FCC 2023 to 2024 TCPA rulemaking: what outbound teams must know

The FCC's 2024 one-to-one consent rule takes effect Jan 27 2025. Here's what changed, what it costs to ignore it, and exactly what to do now.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-11

Person reviewing compliance documents at desk with office phone nearby
Person reviewing compliance documents at desk with office phone nearby

TL;DR

The FCC finalized two big TCPA rulemakings in 2023 and 2024. The largest: a one-to-one consent rule that bans lead generators from selling a single opt-in to multiple sellers, with a January 27, 2025 effective date. A second order confirmed AI-generated voices fall under the TCPA. Both carry FCC forfeitures up to $51,744 per call and private lawsuit exposure.

What did the FCC actually change in 2023 and 2024?

The FCC issued two rulemakings that together make the biggest change to TCPA consent rules in about a decade. One targeted lead generators. The other pulled AI voice tools under the statute.

The first was a December 2023 Report and Order aimed at closing what the Commission itself called the "lead generator loophole." The second, from February 2024, addressed AI-generated voice calls and said plainly that those calls count as "artificial or prerecorded" voices under 47 U.S.C. § 227. That means they need prior express consent to reach cell phones and prior express written consent for telemarketing. [1]

Before 2024, a common lead-gen setup worked like this. A consumer fills out a form on a comparison site, checks one box consenting to contact, and that single consent gets sold to a list of 10, 20, sometimes 50 companies. Every buyer claims valid consent. The 2024 order kills that model. Consent now has to be captured separately for each seller by name, and it has to be "logically and topically" related to the website where the consumer signed up. [2]

The AI voice order stands on its own. If your team uses any AI voice tool for outbound calls, including tools that clone or synthesize a human-sounding voice, those calls now fall under TCPA restrictions no matter whether a live agent joins later. The FCC's February 2024 declaratory ruling dropped AI-generated voices into the "artificial or prerecorded" bucket for the statute. [3]

These are finalized rules, not proposals sitting in a comment window. The one-to-one consent rule had an effective date of January 27, 2025, though a court challenge landed in 2024. More on that below.

The one-to-one consent rule is the centerpiece of the FCC's December 2023 order, formally titled "In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991." It says consent runs to one named seller at a time, not to a marketplace of buyers. [2]

Here is the plain version. When a consumer gives prior express written consent for telemarketing calls or texts, that consent has to name the specific seller who will contact them. You cannot share it. You cannot resell it. The FCC's framing is that consent belongs to one seller, not to a broad category.

The "logically and topically related" piece adds a second layer. If someone visits a home insurance comparison site and consents to calls, that consent covers home insurance sellers. It does not cover mortgage lenders, auto dealers, or anyone else the lead gen company decides to sell to. The website topic has to match the product being sold.

What this means for outbound teams:

  • If you buy leads from aggregators, you need written confirmation that consent was captured for your company by legal name, not a category.
  • If your name was not on the consent page when the consumer opted in, that lead is legally risky to call or text with autodialer technology.
  • Verbal consent captured by a third party is not prior express written consent and never triggers the telemarketing carve-out under 47 U.S.C. § 227(b). [4]

Many compliance attorneys are telling clients to walk away from shared-consent lead gen entirely and capture consent directly on their own web properties or on co-registration pages where the seller's name appears. That is probably the safest path, and honestly the direction this was heading given the litigation history. See the Credit One TCPA settlement for what happens when consent documentation falls apart under scrutiny.

Yes. The Eleventh Circuit stayed the rule days before its effective date, and that is where things got messy.

In January 2025, the U.S. Court of Appeals for the Eleventh Circuit issued a stay of the one-to-one consent rule. The Insurance Marketing Coalition challenged it, arguing the FCC went past its statutory authority under the TCPA. The court paused enforcement while the case proceeds. [5]

That stay does not erase the rule. It puts enforcement on hold pending the appeal. The underlying FCC order stays legally valid unless and until a court vacates it, and the FCC has signaled it plans to defend the rule.

So what do you do with the uncertainty? Most practitioners land in one of two camps. The cautious camp says build toward one-to-one consent anyway, because the litigation risk of relying on shared consent exists whether or not this specific rule survives. Plaintiffs' attorneys were already arguing the shared-consent model was shaky under older FCC guidance. The aggressive camp says wait and see, because if the court vacates the rule, there is no new obligation. Neither position is crazy. Your call should turn on your litigation exposure, how many leads you buy from third parties, and how much your model leans on shared consent.

What is not in dispute: the AI voice order has not been stayed. If you use synthetic or AI-generated voices on outbound calls, those calls need proper consent under the TCPA right now.

How did the FCC's 2024 rulemaking change rules for AI voice calls?

The FCC's February 8, 2024 declaratory ruling answered the question hanging over the industry since AI voice tools went mainstream. Do AI-generated voices count as "artificial or prerecorded" voices under the TCPA? Yes, no hedging. [3]

The practical effect is simple. Any outbound call that uses AI to generate, clone, or synthesize voice audio needs the same consent as a robocall. For calls to cell phones, that means prior express consent. For telemarketing to cell phones, prior express written consent. For residential landlines, you comply with the abandoned call rate rules and the other FCC requirements for prerecorded telemarketing.

Some outbound teams had been running AI-voice tools in ways they figured were safe. AI to generate a greeting before a live agent picks up. Cloned-voice voicemail drops. Both of those now clearly require compliant consent.

The FCC paired the ruling with a note that political robocalls using AI voices, even on landlines, need prior express consent. That answered incidents around the 2024 election cycle involving deepfake audio. Political calls sit outside most outbound sales teams' scope, but the ruling showed how broadly the FCC reads its own authority here.

This ruling was not stayed. It took effect the moment it was released in February 2024. If your team runs any AI voice tool, confirm your consent documentation explicitly covers AI-generated communications, or have a lawyer check whether your existing written consent language is broad enough.

What are the penalties for violating these new FCC rules?

The TCPA's per-violation damages did not change with these rulemakings, but the enforcement context did. The statute allows $500 per violation and up to $1,500 per willful or knowing violation. In class actions, those numbers compound fast. [4]

On the FCC side, the Commission can issue forfeitures independent of private litigation. It adjusts its maximum forfeiture amounts periodically for inflation. As of 2024, the maximum forfeiture for a TCPA violation is $51,744 per call or message. [6] The FCC has used that authority hard, including a 2023 action against a robocall operation that drew a proposed $300 million forfeiture. [10]

Private class actions are the bigger financial threat for most outbound sales teams. A single class action alleging 100,000 unlawful texts at $1,500 each is a $150 million exposure before legal fees. That number rarely survives to verdict. It is the number that drives settlement talks. The Cash App TCPA class action settlement shows how quickly these cases settle and for how much.

The one-to-one consent rule creates a specific paper-trail problem. If the rule is ultimately upheld, any call or text made on shared consent after January 27, 2025 (the original effective date) is potentially a willful violation, because the effective date gave clear notice. Courts have awarded treble damages when defendants knew a rule existed and ignored it.

Here is the safest way to hold it. Treat every consent record as a document you might have to hand a federal judge. If you cannot prove exactly who gave consent, when, to whom, and for what kind of communication, that record is a liability, not an asset.

Key numbers from the FCC's 2023 to 2024 TCPA rulemakings Fines, consent standards, and enforcement figures every outbound team should know 52k Max FCC forfeiture per TCPA violation (2024) 1,500 Private lawsuit damages per willful violation 500 Private lawsuit damages per violation (base) 300 FCC proposed forfeiture vs major robocall operation (2… Source: FCC / 47 U.S.C. § 227 / 47 C.F.R. § 64.1200, 2024

What do these rules mean for SMS and text message campaigns specifically?

Text marketing is where these rules bite hardest. Campaigns lean on bulk lead lists, and regulators and plaintiffs love texts because they are easy to count and easy to prove. See our coverage of text message marketing for the baseline TCPA requirements.

Under the one-to-one consent rule, every person who gets a marketing text via autodialer has to have given prior express written consent to your company specifically. A consent that reads "I agree to be contacted by partners and affiliates" does not cut it under the new standard. Your company name has to appear, and the consumer has to have affirmatively opted in to contact from you. [2]

For transactional texts, the standard is lighter. You need prior express consent (not written), and the message cannot carry advertising or telemarketing content. Slip an upsell into a transactional text and it gets reclassified as telemarketing, which pulls the written consent requirement back in.

The "logically and topically related" element also boxes in cross-selling by text. If someone opted in for loan offers, you probably cannot lawfully text them about insurance products under the new framework, even when your company sells both.

Buying text opt-in lists from third parties? Audit your posture before you send another campaign. The question is not only whether consent was captured. It is whether consent was captured for your company, for this product category, in a format that meets the prior express written consent definition at 47 C.F.R. § 64.1200(f)(9). [9]

This is where the rule gets operational, and most teams underestimate the work.

For teams capturing consent on their own properties, the consent language has to name your company. Generic language like "I consent to be contacted by marketers" or "I consent to calls from [website name] and its partners" no longer works. The disclosure has to be clear, conspicuous, and name the seller before the consumer submits the form. [2]

Here is a framework that holds up:

1. Company name: The exact legal name (or clear DBA) of the entity that will call or text has to appear in the consent language, not buried in fine print elsewhere on the page. 2. Communication type: Say that the consumer agrees to autodialed calls, texts, or AI-generated calls, as applicable. 3. Product or service category: Name the product being offered, which satisfies the "logically and topically related" test. 4. STOP instruction: Every text program needs a clear opt-out, and the consent should acknowledge it exists. 5. No consent to purchase: State plainly that consent is not a condition of purchase, which existing FCC rules already require.

For teams that buy leads, the burden shifts to due diligence. You need a written representation from every lead vendor stating that consent was captured with language that names your company and meets the one-to-one standard. Realistically, most aggregator-style lead sellers cannot provide that for bulk lists, because their model depends on selling the same opt-in to many buyers. If a vendor cannot give you that written assurance, treat those leads as unconsented.

LeadCompliant's free consent language checker is a fair starting point to audit what your forms say before you pay an attorney for a full review.

Document everything and timestamp it. Consent records should carry the consumer's name, phone number, the exact consent language shown, the URL, the IP address, and a timestamp. Keep records at least five years, because the TCPA's four-year statute of limitations plus litigation delays means a live lawsuit can reach back years.

Does the FCC's new rulemaking affect cold calling to landlines or B2B calls?

Less than you might think for pure human-agent calling. The consent rules under 47 U.S.C. § 227(b) apply to automated calls and texts. A human agent making a manual call to a business landline is generally outside the autodialer prohibition, though the Do Not Call provisions at 47 U.S.C. § 227(c) still apply to residential numbers. [4]

For cold calling to residential landlines with a prerecorded or AI-generated voice, the new AI voice ruling matters a lot. Even calling landlines (not cell phones), a prerecorded telemarketing call to a residential line needs prior express written consent. That requirement predated the 2024 rulemakings, but the AI voice ruling now drops any synthetic-voice call into that same bucket.

B2B calls are more complicated. The FCC and courts have generally given calls to business numbers more room, especially when the call is not telemarketing. But if a business number is actually a person's cell phone (common in small business), the cell phone autodialer restrictions apply no matter how you label the call.

For teams running pure human-agent outbound cold calls to verified business numbers, the 2023 and 2024 rulemakings add little. The bigger issue for those teams is still the National DNC Registry and state DNC lists, which apply no matter how a call is placed. Know how to get the Do Not Call list and how often to scrub against it.

What is the FCC's position on the National DNC Registry after these rulemakings?

The 2023 and 2024 rulemakings did not change the core DNC Registry rules, but they live in the same legal environment, so it helps to be clear on what still applies.

The National DNC Registry, maintained by the FTC and enforced by both the FCC and FTC, covers telemarketing calls to residential numbers and personal cell phones. Telemarketers have to scrub lists against the registry every 31 days. DNC violations carry up to $51,744 per call under current penalty schedules, the same ceiling as TCPA forfeitures. [8]

The FCC rulemaking did not touch scrubbing frequency, the residential subscriber definition, or the established business relationship exceptions. Those rules stay as they were under 47 C.F.R. § 64.1200(c) and (d). [9]

Here is where they interact. A consumer on the DNC Registry who gives express written consent to your company can still be contacted for telemarketing. Consent overrides the DNC restriction. But that consent now has to meet the one-to-one standard above. So the DNC scrub is still your baseline check, consent is the override, and the quality of consent needed to invoke that override just got stricter.

For teams relying on DNC-exempt categories like existing business relationships, note that the FCC has repeatedly narrowed how it reads those exemptions. An existing business relationship does not give indefinite cover, and it does not override a consumer's specific written request to stop calls. See more on how the DNC registry interacts with TCPA consent rules.

What should outbound teams do right now, in practical steps?

The court stay tempts some teams to sit tight. That is a defensible short-term move. But some things you should do no matter how the Eleventh Circuit rules.

First, audit your lead sources. For every source you buy from, ask the vendor for documentation showing consent was captured with language that names your company. If they cannot produce it, stop using those leads for autodialed calls and texts until the legal picture clears.

Second, update your own consent forms. Even if the one-to-one rule gets vacated, named-seller consent is better for you, because it gives you cleaner documentation if you are ever sued. Name your company, specify the channel, and include the product category.

Third, audit any AI or synthetic voice tools in your stack. The AI voice ruling is in effect and not stayed. If your team uses AI voice for any outbound calling, confirm your consent language covers it explicitly.

Fourth, build a consent record system. Timestamp every opt-in. Store the URL, IP address, and the exact consent language displayed. If you rely on a third-party lead vendor, get their consent documentation in writing and store it with each record. LeadCompliant's free TCPA compliance kit has a documentation template if you do not have one.

Fifth, train your team. Reps and managers need to understand that buying a lead does not mean consent exists. They should know what to ask when a vendor sells them a list.

Sixth, talk to a TCPA-experienced attorney before you change your business model based on this article. This is legal-adjacent information, not legal advice, and the one-to-one consent litigation is still live.

What happens if the Eleventh Circuit vacates the one-to-one consent rule entirely?

If the court strikes it down, the FCC falls back to its prior guidance on consent. That older guidance allowed consent to be shared across multiple sellers if the consent language was broad enough, though courts split on how broad is broad enough.

Here is the honest read. Pre-2024 TCPA litigation was already eating companies alive without the one-to-one rule. The rule mostly codified practices plaintiffs' attorneys had already been winning on in court. Vacating it does not remove private lawsuit risk. It removes one enforcement mechanism.

A vacatur would probably prompt a new rulemaking too. The FCC under the current chair has been skeptical of some regulatory overreach arguments, but consent reform is bipartisan enough that some version of it likely comes back.

The practical takeaway. Build toward named-seller, documented consent regardless of the court outcome, and you are better off in both regulatory and litigation scenarios. Companies that treat consent documentation as a strategic asset, not a checkbox, are the ones that dodge the six-figure settlements. The Cash App TCPA class action settlement and cases like it show the pattern. Weak consent documentation plus volume equals a class action waiting to happen.

How does this compare to state-level TCPA equivalent laws?

Several states run their own call and text consent laws parallel to or stricter than federal TCPA. Florida's Telephone Solicitation Act, amended in 2021, imposes its own prior express written consent requirement for calls made with an automated system, with a $500 per-call penalty that does not require a showing of willfulness. [7] Oklahoma, Washington, and other states have similar frameworks.

The FCC rulemakings are federal floors, not ceilings. State laws can be stricter, and in several states they already are. If your outbound team calls into Florida, California, or Washington, layer the state requirements on top of the federal ones.

California's Consumer Privacy Act (CCPA) and its amendments also touch consent in ways the FCC rules do not address. If you collect consent data on California residents, the CCPA data handling requirements apply separately from the call and text consent rules.

One way to picture the compliance stack. FCC TCPA rules set the national minimum. State laws may demand stricter consent or lower the penalty thresholds. CCPA and similar state privacy laws govern how you store and share the consent data. You have to be compliant across all three layers at once.

Frequently asked questions

The FCC set January 27, 2025 as the effective date. But the U.S. Court of Appeals for the Eleventh Circuit stayed the rule in January 2025 after the Insurance Marketing Coalition challenged it. The rule is not being enforced right now, though the underlying FCC order stays valid and the appeal is ongoing. Compliance attorneys generally recommend preparing for the rule regardless of the court outcome.

Does the FCC's AI voice ruling apply to voicemail drops?

Yes. The FCC's February 2024 declaratory ruling covers any call using an AI-generated, synthesized, or cloned voice, including ringless voicemail drops. Those calls require prior express consent for cell phones and prior express written consent for telemarketing. The ruling was not stayed and took effect immediately. If your team uses any AI voice tool for voicemail drops, your consent documentation has to explicitly cover that channel.

Can I still buy leads from aggregators after the one-to-one consent rule?

Technically yes, but the leads have to carry consent that names your company. Most aggregator-model sellers capture one consent and sell it to many buyers, which is exactly what the rule targets. To use third-party leads lawfully under the new standard, you need written documentation from the vendor that your company's name appeared in the consent when the consumer opted in. In practice, most aggregator lists cannot meet that.

It means the product or service you are calling or texting about has to match the context in which the consumer gave consent. If a consumer opted in on a mortgage comparison site, consent covers mortgage-related outreach. Using that consent to sell auto insurance or credit cards is not logically and topically related. This requirement was part of the FCC's December 2023 order, designed to stop consent arbitrage across unrelated product categories.

Does the new FCC rulemaking change the rules for B2B cold calling?

Minimally. The TCPA's autodialer restrictions under 47 U.S.C. § 227(b) focus on residential and cell phone calls. Manual, human-agent calls to verified business numbers are largely outside those restrictions. But if you use AI-generated voices on B2B calls, the February 2024 AI voice ruling applies. And if a business contact's number is actually a personal cell phone, cell phone TCPA rules apply regardless of how you label the call.

At minimum: the consumer's name, phone number, the exact text of the consent language shown, the URL where consent was captured, an IP address or other session identifier, and a timestamp. The FCC does not specify a retention period, but the TCPA's four-year statute of limitations means you should keep records at least five years. If you rely on third-party consent, get the vendor's documentation in writing and store it with each lead record.

How does the National DNC Registry interact with the new consent rules?

The DNC scrub is still your baseline requirement for telemarketing to residential and cell numbers. Valid prior express written consent to your company can override a DNC listing, but that consent now needs to meet the one-to-one standard to be safe. Scrub frequency, the 31-day rule, and established business relationship exemptions have not changed. Consent is the override mechanism for DNC restrictions, but the bar for valid consent just got higher.

What is the maximum fine for a TCPA violation in 2024 to 2025?

The FCC's maximum forfeiture per violation is $51,744 as of 2024, adjusted for inflation. Private lawsuit damages under the statute are $500 per violation and up to $1,500 per willful or knowing violation. Class actions aggregating thousands of calls or texts are the primary financial threat for outbound teams, since class-wide exposure can reach millions of dollars before legal fees.

Does the FCC rulemaking affect text message marketing differently than phone calls?

The same consent standards apply to both autodialed calls and texts under 47 U.S.C. § 227(b). Text campaigns face particularly high litigation risk because violations are easy to document: recipients have screenshots, carriers have delivery logs, and plaintiffs' attorneys specifically target bulk text campaigns. The one-to-one consent requirement hits SMS-heavy marketing operations hardest because they tend to rely on third-party opt-in lists.

Prior express written consent is required for telemarketing calls or texts using an autodialer or prerecorded voice to cell phones. It requires a clear and conspicuous disclosure and a written signature (which can be electronic). Prior express consent, the lower standard, covers non-telemarketing autodialed calls to cell phones. The FCC defines prior express written consent at 47 C.F.R. § 64.1200(f)(9). Telemarketing calls always need the written, higher standard.

Are there any safe harbors or exemptions under the new FCC rules?

The existing exemptions remain: calls with prior express consent, calls not using an autodialer or prerecorded voice, emergency calls, and certain government-contracted calls. The established business relationship exemption applies narrowly to residential landline calls, not cell phones. Informational and transactional texts with no advertising qualify for the lower prior express consent standard. None of these exemptions are new; the 2023 and 2024 rulemakings did not create additional safe harbors.

What happened with the FCC's broader robocall rules in this rulemaking period?

The FCC kept pushing its STIR/SHAKEN call authentication mandate and pursued enforcement against spoofed robocall operations across 2023 and 2024. A 2023 action drew a $300 million proposed forfeiture against a robocall operation. The Commission also issued guidance requiring voice service providers to block calls from carriers that fail authentication standards. These network-level rules affect outbound teams indirectly by making it harder for non-compliant calls to reach consumers.

Should I stop all third-party lead buying until the Eleventh Circuit rules?

That depends on your risk tolerance and business model. The safest position is to pause third-party lead buying for autodialed calls and texts until you can document that each lead's consent names your company. If third-party leads are core to your business, get written assurances from vendors and consider calling with a live human agent on leads where consent documentation is unclear, since manual calls fall outside the autodialer prohibition. Neither approach is perfect without attorney guidance.

How do state laws interact with the FCC's federal TCPA rulemakings?

Federal TCPA rules are a floor, not a ceiling. States can impose stricter requirements. Florida's Telephone Solicitation Act, amended in 2021, has its own prior express written consent requirement with $500 per-call penalties that do not require proof of willfulness. California, Washington, and Oklahoma have similar parallel frameworks. Any outbound campaign calling into multiple states needs a compliance review at the state level separately from the federal FCC analysis.

Sources

  1. FCC, In the Matter of Advanced Methods to Target and Eliminate Unlawful Robocalls (February 2024 Declaratory Ruling on AI-Generated Voices): The FCC declared in February 2024 that AI-generated voices constitute 'artificial or prerecorded' voices under the TCPA, requiring prior express consent for cell phone calls and prior express written consent for telemarketing.
  2. FCC, Report and Order: Rules and Regulations Implementing the TCPA (December 2023, one-to-one consent rule): The FCC's December 2023 order requires that TCPA consent be given to one seller at a time and be 'logically and topically related' to the website where consent was captured, closing the lead generator loophole.
  3. 47 U.S.C. § 227, Telephone Consumer Protection Act (via Cornell Legal Information Institute): The TCPA provides $500 per violation and up to $1,500 per willful or knowing violation; requires prior express written consent for autodialed telemarketing calls to cell phones; and establishes the DNC and consent framework.
  4. U.S. Court of Appeals for the Eleventh Circuit, Insurance Marketing Coalition v. FCC (2025 stay order): The Eleventh Circuit issued a stay of the FCC's one-to-one consent rule in January 2025, pausing enforcement while the appeal by the Insurance Marketing Coalition proceeds.
  5. Code of Federal Regulations, FCC Forfeiture Guidelines, 47 C.F.R. § 1.80 (via eCFR): The FCC's maximum forfeiture per TCPA violation is $51,744 as of 2024, adjusted for inflation under 47 C.F.R. § 1.80.
  6. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059 (2021 amendment): Florida's 2021 amendment to the Telephone Solicitation Act imposes its own prior express written consent requirement for automated calls with a $500 per-call penalty that does not require proof of willfulness.
  7. FTC, Telemarketing Sales Rule and National Do Not Call Registry, 16 C.F.R. Part 310: Telemarketers must scrub against the National DNC Registry every 31 days; violations carry per-call penalties aligned with the FCC's inflation-adjusted maximum.
  8. 47 C.F.R. § 64.1200, FCC Regulations Implementing the TCPA (via eCFR): 47 C.F.R. § 64.1200(f)(9) defines 'prior express written consent' and requires a clear and conspicuous disclosure plus an electronic or written signature before autodialed telemarketing calls or texts to cell phones.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit