The STIR/SHAKEN framework was deliberately designed as a federal system. Voice traffic is inherently interstate and often international — authentication decisions are made before a call's routing path is fully known, and well before any determination of state boundaries is possible. Congress directed the FCC to govern caller ID authentication on a uniform, nationwide basis precisely because a patchwork of state-by-state rules would be technically unworkable.
That framework is now under pressure. In the 2026 legislative sessions, Virginia, Florida, and Missouri have each introduced bills that impose their own caller ID authentication obligations — obligations that in several respects go beyond, and in some cases conflict with, the federal regime. For wholesale voice operators and their carrier customers, understanding what these bills require and what the compliance implications are is increasingly urgent.
Why states are moving into this space
The multistate Attorneys General robocall task force has been the driving force behind this legislative activity. The task force has prioritised caller ID spoofing, traceback obligations, and provider-level duties, and has increasingly used both enforcement and legislation to assert parallel authority over the authentication layer. The three bills introduced in 2026 reflect a coordinated approach, with similar structures and enforcement mechanisms that suggest a common playbook across state AGs.
The stated rationale is consumer protection — combating spoofed robocalls that the federal framework has not eliminated. The practical effect, however, is to impose additional compliance obligations on every provider that originates, carries, routes, or terminates calls involving consumers in those states — which, for any operator with meaningful US traffic volumes, means almost everyone.
Virginia
Virginia's bill imposes an affirmative duty of care on any provider in the call chain — originating, intermediate, or terminating — to take "reasonable and effective measures" to prevent unlawful calls. This duty extends to violations of state and federal robocall, spoofing, and solicitation laws.
The bill requires implementation of STIR/SHAKEN authentication in all IP network segments under the provider's control, and "functionally equivalent" authentication in non-IP segments to the extent technically feasible. Critically, this requirement does not track the federal exemption for providers who lack control of the necessary network infrastructure — the exemption that allows resellers and intermediaries to rely on their upstream carrier's STIR/SHAKEN implementation rather than deploying their own.
Virginia's bill also imposes three-year record retention obligations for attestation decisions, call detail records, traceback communications, and mitigation actions. And it treats any violation as a "prohibited practice" under the Virginia Consumer Protection Act, with joint and several liability across all providers in the call chain and no safe harbour for federal law compliance.
That last point is significant. A provider that is fully compliant with FCC rules — including all robocall mitigation requirements — would have no safe harbour under the Virginia bill if a call involving a Virginia consumer was found to violate the state's broader definition of an "unlawful call."
Florida
Florida's bills (SB 1516 and HB 1299) take a different approach. They prohibit any person or entity from causing a caller ID service to transmit misleading or inaccurate caller ID information with intent to defraud, cause harm, or wrongfully obtain value — similar to existing federal law. But they go further by requiring telecommunications companies to provide the telephone number and location from which each telephone call originates, and to block all calls containing "manipulated" caller ID information that does not match that number or location.
The blocking mandate is the operationally significant provision. It does not clearly distinguish between intentional spoofing — the behaviour it is ostensibly targeting — and legitimate business practices that display different callback numbers. Multi-location businesses that present a single customer service number regardless of where the caller is physically located, and contact centres that present local numbers for offshore-originated calls, could both fall within the scope of a "manipulated" caller ID under a broad reading of the bill.
If enacted, Florida's law would take effect October 1, 2026 — a short implementation window. Florida's consumer litigation environment also creates indirect exposure even without an express private right of action: plaintiffs' counsel may attempt to recast alleged violations as unfair or deceptive conduct under the Florida Deceptive and Unfair Trade Practices Act.
It is worth noting that Florida's earlier Caller ID Anti-Spoofing Act, passed in 2008, was struck down by a federal court as a violation of the Commerce Clause of the US Constitution, on the grounds that it impermissibly burdened interstate commerce. The 2026 bills may face similar constitutional challenges if enacted.
Missouri
Missouri's bill follows a similar pattern to Virginia and Florida — imposing provider-level STIR/SHAKEN obligations, expanding the definition of prohibited spoofing, and empowering the state AG to enforce requirements that overlap with federal obligations. Like the Virginia bill, it does not provide a safe harbour for federal compliance.
The structural problem for wholesale operators
The core difficulty these bills create for wholesale operators is the joint and several liability structure. A wholesale carrier that provides SIP trunking to a reseller, who in turn provides calling services to a contact centre, who places calls to consumers in Virginia or Florida, could find itself in the liability chain for calls it had no direct role in originating or controlling the content of.
The Virginia bill's removal of the federal reseller exemption is particularly significant. Under federal rules, a pure reseller — a provider that purchases voice services and resells them without controlling the underlying network — is not required to implement its own STIR/SHAKEN capability. Under the Virginia bill, that exemption disappears. Every provider in the chain, regardless of their role, is subject to the duty of care obligation.
This creates pressure to move further up the compliance chain than federal law requires — to implement attestation at the provider level rather than relying on upstream carriers, and to maintain more detailed records of authentication decisions and traceback responses than the FCC currently mandates.
What to watch
The FCC's pending caller ID verification proceeding is the most important development to monitor. The Commission has the opportunity to confirm that its STIR/SHAKEN rules occupy the field for interstate and IP-based authentication, and to preempt state laws that impose conflicting or duplicative obligations. Several industry participants have urged exactly this in comments to the proceeding. Whether the Commission acts — and how — will determine whether state-level STIR/SHAKEN obligations become a permanent compliance feature or a temporary legislative experiment that falls to preemption.
In the meantime, operators with significant US traffic volumes should be reviewing their call chain documentation, their attestation level records, and their contractual arrangements with downstream customers in light of the potential for state-level enforcement activity that operates outside the federal safe harbour framework.
This article is for informational purposes and does not constitute legal or regulatory advice. Requirements change over time. Consult a qualified telecommunications lawyer for advice specific to your situation.