Insurance prospecting tools compliance: TCPA and Do Not Call rules explained

TCPA violations cost up to $1,500 per call. Here's how insurance teams pick prospecting tools that stay compliant with federal and state DNC rules.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-10

Home office desk with phone and printed call list used for insurance prospecting
Home office desk with phone and printed call list used for insurance prospecting

TL;DR

Insurance prospecting tools have to comply with the TCPA (47 U.S.C. § 227), the FTC's National Do Not Call Registry, and state rules that often go further. Violations run $500 to $1,500 per call or text. The safe path: scrub every list against the DNC registry, get express written consent before any autodialed or prerecorded call, and check a tool's consent-capture and scrubbing features before you sign anything.

Why insurance teams get sued under TCPA more than most industries

Insurance sits near the top of the list for TCPA class action filings, and the reason is not a mystery. Outbound volume is enormous. Margins on a sold policy pay for aggressive prospecting. And the gap between what agents think the law requires and what it actually requires is wide.

The statute, 47 U.S.C. § 227, bans using an automatic telephone dialing system (ATDS) or a prerecorded voice to call a cell phone without prior express consent [1]. It also bans telemarketing calls to numbers on the National Do Not Call Registry unless you have written consent or an established business relationship [2]. Each violation carries a $500 penalty, trebled to $1,500 if a court finds it was willful or knowing [1].

Run the math on an agency dialing 10,000 numbers a week. A single scrubbing failure against the DNC registry produces thousands of violations at once. That is the arithmetic that makes insurance dialing campaigns a favorite target for plaintiffs' attorneys. UnitedHealthcare paid $2.5 million to settle alleged TCPA violations, and the underlying facts were ordinary: outbound calls to numbers that had not consented.

The risk lives inside the prospecting workflow itself. That is why the tool you dial with matters as much as the policy you sell.

What does the TCPA actually require for insurance cold calls?

The TCPA splits into separate tracks depending on how you reach the prospect and what kind of number you dial. Miss which track applies and you miss the rule.

Track 1: Calling a cell phone with an ATDS or prerecorded voice. You need prior express written consent from that specific person before the first contact. The FCC's 2012 order tightened the standard: the consent has to be signed (an electronic signature counts), has to clearly say the person agrees to receive autodialed or prerecorded calls, and has to name who is calling [3]. A lead form that just says 'submit to get a quote' does not clear that bar unless it also discloses the autodialing and names your company.

Track 2: Calling a residential landline for telemarketing. Here you need either a pre-existing business relationship or express written consent. The National Do Not Call rules under 47 C.F.R. § 64.1200 apply. If the number is on the registry and you lack that relationship or consent, the call is a violation [2].

Track 3: Any number on your internal do-not-call list. If someone opted out, you cannot call them again. Federal law requires you to keep your own internal DNC list and honor opt-outs within 30 days [2].

For a plain-English walkthrough of the statute, see What does TCPA mean? The plain-English breakdown. For the current rules including 2025 changes, TCPA 2025: what changed, what it costs, and how to stay compliant covers the post-2024 FCC landscape.

One thing that catches new compliance owners off guard: B2B calls get some shelter, but it is narrower than most assume. See TCPA b2b exemption for AI calls: what businesses actually get for where the limits fall.

How do the FTC Do Not Call rules interact with TCPA for insurance?

The National Do Not Call Registry is an FTC program, not an FCC one, but both agencies enforce telemarketing rules that overlap. The FTC runs the Telemarketing Sales Rule (16 C.F.R. Part 310). The FCC runs the TCPA regulations under 47 C.F.R. Part 64. For most insurance outbound teams, both sets of rules apply at the same time [11].

The registry covers personal cell phones and residential landlines. A number stays on the list indefinitely until the consumer removes it. As of 2024, the registry held more than 249 million phone numbers [4].

The established business relationship exemption under the TSR lets you call existing customers for up to 18 months after the last transaction, or up to 3 months after an inquiry. That exemption dies the moment someone tells you to stop calling. A specific do-not-call request beats the relationship, always [11].

State insurance regulators add another layer. California, Florida, Indiana, and others have telemarketing statutes that run stricter than federal rules on calling hours, consent language, or required disclosures. A tool that is 'TCPA compliant' by federal standards can still put you in violation of a state rule [5].

For a current read on what has shifted at the federal level, Telemarketing rules news: what changed and what's coming in 2025-2026 is worth a bookmark.

TCPA exposure at a glance for insurance prospectors Key thresholds and figures every outbound insurance team needs to know 500 Statutory damages per viola… 1,500 Trebled damages per willful violation 31 DNC scrub must be current within (days) 249 Registered DNC numbers (mil… 2024) Source: 47 U.S.C. § 227, 47 C.F.R. § 64.1200, FTC donotcall.gov (2024)

What TCPA compliance features should an insurance prospecting tool actually have?

This is where most teams blow the buying decision. They grade prospecting tools on data quality, price per lead, or CRM integrations, then treat compliance as a checkbox instead of a set of concrete technical requirements. Here is what to actually look for.

DNC scrubbing that runs before every campaign. Not once at import. Numbers rotate on and off the registry constantly. A list that was clean in January can hold DNC numbers by March. Ask the vendor two direct questions: how often is your registry data refreshed, and do you scrub at dial-time or only at upload? If the answer is 'upload only,' that is a liability gap.

Consent timestamp and source capture. When a lead enters the system, the tool should record exactly what consent language the person saw, when they saw it, and on which form or page. This matters because if you get sued, the burden of proof shifts to you to show prior express consent. A timestamp and a screenshot are worth far more than a vendor's verbal promise.

Internal DNC list management. The system has to let prospects opt out easily and suppress those numbers automatically. 30 days is the legal maximum to honor an opt-out [2]. Best practice is 24 to 48 hours.

Calling hours enforcement. Federal rules limit telemarketing calls to 8 a.m. through 9 p.m. in the called party's local time [2]. A good tool enforces this by the prospect's time zone, not your office's. Sounds trivial until an agent in Chicago dials a California number at 7:45 a.m. their time.

Audit logs. Every call, every consent event, every opt-out, every scrub, logged and exportable. If litigation comes, you will need all of it.

Safe harbor documentation. The TCPA gives you a safe harbor if you can show written DNC procedures, staff training, and registry scrubbing [2]. Good tools produce the paperwork that backs the safe harbor defense.

LeadCompliant's free DNC checker and compliance kit (at leadcompliant.com) cover the core documentation you need, including the consent log template and opt-out tracking process, without a software subscription.

What are the biggest TCPA traps in insurance lead generation?

Bought leads are the single biggest trap. An agency buys a list of homeowners, renters, or auto policyholders from a data broker. The list looks clean. The dialing starts. Three months later there is a class action. Why?

Because the consent behind that list was nonexistent, expired, or generic. The FCC's 2024 one-to-one consent rule (Report and Order FCC 24-15) went straight at this problem [3]. Starting January 2025, a consumer's consent to receive calls from 'marketing partners' or a broad list of companies is no longer enough for TCPA purposes. The consent has to name the specific seller, meaning your agency, not the lead generator. If the opt-in form said something like 'I agree to be contacted by insurance providers,' that consent does not meet the new standard for autodialed calls to cell phones.

The second trap is prerecorded and AI voice calls. Agents sometimes use ringless voicemail drops or AI voice tools figuring they are not 'calls' under TCPA. They are. The FCC has said ringless voicemail drops count as calls under the statute, and AI-generated voices used for marketing need the same prior express written consent as any other prerecorded message [3].

The third trap is texting on the wrong consent. SMS to prospects falls under TCPA if sent via an autodialer. See text message marketing for how the consent standard applies to insurance text outreach. Plenty of agencies run text campaigns assuming a web quote form-fill counts as consent. It does if the form explicitly says so and names your company. It does not if it just says 'submit for a quote.'

For what a TCPA lawsuit looks like and what it costs, the Credit One TCPA settlement and Truist Bank TCPA class action settlement cases show how fast settlement numbers climb.

Does the existing business relationship exemption protect insurance renewals?

Sort of, but not the way most agents believe. The existing business relationship (EBR) exemption under the TSR lets you call a customer for 18 months after their most recent transaction [11]. For insurance, a 'transaction' usually means a purchase, a payment, or a renewal. So if someone renewed their auto policy with you 6 months ago, you can call them about cross-selling homeowners coverage even if their number is on the DNC registry, as long as they have not told you to stop.

Here is the part that trips people up. The EBR exemption does not override the TCPA's consent requirement for autodialed calls to cell phones. That is a separate legal track. EBR is a TSR/FTC concept. The TCPA autodialer consent rule is an FCC concept. You can hold a valid EBR and still violate TCPA by using an ATDS to call a cell phone without separate written consent.

Agents hear 'existing customer, no problem' and assume every channel is covered. It is not. Autodialed cell phone calls need express written consent to be autodialed, separate from the fact that the person is a customer.

See TCPA existing business relationship: what actually protects you for the full breakdown of when EBR works and where it stops.

How much can a TCPA violation actually cost an insurance agency?

Statutory damages are $500 per violation, up to $1,500 if a court finds the violation willful [1]. In practice, a 'violation' is each individual call or text to a non-consenting or DNC-listed number. Class actions stack those individual violations, so the number gets big in a hurry.

Settlements in the $2 million to $76 million range are documented across TCPA litigation history [6]. For insurance specifically, the UnitedHealthcare $2.5 million settlement for alleged TCPA violations is one of the more cited cases [1]. Small agencies face smaller absolute numbers but proportionally similar exposure against their revenue.

Then there is the cost of defense. Even winning a TCPA case commonly runs $50,000 to $500,000 in legal fees, depending on whether it reaches class certification. Most smaller agencies settle early to skip that bill.

State attorneys general can also bring enforcement actions under state telemarketing laws, adding state penalties on top of federal ones. Florida's FTSA allows $500 per call with a two-year statute of limitations, layered right on top of federal TCPA exposure [5].

The honest answer on total exposure for a mid-sized agency running a non-compliant dialing campaign: the range is wide, but six-figure settlements are common and seven-figure settlements are not rare. See the penalties and lawsuits section for how courts calculate damages.

Comparing the main categories of insurance prospecting tools on compliance risk

Not every prospecting tool carries the same risk. Here is a practical breakdown by category.

Tool CategoryDNC ScrubbingConsent CaptureATDS RiskTypical Compliance Gap
Predictive dialers (hosted)Usually includedUsually absentHighConsent documentation missing
Power dialers (click-to-call)VariesUsually absentLower (agent-initiated)Still ATDS if the queue is automated
CRM with dialing (Salesforce, HubSpot integrations)Rarely built inDepends on form setupDepends on dialer add-onScrubbing done manually or not at all
Lead gen platforms (data brokers)Scrub at exportConsent often unverifiedN/A (no dialing)Consent quality and specificity
SMS platforms (text marketing)Rarely built inBuilt in on good platformsHigh (autodialer by definition)Missing TCPA-compliant opt-in language
AI voice / ringless voicemailRarely built inRarely built inHigh (FCC confirmed)Both consent and ATDS gaps

The pattern jumps out fast. Most tools handle dialing mechanics well and handle compliance documentation badly. The gap sits almost always on the consent side and on how often the DNC scrub runs.

If you are evaluating tools right now, ask the vendor for a compliance documentation sample. If they cannot show you a consent timestamp log, a DNC scrub report, and an opt-out audit trail from an existing client, treat that as a red flag.

For how TCPA rules apply to SMS-based prospecting, text messaging marketing covers the standards for insurance text campaigns.

What does a compliant insurance prospecting workflow actually look like?

A compliant workflow runs five steps in order. Skip any one and that is where liability walks in.

Step 1: List acquisition with consent verification. If you buy leads, the consent documentation has to travel with each record and has to name your company specifically. If you generate leads from your own web forms, the form has to disclose autodialed calls, prerecorded messages, and texts by name, and cannot require consent as a condition of getting a quote (the TCPA bars bundling consent with a product purchase) [3].

Step 2: Pre-campaign DNC scrub. Every number gets checked against the federal registry (and any relevant state registries) no more than 31 days before launch. The safe harbor under 47 C.F.R. § 64.1200(c)(2) requires the scrub to be current [2].

Step 3: Calling hours enforcement by local time zone. The system controls this, not the agent. 8 a.m. to 9 p.m. in the called party's local time, every day [2].

Step 4: Real-time opt-out capture. If someone says 'stop calling me' or texts 'STOP,' that number lands on the internal DNC list within 24 hours, and the suppression holds until the person re-consents.

Step 5: Record keeping. Every call disposition, every consent event, every opt-out, and every scrub, logged with timestamps. The FCC requires written DNC procedures [2]. When a demand letter or suit shows up, these records are the difference between a quick dismissal and a long settlement.

Compliance kits like the one at LeadCompliant (leadcompliant.com) bundle the written DNC procedure, the consent log template, and the opt-out tracking sheet into one package you can hand an attorney to check before you launch.

What state laws do insurance prospectors need to know beyond federal TCPA?

Federal law is the floor, not the ceiling. Several states have telemarketing or privacy statutes that reach further, and any agency working across state lines needs to know which ones bite.

Florida (FTSA). Florida's Telephone Solicitation Act extends TCPA-style protections to autodialed calls and texts sent to Florida numbers. It carries a private right of action much like TCPA, at $500 per violation, and Florida plaintiffs have sued hard under it since 2021 [5]. The FTSA's definition of autodialer may be broader than the federal one after Facebook v. Duguid.

California (CPUC and CCPA). California has its own Public Utilities Commission telemarketing rules plus the California Consumer Privacy Act. The CCPA gives residents the right to opt out of the sale of their personal data, which shapes how data-broker leads can be used for insurance prospecting [8].

Washington, Oklahoma, and Indiana each have state DNC registries or telemarketing licensing rules that apply to agents calling into those states. Skip the registration or the state scrub and you add a separate violation track.

The collision of state law and federal TCPA is an active litigation area. A state claim can survive when a federal TCPA claim is dismissed, or the other way around. Any agency operating nationally should have counsel review its state exposure once a year.

For a state-by-state reference, the FTC maintains its Telemarketing Sales Rule materials at ftc.gov [11], and the National Conference of State Legislatures tracks state telemarketing legislation at ncsl.org [9].

How do you get the TCPA safe harbor as an insurance seller?

The TCPA and its regulations give you a safe harbor defense if you can show four things: written procedures to comply with the do-not-call rules, personnel trained on those procedures, a list of numbers that have asked not to be called, and a process to keep calls off the DNC registry numbers [2].

The regulation at 47 C.F.R. § 64.1200(c)(2) reads: "a person or entity will not be liable for violating the federal do-not-call rules if it can demonstrate that the violation is the result of error and that as part of its routine business practice, it meets the following standards," followed by the four elements above [2].

Read that language closely. It is an error defense, not blanket immunity. It protects you when a number slips through a reasonable, documented process. It does nothing for you if you have no process, or if the error was systematic.

So the safe harbor is most useful for the occasional inadvertent contact, not for a pattern of violations. Courts have denied it when plaintiffs showed the defendant had no real written procedure, even where the defendant claimed one existed verbally.

For TCPA guidelines on documenting the safe harbor correctly, that article walks through the procedure template structure.

Frequently asked questions

Yes, if you use an automatic telephone dialing system or a prerecorded voice. The TCPA requires prior express written consent before making autodialed or prerecorded calls to cell phones, whether or not the number is on the DNC registry. Manual, human-initiated calls to cell phones face a lower bar, but you still cannot call numbers on the National DNC Registry without consent or an established business relationship.

Can I call someone I got a quote request from without written consent?

A quote request creates an inquiry-based relationship that allows calls for up to 3 months under the FTC's Telemarketing Sales Rule, for DNC purposes. But if you plan to use an autodialer to reach their cell phone, you still need prior express written consent under TCPA. The quote form has to explicitly disclose autodialed calls and name your company. A generic 'submit for quote' button does not satisfy that requirement.

FCC Report and Order FCC 24-15, effective January 2025, requires that a consumer's TCPA consent name the specific seller making calls, not a category of 'marketing partners.' Insurance agencies buying leads where the opt-in form listed multiple companies or used generic language no longer hold valid consent for autodialed cell phone calls. You need new consent forms that name your agency specifically.

How often do I need to scrub my list against the Do Not Call registry?

The TCPA's regulations require your DNC scrub to be no older than 31 days when you call. The federal safe harbor requires ongoing scrubbing as a routine business practice, not a one-time import check. Best practice is to scrub within 24 to 48 hours of any campaign launch and to re-scrub monthly for any list you keep active.

No, not without prior express written consent to a cell phone. The FCC has said ringless voicemail drops count as 'calls' under the TCPA because they deliver a message to the subscriber's voicemail system, which is part of the phone service. You need the same consent for a voicemail drop as for any other prerecorded call to a cell phone.

What hours can insurance agents legally call prospects?

Federal telemarketing rules limit outbound telemarketing calls to 8 a.m. through 9 p.m. in the local time of the person being called, under 47 C.F.R. § 64.1200(c)(1). 'Local time' means the prospect's time zone, not the agent's. Some states run tighter windows, for example restricting Sunday calls or setting earlier evening cutoffs. Your dialing platform should enforce time zone rules automatically.

Can I text insurance prospects for prospecting purposes?

Yes, but only with prior express written consent if you send via an autodialer, which most SMS marketing platforms are. The consent has to specifically disclose that the person agrees to receive text messages, and has to name your company. Texts to numbers on the DNC registry are also prohibited without consent. Opt-out requests via 'STOP' must be honored within 30 days, and best practice is 24 hours.

Does the existing business relationship exemption cover cross-selling to current policyholders?

For DNC purposes under the TSR, yes: you can call an existing policyholder for up to 18 months after their last transaction about related products. But this exemption does not cover autodialed calls to their cell phone under TCPA, which needs separate written consent. A policyholder who gave you their cell number for account management did not necessarily consent to autodialed marketing calls.

What records do I need to keep to defend a TCPA claim?

You need written DNC procedures, staff training records, consent logs with timestamps and form copies, DNC scrub reports with dates, and internal DNC list records showing opt-out dates. The TCPA safe harbor requires demonstrating a routine business practice with documentation. Courts have rejected safe harbor defenses where defendants could only offer verbal descriptions of their procedures.

Are there state DNC registries separate from the federal one I need to scrub?

Yes. Several states keep their own DNC registries that require separate registration and scrubbing, including Colorado, Indiana, Louisiana, Massachusetts, Missouri, Oregon, Tennessee, Texas, and Wyoming, among others. Scrubbing only the federal registry leaves you exposed to state-level violations, which carry their own penalty tracks independent of TCPA.

What makes a TCPA violation 'willful' and how does that change my exposure?

Courts have found willfulness when a defendant knew about the TCPA requirements and proceeded anyway, or when a pattern of violations showed disregard for the law. Willful violations allow trebled damages of $1,500 per call versus $500. You do not have to intend to break the law; you just have to knowingly do the conduct that violates it. Documented non-compliance after a complaint or demand letter is frequently cited as evidence of willfulness.

How does the FCC's ATDS definition after Facebook v. Duguid affect insurance dialers?

The Supreme Court's 2021 Facebook v. Duguid decision narrowed the ATDS definition to systems that use a random or sequential number generator to store or produce numbers to dial. Many modern predictive dialers that dial from a pre-loaded list may fall outside ATDS, which lowers TCPA exposure for cell phone calls on those systems. But state laws like Florida's FTSA may use a broader definition, and the FCC is revisiting its own ATDS rules, so the landscape stays unsettled.

Only if the consent document specifically names your company and meets the FCC's post-2025 one-to-one consent standard. You cannot rely on a vendor's blanket 'marketing partners' consent. Request the actual consent form and a data sample showing consent timestamps. If you cannot verify the consent quality, you carry the liability if a suit is filed, not the vendor.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits autodialed or prerecorded calls to cell phones without consent; violations carry $500 per call, trebled to $1,500 for willful violations
  2. FCC, 47 C.F.R. § 64.1200, Delivery restrictions: Requires DNC scrubs no older than 31 days, calling hours 8am-9pm local time, 30-day opt-out honor period, and written DNC procedures for safe harbor
  3. FTC, National Do Not Call Registry, donotcall.gov: Registry holds over 249 million registered numbers as of 2024; established business relationship exemption allows calls for 18 months after last transaction, 3 months after inquiry
  4. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA provides $500 per violation private right of action for autodialed calls and texts to Florida numbers, with a two-year statute of limitations
  5. WebRecon LLC, TCPA Lawsuit Statistics: TCPA settlements documented in the $2 million to $76 million range in class action litigation history
  6. California Attorney General, California Consumer Privacy Act: CCPA gives California residents rights to opt out of sale of personal data, affecting how data-broker insurance leads can be used in California
  7. National Conference of State Legislatures, Telemarketing and Consumer Protection: Multiple states including Colorado, Indiana, Texas, and Wyoming maintain separate state DNC registries requiring independent registration and scrubbing
  8. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Narrowed ATDS definition to systems using random or sequential number generators, excluding many predictive dialers that dial from pre-loaded lists
  9. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR governs telemarketing practices including DNC compliance, established business relationship exemption, and calling hour restrictions alongside FCC TCPA rules

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit