EU e-commerce brands ask the same question before testing AI voice calling: is this legal under GDPR? The direct answer: yes, when every call goes to a consenting inbound lead. Outcraft has live clients in Germany - one of the strictest GDPR enforcement jurisdictions in the EU - running AI voice campaigns right now, fully compliant, with zero issues. The framework is not complex: collect consent before calling, disclose that AI may reach them, and keep all data encrypted. Once those rules are in place, nothing goes wrong. The problem most brands face is not the regulation itself - it is not knowing what the rules actually say.
Key takeaways
- GDPR permits AI voice calling when the recipient has consented to receive calls from that company
- The consent requirement is a single plain-language disclosure at sign-up: "We will email, text, and call you" - that is enough
- Article 50 of the EU AI Act requires AI voice systems to disclose their nature at the start of the interaction, unless this is obvious; this takes full effect August 2, 2026
- Outcraft does not allow cold outreach - every call goes to an inbound lead who already expressed interest
- Outcraft runs AI voice campaigns for clients in Germany, the strictest GDPR enforcement market in the EU
- All data is encrypted in Outcraft
- Outcraft is currently completing SOC 2 Type II certification
This post reflects Outcraft's operational model and compliance experience. It is not legal advice - consult qualified EU legal counsel before deploying AI voice calling in your jurisdiction.
What GDPR Actually Requires for AI Voice Calls
GDPR does not prohibit calling customers. It requires a lawful basis for processing their personal data. For marketing calls to EU consumers, consent is the most defensible basis - and the one Outcraft's model is built on.
Two conditions must be met before an AI voice agent calls anyone in the EU:
1. Express consent at sign-up. When a lead fills out a form, creates an account, or opts into a promotion, the company must tell them they will be contacted by email, text, and phone. No legal jargon is needed. A plain statement covering all three channels is all it takes. Will Nauseda, CEO at Outcraft AI, describes it this way: "They have to make sure that they are letting them know that we will be emailing, texting, and calling them. And that's the most important thing. Once you do that, then everything is good."
2. Timestamped consent records. GDPR requires companies to demonstrate consent was collected. This means a CRM record with a timestamp, the source of the opt-in, and the exact language used. A checkbox removed from a form three months ago does not count.
That is the GDPR bar for voice calling. Outcraft enforces both conditions structurally - no client can run a call campaign to leads who have not cleared these steps.
GDPR also governs what happens to data after the call. Call recordings must be stored securely, kept only as long as legally necessary, and deleted on request. Outcraft handles retention and deletion at the infrastructure level.
The EU AI Act and AI Voice Calls in 2026
The EU Artificial Intelligence Act (Regulation 2024/1689) entered into force on August 1, 2024. The transparency obligations most relevant to AI voice agents take full effect on August 2, 2026.
The key provision for e-commerce calling is Article 50: AI voice systems must inform users they are interacting with an AI at the start of the interaction, unless this is obvious. Outcraft's agents meet this by default - and in practice the disclosure rarely disrupts calls, because as Will Nauseda puts it: "people forget it's AI by the end of the call."
The EU AI Act also expects companies deploying AI in customer-facing roles to maintain basic guardrails. Outcraft's agents are blocked from:
- Asking for sensitive personal data (health status, age, financial account details)
- Making claims about the customer or the product that the AI cannot verify
- Processing data categories that fall under GDPR Article 9 special protections
These restrictions are built into the system, not left to client configuration.
Why "No Cold Outreach" Is a Feature, Not a Limitation
Every voice AI provider talks about compliance. Outcraft enforces it structurally: cold outreach is not possible on the system. Every call must go to someone who already expressed interest and consented to contact from that specific company.
This sounds like a constraint. It is the reason results are strong.
When an AI agent calls someone who raised their hand - filled a checkout form, started a free trial, registered for a webinar - the call starts with real intent behind it. That person was expecting to hear from the brand. Complaint rates are near zero. Engagement rates are high.
The no-cold-outreach rule also makes GDPR compliance the default, not a setting. There is no configuration path that allows a client to accidentally run a campaign to unconsented leads. The system architecture prevents it.
The Consent Checklist: What EU E-Commerce Brands Must Do Before Going Live
The legal complexity that scares most brands turns out to be 4-5 operational decisions. Here is the full pre-launch checklist:
| Step | What to do | Who handles it |
|---|---|---|
| 1. Consent language | Add plain disclosure to all opt-in forms: "We will email, text, and call you about your order/interest" | Brand (marketing/legal team) |
| 2. Consent records | Ensure CRM records timestamp, source, and consent language version for every lead | Brand (CRM setup) + Outcraft integration |
| 3. Data Processing Agreement | Sign Outcraft's DPA before any lead data flows to the system | Outcraft provides; brand signs |
| 4. Privacy policy update | Reference AI calling in your privacy policy, including data retention periods | Brand (legal team) |
| 5. AI disclosure readiness | Agents disclose AI nature at the start of each interaction, unless context makes it obvious (EU AI Act Article 50) | Outcraft default - no action required |
| 6. Opt-out mechanism | Give leads a clear way to remove themselves from the call list | Brand workflow + Outcraft suppression list |
Outcraft handles steps 3 and 5. Steps 1, 2, 4, and 6 require action from the brand before the first call goes out.
Outcraft's Compliance Infrastructure
Outcraft is built for EU deployment. Here is what is in place on the system side:
Legal coverage. Outcraft has legal counsel in Lithuania (EU) and in the United States, covering GDPR, TCPA (US Telephone Consumer Protection Act), and CAN-SPAM (US email anti-spam law) under a single commercial relationship. Both EU and US regulations are addressed.
Data processing documentation. Outcraft provides a Data Processing Agreement, Terms of Service, and Privacy Policy. The DPA defines the data controller / data processor relationship required under GDPR Article 28 for any vendor handling personal data on a company's behalf.
Encryption. All data is encrypted in Outcraft.
SOC 2. Outcraft is currently in the SOC 2 Type II approval process. SOC 2 is increasingly requested by EU enterprise buyers as evidence of security program maturity alongside GDPR documentation.
AI guardrails. The AI is blocked from requesting sensitive personal information or making claims it cannot verify. These guardrails are enforced at the system level.
EU AI Act. The transparency obligation under Article 50 is met by default.
Germany as a Proof Point
Germany has the most active GDPR enforcement culture in the EU. German data protection authorities (Datenschutzbehörden) issue fines more consistently than most other national regulators, and German consumers are among the most likely to file formal complaints. If AI voice calling operates without issues in Germany, it works everywhere in the EU.
Outcraft has live clients in Germany running AI voice campaigns today. Those campaigns follow the same consent model: inbound leads who opted in at the time of contact, clear disclosure language at sign-up, all data processed on EU infrastructure. The result is zero compliance issues.
"We do have clients in Germany that are all compliant and everything is great there," says Nauseda. "It's just a matter of following the rules, following the documents, investing in good lawyers that are giving you good advice, and then having tech people and clients educated on what needs to be done. And then there are zero problems."
US Companies Expanding to Europe: What to Change
US e-commerce brands entering the EU market consistently underestimate GDPR enforcement, especially in Germany, France, and the Netherlands. Here is what changes compared to a standard US outreach setup:
Consent standard. Under TCPA, consent to call can be bundled into terms of service. Under GDPR, consent must be specific, informed, freely given, and separately indicated. A checkbox buried in a 40-page document is not valid GDPR consent for calling.
No cold lists. Calling purchased lists is common practice in the US when TCPA rules are followed. Under GDPR, calling anyone without specific prior consent is prohibited. Outcraft's inbound-only model already meets EU standards, but US brands must remove cold outreach entirely before using AI calling in Europe.
Data residency. US-hosted customer data accessible to US staff may trigger concerns under EU-US data transfer rules. Outcraft's infrastructure keeps EU call data within EU borders. Standard Contractual Clauses govern any remaining cross-border transfers where needed.
Documentation. EU regulators expect to see a signed DPA, an updated privacy policy, and consent records. The documentation requirement is higher than most US D2C brands are used to. Outcraft provides the DPA; the brand handles the rest.
The right move for US brands is one good legal review of their consent language before the first EU call goes out. After that, the process is the same as the US setup - just with a cleaner consent record behind it.
GDPR compliance for AI voice calling is a solvable problem, not a blocker. The rules are clear, and companies following the consent-first model are already live in Germany. Outcraft's compliance setup covers legal counsel in both the EU and US, a signed DPA, encrypted data, and an inbound-only calling policy. To see how this works for your business, talk to our team at outcraft.ai.
FAQ
Is AI voice calling GDPR compliant?
AI voice calling is GDPR compliant when the call recipient has given prior, specific consent to be contacted by phone. GDPR requires a lawful basis for processing personal data, and consent is the most direct basis for marketing calls to EU consumers. Calls to inbound leads who opted in and agreed to be contacted by email, text, and phone meet this standard. Cold calls to people who did not request contact do not.
What does a company need to do to use AI calling in the EU?
Three things before the first call goes out: (1) add clear disclosure language to every opt-in form stating the company will call, text, and email the lead; (2) ensure the CRM records that consent with a timestamp and source; (3) sign a Data Processing Agreement with the AI calling vendor. Outcraft provides the DPA as standard. EU AI Act Article 50 requires AI agents to disclose their nature at the start of the interaction - Outcraft's agents handle this by default.
Does the EU AI Act affect AI voice agents for e-commerce?
Yes. The EU AI Act's transparency obligations (Article 50) take full effect on August 2, 2026. Article 50 requires AI voice systems to inform users they are interacting with an AI at the start of the interaction, unless this is obvious. Outcraft's agents meet this requirement by default.
Is Outcraft GDPR compliant for EU e-commerce?
Yes. Outcraft has legal counsel in Lithuania (EU), provides a GDPR-required Data Processing Agreement, all data is encrypted in Outcraft, and enforces an inbound-only calling policy that blocks cold outreach. Outcraft is currently completing SOC 2 Type II certification.
Can I use AI to call customers in Germany?
Yes. Outcraft has live clients in Germany running AI voice campaigns with no compliance issues. Germany has the strictest GDPR enforcement culture in the EU. The model that works there: inbound leads only, plain-language opt-in consent at the point of lead capture, AI disclosure at the start of the interaction, and all data processed on EU infrastructure. Follow those rules and there are no problems.
Last reviewed: 2026-07-07. EU AI Act Article 50 transparency obligations take full effect August 2, 2026. This post will be updated following any enforcement guidance issued after that date.
Outcraft AI develops autonomous revenue agents that convert, retain and grow customers across voice, SMS, email and messaging.
Summarize with AI