Last updated 2026-07-09

TL;DR
American telemarketing runs on three rulebooks: the TCPA (47 U.S.C. § 227), the FTC's Telemarketing Sales Rule, and the National Do Not Call Registry. Illegal calls and texts cost $500 to $1,500 each. Get written consent before autodialing, honor opt-outs within 30 days, call only between 8 a.m. and 9 p.m. local time, and identify yourself in the first breath.
What federal laws govern American telemarketing?
Two federal frameworks do most of the work. They come from different agencies, and that split confuses a lot of teams.
The Telephone Consumer Protection Act (TCPA), codified at 47 U.S.C. § 227, is the big one. Congress passed it in 1991 and the FCC runs it. It restricts autodialed calls, prerecorded voice messages, and texts to cell phones. The statute makes it unlawful to make calls "using any automatic telephone dialing system or an artificial or prerecorded voice" to a cell phone without the called party's prior express consent [1]. That single phrase has been litigated thousands of times. The definition of an "automatic telephone dialing system" (ATDS) is still contested after the Supreme Court's 2021 ruling in Facebook v. Duguid.
The FTC's Telemarketing Sales Rule (TSR), at 16 C.F.R. Part 310, covers deceptive and abusive telemarketing in sales calls. It forces sellers to make specific disclosures, bans misrepresentation, sets calling hours, and (with the FCC) created the National Do Not Call Registry. The TSR covers interstate commercial calls. Banks and airlines get partial carve-outs. Most outbound sales teams are fully covered [2].
The two frameworks overlap on the DNC Registry, so you comply with both at once. The FCC also issues orders that add to the statute. A 2023 FCC ruling tightened "one-to-one consent" so a single opt-in checkbox can no longer cover an unlimited list of sellers [3].
State attorneys general can enforce the TCPA on their own, and many states stack their own laws on top. More on those below.
What is the National Do Not Call Registry and who has to follow it?
The National Do Not Call Registry launched in 2003 under a joint FTC-FCC rulemaking. Consumers register their residential and cell numbers for free at donotcall.gov [4]. Once a number has sat on the registry for 31 days, telemarketers generally cannot call it.
Who has to follow it: any person or entity placing telephone solicitations to residential numbers in the U.S. B2C outbound sales is squarely in scope. Debt collection calls fall under separate FDCPA rules, but commercial sellers get no pass.
The exemptions are real but narrow. You can call a DNC-listed number if the consumer gave you prior express written consent, if you have an existing business relationship (EBR), or if the call comes from a tax-exempt nonprofit. The EBR window is 18 months from the last purchase and 3 months from the last inquiry [2].
Scrub your call lists against the registry before you dial. The FTC sells access to the registry data for a fee that scales by how many area codes you need. Access to the full national database costs $17,676 per year as of 2024 [4]. Many teams push the scrub onto a dialer or data vendor, but the legal obligation stays with you.
Do not confuse the national registry with your internal DNC list. The TCPA requires you to keep your own company-specific DNC list and honor opt-out requests within 30 days. Someone can opt out of your calls even when their number is nowhere near the national registry.
For a closer look at how cold calling fits these registry rules, including which call types are genuinely exempt, read that breakdown before you build your dialing workflow.
What are the TCPA consent rules for calls and texts?
TCPA consent comes in three tiers. Using the wrong tier for the wrong call type is how most small teams get sued.
Prior express consent (informational calls): covers non-marketing autodialed or prerecorded calls to cell phones. Appointment reminders. Shipping updates. Bank fraud alerts. The FCC has said this consent can be established simply by giving your number in connection with a transaction [3].
Prior express written consent (marketing calls and texts): required before any autodialed or prerecorded call with a commercial purpose. The FCC's 2012 order made this mandatory. The written consent has to clearly authorize calls from the specific seller, describe the program, and state that the consumer is not required to consent as a condition of purchase. Keep the IP address, a timestamp, and the exact language shown at opt-in.
One-to-one consent (effective January 2025): the FCC's 2023 order requires written marketing consent to name each company. A single lead-gen form that says "you consent to calls from our partners" no longer covers downstream callers. Each seller needs its own separately stated consent [3].
Texts follow the same tiers. A text counts as a "call" under the TCPA. Send an autodialed marketing text to a cell number without prior express written consent and you have a violation. Full stop.
Oral consent does not cut it for marketing. If your script asks for a verbal "yes, call me back" on a recorded line, that works for informational calls but not for your next autodialed sales campaign.
If you are building cold calling scripts with text follow-ups, the consent language in your opt-in flow has to be airtight before the script ever goes live.
What are the legal calling hours under American telemarketing law?
You may only call consumers between 8 a.m. and 9 p.m. local time at the consumer's location. Both the TCPA and the TSR set that window, and they match [1][2]. Local time means where the consumer sits, not where you sit.
Here is the trap. A sales team in Phoenix calling a New York area code in November (Arizona skips daylight saving time) has to account for the gap, or it dials at 7 a.m. Eastern. That is a violation before anyone says hello.
The rule covers every call: live agent, prerecorded, or autodialed. Weekend calls are fine inside the same window. No federal ban on Saturday or Sunday calls exists as long as you stay between 8 a.m. and 9 p.m. local.
Some states go further. Florida restricts calls to the same 8 a.m. to 9 p.m. window and bars Sunday calls in certain contexts under the Florida Telephone Solicitation Act [5]. Check the state law for the consumer's location, more than the federal rule.
One practical note: area codes are a lousy proxy for time zone. VoIP and number porting mean a 212 number can belong to someone in Los Angeles. If you dial any real volume, use a time-zone lookup service keyed to the number itself, not the area code prefix.
What disclosures are required at the start of a telemarketing call?
The TSR requires specific disclosures at the start of every outbound telemarketing call. You cannot bury them later in the pitch [2].
Within the first few seconds, state three things: your name, the name of the company you are calling for, and that the purpose is to sell goods or services if that is true. For prize-promotion calls, you also disclose that no purchase is necessary to win and that a purchase will not improve the odds.
Prerecorded messages carry an extra requirement under the FCC's rules. They must include an automated opt-out the consumer can use during the call, like pressing a key to land on your do-not-call list [3].
The TCPA also requires anyone calling for telemarketing purposes to give their name and a telephone number or address, and that contact info has to stay available for 30 days after the call so consumers can request DNC treatment [1].
Caller ID spoofing is illegal under the Truth in Caller ID Act (47 U.S.C. § 227(e)). You cannot transmit misleading or inaccurate caller ID. If you use a callback number different from the outbound line, that number still has to be accurate and reachable. The FCC has assessed forfeitures topping $100 million against spoofing operations, including a 2021 case that produced a proposed penalty in the hundreds of millions.
How much do TCPA violations actually cost?
This is where the law bites hardest.
The TCPA creates a private right of action. Any consumer who gets an illegal call or text can sue you directly in federal or state court, no government agency required first. That is unusual, and it is why TCPA class actions pile up [1].
Statutory damages run $500 per violation. Find a willful or knowing violation and the court triples it to $1,500 per violation [1]. Each call or text is its own violation. A campaign that fires 10,000 texts without proper consent is not one violation. It is 10,000, and $15 million of exposure at the willful rate.
The FTC can also chase civil penalties under the TSR. The maximum is $51,744 per violation as of 2024, adjusted for inflation each year [2]. The FCC can issue forfeiture orders on top of private lawsuits.
Real settlements show the scale. Capital One agreed to pay $75.5 million in 2019 to settle a TCPA class action over debt collection calls [6]. Dish Network paid $9.25 million in 2022 to settle TSR and DNC violations [7]. Those are giant companies, but the per-call math is identical for a 10-person sales team.
TCPA filings have climbed since 2010. WebRecon counted more than 4,000 TCPA cases in federal court in 2019 alone [8]. The plaintiffs' bar treats this as a paying practice, and professional plaintiffs register numbers specifically to catch illegal calls and sue.
If you want to understand how an AI cold calling tool shifts your exposure, note that the ATDS question and the autodialer consent rules get sharper when the system generates or sequences calls on its own.
What are the rules for autodialed and prerecorded calls specifically?
The TCPA treats autodialed calls, prerecorded voice calls, and texts to cell phones as the highest-risk category. Consent rules are stricter. Per-call damages are the same, but the class action risk is much larger. The defenses are narrower.
Automatic Telephone Dialing System (ATDS): the Supreme Court in Facebook, Inc. v. Duguid (2021) held that an ATDS must have the capacity to store or produce numbers using a random or sequential number generator [9]. Systems that dial from a static pre-loaded list, with no random or sequential generation, may fall outside that definition. But the FCC has signaled it may revisit its own reading, and several lower courts still read ATDS broadly. Do not treat the Duguid distinction as a compliance strategy without a lawyer signing off.
Prerecorded calls to residential landlines: the TSR and TCPA both restrict these. A prerecorded message to a landline is allowed for non-commercial purposes or for commercial messages from tax-exempt nonprofits. A for-profit marketing prerecorded call to a residential line needs prior written consent.
Prerecorded calls to cell phones: always require prior express written consent for marketing. No exceptions.
Texts: treated as calls. Mass marketing texts sent through any automated system require prior express written consent. Even peer-to-peer texting through an agent-initiated platform can trigger TCPA liability if the volume and automation look like a system rather than individual manual sends.
Fax: the TCPA also restricts unsolicited commercial faxes under a separate provision. Fax rules sit outside most outbound sales work today, but they exist.
Which states have their own telemarketing laws that go beyond federal rules?
Federal law sets the floor. States raise the bar, and you comply with both.
Florida: the Florida Telemarketing Act and the Florida Telephone Solicitation Act (FTSA) are aggressive. The FTSA was amended in 2021 to create a private right of action, much like the TCPA. It covers autodialed calls and texts, carries its own consent requirements, and reaches calls to Florida residents no matter where the caller sits [5]. Florida plaintiffs have filed hundreds of FTSA cases since 2021.
California: the Automatic Renewal Law intersects with telemarketing consent, and the California Consumer Privacy Act (CCPA) shapes how you collect and store consent records. The CCPA is not a telemarketing law, but it governs what you can do with consumer data used in dialing campaigns [10].
Texas: the Texas Business and Commerce Code Chapter 305 requires telemarketers to register with the state and keep their own DNC lists. Penalties reach up to $10,000 per violation.
New York: state rules require licensing for certain telemarketing activities and set calling hours that mirror federal law.
Washington: has its own Commercial Electronic Mail Act and a telephone solicitation statute with per-violation penalties.
The working rule: find the state where each consumer lives, then apply whichever law (state or federal) is stricter on that specific point. If you call nationally, build your program to the strictest combination across the states you reach, or run a state-by-state assessment for your top markets.
| State | Private Right of Action | Own DNC | Registration Required | Stricter Hours |
|---|---|---|---|---|
| Federal (TCPA/TSR) | Yes | Yes (internal) | No | 8am-9pm local |
| Florida | Yes (FTSA) | No (uses federal) | Yes | 8am-9pm local |
| Texas | No (AG only) | Yes | Yes | 9am-9pm local |
| California | No (AG/FTC) | No (uses federal) | No | 8am-9pm local |
| New York | No (AG only) | No (uses federal) | Yes (some) | 8am-9pm local |
What records do you need to keep to defend a TCPA claim?
Get sued and the burden effectively shifts to you to prove you had consent and followed the rules. You cannot do that without records.
Consent records: for every marketing text or autodialed marketing call, keep the consumer's name, the number they consented on, the date and time of consent, the IP address of the device used to submit the form, the URL of the opt-in page, and the exact language displayed at the time. Screenshots of the form as it looked that day beat screenshots taken later. Store these for at least 4 years, because the TCPA's statute of limitations is 4 years [1].
DNC scrub logs: record when you pulled the DNC registry data, which version you used, and when your list was scrubbed against it. If a consumer on the DNC list claims you called, your defense is that you scrubbed and they were not listed at the time, or that you had their consent. Neither defense holds without a dated log.
Internal DNC list: log every opt-out request with the date, the number, who took the request, and when it was actioned. The 30-day window to honor opt-outs starts when the request comes in, not when someone gets around to it.
Call detail records: your dialer or telephony provider generates these. Pull and store them. They show who was called, when, from what number, and often whether the call connected.
LeadCompliant's free compliance kit includes a consent-record template and a DNC log format you can put to use today without building anything custom.
One spot where small teams keep failing: they have consent records for the first opt-in but no proof they re-verified consent when a lead moved to a different campaign or a different calling entity. Under the one-to-one consent rules, that re-verification record matters a lot.
What are the rules for B2B telemarketing vs. consumer calls?
Calling businesses is a different animal from calling consumers, and it changes your compliance footprint.
The National DNC Registry covers residential telephone subscribers, not businesses [4]. A pure B2B call to a direct business line is generally not subject to DNC registry scrubbing. The TSR also exempts calls to businesses from most of its requirements.
The TCPA does not hand business lines a full pass. The FCC has held that the TCPA's ban on autodialed calls reaches calls to business cell phones if the number is assigned to a cell service [1]. So if your B2B prospecting dials direct-to-cell numbers for business contacts (which describes most modern B2B outbound), ATDS liability still hangs over you.
Prerecorded calls to business lines that are not cell phones face lighter federal regulation. State laws still vary.
The B2B risk profile runs lower than B2C for three reasons: the DNC registry ignores business lines, a professional plaintiff rarely holds a business number, and courts have sometimes doubted damages claims from business plaintiffs. "Lower risk" is not "no risk," though, especially when you dial mobile numbers.
Understanding what cold calling in sales means in a B2B context, including the line between a warm introduction and a regulated solicitation, helps you design workflows that hold exposure down without starving your pipeline.
How do the rules apply to text message marketing campaigns?
Texts are calls under the TCPA. Every rule for autodialed calls to cell phones applies to marketing texts. A few text-specific points deserve spelling out.
Opt-in language for texts has to be clear and conspicuous. The consumer must know they are consenting to marketing texts, more than account-related messages. Regulators and courts have found that generic privacy-policy consent does not meet the TCPA's written consent standard for marketing texts.
Opt-out has to be instant and permanent. When a consumer replies STOP, you stop sending marketing texts. The FCC has made clear that a single additional marketing text after a STOP reply is a violation. A one-time confirmation saying "You have been unsubscribed" is fine, but only if it carries no marketing content.
Short codes and 10-digit long codes (10DLC) both require campaign registration with The Campaign Registry (TCR) since 2021. Carriers block unregistered traffic. That is carrier policy, not a legal rule, and running unregistered traffic can mean your texts simply do not arrive, which carries its own business cost.
Text campaigns to mixed consumer-business lists carry the full consumer-call risk profile: prior express written consent, one-to-one named consent under the new FCC rules, and an opt-out mechanism in every message.
The Cellular Telecommunications Industry Association (CTIA) messaging guidelines are not law, but carriers enforce them as a condition of network access, so a violation can get your sender ID blocked even when no legal action follows [11].
How do you build a compliant outbound telemarketing process from scratch?
Here is the sequence I'd follow to stand up a compliant outbound team today.
Start with a consent audit. Before you dial a single number from any list, document how each record was acquired and what consent, if any, came with it. Purchased lists almost never carry TCPA-compliant written consent for your company specifically. Assume they do not. Either re-verify consent or treat those numbers as cold contacts that need a compliant opt-in before any autodialed outreach.
Set up DNC scrubbing. Subscribe to the national DNC registry data for your area codes and run a scrub before every campaign. Keep the dated scrub logs. Build an internal DNC database and wire it to your CRM so opt-out requests get captured and synced in real time.
Document your consent flows. For every opt-in form, landing page, or verbal consent script, take a dated screenshot or recording. Store the specific language. Change the form? Archive the old version with the date range it was live.
Train your team. Calling hours, disclosures, and opt-out handling are not optional extras. Every agent needs the 8 a.m. to 9 p.m. rule, the first-30-seconds disclosure, and a clean answer to "stop calling me."
For teams building from scratch, a solid cold call framework paired with a compliance checklist heads off the mistakes that create liability. LeadCompliant's free TCPA compliance kit covers the scrub workflow, the consent record template, and the agent training checklist in one download.
Review your dialer settings. If you run a predictive or autodialer, figure out whether its functionality meets the ATDS definition under current FCC guidance. If it does, your consent rules for cell phone contacts get stricter. If you use manual dialing or a click-to-call system, document that clearly.
Put a quarterly compliance review on the calendar. Laws move. The FCC's 2023 one-to-one consent rule is the proof: teams with compliant processes in 2022 had to update them before January 2025. Schedule the review. Do not rely on intent.
Frequently asked questions
What is the TCPA and does it apply to my business?
The Telephone Consumer Protection Act (47 U.S.C. § 227) is the main federal law restricting autodialed calls, prerecorded messages, and texts to cell phones. It applies to any person or entity making such calls in the United States, with very few exceptions. If you send marketing texts or use a predictive dialer to call cell numbers, the TCPA almost certainly applies to you.
Can I call a cell phone number for sales without consent?
Not if you use an autodialer or prerecorded message. The TCPA requires prior express written consent before any autodialed or prerecorded marketing call to a cell phone. A manually dialed live-agent call to a cell number has more room, though state laws and the DNC registry still apply. The safest move is written consent before any outbound cell contact.
How long does the existing business relationship (EBR) exemption last?
The EBR exemption lets you call a number on the national DNC registry when you have an existing relationship. For purchases, the window is 18 months from the last transaction. For inquiries, it is 3 months from the last contact. Once that window closes, you cannot use EBR as your basis for calling a DNC-registered number without fresh consent.
What happens if I call a number on the Do Not Call Registry?
Each call to a registered number without proper consent or an applicable exemption is a violation. The FTC can pursue civil penalties up to $51,744 per violation. Consumers can also file complaints, and the FTC uses complaint patterns to target enforcement. For high-volume campaigns, the exposure compounds fast.
Do telemarketing laws apply to text messages?
Yes. The TCPA treats text messages as calls, so every rule for autodialed calls to cell phones applies to marketing texts. You need prior express written consent, an opt-out mechanism in every message, and you must honor STOP replies immediately. State laws like the Florida FTSA also apply to texts.
What is the difference between the TCPA and the Telemarketing Sales Rule?
The TCPA is an FCC-administered statute focused on the technology used (autodialers, prerecorded messages) and covers calls to cell phones and residential lines. The TSR is an FTC rule focused on deceptive and abusive telemarketing practices in sales calls. Both apply to most outbound sales teams. Both also govern access to the national DNC registry. You comply with both at the same time.
Are B2B telemarketing calls exempt from all TCPA rules?
Not entirely. The national DNC registry covers residential lines only, so pure B2B calls to business landlines skip DNC scrubbing. But if you dial mobile numbers for business contacts using an autodialer, the TCPA's cell phone provisions still apply. Most modern B2B outbound involves cell numbers, so TCPA exposure stays real.
What is the new one-to-one consent rule and when did it take effect?
The FCC's 2023 order requires written consent for autodialed marketing calls and texts to name each company specifically. A blanket opt-in covering multiple sellers is no longer valid. The rule took effect January 2025. If your lead-gen forms or partner consent flows use umbrella language, update them, or the downstream calls may count as unconsented under the new standard.
Can I call someone who asked me to stop calling?
No. Once a consumer asks your company to stop calling, you add them to your internal DNC list and honor the request within 30 days. Calling again after that is a separate TCPA violation. The internal DNC obligation is independent of the national registry, so it applies even to numbers that never appear on the national list.
What are the fines for TCPA violations?
Statutory damages are $500 per illegal call or text. If a court finds the violation was willful or knowing, that triples to $1,500 per violation. Each call or text is a separate violation. The TCPA also creates a private right of action, so any consumer can sue you directly without going through a government agency, which is why class actions are common.
Do I need to register my telemarketing campaign with any state?
It depends on the states you call into. Texas requires telemarketers to register with the state. New York and Florida have their own licensing or registration requirements for certain activities. California does not require general telemarketer registration but enforces strict data rules under the CCPA. Check the requirements for each state where your consumer prospects live.
What records should I keep to defend against a TCPA lawsuit?
Keep consent records showing the consumer's name, number, consent date, IP address, the URL and exact language of the opt-in form, and any transfer records if the lead changed hands. Keep dated DNC scrub logs, your internal DNC list with opt-out requests, and call detail records from your dialer. Store everything for at least 4 years, matching the TCPA's statute of limitations.
Is it legal to use a prerecorded message for telemarketing calls?
Only with prior express written consent for calls to cell phones and residential lines with a commercial purpose. Prerecorded messages must also include an automated opt-out so consumers can add themselves to your DNC list during the call. Without those elements, even a single prerecorded marketing call is a TCPA violation.
What time can I legally call consumers?
Between 8 a.m. and 9 p.m. local time at the consumer's location. Use the consumer's time zone, not yours. Weekend calls are allowed within those hours under federal law, but some states like Florida restrict Sunday calling. If you call nationally, use a time-zone lookup tool keyed to the actual number, since area codes mislead thanks to number porting.
Sources
- Cornell Law School LII, 47 U.S.C. § 227 (TCPA full text): TCPA prohibits autodialed calls to cell phones without consent, sets $500/$1,500 per-violation damages, and establishes private right of action
- FTC.gov, Telemarketing Sales Rule (16 C.F.R. Part 310): TSR requires disclosures at call start, governs DNC registry, prohibits deceptive practices, sets civil penalty up to $51,744 per violation
- FTC.gov, National Do Not Call Registry: Consumers register numbers for free; telemarketers must scrub lists; full national database access costs $17,676 per year as of 2024
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: FTSA creates Florida private right of action for autodialed call and text violations, amended 2021, restricts calling hours
- U.S. District Court, Capital One TCPA class action settlement, 2019 ($75.5 million): Capital One agreed to $75.5 million settlement in 2019 TCPA class action over debt collection calls
- FTC.gov, Dish Network TSR settlement press release: Dish Network paid $9.25 million to settle TSR and DNC violations in 2022
- WebRecon LLC, TCPA litigation statistics 2019: More than 4,000 TCPA cases filed in federal court in 2019
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held ATDS must have capacity to store or produce numbers using random or sequential number generator; narrowed ATDS definition
- California Attorney General, California Consumer Privacy Act (CCPA): CCPA governs collection and use of consumer data in California, affecting how consent records for telemarketing are managed
- FTC.gov, Do Not Call Registry access fees and data: Annual access to the full national DNC database costs $17,676 as of 2024, scaled by area code access