Last updated 2026-07-10

TL;DR
Cold calling leads is legal but tightly regulated. The TCPA (47 U.S.C. § 227) limits when, how, and whom you can call. Calling a number on the National Do Not Call Registry without prior express consent can cost $500 to $1,500 per call in statutory damages. This article covers the key rules, the real lawsuit risks, and what a compliant cold-calling process looks like.
What is cold calling leads and why does it carry legal risk?
Cold calling leads means calling people who never asked to hear from you, usually to pitch a product or service. The call goes to a cell phone, a landline, or a business line. Which one it is changes your legal risk a lot, and so does how you placed the call.
The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, is the federal law that governs most outbound calling. [1] The FCC writes the implementing regulations, and they sit at 47 C.F.R. Part 64. The FTC enforces a parallel set of rules under the Telemarketing Sales Rule (16 C.F.R. Part 310) that apply to telemarketers specifically. [2]
Here is where small teams get surprised. The TCPA does more than restrict robocalls. It restricts any call to a cell phone made with an automatic telephone dialing system (ATDS) or a prerecorded message, without prior express consent. If your reps use a power dialer, a predictive dialer, or any software that stores and dials numbers automatically, you might be using an ATDS. Courts have gone back and forth on the exact definition since the Supreme Court's 2021 ruling in Facebook v. Duguid, but the risk did not disappear. [3]
For a fuller breakdown of what cold calling means in a legal context, and how the definition has shifted, that background is worth having before you build anything.
The short version: calling a cell phone on the National Do Not Call Registry, without consent, with an ATDS, can expose you to $500 per violation. If a court finds the violation willful, that triples to $1,500. One list of 10,000 unchecked numbers is a potential $15 million problem.
What does the TCPA actually say about calling leads?
The statute at 47 U.S.C. § 227(b)(1)(A) makes it unlawful to "make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice" to any cell phone. [1] That is the core prohibition people quote.
There is a second one most teams miss. Section 227(c) gives the FCC authority to run a national do-not-call database and lets consumers sue anyone who calls them in violation of those rules. This provision funds most of the class actions against sales teams. You do not need a robocall to trigger it. A live agent manually dialing a registered number is enough.
The FCC's one-to-one consent rule matters here. In a Report and Order adopted in December 2023, the FCC required that prior express written consent for telemarketing calls be obtained on a per-seller basis. [4] Consent gathered through a lead aggregator that said "partners may contact you" and listed 47 companies no longer works. The consumer has to consent to your company by name. The rule was set to take effect in early 2025, though the FCC and a federal court later delayed and vacated key parts of it, so check the current status before you rely on it. The direction of travel is clear either way: specific, named consent beats blanket consent.
For a working cold calling definition that maps to how the TCPA uses the term, including the split between solicited and unsolicited calls, that article unpacks the language in plain terms.
Who can you legally cold call without prior consent?
The answer splits two ways: by phone type, and by whether the number sits on the National Do Not Call Registry.
Residential landlines. You can call them with a live agent and no prior consent, unless the number is on the DNC Registry and you have no established business relationship (EBR) with that person. An EBR exists if the person bought from you in the last 18 months or made an inquiry in the last 3 months. [2]
Cell phones. You can call them with a live agent and no ATDS, no prior consent needed, as long as the number is not on the DNC Registry. The moment you add a dialer that qualifies as an ATDS, you need consent no matter the DNC status.
Business lines. The TCPA's cell phone provisions generally do not reach calls made to a business subscriber acting in a business capacity. B2B cold calling to a dedicated office number carries much lower TCPA risk. The catch: plenty of business people now use a cell phone as their main work number, which blurs the line.
Keep this table at your desk:
| Scenario | ATDS used? | DNC registered? | Consent required? |
|---|---|---|---|
| Live agent, residential landline, not on DNC | No | No | No |
| Live agent, residential landline, on DNC | No | Yes | Yes (or valid EBR) |
| Live agent, cell phone, not on DNC | No | No | No |
| Live agent, cell phone, on DNC | No | Yes | Yes (or valid EBR) |
| Power dialer, cell phone, not on DNC | Yes | No | Yes |
| Power dialer, cell phone, on DNC | Yes | Yes | Yes |
| Prerecorded message, any phone | Yes/pre-rec | Any | Yes |
This simplifies a genuinely messy area. State laws (Florida's mini-TCPA, Oklahoma, Texas) stack restrictions on top of the federal rules, so the table reflects the federal floor only. [5]
How do you check leads against the Do Not Call Registry?
The FTC runs the National Do Not Call Registry at donotcall.gov. [6] Telemarketers have to access it and scrub their call lists against it before dialing. The TSR requires you to download the registry data for the area codes you plan to call and compare your list to it no more than 31 days before each campaign.
Getting into the registry means registering your organization and paying an annual fee. As of 2024, the FTC charges $79 per area code per year, with the first five area codes free. Accessing every area code costs $18,044 per year. [6] That is the FTC's published number, not an estimate.
Beyond the federal registry, many states run their own do-not-call lists. Texas and Indiana, among others, maintain lists carrying numbers that never make it onto the federal database. You scrub against both.
For a cold call workflow to work legally, the scrub happens before the list touches your dialer, not after. Teams that buy a lead list and start dialing while the scrub is still processing are the ones who land in class actions.
Here is the part vendors gloss over. Most small teams buy "pre-scrubbed" lists from a data vendor. That does not erase your liability. The TCPA is a strict liability statute for many violations, so the plaintiff does not have to prove you meant to call a DNC number. Your vendor's promise is a contract between you and the vendor. It is not a defense against a consumer's lawsuit.
What are the real financial risks of TCPA violations when cold calling?
Statutory damages run $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones. [1] Courts have repeatedly held that each individual call counts as a separate violation.
TCPA litigation exploded in the 2010s and stays busy. Industry trackers such as WebRecon report TCPA federal filings in the low thousands per year in recent periods, though the exact count moves around depending on how cases get categorized. [7] Class actions are the real exposure, because they roll up individual $500 hits across hundreds of thousands of consumers.
One case tells the story. In 2017, a federal court entered a $280 million judgment against Dish Network in a case brought by the DOJ and the FTC over do-not-call violations tied to calls made by Dish's authorized dealers, the largest civil penalty ever obtained under the FTC's telemarketing rules at the time. [8] That is an extreme example involving a big company. The mechanism underneath it, vicarious liability for your lead vendors or dealers, applies just as much to a five-person shop.
Small companies have paid six-figure settlements over a few thousand calls. A single serial plaintiff, the kind lawyers call a "professional plaintiff," can sue over one unwanted call and collect $500 to $1,500 plus, in some jurisdictions, attorney's fees. There is a whole cottage industry doing exactly this.
The honest read: if your team dials even 1,000 numbers a week without a clean compliance process, your odds of getting sued at some point over a year are not zero. They are probably meaningful.
What does a legally compliant cold-calling process look like step by step?
A compliant process has about six moving parts. None is technically hard. The failure mode is almost always skipping a step because it feels like friction.
Step 1: Build or buy a clean list. If you buy leads, make the vendor document how and when consent was obtained and for which specific sellers. Blanket "partners may contact you" consent is weak, and it has gotten weaker under the FCC's push toward per-seller consent. [4]
Step 2: Scrub against the National DNC Registry and any applicable state lists no more than 31 days before dialing. Keep a dated record of the scrub.
Step 3: Check your dialing technology. If you run a predictive or power dialer, figure out whether it counts as an ATDS under the post-Duguid law in your circuit. When in doubt, have an attorney review the actual product. [3]
Step 4: Maintain your own internal do-not-call list. The rules require you to honor a do-not-call request within a reasonable time and to keep that suppression in place for at least five years. Anyone who tells your agent to stop calling goes on the list right away. [11]
Step 5: Follow the calling hours. Federal rules bar calls before 8 a.m. or after 9 p.m. local time at the called party's location. Several states run narrower windows.
Step 6: Train agents on the required disclosures. At the start of a call, an agent has to state the caller's name, the company the call is made on behalf of, and a phone number or address where that company can be reached. [10]
LeadCompliant's free TCPA compliance kit includes a pre-call checklist and an internal DNC log template you can use to lock down steps 4 and 6 without building from scratch.
For teams that want to see what cold calling scripts should say to stay legally clean, especially around required disclosures, that resource walks through the specific language.
How do AI and auto-dialers change the legal risk when calling leads?
This is where the rules stay genuinely unsettled and where the risk has climbed fast.
The FCC ruled in February 2024 that AI-generated voices count as "artificial or prerecorded voices" under the TCPA. [9] So a call where an AI voice speaks to a consumer, even with a human monitoring, needs prior express consent the same way a prerecorded robocall does. The ruling targeted scam calls, but its text reaches broadly.
For AI cold calling, the question is simple to state and easy to get wrong: does your tool use a live human voice for the actual conversation, or does any part of the call play AI-synthesized speech to the consumer? If it is the latter, you need consent before the call. A good list is not enough.
Predictive dialers are a separate headache. They fire calls faster than agents can answer them, which creates dead air and abandoned calls. The FTC's TSR caps the abandonment rate at 3% of live-answered calls per campaign. [2] Blow past that and you have a violation, independent of any TCPA issue.
Facebook v. Duguid, decided by the Supreme Court in 2021, narrowed the federal ATDS definition. The Court held that a system has to use a random or sequential number generator to qualify. [3] But some states never adopted the narrower reading, and the FCC has signaled interest in revisiting it. The narrowing is real. It is neither permanent nor universal.
What time of day can you legally call leads?
Federal rules under the TCPA and TSR set the floor: no calls before 8 a.m. or after 9 p.m. local time at the called party's location. [1][2] So you have to know which time zone the number sits in, not which one you sit in.
Several states go stricter. California adds no separate hour restriction for general telemarketing under state law. Florida's telemarketing statute bars calls before 8 a.m. or after 9 p.m. local time (matching the federal window) while piling on registration requirements that reach past federal law. [5]
The practical bind for coast-to-coast teams: if you sit in New York and start dialing at 8 a.m. Eastern, you cannot legally call a Pacific number until 11 a.m. your time. Most dialers can filter by time zone automatically. If yours cannot, you need a manual process, and you need to actually follow it.
For what is cold calling in sales from an operational angle, including how strong teams structure their calling windows, that article covers the practical side next to the legal one.
How do you generate leads ethically without cold calling at all?
Not every team should cold call. If your product has a long sales cycle, a high contract value, or a market that reads content before it buys, inbound lead generation often produces better-qualified prospects at lower legal risk.
Generating leads without cold calling has real answers that do not require ignoring the TCPA. SEO content, paid search, LinkedIn outreach (which is not a "call" under the TCPA), email to opted-in lists, webinars, and referral programs all bring in people who at least raised a hand.
Warm leads close faster. HubSpot has cited a figure that inbound leads cost about 61% less than outbound leads, a number that gets repeated everywhere without noting it traces back to HubSpot's own research from the early 2010s and may have drifted since. Treat it as directional, not gospel. The underlying point holds: a warm lead closes faster than a cold one.
Referral programs stay underused by small teams. A customer who refers a friend already did the trust and consent work for you. The referred contact is far likelier to pick up, engage, and buy.
For B2B specifically, LinkedIn outreach and content-driven demand generation are the most common alternatives to cold phone calls. Neither is effortless. Neither carries TCPA liability for the outreach itself. (Email and LinkedIn messages have their own rules, but the TCPA is not one of them.)
A lot of markets still need outbound. If you sell to small business owners, contractors, or consumers who never search for what you offer, inbound alone will not fill the pipeline. The answer is not to quit cold calling. It is to work a list of numbers that are not on the DNC registry and to use live agents without an ATDS wherever you can.
What records do you need to keep to defend a TCPA lawsuit?
Get sued and the plaintiff demands discovery of your call records, your list sourcing documentation, your DNC scrub logs, your consent records, and your agent training logs. Miss any of these and you lose the ability to assert the defenses that might have saved you.
Here is what to retain.
List sourcing records: who sold you the list, when, what consent language they represented was used, and which specific seller the consent named. Under the FCC's per-seller consent direction, this documentation is the spine of your defense. [4]
DNC scrub records: dated logs showing you scrubbed against the national registry and applicable state lists within 31 days of each campaign.
Consent records: for any ATDS call to a cell phone, proof of prior express written consent. That means a dated record of the opt-in, the exact language the consumer agreed to, and which company they agreed to hear from.
Internal DNC list: every opt-out request with the date it came in. The rules require you to honor these promptly and hold them for at least five years. [11]
Agent training logs: training dates, topics, and who attended. These matter most for arguing a violation was not willful, which keeps damages at $500 instead of $1,500.
Five years is the safe retention window for most of this, matching the TCPA's four-year statute of limitations plus a buffer. Some attorneys push for seven to be conservative.
What state laws add extra restrictions on top of federal rules?
Federal law is the floor. Several states have passed mini-TCPA statutes or stricter telemarketing rules that apply no matter what the FTC and FCC allow.
Florida. The Florida Telephone Solicitation Act (FTSA), amended in 2021 and again in 2023, first created a private right of action for any autodialed call to a Florida number without prior express written consent, broader than the TCPA itself. [5] The 2023 amendments pulled it back, limiting the private right of action to calls where the autodialer uses a random or sequential number generator. Even so, Florida stays high-risk territory.
Oklahoma. Oklahoma's Telephone Solicitation Act of 2022 built TCPA-style restrictions on autodialed calls to Oklahoma residents without consent, with a private right of action attached.
Washington. Washington's Commercial Electronic Mail Act and its Consumer Protection Act have been used in telemarketing cases that reach beyond email.
Texas. Texas runs its own no-call list through the Texas Public Utility Commission, separate from the federal registry. Calls to registered Texas numbers without consent can trigger state violations on top of federal ones.
The pattern: if you dial into any high-litigation state (Florida, California, Illinois), get state-specific legal advice before you scale outbound. Do not assume federal compliance covers you.
How do you vet a lead vendor to reduce TCPA exposure?
Most small teams buy leads rather than grow them. That is fine. But the TCPA hands you no "my vendor said it was clean" defense against a consumer's lawsuit. You can negotiate indemnification in the contract. The consumer can still sue you directly.
Before you sign anything, ask the vendor these questions.
What exact consent language did the consumer see? Request a screenshot or the verbatim text of the opt-in form. Under the FCC's per-seller consent direction, that language should name your company, not a bucket of "partners."
How old are the leads? Consent goes stale. Someone who opted in 14 months ago for a mortgage quote never consented to your solar panel call today.
Do they scrub for DNC before delivery? Ask for the scrub date, in writing. Then scrub again yourself. Relying on the vendor's scrub alone gives you no legal protection.
Where did the lead come from? Co-registration pages, where a consumer ticks a box to "receive information from partners," are the highest-risk source. Leads from your own website forms, where your company name is right there, are the lowest.
Will the vendor sign an indemnification clause? A vendor who refuses to indemnify you for their own consent failures is telling you something about the quality of that consent.
LeadCompliant's free consent checker lets you paste in an opt-in form and flags language that would not survive a per-seller consent standard. It is not a legal opinion. It catches the common problems before they turn into lawsuits.
Frequently asked questions
Is cold calling leads legal in 2025?
Yes, with conditions. Calling residential landlines with a live agent is generally legal as long as the number is not on the National DNC Registry (or you have an established business relationship). Calling cell phones with an automatic telephone dialing system requires prior express consent. The FCC's one-to-one consent order tightened what counts as valid consent, so verify the current rule status before relying on old consent forms.
How much can a TCPA violation cost per call?
The TCPA sets statutory damages at $500 per violation for standard violations and $1,500 per violation for willful or knowing violations. Courts treat each individual call as a separate violation. Class actions aggregate these across large call lists, which is why a single bad campaign can produce seven-figure exposure.
Do you need consent to cold call a cell phone?
If you use a live agent and dial manually, no federal consent requirement applies just because the number is a cell phone, as long as it is not on the DNC Registry. The consent requirement triggers when you use an automatic telephone dialing system (ATDS) or a prerecorded message. Most modern sales dialers carry some ATDS risk, so get your specific technology reviewed.
What is the National Do Not Call Registry and how do you use it?
The FTC's National Do Not Call Registry (donotcall.gov) is a list of consumer phone numbers where people asked to stop receiving telemarketing calls. Telemarketers must register, download the relevant area code data, and scrub their call lists against it no more than 31 days before each campaign. The fee is $79 per area code per year, with the first five area codes free.
Can you cold call leads you bought from a vendor?
You can, but buying a list does not erase your TCPA liability. You are responsible for confirming the numbers are not on the DNC Registry and that valid, specific consent exists for any ATDS calls. Under the FCC's per-seller consent direction, consent obtained through a lead aggregator naming multiple companies is not sufficient. Always scrub the list yourself and document the vendor's consent representations.
What time of day can you legally make cold calls?
Federal rules prohibit calls before 8 a.m. or after 9 p.m. local time at the called party's location, under both the TCPA and the FTC's Telemarketing Sales Rule. Some states match this window; none that I am aware of are more permissive, though several add registration requirements. Always use the called party's local time, not your own.
What is the established business relationship exception to the DNC rules?
An established business relationship (EBR) lets you call a DNC-registered number if the consumer purchased from you or made a payment in the last 18 months, or made an inquiry or application in the last 3 months. The EBR does not override the ATDS consent requirement for cell phones. Once a consumer tells you not to call again, the EBR exception ends immediately.
Does the TCPA apply to B2B cold calling?
The TCPA's cell phone protections generally do not apply when a business person takes a call on a dedicated business line in their business capacity. B2B cold calling to office numbers carries lower TCPA risk. But many business people now use personal cell phones as their main work contact, which can pull those numbers back under TCPA coverage. The FTC's TSR does reach some business-to-business telemarketing.
What disclosures does an agent have to make at the start of a cold call?
Under the FTC's TSR and FCC rules, agents must promptly disclose their own name, the company the call is made on behalf of, and a phone number or address where the company can be reached. These disclosures come at the beginning of the call, not buried mid-pitch. Missing any of them is a separate violation, independent of DNC or consent issues.
How do you handle a do-not-call request from a consumer during a call?
Honor the request promptly, add the number to your internal do-not-call list, and keep that list for at least five years. Calling the same number again after a do-not-call request is a willful violation, which means $1,500 per call rather than $500. Train agents to log opt-out requests in real time, not at the end of the shift.
Can AI voice technology be used for cold calling leads?
The FCC ruled in February 2024 that AI-generated voices qualify as artificial or prerecorded voices under the TCPA. So using an AI voice to speak to a consumer requires prior express consent, the same requirement that applies to traditional robocalls. Using AI for backend call scoring or routing is different from using it to generate the voice the consumer actually hears.
What records should you keep in case of a TCPA lawsuit?
Keep dated DNC scrub logs (within 31 days of each campaign), consent documentation naming your company specifically, list source records showing the vendor's consent representations, your internal do-not-call list with opt-out dates, and agent training logs. Five years is the standard retention window, comfortably past the TCPA's four-year statute of limitations. Missing any of these seriously weakens your defenses.
What are the alternatives to cold calling for lead generation?
Inbound-focused alternatives include SEO content, paid search, LinkedIn outreach, email to opted-in lists, webinars, and referral programs. These produce leads with at least some expressed interest, which means higher close rates and no TCPA exposure from the first contact. For markets where consumers never search for your product, cold calling stays necessary, but do it on scrubbed lists with live agents where you can.
What do Florida's telemarketing laws add beyond the TCPA?
Florida's Telephone Solicitation Act (FTSA), even after 2023 amendments that narrowed it, still creates a private right of action for autodialed calls without consent that use a random or sequential number generator. Florida is the highest-litigation state for these claims. If you call Florida numbers at scale, you need both federal TCPA compliance and a Florida-specific review. Do not assume TCPA compliance is enough.
Sources
- Cornell Legal Information Institute, 47 U.S.C. § 227 (Telephone Consumer Protection Act): $500 statutory damages per violation, $1,500 for willful violations; prohibition on ATDS calls to cell phones without consent; 8 a.m. to 9 p.m. calling hours
- FTC, Telemarketing Sales Rule (16 C.F.R. Part 310): TSR requires DNC scrubbing, limits call abandonment rate to 3%, establishes EBR windows of 18 months (purchase) and 3 months (inquiry)
- Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): ATDS definition requires use of a random or sequential number generator; narrowed the prior broader interpretation
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), F.S. § 501.059: Florida's FTSA creates a private right of action for autodialed calls without consent; 2023 amendments narrowed but did not eliminate the statute
- FTC, National Do Not Call Registry for businesses (donotcall.gov): Registry access costs $79 per area code per year; first five area codes free; all area codes cost $18,044 per year; data must be accessed within 31 days of use
- WebRecon LLC, consumer litigation statistics reports: TCPA federal lawsuit filings run in the low thousands per year in recent reporting periods
- U.S. Department of Justice, United States v. Dish Network LLC ($280 million judgment, 2017): $280 million judgment against Dish Network for do-not-call violations including calls made by authorized dealers; largest civil penalty under the FTC telemarketing rules at the time
- FTC, Complying with the Telemarketing Sales Rule (business guidance): TSR requires agents to disclose caller's name, company name, and a contact number or address at the start of each call
- FCC, 47 C.F.R. Part 64 (Restrictions on Telemarketing and Telephone Solicitation): Internal do-not-call lists must be maintained for at least five years; opt-out requests must be honored promptly