Last updated 2026-07-10

TL;DR
TCPA, CAN-SPAM, GDPR, and CCPA each impose different obligations depending on your industry and who you're contacting. TCPA covers U.S. calls and texts, CAN-SPAM governs commercial email, GDPR applies when you reach EU residents, and CCPA covers California residents' data. Penalties run from $500 to tens of millions per action. Your risk depends on which laws overlap for your specific outreach.
What are TCPA, CAN-SPAM, GDPR, and CCPA, and which one applies to you?
These four laws have almost nothing to do with each other at the drafting level. Different governments wrote them, for different harms, across four different decades. What they share is this: if your team makes outbound calls, sends emails, or texts prospects, at least one of them applies to you right now.
The Telephone Consumer Protection Act (TCPA), codified at 47 U.S.C. § 227, was enacted in 1991 and restricts autodialed calls, prerecorded voice messages, and texts to U.S. consumers. [1] The FTC's CAN-SPAM Act (15 U.S.C. § 7701 et seq.) set the rules for commercial email in 2003 and, unlike TCPA, contains no private right of action, so individual recipients cannot sue you directly. [2] The General Data Protection Regulation (GDPR) is EU law that took effect in May 2018 and governs how any organization worldwide handles personal data of EU residents, including whether you can email or call them. [3] California's Consumer Privacy Act (CCPA), effective January 2020 and expanded by the CPRA in 2023, gives California residents rights over how their personal data is collected and sold. [4]
The overlap question is what trips up most teams. A U.S. fintech that calls American consumers and also emails prospects in Germany faces TCPA, CAN-SPAM, and GDPR at once. A SaaS company with a California customer list faces CCPA even if it never touches a byte of EU data. Map your actual audience before you build outreach programs. It's not optional.
| Law | Jurisdiction | Channel | Private right of action? | Max per-violation penalty |
|---|---|---|---|---|
| TCPA | U.S. consumers | Calls, texts, fax | Yes | $1,500 (willful) [1] |
| CAN-SPAM | U.S. email recipients | No (ISPs/FTC only) | $51,744 per email [2] | |
| GDPR | EU residents (worldwide reach) | All channels | Via DPA complaint | €20M or 4% global revenue [3] |
| CCPA/CPRA | California residents | All channels | Limited (data breach) | $7,500 per intentional violation [4] |
What does TCPA actually prohibit, and how does it differ by industry?
The statute at 47 U.S.C. § 227(b)(1) prohibits using an automatic telephone dialing system (ATDS) or a prerecorded voice to call any cell number without prior express consent. [1] It also bars calls to residential lines on the National Do Not Call Registry. The FCC enforces TCPA, but individuals can sue too, which is why TCPA class actions have become a cottage industry for plaintiff attorneys.
The per-call damages are $500 for each negligent violation and $1,500 for each willful one. [1] In a class action with thousands of members, those numbers stack up fast. One frequently cited example is the $76 million settlement in Kolinek v. Walgreen Co. (N.D. Ill. 2014), where a single ATDS policy touched millions of customers.
The risk profile changes by industry.
Financial services teams (banks, lenders, insurance) carry elevated exposure. They tend to run high-volume dialers and call people about sensitive money matters. The FCC has carved out certain informational calls from consent requirements, but those exemptions are narrow. Debt collection calls to cell phones still need consent under TCPA even when the debt is real.
Healthcare organizations have an extra overlay. HIPAA restricts how patient data can be used for marketing, so a health system cannot pull patient contact info from clinical records to run marketing calls without explicit authorization. [11] TCPA consent requirements sit on top of that.
Real estate agents and mortgage brokers are frequent TCPA defendants. Bought lists of homeowners with cell numbers are a recipe for litigation. The FCC's 2023 one-to-one consent rule, which took effect January 27, 2025, requires each lead generator or seller to obtain written consent individually rather than burying it in a broad website disclosure. [5] Lead aggregators who sold one consent to dozens of buyers can no longer do that legally.
B2B teams calling business lines have a bit more room. [Learn more about B2B cold calling rules at /articles/cold-calling-rules/b2b-cold-calling.] TCPA's ATDS restrictions apply mostly to calls to cell phones. Dialing a direct business landline with an autodialer carries lower TCPA risk, though the FTC's Telemarketing Sales Rule (TSR) still governs most telemarketing. [What the FTC Telemarketing Sales Rule is designed to do is explained in full at /articles/cold-calling-rules/the-telemarketing-sales-rule-is-designed-to.]
How does CAN-SPAM compliance vary by industry and what are the actual rules?
CAN-SPAM applies to any "commercial electronic mail message," which the FTC defines as email whose primary purpose is commercial advertisement or promotion of a product or service. [2] Transactional emails, like order confirmations, are largely exempt.
The core requirements hold across industries. Don't use deceptive subject lines or headers. Include a real physical postal address. Give people a working opt-out. Honor opt-out requests within 10 business days. [2] The FTC can fine violators up to $51,744 per email, and there have been enforcement actions in the hundreds of thousands of dollars. The per-email cap sounds terrifying, but in practice the FTC goes after systematic patterns, not a single clumsy send.
Where industry matters is in how you draw the line between "commercial" and "transactional." A healthcare provider sending appointment reminders is almost certainly sending transactional email. The same provider emailing a promotional offer for a paid wellness program is commercial and must comply with CAN-SPAM. Financial services firms that mix account alerts with promotional content in one email create a gray zone. The FTC's guidance says the primary purpose test decides classification. [2]
Financial advisors carry one complication CAN-SPAM doesn't address. FINRA and SEC rules govern what registered representatives can say in email to clients and prospects, including record-keeping under SEC Rule 17a-4. That's a layer on top of CAN-SPAM, not a substitute for it.
Edtech and nonprofits should note that CAN-SPAM does not exempt nonprofits from commercial email rules. If a university emails a promotion for a paid executive education program, that email must comply even though the university is tax-exempt.
Does GDPR apply to U.S. companies, and which industries feel it most?
Yes. GDPR applies to any organization that processes personal data of EU residents, no matter where the organization sits. [3] Article 3 says so directly: the regulation applies to processing of data of data subjects who are in the Union. If your SaaS product has users in Germany or your store ships to France, GDPR reaches you.
For outbound sales and marketing, GDPR's main constraint is the lawful basis for processing. Article 6 lists six lawful bases. [3] For cold outbound, two matter: consent (freely given, specific, informed, unambiguous) and legitimate interests. Legitimate interests is the basis most B2B companies try to use for cold outreach to EU prospects. Whether it holds up depends on passing the three-part legitimate interests assessment. You need a genuine interest, the processing must be necessary, and the individual's rights must not override your interest.
Three kinds of teams feel GDPR most in outbound.
SaaS and technology companies selling into European enterprises. They usually rely on legitimate interests for cold email, but they need a documented balancing test and must honor opt-outs immediately.
Recruiters and staffing agencies sourcing EU-based candidates. Scraping LinkedIn profiles to build lists and then cold emailing those people is legally precarious under GDPR. The UK ICO (which enforces UK GDPR post-Brexit) has issued guidance on exactly this.
Adtech and data brokers take the highest GDPR fines by volume. Meta's 2023 fine was €1.2 billion. [9] That's an outlier, but it shows how seriously EU regulators treat unlawful data transfers and consent failures.
GDPR also requires a Data Processing Agreement (DPA) with any vendor that processes EU personal data on your behalf: your CRM, your email platform, your analytics tools. So even a ten-person outbound team running HubSpot and a data enrichment provider needs signed DPAs.
What does CCPA mean for outbound sales teams targeting California residents?
CCPA, as amended by the CPRA, gives California residents the right to know what personal data you collect, to delete it, to opt out of its sale or sharing, and to correct inaccurate data. [4] You're a covered business if your annual gross revenue tops $25 million, if you buy or sell personal data of 100,000 or more California consumers per year, or if you make 50% or more of your revenue from selling consumer personal data. [4]
For outbound teams, the sharpest CCPA issue is purchased lead lists. If you buy a list of California residents and use it for outreach, the seller must have disclosed the sale in its privacy notice, and you become a "business" processing that data with your own obligations. The CPRA added "sensitive personal information," which covers precise geolocation, financial account data, health data, and racial or ethnic origin. Sensitive data gets stricter handling.
The California Privacy Protection Agency (CPPA) began formal enforcement in 2023 and has pursued large companies, while signaling it will go after smaller operators for systematic non-compliance too. Fines run $2,500 per unintentional violation and $7,500 per intentional one. [4] There's no per-incident cap, so a pattern across thousands of records creates real exposure.
Industries most affected by CCPA in outbound work: financial services (which also answers to GLBA's privacy provisions), healthcare marketing (overlapping HIPAA), and e-commerce companies running big email or SMS campaigns to California customers.
If you're already GDPR-compliant, CCPA isn't a free pass, but the operational habits carry over well. Both need privacy notices. Both need opt-out mechanisms. Both need vendor agreements for data processing.
How do these laws stack on each other for specific industries?
This is where the real work happens. The laws don't coordinate. They all apply at once, and you have to satisfy each one on its own terms.
Financial services (banks, lenders, insurance, wealth management)
A lender running an outbound mortgage campaign faces TCPA (for autodialed or prerecorded calls to cell phones), the FTC's TSR (for telemarketing), CAN-SPAM (for any email component), CCPA (if California residents sit in the list), and state mini-TCPAs like Florida's FTSA, which carries a private right of action and has driven huge litigation since 2021. [12] [Learn the full picture on cold calling at /articles/cold-calling-rules/cold-calling.] On top of those, RESPA, TILA, and ECOA govern what can be said in the actual solicitation. Layered, and expensive to get wrong.
Healthcare and medical services
A hospital marketing team sending promotional texts about a new urgent care location needs TCPA consent for the text, cannot use patient records for marketing without HIPAA authorization, and answers to CAN-SPAM if the promotion goes out by email. [11] The FTC and HHS both hold jurisdiction over different parts. Healthcare may be the highest-stakes industry for outbound compliance, because HIPAA and TCPA together create dual liability.
SaaS and B2B technology
A SaaS sales team emailing U.S. and EU prospects must satisfy CAN-SPAM for the U.S. sends and GDPR for the EU sends. [For tactical B2B cold calling guidance, see /articles/cold-calling-rules/b2b-cold-calling.] The consent standard is night and day: CAN-SPAM requires no prior consent at all (just an opt-out), while GDPR demands a lawful basis for every send. Many B2B SaaS teams run separate cadences by geography for exactly this reason.
Real estate and mortgage brokers
The FCC's one-to-one consent rule reshaped lead generation economics here. Shared consent (one checkbox consenting to calls from a "network of partners") no longer satisfies TCPA. [5] Each company that wants to call that lead must get consent directly. [For compliance on timing, see /articles/cold-calling-rules/tcpa-quiet-hours.]
Retail and e-commerce
SMS marketing is the exposure area. Retailers texting promotions need prior express written consent under TCPA, a clear opt-out path, and, for California customers, a compliant CCPA privacy notice. Cart abandonment texts sit in a gray area. Some platforms treat them as transactional, but if they carry promotional language or upsells, TCPA consent requirements likely apply.
| Industry | Primary laws | Highest single-channel risk |
|---|---|---|
| Financial services | TCPA, TSR, CAN-SPAM, CCPA, state mini-TCPAs | Autodialed cell calls |
| Healthcare | TCPA, HIPAA, CAN-SPAM | Marketing texts using patient data |
| SaaS / B2B tech | CAN-SPAM, GDPR, TCPA (if texting) | Cold email to EU without lawful basis |
| Real estate | TCPA, TSR, state laws | Post-lead-gen autodialed calls |
| Retail / e-commerce | TCPA, CAN-SPAM, CCPA | Promotional SMS without consent |
What time-of-day and frequency rules apply across these laws?
Time restrictions show up in both TCPA and the FTC's TSR, but they're written differently and don't always line up.
The FCC's TCPA regulations at 47 C.F.R. § 64.1200(c) restrict calls to residential numbers on the national Do Not Call list. [10] The TSR separately bars telemarketing calls before 8 a.m. or after 9 p.m. local time at the recipient's location. [7] [The full breakdown of these timing rules is at /articles/cold-calling-rules/ftc-telemarketing-sales-rule-8-a-m-9-p-m-local-time.] Most compliance programs default to the TSR's 8 a.m. to 9 p.m. window for all outbound calls, because it's the stricter and clearer standard.
GDPR has no time-of-day calling rule, but member state laws do. Germany's UWG (Act Against Unfair Competition) restricts cold calls to business hours even for B2B unless prior consent exists. The UK's PECR runs on similar lines. Call EU prospects and you have to check the rules country by country, more than at the EU level.
CAN-SPAM has no time-of-day restriction for email. Send at 3 a.m. and it's legal under CAN-SPAM, though your deliverability tools will tell you odd-hour sends tank open rates.
For SMS, the FCC has no statutory time restriction in TCPA, but courts and the FCC have generally applied the 8-to-9 window by analogy to the TSR. Most compliance attorneys treat the 8 a.m. to 9 p.m. local-time rule as covering texts too, to keep litigation risk down. [The full rules on call and text timing are covered at /articles/cold-calling-rules/tcpa-quiet-hours.]
How do consent rules differ across TCPA, GDPR, and CCPA?
Consent is the fulcrum the whole system balances on, and its definition shifts meaningfully under each law.
Under TCPA, consent has two tiers. For informational calls or texts (non-marketing), you need prior express consent, which can be oral or written. For telemarketing calls or texts to cell phones using an ATDS or prerecorded voice, you need prior express written consent: a signed (including electronically signed) agreement that the person consents specifically to autodialed marketing calls. [1] The FCC's 2023 rule tightened this. That written consent must now come from the specific company placing the call, not a lead aggregator acting as a middleman. [5]
Under GDPR, consent must be freely given, specific, informed, and unambiguous. [3] Pre-ticked boxes don't count. Bundled consent (one checkbox for many purposes) is a problem. And consent can be pulled at any time. This is a higher bar than TCPA's written consent, because GDPR also makes you able to demonstrate that consent was given.
CCPA works differently from both. It does not require opt-in consent to process most personal data. It requires opt-out consent for the sale or sharing of that data. The CPRA added an opt-in requirement for sensitive personal information and for data about consumers under 16. [4]
The practical consequence: if you operate across all three frameworks, you need tiered consent workflows. One consent form cannot satisfy TCPA, GDPR, and CCPA at the same time. B2B teams targeting both U.S. and EU prospects often keep separate consent records, sometimes in separate CRMs, so they can prove compliance under each standard.
For teams building compliant consent flows, LeadCompliant's free TCPA consent checker can validate whether your existing web forms meet the FCC's current written-consent requirements before you run your next campaign.
What are the penalties, and what has actually happened in court?
Look at the actual numbers.
TCPA. Statutory damages are $500 per negligent violation and $1,500 per willful one. [1] No cap on the total. Class actions aggregate millions of individual violations, and TCPA settlements routinely run into the tens of millions. The Dish Network case produced a $280 million judgment, the largest TCPA award at the time. Class action settlements in TCPA cases averaged $6.3 million between 2010 and 2019, per a WebRecon analysis cited across legal publications. That figure has climbed with the rise of higher-volume text campaigns.
CAN-SPAM. The FTC's penalty authority is indexed under the Federal Civil Penalties Inflation Adjustment Act. As of 2024, the per-email maximum is $51,744. [2] But FTC actions have historically hit egregious violators blasting millions of spam emails, not small sales teams with a clunky unsubscribe flow. For smaller operations, the deliverability and reputation damage from a CAN-SPAM problem usually outweighs the legal penalty.
GDPR. Headline fines are €20 million or 4% of annual global revenue, whichever is higher. [3] EU data protection authorities collected a combined €2.1 billion in GDPR fines in 2023, according to DLA Piper's GDPR Fines and Data Breach Survey 2024. [9] Meta's €1.2 billion fine in May 2023 was the largest single GDPR fine ever issued. For smaller companies, marketing-related violations land more often in the €50,000 to €500,000 range.
CCPA. $2,500 per unintentional violation, $7,500 per intentional one. [4] The California AG's first CCPA enforcement action, in 2022, ended in a $1.2 million settlement with Sephora for failing to disclose data sales and not honoring opt-outs. That case showed a well-known brand with resources can still face real consequences for systematic non-compliance.
The biggest takeaway: TCPA is the one most likely to draw a lawsuit from a plaintiff's attorney. GDPR is the one most likely to draw a regulatory investigation. CAN-SPAM and CCPA more often generate FTC or CPPA enforcement than private suits, with the exception of CCPA data breach claims.
What does a practical compliance program look like for a small outbound team?
A ten-person sales team doesn't need a general counsel. It needs a documented process and a handful of operational controls.
Step one: map your audience. Before anything else, figure out whether you call or text cell phones (TCPA), email commercial recipients (CAN-SPAM), contact EU residents (GDPR), or hold California resident data (CCPA). Most small teams face TCPA plus CAN-SPAM at minimum.
Step two: audit your consent records. For TCPA, you must be able to show each cell number you dial with an ATDS or prerecorded message gave prior express written consent that names your company. [1] A spreadsheet with date, source, and consent language for each record is the floor. For EU contacts, document your lawful basis per GDPR Article 6.
Step three: run a real DNC process. Keep your own internal DNC list, scrub against the national DNC registry before campaigns, and update your internal list within five business days of an opt-out (the TSR's standard). [7] TCPA gives you a safe harbor if you can show you maintain a company-specific DNC list and train staff on it. [10]
Step four: train your callers on what they can and cannot say. The TSR bars certain misrepresentations in telemarketing. TCPA requires identity and callback-number disclosures on prerecorded calls. [For practical scripting guidance, see /articles/cold-calling-rules/cold-calling-scripts.] Good scripts and call-recording review are your main tools.
Step five: review your vendors. Your CRM, dialer, and data provider all touch personal data. You need a Data Processing Agreement with each one when EU data is involved. For CCPA, make sure your data providers disclose the California residents' data they're selling you.
LeadCompliant's compliance kit bundles a TCPA consent audit checklist, a DNC policy template, and a state-law risk matrix so you can run this process without starting from scratch.
AI-powered outbound tools make the picture harder. [Learn how AI cold calling changes the compliance equation at /articles/cold-calling-rules/ai-cold-calling.]
Are there state laws that layer on top of these federal rules?
Yes, and they're multiplying fast.
Florida's Telephone Solicitation Act (FTSA) created a private right of action for calls or texts made with an "auto-dialer" as Florida law defines it. [12] Florida's definition is arguably broader than the FCC's post-Facebook v. Duguid ATDS standard. [6] Florida plaintiffs' attorneys filed thousands of FTSA cases after the 2021 amendment. The legislature narrowed the law in 2023, but it stays a real risk.
Washington State has its own telemarketing law (RCW 80.36.390) with a private right of action. Oklahoma, Texas, and Indiana all run state do-not-call statutes that add layers to the federal TSR. Texas's Business and Commerce Code § 305 has been used alongside TCPA claims.
New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act imposes data security duties that affect how outbound teams store contact data. New York is also weighing a broad privacy law that would rival CCPA in scope.
On email, Virginia's Computer Crimes Act adds state-level email protections. California has its own email marketing law under Business and Professions Code § 17538.45.
The implication: don't assume federal compliance covers you at the state level. If you run high-volume campaigns into specific states, check each state's telemarketing and privacy laws separately. Tedious, but necessary.
What should you do right now if you are not sure where you stand?
Start with risk triage. Don't try to fix everything at once.
If you use any form of automated dialing or texting to U.S. cell phones, TCPA is your highest-probability litigation risk. Fix that first. Audit your consent records for every mobile number in your active list. If you can't document consent, stop dialing or texting that number. Sounds extreme. The cost of a single TCPA class action dwarfs any revenue from a list you can't prove consent for.
If you cold email into EU countries, run a GDPR lawful basis review. Identify which countries your prospects sit in. For most B2B cold email the applicable basis is legitimate interests, but you need a documented assessment, not an assumption that it applies. Plenty of small teams have never done this and are technically non-compliant.
If your business meets CCPA thresholds and you hold California contacts, update your privacy notice, add a "Do Not Sell or Share My Personal Information" link to your site, and build a process to honor deletion requests within 45 days. [4]
For email, confirm your unsubscribe links work, that opt-outs get honored within 10 business days, and that your from-address and subject lines are accurate. Those three things cover most of the realistic CAN-SPAM enforcement risk for small teams. [2]
Nobody has perfect compliance. What you need is a documented, good-faith effort, evidence that you scrub DNC lists, and consent records that would survive scrutiny. Courts and regulators punish willful ignorance far harder than imperfect implementation backed by documented intent to comply.
[What a cold call is and how to do it legally is covered at /articles/cold-calling-rules/cold-call.]
Frequently asked questions
Does TCPA apply to B2B calls, or only consumer calls?
TCPA applies to calls to cell phones no matter whether the recipient is a business or a consumer. If you use an ATDS or prerecorded message to call a cell number, you need prior express consent even when the number belongs to a business owner. Calls to business landlines carry lower TCPA risk but are still subject to the FTC's TSR if the call is telemarketing. B2B exemptions are narrower than most teams assume.
Can I cold email EU prospects legally under GDPR?
Yes, but you need a lawful basis under GDPR Article 6. Most B2B companies use legitimate interests for cold outbound email to EU prospects. You must document a legitimate interests assessment, your email must include an easy opt-out, and you must not contact anyone who has opted out. Consent-based cold email is legally cleaner but operationally hard, since you need consent before you can reach them at all.
What is prior express written consent under TCPA?
Prior express written consent is a signed agreement (wet signature or electronic equivalent) in which the person agrees to receive autodialed or prerecorded marketing calls or texts from a specific named company. The agreement must clearly disclose that consent is not a condition of purchase. As of January 2025, the FCC requires this consent to name your company specifically, not a class of lead buyers.
How long do I have to honor a TCPA or CAN-SPAM opt-out request?
Under CAN-SPAM, you must honor email opt-outs within 10 business days. Under the FTC's TSR, you must add an opt-out to your internal DNC list within five business days and stop calling that number. TCPA sets no numeric deadline in the statute, but the FCC expects opt-outs to be honored promptly. GDPR requires you to stop processing data on withdrawal of consent without undue delay.
Does the CAN-SPAM Act apply to B2B commercial email?
Yes. CAN-SPAM applies to any commercial electronic mail message regardless of whether the recipient is a business or a consumer. The law does not exempt B2B email. Your physical address must be included, your subject line must not be deceptive, and you must provide a functional opt-out mechanism that keeps working for at least 30 days after the send.
What is the FCC's one-to-one consent rule and when did it take effect?
The FCC issued its one-to-one consent order in December 2023, requiring that prior express written consent for TCPA purposes identify the specific seller or company making the call, not a broad category of partners or lead buyers. The rule took effect January 27, 2025. It effectively ended the lead-generation practice of collecting one consumer consent and selling it to many buyers.
Is my small business exempt from GDPR if we are based in the U.S.?
No. GDPR's territorial scope under Article 3 covers any organization processing data of EU residents, no matter where the organization is established. A five-person U.S. company that emails EU prospects or serves EU customers is subject to GDPR. The law does ease record-keeping for organizations with fewer than 250 employees, but the core obligations, including lawful basis and opt-out rights, still apply.
What industries face the highest TCPA litigation risk?
Financial services (mortgage, insurance, debt collection), healthcare marketing, real estate, and retail SMS campaigns generate the most TCPA litigation. These industries tend to run high-volume autodialed or prerecorded outreach to consumer cell phones. Financial services and healthcare also stack extra regulatory obligations on top of TCPA, compounding exposure. Lead generation companies in these sectors have become primary targets since 2024.
Does CCPA apply to my company if we are not in California?
Yes, if you meet the revenue or data thresholds and process personal data of California residents. CCPA applies based on where your customers or contacts sit, not where your business is incorporated. A Texas business with a large California customer email list and over $25 million in annual revenue must comply with CCPA even with no physical presence in California.
Can I use a purchased prospect list for outbound calls or emails legally?
It depends on the channel. For email, CAN-SPAM does not ban purchased lists, but you must still include opt-outs and honor them. For TCPA-regulated calls or texts to cell phones, you must verify the original source obtained consent for calls from your specific company. Under GDPR, the source must have disclosed the transfer to you in its privacy notice. Purchased lists carry heavy compliance risk across all frameworks.
What is the difference between CCPA and GDPR for outbound marketing teams?
GDPR requires a lawful basis before you process EU residents' data, including before you contact them. CCPA is primarily opt-out: you can process California residents' data and contact them unless they opt out. GDPR is a prior-permission model; CCPA is a notice-and-opt-out model. Both require privacy notices, vendor agreements, and responses to individual data requests, but GDPR sets a higher upfront consent burden for marketing.
Do TCPA time-of-day restrictions apply to text messages?
TCPA does not spell out text message time restrictions, but the FCC and most compliance attorneys treat the FTC TSR's 8 a.m. to 9 p.m. local-time standard as the applicable benchmark for texts as well as calls. Sending promotional SMS outside those hours is legal under the literal statute but creates litigation risk. Most enterprise texting platforms offer time-zone-aware scheduling to stay inside the window.
What records do I need to keep to prove TCPA compliance?
At minimum: the date and source of consent for each cell number you dial with an autodialer, the exact language of the consent agreement, records of your DNC scrubs including date and list version, and any opt-out requests plus when you actioned them. The FTC's TSR requires a written DNC policy and proof you train staff on it. Keep these records at least four years given TCPA's statute of limitations.
How does GDPR affect cold calling in Europe specifically?
GDPR does not ban cold calling but requires a lawful basis for processing the contact data behind the call. Member state laws add restrictions: Germany's UWG requires consent for cold calls to both consumers and businesses without a prior relationship. The UK's PECR requires that the number not be registered on the UK's Telephone Preference Service. France, Spain, and other EU members run national rules alongside GDPR.
Sources
- U.S. Congress, Telephone Consumer Protection Act, 47 U.S.C. § 227: TCPA prohibits autodialed calls to cell phones without prior express consent; damages are $500 per violation and $1,500 for willful violations
- Federal Trade Commission, CAN-SPAM Act: A Compliance Guide for Business: CAN-SPAM requires opt-out mechanisms, physical address, non-deceptive headers; FTC can fine up to $51,744 per email; no private right of action
- European Parliament and Council, General Data Protection Regulation (GDPR), Regulation (EU) 2016/679: GDPR applies to all processing of EU residents' data worldwide; maximum fines are €20 million or 4% of global annual revenue; lawful basis required for all processing
- California Attorney General, California Consumer Privacy Act (CCPA) Resources: CCPA gives California residents rights over their data; fines are $2,500 per unintentional violation and $7,500 per intentional violation; covered businesses include those with $25M+ annual revenue
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the ATDS definition under TCPA, ruling that a system must use a random or sequential number generator to qualify; narrowed class action exposure for some dialers
- Federal Trade Commission, Telemarketing Sales Rule (16 C.F.R. Part 310): TSR prohibits telemarketing calls before 8 a.m. or after 9 p.m. local time; requires internal DNC list maintenance; applies to most telemarketing in the U.S.
- DLA Piper, GDPR Fines and Data Breach Survey 2024: EU data protection authorities collected a combined €2.1 billion in GDPR fines in 2023; Meta's €1.2 billion fine was the largest single GDPR fine ever issued
- FCC, 47 C.F.R. § 64.1200, Delivery Restrictions: FCC regulations implementing TCPA restrict calls to residential numbers on the national DNC list and establish safe-harbor requirements for company-specific DNC list maintenance
- U.S. Department of Health and Human Services, HIPAA Marketing Guidance: HIPAA prohibits use of patient protected health information for marketing communications without patient authorization; applies on top of TCPA in healthcare outbound contexts
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida FTSA created a private right of action for autodialed calls and texts; amended in 2021 and 2023; has generated significant litigation against outbound telemarketers