Last updated 2026-07-09

TL;DR
Hiring an overseas call center does not move TCPA liability offshore. Under 47 USC 227, the company that initiates or directs the call is liable, no matter where the dialer sits. To vet a foreign vendor safely, you need written consent documentation, verified DNC scrubbing logs, ATDS disclosure, call recording access, and ironclad contract indemnification before the first dial.
Does using an overseas call center protect you from TCPA liability?
No. Not even a little.
The Telephone Consumer Protection Act, 47 USC 227, attaches liability to the party that initiates or causes a call to be made to a US number. [1] The FCC has been consistent on this. If you hire a vendor, supply the lead list, and pocket the sales, you are the initiating party. Courts have repeatedly held the domestic client jointly liable with the foreign vendor, even when the client never touched the dialing software.
The FCC's 2015 Declaratory Ruling put the point plainly: a seller may be held vicariously liable for TCPA violations committed by its third-party telemarketers under federal common law agency principles. [2] An overseas address does not dissolve that agency relationship. It just makes your indemnification clause harder to collect on.
So the real question isn't "can I outsource my TCPA risk?" It's "how do I confirm my vendor's practices meet the TCPA so I'm not the one writing a seven-figure settlement check?" The cash app tcpa class action settlement and the credit one tcpa settlement both show what happens when companies skip the hard questions before a campaign launches.
What are the actual TCPA rules an overseas vendor must follow?
The statute doesn't care about geography. Any vendor calling US consumers on your behalf has to follow the same federal rules a domestic call center does.
Here's the short list:
- Get prior express written consent before using an autodialer or prerecorded voice to call a mobile number [1]
- Scrub against the National Do Not Call Registry before each campaign [3]
- Honor company-specific do-not-call requests within 30 days [3]
- Call only between 8 a.m. and 9 p.m. local time at the called party's location [8]
- Identify the seller's name on every call
- Give the consumer a way to opt out during any prerecorded call
The FCC's one-to-one consent rule, adopted in 2024, adds another layer: a single consent form can no longer authorize calls from multiple sellers. Each seller needs its own consent. [4] If your overseas vendor runs consent through a shared lead generation portal that names dozens of companies, every call they make for you is likely out of compliance right now.
For cold calling to residential landlines, prior express written consent isn't required for non-automated calls, but DNC compliance still is. What counts as a "cold call," and which dialing tech trips the ATDS wire, is covered in our cold call explainer.
What documents should you request from a foreign vendor before signing a contract?
This is where most small teams lose. They take a Zoom call, get a price sheet, and start shipping leads. Here's what you actually need in writing before anyone picks up a phone.
Consent documentation sample. Ask for a real example: the web page or IVR script where the consumer opted in, the timestamp, the IP address, and the exact disclosure language. The disclosure has to name your company. Vague language like "partners" or "affiliates" will not satisfy the FCC's one-to-one rule. [4]
DNC scrub certificates. Request proof they scrub against the national registry, and ask how often. The FTC requires businesses to download updated registry data at least every 31 days. [3] A vendor scrubbing quarterly is already non-compliant. Ask for the most recent scrub report, with the date and the record count before and after.
Dialing technology disclosure. Have them describe in writing what dialing system they run. If it meets the FCC's definition of an automatic telephone dialing system (ATDS), prior express written consent is required for every cell phone call regardless of content. The Supreme Court's Facebook v. Duguid decision in 2021 narrowed the ATDS definition, but the boundaries are still being fought over in the lower courts. [5] Don't assume your vendor's system is safe.
Call recordings access. You need to pull recordings for any call on demand, not "upon request with five business days' notice." Plaintiffs' attorneys move fast. You need recordings the same day.
State law compliance protocol. Several states, Florida, Oklahoma, and Maryland among them, run stricter calling laws than the federal TCPA. [6] Ask the vendor to show their state-specific opt-in and calling hour protocols, in writing.
Incident reporting. The contract must require the vendor to tell you within 24 to 48 hours of any consumer complaint, demand letter, or lawsuit naming your campaigns. You cannot defend what you don't know is happening.
What contract clauses protect you when the vendor causes a TCPA violation?
Vetting doesn't stop at document review. The contract is your second line of defense.
Start with indemnification. It needs to say the vendor will defend, indemnify, and hold you harmless for any TCPA claim arising from their acts or omissions, including violations of any applicable state telemarketing law. Make the risk asymmetric in practice: they carry their operational failures, you carry only your own.
Statutory damages under the TCPA run $500 per negligent violation and $1,500 per willful violation. [1] In a class action, that math gets ugly fast. An indemnification clause is worthless if the vendor has no money, so require proof of errors and omissions (E&O) insurance with a per-occurrence limit that could actually absorb a class. For a mid-size campaign, $2 million per occurrence is a floor, not a ceiling.
Add a right-to-audit clause. You should be able to request consent records, call logs, and DNC scrub certificates for any campaign at any time, with a 48-hour turnaround. Without it, you're blind if litigation starts.
Build in cure and termination rights. If the vendor fails a compliance audit or draws three or more TCPA complaints in a 30-day window, you want the right to terminate for cause immediately, no penalty. Cold calling rules shift fast enough that a vendor who was fine last year may be out of compliance today.
Choice of law matters too. An overseas vendor will try to name their own country's law as governing law. Push back hard. US courts apply the TCPA regardless, but governing law shapes how indemnification disputes play out. Insist on a US state you actually operate in.
How do you verify a vendor's DNC scrubbing process?
The National Do Not Call Registry holds more than 249 million registered phone numbers as of the FTC's most recent Data Book. [3] A vendor who doesn't scrub properly hands you exposure on almost every residential call.
Here's a practical check. Take 50 phone numbers from a list the vendor says is scrubbed and run them yourself against the registry. The FTC's subscription service lets registered organizations query numbers. [3] If any active DNC registrations show up in your sample, the vendor's scrubbing is broken or stale. Do this before the campaign starts, not after.
Check their internal suppression list too. The TCPA and the FTC's Telemarketing Sales Rule both require companies to keep a company-specific do-not-call list and honor requests for at least five years. [8] Ask how large their suppression list is and how it gets populated. A vendor who's made millions of calls over several years and has a suppression list of a few hundred numbers is almost certainly not honoring opt-outs.
Our do not call list guide and how do i get the do not call list explainer walk through how to access and verify registry data yourself. Worth doing as a double-check even if you trust your vendor.
For mobile numbers specifically, see our mobile phone do not call list article, because cell phones carry extra ATDS-related requirements that landline scrubbing alone won't cover.
How can you tell if a vendor is actually TCPA-compliant vs. just claiming to be?
Every vendor claims compliance. Most can't prove it.
The best single signal is whether they can produce consent records in a format that would survive in court. That means a timestamped record with the consumer's IP address, the URL of the consent page, the exact disclosure language displayed, and confirmation the phone number was entered by the user, not pre-filled. If a vendor says they have consent but can't produce a record in that format within 24 hours, treat it as a red flag.
Ask for references from US-based clients who have received TCPA demand letters and can confirm the vendor handed over records quickly. Don't settle for happy clients. Ask specifically for clients who worked through a compliance problem with this vendor.
If the vendor generates leads rather than just dialing them, load their consent pages yourself. Is the consent language disclosed up front, or buried in a footer? Does it name your company, as the FCC's 2024 ruling requires? [4] Does it say automated calls may be made? If you have to squint to find the disclosure, a court won't be impressed either.
Check litigation databases. PACER, the federal court records system, is public and searchable. [7] Search the vendor's legal name and any known DBA names. A vendor with three or more TCPA cases in the past two years earns heavy extra scrutiny, because that pattern points to systemic practices, not bad luck.
The LeadCompliant free TCPA checklist works well here as a structured walkthrough, so you don't miss a line item during vendor calls.
What red flags should immediately disqualify an overseas vendor?
Some things are just deal-breakers. No pricing discount buys them back.
They can't produce a sample consent record. If the vendor holds your consent data and can't show you a single record within 24 hours, they don't have real records.
They scrub DNC data less than monthly. The FTC's 31-day rule is the federal floor. [3] Anything slower is non-compliant before a single call goes out.
They use a shared consent form across multiple sellers. The FCC's one-to-one consent requirement, adopted in 2024, killed that practice. [4] A vendor still running multi-seller consent forms is on borrowed time.
They refuse audit rights. A compliant vendor knows clients need documentation for their own defense and has nothing to hide. Refusal tells you they can't withstand scrutiny.
They promise zero complaints. That's not a compliance guarantee. It's a sales pitch. Every operation of scale gets complaints. What matters is how fast they document and suppress them.
They operate from a jurisdiction with no US legal presence. If litigation hits and they vanish, your indemnification clause is worth nothing. Verify they have a US-registered legal entity, a US bank account, or at minimum US-based legal counsel.
For examples of what bad outcomes look like when these flags get ignored, the do not call telemarketer list enforcement actions are instructive.
What TCPA consent requirements apply to overseas vendors calling US cell phones?
Cell phone calls carry the highest exposure, and overseas vendors cut corners there most often.
For any call to a US mobile number using an ATDS or a prerecorded voice, the TCPA requires prior express written consent. [1] "Written" means a signed agreement, wet or electronic, and it has to clearly authorize the seller making the call. The consent must disclose that calls may be placed using an autodialer.
After Facebook v. Duguid (2021), the ATDS definition requires a system with "the capacity either to store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator," per the Supreme Court's opinion. [5] Plenty of predictive dialers used by overseas vendors still meet that definition. If the vendor uses any form of automated dialing, assume ATDS applies and require written consent for every cell number.
Text messages to cell phones fall under the same TCPA rules as calls. [1] Our text message marketing guide covers the SMS side in detail.
One more thing: consent doesn't transfer across sellers. If your vendor bought a lead list from a third party that collected consent for a different company, that consent is invalid for your calls. Not a technicality. Courts and the FCC have been clear about it. [4]
How should you structure ongoing monitoring of an overseas vendor after onboarding?
Vetting once at the start is necessary but not enough. Vendor practices drift. Staff turns over. Dialing software updates without telling you.
Set a monthly compliance review. Pull a random sample of 25 to 50 call recordings each month and review them for required disclosures, calling hours, and opt-out handling. If you can't do this in-house, hire a compliance consultant for a few hours a month. Far cheaper than a settlement.
Require a monthly scrub certificate. The vendor should send you a dated document confirming they pulled an updated registry from the FTC within the last 31 days and scrubbed your lead list against it. File every one. If litigation hits, a consistent paper trail of scrub certificates is real evidence of good faith.
Track complaint volume. Ask for a weekly log of consumer complaints or opt-out requests tied to your campaigns, and compare the rate against industry norms. Nobody has great public data on baseline TCPA complaint rates by campaign type. The closest reference is the FTC's annual Do Not Call Data Book, which shows complaint volumes and which industries generate the most. [3]
Review the contract once a year. Laws change, the FCC issues new rulings, and state legislatures keep piling on requirements. A contract that was adequate in 2023 may have gaps today because of the 2024 one-to-one consent rule. [4] Put an annual contract review on your compliance calendar.
LeadCompliant's one-time compliance kit includes a vendor audit template you can send straight to your calling partner, so you're not building the questionnaire from scratch.
What happens if your overseas vendor violates the TCPA and a class action is filed?
The plaintiff names you, not the vendor. That's the reality.
Under the vicarious liability principles affirmed in the FCC's 2015 Declaratory Ruling, a seller can be held liable for a telemarketer's TCPA violations if the seller ratified the conduct or the telemarketer acted with apparent authority. [2] Ratification can be as simple as paying invoices and accepting leads from campaigns you knew were running.
Class certification is common in TCPA cases. Damages are statutory, individual proof of harm isn't required, and the same calling list usually defines the class. At $500 per call per class member, a class of 10,000 people generates $5 million in minimum exposure. [1] Willful violations triple that to $15 million.
Your first call should be to a TCPA defense attorney, not to your vendor. Preserve everything immediately: consent files, call logs, scrub certificates, vendor contracts, and all communications. Delete nothing.
Then pursue your indemnification rights under the contract. Whether you collect depends on whether the vendor is solvent and adequately insured. That's why the pre-contract due diligence on insurance and US legal presence matters so much.
Settlement values vary enormously. Large TCPA class actions involving major financial brands have settled in the tens of millions. Smaller single-defendant cases sometimes resolve for under $100,000 when records are clean and the violation looks isolated. The difference is almost always documentation.
Is there a simple vetting checklist you can use right now?
Yes. Here's a practical table covering the minimum before you hand any lead list to an overseas vendor.
| Vetting Item | Minimum Standard | Deal-Breaker if Missing? |
|---|---|---|
| Sample consent record | Timestamped, IP-logged, named seller | Yes |
| DNC scrub frequency | At least every 31 days [3] | Yes |
| ATDS disclosure in writing | Confirms dialing tech and consent requirement | Yes |
| One-to-one consent confirmation | Consent names your company only [4] | Yes |
| Call recording access | On-demand, 48-hour turnaround | Yes |
| Company suppression list size | Proportionate to call volume | Red flag if tiny |
| E&O insurance certificate | $2M+ per occurrence recommended | Yes |
| Indemnification clause | Full TCPA indemnification in contract | Yes |
| Audit rights clause | Any time, 48-hour turnaround | Yes |
| US legal entity or counsel | Verifiable US presence | Yes |
| PACER litigation search | No pattern of repeated violations | Red flag if pattern found |
| State law protocol | Written protocol for FL, OK, MD, TX, WA at minimum [6] | Red flag if absent |
This table is a starting point, not a legal opinion. TCPA requirements shift regularly and state laws add their own layers. Work with a TCPA-focused attorney before launching any high-volume campaign.
*Nothing in this article is legal advice. Consult qualified legal counsel for guidance specific to your situation.*
Frequently asked questions
Can I be sued for TCPA violations even if my overseas vendor made the calls?
Yes. The FCC's 2015 Declaratory Ruling confirmed that sellers face vicarious liability for violations by third-party telemarketers under federal agency law. If you supplied the lead list, paid for the calls, and profited from the results, a court will likely find you jointly liable. Your vendor's overseas location doesn't change that analysis. The TCPA attaches to the call reaching a US consumer, not to where the caller sits.
What is the minimum DNC scrub frequency required by law?
The FTC's Telemarketing Sales Rule requires businesses to download updated National Do Not Call Registry data at least every 31 days before calling. Any vendor scrubbing quarterly or less is already non-compliant with federal rules before a campaign begins. Some states impose shorter windows, so check state-specific telemarketing rules for any market you're calling into.
Does the FCC's 2024 one-to-one consent rule apply to my overseas vendor?
Yes. The FCC's one-to-one consent rule requires that consent for automated calls or texts name the specific seller making the call. A shared consent form covering multiple companies is no longer valid. If your overseas vendor uses a lead generation portal that collects consent for many sellers at once, every call they make to those leads on your behalf is likely out of compliance.
How do I verify that an overseas vendor's consent records would hold up in court?
Ask for a sample record that includes the timestamp of consent, the consumer's IP address, the URL of the page where consent was given, the exact disclosure text shown, and confirmation the phone number was entered by the user. If any of those elements are missing, the record probably won't survive a plaintiff's attorney's challenge. Run a small test: ask for records for a specific batch of leads before the campaign scales.
What insurance should I require from an overseas call center?
At a minimum, require errors and omissions (E&O) insurance with a per-occurrence limit of at least $2 million. For large-volume campaigns, $5 million is more appropriate. Also require general commercial liability insurance and that your company be named as an additional insured. Get certificates before signing, not promises they'll send them later. Verify the certificates come from a real, rated insurer.
What US states have stricter telemarketing laws than the federal TCPA?
Florida, Oklahoma, Maryland, Washington, and Texas all have state-level telemarketing statutes with requirements that go beyond the TCPA in at least one area, such as earlier calling hour cutoffs, lower consent thresholds, or added disclosure requirements. Several allow private lawsuits with their own damages. Always confirm your vendor has a written compliance protocol for every state your campaign will reach.
What should I do if I discover my overseas vendor has been violating TCPA rules?
Stop campaigns immediately. Preserve all records: contracts, consent files, call logs, scrub certificates, and communications with the vendor. Contact a TCPA defense attorney before responding to any demand letter or inquiry. Then pursue indemnification under your contract. Do not destroy records, and do not communicate informally with plaintiffs or their counsel. Your response in the first 48 hours shapes your legal exposure significantly.
Can an overseas vendor use text messaging to reach US consumers on my behalf?
Only with proper prior express written consent. The TCPA treats SMS messages to cell phones essentially the same as autodialed calls: both require prior express written consent if an ATDS is used. The FCC's one-to-one consent rule applies to texts as well. A vendor sending bulk texts without verified, named-seller consent generates the same liability as one making unauthorized autodialed calls.
How do I search for existing TCPA lawsuits against a potential vendor?
Use PACER (Public Access to Court Electronic Records) at pacer.uscourts.gov to search federal court records by the vendor's legal name and any known DBAs. TCPA class actions are filed in federal court under federal question jurisdiction. A pattern of three or more cases in two years suggests systemic compliance failures, not bad luck. Also search your state court system for smaller demand-letter settlements that never went federal.
What TCPA damages can I face if a class action is certified?
Statutory damages are $500 per negligent violation and $1,500 per willful violation under 47 USC 227. In a class action, the class is typically defined by the same calling list, so if 10,000 people were called without proper consent, minimum exposure is $5 million at the negligent rate. Courts have discretion to reduce class-wide damages if they would be disproportionate, but that's not guaranteed. Settlement values depend heavily on how clean your documentation is.
Does the TCPA apply to B2B calls made by an overseas vendor?
Mostly, with nuances. The TCPA's autodialer and prerecorded voice restrictions apply to calls to cell phones regardless of whether the recipient uses the phone for business. The National Do Not Call rules have an established business relationship exception and don't cover purely B2B transactions the same way. But if your vendor calls business professionals on their personal cell phones using an ATDS, the standard TCPA consent requirements apply.
How often should I audit an overseas vendor after onboarding?
Monthly at minimum: pull 25 to 50 random call recordings, review a scrub certificate, and check the complaint log. Run a full written audit using a formal questionnaire at least quarterly. Review the vendor contract annually against current law, especially since the FCC's 2024 one-to-one consent rule changed requirements for any campaign using consent-based lead data. Document every audit in writing and keep it on file.
What is the statute of limitations for TCPA claims?
The TCPA has a four-year federal statute of limitations under 28 USC 1658, because it's a federal statute with no explicit limitations period of its own. Some courts have applied the analogous state statute, which can be shorter, but four years is the safe planning assumption. Calls made today can generate claims for four years, so your record retention for consent and DNC scrubs needs to cover at least that long.
Are there any safe harbor protections if my vendor violates TCPA rules without my knowledge?
There's a limited safe harbor for certain errors if you have procedures in place and the call was made in error. For DNC violations specifically, 47 USC 227(c)(5) provides a safe harbor if the seller keeps written policies, trains its personnel, maintains its own suppression list, and scrubs against the national registry. But courts apply these safe harbors narrowly, and ratifying a vendor's calls by accepting the business benefit tends to undercut the 'without knowledge' defense.
Sources
- U.S. Government, 47 USC 227, Telephone Consumer Protection Act (Cornell LII): TCPA statutory text establishing restrictions on autodialed calls, consent requirements, and $500/$1,500 per-violation damages
- FTC, National Do Not Call Registry Data Book and business guidance: 249 million-plus registered numbers, 31-day scrub requirement, and Do Not Call complaint volumes reported in the FTC Data Book
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems with the capacity to store or produce numbers using a random or sequential number generator
- National Conference of State Legislatures, State Telemarketing Laws: Multiple states including Florida, Oklahoma, and Maryland have state telemarketing statutes with requirements exceeding the federal TCPA
- U.S. Courts, PACER (Public Access to Court Electronic Records): Federal court records searchable by party name, used to identify existing TCPA litigation history for vendor due diligence
- FTC, Telemarketing Sales Rule, 16 CFR Part 310: TSR requirements for company-specific do-not-call lists, five-year retention, honoring opt-outs, and calling hour restrictions (8 a.m. to 9 p.m. local time)
- FCC, Consumer guidance on unwanted calls and robocalls: FCC guidance on robocall restrictions and identification requirements for telemarketing calls
- U.S. Government, 28 USC 1658, Limitations Period for Federal Statutes (Cornell LII): Four-year federal statute of limitations applied to TCPA claims under the general federal limitations statute