Last updated 2026-07-10

TL;DR
A TCPA disclosure is the written consent notice you must show a consumer before calling or texting them with an autodialer or prerecorded message. It must name the seller, describe the message types, state that consent is not required to buy, and get an affirmative opt-in. Missing any element exposes you to $500 to $1,500 per violation under 47 U.S.C. § 227.
What is a TCPA disclosure and why does it exist?
A TCPA disclosure is the consent notice a business shows a consumer before contacting them with an automatic telephone dialing system (ATDS), an artificial or prerecorded voice, or an automated marketing text. It is your proof, if you ever get sued, that the person actually agreed. Without a written record of that agreement, you are running on hope.
The Telephone Consumer Protection Act (47 U.S.C. § 227) passed in 1991 to stop the flood of unsolicited telemarketing calls hitting home phones across the country [1]. Congress handed the FCC authority to write the rules. Those rules now live at 47 C.F.R. § 64.1200, and that is where the disclosure requirements sit [2].
The stakes are real. Each call or text made without proper consent carries a statutory penalty of $500, trebled to $1,500 when a court finds the violation was willful [1]. Class actions are common because the math scales fast. Ten thousand improperly texted consumers times $1,500 per message equals $15 million in exposure before you pay a single lawyer. The UnitedHealthcare $2.5M settlement and the Credit One TCPA settlement both trace back, at least in part, to consent documentation failures.
The FCC tightened things hard with its 2012 order (FCC 12-21). That order added the requirement for prior express written consent for telemarketing calls and texts made with an ATDS [3]. That single shift turned sloppy web forms into litigation magnets.
What are the exact TCPA disclosure requirements the FCC mandates?
The FCC's rules spell out what "prior express written consent" means. Under 47 C.F.R. § 64.1200(f), the agreement must be a written agreement (including electronic acceptance) that clearly and conspicuously authorizes the seller to deliver, or cause to be delivered, advertisements or telemarketing messages using an ATDS or an artificial or prerecorded voice [2].
The statute and the FCC's rules together require these elements in or alongside the disclosure:
1. Clear and conspicuous disclosure. The consent language cannot hide in a terms-of-service block or sit in 6-point gray text on a white background. Courts keep rejecting consent obtained through dark patterns.
2. Seller identification. The disclosure must name the specific seller (or sellers) who will make contact. The FCC's one-to-one consent rule sharpened this. A single consent cannot authorize calls from an unlimited list of companies [4].
3. Description of message types and methods. The consumer has to know they are agreeing to calls and/or texts, whether those contacts use an autodialer, and roughly what content to expect (promotions, account alerts, appointment reminders, and so on).
4. Statement that consent is not a condition of purchase. The FCC rule requires this language outright. Word it plainly: "You are not required to consent to receive these messages in order to make a purchase."
5. An affirmative act. The consumer must do something that clearly signals agreement. Pre-checked boxes fail. Silence fails. The person has to check a box, sign a form, or reply to a confirmation message.
6. A clear statement that they will receive autodialed and/or prerecorded calls or texts. Vague language like "we may contact you" does not cut it when an ATDS is in play.
The FCC's July 2015 declaratory ruling (FCC 15-72) added clarity on what counts as an ATDS and when you must honor revocation of consent [5]. If a consumer tells you to stop, by any reasonable means, you stop. Contacting them after revocation is a separate violation.
What does compliant TCPA consent language actually look like?
Lawyers argue over exact wording, but the FCC's rule text gives you a reliable skeleton. Here is what a compliant disclosure on a web lead form might read:
"By submitting this form, I authorize [Company Name] to contact me at the phone number provided using automated telephone dialing systems, prerecorded messages, or text messages for marketing purposes. I understand that my consent is not a condition of purchasing any goods or services. Message and data rates may apply. I may opt out at any time by replying STOP."
Break that down against the checklist. Company named: yes. ATDS and prerecorded voice mentioned: yes. Text messages mentioned: yes. Marketing purpose disclosed: yes. No-purchase-required statement: yes. Opt-out instruction: yes. Affirmative act (clicking submit or checking a box): required at the form level.
Here are the practical points most teams get wrong. The disclosure has to sit right next to the signature or checkbox, not on a separate page reached through a footnote. The FCC uses the phrase "clear and conspicuous," and courts read that as meaning a reasonable consumer would actually see and understand it before opting in. The phone number on the consent form should match the number you dial. And you should timestamp and store the exact disclosure text the consumer saw, more than the fact that they checked a box. Consent language changes over time, and in litigation you need to prove which specific words appeared on the specific date the consumer opted in.
For SMS, a double opt-in confirmation text (where the consumer replies YES to confirm) is not required by law but builds a strong paper trail. Many text message marketing platforms build this in by default, and the minor friction is worth it.
How did the FCC's 2024 one-to-one consent rule change disclosures?
The FCC adopted this rule change in December 2023, with an effective date of January 27, 2025, aimed squarely at the lead generation ecosystem [4]. Before the rule, a single consent form could bundle consent for calls from dozens of unrelated companies. A consumer checked one box on a comparison-shopping site and suddenly got calls from 15 insurance carriers.
Under the new rule, prior express written consent must be obtained separately for each seller. The FCC's order requires that the consent be "logically and topically" related to the website where it is obtained. A home insurance comparison site cannot bundle consent for auto loans in the same click.
For outbound teams who buy leads from aggregators, this rule bites. If your lead vendor collected consent on a general-purpose form that named 30 companies, that consent is not valid for your calls. You need to confirm the consent form named you specifically, or named a category narrow enough that your contact is logically related, or find another way to establish consent before dialing.
The FCC also reinforced in this order that prior express written consent for marketing calls and texts cannot be a condition of any purchase. That language has been in the rules since 2012, but enforcement focus has sharpened.
If your team buys lists or leads, read the Albertsons Safeway TCPA settlement. It shows how consent chain failures, where one party collects consent and another relies on it, turn into defendant liability.
What is the difference between express consent and prior express written consent?
TCPA uses three different consent standards depending on the type of call, and mixing them up is a common source of gaps. Any marketing by autodialer or text needs prior express written consent. Oral consent is not enough for that category.
| Call/Text Type | Consent Standard Required | Written Record Required? |
|---|---|---|
| Emergency calls (power outage alerts, fraud alerts with no marketing) | No consent required | N/A |
| Informational calls (non-marketing, autodialed) to wireless numbers | Express oral or written consent | Not required by rule, but advisable |
| Telemarketing calls/texts with ATDS or prerecorded voice | Prior express WRITTEN consent | Yes [2] |
| Calls to residential landlines using prerecorded voice | Prior express consent (written or oral) | Not required by rule |
The table shows the practical hierarchy. Marketing by autodialer or text sits at the top and demands written consent, period.
Teams stumble on the informational versus marketing line. A text that says "Your appointment is tomorrow at 3pm" is informational. A text that says "Your appointment is tomorrow, and by the way we have a promotion this week" has crossed into marketing and now needs the higher consent standard. Courts and the FCC look at the content of the message, not the intent of the sender.
How should you store and document TCPA consent records?
Storing a checkbox click is not documentation. Documentation is the evidence package you would hand an attorney if a plaintiff's lawyer sent you a demand letter tomorrow.
At minimum, your consent records should include the date and timestamp of consent, the IP address of the submission, the exact disclosure text the consumer saw (not a version number, the actual text), the phone number that was consented to, and the source URL of the form. If you use a CRM or marketing platform, confirm it stores all of these fields, more than a boolean "consented: true".
Retention matters too. The TCPA has a four-year statute of limitations under 28 U.S.C. § 1658 for federal claims, though some plaintiffs argue state law provides longer periods in certain jurisdictions [6]. Keep consent records for at least five years. Some larger companies go to seven.
If you change your disclosure language, do not overwrite old records. Version your consent forms so you can prove exactly what a consumer who opted in two years ago agreed to. This feels like extra work until you are in discovery and opposing counsel asks you to produce the consent record for one specific consumer.
LeadCompliant's compliance kit includes consent record templates and a storage checklist built around these documentation standards, which helps if you are building this from scratch rather than retrofitting an existing CRM.
For teams buying third-party leads, you also need the consent documentation from the lead vendor. A contractual promise that they collected valid consent means nothing if the underlying record does not exist. Get the actual record.
Does a TCPA disclosure need to be different for text messages versus phone calls?
The underlying consent standard (prior express written consent for marketing) is the same for both. The practical disclosure language, though, benefits from a few text-specific additions.
For SMS programs, industry practice and the CTIA's messaging guidelines (which carriers enforce) recommend including the program name or short description, message frequency (even if approximate, like "recurring messages, up to X per month"), a data rates disclosure ("Message and data rates may apply"), opt-out instructions ("Reply STOP to cancel"), and help instructions ("Reply HELP for help") [7].
The CTIA guidelines are not law, but carriers can reject or block your SMS traffic if you ignore them, so they work as a hard constraint no matter what TCPA says.
For calls, the disclosure does not need the frequency or data rate language, but it should still include the seller name, the ATDS disclosure, the prerecorded voice disclosure if applicable, and the no-purchase-required statement.
One nuance. If you send texts under an SMS marketing program, the initial confirmation message after someone opts in should itself carry the program name, opt-out and help keywords, and messaging frequency. That confirmation text is more than courtesy. It is documentation that the consumer received notice of what they signed up for.
For a deeper look at building compliant SMS programs from the ground up, the text messaging marketing guide covers the full setup.
What happens when a consumer revokes TCPA consent?
Revocation is its own compliance problem. The FCC's 2015 declaratory ruling held that a consumer can revoke consent at any time through any reasonable means [5]. That covers a verbal request on a call, a reply of STOP to a text, an email, a letter, even a note your support agent jots down during a service call.
The FCC finalized updated revocation rules in 2024, effective April 11, 2025, that require companies to honor opt-out requests within ten business days and bar any message after revocation except a single confirmation that the opt-out was processed [8]. That confirmation message must carry no marketing content.
The operational challenge is that revocation signals arrive through many channels and need to reach your dialing system before the next campaign run. A consumer calls your support line to opt out on Monday. Your outbound system fires a marketing text on Wednesday because the opt-out never propagated to the suppression list. That is a fresh violation.
Build your suppression list update process so any opt-out, from any source, updates the master suppression record within 24 hours at the outside. Most TCPA suits involving revocation fail not because the company ignored the opt-out maliciously, but because the internal process was too slow or too siloed.
Stopping unwanted calls is something consumers ask about constantly. The how to stop robocalls resource explains the consumer side, which is useful context when you build a complaint-handling workflow.
Can you use a pre-existing business relationship instead of written consent?
No. For marketing calls and texts made with an ATDS, the pre-existing business relationship (EBR) exemption does not apply. The FCC killed EBR as a basis for autodialed telemarketing calls to wireless phones in its 2012 order (FCC 12-21) [3].
EBR still matters for calls to residential landlines using prerecorded messages, where FCC rules allow a window of 18 months from the most recent transaction or 3 months from an inquiry without requiring additional express consent. But most outbound teams today are dialing cell phones, where that exemption is gone.
Here is the practical takeaway. Do not assume that because someone is an existing customer you can autodial or text them promotional content without written consent. You have to collect it. Companies find this gap when they try to run a winback campaign to lapsed customers and realize they have no written consent records, because those customers predate the 2012 rule change.
What real TCPA lawsuits show about disclosure failures?
Actual settlements give you better intuition for what courts care about than any abstract rule summary.
The Cash App TCPA class action settlement involved allegations that Cash App sent text messages without adequate prior express written consent. The case settled for several million dollars across a class of consumers who alleged they received texts they had not properly authorized.
The Truist Bank TCPA class action settlement similarly involved allegedly improper autodialed calls, with the bank facing class-wide exposure because consent documentation across a large customer base was inconsistent.
The Kaiser TCPA settlement is another example of a large organization with heavy call volume finding that its consent collection practices did not survive scrutiny at scale.
A pattern runs through these cases. The companies were not rogue actors deliberately calling people who had refused. Most had some form of consent collection process. The failures were in the specificity of the disclosure language, the documentation of consent records, or the propagation of revocation requests. That is the real lesson. You can have a consent checkbox and still lose a TCPA suit if the consent language was legally insufficient.
Statutory damages under 47 U.S.C. § 227(b)(3) are $500 per violation, or $1,500 if the violation is willful or knowing [1]. With a class of 100,000 consumers and $1,500 per text, the exposure ceiling is $150 million. That number almost always gets negotiated down, but it drives settlement values into the millions.
How do you audit your current TCPA disclosures for compliance gaps?
Start with your active web forms, landing pages, and co-registration flows. Pull the exact consent language from each one. Then run it against this checklist:
- Does it name your company specifically?
- Does it mention autodialer and/or prerecorded voice?
- Does it mention text messages if you send texts?
- Does it describe the type of content the consumer will receive?
- Does it include the no-purchase-required statement?
- Is it visually next to the opt-in mechanism (not linked to a separate page)?
- Is it set in readable font and contrast?
- Does the opt-in mechanism require an affirmative act (not pre-checked)?
- Are the consent timestamp and disclosure text being stored?
- Under the one-to-one consent rule: is your company named individually, not grouped with a generic list?
For your inbound consent flows (verbal consent from live calls), review your call scripts and confirm agents read the required disclosure before obtaining consent. Verbal consent still has to cover the same substantive elements, even though it does not meet the written standard for autodialed marketing calls.
For lead purchases, request the consent form and a sample consent record from each vendor before you load those contacts into your dialer. This feels like friction until it saves you from a class action.
LeadCompliant's free compliance kit includes an editable TCPA disclosure audit checklist built around the current FCC rules. Use it to document your review and give yourself a defensible record that you performed due diligence.
Check your state law layer too. Several states, including Florida and Oklahoma, have their own mini-TCPA statutes with tighter standards or broader definitions of what counts as an autodialer [9]. State law can create liability even when federal TCPA is satisfied.
Are there TCPA disclosure requirements for B2B calls?
TCPA does apply to calls to business phone numbers, but the analysis gets more complicated. Calls to numbers listed in a business directory for business purposes, using only human agents with no ATDS, generally do not trigger the main TCPA autodialer restrictions. The moment you use an ATDS or a prerecorded message to call a business phone number, TCPA applies.
The bigger B2B trap is cell phones. Many business contacts give out cell numbers as their primary line. Cell phones are wireless numbers. TCPA's protections for wireless numbers apply regardless of whether the phone owner is acting in a personal or business capacity. If you autodial a sales manager's cell phone to pitch your product, TCPA applies even though the contact is commercial.
For B2B outbound using predictive dialers or power dialers that make multiple connections automatically, get competent legal advice on whether your specific system counts as an ATDS. The definition of ATDS has been litigated heavily. The Supreme Court's 2021 Facebook v. Duguid decision [10] narrowed the definition, holding that a device must use a random or sequential number generator to qualify, but the boundary is still contested in the lower courts. Do not assume predictive dialers are safe simply because Facebook v. Duguid came out the way it did.
For B2B SMS, the same analysis applies. If you use an automated system to text business contacts on their cell phones, you need written consent.
Frequently asked questions
What must a TCPA disclosure include to be legally valid?
A valid TCPA disclosure for marketing calls or texts must clearly name the company making contact, state that an autodialer and/or prerecorded messages will be used, describe the type of messages, include a statement that consent is not required to make a purchase, and require an affirmative opt-in action. All of this must be clearly visible to the consumer before they agree.
Does TCPA consent need to be in writing?
For marketing calls or texts made using an automatic telephone dialing system or prerecorded voice, yes. The FCC's 2012 order (FCC 12-21) requires prior express written consent for this category. Written consent includes electronic acceptance, such as checking a web form box, but oral consent alone is not sufficient for autodialed marketing contacts to wireless numbers.
Can a pre-checked checkbox satisfy TCPA consent requirements?
No. The FCC requires an affirmative act from the consumer. A pre-checked box is not an affirmative act because the consumer did not actually do anything to indicate agreement. Courts have rejected pre-checked consent forms. The consumer must take a deliberate action, such as checking a box themselves or clicking a clearly labeled agree button.
How long do you need to keep TCPA consent records?
The federal TCPA statute of limitations is four years under 28 U.S.C. § 1658. Best practice is to retain consent records for five years minimum, with some larger organizations going to seven years. Records should include the timestamp, IP address, phone number, and the exact disclosure text the consumer saw at the time of consent, more than a flag indicating consent was given.
What is the FCC's one-to-one consent rule and when does it take effect?
The FCC adopted a rule in December 2023, effective January 27, 2025, requiring that prior express written consent for marketing calls and texts be obtained separately for each individual seller. A single consent form can no longer authorize contacts from multiple unrelated companies. Lead buyers should verify that vendor consent forms name their company specifically before dialing purchased leads.
What is the penalty for violating TCPA disclosure requirements?
TCPA provides for statutory damages of $500 per violation. If a court finds the violation was willful or knowing, damages increase to $1,500 per violation under 47 U.S.C. § 227(b)(3). Because each call or text is a separate violation, class actions against companies with large call volumes can produce exposure in the tens of millions of dollars before attorney fees.
Does TCPA apply to text messages the same way it applies to calls?
Yes. The FCC confirmed in 2003 that the TCPA applies to SMS text messages. The same prior express written consent standard required for autodialed marketing calls applies to automated marketing texts. CTIA carrier guidelines also impose SMS-specific requirements like opt-out instructions and message frequency disclosures, which carriers enforce independently of the FCC.
How quickly must a company honor a TCPA opt-out request?
Under FCC rules finalized in 2024 and effective April 11, 2025, companies must honor revocation requests within ten business days. After revocation, the only permitted outbound contact is a single confirmation message, which must contain no marketing content. Revocation requests made by any reasonable means, including verbal requests, emails, or STOP replies, must be honored.
Does having an existing customer relationship allow you to skip TCPA consent?
Not for autodialed or prerecorded marketing calls to cell phones. The FCC eliminated the pre-existing business relationship exemption for this category in its 2012 order. Existing customers can still be contacted by live agents without ATDS on cell phones without consent, but any automated marketing contact requires prior express written consent regardless of the customer relationship.
Are B2B calls covered by TCPA disclosure requirements?
Partly. Calls to business landlines from live agents without ATDS generally fall outside the main TCPA autodialer rules. However, if you are using an autodialer or prerecorded message, or if you are calling a business contact's cell phone, TCPA applies. The nature of the equipment and the type of number dialed matter more than whether the contact is commercial or personal.
What does 'clear and conspicuous' mean for TCPA disclosures?
The FCC and courts require that consent language be presented so a reasonable consumer would actually see and understand it before opting in. Disclosure buried in a linked terms page, set in very small or low-contrast text, or placed below the submit button has been found insufficient in litigation. The disclosure should be adjacent to the opt-in mechanism and readable without additional clicks.
Can you buy leads and use the seller's TCPA consent for your calls?
Only if the original consent form named your company specifically and the lead was generated in a context logically related to your offer. Under the FCC's 2025 one-to-one consent rule, bundled consents naming multiple companies are invalid. You should obtain the actual consent record from the vendor and verify the disclosure language before dialing. A contractual warranty from the vendor alone is not a complete defense.
Do state laws add TCPA disclosure requirements beyond federal rules?
Yes, in several states. Florida's Telephone Solicitation Act and Oklahoma's law both have provisions that can be stricter than federal TCPA or cover scenarios federal law does not. Some states have broader definitions of auto-dialing technology or shorter opt-out windows. Running a compliant federal TCPA program does not guarantee compliance with every state where your consumers are located.
What records should be stored alongside a TCPA consent form submission?
Store the exact disclosure text shown to the consumer (not a version reference, the actual language), the date and time of consent, the consumer's IP address, the phone number consented to, and the URL of the page where consent was collected. If consent language changes over time, version the records so you can reconstruct exactly what a specific consumer saw on a specific date.
Sources
- U.S. House of Representatives, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA provides statutory damages of $500 per violation, trebled to $1,500 for willful or knowing violations, per 47 U.S.C. § 227(b)(3)
- FCC, 47 C.F.R. § 64.1200 (Code of Federal Regulations, Telecommunications): Prior express written consent definition and requirements, including seller identification, ATDS disclosure, and no-purchase-required statement
- FCC, In re Rules and Regulations Implementing the TCPA, Report and Order FCC 12-21 (February 2012): FCC 2012 order requiring prior express written consent for autodialed or prerecorded marketing calls to wireless numbers and eliminating the pre-existing business relationship exemption for this category
- FCC, Report and Order FCC 23-107 (December 2023, one-to-one consent rule): FCC one-to-one consent rule requiring consent to name each seller individually, effective January 27, 2025
- FCC, Declaratory Ruling and Order FCC 15-72 (July 2015): FCC 2015 ruling holding that consumers may revoke consent at any time through any reasonable means
- Cornell Law School Legal Information Institute, 28 U.S.C. § 1658: Four-year federal statute of limitations applicable to TCPA claims
- FCC, Report and Order FCC 24-24 (2024, consent revocation rules): FCC 2024 order requiring revocation of consent to be honored within ten business days and limiting post-revocation contacts to a single confirmation message, effective April 11, 2025
- Florida Legislature, Florida Telephone Solicitation Act, § 501.059 Fla. Stat.: Florida's mini-TCPA statute imposes state-level requirements on telephone solicitations that can exceed federal TCPA standards
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the ATDS definition in 2021, holding that a device must use a random or sequential number generator to qualify, but lower court litigation over ATDS scope continues
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC Telemarketing Sales Rule overlaps with TCPA and includes its own consent and disclosure requirements for telemarketing calls