For years, whether an AI receptionist should say it’s an AI was treated as a UX debate. Some vendors disclosed; many quietly didn’t, on the theory that a bot sounds more impressive when callers mistake it for a person.
That debate is over. In 2026, disclosure became law — and for law firms specifically, the exposure from a non-disclosing bot is no longer hypothetical.
The statutes, plainly
California SB 243 (effective January 1, 2026) requires operators of AI systems that engage users in human-like conversation to clearly disclose that the user is not talking to a human. The teeth: a private right of action with statutory damages of at least $1,000 per violation, plus attorney’s fees. Read that again as a plaintiff’s lawyer: every undisclosed bot conversation with a California consumer is a self-documenting claim, with the transcript as Exhibit A.
California AB 489 prohibits AI from implying it holds professional credentials and requires disclosure when AI communicates in certain professional contexts. The logic extends naturally to legal intake: a bot must never sound like it is the lawyer.
Utah SB 452 requires disclosure when generative AI is used in high-risk consumer interactions — and the statute explicitly includes legal services — at the start of the interaction, and again on request. This one is squarely on point for any firm running AI intake.
The EU AI Act’s Article 50 transparency obligations apply from August 2026 for any EU-facing deployment. Most US plaintiff firms won’t be touched by it, but it confirms the direction of travel: disclosure requirements are converging globally, not receding.
Meanwhile the TCPA still governs the telephony layer. AI-generated voices are treated as “artificial or prerecorded” voices under FCC rulings regardless of how human they sound — which is why inbound-first architectures, where the consumer initiates the call, remain the low-risk foundation for legal intake AI.
Why this lands differently for law firms
Any business with an undisclosed bot has SB 243 exposure. A law firm has three problems the average business doesn’t:
First, professional responsibility sits on top of the statute. ABA guidance treats AI tools as the equivalent of non-lawyer assistants — supervised by, and the responsibility of, the lawyers who deploy them. A bot that misleads callers about its nature is not just a consumer-protection issue; it’s an ethics conversation with your bar.
Second, the duty of confidentiality attaches at intake. Under Model Rule 1.6, a prospective client’s information is protected from the first sentence — before any retainer is signed. Whatever AI touches your intake must be architected for that duty: encryption, access controls, and — critically — AI providers on zero-data-retention tiers so client information never trains anyone’s model.
Third, the unauthorized practice of law is one confident sentence away. An intake agent that gathers facts and books consultations is fine. An agent that tells a caller “you have a strong case” or floats a settlement range has crossed into UPL — and the firm, not the vendor, answers for it.
The compliant design, in five rules
The encouraging news: compliance here is not expensive. It’s architectural. A well-designed intake agent satisfies all of these by construction:
- Disclose in the first sentence. Firm name, AI disclosure, recording disclosure — before anything else, on every call, with no toggle to turn it off. This satisfies SB 243 and Utah SB 452 and, in our experience, costs nothing in conversion: injured callers care that someone answered and helped, not whether the helper has a pulse.
- Stay inbound-first. When the consumer places the call, consent for the conversation is inherent. Outbound automation is a different risk universe under the TCPA; treat missed-call return calls (returning a call the consumer just made) as the defensible boundary.
- Gather and book — never advise. No case evaluations, no value estimates, no “you should.” Anything advice-shaped routes to an attorney. The disclaimer should be verbatim and invariant: “I can’t give legal advice — an attorney will review your information.”
- Handle recording consent as if every state were two-party. Around a dozen states require all-party consent to record. Disclosing recording in the greeting, everywhere, is cheaper than maintaining a map of exceptions.
- Demand zero-data-retention AI in writing. If your vendor can’t produce documentation that caller data is not retained or used for training by the model provider, that’s your answer about the vendor.
The uncomfortable question for your current vendor
If your firm already uses an AI receptionist, an answering bot, or a chat widget, three questions will tell you most of what you need to know:
- Does it disclose it’s an AI in the first sentence — and can you show me the greeting text?
- Which statutes was it designed against, and what changed in the design when SB 243 took effect?
- Can you provide written confirmation of zero-data-retention AI processing?
A vendor who answers all three crisply is doing this properly. A vendor who hesitates has made your firm the compliance experiment.
Disclosure as advantage
Here’s the reframe worth leaving with: for firms, disclosure-by-design is not a burden — it’s a filter. The wave of generic AI vendors who bolted a voice onto a chatbot will spend 2026 retrofitting greetings and hoping their deployed base doesn’t get tested in court. Firms that chose compliant-by-design systems get the opposite experience: their intake AI becomes something they can put in front of their compliance counsel proudly, not something they hope counsel never asks about.
That’s precisely how Sophura’s platform was built — disclosure in the first sentence of every call, inbound-first, fact-gathering only, zero-retention AI, with the statute names ready for your counsel’s questions. The full posture is documented on our Trust & Security page, and we’ll happily walk your compliance counsel through it on an audit call.
This article is industry analysis, not legal advice. Statutes summarized: California SB 243 (2026) and AB 489; Utah SB 452; EU AI Act Article 50 (transparency obligations from August 2026); FCC rulings classifying AI voices under the TCPA. Firms should confirm application to their specific practice with licensed counsel.