Robocall consent requirements under federal law: what you must know

Federal law requires prior express written consent for most robocalls to cell phones. Learn the exact rules, consent tiers, and penalties under 47 USC 227.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-09

Person on a phone call at a desk reviewing compliance documents under warm afternoon light
Person on a phone call at a desk reviewing compliance documents under warm afternoon light

TL;DR

Under the TCPA (47 USC 227), robocalls and robotexts to cell phones need prior express written consent when they are telemarketing. Informational calls need prior express consent, which can be oral or written. Prerecorded telemarketing to landlines also needs written consent. Violations cost $500 to $1,500 per call. No single exemption covers a general outbound campaign.

What federal law actually governs robocalls?

The Telephone Consumer Protection Act, at 47 U.S.C. § 227, is the main federal statute. Congress passed it in 1991. The Federal Communications Commission writes the implementing rules in 47 C.F.R. Part 64, Subpart L. The FTC runs a parallel set of rules called the Telemarketing Sales Rule (TSR) at 16 C.F.R. Part 310, which covers live and prerecorded telemarketing calls. If you do outbound sales, both agencies can come after you depending on the call type. [1][2]

The TCPA defines an "autodialer" as equipment that has the capacity to store or produce telephone numbers using a random or sequential number generator and to dial them. The Supreme Court narrowed that definition in Facebook, Inc. v. Duguid (2021). A system now has to actually use a random or sequential number generator to count, more than dial from a stored list. [3] That ruling matters for vendors selling "TCPA-safe" dialers. It does not touch the consent rules for prerecorded voice calls, which live on a separate track in the statute.

State laws stack on top. Florida, Oklahoma, and Washington have mini-TCPA statutes with stricter or different triggers. Several states also add their own call recording consent rules. If your call reaches into California call recording laws, you pick up a separate obligation on top of federal consent. Federal law is a floor, not a ceiling.

The FCC built a tiered consent framework. The tier you need turns on two things: the technology you use and why you are calling.

TierCall typeTechnologyConsent required
1Telemarketing / promotionalAutodialer or prerecorded voice to cellPrior express written consent
2Informational (non-marketing)Autodialer or prerecorded voice to cellPrior express consent (oral or written)
3Telemarketing prerecordedPrerecorded voice to residential landlinePrior express written consent

Prior express written consent is the strict tier. The FCC's 2012 Order defined it as an agreement in writing, electronic signatures included, that clearly authorizes the seller to send calls or texts using an autodialer or prerecorded voice. [4] The agreement has to say the consumer is not required to sign as a condition of buying anything. It has to include the phone number that will be called.

Prior express consent, the middle tier, is looser. A consumer can give it orally or in writing, and context can imply it. The FCC has said that handing your cell number to a creditor during a transaction creates prior express consent for calls about that debt. That reading comes from the FCC's 2008 Declaratory Ruling. [5]

The gap between tier one and tier two is where cases are won and lost. Show that a call was promotional, and the caller needed written consent. Courts have not been kind to companies that tried to relabel marketing calls as informational after the fact.

The FCC requires the written agreement to have four things. A clear and conspicuous disclosure that the consumer authorizes the seller to use an autodialer or prerecorded message. The specific phone number being authorized. The name of the seller, not a generic lead form. And a statement that consent is not a condition of purchase. [4]

The agreement has to work under the E-Sign Act, so an electronic signature counts. A checkbox on a web form is fine if the form carries the disclosures. A verbal agreement recorded over the phone does not satisfy written consent for tier-one calls.

Here is what trips teams up. The 2012 FCC Order killed the established business relationship (EBR) exemption for prerecorded telemarketing calls to cell phones. Before 2013, a purchase in the prior 18 months let you call without fresh consent. Gone for cell phones. You need current, documented consent now. [4]

For lead generation, the FCC's rule adopted in December 2023 addressed "one-to-many" consent. A consumer's consent on a lead aggregator's site does not flow automatically to every buyer who bought that lead. The consent has to name the specific seller placing the call. That closed a loophole used hard in mortgage, insurance, and solar. [6]

Store your consent records. Can't produce them in litigation, and you have no defense. Log the date, the consent method, the disclosure language the consumer saw, the phone number, and the seller identity named in the form.

TCPA robocall consent: key numbers Core thresholds and penalties under federal law 500 Statutory damages per viola… (standard) 1,500 Statutory damages per viola… (willful) 31 Days to stop calling after DNC registration 4 Years to retain consent records (statute of limitat… Source: 47 U.S.C. § 227; 47 C.F.R. § 64.1200; FTC Telemarketing Sales Rule; 28 U.S.C. § 1658

Do robocall rules apply differently to cell phones vs. landlines?

Yes, and the difference is real. The TCPA's autodialer and prerecorded voice restrictions apply to calls made to "any cellular telephone service" or to residential lines for prerecorded telemarketing. [1] Autodialed calls to landlines fall outside that same TCPA provision, though the TSR's prerecorded call rules cover some of that ground.

A prerecorded telemarketing call to a residential landline needs prior express written consent under the FCC's 2012 Order. An informational prerecorded call to a landline sits at a lower bar and got separate treatment under FCC rules. Live agent calls to landlines run under Do Not Call rules, not the autodialer provision.

Cell phones get the roughest treatment because the statute was built to keep consumers from paying airtime for unwanted calls. That logic predates unlimited plans. Courts and the FCC never updated it.

Numbers get reassigned too. The FCC created the Reassigned Numbers Database (RND) in 2018, and callers can query it to see whether a number moved to a new subscriber since consent was given. Using the RND is not mandatory in every case, but a good-faith query gives you a safe harbor for a single call. [7] Dial a big list without scrubbing reassigned numbers, and you are stacking up exposure.

Recording those calls varies by state. See call recording consent laws: one-party vs. all-party overview for how recording sits alongside the consent rules here.

What exemptions exist for robocalls under federal law?

There are exemptions. Most are narrower than vendors claim.

Government and nonprofit calls. Calls by or on behalf of a tax-exempt nonprofit, or by a government entity, follow different rules. Political calls using a prerecorded voice are not exempt from the autodialer rules on cell phones, which the FCC has affirmed.

Emergency calls. The statute exempts calls made for emergency purposes. The FCC reads this narrowly: a real, immediate safety emergency, not a marketing message wearing an alert costume.

Free-to-end-user calls. The FCC created an exemption for certain calls where the called party pays nothing and the content is non-commercial. Healthcare providers using automated appointment reminders have relied on it, but only under strict conditions, and the FCC has been sued over how it drew those lines.

The TRACED Act (2019) told the FCC to exempt certain robocalls from the written consent requirement when they serve specific consumer protection purposes, like fraud alerts from banks. The FCC implemented those through 2020. They are category-specific and do nothing for a general outbound sales operation. [8]

One practical point. Even a call type exempt from TCPA consent may still owe compliance with the TSR's calling hours, the National Do Not Call Registry, and state mini-TCPA laws. An exemption in one statute rarely buys you a clean pass everywhere.

What are the TCPA penalties per robocall violation?

The TCPA gives consumers a private right of action with statutory damages of $500 per violation. If a court finds the violation willful or knowing, damages climb to $1,500 per call or text. [1] There is no cap. A campaign of 100,000 calls without proper consent could produce $150 million in statutory damages before any plaintiff's attorney adds a multiplier.

TCPA cases almost always arrive as class actions. The per-call number is small, the class can be huge. Mid-size TCPA class settlements commonly land between $1 million and $75 million, though the real figure swings hard on class size and the strength of the consent records.

FCC enforcement is a separate lane. The Commission can impose forfeiture penalties under 47 U.S.C. § 503(b). In 2021 the FCC issued a $225 million proposed forfeiture against Texas-based health insurance robocallers, its largest ever at the time. [9] The FCC also refers egregious spoofing cases to the DOJ under the Truth in Caller ID Act.

The FTC can enforce the TSR against prerecorded telemarketing calls and has won cases running into tens of millions in civil penalties.

Here is the part nobody says enough. Small teams get sued too. Plaintiffs' lawyers run their own call-monitoring lines to catch violations, then file individually or as a class. A startup that fires off 5,000 texts without written consent is a target, full stop.

In December 2023, the FCC adopted a rule requiring prior express written consent for telemarketing robocalls and texts to be obtained on a one-to-one basis. [6] The consent has to name the specific company placing the calls. A single form authorizing calls from dozens of unnamed "marketing partners" no longer works.

This lands hard on lead buyers. Buy leads from a third-party aggregator, and you cannot assume the original web form built valid consent for your company. You either collect your own consent directly or confirm the original consent named your company by name. The FCC described the goal as closing a "lead generator loophole."

The rule also requires the consent to be logically and topically related to the site or interaction where you collected it. A consumer filling out a car insurance form cannot, under this rule, be validly consenting to Medicare Advantage calls from unrelated companies.

What that means for you: renegotiate lead vendor contracts, audit consent language on any third-party form feeding your pipeline, and build your own consent collection where you can. A note on timing. The rule was originally set to take effect January 27, 2025, but the FCC delayed the one-to-one portion and the D.C. Circuit vacated it in early 2025, so treat the specific one-to-one mechanics as unsettled while the underlying written consent standard stays fully in force. When in doubt, collect your own named consent.

LeadCompliant's compliance kit includes template consent language and a lead vendor audit checklist if you need a starting point.

The safest way to collect prior express written consent for a cell phone marketing campaign is a form the consumer fills out themselves, on a page your company controls, that hits all four FCC disclosure elements.

On web forms, put the disclosure right next to the submit button, not buried in a terms-of-service link. Core language reads something like: "By submitting this form, I authorize [Company Name] to contact me at [phone number] using an autodialer or prerecorded voice for marketing purposes. This consent is not required to purchase." Capture the timestamp, the IP address, and the exact page URL where consent happened.

For inbound calls, you can capture consent live with an IVR prompt if the caller clearly agrees and you record that agreement. That works for tier-two informational consent. For written consent you still need something in writing beforehand, or a follow-up confirmation the consumer actively completes.

No pre-checked boxes. Courts and the FCC have rejected them as proof of affirmative written consent. The consumer has to take a deliberate action.

Keep records at least four years. The TCPA statute of limitations is four years under 28 U.S.C. § 1658. A plaintiff sues in year three, you can't find the consent record, and you lose the only defense that matters.

Scrub your list against the National Do Not Call Registry at least every 31 days. Consent to receive autodialed marketing calls does not override a consumer's later request to go on your internal DNC list.

What is the National Do Not Call Registry and how does it interact with consent?

The National Do Not Call Registry (DNC), run by the FTC, covers telemarketing calls to residential numbers. Once someone registers, telemarketers have 31 days to stop calling. [10] The FTC charges for list access. As of 2024, the first five area codes are free, additional area codes run about $75 each, and the cap for all numbers sits around $18,900 a year.

Consent and DNC registration interact in a specific way. Under the TSR, a consumer's prior express written invitation or permission to call can override the DNC registration for that one seller. So if someone fills out your consent form while sitting on the DNC list, you can still call. The consent has to meet the written standard above, and the consumer can revoke it at any time.

The TCPA's cell phone autodialer rules and the DNC rules are parallel systems. A consumer can be on the DNC list and still need to give you TCPA consent before you autodial them. Scrubbing DNC alone does not satisfy the TCPA. You need both.

For texts, the FCC extended TCPA autodialer protections to SMS in 2003. Every marketing text sent by an autodialer to a cell phone without prior express written consent is a potential TCPA violation, separate from DNC rules.

Run outbound across multiple states and you hit state DNC lists too. Florida and Texas keep their own on top of the federal registry.

SMS marketing sent by autodialer to cell phones is treated the same as autodialed voice calls under the TCPA. Prior express written consent is required for marketing texts. [1][4] The one real difference: texts are cheap to send at scale, which is why TCPA class actions over text campaigns carry enormous class sizes and settlement demands.

The CTIA (a wireless industry trade group) publishes messaging guidelines, and carriers layer their own rules on top of federal law. [11] CTIA guidelines are not federal statutes, but carriers enforce them by contract and can cut off your sender access, which makes them practically mandatory for any business using 10DLC, short codes, or toll-free numbers.

Text opt-out has to be honored right away and permanently. A consumer texts STOP, you stop. Send another marketing message after a STOP and you have a willful TCPA violation, which triggers the $1,500 per-message figure.

Document text consent the same way you document voice consent: timestamp, the consent language shown, the phone number, and the company name. Some platforms save a screenshot of the web form at the moment of consent. That is good practice.

Some teams run a "conversational" texting platform and argue it is not an autodialer under Facebook v. Duguid. That has some merit for certain setups. But if the system can blast a stored list to many recipients without a human initiating each message, it may still meet the TCPA's functional definition. Do not assume Duguid wiped out the risk for stored-list text blasting.

Buying leads and assuming consent came along for the ride. This is the number-one mistake for lead buyers. The consent on the original form names someone else. You call. That is an uninvited robocall.

Vague or buried consent language. A checkbox tucked near a privacy policy link, or consent hidden in 400 words of fine print, routinely fails in court. Courts ask whether a reasonable consumer would have understood they were agreeing to robocalls.

Not honoring opt-outs fast enough. A consumer who texts STOP or says "don't call me again" has revoked consent. Some CRMs take 24 to 72 hours to push that suppression through. Every additional call in that gap is a fresh violation.

Dialing reassigned numbers. A number you had consent for two years ago may belong to a stranger now. Skip the Reassigned Numbers Database and you have no good-faith defense for calling the new subscriber.

Mistaking an EBR for written consent. The established business relationship exemption still helps with some live-agent DNC purposes. It does not satisfy TCPA written consent for autodialed or prerecorded calls to cell phones. [4]

No compliant internal DNC list. Even with written consent, a consumer can revoke by asking not to be called. You have to keep your own suppression list and honor removal requests within a set window. The FTC requires an internal do-not-call process at 16 C.F.R. § 310.4(b)(1)(iii).

Those six account for the bulk of TCPA demand letters and class filings against small and mid-size outbound teams. Fix your consent documentation and your opt-out flow and you kill most of the exposure before litigation starts. LeadCompliant's free TCPA consent checker can flag issues in your current web form language if you want a quick second opinion.

Federal TCPA sets the minimum. States go further, and several have.

Florida's Mini-TCPA (Fla. Stat. § 501.059) took effect in 2021 and reaches calls made using any automated system for selecting or dialing numbers, including systems that are not autodialers under the narrowed federal definition after Duguid. Florida also bars artificial or prerecorded voice telemarketing without prior express written consent, mirroring the federal standard with state enforcement behind it. Damages run $500 per call with a willfulness treble. [12]

Oklahoma's Telephone Solicitation Act, amended in 2022, uses a similarly broad definition of automated dialing technology and requires written consent for automated telemarketing.

Washington's commercial telephone solicitation rules add disclosure requirements and cap calls per day.

Texas and Indiana run their own variations.

Call recording is a separate state layer. If you record calls for training or quality, two-party (all-party) consent states require the called party's permission first. California call recording law and Florida's call recording statute 934.03 are the two highest-risk states, given their populations, litigation culture, and statutory damages. Also check Michigan call recording laws and Arizona's one-party consent rule if those states sit in your footprint.

The safest operating rule is simple. Treat every call as if it needs prior express written consent and two-party recording consent. That is over-inclusive in some states, but it closes the gap when a consumer in a strict state lands in your calling pool.

Frequently asked questions

The TCPA sets no hard expiration date, but the FCC has said consent should stay current and reflect a real ongoing relationship. Long dormant consent, several years with no contact, is harder to defend in court. Many compliance teams treat consent older than two years as needing re-verification. Consumers can revoke at any time, which effectively expires it on the spot.

Can I robocall someone who gave me their number in person?

Giving a number in person can create prior express consent for informational calls in some contexts. It does not satisfy the written consent standard for autodialed or prerecorded marketing calls to cell phones. For a promotional robocall campaign you still need a written, signed agreement carrying the FCC disclosures. An in-person number handoff is not enough.

It must authorize calls or texts to a specific number using an autodialer or prerecorded voice, name the specific seller making the calls, state that consent is not a condition of purchase, and include the consumer's signature, which can be electronic. All four have to be present. A vague marketing opt-in does not clear this bar.

Does the Facebook v. Duguid Supreme Court ruling mean I don't need consent anymore?

No. Duguid narrowed the "autodialer" definition for systems that do not use a random or sequential number generator. Consent rules for prerecorded voice calls run on a separate statutory track and were untouched. Many platforms still qualify as autodialers under the narrower reading. State mini-TCPA statutes often use broader definitions Duguid never addressed.

How do the TCPA and the FTC's Telemarketing Sales Rule differ for robocalls?

The TCPA (FCC) governs the technology, autodialers and prerecorded voice, and requires prior express written consent for marketing calls. The TSR (FTC) covers the telemarketing practice itself: prerecorded calls, Do Not Call compliance, calling hours. Both can hit the same call. Neither preempts the other. Violations of either draw separate enforcement and penalties.

The FCC has not issued a final rule treating ringless voicemail uniformly as a TCPA call, but most courts that have looked at it hold that a message dropped into voicemail storage involves a "call" under the TCPA. The FCC has a pending rulemaking. Conservative practice treats ringless voicemails as needing prior express written consent for marketing content.

Yes. The FCC confirmed in its 2015 Order that consumers can revoke consent at any time by any reasonable method, including orally on a call, by text, or by email. The caller has to honor it promptly. The FCC's 2024 rules set that callers must honor opt-out requests within ten business days, and for texts, immediately on a STOP message. Contact after revocation is a willful violation.

Does a B2B call to a business cell phone require TCPA consent?

The TCPA applies to calls to any cellular number, regardless of whether the owner uses it for business. What matters is the phone service type, not the call's commercial purpose. A sales call autodialed to a business owner's cell needs the same prior express written consent as a consumer call. A few courts have found narrow B2B exceptions, but leaning on that is risky.

What is the statute of limitations for a TCPA claim?

TCPA claims carry a four-year statute of limitations under 28 U.S.C. § 1658, the general federal-question period. Some state courts apply shorter periods to state-law analogs. Retain consent records at least four years from the date of each call or text that relied on them, or you may lose your defense before the case even reaches the merits.

The FCC's December 2023 rule required consent for autodialed or prerecorded marketing calls to name the specific seller placing the calls, not a broad group of "marketing partners." The one-to-one portion was set for January 27, 2025, but the D.C. Circuit vacated it in early 2025, so the mechanics are unsettled. The underlying written consent standard still stands, so collect your own named consent.

Are there calling hour restrictions for robocalls under federal law?

Yes. TCPA and FCC rules bar calls before 8 a.m. or after 9 p.m. in the called party's local time. The FTC's TSR imposes the same window. Local time means the consumer's time zone, not yours. Some states are stricter: Florida limits telemarketing to 8 a.m. through 8 p.m. Apply the stricter of the two for each state in your pool.

What records should I keep to defend against a TCPA lawsuit?

At minimum: the consent form or recording showing the consumer agreed, the timestamp and IP address for web forms, the exact disclosure language shown at the time of consent, the phone number consented to, your company name as it appeared on the form, and a call log of each contact attempt. Keep all of it at least four years. Without these records, no consent defense is possible.

Yes. The FCC classified SMS as a call under the TCPA in 2003. Any text sent to a cell phone by an autodialer for marketing needs prior express written consent, the same standard as a marketing robocall. STOP requests must be honored immediately. Text-campaign cases are among the most common TCPA filings, often because automated blasts reach very large lists fast.

Sources

  1. Cornell Law School / Legal Information Institute, 47 U.S.C. § 227: TCPA text including $500/$1,500 per-violation damages and cell phone autodialer provisions
  2. Federal Trade Commission, Telemarketing Sales Rule (16 C.F.R. Part 310): TSR governs prerecorded telemarketing calls and runs parallel to the TCPA
  3. Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Held that an autodialer must use a random or sequential number generator; narrowed TCPA autodialer definition
  4. Cornell Law School / Legal Information Institute, 47 C.F.R. § 64.1200 (FCC TCPA rules, prior express written consent): Established prior express written consent requirement for autodialed/prerecorded telemarketing calls to cell phones; abolished EBR exemption for cell phones (FCC 2012 Order codified here)
  5. Cornell Law School / Legal Information Institute, 47 U.S.C. § 227 (prior express consent standard): Statutory basis for prior express consent; FCC 2008 Declaratory Ruling held that giving a cell number to a creditor during a transaction is prior express consent for calls about that debt
  6. Federal Register, FCC Rule on Implementing the TCPA Regarding Robotexts and Consent (2024): Required prior express written consent to be granted on a one-to-one basis naming the specific seller; one-to-one portion later vacated by the D.C. Circuit in 2025
  7. FCC, Reassigned Numbers Database: FCC created the RND in 2018; callers who query it get a safe harbor for a single call made after a good-faith check
  8. Congress.gov, TRACED Act (Pub. L. 116-105): The TRACED Act (2019) required FCC to exempt certain non-commercial robocall categories; those exemptions are narrow and category-specific
  9. Federal Trade Commission, National Do Not Call Registry: Telemarketers must stop calling registered numbers within 31 days; fee structure applies to list access beyond first five area codes
  10. Florida Legislature, Fla. Stat. § 501.059 (Florida Telephone Solicitation Act): Florida's mini-TCPA uses a broader autodialer definition than post-Duguid federal standard and imposes $500/call damages with treble for willfulness

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit