Last updated 2026-07-09

TL;DR
A cold call is an unsolicited phone call to a prospect who has had no prior relationship with your business. Legally, cold calls to cell phones using automated dialers require written consent under the TCPA (47 USC 227). Calls to landlines and DNC-registered numbers carry their own rules. Violations cost $500 to $1,500 per call, per the FCC.
What is a cold call, exactly?
A cold call is an outbound phone call placed to someone who never asked to hear from you. The 'cold' refers to the absence of a prior relationship or expressed interest. The prospect didn't raise their hand. You're calling them out of the blue, usually to pitch a product, a service, or a meeting.
That definition sounds simple. Legally, it isn't. It matters enormously whether the call goes to a cell phone or a landline, whether you use an automated dialer or a human clicking a number by hand, and whether the person sits on a Do Not Call list. Each of those variables changes what you're allowed to do under federal law.
For a broader look at how cold calling fits into outbound sales strategy, see what is cold calling in sales and the cold calling definition breakdowns.
People confuse cold calls with warm calls. A warm call follows up on some earlier contact: a trade show chat, a downloaded white paper, an email reply. That prior touch doesn't automatically give you legal consent to autodial a cell phone. It does change the sales dynamic, and it often changes the legal analysis around an 'established business relationship,' which decides whether the National DNC Registry exemption applies.
What does the TCPA actually say about cold calls?
The Telephone Consumer Protection Act, codified at 47 USC 227, is the main federal law governing cold calls [1]. Congress passed it in 1991 because unsolicited calls had become a genuine nuisance. The FCC writes the rules that put it into practice.
The statute reads: 'It shall be unlawful for any person within the United States... to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice... to any telephone number assigned to a... cellular telephone service.' [1] That sentence is the heart of the law. Break it down:
- Automatic telephone dialing system (ATDS): The FCC and the courts fought over this definition for years. After the Supreme Court's 2021 ruling in Facebook v. Duguid, an ATDS is equipment that uses a random or sequential number generator to store or produce and dial numbers [2]. A dialer that works off a fixed list probably isn't an ATDS under that ruling, though circuit courts are still sorting out the edges.
- Artificial or prerecorded voice: Robocalls and ringless voicemail drops fall under a separate hook. Even if your dialer isn't an ATDS, leaving a prerecorded message triggers TCPA liability.
- Cell phones: The cell phone restriction is strict. Prior express written consent is required for marketing calls placed with an ATDS or a prerecorded voice to mobile numbers [3].
- Landlines: For residential landlines, the TCPA and the FTC's Telemarketing Sales Rule (TSR) both apply, but the consent bar is lower. Informational calls need prior express consent (not necessarily written), and marketing calls using prerecorded messages need written consent.
Violations carry a statutory penalty of $500 per call, trebled to $1,500 per call if a court finds the violation was willful [1]. The TCPA sets no cap. That's why class actions produce judgments in the millions.
How does the National Do Not Call Registry affect cold calls?
The FTC runs the National Do Not Call (DNC) Registry, which consumers use to opt out of most telemarketing calls [4]. If a residential number appears on the registry, you generally can't call it for telemarketing unless you have an established business relationship (EBR) with that person or they've given you written permission.
The EBR exemption is narrow. Under FTC rules, an EBR exists if a consumer made a purchase or payment within the prior 18 months, or if they inquired about your product or service within the prior 3 months [4]. Once those windows close, the EBR expires and the DNC registration controls again.
Businesses must scrub their call lists against the National DNC Registry at least every 31 days [4]. Skipping the scrub isn't a technicality courts wave off. The FTC and DOJ hit DISH Network with a $280 million penalty in 2017 for DNC violations, one of the largest in telemarketing history [5].
State DNC lists exist too. Florida, Indiana, Texas, and several other states keep their own registries. Some states make you scrub against the state list separately even after you've scrubbed the federal one. California's rules add another layer for B2C outreach.
For a full walkthrough of scrubbing workflows, see cold calling.
What are the real TCPA penalty numbers?
The TCPA sets $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing ones [1]. Every individual call or text counts separately. A campaign of 10,000 autodial calls to cell phones without consent could expose a company to $5 million to $15 million in theory.
That's the statute. Real settlements land lower because defendants negotiate, but they still hurt. Some notable outcomes:
| Case / Action | Amount | Year |
|---|---|---|
| DISH Network (FTC/DOJ) | $280 million | 2017 |
| Dish Network class action settlement | $61 million | 2020 |
| Caribbean Cruise Line TCPA settlement | $76 million | 2015 |
| Sirius XM TCPA settlement | $25 million | 2017 |
| Capital One TCPA settlement | $75.5 million | 2014 |
Small businesses get hit too. A single plaintiff can file in federal court, and serial TCPA plaintiffs (sometimes called 'professional plaintiffs') hunt for small companies with sloppy consent practices. A demand letter asking $20,000 to $50,000 to settle 50 or 100 allegedly improper calls is common, and plenty of businesses pay rather than litigate.
Honest advice: risk scales with volume. If you're making 100 manual calls a day, a human dialing a cell number found on LinkedIn, your TCPA exposure is low next to a company running 50,000 autodial minutes a week. Know your dialer type before you build the campaign.
How do you cold call legally: the practical rules
Here's what you actually do before your team picks up the phone.
1. Know your dialer type. If your software dials automatically from a list without a human clicking each number, it may be an ATDS. If it uses prerecorded messages or voicemail drops, those rules apply no matter how the numbers get dialed. Manual click-to-dial from a fixed list is the lowest-risk path for cell phone outreach [2].
2. Scrub against the National DNC Registry. Register at donotcall.gov, pay the access fee (free for lists under 5 area codes, a few hundred dollars a year for broader access), and scrub at least every 31 days [4]. Keep records of every scrub.
3. Get written consent for cell phones if you're autodialing. The FCC's 2012 order requires 'prior express written consent' for autodialed or prerecorded marketing calls to cell phones [3]. That means a signed agreement, e-signatures included, that clearly authorizes your specific company to call that number using an ATDS. Buying a list of numbers doesn't buy you consent.
4. Respect calling hours. The TCPA and TSR both bar calls before 8 a.m. or after 9 p.m. local time of the person you're calling [1]. That's their local time, not yours.
5. Identify yourself immediately. Under the TSR, the caller must promptly state the caller's name, the company's name, and the purpose of the call [6]. Skipping that is its own violation.
6. Honor do-not-call requests fast. If someone tells you to stop calling, you must add them to your internal DNC list and stop [4]. Your company needs a written DNC policy and has to train staff on it.
7. Keep records. Document your scrubs, your consent records, your DNC list, and your calling-hours compliance. If you get sued or investigated, records are the defense.
For scripts that follow these rules, see cold call script and cold calling scripts.
Does the TCPA apply to B2B cold calls?
This is one of the most common misconceptions in outbound sales. The TCPA applies to telephone numbers, not to whether the person you reached is a consumer or a business.
Call a direct-dial cell phone that belongs to a business executive and the TCPA applies to that number the same way it applies to a consumer's personal cell [1]. The cell phone restriction is about the number type, not the job title.
B2B gets some relief. The National DNC Registry covers residential numbers, so a line registered as a business number likely isn't on the consumer DNC list. Some courts have read the ATDS definition more loosely in B2B settings. But 'more loosely' is not 'exempt.' If your team runs an autodial system or drops prerecorded voicemails to mobile numbers pulled from LinkedIn, you have TCPA exposure regardless of where those people work.
The safest B2B posture for cell phone outreach is manual dialing, a live human on every call, zero prerecorded messages. Plenty of sales development teams run exactly this way for cell phones and save auto-sequences for email.
The FTC's TSR does carve out some B2B exemptions more explicitly, but the TCPA statute has no formal B2B carveout. If you run a high-volume B2B program calling mobile numbers, talk to a TCPA attorney before you scale.
What changed with the FCC's 2024 one-to-one consent rules?
In December 2023, the FCC adopted rules tightening the definition of 'prior express written consent' for calls and texts [7]. The core change: consent now has to be obtained one-to-one, so a consumer's checkbox on a single lead generation website can't authorize a swarm of sellers at once.
Before this rule, lead generation sites routinely used one consent checkbox to authorize dozens of companies to call the consumer. The FCC took direct aim at what it called the lead generator loophole [7]. Now each seller needs its own consent, obtained separately.
The D.C. Circuit vacated the one-to-one provision in January 2025 before it took effect, so the older consent standard still governs at the moment. That's the honest state of play: the FCC wrote the rule, a court struck it down, and the agency could rewrite it. Treat the one-to-one standard as the direction of travel, not settled law.
If your leads come from third-party generators who collect consent on your behalf, verify that the consent language names your company by name, not a generic list of 'marketing partners.' Purchased lists that arrive with claims of 'TCPA-compliant consent' deserve real skepticism unless you can see the exact language and the timestamp records.
Practical impact on small teams: if you buy leads, audit the consent mechanism. Ask for the consent record on each lead, including the IP address, timestamp, and exact disclosure language. If they can't produce it, you're exposed.
LeadCompliant's free TCPA consent checker can help you judge whether a given consent form holds up before you dial.
How is AI cold calling changing the legal landscape?
AI voice agents that run outbound sales calls are a real and growing category. Several vendors sell systems where an AI voice calls prospects, qualifies them, and books meetings with no human on the line.
The FCC addressed this head-on in February 2024, ruling that AI-generated voices count as 'artificial or prerecorded voices' under the TCPA [8]. An AI voice call to a cell phone without prior express written consent is an illegal robocall, full stop. The ruling followed the wave of AI voice cloning in political robocall campaigns.
For sales teams, that means AI voice outreach to cell phones needs the same written consent as any other autodialed or prerecorded call. AI calls to numbers on the DNC registry are barred the same way. New technology doesn't buy a new exception.
For a deeper look at how AI calling tools interact with the TCPA, see ai cold calling.
The honest take on AI cold calling right now: the conversion rates some vendors advertise are unverified, the legal risk is real and immediate, and most small teams are better served by a well-trained human SDR making manual calls with a good script than by an AI system that might invite an enforcement action. That could change as the tech and the legal picture mature. In mid-2026, go slow.
What time can you legally make cold calls?
Both the TCPA and the FTC's Telemarketing Sales Rule prohibit outbound telemarketing calls before 8 a.m. or after 9 p.m. in the recipient's local time [1][6]. Local time means the time zone where the person you're calling sits, not where you sit.
This trips up teams with centralized call centers. Call from Phoenix to New York and 6 a.m. Phoenix time is 9 a.m. in New York, so that call is legal. But 8 p.m. Phoenix time is 11 p.m. in New York, so that one isn't. Your dialing software should enforce time-zone-based windows using the area code and, where you can, the known location of the recipient.
Some states tighten the window. A few jurisdictions bar calls on Sundays or holidays. Florida's telemarketing statute is notably aggressive, so if you're calling Florida consumers, check state law on its own [10].
No federal rule blocks weekend telemarketing, but many sales teams skip Saturdays and Sundays anyway. Partly for a conservative compliance posture, partly because answer rates are poor.
What records do you need to keep to defend a cold call complaint?
Get hit with a TCPA demand letter or an FCC complaint and your records decide whether you have a defense. Here's the list.
Consent records: For every cell phone number you've autodialed or sent a prerecorded message to, keep the written consent record. That's the IP address, the date and time, the exact language the consumer agreed to, and your company's name inside that language. Store it so you can pull it by phone number.
DNC scrub logs: The date of every scrub against the National DNC Registry, the version of the registry you used, and your method. Using a third-party compliance vendor? Get their certification records too.
Internal DNC list: Every number where someone asked not to be called again, the date of that request, and confirmation you honored it. The TSR requires this list be kept for 5 years [6].
Call records: Timestamps, the caller ID you used, agent ID or campaign ID. If a plaintiff claims you called 47 times, you want records that settle it.
Training records: Proof your agents were trained on calling hours, DNC requirements, and identification requirements. This matters for the willful standard that decides whether penalties treble.
The FTC requires telemarketers keep certain records for 24 months under the TSR [6]. Many TCPA attorneys say keep consent records for the life of the company plus the statute of limitations, which runs 4 years under federal law.
LeadCompliant's compliance kit includes record-keeping templates and a DNC scrub tracking log a small team can actually maintain without a legal department.
How do you actually make a good cold call? The mechanics
Compliance sets the floor. Sales skill decides whether calls convert. Here's what practitioner consensus says about cold call mechanics, separate from any legal requirement.
Opening line. The first 10 seconds decide whether you get a conversation or a click. State your name, your company, and one specific reason you're calling that's relevant to this person. Generic openers like 'How are you today?' tend to lower conversion compared to direct, specific ones. Get to the point.
Research before you dial. Know the prospect's role, company size, and at least one specific thing about their business before the call. Cold calls that reference real context ('I saw your team just expanded into the Southeast') beat generic pitches, though nobody has clean public data on the exact lift.
Ask a question, don't give a speech. The goal of a cold call is usually to earn a longer conversation, not to close a deal. Ask one sharp question that reveals whether they have the problem you solve. If they don't, thank them and move on.
Handle the objection before the call. 'I'm not interested' and 'Send me an email' are predictable. Have a two-sentence response ready for each. Not a script. A response that sounds human because it is.
Call volume math. Benchmarks vary a lot, but most sales research puts cold call connect rates at 5% to 10% of dials and conversation-to-meeting conversion at 20% to 30% of connects. That works out to roughly 33 to 100 dials per booked meeting. Anyone promising far better numbers from AI or a 'secret script' is probably selling you something.
For script structures and openers, see cold calling scripts and cold call script.
What are the biggest cold call compliance mistakes small teams make?
Most TCPA trouble at small companies traces to a short list of repeat errors.
Using a power dialer without knowing it's an ATDS. Many sales engagement platforms bundle auto-dialing. Teams switch it on because it looks like a productivity feature. If the dialer can call a number without a human clicking each call, it may be an ATDS under some court readings. Read your vendor's terms and ask them directly whether their dialer qualifies.
Buying lists without verifying consent. List vendors love the phrase 'TCPA compliant.' That claim almost never means the vendor holds written consent records that would survive court for your specific company. You can't buy consent. You can only get it directly.
Not scrubbing cell phones separately. The DNC Registry covers both landlines and cell phones, but the TCPA cell phone restriction is broader and stricter. Scrub only for DNC without checking whether a number is a cell (and whether you hold cell-specific consent) and you miss the biggest risk.
Ignoring state law. Florida, California, Texas, Indiana, and Washington run state telemarketing or robocall statutes that add requirements or lower the plaintiff's burden. Florida's FTSA, for one, lets plaintiffs collect $500 per violation with a lighter proof threshold than a federal TCPA claim [10].
No internal DNC process. A prospect says 'don't call me again,' your agent buries it in a CRM note that never feeds back to the dialing list, and that number gets called again. Separate violation. Evidence of willfulness.
The cheapest compliance investment for a small team is a documented process: who scrubs the list, how often, what tool they use, where the records live. That alone kills most of the exposure above.
Frequently asked questions
What is a cold call in simple terms?
A cold call is a phone call you make to someone who never asked you to contact them and has no prior relationship with your company. The 'cold' means no prior connection. It differs from a warm call, where some earlier interaction already happened. In sales, it's the starting point of outbound prospecting.
Are cold calls legal in 2026?
Yes, cold calls are legal, but with real conditions. Calls to cell phones using automated dialers require written consent under the TCPA. Calls to DNC-registered numbers are barred for telemarketing. Manual calls to landlines and business lines have more room. The rules are real and the penalties are high, so 'legal' depends entirely on how your team dials and who you call.
What is the difference between cold calling and telemarketing under the law?
The TCPA and TSR use the term 'telemarketing,' which covers calls promoting a product, service, or business. Most cold calls in a sales context qualify as telemarketing. Cold calling is the sales term; telemarketing is the legal term. The practical difference matters because purely informational calls (promoting nothing) get somewhat looser rules under the TSR.
Do cold call rules apply to B2B calls?
The TCPA applies to phone numbers, not to consumer-versus-business distinctions. Call a business executive's cell phone with an autodialer and TCPA rules apply. The National DNC Registry is mainly for residential numbers, so direct business lines get some relief there, but B2B is not a blanket exemption. Manual dialing with live agents is the safest B2B approach for mobile numbers.
How many times can you legally cold call someone?
There's no explicit federal limit on how many times you can call someone, provided each call is otherwise compliant (right hours, not on DNC, proper consent for cell phones). But if someone asks you to stop, you must stop and add them to your internal DNC list. Courts have treated excessive call volume as evidence of harassment or willful violation in some cases.
What hours can you make cold calls legally?
Federal law (TCPA and TSR) bars telemarketing calls before 8 a.m. or after 9 p.m. in the recipient's local time zone. That's their time zone, not yours. Some states run tighter windows or add weekend restrictions. Configure your dialing system to enforce time-zone-based windows, or you risk violations even when your intent is clean.
What happens if you call a number on the Do Not Call list?
Calling a number on the National DNC Registry without an applicable exemption (like an established business relationship) violates both FTC and FCC rules. The FTC can impose civil penalties up to $51,744 per violation under the TSR. The TCPA allows private lawsuits with $500 to $1,500 per call in statutory damages. Both can apply at once.
Does leaving a voicemail count as a cold call under the TCPA?
Yes. A prerecorded voicemail on a cell phone is treated as a call using an artificial or prerecorded voice under the TCPA. Ringless voicemail drops, which land in voicemail without the phone ringing, are covered too. The FCC has confirmed this applies whether or not the phone actually rings. Prior express written consent is required for marketing voicemails to cell phones.
What is prior express written consent for cold calls?
Prior express written consent is an agreement, signed by the consumer (e-signatures count), that authorizes a specific company to call or text them using an autodialer or prerecorded voice. The consent must clearly disclose that agreeing isn't a condition of purchase. The FCC's one-to-one version of this rule was struck down in court in January 2025, so the earlier written-consent standard currently governs.
Can you cold call using an AI voice agent?
Technically yes, but the FCC ruled in February 2024 that AI-generated voices count as 'artificial or prerecorded voices' under the TCPA. That means AI voice calls to cell phones need prior express written consent, and AI calls to DNC-registered numbers are barred. There's no legal exception for the technology being new. Treat AI voice calls like any robocall for compliance.
What should you say at the start of a cold call to stay compliant?
Under the TSR, you must promptly state your name, the name of the company you're calling for, and the purpose of the call. You can't misrepresent who you are or why you're calling. Past the legal minimum, good openers are specific and direct: who you are, why this particular person, and one relevant reason you're calling, all in under 15 seconds.
How long do you need to keep cold call records?
The FTC's Telemarketing Sales Rule requires keeping certain records for 24 months. The TCPA statute of limitations for private lawsuits is 4 years. Most TCPA attorneys recommend keeping consent records, DNC scrub logs, and call records for at least 4 years from the last contact, or longer if your company is actively in litigation.
What is a 'cold call meaning' in finance or investing versus sales?
In finance and brokerage, a cold call carries the same basic meaning: an unsolicited call to a potential investor. FINRA rules bar brokers from cold calling between 9 p.m. and 8 a.m. local time of the recipient, and brokers must keep their own DNC lists. The sales definition and the finance definition overlap almost entirely, with securities-specific regulations stacked on top.
How do you check if a number is on the Do Not Call list before calling?
The FTC provides access to the National DNC Registry at donotcall.gov for organizations to scrub their call lists. You register, pay any applicable fee, and download the registry data for the area codes you call. You must re-scrub at least every 31 days. Third-party compliance vendors can automate this and often bundle real-time cell phone identification.
Sources
- U.S. Congress, Telephone Consumer Protection Act, 47 USC 227: TCPA text prohibiting autodialed calls to cell phones without consent; $500 per violation, $1,500 if willful
- U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court definition of ATDS as equipment using random or sequential number generator to store or produce and dial numbers
- FTC, Complying with the Telemarketing Sales Rule and National Do Not Call Registry: DNC Registry rules: established business relationship exemption windows (18 months/3 months), 31-day scrub requirement
- U.S. Department of Justice, DISH Network Telemarketing Penalty (2017): DISH Network ordered to pay a $280 million penalty for DNC and telemarketing violations, one of the largest telemarketing penalties in history
- FTC, Telemarketing Sales Rule, 16 CFR Part 310: TSR requirements: 8am-9pm calling hours, prompt identification of caller, 5-year internal DNC list retention, 24-month record retention
- FTC, Complying with the Telemarketing Sales Rule (business guidance): FTC guidance on TSR compliance obligations for businesses including record-keeping and internal DNC requirements
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059: Florida state telemarketing law with $500 per violation private right of action and additional state-level restrictions
- FTC, National Do Not Call Registry: Official National Do Not Call Registry access point for businesses to register and scrub call lists