Does TCPA consent expire and when does it run out?

TCPA consent has no set expiration date in the statute, but courts and FCC rules say it can expire. Here's exactly when and how it lapses.

LeadCompliant Team
22 min read
In This Article

Last updated 2026-07-11

Person reviewing phone call records at a desk, TCPA consent audit in progress
Person reviewing phone call records at a desk, TCPA consent audit in progress

TL;DR

TCPA consent has no explicit expiration date written into 47 U.S.C. 227, but it absolutely can expire. A consumer can revoke consent at any time by any reasonable means, effective immediately. Courts have also found consent stale when years pass, the business relationship ends, or the contact number changes hands. Treat consent as living, not permanent.

The short answer: nothing. The statute, 47 U.S.C. 227, never uses the word "expire" in connection with consent. Congress wrote a law that tells you what requires consent (autodialed or prerecorded calls to cell phones, certain texts, calls to residential lines for telemarketing) and then handed the duration question almost entirely to the FCC and to courts [1].

That silence has caused real grief for outbound teams. Plenty of operators read it as permission to treat a five-year-old opt-in as fully valid today. Courts have been less generous. The FCC's 2015 Declaratory Ruling and Order made two things plain: consumers may revoke consent at any time through any reasonable means, and that revocation is effective immediately, not at some future convenient point [2]. So even without a statutory clock, consent can vanish two ways. The consumer revokes it. Or a court decides the original consent no longer fits the current situation.

If you are building a tcpa compliance program from scratch, assume consent is temporary. That posture is far safer than assuming it lasts forever.

Yes, and the FCC's 2015 order is unusually clear here. The Commission ruled that "consumers have the right to revoke their prior express consent at any time and through any reasonable means" [2]. That language is not hedged. A text reply of STOP, a spoken request on a recorded call, an email to a customer service address, or a written letter all count, as long as they clearly say the consumer wants the contact to stop.

A 2024 FCC order standardized revocation for text messages. Callers must honor opt-out requests within 10 business days, and they cannot send any message after a STOP request except a single, one-time confirmation [3]. That confirmation cannot carry any marketing content.

Companies get sued in the gap between receiving a revocation and their systems acting on it. Collectors and marketers have lost big TCPA cases because a consumer opted out on a phone call and the company kept running a separate SMS campaign that the call-center system never told the text platform about. Each message sent after a valid revocation is a separate statutory violation. Statutory damages run $500 to $1,500 per message [1].

So treat every consumer communication channel as a possible opt-out vector. Build your systems so any revocation spreads across all channels within hours, not days.

This is where the law gets genuinely murky, and nobody should pretend otherwise. No FCC rule says consent is valid for exactly X years. Courts have filled that gap inconsistently.

Several courts have borrowed a "reasonable time" standard from contract law: consent given for one business purpose does not automatically stretch to changed circumstances forever. The clearest judicial thread runs through reassigned numbers. When a cell number moves to a new subscriber, the original subscriber's consent obviously does not follow it to the stranger who now owns that line. The FCC's 2015 order addressed this directly, and the D.C. Circuit later modified it in ACA International v. FCC (2018), striking down the FCC's one-call safe harbor as arbitrary while leaving intact the principle that consent tied to a specific consumer does not survive reassignment [4].

For consent that was never revoked and a number that never changed hands, the honest answer is that courts have set no bright-line expiration date. What they do instead is look at whether the consent was knowing and clear at the time, whether the relationship that generated it is still alive, and whether the calls match the scope of what the consumer agreed to. A 2019 consent to receive loan offers does not obviously cover a 2025 call about a different product from a company that bought the original creditor's portfolio.

Here is a practical benchmark. Most compliance attorneys I have seen recommend treating consent older than 18 to 24 months as suspect once the underlying business relationship has ended. That is not a legal rule. It is a risk posture, built on how plaintiffs argue staleness and how juries react.

TCPA consent validity risk by scenario Risk score (1 = low, 5 = high) based on FCC rulings and case law patterns Number reassigned to new subscrib… 5 Consumer sent STOP / verbal revoc… 5 Account closed 3+ years, no recen… 4 Lead from multi-seller shared con… 4 Account closed 12-18 months ago 3 Active account, consent 2+ years… 2 Active account, consent recent, R… 1 Source: FCC Declaratory Ruling FCC 15-72 (2015), FCC 23-107 (2023), ACA International v. FCC (2018)

Very much so. TCPA cases often turn on whether an existing business relationship (EBR) was present or already ended. Under the FTC's Telemarketing Sales Rule, an EBR lets you call a number on the National Do Not Call Registry for up to 18 months after the last purchase or transaction, or 3 months after the consumer's last inquiry [5]. The TCPA itself does not define EBR duration in identical terms, but the FCC has cited the FTC framework approvingly.

When a business relationship ends, a consumer's reasonable expectation of contact changes with it. Courts have found that express written consent for marketing messages, captured during an active account, does not automatically extend to calls made years after the account closed. If your customer closed their account in 2021 and you are running a win-back campaign in 2025, you are not operating under the same consent umbrella that covered account calls in 2020.

Here is a mental model that holds up. Consent has a scope (what topics), a channel (calls versus texts), and a relationship context (what account or transaction created it). When any of those three shifts substantially, you re-obtain consent. You do not stretch the old one to cover new ground.

For outbound sales teams doing cold calling, that makes list hygiene mandatory, not optional. A recycled list of leads from two or three years ago needs real re-verification, more than a DNC scrub.

What happens when a phone number is reassigned to a new person?

This is one of the most expensive TCPA traps for outbound teams, and it has spawned its own body of case law. When a wireless carrier reassigns a number that used to belong to your consenting customer, the new subscriber has given you zero consent. Autodialed calls to that new subscriber are violations even if you had spotless documentation of the original owner's opt-in [4].

The FCC built a database to fix this: the Reassigned Numbers Database (RND), which carriers populate with numbers that have been disconnected and recycled. The RND launched in 2021, and the FCC made querying it a recognized safe harbor for callers who want to show good faith [6]. Using the RND is not legally required. But failing to use it and then claiming ignorance of reassignment is a much harder defense to run in front of a judge.

The table below shows the consent-validity risk profile across common scenarios:

ScenarioConsent statusKey risk
Original consumer, never revoked, active accountLikely validScope drift if product changes
Original consumer, account closed 12 months agoUncertainStaleness argument; EBR expired
Original consumer, account closed 3+ years agoHigh riskCourts may find consent stale
Number reassigned to new subscriberInvalid entirelyEvery call is a potential violation
Consumer sent STOP textRevoked immediatelyNext message is a violation
Consumer verbally revoked on callRevoked immediatelyApplies to all channels

Querying the RND before each campaign run is one of the cheapest insurance policies you can buy, given that TCPA statutory damages start at $500 per call [1].

Not automatically, and the FCC has been explicit about it. The type of consent you need depends on the type of communication. Prior express written consent is required for autodialed or prerecorded telemarketing calls to cell phones and for marketing text messages [2]. Informational calls (appointment reminders, fraud alerts, package delivery notices) require prior express consent, a lower bar than the written standard.

A consumer who agreed to calls about their account has not agreed to your SMS marketing program. The channels differ, the messages may differ, and courts and the FCC both look at what the consumer understood at the moment of consent. A signature on a paper loan application authorizing calls is not the same as an electronic checkbox agreeing to promotional texts.

For text message marketing, the FCC's 2024 rules added a one-to-one consent requirement: consent given to one seller does not transfer to a different company, even if the two are lead-gen partners [3]. That ended the practice of a consumer checking one box and having their number sold to dozens of marketers. Each company that wants to send marketing texts needs its own direct consent from that consumer.

The FCC's December 2023 Report and Order requires that consent be "logically and topically associated" with the specific seller and subject matter the consumer engaged with at opt-in [3]. The rule ties consent to a single named seller and covers only that seller's communications. (The one-to-one provision faced court challenge and did not take effect on its original schedule, but the standard it describes reflects how the FCC and plaintiffs now read prior express written consent.)

This matters enormously for lead generation companies and the businesses buying those leads. Consent collected through a shared lead form, where a consumer filled out one field and the fine print disclosed thirty potential callers, is legally shaky. Blanket, multi-seller consent does not meet the standard for prior express written consent under the TCPA.

So yes, this thinking clouds the validity of a lot of consent records collected under the old shared-consent model. If your list was built from lead-gen partners who used the shotgun disclosure approach, that consent may already be worthless for TCPA purposes no matter how recently it was collected.

LeadCompliant's free consent checker can help you flag records that were likely collected through shared-consent forms before you work those leads.

Documentation is where most small teams fail. Consent happens in a moment. The lawsuit arrives years later, and the burden of proof sits on the caller to demonstrate valid consent. Courts have ruled that consent records must be specific enough to show who consented, what they consented to, when they consented, through what mechanism, and what disclosure language they saw [2].

Here is what holds up in litigation.

Timestamp and store the IP address of any web form submission. Store a copy of the exact consent language shown at opt-in, more than what your current form says. Record the keyword or short code used for SMS opt-ins, plus the confirmation message you sent back. For voice-captured consent, keep the audio or a verbatim transcript.

For any list bought or obtained from a lead partner, keep documentation showing the original consent named your company as a recipient, not a generic consent-to-contact disclosure. A list that cannot show one-to-one consent attribution is not a list you can safely call or text under the TCPA.

Storage duration is another common gap. The TCPA has a four-year federal statute of limitations under 28 U.S.C. 1658, and some state claims run longer. Keep consent records for at least five years after your last contact with that consumer. Many companies delete records after 18 months for data minimization, then have no defense when a four-year-old call surfaces in litigation [7].

The cash app tcpa class action settlement shows how documentation failures compound into nine-figure exposure.

What happens if you call someone who previously revoked consent?

Each call made after a valid revocation is a separate, standalone TCPA violation. The statute provides $500 per violation and up to $1,500 per willful violation [1]. There is no per-plaintiff cap in individual suits, and class actions aggregate violations across every affected consumer.

Courts have consistently rejected the argument that a caller did not "know" about a revocation when the revocation came through a reasonable channel and the company's internal systems simply failed to act on it. Organizational dysfunction is not a defense to willfulness. If your opt-out system failed to sync between your CRM and your dialer, a court can find willful violation without any evidence that a specific employee chose to ignore the opt-out.

The credit one tcpa settlement shows how fast statutory damages pile up when a dialer keeps calling people who said stop. A single campaign to a list with a few hundred invalid-consent numbers can generate six or seven figures in exposure before anyone files a complaint.

If you discover your system has been contacting people who revoked, stop immediately, document when you found it, and call a TCPA attorney before you do anything else. Self-reporting and remediation do not automatically cut damages, but they matter for the willfulness analysis and for any regulatory proceeding.

Are there any safe harbors that protect callers from expired-consent claims?

A few, and they are narrower than most salespeople want to believe.

The Reassigned Numbers Database safe harbor is real. If a caller queries the RND before a campaign, gets no result indicating reassignment, and then calls, the FCC recognizes that good-faith reliance as a shield against liability to the new subscriber [6]. It covers only the reassignment scenario, not claims by the original subscriber.

For DNC-related claims (as distinct from consent claims), there is a safe harbor under 47 C.F.R. 64.1200 for callers who maintain written policies, train their personnel, and scrub against a DNC list no older than 31 days [8]. That does not protect you if your underlying consent was obtained improperly. The do not call list framework and the TCPA consent framework are separate obligations that overlap but never substitute for each other.

There is no safe harbor for simply having old consent on file. "We had consent at some point" is not a defense if the consent was revoked, if the number changed hands, or if the calls no longer match what the consumer agreed to.

What should small outbound teams do right now to audit their consent records?

Start with the oldest records on your calling or texting list. Sort by consent date and flag anything older than 18 months where the account or underlying relationship is no longer active. That cohort carries the most staleness risk.

Next, run every number through the Reassigned Numbers Database before your next campaign. The FCC set the access fee at $0.005 per query under its initial fee schedule, and that cost is trivial next to a single TCPA judgment [6]. Third-party vendors offer batched RND lookups if your volume is high.

Review how consent was collected for any leads bought from third parties. If the lead provider cannot give you documentation showing your company was specifically named in the disclosure at opt-in, treat those records as unconsented for TCPA purposes. Re-consent them or pull them from your autodialed campaigns.

Build a revocation tracking workflow that connects every consumer communication channel to a single opt-out flag in your CRM. A STOP text, a verbal request, an unsubscribe email, and a dispute run through your mobile phone do not call list scrub should all trigger the same suppression.

LeadCompliant's compliance kit has a consent audit template and a revocation workflow checklist you can adapt for any team size. The goal is to make consent management routine, not an emergency response to a demand letter.

This article is for informational purposes only and is not legal advice. Consult a licensed attorney for guidance on your specific situation.

Frequently asked questions

The TCPA statute sets no automatic expiration date, but courts have found consent effectively stale when a significant period passes after the underlying business relationship ends, when a number is reassigned to a new subscriber, or when calls no longer match the scope of what the consumer originally agreed to. There is no bright-line rule, but consent older than 18 to 24 months after account closure carries meaningful litigation risk.

How long after a consumer says stop must a company honor the opt-out?

For text messages, the FCC's 2024 order requires callers to honor opt-out requests within 10 business days. For calls, the FCC's 2015 ruling said revocation is effective immediately through any reasonable means. In practice, any gap between receiving a revocation and stopping contact is a potential violation window, and each contact made after a valid revocation is a separate TCPA claim at $500 to $1,500 per violation.

No. Courts have consistently held that consent must be clear, knowing, and unambiguous. Hiding a consent renewal in a TOS update that the consumer never actively agreed to does not meet the prior express written consent standard. The FCC requires that consent be affirmative, meaning the consumer takes a deliberate action specifically agreeing to receive the communications in question.

If I buy a lead list, am I responsible for verifying the consent records?

Yes. The TCPA places liability on the company that places the call or sends the text, not solely on the lead provider who collected the consent. If the consent documentation is invalid, missing, or does not name your company as a recipient, you face the same statutory exposure as if no consent existed. Multi-seller blanket consent collected under the old shared-form model is now particularly risky.

Not automatically. The FCC treats calls and texts as distinct communication types requiring consent appropriate to each. Prior express written consent is required for both autodialed marketing calls to cell phones and for marketing texts. Consent given specifically for calls does not automatically extend to a separate SMS marketing program, and the FCC's one-to-one consent standard ties marketing consent to a specific named seller for each channel.

What is the statute of limitations on a TCPA violation involving expired or revoked consent?

The federal statute of limitations for TCPA claims is four years under 28 U.S.C. 1658. Some states allow TCPA-related claims under state consumer protection statutes with potentially different limitations periods. This means you should retain consent records, opt-out logs, and call records for at least five years after the last contact with any consumer to have documentation available if a claim arises.

Verbal consent can support informational or non-telemarketing calls. For autodialed or prerecorded telemarketing calls to cell phones and for marketing texts, the TCPA and FCC rules require prior express written consent, which includes electronic signatures and electronic form submissions. A spoken agreement alone does not meet the written consent standard for telemarketing, though it may cover some informational call categories.

Does the national DNC registry replace the need for TCPA consent?

No. The National Do Not Call Registry and TCPA consent are separate legal frameworks that both apply to outbound calls and texts. A consumer not listed on the DNC registry still has TCPA rights requiring consent for autodialed or prerecorded calls to their cell phone. Being DNC-compliant does not make you TCPA-compliant, and vice versa. Both obligations apply simultaneously to most outbound telemarketing campaigns.

What is the Reassigned Numbers Database and does using it protect against TCPA liability?

The FCC's Reassigned Numbers Database (RND) is a database carriers populate with disconnected and recycled phone numbers. Callers who query the RND before a campaign and receive no reassignment indication get a recognized FCC safe harbor against liability to a new subscriber if the number was in fact reassigned. The safe harbor is narrow: it only covers the reassignment scenario, not revocation or staleness claims from the original consumer.

The FCC's one-to-one consent standard requires that marketing consent be tied to a single, specific seller named at the time of opt-in and logically related to what the consumer was doing when they consented. Consent collected through shared lead forms naming multiple callers does not meet the prior express written consent standard, regardless of when it was collected. Old multi-seller consent records are legally unreliable for TCPA purposes.

How does an existing business relationship affect TCPA consent duration?

An active business relationship supports ongoing contact, and FTC rules under the Telemarketing Sales Rule allow calling a DNC-listed consumer for up to 18 months after a purchase or 3 months after an inquiry. Once that relationship ends, the consent umbrella shrinks. Courts and regulators look at whether calls match the scope and context of the original consent, and purely commercial calls years after account closure face staleness challenges.

You need: the timestamp and IP address of web form submissions, the exact consent language displayed at opt-in (not a current version), the keyword or short code used for SMS opt-ins, audio or transcripts of verbal consent, and documentation from lead partners showing your company was specifically named. Retain all consent and opt-out records for at least five years given the four-year federal statute of limitations on TCPA claims.

No. TCPA consent is tied to a specific telephone number, not a consumer identity. If your customer gets a new phone number, calls to that new number without fresh consent are unconsented, even if the same person owns both numbers. You need to obtain a new, documented consent for the new number before including it in an autodialed or prerecorded campaign.

Sources

  1. Cornell LII / Legal Information Institute, 47 U.S.C. 227 (TCPA statute text): Statutory damages are $500 per violation and up to $1,500 per willful violation; statute text does not set an expiration date for consent
  2. FCC, Report and Order on Consent Revocation and Lead Generator Robocall Rules, FCC 23-107 (December 2023): One-to-one consent standard requires consent tied to a single named seller; opt-out requests must be honored within 10 business days; only one confirmatory text permitted after STOP
  3. U.S. Court of Appeals, D.C. Circuit, ACA International v. FCC, No. 15-1211 (2018): Court struck down the FCC's one-call safe harbor for reassigned numbers as arbitrary but affirmed that consent does not transfer to a new subscriber who receives a reassigned number
  4. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310 (Existing Business Relationship provisions): Existing business relationship allows calling a DNC-listed consumer up to 18 months after last purchase or transaction, or 3 months after last inquiry
  5. FCC, Reassigned Numbers Database, official program information: RND provides safe harbor for callers who query the database before campaigns and receive no reassignment indication; initial query fee set at $0.005 per number
  6. Cornell LII / Legal Information Institute, 28 U.S.C. 1658 (federal statute of limitations): Four-year statute of limitations applies to TCPA claims brought in federal court
  7. FCC, 47 C.F.R. 64.1200, TCPA implementing regulations: Safe harbor for DNC violations available to callers with written policies, trained personnel, and DNC scrubs against lists no older than 31 days; prior express written consent requirements codified
  8. FTC, National Do Not Call Registry, business compliance information: DNC registry and TCPA consent are separate and simultaneous obligations for outbound telemarketers

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit