Last updated 2026-07-11

TL;DR
A consent-first outbound sales process means you collect, document, and store prior express written consent before you call or text anyone on a cell phone for marketing. Under 47 USC 227, violations cost $500 to $1,500 per message or call. This guide covers list hygiene, consent capture, DNC scrubbing, documentation, and team training, step by step.
What does 'consent-first' actually mean in outbound sales?
Consent-first is not a philosophy. It is a legal requirement with dollar amounts attached.
The TCPA (Telephone Consumer Protection Act, codified at 47 USC 227) bans autodialed or prerecorded calls and texts to cell phones without prior express consent. For marketing, the bar goes higher. You need prior express written consent, which means a signed agreement (electronic signatures count) where the person clearly agrees to receive autodialed or prerecorded marketing calls or texts from your specific company [1].
The FCC's 2012 rules, effective October 16, 2013, killed the prior business relationship exception for marketing calls to cell phones. That exception is gone. Someone bought from you three years ago? That does not give you consent to autodial them today [2].
Consent-first means your process is built so consent is collected and verified before the first dial or send, not after you get sued. Every contact on your outbound list either has documented consent attached to their record or gets reached through a fully manual, non-ATDS dial on a landline. That is the only two-lane road here.
What are the TCPA consent requirements for calls vs. texts?
The rules split by channel and by purpose. Get this table into your head before you build anything.
| Contact type | Channel | Consent level required |
|---|---|---|
| Marketing/promotional | Cell phone (autodialed or prerecorded) | Prior express written consent |
| Informational/non-marketing | Cell phone (autodialed) | Prior express oral or written consent |
| Any outbound | Numbers on National DNC Registry | Prior express written consent OR established business relationship (EBR) within 18 months |
| Human-dialed, non-prerecorded | Landline | No TCPA consent required for calls; state laws may still apply |
| Marketing text (SMS/MMS) | Cell phone | Prior express written consent |
For outbound sales teams, the row that almost always matters is row one: autodialed or prerecorded marketing to cell phones needs prior express written consent [1]. That consent has to name your company. A generic "I agree to receive marketing calls" that never identifies your business will not hold up [3].
The FCC's one-to-one consent rule, effective January 27, 2025, tightened this further. Leads from comparison shopping sites or lead aggregators now require consent that names your specific company, more than a broad category of sellers. You can no longer rely on a lead vendor who gathered consent for "insurance companies" and sold that lead to ten carriers at once [4].
Texts follow the same written consent standard as autodialed calls. Running SMS outreach? Read the text message marketing rules before you send anything.
How do TCPA fines actually add up, and what have companies paid?
Statutory damages under 47 USC 227(b)(3) are $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones [1]. Each call or text counts as one violation. A campaign of 100,000 texts to people who never consented can, on paper, produce $50 million in statutory damages before any court applies a multiplier.
These are not hypothetical numbers. The Cash App TCPA class action settled for $18 million, covering consumers who got unwanted texts see the [cash app tcpa class action settlement]. Credit One Bank settled for $12.5 million, one of the larger individual TCPA resolutions on record see the [credit one tcpa settlement]. Most defendants in TCPA class actions settle because per-message math makes trial catastrophic.
Small outbound teams are not immune. A 15-person sales floor running power dialers without documented consent is exposed exactly like a 500-seat call center. The plaintiff's bar is efficient. Serial TCPA litigants exist, and they have tools to detect whether a number got an autodialed call [5].
Here is the honest business case. Building a compliant process costs hundreds or low thousands of dollars plus some operational friction. A single TCPA class action, even a small one that settles early, routinely runs past six figures. That math is not close.
How do you collect valid prior express written consent for sales outreach?
Written consent under the FCC's rules has to clear four bars. It must be in writing (electronic is fine), signed (electronic signature counts), it must clearly authorize calls or texts, and it must name your company [2].
Here are the channels outbound teams use to collect it, and how each one works in practice.
Web forms. The most common method. The consent language has to sit near the submit button, not buried in a privacy policy link at the bottom of the page. Something like "By submitting this form, you authorize [Company Name] to contact you at the phone number provided, including via autodialed or prerecorded calls and text messages, for marketing purposes" is the right structure. Pre-checked boxes that assume consent do not satisfy the written standard [3].
Inbound calls. If a prospect calls you first, you can ask for verbal consent during the call to follow up by text or autodialer. Record the call. Log the consent in your CRM with timestamp, call recording ID, and the phone number given. Verbal consent captured this way clears the prior express consent bar for informational calls, but some attorneys argue it falls short for marketing texts. Using it to send promotional texts is a gray area. Talk to counsel.
Paper forms at events or point of sale. Still valid. Scan them, store them, timestamp the batch. You need to produce the signed form if a plaintiff's attorney asks.
Third-party leads. The highest-risk category. After the 2024 rule, a lead vendor has to capture consent that names your company. Ask every vendor for a copy of the consent disclosure the consumer actually saw, the URL where it was captured, and the timestamp. No three things, no autodialed marketing to that lead [4].
What is the right way to scrub your list against the Do Not Call registry?
The National Do Not Call Registry, run by the FTC, covers residential phones and cell phones [6]. Telemarketers have to scrub against it before calling. The safe harbor rule says scrub within 31 days of a call [7]. Most compliance teams scrub every 30 days or before every campaign send.
Here is the scrub workflow that holds up under scrutiny:
1. Download the registry data for the area codes you dial. Access needs a subscription past a small call volume. The FTC gives free access to organizations calling five or fewer area codes; beyond that, you pay an annual fee, currently around $80 per area code, capped at roughly $22,038 for all US area codes [6]. 2. Match your outbound list against the registry using exact and fuzzy phone number matching. Strip formatting before you match. 3. Remove matched numbers unless you have prior express written consent from that specific number or a documented EBR within 18 months (or a transaction within 3 months) [7]. 4. Log the scrub: date run, list version, records scrubbed, and who ran it. 5. Keep an internal DNC list for anyone who opted out of your own calls, separate from the registry. Honor internal opt-outs the same day, not on a 30-day cycle.
You also need to scrub against state DNC lists. Texas, Colorado, Indiana, Louisiana, and others run their own registries with separate registration rules for telemarketers [8]. How to access the do not call list walks through registration if you have not done this.
For mobile numbers, see mobile phone do not call list. Cell phones on the national DNC list get the same protection landlines do.
How should you document and store consent so it actually protects you?
Documentation is what turns your consent collection into a legal defense. Consent you cannot produce in discovery might as well not exist.
For each consenting contact, capture: the phone number the consent covers, the exact date and time (with timezone), the source (URL, form name, or call recording ID), the consent language the person saw or heard, the IP address for web-based consent, and your company name as it appeared in the disclosure [3].
Store this at the contact record level in your CRM. Do not park it only in a marketing platform that might change or get cancelled. Export consent records to a separate, durable store at least monthly. If your tool captures lead form submissions with timestamps, confirm it logs the actual disclosure text, more than a flag reading "consented: true." That flag is nearly worthless in litigation. You cannot reconstruct what the person actually agreed to from a boolean.
Retention: keep consent records at least 4 years after the last contact made using that consent. TCPA claims carry a 4-year statute of limitations under 28 USC 1658 [5]. Defendants have been caught without records from campaigns run three years earlier.
LeadCompliant's free compliance kit includes a consent record template and a documentation checklist built around these requirements, so your team does not build it from scratch.
When a contact revokes consent, document that with the same rigor, immediately. Revocation stops the clock on future liability, but only if you can show the date and method.
What does a compliant outbound sales workflow look like step by step?
Here is the flow a small outbound team can actually run.
Step 1: List acquisition review. Before any list enters your dialer, run a compliance check. Third-party list? Request the consent documentation. Your own web forms? Confirm they have proper consent language and the submissions are logged.
Step 2: DNC scrub. Scrub against the National DNC Registry, your internal DNC list, and any state lists that apply. Log the results. Remove matches unless consent is documented.
Step 3: Consent flag in CRM. Each record carries a consent status field: "prior express written consent documented," "prior express oral consent," "EBR (date)," or "no consent on file." Your dialing workflow should block autodialed outreach to any record without the right consent level.
Step 4: Caller ID compliance. FCC rules require your outbound caller ID to display a number answered during regular business hours [2]. Do not spoof or mask your number.
Step 5: Time-of-day restrictions. Federal rules ban calls before 8 AM or after 9 PM in the called party's local time [7]. Program your dialer to enforce this by area code.
Step 6: Call recording and opt-out handling. Record calls where legally permitted (check state two-party consent laws). Every prerecorded message needs an opt-out mechanism. Process opt-outs on time. For DNC opt-outs during a live call, honor immediately and add to your internal list within 30 days at most. Same day is better [7].
Step 7: Post-campaign audit. After each campaign, log complaints, opt-outs, and any consent challenges. Review them before the next one.
For how cold calling rules interact with consent, especially B2B, that guide covers the business-to-business exemptions and where they run out.
Are there different rules for B2B outbound sales vs. B2C?
Yes. This is one of the more consequential distinctions in outbound compliance.
The TCPA's autodialer and prerecorded call restrictions apply to calls made to "residential telephone subscribers" and to cell phones [1]. B2B calls to a company's direct landline sit generally outside the TCPA, which is why B2B teams working off business landlines carry lighter TCPA exposure.
Three big exceptions eat that relief.
First, dial cell phones and the TCPA applies regardless of purpose. A rep calling a CFO's cell with an autodialer is under TCPA consent rules even for a pure B2B pitch. Employees' cell phones are not business landlines.
Second, some state laws do not draw the same B2B line. Florida runs the Florida Telephone Solicitation Act (FTSA), which applies to calls and texts with its own consent requirements [8].
Third, the FTC's Telemarketing Sales Rule (TSR) has its own B2B provisions, including deceptive-practice restrictions that apply whether the called party is a business or a consumer [9].
The practical rule: if your team dials any cell phones, build the full consent-first process no matter how you classify the sale. Routing cell phones through a human-dialed, non-ATDS workflow (and documenting it as such) is one way B2B teams handle this. Just be certain your dialing technology actually qualifies as non-ATDS under the current definition [10].
What qualifies as an automatic telephone dialing system (ATDS) under the TCPA?
This is genuinely unsettled law. Any advisor who tells you otherwise is overconfident.
The TCPA defines an ATDS as equipment "which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers" [1]. The Supreme Court's 2021 ruling in Facebook v. Duguid held that the random-or-sequential-number-generator requirement applies to both the storage and the dialing functions, narrowing the definition sharply against earlier Ninth Circuit reads [10].
After Duguid, systems that only dial from a pre-loaded list, without random or sequential number generation, have a stronger argument that they are not ATDSs. Power dialers pulling from a fixed contact list may fall outside the definition, depending on their technical guts.
That does not mean you can ignore consent. A few reasons.
Some circuits have not fully worked out how Duguid meshes with their prior precedent. State laws (Florida's FTSA especially) use broader ATDS-equivalent definitions that can sweep in predictive dialers and list-based systems [8]. And even if your dialer is not an ATDS, using a prerecorded message triggers TCPA liability on its own, separate from the ATDS question.
The safest posture: treat your dialing system as an ATDS for compliance purposes unless you have a written technical analysis from your vendor and a legal opinion saying otherwise. The cost of that caution is small next to the cost of being wrong.
How do you train your sales team to maintain consent compliance on live calls?
Process and documentation collapse if the person on the phone undoes them. Training is not optional.
The core habits every outbound rep needs:
Honor opt-outs in real time. When a prospect says "take me off your list," the rep logs it immediately, not at end of shift. Build the internal DNC submission into the CRM so it takes one click during the call. Delayed processing of opt-out requests is a documented source of TCPA violations [7].
Read from approved scripts on recorded lines. Improvised consent requests are hard to document and easy to challenge. If your team collects verbal consent for follow-up, the script has to match the exact language you have logged as your consent disclosure.
Know the calling window. Reps working across time zones check the contact's local time before dialing. A rep in New York calling California at 8:55 PM Eastern is calling at 5:55 PM Pacific. Fine. At 9:05 PM Eastern, that is 6:05 PM Pacific. Still fine. But a rep who guesses wrong and calls a Florida contact at 9:10 PM Eastern is calling at 9:10 PM local time, past the federal window [7].
Never dial a flagged number. If a contact is marked DNC or "no consent," the rep should not be able to dial it from the CRM. If your system lets them anyway, that is a technology problem to fix before the next campaign.
Run a compliance refresher quarterly, not annually. The rules move, and the one-to-one consent rule is new enough that reps hired before 2025 may never have absorbed it. Document your training with dates and attendee lists. That paper matters if you ever need to argue a violation was isolated and not a policy.
What should you do if you receive a TCPA complaint or demand letter?
Stop the campaign in question. Send no more messages to the complainant. Make no admissions in writing.
Then gather your documentation. Pull the consent record for that phone number, the DNC scrub log, the call records, and any opt-out logs. If the consent record is there and solid, you have a defense. If it is missing or thin, that is the information you need to make a realistic call fast.
Call a TCPA defense attorney before you respond to any demand letter. TCPA demand letters are often the opening of a negotiation, not a lawsuit, and how you respond can decide whether it stays there. Many small TCPA claims settle in the $500 to $2,500 range when the defendant has some documentation and moves quickly. Claims where the defendant ignored the first letter, or where documentation is clearly absent, tend to escalate.
Do not delete records after a complaint. That creates a spoliation problem stacked on top of the underlying TCPA exposure. Preserve everything.
For what large-scale TCPA litigation looks like and costs, the credit one tcpa settlement shows how class-action exposure calculates out even when the per-call amount looks manageable.
This article is for informational purposes only and is not legal advice. Consult a licensed attorney for guidance specific to your situation.
What tools and systems support a consent-first process without killing productivity?
The fear most sales managers carry is that compliance kills speed. It does add steps. The right tooling keeps the friction manageable.
CRM with consent fields. Your CRM needs a consent status field the dialer reads before it allows a call. Salesforce, HubSpot, and most modern CRMs support custom fields. The question is whether you have configured them and whether your dialer respects them. If your dialer bypasses CRM flags, fix that integration before the next campaign.
DNC scrubbing service. Manual registry scrubs work but are error-prone. Automated services (several run in the $100 to $500 per month range depending on volume) match your list against the national registry and major state lists on a schedule and flag new registrants before your next campaign. Worth the cost for any team dialing more than a few thousand numbers a month.
Consent capture forms with logging. Collecting web-form consent? Use a form platform that logs the submission timestamp, IP address, and the exact page URL where consent happened. Store those logs outside the form platform itself.
Call recording and transcription. Useful for training and documentation both. If a rep collects verbal consent or processes a verbal opt-out, the recording is your evidence.
Compliance kits for small teams. LeadCompliant offers a free one-time compliance kit with consent language templates, a DNC scrub checklist, and a consent record template. For a small team building this from scratch, starting with a pre-built template is faster and less likely to miss something than drafting from zero.
For do not call list registration and scrub mechanics, that guide covers accessing the FTC's registry and which state lists you need separately. Using third-party lists? Read do not call telemarketer list for what vendors have to provide and what to demand in your vendor contract.
Frequently asked questions
Does prior express written consent expire?
The TCPA sets no expiration date for written consent, but the FCC's 2024 one-to-one consent rule and general agency guidance make clear that consent attaches to a specific company and purpose. If the nature of your contact changes materially, or a long stretch passes with no interaction, re-capturing consent is the safer move. Many compliance attorneys treat consent older than 4 years as stale unless activity confirms the relationship is ongoing.
Can I call someone back if they called me first?
An inbound call does not automatically grant you consent to make future autodialed marketing calls. It shows the person called you, not that they authorized you to autodial them back for marketing. If you want to follow up via autodialer or prerecorded message, capture written consent during that inbound call or at a web touchpoint before you start automated outreach.
What is the difference between prior express consent and prior express written consent?
Prior express consent (oral or written) covers non-marketing informational calls to cell phones made with an autodialer. Prior express written consent is required for marketing calls and texts to cell phones. Written consent must be signed (electronic signatures count), must name your company, and must clearly authorize the type of contact you plan to make. The higher standard applies to any message that includes or promotes a product or service.
Do I need to honor a Do Not Call request if the person already gave me written consent?
Yes. Consent is revocable. If a consumer tells you to stop calling, that revokes their prior consent immediately. Under FCC guidance, consumers can revoke consent through any reasonable means, including telling a live agent, texting STOP, or submitting a web form. You have to honor it and add them to your internal DNC list. Calling after a revocation is a willful violation subject to $1,500 per-call statutory damages.
What is the FCC's 2024 one-to-one consent rule and when did it take effect?
The FCC issued a Report and Order in December 2023 requiring prior express written consent for marketing calls and texts to be obtained one-to-one: one consent, one seller named in the disclosure. Consent gathered on comparison shopping sites that funneled leads to multiple companies at once no longer satisfies the TCPA. The rule took effect January 27, 2025. If you rely on shared leads from aggregators, your vendor contracts and consent capture need to reflect the new standard.
Are B2B calls to cell phones exempt from TCPA consent requirements?
No. The TCPA's cell phone protections attach to the number, not the purpose of the call. If you autodial a business contact's cell phone for marketing, you need prior express written consent regardless of whether the call is B2B. The B2B exemption applies to calls to a company's direct landline. Once you are dialing cell phones, the full TCPA consent framework applies.
How quickly do I need to process an opt-out request?
For live calls where a consumer asks to be placed on your company's do-not-call list, honor the request during that call and keep the number on your internal list for at least 5 years. For broader DNC registry opt-outs, the FTC requires telemarketers to access updated registry data every 31 days. Best practice is to process internal opt-outs the same day they arrive, not at the end of a billing or data cycle.
What time of day can I legally make outbound sales calls?
Federal TCPA regulations prohibit calls before 8 AM or after 9 PM in the called party's local time zone. This applies to both cell phones and residential landlines. Some states run tighter windows: certain states restrict calls to between 8 AM and 8 PM. Always apply the called party's local time, not the caller's. Program your dialer to enforce this automatically by area code.
What happens if a third-party lead vendor gave me bad consent?
You are responsible for the calls you make, even if your lead vendor said consent was captured. Courts have held that relying on a vendor's representation about consent does not automatically shield you. Contractually require vendors to indemnify you for consent failures, request samples of the actual consent language consumers saw, and verify that consent names your company. After the 2024 rule, shared consent from aggregators does not meet the standard regardless of what your vendor claims.
How long should I keep consent records?
Keep consent records at least 4 years from the date of the last contact made using that consent. The TCPA carries a 4-year statute of limitations under 28 USC 1658. If a plaintiff files at the edge of the limitations period, you need records that far back. Store them in a durable system separate from any single vendor or marketing platform that could get discontinued, and export backups regularly.
Does the TCPA apply to ringless voicemails?
The FCC has not issued a final definitive ruling on ringless voicemails as of this writing, but the agency has signaled in several proceedings that voicemail delivery systems bypassing the phone's ring likely count as calls under the TCPA. Multiple courts have held ringless voicemails are subject to TCPA requirements. Treat them as regulated calls and require the same consent you would for a live or prerecorded call.
What is the safe harbor for calling someone on the DNC registry by mistake?
There is a safe harbor under 47 USC 227(c)(5) if you have established and implemented written procedures for maintaining a do-not-call list, trained personnel, have access to the national registry, and the violation results from an error. The safe harbor requires you to have scrubbed within 31 days of the call. It does not protect calls to people on your own internal DNC list, or calls made without consent to cell phones, where the ATDS and prerecorded call rules apply separately.
Can a sales rep manually dial a cell phone without consent?
If the dial is truly manual, no autodialer and no prerecorded message, the TCPA's autodialer restrictions do not apply, and the DNC registry rules govern instead. If the number is on the national DNC registry and you lack written consent or a qualifying EBR, you still cannot call for telemarketing. The ATDS exemption only removes the TCPA's consent requirement for the autodialer piece. DNC obligations stay.
What should my consent disclosure language actually say?
It should name your company, describe the contact method (autodialed calls, prerecorded messages, text messages, or some combination), state it is for marketing purposes, include or confirm the phone number the person is submitting, and confirm consent is not a condition of any purchase. Place it near the submission point, not buried in a privacy policy, and use clear readable type. Pre-checked boxes do not satisfy the written consent standard.
Sources
- Cornell Law School / Legal Information Institute, 47 USC 227: TCPA statutory text defining ATDS, prior express written consent requirement, and $500/$1,500 per-violation damages
- FTC, Telemarketing Sales Rule: Requirements that consent be affirmative and not assumed from pre-checked boxes; seller identification in consent disclosures
- Cornell Law School / Legal Information Institute, 28 USC 1658: 4-year statute of limitations for TCPA claims under the federal catch-all limitations period
- FTC, National Do Not Call Registry: National DNC Registry access, fee structure (approximately $80 per area code, capped at roughly $22,038 for all US area codes), free access for five or fewer area codes
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059: Florida FTSA applies its own consent requirements to calls and texts, using broader ATDS-equivalent definitions than post-Facebook v. Duguid federal interpretation
- FTC, Telemarketing Sales Rule (16 CFR Part 310): FTC Telemarketing Sales Rule B2B provisions and deceptive practice restrictions applicable regardless of whether called party is a business or consumer
- US Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition: random-or-sequential-number-generator requirement applies to both storage and dialing functions; systems dialing only from pre-loaded lists have stronger argument they are not ATDSs
- FTC, National Do Not Call Registry (consumer information): DNC Registry covers residential phones and cell phones; established business relationship exception rules