Last updated 2026-07-09

TL;DR
The TCPA bans auto-dialed calls and texts to cell phones without prior express consent. For marketing, that consent has to be written and has to disclose that consent isn't required to buy. Violations cost $500 per call or text, up to $1,500 if willful. Courts and the FCC have reshaped these rules since 2015, and a 2024 FCC order tightened written consent again.
What does the TCPA actually require for calling or texting a cell phone?
The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, draws a hard line around cell phones. [1] Use an automatic telephone dialing system (ATDS) or a prerecorded voice to reach a wireless number, and you need prior express consent before you dial. No consent, no call. That's the baseline, and it hasn't moved since 1991.
The statute makes it unlawful "to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice... to any telephone number assigned to a... cellular telephone service." [1] That one sentence is the whole game. Everything else in TCPA cell phone compliance is an argument about what those words mean.
The FCC has stacked rules on top of the statute through a series of orders. The 2012 FCC Order raised the bar for marketing: plain "express consent" stopped being enough. Sellers now need prior express written consent for telemarketing and advertising. [2] Informational calls (appointment reminders, fraud alerts, delivery updates) still only need express consent, which can be oral or implied from the business relationship, though the rules on implied consent have gotten stricter.
So you have two consent tiers to keep straight. Express consent for non-marketing calls. Prior express written consent for marketing calls. Mixing them up is how companies land in class actions.
What counts as an ATDS under the TCPA after Facebook v. Duguid?
For a decade, plaintiffs and defendants fought over what equipment triggers TCPA cell phone rules. The Supreme Court answered the statutory question in Facebook, Inc. v. Duguid (2021). [3] The Court held that an ATDS must have the capacity to store or produce numbers "using a random or sequential number generator" and then dial them. A system that only dials specific numbers from a stored list, without a random or sequential generator, is not an ATDS under that definition.
That ruling helped businesses running predictive dialers off pre-loaded lists. It did not hand them a pass on consent. Keep three things in mind.
Prerecorded or artificial voice calls to cell phones need prior express consent no matter what dials them. [1] The ATDS definition covers one prong of the statute. The prerecorded voice prong stands on its own.
State laws often reach wider. Florida's Mini-TCPA (FTSA) uses "automated system" language that catches dialers Duguid would exclude. [4] A system that's clean under federal TCPA can still create liability in Florida, and states like Washington, Oklahoma, and Texas run their own analogs.
Capacity still counts. If your dialer can generate random or sequential numbers, some courts treat that as meeting the test even if you never flip the feature on. Read your vendor's real technical specs, not the sales brochure.
Duguid shrank ATDS exposure. It didn't erase it, and it did nothing to the prerecorded voice rule or the consent requirements sitting under both prongs.
What is prior express written consent and how do you get it properly?
The FCC's 2012 Order defines prior express written consent as an agreement that (1) is in writing, including electronic signature, (2) clearly authorizes the seller to send telemarketing calls or texts to the signer's cell phone using an ATDS or prerecorded voice, (3) discloses that consent is not a condition of purchase, and (4) includes the specific number being consented to. [2]
Every element gets tested in litigation. Courts have thrown out consent defenses where the disclosure buried the ATDS reference in fine print, where the form named a lead aggregator's generic language instead of the company doing the calling, or where the consumer gave a number for support and then got marketing texts.
The 2024 FCC Order added one-to-one consent, effective in early 2025. [5] One consent form can no longer authorize calls or texts from multiple sellers. If you buy leads from an opt-in page that listed 50 "marketing partners," that consent is legally dead for your use. The consumer has to agree, by name, to hear from your company.
A compliant written consent form should:
- Name your company.
- State the consumer agrees to receive autodialed and/or prerecorded marketing calls or texts.
- List the specific phone number to be contacted.
- Say plainly that consent is not required to make a purchase.
- Use an E-SIGN-compliant signature mechanism if collected online.
Here's the step people skip: keep a timestamped record of every consent, including the exact form language shown at the moment of signing. Courts and FCC investigators will ask for it. If you can't produce it, you don't have it.
Does texting a cell phone require the same consent as calling?
Yes. The FCC ruled in 2003, and has said it again since, that text messages sent to cell phones by ATDS are "calls" under 47 U.S.C. § 227. [6] The full framework applies: prior express written consent for marketing texts, and the same $500 to $1,500 per-message exposure.
This trips up a lot of teams because texting feels casual. Legally it isn't. A single marketing blast to 50,000 people without proper written consent is $25 million in statutory damages before anyone argues willfulness.
Text consent also has to be channel-specific. A cell number given for a voice call doesn't hand you permission to text, especially for marketing. Get consent that says "autodialed text messages" in words, or you're running a risk most lawyers won't sign off on. For a fuller look at building compliant text programs, see our guide to text message marketing.
One nuance worth knowing. Peer-to-peer (P2P) texts sent by a live human, one at a time, from a standard phone generally don't raise ATDS issues. But the moment a platform queues and fires messages automatically, even with a human "approving" each one, you're almost certainly in ATDS territory and you need consent.
What is the difference between express consent and express written consent?
This is the single most common mix-up in TCPA compliance, and getting it wrong costs money.
Express consent, the lower bar, covers non-marketing, informational calls and texts to cell phones. The consumer has to have given their number in a context that shows they're fine being contacted. Handing over your cell on a loan application for account servicing is the classic case. No written record required, though keep one anyway.
Prior express written consent, the higher bar, covers any telemarketing or advertising call or text to a cell phone. It takes a written agreement with the specific disclosures above. Oral consent doesn't count. An email saying "you can call me" doesn't count. The FCC's 2012 Order is blunt on this. [2]
The table below lays out the differences.
| Feature | Express Consent | Prior Express Written Consent |
|---|---|---|
| Message type | Informational, non-marketing | Marketing / advertising |
| Form | Oral or written | Written (including electronic) |
| Disclosure required | No specific FCC-mandated disclosure | Must disclose ATDS use; consent not required for purchase |
| Specific number required | Implied from context | Yes, best practice |
| One-to-one company requirement (post-2024) | No | Yes |
| Record retention | Best practice | Required |
If your call or text carries any promotional content, even a product mention or a deal, treat it as marketing and use the higher standard.
How does the 2024 FCC one-to-one consent rule change lead generation?
The FCC's December 2023 Order reshaped how lead generators and lead buyers handle consent. [5] The old trick of a consumer checking one box to authorize a list of "partners" or "affiliated companies" is now a TCPA violation when used for autodialed or prerecorded marketing.
Under the rule, prior express written consent for marketing calls and texts has to be (a) given to one seller at a time, and (b) logically and topically tied to the website or context where it was collected. A mortgage lead form can produce consent for mortgage lenders. It can't smuggle in consent for insurance, credit cards, or solar.
For outbound teams buying leads, the shift is real. Due diligence on your vendor's consent practices moved from a nice-to-have to your first line of defense against a class action. You need to see the actual consent form language, confirm it names your company, and confirm the topic matches your product.
The FCC's stated reason was protecting consumers from a flood of calls after a single opt-in. The agency pointed to complaints from people who checked one box and then got dozens of calls from unrelated companies. [5]
Still running the old multi-party model? Fix it. Exposure under the new rule is the same $500 to $1,500 per call, multiplied across every contact you made on consent that no longer holds. For how these failures play out in the real world, the UnitedHealthcare $2.5M TCPA settlement and the Truist Bank TCPA class action show what breaks when consent chains snap at scale.
What are the TCPA penalties for calling or texting a cell phone without consent?
The statute sets damages at $500 per violation. [1] If a court finds the violation knowing or willful, it can triple that to $1,500 per call or text. There's no federal cap, which is why class actions against big companies settle in the eight and nine figures.
The math is ugly. A company that sent 100,000 marketing texts without proper written consent faces $50 million in statutory damages before any willfulness multiplier. Courts award those damages without any proof of actual harm, and that is exactly what makes TCPA class actions catnip for plaintiff firms.
A few real examples. Credit One Bank faced a TCPA settlement that shows how consent failures compound at scale. Cash App's TCPA class action turned on whether the company had valid consent for its messaging. Albertsons/Safeway settled a TCPA case tied to promotional texts.
Private plaintiffs file the overwhelming majority of TCPA cases. The FCC can enforce directly, with civil penalties under 47 U.S.C. § 503. In practice your real exposure is the class action bar that specializes in TCPA, not an FCC investigation.
One number worth memorizing: TCPA filings in federal court topped 4,000 cases in 2022. [7] That's heavy litigation for a statute passed in 1991.
Does TCPA consent expire or can it be revoked?
Consent can be revoked, and the TCPA makes you honor it fast. The FCC's 2024 Order confirmed consumers can revoke through any reasonable means: a STOP reply to a text, a verbal request on a call, an email, a web form. [5] You can point people to a preferred revocation channel, but you can't make it the only one that works.
The 2024 Order also set a 10-business-day maximum to stop sending after a revocation request. That's the ceiling. Faster is always better and cuts your exposure.
Does consent expire on its own, without revocation? The statute names no expiration date, and no FCC rule sets one. But courts have side-eyed companies leaning on consent from years back, especially after the customer relationship ended. Practically: if someone opted in during 2018 and hasn't touched you since, refresh that consent before you restart outreach.
For lead purchases, consent obtained by a third party doesn't ride along forever. If the original opt-in happened two years ago for a different company and you just bought the lead, you're standing on thin ice. Fresh consent is almost always worth the friction of getting it.
Are there any exceptions that let you call a cell phone without consent?
A few narrow exceptions exist. None of them help most sales and marketing outreach.
Emergency calls are exempt. [1] Imminent threat to health or safety, you can call without consent. That does nothing for a sales team.
Calls by or for a tax-exempt nonprofit are not fully exempt, despite what people assume. Nonprofits still need consent for ATDS calls to cell phones. They just don't need prior express written consent for non-commercial calls.
Government debt collection got a brief statutory exception in 2015. The Supreme Court struck it down in Barr v. American Association of Political Consultants (2020) as an unconstitutional content-based restriction. [8] Calls about federal government debt are not automatically exempt.
Manual calls, meaning a live human dialing a single number by hand on a standard telephone with no ATDS in the loop, fall outside the ATDS prong entirely. But drop in a prerecorded message at any point and that prong wakes up. State laws may still impose consent rules on purely manual calls.
The prior business relationship (PBR) exception that once existed for cell phones was killed by the FCC in 2012. [2] It survives in a narrow way for residential landlines, not for wireless marketing calls. "We already have a relationship" is not permission to auto-dial someone's cell for marketing.
How should a small outbound team build a compliant cell phone consent process?
Most small teams over-engineer the technology and under-build the paperwork. Flip it.
Start with the consent form. Have a lawyer review the exact language on every form, landing page, or verbal script where you collect consent. Confirm it names your company, references ATDS and prerecorded calls by name, discloses that consent isn't required for purchase, and captures the specific phone number. Collecting online? Your platform has to be E-SIGN compliant.
Then build a consent database. Each record should store consumer name, phone number, date and time of consent, the form version shown, IP address for web forms, and the exact disclosure text. This is your proof if you get sued. Can't produce it in discovery, and courts treat it as if consent never existed.
For lead buying, get contractual reps and warranties that your vendor's consent meets the current FCC standard, including the post-2024 one-to-one rule. Ask to see a sample consent form. If the vendor won't show you one, that's your answer.
For revocation, set your text platform to process STOP replies automatically and immediately. Build a process to suppress revoked numbers across every channel, not only the one the revocation came in on, inside the 10-business-day window.
LeadCompliant's free compliance kit includes a consent form template and a consent-record field guide matched to the FCC's current requirements. Use it as a starting point before your attorney reviews the final version.
Last, run your cell numbers against the wireless portion of the National Do Not Call Registry, because cell numbers land there too, and DNC rules stack on top of TCPA consent. [9] On the DNC and lacking consent is a double violation.
What do courts look for when deciding if TCPA cell phone consent was valid?
Courts hit the same handful of factors again and again in TCPA cell phone consent cases, and knowing them shapes how you document everything.
Clarity of the consent language leads the list. Buried disclosures, tiny font, checkbox text that never mentions autodialed calls, these tend to lose. In Reyes v. Lincoln Automotive Financial Services, the court treated unambiguous consent as the standard. [10] Vague "contact you" language often isn't enough.
Context carries weight. Did the consumer give their cell in a setting logically connected to the call they later got? A number on a car loan application for account services doesn't consent you to marketing from the lender's insurance affiliate.
Record integrity matters more than people expect. Courts have watched defendants produce consent records that don't match what the consumer signed, or timestamps that fall apart under scrutiny. If your records look massaged, you've lost before opening arguments.
Revocation handling gets picked apart. Even with clean original consent, companies lose on the back end by ignoring STOP requests or failing to honor them system-wide. The Kaiser TCPA settlement shows how revocation failures turn into class-wide exposure.
To understand the plaintiff-side mechanics, our overview of how to stop robocalls walks through the consumer complaint process, which often triggers a class action. Following TCPA news helps you spot enforcement trends before they reach your industry.
Frequently asked questions
Can I call someone's cell phone if I have their number from a public source?
No. The TCPA doesn't care where you got the number. If you're using an ATDS or prerecorded voice, you need prior express consent, whether the number came from a website, a directory, or a business card. Consent has to come from the person who owns the number, not from the fact that it was publicly listed.
Does a signed contract or terms of service count as TCPA written consent?
It can, but only if the consent language inside meets FCC requirements: it names your company, references autodialed or prerecorded calls, lists the specific number, and discloses that consent isn't required to purchase. Generic terms-of-service language saying you may contact the customer for service matters usually won't cover marketing calls.
What happens if a cell phone number is reassigned to a new person after consent was given?
You lose the consent. Consent belongs to the subscriber, not the number. The FCC's Reassigned Numbers Database exists for this exact problem. You can query it before dialing to check whether a number changed hands since consent was collected. Using it isn't legally required, but it's strong evidence of good faith if you're sued over a reassigned-number call.
Is implied consent ever enough for cell phone calls under the TCPA?
For non-marketing, informational calls, courts have recognized implied consent when a consumer voluntarily gave their cell number in a transactional context, like opening a bank account. For marketing calls, no. The FCC's 2012 Order eliminated implied consent and requires prior express written consent. Implied consent is never safe for promotional or advertising messages.
How long do I have to stop calling after someone revokes consent?
The FCC's 2024 Order set a maximum of 10 business days to halt communications after a revocation request, no matter which channel the consumer used to revoke. In practice, your text platform should process STOP replies the same day, and you should suppress the number across every outreach channel, more than texts, inside that 10-day window.
Do TCPA rules apply to ringless voicemail drops?
The FCC's position is yes. In 2018 the FCC declined to exempt ringless voicemail, and enforcement has proceeded on the view that it's a call under the TCPA. Courts have generally agreed that ringless voicemail delivered to a cell phone triggers TCPA requirements, including prior express written consent for marketing messages. Treat it exactly like a prerecorded call.
If I buy leads, who is responsible for TCPA compliance, the lead vendor or me?
Both of you, potentially. Under the FCC's vicarious liability theory, a company can be liable for calls made on its behalf by a third party, including lead generators, if it knew or should have known the leads lacked proper consent. Contractual indemnification from your vendor helps you recover costs, but it doesn't shield you from the plaintiff directly.
Does TCPA consent have to be in English?
The statute doesn't specify English. But if your consent form is in English and the consumer's primary language isn't, a court may question whether the consent was knowing and voluntary. Marketing to non-English speakers? Get the disclosure translated. A consent form the consumer couldn't read is a weak foundation for a legal defense.
Can a business get TCPA consent verbally over the phone?
For non-marketing informational calls, oral consent can work. For marketing calls and texts, no. The FCC's 2012 Order requires written consent for telemarketing. You can confirm or record an oral agreement, but the written element has to exist before the marketing calls start, not after. Trying to ratify oral consent retroactively doesn't hold up.
What is the statute of limitations for a TCPA cell phone consent violation?
Federal courts have generally applied a four-year statute of limitations under 28 U.S.C. § 1658, though some circuits have borrowed shorter state periods. Four years is the safer planning assumption. That means a consent failure from 2021 could still generate a lawsuit filed in 2025. Keep records long enough to defend the full window.
Do state laws add consent requirements beyond the TCPA for cell phones?
Yes, several do. Florida's Telephone Solicitation Act uses a broader definition of automated dialer than the federal ATDS standard post-Duguid. Washington, Oklahoma, and Texas run similar analogs. Some states add disclosure requirements or shorter calling windows. Check state law for every state where your consumers sit, more than federal TCPA.
What records should I keep to prove TCPA cell phone consent?
At minimum: the consumer's name, the number consented, the date and time consent was given, the exact disclosure language shown, the IP address and device for web-based consent, and the name of the company authorized. Store these records at least four years, the outer edge of the federal statute of limitations. Change your form? Archive old versions with dates.
Sources
- Cornell LII, 47 U.S.C. § 227 (TCPA statute text): TCPA prohibits autodialed or prerecorded calls to cellular numbers without prior express consent; sets $500 per-violation damages, tripled for willful violations
- U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): ATDS requires capacity to store or produce numbers using random or sequential number generator; predictive dialers calling pre-loaded lists may not qualify
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida's FTSA uses broader automated system language that reaches dialers excluded from TCPA's ATDS definition post-Duguid
- WebRecon LLC, TCPA Lawsuit & Complaint Statistics 2022: TCPA federal court filings exceeded 4,000 cases in 2022
- FTC, National Do Not Call Registry: Cell phone numbers can appear on the National Do Not Call Registry; DNC restrictions layer on top of TCPA consent requirements
- 2nd Circuit Court of Appeals, Reyes v. Lincoln Automotive Financial Services, 861 F.3d 51 (2d Cir. 2017): Courts require TCPA consent to be unambiguous; vague 'contact you' language has been found insufficient
- FCC, Reassigned Numbers Database: The Reassigned Numbers Database allows callers to verify whether a cell number has been reassigned to a new subscriber since consent was collected
- Cornell LII, 28 U.S.C. § 1658 (Federal catch-all statute of limitations): Federal courts have generally applied four-year statute of limitations to TCPA claims under 28 U.S.C. § 1658