Last updated 2026-07-09

TL;DR
The Telemarketing Sales Rule requires sellers and telemarketers to keep records for 24 months from the date each record is created. That covers advertising materials, prize recipient lists, employee names, sales records, and proof of verifiable authorization. Missing records is its own FTC violation, separate from any underlying call violation, and can cost up to $51,744 per offense per day.
What is the Telemarketing Sales Rule and who does it apply to?
The Telemarketing Sales Rule (TSR) is a federal regulation the Federal Trade Commission issued under the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101-6108 [1]. The rule lives at 16 C.F.R. Part 310. It reaches two parties: sellers (companies whose goods or services are being sold) and telemarketers (the companies or people making the calls on a seller's behalf) [2].
Both carry their own obligations. A seller cannot hand its TSR liability to a call center. If your vendor dials to promote your product, you are still the seller, and you are still on the hook for record retention.
The rule covers outbound calls to consumers selling goods or services, calls soliciting charitable contributions, and upsells made during otherwise inbound calls. Purely business-to-business calls with no consumer target sit outside it. The FTC still reads the rule broadly, and it has applied it to any campaign where consumers can be reached.
If you run cold calling campaigns for outbound sales, the TSR almost certainly applies to you.
How long does the Telemarketing Sales Rule require you to keep records?
The Telemarketing Sales Rule requires 24 months of record retention. That clock runs from the date a record is created, not from the date a campaign ends or a complaint gets filed [2].
This is a hard floor. The FTC does not grade on a curve. If an investigator asks for a record and you cannot hand it over because you purged it at 18 months, that gap is itself a violation of 16 C.F.R. § 310.5.
Many compliance attorneys keep records longer, especially consent records, because TCPA litigation can surface years after a call. The TSR sets the minimum. Your litigation exposure argues for more. Nobody has a clean public dataset on how often FTC investigations open more than 24 months after a campaign, but the general federal civil penalty statute of limitations is five years under 28 U.S.C. § 2462, which is a practical reason to hold records at least that long.
The 24-month clock resets each time a record is modified or updated. That matters for ongoing employee lists and evolving do-not-call suppression files.
What specific records does the TSR require you to keep?
Section 310.5(a) of the TSR names the categories precisely. Here is what you have to keep [2].
Advertising and promotional materials. Every piece of advertising or promotional material used in a campaign. Scripts count. So do email teasers, direct mail pieces, and any web pages that funnel inbound calls into a telemarketing flow.
Prize recipient information. If your campaign hands out a prize, gift, or sweepstakes entry, keep the name and address of every recipient, plus the prize description and its stated value.
Sales records. The name and last known address of each customer, the goods or services bought, the date and dollar amount of each purchase, and the payment method.
Employee records. The name, any fictitious name used, last known home address, and telephone number of every person working as a telemarketer, plus the period of employment.
Verifiable authorization records. For any charge to a customer account, keep evidence of the customer's express informed consent. This is the record that saves you in a billing dispute.
Donor records (charitable solicitations). Name, address, and amount donated by each person who gave during a campaign.
The FTC can ask for any of these at any time. The rule does not dictate a format, so electronic records are fine as long as they are retrievable and legible.
| Record Category | What to Keep | Retention Period |
|---|---|---|
| Advertising/promotional materials | Scripts, mailers, web pages used to generate calls | 24 months from creation |
| Prize recipient info | Name, address, prize description, stated value | 24 months from creation |
| Customer sales records | Name, address, purchase date, amount, payment type | 24 months from creation |
| Employee/telemarketer records | Real name, alias, address, phone, employment dates | 24 months from creation |
| Verifiable authorization | Express informed consent evidence per transaction | 24 months from creation |
| Donor records | Name, address, donation amount | 24 months from creation |
Who is responsible for TSR record retention: the seller or the telemarketer?
Both. The TSR puts the record-keeping duty on sellers and telemarketers independently [2]. That creates some duplication on purpose. The FTC wants at least two parties holding records so neither can plead ignorance.
The seller owns records tied to its campaign and its customers. The telemarketer owns records it creates during the call: call logs, employee records for its own staff, and any consent it collected.
This gets sharp when you work with a lead generation vendor or an outsourced call center. Put it in the contract. Require them to keep records for at least 24 months and deliver copies on request. If the vendor vanishes or refuses to produce records, none of that is a defense in an FTC investigation.
Get your campaign scripts, consent logs, and suppression list pulls in writing, and store your own copies. Do not rest on a vendor's promise to hold the file. For more on how cold calling compliance runs day to day, the obligations go deeper than most teams expect.
What happens if you fail to keep TSR records?
Record-keeping failures under the TSR are civil violations carrying penalties up to $51,744 per violation per day, adjusted periodically for inflation by the FTC [3]. That figure is not a typo. Each day a required record stays unavailable after a request can count as a separate violation.
Section 5 of the FTC Act lets the Commission seek civil penalties in federal court, injunctive relief, and consumer redress. FTC actions rarely target record-keeping failures alone. But a missing record during an investigation of something else, a Do Not Call violation or a deceptive claim, becomes strong evidence of willfulness. Willfulness drives penalties up fast.
In FTC v. Dish Network (N.D. Ill.), the court found the company liable for billions of TSR violations tied to do-not-call rules, ending in a $280 million judgment [4]. That case ran across the full range of TSR obligations, and the court leaned heavily on the call records the parties had kept, or failed to keep.
The reputational hit is real too. FTC complaints are public. Consent decrees are public. Once your name lands on the FTC's telemarketing enforcement list, payment processors and partners notice.
How does TSR record retention overlap with TCPA compliance?
The TSR and the TCPA (Telephone Consumer Protection Act, 47 U.S.C. § 227) [5] are separate regimes that lean on the same paperwork. The FCC and private lawsuits enforce the TCPA. The FTC enforces the TSR. You can break one without breaking the other, and you can break both at once.
Here is the overlap. Both frameworks feed off the same records. Consent logs, call timestamps, DNC suppression pulls, and employee and script records matter for a TCPA defense every bit as much as they matter for TSR compliance. A TCPA class action attorney subpoenas the same documents an FTC investigator requests.
The TCPA has no explicit retention period in the statute. The FCC has addressed consent and DNC compliance in orders like its 2012 omnibus TCPA order [6], but the practical retention window comes from the statute of limitations (four years under 28 U.S.C. § 1658 for federal TCPA claims) rather than a regulatory command.
So, in practice: keep records at least 24 months for the TSR, and keep consent and DNC suppression records at least four to five years for a realistic TCPA defense. If you dial at any real volume, the cost gap between 24 and 48 months of storage is trivial. The litigation gap is not.
What do Do Not Call records look like under the TSR?
The TSR's do-not-call provisions at 16 C.F.R. § 310.4(b) require telemarketers and sellers to keep an entity-specific do-not-call list, honor the National Do Not Call Registry, and suppress company-specific opt-outs inside a set window [2]. The record-keeping duty attaches to all of it.
You need to retain a few things.
Evidence that you accessed the National DNC Registry for the area codes you called, with the date of each access. The FTC expects sellers to scrub against a National DNC list no older than 31 days at the time of the call.
Your internal do-not-call list, including every consumer who asked not to be called, the date of that request, and the phone number they gave. You must honor these requests within 30 days.
Any written do-not-call policies you maintain. The TSR safe harbor at 16 C.F.R. § 310.4(b)(3)(i) requires an established written policy to qualify.
The 24-month retention period applies here too, but your internal DNC list should live indefinitely. Delete a DNC entry after 24 months, re-call that number, and you have a fresh violation. The retention rule is about records. The suppression duty never expires.
For a fuller look at how DNC scrubbing works in practice, understanding what cold calling in sales involves helps frame where the DNC touchpoints fall in a normal workflow.
How should you store TSR records to survive an FTC audit?
The TSR mandates no specific format. Paper works. Digital works. A mix works. What matters is that records are accessible, legible, and traceable to specific campaigns and transactions [2].
Here is what actually holds up under investigation.
Store records in a format that cannot be quietly changed after the fact. Immutable or append-only logs beat editable spreadsheets. If your CRM lets people rewrite call records with no audit trail, fix that.
Tag every record with a campaign identifier and a creation date. When the FTC asks for everything tied to one campaign, you need to pull it cleanly. A giant undifferentiated archive is technically compliant and practically a nightmare.
Keep consent records tied to the individual phone number or customer record. A general policy statement about how you collect consent is not a substitute for a per-record consent log.
Back up offsite or in the cloud. The FTC will not accept a dead hard drive as a reason a record is missing. The blunt version compliance counsel repeat is simple: if you can't produce the record, for FTC purposes it doesn't exist.
If you build this from scratch, LeadCompliant's free compliance kit has a TSR record retention checklist that maps each 16 C.F.R. § 310.5 category to a concrete storage action. It is a reasonable starting point before you bring in outside counsel.
If you use AI cold calling tools, confirm the platform exports call logs and consent records in a format you can store and retrieve on your own. Vendor lock-in on your records is a compliance risk.
Are there state law record retention requirements that go further than the TSR?
Yes. Several states run telemarketing statutes with retention rules that differ from or exceed the TSR's 24-month standard [7].
Florida's Telemarketing Act requires sellers to keep records for two years, matching the TSR [8]. But Florida regulators enforce aggressively, which makes thorough records matter more in practice than the baseline suggests.
California adds friction. Its Automatic Dialing-Announcing Device rules plus the broader CCPA/CPRA framework layer on data retention and deletion duties that sit awkwardly against the TSR's keep-everything-for-24-months logic. Under CPRA, consumers can request deletion of personal data, while you may have a competing duty to keep that same data as a TSR transaction record [9]. Sorting that out takes counsel and a written policy.
Texas's Business & Commerce Code Chapter 304 adds telemarketing registration and record-keeping requirements that run alongside the federal TSR [10].
The practical move: treat 24 months as your national floor, list every state where you dial, check that state's telemarketing statute, and write down the reconciled retention schedule. For multi-state teams, a compliance matrix is worth building once and updating each year.
What records do you need for a TSR safe harbor defense?
The TSR gives sellers and telemarketers a limited safe harbor from do-not-call violations if they can show procedural compliance [2]. Under 16 C.F.R. § 310.4(b)(3), the safe harbor asks for:
1. A written do-not-call policy with training procedures. 2. A company-specific do-not-call list, accessible and updated within 30 days of a request. 3. Access to the National DNC Registry no more than 31 days before calling. 4. Procedures maintained to prevent do-not-call errors, with any violation resulting from an error despite those procedures. 5. Proof that the error was a good-faith mistake, not a policy gap.
To raise this defense, you need records proving each element existed before the call that triggered the complaint. A policy written the day after an investigation opens is not a defense. A DNC list pull timestamped before the call is.
This is where record-keeping stops being a cost and becomes a litigation asset. A team with clean records sits in a completely different position than a team without, even when the underlying call error was identical.
If you are drafting outbound programs, reviewing cold calling scripts with proper disclosure language is a good parallel step, because the script itself is a TSR record you have to retain.
How does the FTC actually enforce TSR record retention violations?
FTC enforcement follows a few predictable paths. Civil investigative demands (CIDs) are the usual opening move. A CID is a subpoena requiring you to produce documents, answer interrogatories, or appear for testimony [11]. If one lands, your 24-month record set is the first thing you go find.
The Commission also runs investigations of registered telemarketers and sellers, especially when consumers file complaints through the FTC's complaint portal. The National Do Not Call Registry complaint database feeds straight into FTC monitoring.
When the FTC finds record-keeping violations, the outcomes range widely. Minor or first-time issues can draw a warning letter. Bigger ones lead to consent decrees with mandated compliance programs and years of reporting. The worst end in federal court and civil penalties.
The penalty math is the whole story. At $51,744 per violation [3], a campaign with thousands of calls and thin records can rack up theoretical penalties in the millions before anyone even reaches the underlying substantive violation. That is how the FTC gets to nine-figure consent decrees.
The best public window into all this is the FTC's case and proceedings library, which lists active cases and consent orders with the underlying complaint documents [11]. Read two or three complaints if you run any outbound program. It is worth an hour.
What is the fastest way to build a compliant TSR record retention system?
Start with a record inventory. List every TSR category from 16 C.F.R. § 310.5(a), then find where each record lives in your systems, or admit it lives nowhere. Most small teams spot three or four gaps right away.
Then assign ownership. Retention fails when it is everyone's job, because that means it is no one's job. One person, or one role, should own the retention schedule and answer for any regulatory request.
Automate what you can. Your CRM should timestamp every record. Your consent platform should log every opt-in with the phone number, timestamp, IP address, and the exact disclosure the consumer saw. Store call recordings with their metadata attached: number called, agent ID, campaign ID, date and time.
Set a calendar reminder 18 months out from your oldest record batch. At 18 months, review what you hold, confirm the 24-month clock on each category, and decide whether litigation risk justifies keeping it longer.
If you are building this from the ground up, LeadCompliant's compliance kit at leadcompliant.com includes a TSR record retention checklist and a free DNC scrubbing tool. Use it as a starting framework, then have counsel review your final policy.
Test your retrieval once a year. Pick a random campaign from 18 months ago and try to pull every required record inside 48 hours. If you cannot, you found your gaps before the FTC did.
Record retention is the unglamorous foundation that makes the rest of cold calling compliance defensible.
Frequently asked questions
The Telemarketing Sales Rule has a record retention period of how long?
The TSR requires sellers and telemarketers to keep records for 24 months from the date each record is created. This covers advertising materials, sales records, employee records, prize recipient information, and verifiable authorization documents. The 24-month period is a federal minimum under 16 C.F.R. § 310.5; state laws or litigation risk may push you to keep records longer.
Does the 24-month TSR record retention period start from the campaign end date or the record creation date?
It starts from the date the record is created, not when the campaign ends. If a sales record is created on January 1, 2024, you must keep it until at least January 1, 2026, no matter when the campaign wrapped. When a record is updated or modified, the clock arguably resets on the modified version.
Who enforces TSR record retention requirements?
The Federal Trade Commission enforces the Telemarketing Sales Rule, including the record-keeping provisions at 16 C.F.R. § 310.5. The FTC can issue civil investigative demands, seek civil penalties in federal court up to $51,744 per violation, and require injunctive relief. State attorneys general also have concurrent authority to enforce the TSR under 15 U.S.C. § 6103.
Are digital or electronic records acceptable under the TSR?
Yes. The TSR does not specify a storage format, so electronic records are fully acceptable. What matters is that records are legible, retrievable, and not easily altered after creation without an audit trail. Cloud storage, CRM-based records, and call recording platforms all work, as long as you can produce the records on request and attribute them to specific campaigns and transactions.
Does the TSR record retention rule apply to B2B telemarketing calls?
Mostly no. The TSR primarily covers calls to consumers (individuals). Purely business-to-business telemarketing is generally exempt from the TSR's consumer protections, including the record-keeping provisions. But if your B2B campaign reaches any consumers, or you cannot cleanly separate consumer-targeted calls, the safe move is to treat the campaign as covered and keep TSR-compliant records.
Do I need to keep records if I use a third-party telemarketer to make calls?
Yes. Both sellers and telemarketers carry independent TSR record-keeping duties. As the seller, you cannot delegate your retention obligation to your call center vendor. Require the vendor by contract to keep records for 24 months and deliver copies on demand, and also store your own copies of campaign materials, consent logs, and suppression list pulls.
What happens to TSR record retention obligations if my company closes?
The FTC does not automatically release a company from record-keeping duties because it shuts down. Principals, officers, and successor entities can face liability. If you are winding down, preserve records for the full 24-month period and name someone to answer regulatory requests. Destroying records early is a separate violation and can be treated as obstruction in a federal investigation.
How does TSR record retention interact with CCPA or CPRA consumer deletion requests?
There is real tension here. CCPA/CPRA gives California consumers the right to request deletion of personal data. The TSR requires you to keep transaction and consent records for 24 months. California's privacy law includes exemptions for records held to comply with other legal obligations. Document your position: keep the TSR-required records, delete or anonymize data outside required categories, and have counsel sign off on your reconciled policy.
Do I need to keep internal do-not-call list records forever?
The TSR's 24-month rule applies to records documenting do-not-call requests. But the suppression duty, actually honoring those requests, is permanent. Never delete a phone number from your internal DNC list just because 24 months have passed. In practice: keep the suppression list indefinitely, and understand that the 24-month rule covers the documentation of when and how each entry was added.
What is the penalty for a TSR record retention violation?
Up to $51,744 per violation per day, adjusted by the FTC for inflation under the Federal Civil Penalties Inflation Adjustment Act. Each day a required record stays unavailable after a regulatory request can count as a separate violation. Beyond civil penalties, the FTC can seek injunctive relief, consumer redress, and multi-year compliance reporting through a consent decree.
Does the TSR require keeping call recordings, or just call logs?
The TSR does not explicitly require call recordings. It requires records of sales transactions, employee identities, promotional materials, and consent verification. Call recordings are not legally mandated by the TSR, but they are often the cleanest way to prove consent and what was said on a call. Many compliance attorneys recommend recording all telemarketing calls for exactly that reason.
How does TSR record retention apply to ringless voicemail or text message campaigns?
The FTC has signaled that ringless voicemail drops may fall under the TSR's definition of an outbound call, depending on how they are delivered. SMS campaigns run by companies that also make covered outbound calls sit inside the TSR's broader framework. Either way, keeping the same 24-month records for promotional content, consent, and customer data is the defensible approach while the regulatory read keeps developing.
Can I use a single shared record storage system for both TSR and TCPA compliance?
Yes, and that is usually the right approach. The records that satisfy the TSR (consent logs, call metadata, suppression lists, employee records) double as TCPA defense documentation. Build one system that captures everything, tag records by campaign and regulation, and set retention to satisfy the longer of the two applicable periods. For TCPA, that is typically four to five years given the statute of limitations.
Sources
- FTC: Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101-6108: The TSR was issued under authority of the Telemarketing and Consumer Fraud and Abuse Prevention Act.
- FTC: Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR record retention requirements, do-not-call obligations, and safe harbor provisions at 16 C.F.R. § 310.5 and § 310.4(b).
- FTC: Civil penalty inflation adjustments, current schedule: TSR civil penalties are up to $51,744 per violation, adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act.
- FTC: FTC v. Dish Network LLC enforcement action summary: FTC v. Dish Network resulted in a $280 million judgment for TSR do-not-call violations.
- Cornell Law School LII: Telephone Consumer Protection Act, 47 U.S.C. § 227: The TCPA is a separate federal regime from the TSR, enforced by the FCC and through private lawsuits.
- National Conference of State Legislatures: State Telemarketing Laws: Several states have telemarketing statutes with record retention requirements that differ from the federal TSR.
- Florida Legislature: Florida Telemarketing Act, Chapter 501 Part IV, Florida Statutes: Florida's Telemarketing Act requires sellers to maintain records for 2 years.
- California Privacy Protection Agency: CPRA regulations: California's CPRA creates consumer deletion rights that interact with TSR retention obligations.
- Texas Legislature Online: Texas Business & Commerce Code Chapter 304 (Telemarketing): Texas Business & Commerce Code Chapter 304 imposes telemarketing registration and record-keeping requirements alongside the federal TSR.
- FTC: Cases and proceedings library: The FTC uses civil investigative demands as a primary enforcement tool for TSR violations; case records are publicly available.