Last updated 2026-07-09

TL;DR
Health insurance outbound campaigns face TCPA liability up to $1,500 per call for willful violations, plus state mini-TCPA exposure. To stay compliant, you need prior express written consent before auto-dialing or texting cell phones, active DNC scrubbing, an internal suppression list, and documented consent records. The FCC's 2024 one-to-one consent rule makes lead aggregator lists especially risky.
Why is health insurance outbound calling a TCPA minefield?
Health insurance is one of the most litigated outbound verticals in the country. High call volume, heavy reliance on aggregator lead lists, and a customer base that never really asked to be called. That mix is exactly what class action firms look for.
The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, prohibits making any call with an automatic telephone dialing system or a prerecorded voice to a cell phone without the called party's prior express consent [1]. Violations carry statutory damages of $500 per call, up to $1,500 per call for willful violations, and there is no cap on class damages [1]. One bad campaign that sends 10,000 texts can expose you to $15 million on paper.
Health insurance adds a wrinkle on top of the baseline. ACA open enrollment and Medicare Advantage marketing are sensitive seasons when call volume spikes and plaintiff attorneys pay close attention. Several insurance settlements have cleared eight figures. The cash app tcpa class action settlement and credit one tcpa settlement show how fast per-call penalties stack up across a big list.
So why is this vertical so dangerous? You are usually calling cell phones, which get TCPA's strongest protection. You are usually using some form of automated dialing. And you are usually relying on consent sourced through third-party lead generators whose paperwork rarely survives litigation.
What does TCPA actually require for outbound insurance calls?
TCPA draws a sharp line between landlines and cell phones, and another between manually dialed calls and auto-dialed or prerecorded ones. Health insurance calls sit on the risky side of both lines.
To call or text a cell phone using an automatic telephone dialing system (ATDS) or a prerecorded message, you need prior express consent at minimum, and prior express written consent if the call is telemarketing [2]. Health insurance outbound calls are telemarketing. So the written consent bar applies. Full stop.
Here is what "prior express written consent" means under FCC rules: a signed written agreement (electronic signatures count) in which the consumer clearly authorizes you to contact them using an ATDS or prerecorded voice at a specific number, and the agreement states that consent is not a condition of buying anything [2]. That last phrase is not decorative boilerplate. Plaintiff attorneys hunt for it. If your web form or your vendor's form is missing it, you may not have valid consent even if the consumer checked a box.
For manually dialed calls with a live agent and no prerecorded component, written consent is not required, but you still have to honor the National DNC Registry and your internal do-not-call list. See the do not call list overview for how that registry works.
One more layer. If your predictive dialer has the capacity to generate or store random or sequential numbers, the FCC may treat it as an ATDS whether or not you actually use that capacity. The definition has been fought over since the Supreme Court's 2021 ruling in Facebook v. Duguid, which narrowed it, and the FCC has signaled it may update its rules [3]. The safer posture is to treat any high-volume dialing technology as potentially covered.
What changed with the FCC's 2024 one-to-one consent rule?
This is the change that caught most health insurance lead buyers off guard. The FCC's December 2023 order (effective January 27, 2025) closed the comparison-shopping loophole that let one consumer's consent form authorize calls from dozens of unrelated companies [4].
Under the old reading, a lead gen site could show a consumer a single checkbox authorizing contact from a broad list of insurance providers. One opt-in, unlimited callers. Plaintiff attorneys and the FCC both agreed it was a mess.
The new rule requires one-to-one consent. The consumer must separately and clearly authorize each specific company that will contact them. A blanket "our marketing partners" list does not cut it. The consumer has to know your company name and agree to your calls specifically [4].
For carriers and agents who buy leads, that is a direct hit. Most aggregator forms were built on the comparison-shopping model. If you are still buying lists where the consent form named a category of companies instead of you by name, you are probably buying non-compliant leads.
The order also requires the consent be "logically and topically associated" with the website where it was collected [4]. A consumer who signs up for a recipe newsletter and happens to check an insurance box has not given you valid consent. The consent has to make contextual sense for the product being sold.
What to do about it: audit every lead source now. Ask each vendor for the exact consent language and a sample opt-in form. If they hesitate to hand it over, that hesitation is your answer.
How do you build a compliant consent flow for a health insurance campaign?
Start with your own web properties if you can. When you own the form, you control the language and you keep the audit trail. A compliant consent form for health insurance outbound calling needs four things in writing:
1. Your company name, specifically. 2. The consumer's telephone number. 3. Clear authorization for contact via ATDS, prerecorded voice, or text (name the technologies you will use). 4. An explicit statement that consent is not required to buy a health insurance plan.
The checkbox cannot be pre-checked. It has to be an affirmative act by the consumer.
Store every opt-in with a timestamp, IP address, the exact version of the form language, and the source URL. Courts and the FCC have repeatedly asked defendants to produce this data. "We had consent" is not a defense if you cannot document it. A spreadsheet with a name and a date is not enough.
If you rely on third-party leads, demand the same documentation from your vendor for every lead you buy. Ask for the consent capture timestamp, the IP, and the rendered form HTML at the moment of capture. Some vendors provide a consent certificate through services like ActiveProspect's TrustedForm. These are not bulletproof, but they give you evidence a plaintiff has to attack directly rather than a swearing match over your word.
Text outbound uses the same consent standard, but the paper trail matters even more because SMS class actions are easier to certify. Every text is logged. Review the text message marketing rules before you send a single SMS to a cold list.
How do DNC scrubbing requirements work for insurance outbound teams?
Every outbound telemarketing call has to be scrubbed against the National Do Not Call Registry before you dial. The FTC's Telemarketing Sales Rule and the FCC's TCPA rules both require it. You cannot call a number that has been on the registry for more than 31 days [5].
To access the registry, you register at donotcall.gov, pay an annual fee based on the area codes you access (the first five are free), and download files you can compare against your list [5]. Re-scrub before any campaign. More often than once a year, always.
Beyond the federal registry, you have to maintain your own internal do-not-call list. Anyone who says they do not want to be called gets added within 30 days and stays honored for at least five years [6]. That includes people who ask to be removed mid-call. Training agents to capture and document those requests is not optional.
Four states run their own do-not-call registries with extra requirements: Indiana, Tennessee, Wyoming, and Montana. If you call into those states, scrub those lists separately. See our breakdown of how do i get the do not call list for the access process.
Cell phone numbers do appear on the National DNC Registry. There is a stubborn myth that cell phones have a separate registry, or that you cannot call cell phones at all. Neither is true. What is true is that cell phones carry the extra ATDS and prerecorded consent requirement on top of DNC compliance. The mobile phone do not call list piece covers that distinction.
| Scrubbing requirement | Frequency | Source |
|---|---|---|
| National DNC Registry | Before each campaign, max 31-day-old data | FTC/FCC [5] |
| State DNC registries (IN, TN, WY, MT) | Per state rules, typically monthly | State AG offices |
| Internal suppression list | Real-time, updated within 30 days of opt-out request | FCC 47 CFR 64.1200 [6] |
| Litigator list scrubbing | Before each campaign | Third-party vendors |
What calling hours and frequency limits apply to insurance outbound?
Federal TCPA rules allow telemarketing calls only between 8 a.m. and 9 p.m. in the called party's local time zone [6]. That is their time zone, not yours. If your team sits in Arizona and calls Florida numbers, you dial on Eastern time.
Some states are stricter. Florida's mini-TCPA (the Florida Telephone Solicitation Act, amended in 2021) cuts calling hours to 8 a.m. to 8 p.m. and adds its own consent requirements for calls and texts [7]. Washington, Oklahoma, and several other states have parallel rules. When state law is tighter than federal, you follow the state.
There is no explicit federal rule on call frequency. But dialing the same number over and over after a consumer says stop creates TCPA exposure plus potential harassment claims under state consumer protection law. Most compliance counsel land on the same practical standard: no more than three attempts to a number in a 72-hour window, and a full stop the moment the consumer asks to be removed.
For cold calling specifically, a live-agent manual dial to a cell phone with no prerecorded component sits outside the ATDS consent rule under the current Facebook v. Duguid reading. Every DNC rule and every calling-hours rule still applies. Do not let "we dial manually" become the excuse for skipping the rest of your compliance.
What records do you need to keep to defend a TCPA claim?
Litigation is a document fight. Most TCPA defendants who lose do so because they cannot produce records, not because they genuinely lacked consent.
At minimum, keep the following.
Consent records: the signed agreement, timestamp, IP address, and the exact form version. Hold these at least four years, which covers the federal TCPA statute of limitations with buffer for tolling arguments.
Call logs: every dialed number, the time and duration, the agent ID, and the outcome. Your dialing platform should export these on its own. Back them up somewhere your vendor cannot delete without your knowledge.
DNC suppression records: documented proof that you scrubbed against the registry and your internal list, with the date of each scrub.
Opt-out processing records: when a consumer asked for removal, who took the request, and when it hit your suppression file.
Training records: proof your agents got TCPA training. If a rogue agent ignores opt-out requests, showing you trained against exactly that limits your vicarious liability.
Companies like LeadCompliant provide compliance kits with record-keeping templates and consent language you can adapt. A structured system in place before a lawsuit lands is the difference between a quick dismissal and years of expensive discovery.
One caution specific to health insurance: CMS has its own marketing guidelines for Medicare Advantage and Part D plans that layer on top of TCPA. Those rules require call recordings be retained for 10 years in some cases [8]. If you sell Medicare products, your retention schedule probably runs longer than your TCPA counsel is telling you.
How does the FCC's robocall and junk fax enforcement affect insurance campaigns?
The FCC has treated robocall enforcement as a priority since at least 2019, when the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, signed December 2019) gave the commission authority to issue larger fines and push call authentication standards [9].
STIR/SHAKEN is the authentication framework carriers now use to assign a trust score to calls. If your calls come from numbers that were never properly registered, or that show spam patterns, carriers can label or block them. For a health insurance outbound team, that means caller ID reputation is money. Spoofing caller IDs, using number farms, or buying numbers in bulk without proper registration gets your calls flagged or dropped before they ever ring.
The FCC also requires telemarketers to transmit truthful caller ID information. Using a fake number, or a number that gives the consumer no way to call back or opt out, is a separate violation from the consent rules [9].
If your agents use a dialer platform, confirm the provider meets STIR/SHAKEN attestation requirements and has a real process for registering your outbound numbers. That is a basic table-stakes question when you evaluate dialer vendors.
What state laws add compliance requirements beyond federal TCPA?
Federal TCPA is the floor, not the ceiling. At least a dozen states have passed mini-TCPA statutes or amended their telemarketing laws to push past federal requirements.
Florida's FTSA (Florida Telephone Solicitation Act, amended by SB 1120 in 2021) is the most aggressive right now [7]. It created a private right of action for unsolicited sales calls or texts made using an "automated system for the selection or dialing of telephone numbers," which is arguably broader than the federal ATDS definition. Florida also keeps a separate DNC registry, maintained alongside the federal list. FTSA class actions have piled up, and health insurance is one of the top targets.
California stacks several overlapping statutes: the TCPA, the California Consumer Privacy Act (CCPA), and the automated-calls provisions of the Business and Professions Code. For health insurance specifically, California requires extra disclosures in insurance solicitations.
Washington, Texas, Oklahoma, Wyoming, and Maryland all run state telemarketing acts with consent, disclosure, or registration requirements that go past federal rules. If you run a national campaign, you need a 50-state analysis, or at least a review of your top five states by call volume.
The do not call telemarketer list article breaks down which states maintain their own registries.
What are the biggest TCPA mistakes health insurance teams make?
Now the rules are on the table, here is where teams actually get burned.
Buying shared leads without verifying consent language. The most common mistake by a mile. A vendor tells you the list is opted in. You take their word for it. The consumer never saw your company name on any form. You call 50,000 people. A class action shows up six months later.
Skipping the internal DNC list. Teams scrub against the federal registry and forget they also have to track their own opt-outs. One agent takes a removal request verbally and never logs it. That person gets a call three weeks later. That is a willful violation.
Running a predictive dialer on cold lists. If the numbers are not verified, consented cell phone leads, auto-dialing them is TCPA exposure even after Facebook v. Duguid, because the consent problem is separate from the ATDS definition problem.
Ignoring time zones. Dialing a Florida number at 9:05 p.m. Eastern from a Pacific-time call center is a violation. Simple, avoidable, and surprisingly common.
Re-using old lead lists without re-scrubbing. Number reassignment is real. A number that was valid and consented 18 months ago may now belong to a stranger who consented to nothing. The FCC's Reassigned Numbers Database exists for exactly this [10]. Scrubbing against it before a campaign limits your liability when you unknowingly dial a reassigned number.
For cold call operations, not having a written do-not-call policy you can produce in litigation is its own mistake. The FCC safe harbor for DNC violations requires a written policy, trained personnel, and a process for maintaining the list [6]. No documentation, no safe harbor.
How should a small health insurance outbound team structure its compliance process?
Most of the advice above reads like big-company infrastructure. But small teams get sued too, and they often lose faster because they have fewer resources to fight.
Here is a structure that works for a team of 5 to 30 agents.
Pre-campaign checklist. Before any campaign launches, one named person (not "the team") verifies consent documentation is reviewed, the list is scrubbed against national DNC and internal suppression, calling hours are confirmed for the target states, dialer settings are checked for ATDS mode, and agent training is current.
Real-time opt-out capture. Every agent needs a way to log a removal request on the spot, not at end of shift. If your CRM cannot do it, a shared spreadsheet with a timestamp column beats nothing, though a proper system is worth the money.
Monthly scrub cycle. Even with no new campaign running, re-scrub your active pipeline monthly against the national registry. Numbers get added constantly.
Lead vendor due diligence in the contract. Your vendor contract should include a representation that all leads were obtained with TCPA-compliant consent, an indemnity for consent failures, and a promise to hand over consent documentation on request. Few vendors love this language. Push for it anyway.
Legal review of consent forms. A one-time review by a TCPA-experienced attorney of your opt-in form and your vendor's form is money well spent. It costs far less than a single demand letter, let alone a class action settlement.
LeadCompliant's free TCPA compliance kit includes consent language templates and a pre-campaign checklist you can adapt without starting from scratch.
For teams sorting out the gap between tcpa compliance for calls and for SMS, the requirements overlap but are not identical. Text campaigns need separate opt-in flows and opt-out keyword handling. STOP, CANCEL, and UNSUBSCRIBE all have to trigger immediate removal.
What should you do if you receive a TCPA demand letter or get named in a lawsuit?
Stop the behavior in question right now. Not after the next campaign. Not after an internal chat. Stop.
Do not answer the demand letter yourself. TCPA demand letters are often sent by plaintiff attorneys fishing for a quick settlement. Replying without counsel can hand them admissions. Hire a TCPA defense attorney before you respond to anything.
Preserve all records. Issue a litigation hold immediately: do not delete call logs, consent records, lead vendor contracts, or dialer exports. Spoliation (destroying evidence after litigation is anticipated) can bring sanctions that make a bad case worse.
Quantify the exposure. The plaintiff will claim the maximum statutory damages per call. Your defense counsel will work through whether the calls used an ATDS, whether valid consent existed, whether the safe harbor applies, and whether the class can actually be certified. Many TCPA cases settle before class certification because the math is brutal for defendants even with a reasonable defense.
The FTC and FCC both publish their enforcement actions publicly [5][9]. Reading recent health insurance enforcement actions tells you what the regulators care about and roughly what settlements run in this industry.
Frequently asked questions
Do I need written consent to call health insurance leads on cell phones?
Yes. If you use any automatic telephone dialing system or a prerecorded message to call a cell phone for telemarketing, you need prior express written consent under 47 U.S.C. § 227 and FCC rules. The consent must name your company, authorize the contact technology you use, and state that consent is not required to purchase. Manual live-agent calls still require DNC compliance but do not require written consent under current federal law.
Can I buy health insurance leads from a lead aggregator and call them?
You can, but it is risky after the FCC's 2024 one-to-one consent rule. The aggregator's consent form must name your company specifically. A blanket consent to 'insurance partners' or a long company list no longer satisfies the rule as of January 27, 2025. Before buying any list, request the actual consent form language and a sample consent certificate showing the timestamp and IP address.
What is the one-to-one consent rule and when did it take effect?
The FCC issued its one-to-one consent order in December 2023, and it took effect January 27, 2025. It requires consumer consent for telemarketing calls to be given separately to each specific company that will contact them. Lead generation sites can no longer use a single opt-in to authorize calls from a broad list of unrelated companies. This rule directly affects insurance lead buyers who relied on comparison-shopping lead gen sites.
How often do I need to scrub my call list against the Do Not Call Registry?
The FCC and FTC require you to scrub against a version of the National DNC Registry no more than 31 days old before any telemarketing campaign. In practice, most compliance counsel recommends scrubbing right before each campaign launch, not on a fixed monthly calendar. You also must maintain your own internal suppression list and update it within 30 days of any consumer opt-out request.
What calling hours apply to health insurance outbound campaigns?
Federal TCPA rules permit telemarketing calls between 8 a.m. and 9 p.m. in the called party's local time zone, not the caller's. Some states are stricter: Florida limits calls to 8 a.m. to 8 p.m. Always use the most restrictive rule that applies to the state you are calling into. Calling-hour violations are per-call violations with the same $500 to $1,500 statutory damages.
Does TCPA apply to texts as well as phone calls for insurance marketing?
Yes. The TCPA covers text messages sent using an automatic telephone dialing system to the same extent it covers voice calls to cell phones. You need prior express written consent before sending marketing texts to a cell phone. You must also honor opt-out requests immediately when consumers reply STOP, CANCEL, UNSUBSCRIBE, END, QUIT, or HELP. Ignoring an SMS opt-out is typically treated as a willful violation.
What is the TCPA penalty per call for health insurance violations?
Statutory damages under 47 U.S.C. § 227 are $500 per violation (per call or text) for standard violations and $1,500 per violation for willful or knowing violations. There is no statutory cap on class damages, which means a campaign that reached 100,000 people without proper consent could produce $150 million in exposure before any negotiation. Most cases settle, but insurance settlements have reached eight figures.
Does Florida have its own TCPA that affects health insurance calls?
Yes. Florida's Telephone Solicitation Act (FTSA), amended in 2021 by SB 1120, created a private right of action for unsolicited sales calls or texts made with an automated dialing system. Florida's definition of automated dialing is arguably broader than the federal ATDS definition post-Facebook v. Duguid. Florida also limits calling hours to 8 a.m. to 8 p.m. Health insurance is one of the most targeted industries under FTSA class actions.
What is the FCC's Reassigned Numbers Database and should I use it?
The Reassigned Numbers Database (RND) is an FCC-maintained database of phone numbers that have been disconnected and potentially reassigned to new subscribers. Calling a reassigned number whose new owner never consented is a TCPA violation. The FCC provides a safe harbor from liability if you checked the RND before calling and it showed no reassignment. For insurance campaigns using older lead lists, RND scrubbing is a cheap way to cut exposure.
Can I use a predictive dialer for health insurance outbound calls?
You can use a predictive dialer to call numbers where you hold prior express written consent. Using one on cold or unverified lists is high-risk. Even after the Supreme Court's narrowed ATDS definition in Facebook v. Duguid (2021), some courts and the FCC read ATDS broadly. More to the point, if you lack consent the dialer classification is irrelevant to the consent violation. Reserve auto-dialing for your fully consented pipeline only.
What records do I need to keep to defend a TCPA lawsuit?
You need signed consent records with timestamp and IP address, call logs showing each number dialed and the outcome, DNC scrub records with scrub dates, an internal suppression list with opt-out timestamps, and agent training records. Most TCPA defense attorneys recommend keeping these at least four years. For Medicare Advantage campaigns, CMS rules may require call recordings for up to 10 years.
What is a litigator scrub and do I need one for insurance campaigns?
A litigator scrub compares your call list against a database of phone numbers tied to known serial TCPA plaintiffs and their attorneys. These individuals intentionally take calls to generate lawsuits. Litigator scrubs are not federally required, but they are standard practice in high-volume insurance outbound. Several third-party vendors maintain these lists. The cost is usually pennies per number and can strip your most dangerous contacts before you ever dial.
Does TCPA apply if my agents are dialing manually from a CRM?
If agents truly dial each number by hand with no automated selection or dialing assistance, the ATDS consent requirement under the current federal reading does not apply. You still must follow DNC registry rules, internal suppression requirements, calling hours, and state mini-TCPA rules. The manual-dial exemption is narrow and fact-specific. If your CRM auto-populates the next number and auto-initiates the call, a court may still find ATDS use.
What should my insurance company's written do-not-call policy include?
The FCC's safe harbor for DNC violations requires a written policy covering how the company trains personnel on DNC rules, how opt-out requests are recorded and honored, the process for maintaining the internal suppression list, and how compliance is monitored. The policy must be available to any employee who places calls. Without a written policy you can produce in litigation, you cannot claim the FCC's safe harbor even with good-faith practices.
Sources
- Cornell Law School, Legal Information Institute: 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibits ATDS/prerecorded calls to cell phones without prior express consent; statutory damages are $500 per violation, up to $1,500 for willful violations
- FCC: 47 CFR § 64.1200, Restrictions on Telephone Solicitation: Prior express written consent required for telemarketing calls/texts using ATDS or prerecorded voice to cell phones; consent must state it is not required for purchase
- Supreme Court of the United States: Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition: a device must have capacity to use a random or sequential number generator to store or produce numbers to qualify as ATDS
- Federal Trade Commission: National Do Not Call Registry: Telemarketers must scrub against the National DNC Registry using data no more than 31 days old; access via donotcall.gov with area-code-based fees
- FCC: 47 CFR § 64.1200, Restrictions on Telephone Solicitation (calling hours, internal DNC, safe harbor): Calling hours restricted to 8 a.m. to 9 p.m. called party's local time; internal do-not-call opt-outs must be honored within 30 days and maintained for 5 years; written DNC policy required for safe harbor
- Florida Legislature: Florida Telephone Solicitation Act, § 501.059, F.S. (as amended by SB 1120, 2021): Florida's FTSA (2021) created private right of action for automated sales calls/texts; restricts calling hours to 8 a.m. to 8 p.m.; broader automated system definition than federal ATDS
- FCC: Reassigned Numbers Database: FCC maintains the Reassigned Numbers Database; callers who check RND before calling and find no reassignment qualify for a safe harbor from TCPA liability for calls to reassigned numbers
- FTC: Telemarketing Sales Rule, 16 CFR Part 310: TSR requires telemarketers to scrub against the National DNC Registry; applies alongside TCPA for most outbound telemarketing campaigns