Last updated 2026-07-10

TL;DR
Federal telemarketing runs on two laws: the Telephone Consumer Protection Act (TCPA, 47 USC 227) and the FTC's Telemarketing Sales Rule (TSR, 16 CFR Part 310). Together they set calling hours, consent standards, DNC requirements, and disclosures. Violations cost $500 to $1,500 per call or text under the TCPA, and up to $51,744 per TSR violation as of 2024.
What laws actually govern telemarketing in the United States?
Two federal frameworks do most of the heavy lifting. They come from different agencies, which trips people up constantly.
The Telephone Consumer Protection Act (TCPA), codified at 47 USC 227, is an FCC-enforced statute passed in 1991. It covers automated calls, prerecorded messages, and texts to cell phones. The FCC writes the implementing rules under the TCPA, and private citizens can sue you directly in federal or state court without waiting for any agency to act first. That private right of action is what makes TCPA litigation the business it is today.[1]
The Telemarketing Sales Rule (TSR), found at 16 CFR Part 310, is the FTC's vehicle. It covers the sales and deception side: what you must disclose, what you cannot lie about, how you handle the National Do Not Call Registry, and what counts as an abusive telemarketing practice. The FTC enforces the TSR. Private consumers cannot sue under it directly, but state attorneys general can and do.[2]
Then there is the National Do Not Call Registry itself, maintained jointly by the FTC and FCC. Any telemarketer calling consumers must scrub against it, with narrow exceptions. The registry holds more than 240 million registered phone numbers as of recent FTC reporting.[3]
Most states have their own telemarketing statutes on top of federal law. Some mirror the federal rules. Others go stricter, especially on calling hours, required disclosures, and what consent language qualifies. Florida's Telephone Solicitation Act and Washington's commercial calling laws are two examples of states that went well past federal minimums. A later section covers those state overlays.
One more statute is worth knowing: the Telemarketing and Consumer Fraud and Abuse Prevention Act (15 USC 6101), the congressional mandate that gave the FTC authority to write the TSR in the first place. You will see it cited in enforcement actions. It is not the rule you look up for operational guidance.
What does the TCPA actually prohibit?
The TCPA bans four broad categories of conduct. Knowing the differences matters because the consent requirements differ for each.[1]
First, automated calls (calls made with an automatic telephone dialing system, or ATDS) to any cell phone without prior express consent. The Supreme Court's 2021 decision in Facebook v. Duguid narrowed the ATDS definition, but the fight over what qualifies is still live in lower courts. Do not treat that ruling as a green light for aggressive auto-dialing without a lawyer's opinion specific to your system.[4]
Second, prerecorded or artificial voice calls to any cell phone, and to residential landlines for telemarketing, without prior express written consent. Prerecorded messages to residential landlines for non-telemarketing purposes need only prior express consent (the written part drops out). That distinction matters a lot in practice.
Third, sending unsolicited fax advertisements. Most outbound sales teams have moved on from fax. It still comes up in healthcare and real estate.
Fourth, autodialed or prerecorded calls to emergency lines, hospital patient rooms, or any line where the called party is charged for the call.
Live human calls to residential landlines, with no autodialer and no prerecorded message, do not require consent under the TCPA itself. Those calls run under the TSR and DNC rules instead. This is where small teams get confused. If your reps are manually dialing cell phones, the TCPA's autodialer consent rule does not apply, but you still owe DNC obligations and TSR disclosure duties.
The consent vocabulary matters too. "Prior express consent" (the lower bar) works for informational automated calls to cell phones. "Prior express written consent" (the higher bar) is required for telemarketing automated calls or texts to cell phones. Written consent has to include a clear and conspicuous disclosure that the person agrees to receive autodialed or prerecorded calls, and it cannot be a condition of purchase.[5]
For a full breakdown of what a cold call requires at each step, that walkthrough covers the live-agent manual-dial case in detail.
What does the FTC Telemarketing Sales Rule require?
The TSR sets the operating rules for anyone who makes outbound telephone calls to sell goods or services to consumers, or who gives substantial assistance to someone who does.[2]
Here is what it requires.
Calling hours. The TSR prohibits calls before 8 a.m. or after 9 p.m. local time at the called party's location.[2] The clock that matters is the prospect's, not your office's. See our deep look at FTC Telemarketing Sales Rule 8 a.m. to 9 p.m. local time for how to handle area codes that span time zones.
Required oral disclosures. At the start of every call, you must promptly tell the consumer: (1) your name, (2) the company you are calling on behalf of, and (3) the purpose of the call. Burying the pitch behind several minutes of small talk without that opening disclosure is a TSR violation.
Prohibited misrepresentations. The TSR bans false statements about the goods or services, the total cost, any restrictions, or the caller's identity. It also bans threatening or intimidating language.
Credit card laundering ban. You cannot charge a consumer's card without their express verifiable authorization.
Do Not Call compliance. Telemarketers covered by the TSR must honor the National DNC Registry and maintain an internal company-specific DNC list. They must process DNC requests within 30 days and honor them for at least 5 years.
Abandoned call limits. If you use predictive dialers, you cannot abandon more than 3% of answered calls per campaign, measured over a 30-day period. An abandoned call is one where no agent is available within 2 seconds of the consumer answering.
The civil penalty for a TSR violation was $50,120 in 2023 and rose to $51,744 in 2024 under the FTC's annual inflation adjustment.[6] These are per-call penalties. There is no per-campaign cap.
For more on what the telemarketing sales rule is designed to do, including its original intent, that article traces the TSR from its 1995 start to the 2024 amendments on AI-generated voices.
Who is exempt from federal telemarketing rules?
Exemptions exist. They are narrower than most salespeople think.
The TSR exempts calls to businesses in most cases. B2B telemarketing (calling a business to sell to that business) sits largely outside TSR scope, with real exceptions: calls to sole proprietors can still be covered because the person is both the business and the consumer, and calls involving categories like investment fraud or business opportunities stay under the TSR regardless of who answers.[2]
The TCPA has no blanket B2B exemption. If you are auto-dialing a cell phone that happens to belong to a business owner, the TCPA consent rules still apply, because the number is a cell phone, not because of who owns the business. This catches a lot of B2B teams off guard. Our breakdown of B2B cold calling rules shows exactly where the line sits.
Other partial TSR exemptions include calls to existing customers (the established business relationship exemption), calls from nonprofit organizations (though for-profit callers soliciting on behalf of nonprofits are often still covered), and calls that are entirely intrastate (though state rules usually fill that gap).
The FCC's TCPA rules include an established business relationship (EBR) exemption for prerecorded calls to residential landlines. The EBR does NOT extend to autodialed or prerecorded telemarketing calls to cell phones. This is one of the most expensive misconceptions in outbound sales.
Government entities, political organizations, and certain survey callers get narrower exemptions on specific TCPA provisions. None of these are blanket passes. Each carries conditions.
What are the National Do Not Call Registry rules every caller must follow?
The National DNC Registry, run at donotcall.gov, lets consumers register their numbers to opt out of most commercial telemarketing calls. Once a number has been on the registry for 31 days, you cannot call it for telemarketing unless you have an established business relationship (a transaction within the past 18 months, or an inquiry within the past 3 months) or the person gave you written permission to call.[3]
Access costs money. Under the FTC's current fee schedule, access is free for up to 5 area codes per organization per year. Beyond that, organizations pay roughly $70 per area code per year (the FTC adjusts this annually). There is an annual cap, in recent years around $18,000 to $19,000 for unlimited national access.[3]
Re-scrub your call lists against the registry at least every 31 days. Scrub once, sit on that clean list for six months, and you have a violation.
Separate from the national registry, you must keep an internal company-specific DNC list. Anyone who says they do not want to be called by your company goes on that list within 30 days and does not get called again. This obligation stands even if the person is not on the national registry.
The FTC has brought DNC enforcement actions running into tens of millions of dollars. One 2023 action against a lead generation operation produced a $17.3 million judgment.[7] That is not a typo.
| Requirement | National DNC Registry | Company-Specific DNC |
|---|---|---|
| Who maintains it | FTC / FCC | Your company |
| How to add a number | Consumer self-registers | Consumer requests removal |
| Scrub frequency required | Every 31 days | Honor within 30 days of request |
| How long you must honor | Indefinitely (unless EBR) | At least 5 years |
| Cost to access | Free up to 5 area codes/yr | N/A (internal list) |
For an operational guide to scrubbing, timing, and documentation, see cold calling, which covers the pre-call compliance checklist in full.
What are the TCPA penalties, and how does private litigation actually work?
The penalty math is what makes the TCPA the most-litigated consumer protection statute in the country.
Statutory damages under 47 USC 227(b)(3) are $500 per violation. If the court finds the violation willful or knowing, it can triple that to $1,500 per violation. No per-person cap. No per-campaign cap. A campaign that sent 100,000 texts to people without proper consent can carry $50 million in statutory exposure before any trebling.[1]
Unlike the TSR, private citizens can sue under the TCPA with no agency involvement. That has built an entire plaintiffs' bar that hunts for TCPA violations. Class actions are common. A single autodialed marketing text to a cell phone, sent to enough people without proper consent, is a class action waiting to happen.
FCC enforcement stacks civil monetary penalties on top of private litigation. The FCC's 2024 enforcement actions included a $6 million consent decree with a travel company over illegal robocalls.[8]
Most TCPA cases settle. Publicly available settlement data from 2018 to 2023 shows median TCPA class action settlements in the $4 million to $9 million range, though the spread is wide. Most small-to-mid business defendants settle for far less, because defense cost alone drives settlement. A solo plaintiff suing over 10 texts wants a few thousand dollars. A class of 500,000 consumers is a different conversation.
Documentation is your first line of defense. Produce consent records showing who consented, when, how, and to what disclosure language, and you can beat many TCPA claims before discovery. Without them, you are fighting on the merits of whether consent existed, which is slow and expensive and uncertain.
For penalty math and recent case outcomes, the penalties and lawsuits section of this site goes deeper on litigation strategy.
What time restrictions apply to telemarketing calls and texts?
Federal rules set a floor. The TSR bans calls before 8 a.m. or after 9 p.m. local time at the called party's location.[2] The FCC's TCPA rules apply the same window to autodialed and prerecorded calls under 47 CFR 64.1200.
Texts count as calls under the TCPA, so the same 8 a.m. to 9 p.m. window covers autodialed marketing texts to cell phones.
"Local time at the called party's location" is where teams get sloppy. You need the time zone of the number you are calling, not the zone your office sits in. Call a 480 number (Arizona) at 8:30 a.m. from New York and it is 5:30 a.m. there. That is a violation.
Several states run tighter. Florida keeps the 8 a.m. to 9 p.m. window like the federal rule, but some state laws narrow it to 9 a.m. or 8 p.m. cutoffs. Check the law for the state where your prospect sits, not where you dial from.
For a full time zone mapping guide and how to handle ambiguous area codes, see TCPA quiet hours.
One practical note. Even inside legal hours, dialing 8:00 a.m. sharp on a weekday breeds complaints and internal DNC requests. Compliance is the floor, not a performance strategy.
How do AI-generated voices and robocalls fit into telemarketing rules?
This is moving fast. The FCC issued a declaratory ruling in February 2024 confirming that calls using AI-generated voices are "artificial or prerecorded" voices under the TCPA. That means any AI voice call to a cell phone for telemarketing needs prior express written consent, the same as a traditional prerecorded message.[8]
The FTC updated the TSR in 2024 to address AI voice cloning in telemarketing. The rule now treats a call using a voice cloned or generated to impersonate another person as its own category of deceptive practice.[6]
Several states moved faster. Indiana, Texas, and California enacted specific restrictions on AI-generated voice calls in 2023 and 2024, with Indiana's law setting disclosure requirements past the federal baseline.
For outbound teams running AI-powered dialers or voice agents, the consent and disclosure rules are the same as for prerecorded calls. There is no "it sounds human, so it is not a robocall" exemption. The FCC's 2024 ruling is explicit on this.
The practical upshot for AI cold calling: if your platform uses any AI voice synthesis, treat every outbound call as a prerecorded message for consent purposes. Get written consent before the call, not during it.
For how the FTC's 2024 amendments changed operational rules for outbound teams, see FTC Telemarketing Sales Rule, B2B calls, and AI voice in 2024.
What state telemarketing laws add requirements on top of federal rules?
State law is where compliance programs most often have holes. Federal rules are the floor. A good number of states built walls higher than that floor.
Florida's Telephone Solicitation Act (FTSA), amended heavily in 2021, is probably the most talked-about state telemarketing law right now. It requires prior express written consent for any autodialed or prerecorded call or text to a Florida phone number, mirrors many TCPA provisions, and creates a private right of action with $500 per call statutory damages. The FTSA set off a wave of class actions in 2021 and 2022. Florida amended it again in 2023 to narrow the private right of action somewhat. It stays a high-risk state.
California layers its rules on top of the CCPA. The CCPA is mainly a data privacy law, but its opt-out and sale-of-data provisions bump into outbound telemarketing when you use purchased lists. Buy a lead list with California residents' cell phones, and the consent those consumers gave to the original collector may not transfer to you in any form that satisfies TCPA consent.
Washington, Virginia, and Colorado carry similar data-privacy complications for outbound telemarketers.
Texas and Indiana, as noted above, have specific AI voice requirements.
New York runs a separate Do Not Call registry alongside the national one. Some states with their own registries also require faster suppression than the federal 31-day window.
The practical move for small teams: pull your top five states by call volume, read the statute for each, and add anything past the federal baseline to your checklist. You cannot memorize 50 states. You can pin down your actual exposure.
| State | Key additional requirement vs. federal | Private right of action? |
|---|---|---|
| Florida | Written consent for all autodialed/prerecorded calls and texts | Yes ($500/call) |
| California | CCPA data provenance issues for purchased lists | Yes (via CCPA for data; TCPA for calls) |
| New York | Separate state DNC registry | No (state AG enforces) |
| Texas | AI voice disclosure requirements (2024) | Limited |
| Indiana | AI voice consent requirements (2024) | No (AG enforces) |
What records do you need to keep to defend a telemarketing compliance program?
The TSR requires telemarketers to keep records for 24 months (2 years) after the records are made.[2] The FTC can subpoena those records in an investigation. TCPA consent records should be kept at least as long, and given the 4-year federal statute of limitations on TCPA claims, most compliance-minded teams keep them 4 to 5 years.
Here is what to keep.
Consent records. For every person you contact by autodialer or prerecorded message, document who consented, what disclosure language they saw, when they consented, and through what channel (web form, signed document, recorded verbal consent). The exact disclosure language matters, because consent is only valid if the disclosure matched the FCC's required elements.
DNC scrub logs. Date and source of each scrub, which list version you used, and which numbers got suppressed. If you cannot prove you scrubbed, the scrub did not happen.
Call records. Who was called, at what time (in the called party's local time), by whom, and with what result. For abandoned call rate compliance, you need per-campaign disposition data.
Internal DNC requests. Name, number, date received, date added to suppression. The 30-day clock starts from the request date.
Scripts and promotional materials. Every script your agents use, especially disclosures. If the FTC investigates and the script lacks the required disclosures, that script is your evidence of what was said.
LeadCompliant's free compliance kit includes documentation templates for consent records, DNC logs, and scrub attestations you can adapt to your CRM or dialer. Keeping records in a format you can export and hand over matters as much as keeping them at all.
For cold calling scripts with the required TSR disclosures baked in, that resource has compliant templates you can hand a new rep on day one.
What should a small outbound team actually do to comply, step by step?
Here is the honest answer for a team of five to twenty people running outbound calls or SMS. This is not legal advice. A lawyer who specializes in TCPA and TSR should review your specific setup. These are the steps any serious practitioner would tell you to take.
Step 1: Classify your calls. Are you dialing manually (agent clicks to dial) or using an autodialer or prerecorded message? Are you texting? Are you calling cell phones or landlines? Each combination carries different consent requirements. Write it down.
Step 2: Map your consent flow. For every channel and method above, trace where consent gets collected, what language shows, and where the record lands. If there is a step where consent is assumed but not documented, fix that first.
Step 3: Scrub against the DNC registry. Register at donotcall.gov, download the lists for the area codes you call, and run suppression before every campaign. Set a calendar reminder to re-scrub every 30 days.
Step 4: Set calling hours in your dialer. Configure it to restrict calls to 8 a.m. to 9 p.m. in the called party's time zone. Most modern dialers have this setting. Enable it and verify it.
Step 5: Train reps on required disclosures. The TSR's opening disclosure (name, company, purpose) is not optional. Put it at the top of the script, not buried later.
Step 6: Build your internal DNC process. Anyone who says "don't call me" goes on your suppression list within 30 days. Log who added it and when.
Step 7: Keep records. Consent logs, DNC scrub logs, call logs, scripts. At least 4 years for TCPA exposure, 2 years minimum for TSR.
Step 8: Review state law for your top call markets. Florida and California alone cover enough potential plaintiffs to earn the hour.
LeadCompliant's one-time compliance kit has a checklist version of these steps, plus consent language templates and a DNC log template, if you want a structured starting point instead of building from scratch.
For structuring the call itself, see what is cold calling in sales and the cold call script resources for compliant opening approaches.
Frequently asked questions
Does the TCPA apply to B2B calls?
The TCPA's autodialer and prerecorded message rules apply to the phone number called, not the purpose of the call. If you are autodialing or sending prerecorded messages to a cell phone owned by a business owner or employee, the TCPA consent rules still apply. The TSR has broader B2B exemptions, but there is no blanket TCPA B2B carve-out. Manual live-agent calls to business numbers face fewer TCPA restrictions.
What is prior express written consent under the TCPA?
Prior express written consent is a signed or electronically executed agreement, clearly disclosing that the signer agrees to receive autodialed or prerecorded telemarketing calls or texts from a specific company at the number provided. It cannot be a condition of purchase. The disclosure must be clear and conspicuous. A general terms-of-service checkbox that is not specifically about autodialed calls typically does not qualify.
How much does it cost to access the National Do Not Call Registry?
Access is free for up to 5 area codes per organization per year. Beyond that, the FTC charges roughly $70 per area code per year, with an annual national access cap around $18,000 to $19,000. The FTC adjusts these fees periodically. You can register and access the registry at donotcall.gov.
What is the penalty for violating the FTC Telemarketing Sales Rule?
The civil penalty for a TSR violation is $51,744 per violation as of 2024, after the FTC's annual inflation adjustment. Each individual call can be a separate violation. The FTC also seeks injunctive relief and disgorgement of profits. State attorneys general can bring TSR enforcement actions in federal court on behalf of their residents.
Can I call someone who is on the Do Not Call Registry if they are an existing customer?
Yes, under the established business relationship (EBR) exemption. If a consumer bought from you within the past 18 months, or made an inquiry within the past 3 months, you can still call them even if they are on the national DNC registry. But if they told your company specifically not to call, your internal DNC obligation overrides the EBR exemption.
Are text messages covered by the TCPA?
Yes. The FCC confirmed that text messages sent by an autodialer to a cell phone are calls under the TCPA. Autodialed marketing texts require prior express written consent, must respect the 8 a.m. to 9 p.m. calling hours, and carry the same $500 to $1,500 per message statutory damages. Manual peer-to-peer texts are generally not covered, but the line between manual and automated texting is contested.
What does the TSR require me to say at the start of a telemarketing call?
Under 16 CFR 310.4(d), you must promptly disclose your name, the company you represent, and that the purpose of the call is to sell something. You cannot wait until after rapport-building to make these disclosures. Failing to make them promptly is an abusive practice under the TSR. When a prerecorded message is used, the same disclosures must appear in the recording.
How often do I need to scrub my call list against the Do Not Call Registry?
At minimum every 31 days. The TSR requires that you access and use registry data no older than 31 days before any call is made. Many compliance-focused teams scrub weekly, especially on large, active campaigns. Using a stale scrub is a violation even if the numbers were clean when you first pulled them.
Does an established business relationship let me ignore the TCPA's consent requirement for cell phones?
No. The EBR exemption applies to the national DNC registry and to prerecorded calls to residential landlines, but it does not create permission to autodial or send prerecorded messages to cell phones without prior express written consent. This is one of the most common and expensive TCPA misconceptions. Cell phone consent requirements stand regardless of prior purchase history.
What are the calling hour rules for telemarketing texts and calls?
Both the TSR and FCC rules prohibit calls and autodialed texts before 8 a.m. or after 9 p.m. in the called party's local time zone. Several states run stricter: some require 9 a.m. starts or 8 p.m. cutoffs. Use the time zone where the consumer is located, not where you dial from. Configure your platform to enforce this automatically. Do not rely on reps to track time zones by hand.
Do telemarketing rules apply to nonprofits?
Nonprofit organizations making calls for charitable solicitations are partially exempt from the TSR, not fully. When for-profit telemarketers make calls on behalf of nonprofits, those calls can still be covered by the TSR. The TCPA's autodialer and prerecorded message rules apply regardless of whether the caller is a nonprofit. Nonprofits also carry limited exemptions from the national DNC registry rules under the TSR.
What records do I need to keep to prove TCPA and TSR compliance?
Keep consent records (who consented, when, what disclosure language, through what channel), DNC scrub logs (date, list version, suppressed numbers), call records (who was called, when, time zone, outcome), internal DNC requests and processing dates, and any scripts or promotional materials used. The TSR requires 24-month retention. For TCPA claims, keep records at least 4 years given the federal statute of limitations.
Sources
- Cornell Law School / Legal Information Institute, 47 USC 227 (TCPA full statute text): TCPA statutory damages are $500 per violation, trebled to $1,500 for willful violations, with a private right of action
- FTC, Telemarketing Sales Rule (16 CFR Part 310): TSR requires calls only between 8 a.m. and 9 p.m. local time, prompt disclosure of name/company/purpose, DNC compliance, and 2-year record retention
- FTC / FCC, National Do Not Call Registry (donotcall.gov): More than 240 million phone numbers registered on the national DNC registry; access free for up to 5 area codes per year
- Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court narrowed the ATDS definition in 2021, requiring that a system store or produce numbers using a random or sequential number generator to qualify
- Cornell Law School / Legal Information Institute, 47 CFR 64.1200 (FCC TCPA rules): Prior express written consent required for autodialed or prerecorded telemarketing calls and texts to cell phones; cannot be condition of purchase
- FTC, Telemarketing Sales Rule civil penalty adjustments 2024: TSR civil penalty adjusted to $51,744 per violation in 2024 per the FTC's annual inflation adjustment
- FTC, Press Releases (2023 lead generation DNC enforcement action): 2023 FTC enforcement action against a lead generation operation resulted in a $17.3 million judgment for DNC violations
- Cornell Law School / Legal Information Institute, 15 USC 6101 (Telemarketing and Consumer Fraud and Abuse Prevention Act): 15 USC 6101 is the congressional mandate authorizing the FTC to promulgate the Telemarketing Sales Rule
- FTC, Do Not Call Registry fees and access rules: DNC registry access costs approximately $70 per area code per year beyond the free 5-area-code allotment, with a national access cap around $18,000 to $19,000 annually