Last updated 2026-07-10

TL;DR
Cold calling is not illegal, but it is heavily regulated. Federal law (the TCPA, 47 U.S.C. § 227) and the FTC's Do Not Call rules control when, how, and whom you can call. Violators face fines of $500 to $1,500 per call under the TCPA, and up to $51,744 per call under FTC penalties. Follow the rules and cold calling stays a fully legal sales channel.
What does the law actually say about cold calling?
Cold calling is legal. No federal statute bans outbound sales calls outright. The law sets conditions you have to meet before you dial, and a short list of things you can never do once someone picks up.
The main federal law is the Telephone Consumer Protection Act of 1991, codified at 47 U.S.C. § 227 [1]. It restricts autodialed calls, prerecorded messages, and calls to numbers on the National Do Not Call Registry. Separately, the FTC's Telemarketing Sales Rule (16 C.F.R. Part 310) covers deceptive and abusive telemarketing, calling hours, and the disclosures you owe on every call [2].
Here is the short version. A human agent, manually dialing a mobile or landline, reaching someone who is not on the DNC Registry, during allowed hours, who identifies themselves properly, is acting lawfully. Trouble starts fast once you add an autodialer, a prerecorded message, or a number that is registered on the DNC.
For a fuller look at what the practice involves before the compliance layer, see our cold calling definition overview.
What is the TCPA and how does it restrict cold calls?
The TCPA is the federal law most cold callers run into. Congress passed it in 1991 to curb unwanted telephone solicitations, and the FCC has stretched its reach through rulemaking ever since [1].
Three restrictions matter for outbound sales teams.
One. It bans using an automatic telephone dialing system (ATDS) to call any cell phone without prior express consent. The definition of an ATDS has been fought over for years. The Supreme Court narrowed it in Facebook, Inc. v. Duguid (2021), ruling that an ATDS has to use a random or sequential number generator, more than any software that stores and dials numbers [3]. That gave dialer vendors room to breathe, but manual-dial setups are still the norm at careful shops.
Two. It bans prerecorded or artificial voice messages to residential lines and cell phones without consent. That covers robocalls and ringless voicemail, which the FCC has treated as a call under the TCPA.
Three. The law folds in the National Do Not Call Registry. Calling a registered number without an established business relationship or written consent is a separate violation, and each call carries its own fine.
The statute itself says violators are liable for "actual monetary loss" or "$500 in damages for each such violation," whichever is greater, and courts can triple that to $1,500 for willful violations [1].
What is the National Do Not Call Registry and who does it cover?
The National Do Not Call Registry is a database the FTC runs where consumers list phone numbers they do not want solicitation calls on [4]. Landlines and mobile numbers both qualify. Once a number lands on the registry, telemarketers have 31 days to stop calling it.
The registry covers most residential consumers. It does not cover calls to businesses, calls from exempt categories (charities, political organizations, survey researchers, and companies with an established business relationship), or calls you have prior express written consent to make.
The established business relationship (EBR) exception is the one people forget. Under the FTC's Telemarketing Sales Rule, you can call a DNC-listed number if the consumer bought from you in the past 18 months, or made an inquiry in the past 3 months [2]. Each new purchase or inquiry resets the clock.
As of mid-2024, the registry held over 249 million phone numbers [4]. Scrubbing your call list against it before every campaign is a legal requirement, not a best practice. Fines for calling a registered number reach $51,744 per call under updated FTC penalty schedules [5].
| Violation type | Statute | Fine per call |
|---|---|---|
| Calling DNC-registered number | FTC TSR / TCPA | Up to $51,744 [5] |
| TCPA statutory damages (negligent) | 47 U.S.C. § 227 | $500 [1] |
| TCPA statutory damages (willful) | 47 U.S.C. § 227 | Up to $1,500 [1] |
| State mini-TCPA (e.g., Florida FTSA) | State statutes | Varies; FL: $500/call [6] |
Are cold calls to cell phones illegal?
Not automatically. The rules are just tighter for cell phones than for landlines.
A human rep manually dialing a cell number for a sales call is legal under federal law, as long as the number is not on the DNC Registry or you have the right consent or EBR exception. The cell phone restriction in the TCPA targets autodialed calls and prerecorded messages, not human-dialed ones [1].
Here is the catch. A lot of what sales teams call "manual dialing" runs through power dialers or predictive dialers that may count as an ATDS depending on how they work. After Facebook v. Duguid, the test is whether the system uses a random or sequential number generator [3]. Plenty of vendors rebuilt their software specifically to fall outside that line. If you are unsure about your dialing tech, get a written opinion from your vendor on how their system measures against the Duguid standard.
For cold calling teams working consumer mobile numbers, the safest setup is true click-to-dial with a human starting every call, paired with tight DNC scrubbing.
AI-assisted dialing stacks on more risk. See our breakdown of AI cold calling rules for how automated systems collide with TCPA restrictions.
What hours are cold calls allowed?
Federal law sets a floor on calling hours. Under both the TCPA and the FTC's Telemarketing Sales Rule, telemarketers cannot call consumers before 8 a.m. or after 9 p.m. local time at the recipient's location [2].
That last part trips people up. You go by the time zone of the number you are calling, not your call center's clock. Dial from New York into California at 8:30 p.m. your time and it is 5:30 p.m. Pacific, which is fine. Dial from California into an East Coast number at 8:30 p.m. your time and it is 11:30 p.m. where the phone is ringing. That is a violation.
State laws can and do tighten the window. Some ban calls on Sundays or public holidays. Florida's FTSA, for example, keeps the same federal calling window but layers extra restrictions on top [6].
The practical rule: build the recipient's local time calculation into your dialer, not a spreadsheet a rep checks by hand.
Can businesses cold call other businesses (B2B)?
B2B cold calling gets a lot more room under federal law. The National Do Not Call Registry covers residential subscribers and personal cell phone users, not business lines [4]. The TCPA's autodialer rules technically reach any "telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service" regardless of whether the line is a business or a consumer, but the DNC exemption for business numbers is a real advantage in practice.
For B2B, your main federal worry becomes the Telemarketing Sales Rule's ban on deceptive or abusive practices: misrepresenting who you are, faking caller ID, refusing to give your name or your company's name, and using threats or profanity [2].
State laws are the bigger wildcard in B2B. Some apply their consumer telemarketing laws to business recipients in certain situations. If your target list holds home-based businesses, the line blurs, because those numbers may double as personal lines registered on the DNC.
For teams thinking about what to say once someone answers, a well-built cold calling script helps keep your reps consistent on the required identification disclosures.
What caller ID and identification rules apply to cold calls?
You cannot legally spoof caller ID. The Truth in Caller ID Act of 2009, which the FCC enforces, prohibits sending misleading or inaccurate caller ID information with intent to defraud, cause harm, or wrongfully obtain anything of value [7].
Beyond spoofing, the FTC's Telemarketing Sales Rule requires the telemarketer to promptly disclose their name, the name of the company they represent, and the purpose of the call [2]. "Promptly" in FTC guidance means at the start of the call, before the pitch.
For prerecorded messages, the TCPA requires the message to state who is responsible for the call and give a phone number the consumer can use to make a DNC request [1].
Here is a loophole that is not actually a loophole. Some teams think they can route calls through a third-party number to hide the originating company. It does not work. The FCC has been clear that showing a number the consumer cannot call back to opt out of future calls violates TCPA regulations.
Which state laws add extra restrictions on cold calling?
State laws are where teams get blindsided. Several states passed rules stricter than the TCPA, and those stricter rules apply whenever you call a resident of that state, no matter where you sit.
Florida's Telephone Solicitation Act (FTSA), amended in 2021 and again in 2023, created a state-level private right of action that mirrors the TCPA's per-call damages [6]. Florida also runs a state DNC list alongside the federal registry.
California has no direct TCPA analog for voice calls, but the California Consumer Privacy Act (CCPA) shapes how you collect and use consumer data to build call lists [8].
Texas, Indiana, and several other states run their own DNC registries with separate registration requirements for solicitors.
The honest summary: scrub against the federal registry and any relevant state lists. Then check whether the states you dial into require solicitor licenses or bonds. Around 30 states have some form of telemarketer registration requirement, and the specifics vary a lot.
LeadCompliant's compliance kit includes a state-by-state telemarketing restriction checklist, which is one way to get through that research fast without hiring a lawyer in every state.
What counts as prior express written consent for TCPA purposes?
Prior express written consent is the safe harbor that lets you use autodialers or prerecorded messages to reach consumers. Without it, you are stuck with manually dialed calls to non-DNC numbers.
The FCC's 2012 TCPA rules (effective 2013) defined prior express written consent as a written agreement, electronic signatures included, that clearly authorizes the caller to deliver autodialed or prerecorded messages, with the consumer acknowledging they are not required to consent as a condition of buying anything [9].
In October 2024, the FCC issued a new rule (effective January 2025) requiring one-to-one consent. Consent collected on a lead generation website cannot be shared with or sold to multiple sellers [9]. That closed the so-called "lead gen loophole," where one consent form authorized dozens of companies to call the same person. Every company now needs its own direct consent.
If your leads come from third-party vendors, this rule change likely moves your whole compliance posture. Leads generated before January 2025 under old consent structures sit in a gray area that is already drawing litigation.
For how what is cold calling in sales looks in practice for teams working under post-2025 consent rules, that piece covers the operational side.
What happens if you violate cold calling laws? Real consequences
The consequences run from a demand letter to nine-figure class action settlements.
At the low end, a single TCPA plaintiff sends a demand letter, often for a few thousand dollars, after one or two unwanted calls. Many companies settle fast because fighting costs more than paying. The plaintiffs' bar built a cottage industry on exactly this, and they know it.
At the high end, class actions pull in thousands of plaintiffs, and courts have signed off on huge settlements. Dish Network paid a $280 million judgment in a major FTC/DOJ enforcement case involving 57 million DNC violations [10]. Capital One settled a TCPA class action for $75.5 million in 2015. More recently, a 2023 FCC enforcement action against a robocall operation produced a $299 million fine [11].
FTC civil penalties for TSR violations, adjusted for inflation, reached $51,744 per violation as of 2024 [5].
The math is brutal. Say only 1% of a 10,000-number list gets called improperly. That is 100 potential violations at $500 to $1,500 each under the TCPA alone. Call it $50,000 to $150,000 in statutory damages before a single legal fee.
Small teams assume they are too small to sue. Wrong. TCPA plaintiffs and their attorneys chase any company making outbound calls. Size is not a shield.
How do you cold call legally? The practical checklist
Compliance is not one big thing. It is a stack of small practices that together keep you inside the law.
Scrub your list against the federal DNC Registry before each campaign. The FTC requires you to access the registry and scrub within 31 days before a call [2]. Many teams scrub monthly or weekly.
Scrub against state DNC lists for every state you dial into. Florida, Texas, Indiana, Wyoming, and others run separate registries.
Keep an internal DNC list. Any consumer who asks not to be called again goes on your company's own do-not-call list, and you have to honor that request within 30 days [2].
Call only during allowed hours: 8 a.m. to 9 p.m. in the recipient's local time zone.
Identify yourself immediately. State your name, your company's name, and why you are calling.
Do not use an autodialer or prerecorded message to reach cell phones without prior express written consent. Get that consent documented and stored where you can pull it up.
For third-party leads, verify the consent chain. Under the FCC's 2025 one-to-one consent rule, consent on a lead gen site has to name your company specifically [9].
Keep records. If a claim lands, your DNC scrub dates, consent records, and calling hour logs are the difference between a quick dismissal and expensive discovery.
Want a structured version of this checklist for your team? LeadCompliant's free compliance kit covers the full process, including DNC scrub workflows and consent documentation templates.
A solid cold call script also helps your reps hit the required disclosures on every call.
Does the TCPA apply to B2B SaaS and tech sales teams?
This is the question most outbound SaaS teams ask, and the honest answer is: more than you probably think.
The DNC exemption for business lines is real, and it covers most B2B outbound work. Three scenarios still pull B2B teams into TCPA exposure.
One. Many B2B prospects answer on personal cell phones. If your rep dials a prospect's mobile, that number may sit on the DNC, and the individual (not their employer) can bring a TCPA claim.
Two. If you run a predictive dialer or power dialer that could count as an ATDS under any reading of Duguid, and you reach mobile numbers without consent, you have exposure even in B2B.
Three. If you do outbound to small businesses run from home offices, those numbers often live on personal accounts and land on the DNC Registry.
The safest B2B posture: click-to-dial (a human starts every call), scrub personal mobile numbers against the DNC, and train reps on the identification requirements. Most SaaS teams with fewer than 20 reps can handle this without expensive compliance software.
Frequently asked questions
Is it illegal to cold call someone who is on the Do Not Call list?
Yes. Calling a residential number registered on the National Do Not Call Registry without consent or an established business relationship violates both the FTC's Telemarketing Sales Rule and the TCPA. Fines reach $51,744 per call under FTC penalty schedules, plus TCPA statutory damages of $500 to $1,500 per call.
Is cold calling illegal in the United States for B2B sales?
No. The National Do Not Call Registry covers residential numbers, not business lines, so B2B cold calling to business phones is generally legal under federal law. You still have to follow Telemarketing Sales Rule disclosure requirements and cannot use deceptive practices. Watch for calls to personal mobile phones of business contacts, which carry more restrictions.
What is the penalty for illegal cold calling?
Under the TCPA, each unlawful call carries statutory damages of $500, or up to $1,500 for willful violations. The FTC can impose civil penalties up to $51,744 per TSR violation as of 2024. Class actions have produced settlements in the hundreds of millions against large-scale violators.
Can I cold call cell phones legally?
A human rep manually dialing a cell phone that is not on the DNC Registry is legal under federal law. Using an autodialer or prerecorded message to reach a cell phone without prior express written consent is not. After Facebook v. Duguid (2021), the ATDS definition requires random or sequential number generation, but many dialers still carry risk depending on their design.
What time can I legally make cold calls?
Federal law allows calls between 8 a.m. and 9 p.m. local time at the recipient's location. You use the recipient's time zone, not yours. Some states impose tighter restrictions. Build time-zone calculation into your dialing system instead of relying on reps to do the math.
Is cold calling illegal in California?
Cold calling is not outright illegal in California, but California law adds layers. The CCPA restricts how you collect and use personal data to build call lists. California also enforces consumer protection laws covering deceptive telemarketing. Callers still have to scrub against the federal DNC Registry. California does not run a separate state DNC list.
Is cold calling illegal in the UK?
Cold calling in the UK is regulated by the Information Commissioner's Office under the Privacy and Electronic Communications Regulations (PECR). Calls to TPS (Telephone Preference Service) registered numbers without consent are prohibited. The UK rules are separate from U.S. TCPA law. If you call UK numbers from the U.S., PECR applies to those calls, not the TCPA.
Does the TCPA apply to text messages as well as calls?
Yes. The TCPA covers text messages sent via autodialer the same way it covers automated calls. Sending a marketing text to a consumer who has not given prior express written consent, or whose number is on the DNC Registry, carries the same $500 to $1,500 per-message exposure as an automated call. Human-typed texts sent one at a time sit in a grayer zone.
Do I need a license to make cold calls?
Roughly 30 states require telemarketers to register before soliciting their residents. Requirements vary: some ask for a registration fee and bond, others just a registration. There is no single federal telemarketer license. If you call into multiple states, check each state's registration rules before launching a campaign.
What is the one-to-one consent rule for cold calling?
The FCC's October 2024 rule, effective January 2025, requires that consent for autodialed calls or texts come directly from the company making contact, not through a shared lead generation form bundling consent for multiple sellers. Each seller now needs individually named consent. This changes how lead gen and list purchasing can be used for TCPA-covered outreach.
Can robocalls be used for cold calling legally?
Robocalls (prerecorded messages) to residential landlines and cell phones require prior express written consent from the recipient under the TCPA. Without consent, robocalling consumers is illegal under federal law. Limited exceptions apply for non-commercial calls and certain informational messages. Political robocalls and charity solicitations follow different rules.
How long does a Do Not Call registration last?
Permanently, since 2008. The FTC removed the five-year expiration on DNC registrations in 2008, so a number stays on the registry until the consumer removes it or the carrier reassigns it. Check your list against a reassigned numbers database periodically so you do not call a new consumer on a number you once had consent for.
What is an established business relationship exception to the DNC rules?
Under the FTC's Telemarketing Sales Rule, a company can call a DNC-registered number if the consumer made a purchase within the past 18 months, or made an inquiry or application within the past 3 months. The exception only covers the company that holds the relationship, not affiliates or third parties. A do-not-call request from the consumer overrides the EBR immediately.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA statutory damages of $500 per violation, up to $1,500 for willful violations; restrictions on autodialers and prerecorded messages
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Calling hours 8 a.m. to 9 p.m. local time, DNC Registry requirements, established business relationship exception, identification disclosure requirements
- Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): ATDS definition requires random or sequential number generation; narrowed scope of autodialer under TCPA
- FTC, National Do Not Call Registry: Registry covers residential and personal mobile numbers; over 249 million registered phone numbers as of mid-2024
- FTC, Civil Penalty Inflation Adjustments (2024 Federal Register notice): Maximum civil penalty of $51,744 per TSR violation as of 2024
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida state-level private right of action for telemarketing violations, $500 per call damages
- California Attorney General, California Consumer Privacy Act (CCPA): CCPA restricts collection and use of personal consumer data in California, affecting call list building
- U.S. Department of Justice, United States v. Dish Network enforcement: Dish Network paid a $280 million judgment for 57 million DNC violations in a major FTC/DOJ enforcement case