Last updated 2026-07-09

TL;DR
Keep TCPA consent records at least 4 years. That matches the TCPA's statute of limitations under 28 U.S.C. § 1658, the longest window a plaintiff has to sue you over a call or text. Many compliance attorneys recommend 5 years to cover state-law claims that run longer. Destroy records early and you lose your only defense.
What is the minimum time you must keep TCPA consent records?
Keep them at least 4 years from each call or text. The TCPA itself, 47 U.S.C. § 227, names no retention period. That silence trips people up. Because the statute says nothing, you back into the answer from the statute of limitations, which tells you how long someone can wait before suing. [1]
For federal TCPA claims, that window is 4 years under the general federal civil statute of limitations at 28 U.S.C. § 1658. [2] A plaintiff can file a private suit up to 4 years after your allegedly illegal call or text. Destroy your consent records at year 3 and you walk into that lawsuit with no proof you had permission. Bad spot.
So the floor is 4 years from the date of each contact. Not 4 years from when you collected consent. From when you used it.
Does the FCC require a specific retention period in its rules?
No. The FCC's TCPA rules in 47 C.F.R. Part 64 set no hard document-retention number the way SEC or HIPAA rules do. [3] The FCC's 2012 order (FCC 12-21) tightened the prior-express-written-consent requirement for autodialed and prerecorded calls, but said nothing about how long to keep those records. [4]
What the FCC does make clear is that the burden of proof sits with the caller. If a consumer disputes that they consented, you have to show consent existed. The agency has stated in enforcement guidance that the caller carries the burden of documenting and retaining that proof. [4] So no regulation says "keep records 4 years," but the practical consequence of having none is that you cannot meet your burden.
Adjacent FCC rules do set explicit periods. Telemarketers must maintain their internal do-not-call lists and honor requests for 5 years under 47 C.F.R. § 64.1200(d)(6). [3] That 5-year mark is a reasonable upper benchmark for consent records too. Plenty of programs just apply 5 years across the board and stop overthinking it.
How does the 4-year statute of limitations actually work in practice?
The clock runs from each individual violation, not from your first call. Say you send a text on January 15, 2024. A plaintiff has until January 15, 2028, to sue over that specific message. Destroy your opt-in record in December 2026 and you tossed your defense 13 months early.
A long-running campaign creates a rolling retention obligation. Every call or text restarts a potential 4-year window for that specific contact event. If you texted the same number monthly for two years, your last text sets the outer edge of your risk, not your first.
There is a tolling wrinkle too. In some class actions, the clock pauses while a related class action is pending, under the American Pipe tolling doctrine. [5] That can stretch the real exposure window past 4 years in a class context. It is a minority scenario but real enough that cautious teams keep records 5 years.
State claims complicate things further. States like California have their own mini-TCPA equivalents with their own limitation periods. California's Invasion of Privacy Act claims run 1 year, but the state's unfair-competition claims under the UCL run 4. If you call nationally, 5 years is the safer default.
What exact records do you need to keep, more than how long?
Retention length is half the problem. The other half is knowing what to save. Courts and the FCC both look for records that prove three things: the consumer gave consent, the consent covered the specific type of communication you sent, and the consent was never revoked. [6]
At minimum, save:
- The timestamp and IP address of the opt-in event
- The exact consent language the consumer saw when they agreed
- The form URL or interface where consent was collected
- The phone number that consented
- Any confirmation message sent to verify consent (for SMS double opt-in)
- The date and time of every contact made to that number
- Any opt-out or revocation request and the date received
- Confirmation that you honored the opt-out within 10 business days, the FCC's required window for do-not-call requests [3]
Screenshots of your web form from the day of collection are worth keeping. The exact language matters because the FCC requires prior express written consent to name the seller and be specific to autodialed or prerecorded contacts. [4] If your form language changed over time, archive each version and match it to date ranges.
If you buy leads from third parties, you need records proving that vendor got consent that covers your calls specifically, not generic marketing consent. Courts have thrown out "consent" that only covered the original website owner's calls and not the buyers who came later. Documenting the chain of consent is as important as documenting the consent. See how TCPA litigation over lead-gen consent has expanded lately.
What happens if you destroy records too early and get sued?
It gets worse than a weak defense. Destroying records before the 4-year window closes can actively sink you.
Federal courts apply the doctrine of spoliation of evidence. If a court finds you destroyed records you should have known were relevant to litigation, it can tell the jury to assume those records were unfavorable to you. That is an adverse inference instruction, and it is brutal in a TCPA case where your whole defense is "we had consent." [7]
The duty to preserve arises when litigation is reasonably anticipated, not only when a suit is filed. A demand letter, an opt-out complaint, or a regulatory inquiry makes litigation foreseeable right then. Destroying anything after that point is spoliation regardless of your normal schedule.
Class actions multiply the damage. A single adverse inference in a class action with 10,000 members means 10,000 presumptions against you. The cash app TCPA class action settlement and cases like it show how fast aggregate exposure balloons when the defendant has no clean documentation.
So keep the records. Storage is cheap. Settlements are not.
How should you store consent records so they hold up in court?
Records only help you if they are credible and tamper-evident. Courts ask whether the data could have been altered after the fact, so build for that question before it gets asked.
What holds up:
- Store opt-in data in an immutable or write-once format where you can, or in a system that logs every edit with timestamps
- Archive the version of your consent form as it appeared on each date, more than the current one
- Use a CRM or compliance platform that timestamps entries at creation and blocks backdating
- Keep server logs that corroborate the opt-in timestamp from a source independent of your marketing database
- If you use a third-party consent management platform, confirm it keeps audit logs and that you can export them
Nobody has clean data on how often courts reject records on technical grounds versus substantive ones. From TCPA defense attorneys' public commentary, the pattern is that courts have gotten sharp at spotting records that look assembled after the lawsuit started.
LeadCompliant's compliance kit includes a consent record checklist covering what fields to capture at opt-in. Worth running against your setup before a lawsuit forces the audit.
One note on format. Paper records and PDF exports can work, but if you store consent in a live database and someone later deletes or overwrites the original row, you may not be able to prove the original state. Date-locked backup snapshots matter.
Do state laws require longer retention than the federal 4-year rule?
A few do, or at least push you that way. California's CCPA and CPRA require businesses to retain personal data only as long as needed for its disclosed purpose, but they also give residents the right to know what data you hold. Delete a consent record too early and a consumer request opens a CCPA gap on top of your TCPA defense gap. [8]
California's limitation period for CIPA claims is 1 year, shorter than federal TCPA, but its unfair-competition claims under the UCL run 4 years.
Florida's Mini-TCPA (the Florida Telephone Solicitation Act, amended in 2021) created a private right of action for calls and texts to Florida numbers. Its limitation period runs about 4 years under Florida's general framework, so no change from the federal standard there.
Texas, New York, and Washington all have consumer protection statutes that can layer onto a TCPA claim. None of them imposes an explicit TCPA consent retention mandate beyond the federal floor.
The practical call for multi-state operations: make 5 years your floor. It covers the federal 4-year window with a buffer, covers most state limitation periods, and is simple enough that your team actually follows it.
| Jurisdiction | Relevant limitation period | Practical retention recommendation |
|---|---|---|
| Federal TCPA (28 U.S.C. § 1658) | 4 years | 4 years minimum |
| California (UCL claims) | 4 years | 5 years (CCPA obligations overlap) |
| Florida (FTSA) | ~4 years | 4 years minimum |
| Texas (DTPA) | 2 years | 4 years (federal floor applies) |
| New York (GBL § 349) | 3 years | 4 years (federal floor applies) |
When is it actually safe to destroy TCPA consent records?
Two conditions have to be true at the same time. First, the retention period has expired for every contact event tied to that consent record. Second, you have no pending litigation, demand letters, regulatory investigations, or reasonable anticipation of any of them.
That second condition matters more than people think. A consumer complaint from last year that went quiet does not mean litigation is off the table. A plaintiff's attorney can take months to build a class. Err toward caution.
A practical schedule for most outbound teams: run a quarterly or annual audit of your consent database, flag records where the last contact event was more than 5 years ago, cross-check those against open legal matters, then destroy the confirmed-clear records in a documented batch. Log the destruction itself, including who authorized it, what got destroyed, and the method. That log protects you if someone later claims you destroyed records maliciously.
Secure destruction of digital records means verified deletion from all backups, more than the primary database. If your backups rotate on a 90-day cycle, a "deleted" record can linger for another 90 days. Your policy should account for that lag.
What about internal do-not-call lists, are the rules different from consent records?
Yes, and the difference matters. Internal do-not-call (DNC) lists are separate from consent records. Under 47 C.F.R. § 64.1200(d)(6), you must honor a consumer's do-not-call request for at least 5 years, and the FTC's Telemarketing Sales Rule sets the same 5-year period. [3][9] That is a minimum hold, not a maximum. The number stays on your internal DNC list until you have strong affirmative evidence the consumer re-consented.
The retention logic flips. For consent records, you keep them until the statute of limitations expires, then you can destroy them. For DNC records, you keep them at least 5 years and realistically forever, because destroying one early means you might call someone who told you to stop. That is a fresh TCPA violation with a fresh 4-year clock attached.
See the articles on do not call list and mobile phone do not call list for how the national DNC registry interacts with your internal list. The two systems run differently, but both need long-term upkeep.
Never purge a DNC record to tidy up your database. A TCPA violation costs far more than storing a phone number forever.
How does consent record retention work differently for SMS versus calls?
The retention obligation is the same for both: keep records long enough to defend any claim, which means at least 4 years from the last contact event. The specific records you need differ by channel.
For SMS, keep the original opt-in keyword or web form submission, any double opt-in confirmation exchange, the exact consent disclosure language, message logs showing what was sent and when, and opt-out confirmations (the STOP reply and your confirmation back). The CTIA's Messaging Principles and Best Practices, which carriers and aggregators expect you to follow, call for documented opt-in evidence for every subscriber. [10] CTIA guidance is not law, but non-compliance can get your short code or 10DLC campaign suspended, which is enforcement with teeth.
For voice calls, keep the signed or electronically submitted consent form for autodialed or prerecorded calls, any call recordings if you record (check state two-party consent laws), and your dialer's call logs showing time, duration, and outcome. Cold calling numbers without consent documentation is the single largest source of TCPA class action exposure.
Text message marketing has drawn enormous class action attention lately. Ironclad SMS opt-in records are not optional if you run any real volume.
What does a defensible consent record retention policy actually look like?
Four parts: a written policy document, a named owner, a technical system that enforces it, and a periodic audit. Miss any one and the whole thing wobbles.
The written policy should state the minimum retention period (recommend 5 years from last contact), the categories of records covered, the storage format and location, the process for legal holds when litigation is anticipated, and the secure destruction procedure.
The named owner is usually whoever runs compliance, legal, or RevOps. Someone has to own the quarterly or annual audit. Policies nobody owns get ignored.
The technical system matters because manual processes fail at scale. If your CRM does not automatically log opt-in timestamps and contact event dates, you will have gaps. Most modern SMS and dialer platforms have audit log features. Turn them on.
The periodic audit checks whether new opt-ins are logged correctly, whether contact events are recorded against the right consent records, which records are approaching the 5-year mark for safe destruction, and whether any legal holds should pause destruction for specific numbers.
LeadCompliant's one-time compliance kit includes a consent record retention policy template and a monthly audit checklist covering all four parts.
Build this before a lawsuit. After one, everything you do looks like damage control.
What have courts actually said about missing consent records?
Courts have no patience for defendants who claim consent but cannot produce it. In Mais v. Gulf Coast Collection Bureau, the Eleventh Circuit addressed what counts as sufficient consent documentation and put the burden on the party asserting consent. [6] District courts since then have routinely denied summary judgment to defendants who claimed consent but offered only vague testimony or incomplete records instead of contemporaneous documentation.
The Ninth and Eleventh Circuits, which handle most TCPA class action appeals, have both held that the absence of consent records creates a genuine issue of material fact. That means the case goes to trial instead of getting dismissed. Trial alone is expensive.
The credit one TCPA settlement is a documented example of a consent dispute turning into a multi-million-dollar settlement even when the defendant believed it had consent. Building and keeping consent records costs almost nothing next to litigating without them.
One number to sit with: the average TCPA class action settlement was $6.3 million in 2022, per WebRecon's annual TCPA litigation report. [11] Statutory damages run $500 to $1,500 per violation. At any real call volume, missing records are an existential risk.
Frequently asked questions
Is there a specific law that says how long to keep TCPA consent records?
No single statute names a retention period. The 4-year floor comes from the general federal civil statute of limitations at 28 U.S.C. § 1658, which sets how long a plaintiff has to sue under the TCPA. The FCC's rules require you to carry the burden of proving consent but specify no retention number. Most compliance programs use 5 years to add a buffer for state law claims.
Can I destroy consent records after 4 years if no one has sued me?
Only if no litigation is pending or reasonably anticipated. The 4-year period runs from each individual contact event, not from when you collected consent. If you texted a number a year ago, that specific text's window runs another four years from that date. Confirm there are no open demand letters or regulatory inquiries before destroying anything.
Do I need to keep records of opt-outs as well as opt-ins?
Yes. Opt-out records are arguably more important than opt-ins for day-to-day operations. Under 47 C.F.R. § 64.1200(d)(6), you must honor do-not-call requests for at least 5 years. A consumer who opted out and then got another call or text from you has a fresh TCPA claim. Keep opt-out records indefinitely unless you have strong documented evidence of re-consent.
What counts as a valid consent record under the TCPA?
For autodialed or prerecorded calls and texts, you need prior express written consent. That means a signed (including electronic) agreement that clearly authorizes the specific type of contact and names you as the caller. The record should show the consumer saw and agreed to compliant disclosure language, ideally with a timestamp, IP address, and the exact form language they agreed to.
Does the retention rule apply to B2B calls, more than consumer calls?
The TCPA's prior express written consent requirement is strongest for calls to residential and mobile numbers. B2B calls to landlines follow somewhat different rules. But if you call mobile numbers, even in a B2B context, the mobile rules apply because the TCPA protects the number, not the account type. Keep consent records for any call to a mobile number, business contact or not.
If I bought leads from a third party, do I still need to keep the consent records?
Yes, and you need the original third-party consent records, more than a representation that consent exists. Courts have held that downstream callers who cannot produce the original opt-in evidence cannot rely on a vendor's assurance. Get the consent records when you buy the leads, confirm the disclosure language covered your calls specifically, and store them under the same 4-to-5-year policy.
How does the CTIA's guidance affect SMS consent record retention?
CTIA's Messaging Principles and Best Practices are not federal law, but carriers and aggregators enforce them as a condition of service. CTIA expects documented opt-in evidence for every subscriber. If you cannot produce opt-in records, your 10DLC campaign can be suspended. That gives you an operational reason to retain SMS consent records on top of the legal one, and it reinforces a 4-to-5-year floor.
Does a legal hold override my normal retention and destruction schedule?
Yes, entirely. Once you have reason to anticipate litigation, a regulatory inquiry, or any formal proceeding, you must stop destroying potentially relevant records regardless of what your normal policy says. This is a litigation hold. Destroying records after you should have anticipated litigation is spoliation, which can trigger adverse jury instructions and sanctions.
What is the statute of limitations for TCPA claims in California specifically?
Federal TCPA claims in California federal courts carry the 4-year federal limitation period. California's CIPA claims run 1 year. California UCL claims run 4 years. Since a plaintiff can often choose the theory, plan for the longest applicable period. For California-heavy operations, keeping records 5 years is the sensible default given the layered state and federal exposure.
How should I document the actual destruction of consent records?
Create a destruction log recording the date of destruction, the categories and date ranges destroyed, who authorized it, the method (database deletion with backup purge, shredding, and so on), and a confirmation that no legal holds applied at the time. This documentation protects you from later claims that you destroyed records maliciously, and it shows your program is systematic rather than ad hoc.
Are there industry-specific regulations that add to the TCPA retention requirements?
Healthcare callers may face HIPAA overlay requirements for records containing PHI, which run 6 years from creation or last effective date under 45 C.F.R. § 164.530(j). Financial services firms under FINRA face separate books-and-records rules. If you operate in a regulated industry, check your sector-specific rules: they may require longer retention than the 4-to-5-year TCPA baseline.
Can storing consent records in the cloud create additional risks?
The storage medium is not itself a legal risk as long as records stay secure, tamper-evident, and accessible when needed. Cloud storage can beat on-premise for retention because most major platforms keep their own audit logs and backup history. The risk shows up if a cloud platform auto-deletes records on its own schedule, shorter than your retention period. Check your vendor's data retention settings explicitly.
What is the maximum statutory penalty if I can't prove consent?
TCPA statutory damages are $500 per violation for negligent violations and $1,500 per violation for willful ones. Each call or text is a separate violation. In a class action, even a modest volume produces aggregate exposure in the millions. Courts can treble damages for willful violations, and plaintiffs' attorneys take these cases on contingency because the per-call math works in their favor.
Sources
- Cornell Law School LII, 47 U.S.C. § 227 (TCPA text): The TCPA itself does not specify a records retention period
- Cornell Law School LII, 28 U.S.C. § 1658 (4-year federal statute of limitations): Federal civil claims including TCPA have a 4-year statute of limitations
- FCC, 47 C.F.R. § 64.1200 (TCPA implementing rules): Internal DNC lists must be honored for 5 years under 47 C.F.R. § 64.1200(d)(6); no explicit consent record retention period is specified
- Supreme Court of the United States, American Pipe & Construction Co. v. Utah, 414 U.S. 538 (1974): American Pipe tolling doctrine can pause the statute of limitations for individual class members while a class action is pending
- Mais v. Gulf Coast Collection Bureau, 768 F.3d 1110 (11th Cir. 2014): The burden of proving consent rests with the party asserting consent in TCPA cases
- Federal Rules of Civil Procedure, Rule 37(e) (Spoliation sanctions): Courts may impose adverse inference instructions when electronically stored information is destroyed that should have been preserved in anticipation of litigation
- California Attorney General, CCPA/CPRA guidance: CCPA requires businesses to retain personal data only as long as necessary and gives consumers the right to know what data is held
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires telemarketers to maintain do-not-call suppression lists and honor requests for 5 years
- WebRecon LLC, TCPA Litigation Report 2022: Average TCPA class action settlement was $6.3 million in 2022
- HHS, HIPAA Security Rule, 45 C.F.R. § 164.530(j): HIPAA requires covered entities to retain documentation for 6 years from creation or last effective date