Last updated 2026-07-10

TL;DR
TCPA consent is written or electronic permission a consumer gives before a business can call or text them using an autodialer or prerecorded voice. Marketing calls and texts need express written consent. That consent must be voluntary and clearly disclosed, and the consumer can revoke it anytime through any reasonable means. Violations run $500 to $1,500 each, with no cap on class actions.
What is TCPA consent?
TCPA consent is the permission a person gives before a company can reach them by autodialed call, prerecorded message, or text. The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, makes that permission a legal prerequisite, not a courtesy [1]. Skip it and each call or text can cost you $500 to $1,500 in statutory damages. There's no cap on the class-action total.
The law draws a hard line between two kinds of consent. "Prior express consent" covers informational calls to a number the consumer handed over voluntarily. "Prior express written consent" covers anything with a marketing purpose. Most outbound sales teams need the written version. Most compliance failures happen because teams assume the lower standard is enough.
Consent under the TCPA is not a general terms-of-service agreement. The FCC has said for years that consent must be knowing, voluntary, and tied to the specific type of communication the consumer agreed to receive [2]. Bury your disclosure in a privacy policy nobody reads and you probably don't have valid TCPA consent.
What does the TCPA regulate?
The TCPA covers four things: autodialed calls to mobile numbers, prerecorded or artificial-voice calls to any number, unsolicited fax advertisements, and text messages sent by automated systems [1]. Congress signed the statute in 1991, long before SMS was common. Courts and the FCC have read "calls" to include texts anyway.
Here's a quick map of what's covered:
| Communication type | Equipment trigger | Consent tier needed |
|---|---|---|
| Autodialed call, mobile number | Autodialer (ATDS) | Express written (marketing) or express (informational) |
| Prerecorded/artificial voice call | Prerecorded message | Express written (marketing) or express (informational) |
| Text message (SMS/MMS) via autodialer | Autodialer | Express written (marketing) or express (informational) |
| Unsolicited fax advertisement | Fax machine | Written consent or established business relationship |
| Manual call to landline (no prerecord) | None | Not covered by TCPA |
One thing teams miss: the autodialer definition has been fought over in court for years. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed it to systems that use a random or sequential number generator to store or produce numbers [3]. That helped some defendants. But the FCC still reads the definition broadly in places, and state laws fill any gap the federal statute leaves. Don't assume Duguid gives you a free pass.
For a channel-by-channel look at how these rules hit outbound text message marketing, the SMS-specific requirements deserve their own read.
Who regulates and implements the requirements of the TCPA?
The Federal Communications Commission is the primary regulator. Congress gave the FCC authority to issue implementing rules under 47 U.S.C. § 227(b)(2), and the agency has used that authority through a string of orders since 1992 [2]. The current regulations sit at 47 C.F.R. § 64.1200.
The Federal Trade Commission runs the National Do Not Call Registry and enforces the Telemarketing Sales Rule, which overlaps with but is separate from the TCPA [4]. Both agencies can bring enforcement actions. State attorneys general can enforce the TCPA on behalf of their residents. And individual consumers can sue directly in federal or state court with no agency involved at all. That private right of action is why TCPA litigation is everywhere: plaintiffs don't wait for a government investigation.
The FCC updates its rules through formal rulemaking. A big set of changes tightening the "one-to-one consent" requirement was set to take effect in early 2025 before a federal court vacated it, and the rules for lead-generation consent remain contested [2]. Staying current with FCC orders matters as much as knowing the statute. Recent TCPA news has tracked those swings in detail.
What are the TCPA consent requirements for marketing calls and texts?
Any call or text with a marketing purpose needs "prior express written consent." The FCC's 2012 rules (effective October 2013) spelled it out: the consumer signs an agreement, on paper or electronically, that plainly authorizes the seller to contact them using an autodialer or prerecorded message [2]. The agreement also has to disclose that consent is not a condition of buying anything.
Five things that agreement must contain:
1. The consumer's signature (a typed name, checkbox, or similar electronic act counts). 2. A clear description of who will contact them. 3. The phone number calls or texts will go to. 4. A statement that the consumer agrees to autodialed or prerecorded contacts. 5. A statement that consent is not required to make a purchase.
The FCC also tried to add a "one-to-one" consent rule: a single opt-in obtained through a lead-generation site could not be shared across multiple sellers, and each seller would need its own separate consent [2]. That rule was scheduled for January 2025, but the Eleventh Circuit vacated it days before it took effect, holding the FCC had overstepped its authority. The practical lesson survives the legal reversal. Shared, unnamed consent has always been the weakest kind, and plaintiffs' firms still attack it.
For purely informational calls (appointment reminders, fraud alerts, delivery notices) from a company the consumer already deals with, the lower "prior express consent" standard applies. No written agreement needed. But the consumer must have voluntarily given the number in a context where such calls were reasonably expected.
What is a TCPA consent disclosure?
A TCPA consent disclosure is the specific language shown to a consumer at the point of opt-in that explains what they're agreeing to. It's your written record that consent was informed and voluntary. Without a proper disclosure, you can't prove valid consent even if the consumer checked a box or filled out a form.
A compliant disclosure reads something like this: "By submitting this form, you agree to receive autodialed and prerecorded calls and text messages from [Company Name] at the phone number provided. Consent is not a condition of purchase. Message and data rates may apply. Reply STOP to opt out."
The FCC hasn't mandated a word-for-word script. It has said the disclosure must be "clear and conspicuous." That means no hiding it in a footer, no tiny gray text, no burying it under other content. It sits immediately next to the submission button or signature field [2]. Courts have thrown out disclosures separated from the opt-in action by several paragraphs of unrelated text.
A few things that kill an otherwise valid disclosure. Bundling consent with unrelated terms. Using a pre-checked box (the FCC requires an affirmative action). Failing to identify which companies will do the contacting. Disclosures that say "you may be contacted by our partners" without naming those partners have always been a weak spot, and they're the exact thing regulators keep trying to shut down [2].
Can anyone revoke TCPA consent, and who has that right?
Yes. Any consumer who gave TCPA consent can revoke it. Full stop. The FCC has been consistent on this for years, and the Third Circuit's 2013 decision in Gager v. Dell Financial Services confirmed the right to revoke is built into the consent framework [5]. Consent that can't be revoked isn't really consent.
Only the person who gave consent can revoke it. A third party generally can't opt out on someone else's behalf unless they're an authorized agent. If a consumer gave consent through a form completed by a sales rep, the consumer still holds the revocation right.
Businesses can't contract the revocation right away. If your terms of service say "consent is irrevocable for 12 months," that clause is unenforceable. The FCC addressed this head-on in its 2015 Omnibus Declaratory Ruling, holding that consumers may revoke consent through any reasonable means [6].
How can a consumer revoke TCPA consent?
Revocation happens through any reasonable means that clearly signals the consumer wants the contacts to stop. The FCC's 2015 ruling listed examples: telling a live agent during a call, mailing a letter, emailing the company, or replying STOP to a text [6]. The method doesn't have to match how consent was given in the first place.
For SMS, replying STOP (or STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT) triggers an industry-standard opt-out that carriers and messaging platforms honor automatically. Businesses have to process these replies immediately and stop sending. Texting someone after a STOP reply is one of the cleanest TCPA violations a plaintiff's lawyer will ever find.
For voice calls, a consumer saying "stop calling me" or "put me on your do not call list" during a live call is a valid revocation. The FCC's do-not-call rules give you up to 30 days to process the request, but you should stop right away. Failure to honor oral revocation has surfaced in several large settlements, including the UnitedHealthcare $2.5 million TCPA settlement.
The FCC clarified that companies can set up a "reasonable" opt-out mechanism and ask consumers to use it, but they can't require consumers to use only that mechanism [6]. If someone revokes through an unofficial channel, like a direct email to a rep, that revocation still counts.
How long does TCPA consent last?
The TCPA sets no expiration date on consent. There's no statutory 18-month rule or 12-month shelf life for written consent the way some state laws impose. In theory, consent given once stays valid until it's revoked or until the facts change enough that relying on it is no longer reasonable.
Consent goes stale two ways in practice. First, if a consumer's number gets reassigned to a new person, the original consent does not transfer to the new subscriber. The FCC built a safe harbor here: you can make one call or send one text to a reassigned number before liability attaches, as long as you had no knowledge of the reassignment [2]. Running a carrier lookup or the reassigned-number database before each campaign is the smart move.
Second, some courts and commentators argue that a long gap between consent and contact can make reliance unreasonable, especially if the relationship has changed. Nobody has put a firm number on this, and the case law is thin. Most compliance teams treat consent older than two to three years with extra caution and re-confirm rather than fight the question in court.
Keep records of when consent was obtained, through what channel, and using what disclosure language. If a lawsuit lands two years from now, you have to produce that proof. A screenshot of a webform won't cut it. You need a database record tied to the consumer's submission timestamp.
What is TCPA global consent, and does it exist?
"TCPA global consent" is not an official FCC term. It floats around industry conversations to describe the idea that one broadly worded opt-in could cover every future contact from a company and its affiliates. The short answer: it doesn't work that way.
Regulators keep trying to bar pooled or shared consent for marketing, and even where the formal one-to-one rule has been vacated in court, the underlying logic holds up in litigation. A company that wants to contact a consumer for marketing purposes wants its own direct consent from that consumer [2]. A consumer opting into one brand's emails is not consenting to calls from that brand's parent company, subsidiary, or marketing partners.
Some businesses use "global opt-out" language in the reverse direction, giving consumers one mechanism to opt out of all contact from the company and its brands at once. That's a reasonable practice, arguably what the spirit of the rules wants, but it's a separate question from how you obtain consent.
Running a multi-brand operation and want to reach consumers across brands? The safe path is separate, brand-specific consent forms with brand-specific disclosures. Hoping a single consent covers everything is how companies end up in TCPA class action settlements that cost millions.
How much can a TCPA violation actually cost?
The statute sets damages at $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones [1]. Each call or text is a separate violation. A campaign that sent 50,000 texts without proper consent faces potential exposure of $25 million at the negligent rate, or $75 million at the willful rate, before any class-action multiplier.
Courts have handed down eye-popping verdicts. Settlements are common even when the defendant thinks it has a defense, because litigation often costs more than the settlement. Real examples from the public record:
- Credit One Bank paid a reported $75 million to resolve TCPA claims over autodialed calls to consumers who hadn't given valid consent.
- Albertsons/Safeway reached a settlement over text message marketing claims.
- Truist Bank faced a class action over similar issues.
The pattern is almost always the same. Consent records were incomplete, consent language was ambiguous, or the company kept contacting people after they revoked. All preventable.
LeadCompliant's free consent checker can audit your opt-in flows before a plaintiff's lawyer does it for you. Checking now costs nothing. Finding out in discovery costs a lot.
What does a compliant TCPA consent flow look like in practice?
A compliant flow has five steps. Skip any one and you create risk.
First, present a clear, conspicuous disclosure immediately above or below the submit button. It names your company, describes the messages the consumer will get, states that consent isn't required for purchase, and includes opt-out instructions.
Second, require an affirmative opt-in action. A pre-checked box doesn't count. The consumer checks the box themselves, types their name, or takes some other deliberate step [2].
Third, capture and store the consent record. Save the timestamp, the IP address, the exact disclosure text shown, and the form version. If your disclosure changes, version-control it so you can prove which text a given consumer saw.
Fourth, honor opt-outs immediately. Build your opt-out logic before launch, not after. For SMS, register with your messaging provider's opt-out handling. For voice, log DNC requests and suppress them before the next dial cycle.
Fifth, scrub against the FCC's Reassigned Numbers Database before contacting numbers that have sat in your system for more than a few months [7]. It's a federal database the FCC maintains to track number reassignments, and using it is the only way to claim the safe harbor for reassigned-number mistakes.
Want a pre-built checklist for all of this? LeadCompliant's one-time compliance kit covers consent flows, disclosure templates, and opt-out procedures in one place.
What are the most common TCPA consent mistakes outbound teams make?
Assuming a business relationship equals consent. An existing customer relationship gives you leeway under the established business relationship (EBR) exemption for the national DNC list, but it does not satisfy the TCPA's prior express written consent requirement for autodialed marketing calls. Different rules, different parts of the law.
Buying lead lists and assuming consent transfers. When a lead aggregator calls a list "TCPA compliant," they mean the consumer consented to something on the aggregator's site. That consent probably doesn't name your company, and unnamed downstream consent is exactly what regulators and plaintiffs keep attacking [2]. Verify that the disclosure named your company, or get fresh consent.
Not confirming opt-out processing. Teams set up a STOP handler for SMS and never test it. A broken handler that fires a confirmation message and then keeps sending promotions is a textbook violation.
Failing to document consent at all. A verbal yes on a sales call is not written consent for future autodialed contacts. You need a signed or clicked record.
Ignoring state laws. California's CCPA/CPRA, Florida's mini-TCPA (the FTSA), and other state statutes can go stricter than the federal TCPA. A flow that passes federal muster can still fail under Florida law, which doesn't require an autodialer to trigger liability. For text messaging marketing especially, the state-law layer matters a lot.
Frequently asked questions
What are the TCPA requirements for texting customers?
For marketing texts sent via autodialer, you need prior express written consent: a signed agreement that identifies your company, describes the texts, and states consent is not a condition of purchase. For purely informational texts, prior express consent without the written requirement may suffice. Regulators have pushed hard against shared, unnamed consent, so obtain consent directly for your specific company rather than relying on a third-party lead generator.
Who regulates and implements the requirements of the TCPA?
The FCC is the primary regulator under 47 U.S.C. § 227, issuing implementing rules at 47 C.F.R. § 64.1200. The FTC overlaps through the Telemarketing Sales Rule and the National Do Not Call Registry. State attorneys general can also enforce the TCPA, and individual consumers can sue directly, which is why private class actions make up the bulk of TCPA litigation.
Can a consumer revoke TCPA consent after giving it?
Yes, always. The right to revoke is inherent under the TCPA and cannot be contractually waived. The FCC's 2015 Omnibus Declaratory Ruling confirmed that consumers may revoke through any reasonable means: texting STOP, telling a live agent, sending an email, or writing a letter. The method does not have to match how the original consent was given.
How long does TCPA consent last?
There is no statutory expiration date in the TCPA. Consent stays valid until revoked, or until the phone number is reassigned to a new person. Practically, most compliance teams treat consent older than two to three years with caution and prefer to re-confirm it. Always keep timestamped records of when consent was obtained so you can prove it in litigation.
What is a TCPA consent disclosure?
It is the specific written notice shown to a consumer at the moment of opt-in, explaining who will contact them, how, and for what purpose. It must state that consent is not required to make a purchase and include opt-out instructions. It must be clear, conspicuous, and placed immediately adjacent to the opt-in action. A buried or vague disclosure does not create valid TCPA consent.
Does an existing customer relationship count as TCPA consent?
No, not for autodialed marketing calls or texts. An established business relationship (EBR) can satisfy the national DNC list rules under FTC regulations, but it does not meet the TCPA's prior express written consent standard for autodialed or prerecorded marketing communications. You still need a signed consent record even for current customers.
What is TCPA global consent?
It is not an official FCC concept. The idea that one broad opt-in can cover all future contacts from a company and its affiliates does not hold up under FCC rules. Each company contacting a consumer for marketing purposes wants its own direct consent, and regulators keep targeting shared, unnamed opt-ins. Multi-brand organizations should use brand-specific consent forms.
How do I document TCPA consent so it holds up in court?
Store the consumer's IP address, the submission timestamp, the exact disclosure text shown (version-controlled), and the phone number submitted. A screenshot of your webform is not enough; you need a database record tied to that specific consumer's session. Courts routinely demand this level of detail in discovery, and the burden of proving consent is on the company, not the plaintiff.
What happens if I call a reassigned phone number?
You are exposed to TCPA liability even if you had valid consent from the prior owner. The FCC offers a one-call safe harbor if you had no actual knowledge of the reassignment. To claim it reliably, scrub your list against the FCC's Reassigned Numbers Database before each campaign. Consent from the prior subscriber does not transfer to the new one.
Can a lead generation company sell me TCPA-compliant consent?
Be careful here. Consent obtained on a third-party lead-gen website is strongest for you only when it identifies your specific company by name. Generic consent shared across many buyers is the weakest kind and the exact target of regulators and plaintiffs' firms. Verify the actual disclosure language before buying any lead list that claims TCPA compliance.
What does TCPA regulate beyond phone calls?
The TCPA covers autodialed and prerecorded calls to mobile numbers, prerecorded calls to residential landlines, text messages sent by automated systems, and unsolicited fax advertisements. It does not cover purely manual calls made without autodialing equipment, though the FTC's Telemarketing Sales Rule and state laws can cover those in different contexts.
How much can a TCPA violation cost per text or call?
The statute sets $500 per violation for unintentional violations and $1,500 per violation for willful or knowing violations, with no cap on class actions. A campaign of 10,000 texts without valid consent carries potential exposure of $5 million to $15 million before any negotiation. Courts have discretion to reduce awards, but plaintiffs' firms take these cases on contingency, making even weak cases expensive to defend.
Is a pre-checked opt-in box valid TCPA consent?
No. The FCC requires an affirmative act by the consumer. A pre-checked box the consumer did not actively check does not satisfy the prior express written consent standard. The consumer must take a deliberate, voluntary action such as checking an unchecked box, typing their name, or clicking a clearly labeled consent button.
Do state laws add requirements on top of federal TCPA consent rules?
Yes, significantly. Florida's Telephone Solicitation Act (FTSA) does not require an autodialer to trigger liability, covering broader automated systems. California's laws add data-privacy dimensions through the CCPA. Other states have their own versions. A consent flow that meets federal TCPA standards may still fail under state law, so layer state requirements on top of the federal baseline.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: The TCPA imposes $500 per violation ($1,500 for willful) and requires prior express consent for autodialed calls and texts
- Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court narrowed the ATDS definition to systems using a random or sequential number generator
- Federal Trade Commission, National Do Not Call Registry: FTC administers the National Do Not Call Registry and enforces the Telemarketing Sales Rule alongside the TCPA
- U.S. Court of Appeals, 3rd Circuit, Gager v. Dell Financial Services, LLC, 727 F.3d 265 (2013): The 3rd Circuit confirmed consumers have the right to revoke TCPA consent at any time
- FCC, Reassigned Numbers Database: The FCC maintains the Reassigned Numbers Database; callers who consult it before dialing can claim a safe harbor for one contact to a reassigned number
- Consumer Financial Protection Bureau, Telephone Consumer Protection Act overview: CFPB outlines TCPA requirements applicable to financial services companies including consent standards
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: The FTC's Telemarketing Sales Rule governs telemarketing practices and intersects with TCPA consent requirements
- Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200: The FCC's TCPA implementing regulations, including prior express written consent definitions, are codified at 47 C.F.R. § 64.1200