Last updated 2026-07-11

TL;DR
Cross-border calling means you have to satisfy every jurisdiction's rules at once: TCPA in the US (47 USC 227), CASL in Canada, and GDPR in the EU. The strictest rule wins. For US mobile numbers you need prior express written consent before an autodialer or prerecorded voice touches them. Canada requires express consent for commercial calls to wireless numbers. The EU requires opt-in consent under GDPR Article 6(1)(a) plus national telemarketing rules.
Which laws apply when you call across borders?
All of them, at the same time. That is the answer nobody wants and everybody needs. Sit in Texas, call a mobile number registered in Ontario, and both the US TCPA and Canada's CASL apply to that single call. If your lead is an EU resident whose number lands in your US CRM, GDPR stacks on top of both.
The TCPA, codified at 47 USC 227, governs any call or text to a US phone number no matter where the caller stands physically [1]. The law follows the called party's number, not the caller's geography. A UK-based contact center cold-calling US mobile numbers is fully on the hook for TCPA liability. No gray area there.
Canada's Anti-Spam Legislation (CASL) governs commercial electronic messages sent to or from Canadian devices. "Electronic message" under CASL reaches calls made to wireless numbers using automated dialing technology. The statute covers any message where part of the transmission starts or ends in Canada [2].
EU and UK GDPR apply when you process the personal data of people located in the EU or UK, and a phone number counts as personal data. Article 3 gives GDPR extraterritorial reach: offer goods or services to EU residents and GDPR binds you even if you incorporated in Delaware [3].
So your consent architecture has to satisfy the most demanding rule in the chain. You do not get to pick the law you like best.
What does the TCPA require for consent on cross-border calls?
Two consent tiers, split by call type. Calls to residential landlines using prerecorded messages need prior express consent. Calls to wireless numbers using an automatic telephone dialing system (ATDS) or a prerecorded voice need prior express written consent when they are for telemarketing [1].
"Prior express written consent" under 47 CFR 64.1200(f)(9) means a signed written agreement (electronic signatures count) in which the consumer clearly authorizes calls to a specific number using an ATDS or prerecorded voice and understands they are not required to sign as a condition of purchase [4]. The FCC's 2012 omnibus order, effective October 16, 2013, is where that definition got locked in.
Cross-border risk concentrates in two spots. First, any lead sourced outside the US whose US number ends up in your dialer is fully TCPA-covered. Second, consent obtained under a foreign law (say, CASL express consent) does not automatically clear the TCPA written consent bar. You need documentation that survives in a US federal court, where TCPA class actions routinely settle for millions. The cash app tcpa class action settlement and the credit one tcpa settlement show what exposure looks like in practice. Per-violation statutory damages run $500 to $1,500 [1].
Here is what people get wrong: buying a lead list does not transfer consent. The consent has to name your company, or at minimum name a category of callers a court would read to include you. The FCC's one-to-one consent rule (adopted 2024, set to take effect January 27, 2025, then vacated by the Eleventh Circuit before enforcement) would have gone further, requiring consent to name each seller individually [5]. Even without that rule in force, the case law keeps drifting toward narrower, seller-specific consent.
How does Canadian CASL consent differ from TCPA consent?
CASL splits consent into express and implied. Express consent needs an affirmative opt-in: the person clearly agrees to receive commercial electronic messages from you, and you keep a record of how, when, and through what mechanism the agreement happened [2].
Implied consent lives in narrower situations: an existing business relationship within the past two years, or an inquiry made to you within the past six months. Treat implied consent as a grace period, not a license to build a dialing list.
The difference that trips people up: CASL consent does not need to be written in the rigorous way TCPA demands. A verbal opt-in can satisfy CASL express consent if you document it well. But verbal consent will never satisfy TCPA prior express written consent, which requires a signed agreement. So if you call into Canada and also carry US numbers in the same campaign, TCPA-grade written consent becomes your baseline for everything.
The CRTC can impose administrative penalties up to CAD $10 million per violation for businesses under CASL [2]. That is a number small teams should keep somewhere visible.
What does GDPR require for calling EU residents?
GDPR does not ban telemarketing. It requires a lawful basis for processing personal data, and for most cold-calling the only realistic basis is consent under Article 6(1)(a), or in some narrow cases legitimate interests under Article 6(1)(f) [3].
Consent under GDPR has to be freely given, specific, informed, and unambiguous. Pre-ticked boxes fail. Bundled consent ("by signing up for our newsletter you agree to receive sales calls") fails. The person has to take a clear affirmative action to consent to calls specifically.
On top of GDPR, each EU member state runs its own national telemarketing rules under the ePrivacy Directive. Germany requires opt-in consent for all telemarketing calls under the Gesetz gegen den unlauteren Wettbewerb (UWG). France's Bloctel opt-out list works like the US DNC for landlines. The Netherlands and Austria run similarly strict regimes. So a solid GDPR basis can still leave you offside a national rule.
Here is the working rule for small US outbound teams. If your list holds phone numbers with EU country codes, or you have reason to think a US number belongs to an EU resident, treat that record as needing GDPR-grade explicit consent before you dial. GDPR administrative fines reach up to EUR 20 million or 4% of global annual turnover, whichever is higher [3].
The UK post-Brexit runs its own UK GDPR plus the Privacy and Electronic Communications Regulations (PECR). PECR requires opt-in consent for automated calls and for calls to numbers on the Telephone Preference Service (TPS) [10]. The TPS is the UK cousin of the do not call list.
How do you stack multiple consent requirements without creating a mess?
Build your consent language to the strictest applicable standard, then confirm it also covers the others. For any campaign touching US wireless numbers, that means TCPA prior express written consent language. Write it correctly and it will also satisfy CASL express consent and give you a defensible basis for GDPR.
Here is what a cross-border-ready consent block needs to contain:
1. The name of your company (and ideally any partner companies who will also call). 2. The specific wireless number being enrolled. 3. A clear statement that the person authorizes autodialed or prerecorded calls and texts to that number. 4. A statement that consent is not required as a condition of purchase. 5. A description of the kinds of messages they will receive. 6. An easy withdrawal mechanism.
For CASL, add the requester's identity and contact information, which is good practice regardless.
Store the consent record with a timestamp, IP address, form version, and the exact disclosure text shown at the moment of opt-in. This is not optional. Courts and regulators ask for it. You have to be able to reproduce what the opt-in screen said on a specific date.
Routing leads through a third-party lead generator? Require auditable consent records at the time of transfer, not after the fact. A consent record that shows up three days after the lead is weak evidence. LeadCompliant's free consent documentation checklist walks through what to capture and keep at the point of collection.
What counts as valid consent when leads come from third-party sources?
This is where most cross-border problems actually start. A lead aggregator collects opt-ins, sells them to a broker, who sells them to your team. By the time the record hits your dialer, you do not really know what disclosure language ran, whether the person knew they were consenting to calls from your company specifically, or whether the consent is still fresh.
The FCC's longstanding position, restated in its 2023 and 2024 guidance, is that the company making the call carries the burden of showing valid consent exists [5]. "I bought the list" is not a defense.
Cross-border lists multiply the problem. A lead aggregator operating in the Philippines may have collected consent under local rules far weaker than TCPA. A lead form written in Spanish for Mexican consumers may carry none of the TCPA-required disclosure language. None of that shields you when you place an autodialed call to a US mobile number.
Practical steps for third-party leads:
- Require contractual representations that consent was collected under TCPA-compliant language, plus indemnification for consent failures.
- Audit a sample of consent records before you dial, not after a complaint lands.
- Run numbers through the do not call telemarketer list and the National DNC Registry before any outreach [6].
- For Canadian numbers, scrub against the National DNCL maintained by the CRTC [9].
- Set a maximum lead age. Consent more than 18 months old on a CASL record is likely implied rather than express. Consent several years old on a US record draws hard scrutiny in litigation.
How do you handle consent revocation across borders?
Revocation is where teams lose cases they thought they had won on consent. Under TCPA, a consumer can revoke at any time through any reasonable means: a verbal request on a call, a text reply saying STOP, an email, a letter. The FCC's 2024 rules formalized this and set a 10-business-day processing window, after which continued calling is a violation [5].
Under CASL, recipients get the right to unsubscribe from commercial electronic messages, and the business has 10 business days to honor it [2].
GDPR gives data subjects the right to withdraw consent at any time under Article 7(3), and withdrawal must be as easy as giving consent was [3]. Someone who opted in via a web form should be able to opt out via a web form, not by mailing a letter.
The cross-border trap is that revocation received through one channel does not reach every system. Someone texts STOP from their US number, your SMS platform suppresses them, but your dialer runs a separate list and calls them six days later. That is a TCPA violation even though your SMS suppression worked perfectly.
You need one opt-out system that syncs revocations across all channels and all dialers within 24 hours at the outside. The 10-business-day TCPA window is a ceiling, not a goal. The mobile phone do not call list logic applies here too: a national DNC registration does not expire, and neither does a personal revocation once given.
Does the location of your call center affect which laws apply to you?
Mostly no, and that surprises people. The TCPA applies based on where the called number is registered, not where the call originates. A call center in India dialing a US 617 number faces the exact same TCPA rules as a Boston team [1].
CASL has a matching extraterritorial reach: send a message to or from a Canadian device and CASL applies no matter where your servers sit [2].
Where your call center location does matter is in which additional national laws bind you as a business entity. Operate a call center in Germany and German telemarketing rules and GDPR obligations apply to your operations directly, more than extraterritorially. Your data processing agreements, employee obligations, and the relevant German supervisory authority all come into play.
For most small US outbound teams, the takeaway is blunt: do not assume an offshore vendor is insulated from US law. Their calls to US numbers are your TCPA liability when they place them on your behalf. Vendor contracts need indemnification clauses and compliance warranties.
The tcpa framework has no "caller location" carve-out. Neither do the other major telemarketing laws.
What records do you need to keep to prove cross-border consent?
In a TCPA case, the defendant carries the burden of proof. You have to affirmatively show valid consent existed at the time of the call. Courts have been plain that after-the-fact reconstructions do not persuade [4].
For a cross-border campaign, your consent records should hold at minimum:
- Timestamp of consent (to the second, in UTC)
- IP address of the device that submitted the consent
- The exact disclosure text displayed at the moment of opt-in (a versioned screenshot or database record of the form)
- The phone number enrolled
- The name of the consenting party
- The name of your company as it appeared in the disclosure
- Any session or transaction ID linking the record to your platform logs
For CASL, also retain your identity and mailing address as they appeared to the consumer at opt-in, plus the channel (web, in-person, call) through which consent came in [2].
How long? The TCPA carries a 4-year federal statute of limitations under 28 USC 1658, though some state courts apply different periods. Keep consent records for at least 5 years. CASL does not name a retention period, but given CRTC enforcement timelines, 5 years is a sensible floor there too.
Back these records up in an exportable, auditable format. A spreadsheet living on one employee's laptop does not count.
How should small outbound teams build a cross-border consent workflow?
Most small teams overthink this in their heads and underbuild it in practice. Here is a workflow that holds up.
Step 1: Identify every country code in your dialing list. Flag US and Canada (they share +1), UK (+44), Germany (+49), France (+33), Australia (+61), and anything else. Because Canada and the US share +1, area code alone will not separate them. Run numbers through a carrier lookup or geocoding API to sort Canadian from US numbers inside the +1 range.
Step 2: Map the applicable laws per segment. US mobile: TCPA written consent. Canadian wireless: CASL express consent. EU/UK: GDPR consent plus national rules. Where a record is ambiguous, apply the strictest standard.
Step 3: Audit your existing opt-in forms. Do they name your company? Do they describe the call types the person agrees to? Do they carry the "not required as a condition of purchase" language for TCPA? If not, fix them before you collect any more leads with them.
Step 4: Set up cross-channel opt-out sync. Every revocation, from every channel, updates a central suppression list within 24 hours.
Step 5: Before any campaign, scrub your list against the US National DNC Registry [6], the Canadian National DNCL [9], and the UK TPS [10]. See how do i get the do not call list for the steps to access the US registry.
Step 6: Document the process, more than the records. Keep the consent records and the method by which you collect, store, and audit them. That audit trail becomes your evidence if a regulator ever knocks.
LeadCompliant offers a free one-time compliance kit with consent form templates and a cross-border checklist built for small outbound teams. Worth running through before your next campaign launch.
What are the penalties for getting cross-border consent wrong?
The numbers get large enough that a single mis-dialed mobile number can turn expensive fast.
Under the TCPA, each unauthorized call or text to a wireless number using an ATDS carries statutory damages of $500, rising to $1,500 if the violation was willful [1]. There is no per-campaign cap. A class action over 10,000 improperly called numbers has a damages floor around $5 million. Courts can treble that for willful conduct.
Under CASL, the CRTC can impose penalties up to CAD $1 million per violation for individuals and CAD $10 million per violation for businesses [2]. The CRTC has handed down multi-million-dollar penalties for spam violations.
GDPR fines are the biggest on paper: up to EUR 20 million or 4% of global annual turnover, whichever is higher [3]. For a small team, 4% of revenue stings even when the absolute figure trails enterprise-scale fines.
Beyond fines sit attorneys' fees in TCPA class actions, which defendants almost always pay as part of settlements. Reputational costs follow. So does the operational drag of a regulatory investigation that can run months.
The cold calling rules in the US already carry these penalties domestically. Cross-border exposure stacks jurisdictions on top of dollar amounts.
Nobody has clean data on how many small teams get sued specifically for cross-border consent failures versus domestic ones. But the mechanics match: the call went out without adequate consent, the number sat on a wireless device, and the statutory damages hit the same regardless of where the lead came from.
Is consent the only issue in cross-border calling, or are there other requirements?
Consent is the biggest issue, not the only one. A few others surface in cross-border work.
Calling hours. TCPA restricts calls to 8 AM to 9 PM local time at the called party's location [4]. In a cross-border campaign, "local time" means the consumer's time zone, not yours. If your prospect is in Dublin and it is 9 PM there, you cannot call even though your office clock reads 3 PM. Many dialers do not handle international time zones on their own.
Caller ID rules. FCC rules prohibit spoofing or displaying inaccurate caller ID. The Truth in Caller ID Act of 2009 makes it unlawful to transmit misleading or inaccurate caller ID information with intent to defraud, cause harm, or wrongfully obtain anything of value [7]. In Canada, the CRTC runs its own caller ID rules. In the EU, most national regulators require a valid callback number on display.
Recording consent. Many US states require two-party (all-party) consent for call recording. California's CIPA (Penal Code 632) is the most aggressive domestic example. Several EU countries require explicit consent to record under GDPR and national law. Record calls for QA and you need a disclosure at the start of every cross-border call.
Data transfer rules. Moving a phone number and its associated personal data from the EU to a US CRM triggers GDPR Chapter V transfer requirements. After the Schrems II decision struck down Privacy Shield in 2020, transfers require Standard Contractual Clauses (SCCs) or another valid mechanism [3]. The EU-US Data Privacy Framework, adopted in 2023, opened a new adequacy pathway for US companies that self-certify [8].
All of these are real obligations. They sit alongside consent requirements, not in place of them.
Frequently asked questions
Does TCPA apply to calls made from outside the United States to US mobile numbers?
Yes. TCPA liability follows the called number's location, not the caller's. Any business placing autodialed or prerecorded calls to US wireless numbers is subject to TCPA's prior express written consent requirement and $500 to $1,500 per-violation statutory damages, regardless of where the call originates. The FCC and federal courts have consistently applied this extraterritorial reach.
Does CASL consent satisfy TCPA consent requirements?
No. CASL express consent can be given verbally if documented. TCPA prior express written consent requires a signed written agreement (electronic signatures count) that specifically authorizes autodialed calls and states consent is not required for purchase. You need TCPA-grade written consent as the baseline for any campaign touching US wireless numbers, even when CASL is also satisfied.
How do I identify which numbers in my list are Canadian versus US when both use the +1 country code?
You cannot rely on area code patterns alone. Use a carrier lookup or number intelligence API that returns the country of registration for each number. Several providers offer this for a few cents per lookup. Flag every record returned as Canadian and apply CASL consent standards to them separately from your US TCPA analysis.
What happens if a consumer revokes consent verbally during a call?
Under TCPA and the FCC's 2024 revocation rules, a verbal request during a call is valid revocation. You must honor it within 10 business days. After that, any further autodialed or prerecorded contact to that number is a violation. Log the revocation in your CRM immediately with a timestamp and push it to all suppression lists and dialers, more than the system that took the call.
Can I use legitimate interests under GDPR as a basis for cold calling EU residents instead of consent?
Technically yes for some B2B scenarios, but it is harder to defend than many teams expect. Legitimate interests requires a balancing test weighing your business interest against the individual's privacy rights. National ePrivacy rules in several EU countries, including Germany and Austria, require opt-in consent for all telemarketing calls, which overrides the legitimate interests analysis. If you call EU consumers, treat consent as mandatory.
How long should I retain cross-border consent records?
Keep them for at least 5 years. The TCPA has a 4-year federal statute of limitations, and some state courts allow additional time. CASL does not specify a retention period, but CRTC investigations can begin years after the alleged violation. Store records with timestamps, IP addresses, form version data, and the specific disclosure text shown, in an exportable format backed up off any single employee's device.
If I buy leads from a vendor, am I responsible for their consent quality?
Yes. The FCC's position is that the company placing the call is responsible for ensuring valid consent exists. Buying a list does not transfer the consent obligation. Audit sample records before dialing, require contractual representations from vendors about TCPA-compliant consent language, and get indemnification clauses in your vendor agreements. "I bought the list" has not successfully defended a TCPA case.
What calling hours apply to international numbers under TCPA?
TCPA restricts calls to 8 AM to 9 PM local time at the called party's location. For international numbers, that means the consumer's time zone, not yours. If your dialer does not automatically calculate the called party's local time from their area code or country, handle it in your campaign setup. Many teams miss this for cross-border lists and create violations unrelated to consent.
Does the EU-US Data Privacy Framework resolve GDPR data transfer issues for outbound calling?
It helps, but only if your company self-certifies under the framework through the US Department of Commerce. Self-certification lets personal data, including phone numbers, flow from the EU to US-based systems without Standard Contractual Clauses. It does not replace the need for a lawful processing basis (consent or legitimate interests) for the call itself. The two requirements, data transfer and processing basis, stay separate.
Are there national DNC lists in Canada and the UK I need to scrub against?
Yes. Canada has the National Do Not Call List (DNCL) administered by the CRTC, and registration there does not expire. The UK has the Telephone Preference Service (TPS) for individuals and the Corporate TPS for businesses. Calling registered numbers in either country without an established business relationship or valid express consent violates those countries' telemarketing rules, separate from any CASL or GDPR analysis.
What is the penalty for violating CASL on a commercial call to a Canadian wireless number?
CASL allows the CRTC to impose administrative monetary penalties up to CAD $1 million per violation for individuals and CAD $10 million per violation for businesses. Unlike TCPA, CASL does not create a private right of action for consumers to sue directly (that provision has not been brought into force). Enforcement runs through the CRTC as a regulatory matter.
Does consent obtained at a trade show or in person satisfy cross-border requirements?
It can for CASL, which accepts in-person express consent when documented with the required identity and contact details for your organization. For TCPA, in-person oral consent does not satisfy the written consent requirement for autodialed calls to wireless numbers. You would need to follow up with a written confirmation meeting the TCPA standard before placing autodialed calls. Paper or electronic works, as long as it is signed.
Do B2B calls face the same cross-border consent requirements as B2C calls?
Usually lighter, but not absent. TCPA applies whether you are calling a consumer or a business if the number is wireless. CASL's implied consent provisions run somewhat broader for business relationships. GDPR treats all identified individuals the same, though legitimate interests is more defensible in genuine B2B contexts. In practice, if you are calling a mobile number, assume full consent requirements apply until proven otherwise.
Sources
- US Congress, Telephone Consumer Protection Act, 47 USC 227: TCPA imposes $500 to $1,500 per-violation statutory damages for unauthorized autodialed or prerecorded calls to wireless numbers, applying to the called party's number regardless of caller location
- Government of Canada, Canada's Anti-Spam Legislation (fightspam.gc.ca): CASL requires express or implied consent for commercial electronic messages sent to or from Canadian devices, with penalties up to CAD $10 million per violation for businesses
- European Union, General Data Protection Regulation (GDPR) full text, EUR-Lex: GDPR Article 3 establishes extraterritorial reach, Article 6(1)(a) requires freely given, specific, informed, unambiguous consent, and Article 83 permits fines up to EUR 20 million or 4% of global annual turnover
- FCC, 47 CFR Part 64 (Electronic Code of Federal Regulations): 47 CFR 64.1200(f)(9) defines prior express written consent and 64.1200(c) restricts calls to 8 AM to 9 PM local time at the called party's location
- FTC, National Do Not Call Registry for businesses: Telemarketers are required to scrub their call lists against the National DNC Registry before placing covered calls to US numbers
- US Department of Commerce, EU-US Data Privacy Framework program: The EU-US Data Privacy Framework, adopted July 2023, provides an adequacy mechanism for US companies that self-certify, enabling personal data transfers from the EU without Standard Contractual Clauses
- CRTC, National Do Not Call List program: Canada's National DNCL is administered by the CRTC; registration does not expire and telemarketers must scrub their lists before calling registered Canadian numbers
- UK Information Commissioner's Office, direct marketing and PECR guidance: UK PECR requires opt-in consent for automated calls and prohibits calls to numbers registered on the Telephone Preference Service (TPS) without prior consent
- FCC, Rules and regulations implementing the TCPA (Federal Register, 47 CFR 64.1200): The FCC's 2012 omnibus order formalized the prior express written consent requirement for telemarketing calls to wireless numbers using an ATDS, effective October 16, 2013