Last updated 2026-07-10

TL;DR
TCPA compliance verification means confirming, before every outbound call or text, that you have valid consent or a lawful exemption, the number isn't on a DNC list, and the record proving both is saved and retrievable. Get any of those three wrong and each contact costs $500 to $1,500 per violation, with no hard cap on class exposure.
What does TCPA compliance verification actually mean?
The Telephone Consumer Protection Act, 47 U.S.C. § 227, prohibits using an automatic telephone dialing system (ATDS) or prerecorded voice to call or text a cell phone without the called party's prior express consent [1]. Verification is the process of confirming, before you dial or send, that consent exists and is documented, that the number is not on the National Do Not Call Registry or an internal DNC list, that the contact falls within permitted calling hours (8 a.m. to 9 p.m. local time in the recipient's time zone), and that the whole transaction is logged with enough detail to defend it in court [2].
That last part is what most small teams miss. They collect consent at some point, then lose the exact record of when, how, and what language the consumer saw. When a plaintiff files suit, "we had consent" is not a defense. The actual evidence of consent is the defense: a timestamped form submission, a call recording, a signed document.
Verification is not a one-time audit. It happens at three moments. At lead acquisition (was consent obtained properly?). At the time of contact (is this number still safe to call today?). And after a complaint or opt-out (was the record updated and calling stopped inside the required window?).
Practitioners sometimes use the phrase interchangeably with "TCPA compliance software," but software is one tool. The real compliance process needs written policies, trained staff, reliable data, and defensible records. Software that automates DNC scrubbing without a documented consent workflow still leaves you exposed.
What are the specific legal requirements you're verifying against?
The statute itself is the starting point. 47 U.S.C. § 227(b)(1)(A) makes it unlawful to "make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice" to any cellular number [1]. Violations carry $500 per call in statutory damages, or $1,500 per call if the court finds the violation was willful or knowing.
The FCC has layered more rules on top of the statute through a series of orders. The 2012 Report and Order (FCC 12-21) raised the consent standard for telemarketing calls to "prior express written consent," which must include a clear and conspicuous disclosure that the consumer will receive autodialed or prerecorded calls, the consumer's signature (electronic counts), and the consumer's phone number [3]. The FCC's 2023 one-to-one consent order, later stayed by the 11th Circuit pending review, signaled the agency's intent to tighten the link between the person giving consent and the specific seller [4].
The National DNC Registry, run by the FTC under the Telemarketing Sales Rule (16 C.F.R. Part 310), requires companies making telemarketing calls to scrub their lists against the registry at least every 31 days [5]. The TCPA's own DNC provisions at 47 U.S.C. § 227(c) give consumers a private right of action for two or more violations in a 12-month period, with the same $500/$1,500 per-call damages.
State laws add another layer. California's CCPA touches call data. Florida's Mini-TCPA (SB 1120, effective July 2021) puts its own restrictions on calls made with automated systems. Oklahoma, Washington, and others run state DNC lists that need separate scrubbing [6]. A verification program that checks only federal requirements is incomplete.
So here is what your verification system has to confirm for every outbound contact:
| Check | Standard | Frequency |
|---|---|---|
| Prior express written consent | FCC 2012 R&O, 47 USC 227(b) | At lead intake; re-confirm after 18-month gap |
| National DNC scrub | FTC 16 CFR 310.4(b) | Every 31 days minimum |
| Internal DNC / opt-out list | 47 USC 227(c)(5) | Real-time, updated within 30 days of request |
| State DNC lists | State-specific | Per state cadence; some monthly, some real-time |
| Calling hours | 47 USC 227(c)(1)(C) | Each contact, using recipient's local time zone |
| Reassigned number check | FCC Safe Harbor guidance | Before each campaign to a number not dialed recently |
What is a reassigned number and why does it blow up compliance?
Reassigned numbers are one of the most common sources of TCPA liability for otherwise careful companies. Here is how it goes wrong. A consumer gives you their cell number and consents to calls. They cancel service. The carrier hands that number to a different person, who never agreed to anything. You keep calling on the original consent, and now you're hitting an unconsenting stranger with an ATDS [7].
The FCC's 2018 Reassigned Numbers Database (RND) order required a central database that carriers must upload disconnected numbers to within 45 days [7]. The database, operated by iconectiv, went live in 2021. You can query it before dialing to check whether a number has been reassigned since consent was obtained.
Here is the safe harbor. If you query the Reassigned Numbers Database, it returns no reassignment, and you still reach a new subscriber, you get one free call before liability attaches [7]. One. Run a campaign without checking the RND and you have no safe harbor at all. Check it and still hit a reassigned number, and you're covered for that first contact.
For outbound teams with large contact lists, this is where automated TCPA compliance software earns its cost. Manual RND queries are possible but impractical at volume. Scrubbing tools that run RND lookups before each campaign cut reassigned-number exposure sharply.
The truist bank tcpa class action settlement case shows how reassigned number claims compound. Each call to a non-consenting recipient is a separate violation, so a campaign that dials 50,000 numbers can generate 50,000 individual claims.
How do you verify that written consent is actually valid?
Not all consent is equal. For telemarketing calls and texts using an ATDS, the FCC requires "prior express written consent," defined in 47 C.F.R. § 64.1200(f)(9) as an agreement, in writing, that clearly authorizes the seller to deliver calls using an automatic telephone dialing system or an artificial or prerecorded voice [3].
A valid consent record has to show four things: (1) the consumer's phone number, (2) the consumer's signature (wet or electronic, including a checkbox plus IP and timestamp), (3) clear disclosure that autodialed or prerecorded messages may follow, and (4) the specific seller authorized to make contact.
A pre-checked box does not meet the standard. Consent buried in general terms and conditions, with no separate, clear disclosure, does not meet the standard. The disclosure has to be obvious before the consumer acts.
When you verify consent at campaign time, you're checking that the record in your database hits all four elements above. You're also checking consent age. The FCC has set no formal expiration date on TCPA consent, but courts have found that very old or stale consent gets shaky, especially when the consumer has had no real contact with the company for years. A common internal rule (not a legal requirement, just a defensible practice) is to re-confirm consent after 18 to 24 months of inactivity.
Third-party leads need extra care. If you bought a lead from a list vendor, someone else gathered the consent, maybe for a different purpose, maybe listing multiple buyers. After the 2023 FCC one-to-one consent rules (which, even while stayed, reflect how the agency reads consent), relying on shared consent from a list vendor is high-risk. The safest move is to re-obtain consent directly before dialing through an ATDS.
For dealerships specifically, where internet leads pour in from aggregators, tcpa compliance software that flags third-party consent records for manual review before auto-dialing is standard at well-run programs.
How does DNC scrubbing work and what tools do it?
DNC scrubbing compares your outbound call list against one or more do-not-call databases and drops any number that appears. At minimum, you scrub against the National Do Not Call Registry. The FTC's Telemarketing Sales Rule requires subscription to the registry and scrubbing at least every 31 days [5]. Scrub less often and you're in violation, even if none of the numbers added during the gap show up in your campaign.
The registry lives at donotcall.gov and needs a paid subscription for scrub lists above 5 phone numbers (small batches under 5 are free) [8]. As of 2024, annual fees run from around $62 per area code to roughly $17,000 for the full national database, though the FTC updates its fee schedule periodically. Confirm current pricing directly with the registry.
Beyond the federal registry, you also scrub against:
- Your internal opt-out list. Any consumer who asks to be removed must be added within 30 days, and the opt-out has to hold for at least 5 years [2].
- State DNC lists. California, Texas, Indiana, Wyoming, and several others run their own lists with separate registration and scrubbing rules.
- Litigator lists. Not legally required, but many compliance teams track known TCPA plaintiffs and their attorneys. Calling a known litigator isn't illegal by itself, but it's asking for trouble.
TCPA compliance verification software from vendors like Gryphon, Contact Center Compliance (C3), or DNC.com automates most of this. The software ingests your call list, runs it against every subscribed database at once, returns a clean list with the scrub date and result documented, and archives the record. For teams running outbound at real volume, this is not optional.
For what happens when scrubbing breaks down, the unitedhealthcare to pay $2.5m for alleged tcpa violations settlement involved calls to numbers that should never have been contacted. Process failures, not malice, are usually the cause.
What records do you need to be able to produce in a TCPA lawsuit?
When a TCPA suit lands, the plaintiff's first move is to demand every record tied to their phone number. What you can produce in the first 30 days of litigation often decides whether you pay nuisance value to settle or beat the claim.
The records that matter most:
1. The original consent record: date, time, IP address, form URL, the exact language shown, the phone number as entered, and a screenshot or archived copy of the consent form as the consumer saw it. 2. Your DNC scrub logs: date the scrub ran, which databases were checked, the result for the specific number in question. 3. Your calling records: date, time, and duration of each attempt, whether it connected, what type of dialer or system was used. 4. Opt-out history: if the consumer asked for removal, when the request came in, when it was processed, and whether calls actually stopped. 5. The lead source record: where this number came from, when, what the lead vendor represented about consent.
Courts have awarded maximum statutory damages when companies could not produce contemporaneous documentation. Companies that produce clean, timestamped records have defeated class certification and individual claims [9].
Retention matters too. The FTC's TSR requires companies to keep records for 24 months [5]. In practice, keep them at least 4 years, because the TCPA statute of limitations is 4 years under 28 U.S.C. § 1658, and some courts apply state limitations periods that run even longer [11].
The credit one tcpa settlement and the cash app tcpa class action settlement are useful case studies. Both involved systematic record failures that made a defense impossible at scale.
What does a TCPA compliance audit look like in practice?
An audit is not a lawsuit. It's a self-initiated review you run before the lawsuit arrives, or ahead of a new campaign, a new dialing technology, or a regulatory inquiry.
A practical audit has five workstreams.
First, the consent inventory. Pull every lead source feeding your outbound pipeline. For each one, answer: what consent language was shown, when, and do you have the record? Flag any source where the answer is uncertain.
Second, the dialing technology review. Identify every system that makes or initiates calls, including CRM auto-dialers, ringless voicemail tools, and SMS platforms. Map each one to the TCPA's technology definitions. The ATDS definition remains contested after Facebook v. Duguid (2021), but the safest read is that any system with the capacity to store and dial numbers automatically, even from a static list, carries risk [9].
Third, the DNC compliance check. Review your scrub cadence. Is it documented? Are the scrub logs saved? Are state lists covered? Is your internal opt-out process running inside the 30-day window?
Fourth, the calling hours review. Do you have automated time-zone logic in your dialer? Can you show no calls went out before 8 a.m. or after 9 p.m. in the recipient's local time?
Fifth, the staff training review. TCPA liability attaches to the company for calls made by employees or agents. If your reps manually dial from a CRM that qualifies as an ATDS, they need to know the rules. Documented training sessions belong in the audit record.
LeadCompliant publishes a free one-time compliance kit that walks through this exact audit structure, with checklists for each workstream. It's a starting point, not a substitute for counsel, but it's a real step toward an audit-ready program.
For ongoing monitoring, the tcpa news hub tracks FCC orders, major settlements, and court decisions that change how the rules apply.
What does TCPA compliance verification software actually do?
The phrase covers products all over the map. At the low end, a "TCPA compliance tool" might be a phone number checker that queries the national DNC registry and nothing else. At the high end, enterprise platforms offer real-time consent verification, automated DNC scrubbing against federal and state lists, ATDS risk flagging, reassigned number database queries, and audit-trail logging with timestamp exports.
For most small to mid-size outbound teams, the features that actually earn their keep:
- DNC scrubbing on upload, before a campaign runs, with documented logs saved automatically.
- Reassigned Numbers Database integration, so numbers with recent reassignments get flagged before dialing.
- Consent record storage with field-level timestamps (more than "we have consent," but when, how, and what form version).
- Opt-out processing that suppresses a number across all future campaigns the moment a removal request is logged.
- Time-zone enforcement that blocks dialing outside legal hours by recipient geography.
TCPA compliance software for dealerships, a segment with heavy inbound lead volume from aggregators like Cars.com or Edmunds, usually adds lead-source tracking, so the origin of each consent record is logged and the vendor's consent language is archived. Dealerships carry particular exposure because they often autodial internet leads at high speed, and the consent chain from aggregator to dealer is exactly where documentation gaps open up.
Cost varies a lot. DNC scrubbing-only tools can run $50 to $200 per month for a small team. Full-stack compliance platforms range from $500 to several thousand per month depending on volume and features. The math is simple. One TCPA class action can settle for $500,000 to $10 million or more, as in the albertsons safeway tcpa settlement. Software that stops one meritorious claim pays for itself the day it does.
Free tools exist for basic checks. LeadCompliant offers free number checkers for DNC status as a starting point, though production campaigns need a properly subscribed, documented process.
How do you handle consent for text message marketing under the TCPA?
SMS sits under the same TCPA framework as voice calls. A text sent via an ATDS to a cell phone without prior express consent is a violation [1]. For marketing texts (as opposed to purely informational or transactional messages), the FCC requires prior express written consent, the same standard as telemarketing calls [3].
Verification for SMS campaigns means confirming written consent before any marketing message goes out, honoring opt-outs immediately (the industry standard is within seconds for automated STOP processing), keeping opt-in records with timestamps and the exact disclosure language, and scrubbing your SMS list against DNC records.
SMS-specific verification elements that differ from voice:
- Keyword opt-out. CTIA guidelines (which carriers enforce) require support for STOP, QUIT, CANCEL, UNSUBSCRIBE, and END as opt-out keywords. The FCC has pointed to CTIA standards as the baseline for industry compliance.
- Double opt-in. Not required by the TCPA, but courts and regulators treat it favorably because it creates an unambiguous, consumer-initiated consent record.
- Short code vs. 10DLC vs. toll-free. Each delivery type carries different carrier-level registration requirements. Since 2023, unregistered 10DLC numbers face heavy message filtering, which means unregistered campaigns often don't even deliver, let alone comply.
For how SMS marketing programs should be structured to stay compliant, the text message marketing and text messaging marketing guides cover the full setup.
Every opt-out gets processed immediately. The kaiser tcpa settlement claim deadline case involved, among other issues, failures in opt-out handling. That kind of claim is entirely avoidable with a properly configured SMS platform.
What TCPA violations actually lead to class action lawsuits?
Not every technical TCPA violation becomes a class action. Plaintiffs' attorneys hunt for patterns. A company that called thousands of people with an ATDS without proper consent. A company that kept calling after opt-out requests. A company whose records are so bad it cannot prove consent ever existed.
The highest-risk behaviors, based on the pattern of filed cases:
- Dialing purchased lists without re-confirming consent.
- Using ringless voicemail or auto-text platforms that qualify as ATDS under state or federal interpretation.
- Ignoring or slow-processing internal opt-out requests.
- Calling reassigned numbers at scale.
- Marketing to consumers who originally consented for a different product or seller.
Willful violations, where a company knew about the problem and kept going, can push damages to $1,500 per call. Courts have certified classes of hundreds of thousands of called parties, generating potential exposure in the hundreds of millions before any settlement. Real settlements in well-known cases include the cash app tcpa class action settlement and joseph snyder credit one tcpa, both of which stemmed from systemic failures that documentation and verification could have caught early.
The FCC accepts consumer complaints about unwanted calls and texts at fcc.gov, and the FTC takes DNC complaints at donotcall.gov [10]. Individual complaints are less dangerous than they look, but a cluster of complaints about the same campaign is a signal the plaintiff's bar will pick up.
The most honest thing to say about TCPA litigation risk is this. Most suits are not filed against companies making occasional errors. They're filed against companies with broken processes. Verification is process. Get the process right and the risk drops hard, though it never hits zero.
How do you build a verification checklist your team will actually use?
A compliance checklist nobody follows is not a defense. In litigation it can hurt you, because it proves you knew what to do and didn't do it. The checklist has to match your actual workflow.
Start with lead intake. Every new lead source goes through a one-time onboarding review: what consent language was shown, is it prior express written consent for your specific company, is it documented and retrievable? Set a rule that no new lead source goes live until someone reviews and signs off on the consent chain.
At campaign launch, the checklist should include: DNC scrub completed within the last 31 days (document the date and databases used), reassigned number check run, calling hours verified by recipient time zone, consent records spot-checked for a sample of the list, and opt-out suppression file updated.
At contact: if your CRM allows it, log call outcomes in real time. If a consumer asks to be removed, the opt-out enters your suppression list that day.
Post-campaign: archive the scrub logs and consent sample for at least 4 years. If a complaint comes in, pull the file for that number and confirm what the records show.
For teams that want a ready-made version, LeadCompliant's compliance kit includes a downloadable checklist mapped to 47 U.S.C. § 227 and FCC regulations, which you can adapt to your dialing technology and lead sources.
Keep it short. A checklist with 40 items does not get checked. Five to eight items per phase, each phrased as a yes/no question, gets used. You can also connect the how to stop robocalls perspective, since understanding what a consumer sees on their end helps your team calibrate what actually triggers complaints.
Frequently asked questions
How often do I have to scrub my list against the National DNC Registry?
The FTC's Telemarketing Sales Rule (16 C.F.R. § 310.4(b)(1)(iii)(B)) requires scrubbing at least every 31 days. Scrubbing once and running a campaign six weeks later is a violation even if the list hasn't changed. Your scrub logs should record the exact date the scrub ran so you can prove compliance if challenged.
Does TCPA compliance verification apply to B2B calls?
Mostly, yes. The TCPA's ATDS restrictions apply to all cell phone calls regardless of whether the recipient is a business owner or a consumer. The residential DNC registry technically covers personal numbers, not business lines, so pure B2B calls to published business numbers carry somewhat lower DNC risk. But dial a business owner's cell with an autodialer and the ATDS consent rules apply in full.
What is prior express written consent and how is it different from just "consent"?
The FCC's 2012 Report and Order (FCC 12-21) defines prior express written consent as a signed written agreement that includes the consumer's phone number, authorizes autodialed or prerecorded calls from a specific seller, and includes a clear disclosure of that fact. A verbal agreement, a pre-checked box, or general terms-of-service consent does not meet this standard for telemarketing calls and texts.
How long do I have to process a do-not-call request?
Under 47 U.S.C. § 227(c)(5) and FCC regulations at 47 C.F.R. § 64.1200(d)(3), a company must honor a consumer's opt-out request within 30 days and maintain that suppression for at least 5 years. Faster is better. Many complaints arise from calls placed in the gap between an opt-out request and when it was actually entered into the suppression list.
What is the Reassigned Numbers Database and do I have to use it?
The Reassigned Numbers Database (RND), operated by iconectiv under an FCC order, tracks cell numbers that have been disconnected and reassigned to new subscribers. The FCC's safe harbor for calling a reassigned number exists only if you queried the RND before dialing and it showed no recent reassignment. Without a query, there is no safe harbor, and each call to a new subscriber is a separate TCPA violation.
Can I rely on consent collected by a third-party lead vendor?
Technically yes, but with real risk. The consent must meet prior express written consent standards, must name your company (or at least your category, which is contested), and you must be able to produce the original consent record in litigation. The FCC's 2023 one-to-one consent framework, even while stayed by the 11th Circuit, signals that regulators view shared-list consent skeptically. For high-volume campaigns, re-obtaining consent directly is safer.
How much does TCPA compliance software cost for a small team?
DNC-scrubbing-only tools typically run $50 to $200 per month for small teams. Full-stack platforms covering DNC scrubbing, reassigned number checks, consent storage, and audit logging range from $500 to several thousand per month depending on volume. The FTC's National DNC Registry subscription fee for a single area code is around $62 per year; full national access is roughly $17,000 annually, though fees are updated periodically.
What are the TCPA calling hours and how do I enforce them automatically?
Under 47 C.F.R. § 64.1200(c)(1), telemarketing calls may only be placed between 8 a.m. and 9 p.m. in the called party's local time zone. The recipient's time zone, not yours, controls. Most modern CRMs and dialers support time-zone-based call suppression. Audit this feature regularly: time-zone data errors are common when numbers are ported between carriers.
What records do I need to keep and for how long to defend a TCPA claim?
You need the original consent record with timestamp and form language, DNC scrub logs with dates and databases checked, call logs showing each contact attempt, opt-out history, and lead source documentation. The FTC's TSR requires 24-month retention. The TCPA's 4-year statute of limitations under 28 U.S.C. § 1658 means keeping records for at least 4 years from the last contact is the practical minimum.
Is a TCPA compliance audit different from ongoing verification?
Yes. A compliance audit is a periodic, full review of your entire program: consent records, dialing technology, staff training, DNC processes, and documentation practices. Ongoing verification is the per-campaign or per-contact process of confirming a specific number is safe to contact right now. Both matter. Audits catch systemic problems; ongoing verification stops individual violations.
Does the TCPA apply to ringless voicemail drops?
The FCC has not issued a final rule specifically on ringless voicemail (RVM). But in 2017, the FCC signaled that RVM counts as a "call" under the TCPA, and several courts have agreed. The FCC's position is that delivering a message to a consumer's voicemail box, even without ringing, constitutes a call to a cell phone. Running RVM campaigns without prior express written consent carries real litigation risk.
Do I need a TCPA lawyer to set up a verification program?
Not necessarily for the initial setup, but for higher-volume programs, a one-time legal review of your consent forms and process is money well spent. TCPA plaintiffs' attorneys are sophisticated and will hunt for technical failures in your consent language. Having an attorney confirm your forms meet FCC standards before you run millions of contacts is far cheaper than a settlement after the fact. This article is not legal advice; consult qualified counsel for your situation.
What is the difference between the TCPA and the Telemarketing Sales Rule for compliance purposes?
The TCPA (47 U.S.C. § 227), enforced by the FCC and through private lawsuits, governs the technology used to make calls: autodialers, prerecorded voices, and text messages. The TSR (16 C.F.R. Part 310), enforced by the FTC, governs the conduct of telemarketing more broadly: disclosures, deceptive practices, and the National DNC Registry. Most outbound teams are subject to both, and your verification process needs to address both frameworks.
How do I verify TCPA compliance for a dealership's outbound program?
Dealership programs combine high inbound lead volume from aggregators with fast autodialer follow-up, and that mix creates consent chain risk. Verification should include archiving each lead vendor's consent language at time of receipt, flagging third-party leads for consent review before auto-dialing, running DNC scrubs before each campaign batch, and using TCPA compliance software that logs the consent source for every number dialed. Re-obtaining consent directly from internet leads before adding them to autodialed sequences is safest.
Sources
- U.S. Government, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits ATDS or prerecorded voice calls to cell phones without prior express consent; $500 per violation, $1,500 if willful
- FCC, 47 C.F.R. § 64.1200, Delivery Restrictions: Calling hours restricted to 8 a.m. to 9 p.m. local time; internal DNC requests must be honored within 30 days and maintained 5 years
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires scrubbing against National DNC Registry every 31 days and record retention for 24 months
- Florida Senate Bill 1120 (2021), Florida Telephone Solicitation Act amendments: Florida's 2021 Mini-TCPA imposed independent restrictions on automated calls, effective July 1, 2021
- FTC, National Do Not Call Registry: Businesses must subscribe to and scrub against the National DNC Registry; subscription fees apply for lists above 5 numbers
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to require random or sequential number generation; FCC interpretation and lower court application remains contested
- U.S. Code, 28 U.S.C. § 1658, Statute of Limitations for Federal Civil Actions: General 4-year statute of limitations for TCPA private right of action claims
- FTC, Business Guidance for Telemarketers: DNC Registry access fees and subscription requirements for telemarketing businesses