just as a defensive tool, but as a condition of resolution.
In 2023, Ceteris Portfolio Services settled for $761,850 over 8,465 wrong number calls, an early signal that courts would hold companies accountable for contacts to numbers they believed were consented but had since been reassigned. The Womble Bond Dickinson analysis at the time pointed directly at the RND as the tool that could have prevented it.
The lesson didn’t fully land, but it has been making progress. Lewis v. Register.com received preliminary approval for a $1.5 million settlement, covering 1,652 calls to just 453 numbers, every one confirmed against the RND as disconnected and reassigned before contact was made. Here the RND did something different from Gen Digital and Western Express: it didn’t just appear in the going-forward compliance provisions. It defined the class itself, serving as the evidentiary mechanism that identified every affected number.
Three settlements. Three distinct ways the RND is reshaping litigation. The database is no longer just a safe harbor or data validation tool. It is becoming the evidentiary standard by which wrong number exposure is built, measured, and resolved.
The Race for Federal AI Regulation: Navigating the Legislative Landscape
Three federal proposals are vying to set the terms for AI regulation, and all three share one common aim: displace state-level AI rules with a federal standard. How much to regulate in exchange is where they diverge sharply.
The Great American AI Act (GAAIA), a bipartisan House discussion draft released June 4, 2026 by Reps. Obernolte (R-CA) and Trahan (D-MA), is the most technically focused. It targets frontier AI developers (>$500M revenue), mandates transparency, safety incident reporting, third-party audits (up to $1M/day in penalties), and whistleblower protections. Its preemption is narrow: a 3-year freeze on state laws regulating AI development only. Critically, it explicitly preserves common law product liability claims and leaves state AI deployment rules intact.
The TRUMP AMERICA AI Act (Sen. Blackburn, R), a Republican-only discussion draft from March 2026, casts a far wider net, covering children’s safety, creator rights, Section 230 repeal, and a broad duty-of-care liability framework. It absorbed the AI LEAD Act (Hawley/Durbin), which treats AI as a product subject to negligence and strict liability, as Title VII. Its state preemption is broad, covering both development and deployment.
The National Policy Framework (White House, March 2026) is non-binding and calls for sweeping preemption with minimal regulatory burden. It is a wish list, not a law.
President Trump’s June 2 Executive Order on AI runs on a separate track, covering cybersecurity and national security rather than commercial deployment, liability, or state preemption. It does not move the needle on any of the three proposals above.
None of the legislative proposals are enacted, and this is not the first time Congress has tried. Federal AI preemption has already been rejected twice, stripped from both the One Big Beautiful Bill Act and the National Defense Authorization Act. The GAAIA is considered unlikely to advance before the August recess, with the next realistic window in the 2027 Congress.
In the meantime, state deployment rules not only survive all three proposals, they are accelerating. Colorado’s comprehensive AI Act, the first of its kind in the U.S., takes effect June 30, 2026. AI deployers: take notice.
Brian Johnson Nominated to Lead a CFPB That Barely Resembles the One He Left
The CFPB finally has a permanent director nominee, and the broader picture of where the bureau is headed is coming into focus as well.
On June 10th, President Trump nominated Brian Johnson to lead the CFPB as its permanent director, tapping a familiar face. Johnson served as the bureau’s deputy director during President Trump’s first term and most recently held a senior role at Capital One.
The timing is not incidental: Russell Vought’s tenure as acting director was approaching its legal expiration, and the White House needed a confirmed nominee in place. If confirmed, Johnson would be the first permanent CFPB director since January 2025.
Johnson’s Capitol Hill background and prior CFPB experience make Senate confirmation a more straightforward path than McKernan’s, whose nomination was withdrawn earlier this year.
The nomination drew broad industry support. AFSA welcomed it, citing Johnson’s direct familiarity with the bureau’s rulemaking, supervision, and enforcement functions. The Mortgage Bankers Association also moved quickly to welcome the pick, with MBA President Bob Broeksmit citing Johnson’s deep experience in consumer financial services policy and his prior bureau leadership as grounds for confidence.
What Johnson would inherit is a significantly diminished agency. The CFPB quietly scrubbed roughly 3,800 articles, consumer advisories, supervisory highlights, congressional testimony, and press releases from its website since mid-May, erasing over a decade of public guidance that regulated firms and state regulators had long used as compliance benchmarks. The deleted material includes content from Trump’s own first term.
On the Hill, Senate Banking Democrats have moved to establish a funding floor for the bureau, attempting to lock in minimum operating capacity before the new director is seated.
For financial services and collections operations, the practical reality is that federal oversight is pulling back, and the state-level activity stepping in to replace it varies enough by jurisdiction to create new and increased compliance complexity.
TCPA Consent in Flux: What Telephone Marketers Need to Know Now
The Telephone Consumer Protection Act (TCPA)’s consent framework isn’t just evolving. It’s in a period of genuine legal uncertainty, where years of established Federal Communications Commission (FCC) guidance has been judicially dismantled and no clear replacement standard has yet emerged. Contact centers and sales teams don’t have the luxury of waiting for the courts to sort it out.
The FCC operated for years on a two-track consent regime:
- Informational calls could proceed on presumed consent when a consumer provided their number in a related context.
- Marketing calls required prior express written consent meeting specific requirements.
That framework is cracking.
Following the Supreme Court’s McLaughlin v. McKesson ruling, which removed court deference to FCC orders under the Hobbs Act, the Fifth Circuit and multiple district courts have ruled the FCC’s written consent requirement for marketing calls lacks any basis in the TCPA’s actual text, effectively striking it down.
Telephone and text marketing carries compliance obligations well beyond consent, and each layer carries its own litigation exposure. DNC scrubbing, calling hour restrictions, telemarketer registration, caller identification, and upsell disclosures are all separately enforced at both federal and state levels, and vary enough across jurisdictions to make a single national compliance program difficult to maintain. State laws increasingly require AI disclosures on outbound calls, adding another obligation that many programs haven’t yet addressed.
Back to the Statute
Courts are returning to the statute’s original standard: consent that is “clearly and unmistakably stated.”
What that means in practice remains an open question. Until courts provide clearer definition, real-time GRC guardrails at the point of contact are the most reliable line of defense.
Too Many Unanswered Questions
Courts have not yet addressed whether consent must specify the technology used (autodialer, AI, prerecorded voice), identify the caller, or define the scope and timing of permitted calls.
The definition of “called party” is also unsettled. Three appellate courts require consent from the account subscriber, not merely the phone’s regular user.
States Close the Gap
The FCC’s one-to-one consent rule was vacated by the Eleventh Circuit in January 2025 and never took effect, leaving a gap that states are filling on their own terms.
Maryland, Florida, and others have enacted broader autodialer definitions and AI disclosure requirements that apply regardless of where federal rules land.
Maryland’s Stop the Spam Calls Act, for example, prohibits call and text solicitations made with an “automated system” without prior written consent, a definition broad enough to capture technology the federal ATDS standard would not.
With courts actively rewriting the rules, consent verification and call governance need to be dynamic, not fixed. Real-time GRC controls at the point of contact are the most practical response to a compliance environment this unsettled.
Is a Text a Call? A Growing Court Split Is Putting SMS Compliance at Risk
The question of whether a marketing text message qualifies as a “telephone call” under the TCPA’s Do Not Call provisions is unresolved and is moving up the appellate chain. Unfortunately, the answer is no longer predictable.
As noted in our April Regulatory Report, district courts began splitting on this issue following McLaughlin v. McKesson, which freed judges from deferring to FCC interpretations of the TCPA. At that time, the overall scorecard favored texts-as-calls, roughly 2-to-1.
The courts continue to read the statute’s 1991 text independently, reaching different conclusions, and the split is still sharpening.
Two recent rulings landed against defendants:
- Arizona: An Arizona court let DNC claims proceed over 349 unwanted marketing texts, 146 of which arrived before 8 a.m. The court found the TCPA covers text messages under Ninth Circuit precedent.
- Illinois: An Illinois court reached the same conclusion, allowing a class action against a car dealership to move forward. The court held that DNC protections apply to texts sent to cell phones, not just residential landlines.
The appellate picture is where things get consequential. A Seventh Circuit panel heard oral argument in Steidinger v. Blackstone Medical Services on May 21, 2026, with two of three judges appearing skeptical that Congress intended “telephone call” to cover text messages when the TCPA was enacted in 1991. A decision is expected late summer. If the Seventh Circuit rules against plaintiffs, it creates a direct split with the Ninth Circuit and likely puts the question before the Supreme Court.
Until there is a definitive ruling, treat every marketing text as carrying full DNC exposure. A circuit split does not reduce litigation risk. It increases it.
S.2666 Foreign Robocall Elimination Act: Renewed Momentum Amid a Wave of Foreign Call Rulemaking
S.2666 is positioned for a Senate floor vote after clearing the Commerce Committee unanimously in October 2025, with rare bipartisan support and endorsements from AARP and USTelecom, and landing on the Legislative Calendar on June 1, 2026. It is the most significant anti-robocall legislation since the TRACED Act of 2019.
The bill’s core requirements:
- Interagency task force: FCC, FTC, DOJ, and seven private-sector experts established within 270 days of enactment to analyze the foreign robocall threat and recommend enforcement strategies
- $100,000 bond: required from foreign carriers before registering in the U.S. Robocall Mitigation Database, providing a concrete financial stake in compliance. Notably absent from the original Budd introduction, this requirement was added in the Cruz substitute amendment during committee markup, aligning the bill with the broader wave of foreign-call regulatory activity including the FCC’s Offshore Call Centers NPRM, which proposes a similar bond mechanism for foreign-originating calls
- Traceback consortium stability: Industry Traceback Group designation extended from one to three years, reducing operational uncertainty caused by short reauthorization cycles
- Legal immunity: granted to the Industry Traceback Group for publishing data on suspected illegal callers, removing a long-standing chilling effect on naming bad actors
- DOJ enforcement office: directs study of whether a dedicated robocall prosecution office is needed within the Justice Department
- International cooperation framework: incentives for foreign governments to adopt STIR/SHAKEN call authentication
- Congressional reporting: task force must report to Congress within 360 days of establishment on call volumes, origins, technical effectiveness, and agency resource needs
The bill’s momentum reflects six months of accelerating FCC activity targeting foreign call traffic. The 9th FNPRM on foreign-originated calls and caller identity, the Know Your Customer and Know Your Upstream Provider proceedings, the Non-IP Authentication gap closure, the Numbering Policy NPRM, and the Offshore Call Centers NPRM, which directly echoes S.2666’s foreign carrier bond mechanism, are all running simultaneously. S.2666 provides the legislative scaffolding those rulemakings cannot build alone: international cooperation mandates, dedicated DOJ enforcement infrastructure, and traceback immunity. These tracks are intentionally complementary, and the timing is not coincidental.
The FCC Keeps Swinging the RMD Hammer
The Federal Communications Commission’s (FCC) Robocall Mitigation Database (RMD) started as a certification requirement. It has quietly grown into the FCC’s most consequential enforcement hammer, and providers who treat it as a formality are learning that lesson the hard way.
The progression speaks for itself:
- 1,203 certifications pulled in August 2025
- Provisional reinstatements granted as a one-time courtesy
- 35 providers still non-compliant by March 2026 and facing final cure-or-remove orders
- The FCC explicitly warns that provisional reinstatements should not be expected again
June’s actions are the next chapter in that progression. The RMD is not something to revisit when it’s convenient. It is something to get right the first time.
Two Providers Cited for Illegal Robocall Traffic: RMD Removal on the Table
On June 11, the FCC’s Enforcement Bureau issued notices to two voice service providers, Callsto, LLC and Aspireistic Inc., for originating illegal robocall traffic to Public Safety Answering Points (911 centers) and consumer wireless numbers, with RMD removal on the table for both.
- Callsto, LLC originated 32 illegal calls across three campaigns, including 10 to emergency lines in Kentucky and Georgia, one of which received 8 calls within 24 hours from 8 different numbers, plus 22 Medicare-related scam calls, all traced to India-based customers. This is not Callsto’s first brush with the FCC; the company was named in a 2024 Show Cause Order for prior RMD deficiencies.
- Aspireistic’s 12 traced calls included hits on a Virginia 911 center and Medicare-related calls to wireless numbers, with customers traced to India and Egypt.
- Both companies claimed to have terminated responsible customer accounts, and both continued originating traffic from those same customers afterward.
- The FCC also flagged potential ties between the two companies, suggesting they may be related entities operating under separate RMD filings.
Notably, March 1, 2026 marked the first annual RMD recertification deadline under the FCC’s tightened filing rules, and the June enforcement actions against Callsto, Aspireistic, and SK Teleco suggest the FCC is now working through providers who missed or failed that requirement.
SK Teleco: Removed from RMD
SK Teleco LLC was removed from the RMD on June 12 after repeated failures to respond to traceback requests for Walmart-impersonation robocalls traced to its network. All downstream providers must block SK Teleco traffic within 30 days. The company cannot re-enter the RMD without prior FCC approval, a significant hurdle.
KYUP and RMD: The Filing Bar Just Got Higher
As noted in our May Regulatory Report, the FCC adopted the Know-Your-Upstream-Provider FNPRM on May 20, proposing to replace the existing “reasonable steps” KYUP standard with five mandatory baseline compliance categories. What deserves additional attention is the direct RMD implication: providers would be required to describe their KYUP practices in their RMD filings and maintain supporting records. An already demanding RMD certification just got more demanding.
Call Spoofing: $9.9M Fine, RMD Removal Next?
The Ninth Circuit upheld a $9.9M FCC forfeiture in United States v. Rhodes for spoofed robocall campaigns under the Truth in Caller ID Act (TICIDA), the largest upheld spoofing penalty on record. The ruling confirms courts will back FCC enforcement at scale; with willful misconduct now on record, there’s a strong case for RMD removal.
Covered List and RMD: Proposed Ban on Blanket Authority
On April 30, the FCC voted to launch a proceeding to ban entities on the Covered List from receiving blanket authority under Section 214 to provide domestic interstate telecommunications services, authority that has been automatically granted to most domestic carriers since 1999.
The proposal also seeks comment on revoking existing Section 214 authority for any Covered List entities already operating under it, and whether to prohibit carriers from interconnecting with Covered List entities absent FCC approval. On June 2, the Department of War posted conditional exemptions for certain routers and unmanned aircraft systems. The national security and network access tracks are converging, and the RMD sits squarely in the middle.
The RMD is no longer just a compliance checkbox. It is the FCC’s primary enforcement hammer, and the FCC has made clear it intends to keep swinging.
Texas Telemarketing Registration: The Insurance Exemption Holds
A routine TCPA add-on claim (the allegation that a company made telemarketing calls without a Texas registration certificate) just met a decisive defeat in Texas, and the reasoning extends beyond insurance.
In Sutton v. Senior Life Insurance Co., the Western District of Texas dismissed with prejudice a claim that Senior Life violated Texas Business and Commerce Code § 302.101 by making telephone solicitations without a registration certificate. The statute requires solicitors to register before making telemarketing calls, but it contains multiple exemptions that plaintiffs routinely ignore.
The court’s reasoning:
- Senior Life was a licensed insurer
- The calls concerned life insurance
- The statute expressly exempts licensed insurers when the transaction is governed by the Insurance Code
- The plaintiff’s own allegations established both facts
Sutton is one of the first decisions to reject the registration add-on at the motion to dismiss stage. The claim appears regularly in Texas TCPA template complaints, often without any analysis of whether Chapter 302 actually applies. It does not apply universally. For any business operating in Texas under a regulatory license, the exemption that protected Senior Life may protect others as well, so it should be raised early.
Email Litigation Is Rising, and Washington Is Just the Beginning
Washington’s Commercial Electronic Mail Act (CEMA) has produced over 100 class action lawsuits since the state Supreme Court’s April 2025 ruling in Brown v. Old Navy, holding that any false or misleading email subject line violates the statute, including routine promotional language like “Sale Ends Tonight” when the sale continues.
Prior to that ruling, only eight CEMA lawsuits had ever been filed.
At $500 per email with no requirement to prove actual harm, aggregate exposure from a single campaign can reach into the tens of millions.
Any retailer or consumer-facing business with customers in Washington faces potential exposure, even with no physical presence in the state.
Washington’s legislature responded with HB 2274, effective June 11, 2026, reducing statutory damages to $100 per email and adding a knowledge requirement. The catch: it applies only to lawsuits filed on or after June 11. Plaintiffs raced to file before that date to preserve the higher damages and strict liability standard.
The complaints are also evolving. Beyond false urgency claims, plaintiffs are now challenging discount representations and “free gift” subject lines where conditions appear only in the email body, with courts reaching inconsistent conclusions. A Washington fintech referral program is already facing a putative class action under the same framework. Maryland and California cases are already filed. Indiana, Florida, and others are next.
CEMA may be the template for future email litigation.
New York State of Emergency Issued Through July 18, 2026
Consistent with prior communications, Executive Orders declaring disaster emergencies in the State of New York trigger telemarketing restrictions under the Nuisance Call Act.
The Nuisance Call Act makes it unlawful for any telemarketer to make unsolicited telemarketing sales calls to areas of the state under an emergency declaration.
Executive Order 47.19 declaring a State Disaster Emergency in the State of New York, ordering into active service the New York National Guard to assist authorities in guaranteeing public order (correctional facilities), is in effect through July 18, 2026.
Gryphon AI has extended State of Emergency blocks for New York to July 18, 2026, to ensure compliance with the above Executive Orders.
Contact the Gryphon AI Helpdesk with any questions at 866-366-6822.
July 2026 Holiday Telephone Solicitation Bans
Please be aware of the following U.S. holiday telephone solicitation bans for the month of July 2026:
- On July 3, 2026, Alabama, Louisiana*, Nebraska**, Pennsylvania^, and Utah prohibit unsolicited marketing calls to residents in observance of Independence Day.
- On July 4, 2026, Louisiana and Pennsylvania prohibit unsolicited marketing calls to residents in observance of Independence Day.
- On July 6, 2026, Rhode Island^^ prohibits unsolicited marketing calls to residents in observance of Independence Day.
- On July 24, 2026, Utah prohibits unsolicited sales and marketing calls to residents in observance of Pioneer Day.
Other holidays may be proclaimed by the Governor in each state throughout the year.
For LA, PA, RI: the Independence Day holiday is officially July 4th, but is observed on July 3, or July 6 in 2026, based on the applicable statute.
*Louisiana: If holiday falls on Saturday, the preceding Friday is the holiday when the governing authorities so declare by ordinance.
**Nebraska does not prohibit calls on Sundays or legal holidays; however, it does restrict the use of prerecorded messages between 1pm to 9pm on these days (subject to certain exceptions).
^Pennsylvania: Pursuant to Sections 221 and 709(e.1) of The Administrative Code of 1929. 2026 State holidays.
^^Rhode Island: If holiday falls on a Saturday or Sunday, the following Monday is the holiday.
Please be aware of the following Canadian holiday telephone solicitation bans for the month of July 2026:
- On July 1, 2026, unsolicited sales and marketing calls to residents in all provinces are prohibited in observance of Canada Day.
Gryphon AI has updated its existing service parameters to reflect these solicitation bans. Please contact us with any questions at 866-366-6822.
June 2026 brought a consistent through-line: the rules that contact centers, marketers, and compliance teams have operated under are being rewritten faster than any single tracking effort can capture. From the CFPB’s diminished footprint and unsettled TCPA consent standards, to rising email litigation risk and the RND’s expanding role in defining class membership, the compliance burden is shifting to real-time controls and jurisdiction-by-jurisdiction monitoring. The teams best positioned to navigate this environment are those treating GRC as an active function, not a periodic review.
About Gryphon AI
Staying updated with the latest regulatory changes is crucial for any enterprise aiming to minimize risk and maximize reach.
With Gryphon AI, enterprises can stay ahead of the regulatory curve and efficiently manage all regulatory changes, ensuring seamless compliance and operational excellence.
To learn more about how Gryphon AI can help you manage these updates, reach out to us today.