TCPA express written consent: the complete guide for 2025

TCPA prior express written consent requires a signed agreement, clear disclosure, and no bundled consent. Violations cost $500, $1,500 per text or call. Here's exactly what you need.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-10

Hand over a paper consent form on a desk illustrating TCPA written consent
Hand over a paper consent form on a desk illustrating TCPA written consent

TL;DR

TCPA prior express written consent means a consumer signed something, in writing, that clearly authorizes autodialed or prerecorded marketing calls and texts to their number. The agreement must name your company, state they are not required to consent as a condition of purchase, and survive audit. Miss any element and you are exposed to $500, $1,500 per message in statutory damages.

TCPA prior express written consent is a signed, written agreement that clearly authorizes a named seller to send autodialed or prerecorded marketing calls and texts to a specific number. It is the highest of the three consent tiers under the Telephone Consumer Protection Act, and it is what the law demands before marketing hits a cell phone.

The statute lives at 47 U.S.C. § 227. [1] The FCC wrote the working definition into 47 C.F.R. § 64.1200(f)(9): "The term prior express written consent means an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice." [2]

Four things have to be true at once. The agreement is in writing. It bears a signature (electronic is fine under the E-SIGN Act). It clearly authorizes the specific seller. And it tells the consumer they are not required to agree as a condition of buying anything. Skip one and the consent is legally worthless.

This is not the same as "express consent," the lower bar for non-marketing informational calls, and it is not implied consent. The written requirement attaches to marketing and promotional content sent by autodialer or prerecorded voice. A one-time password or a delivery notification may ride under a different standard. This article stays in the marketing lane, because that is where the lawsuits come from.

A valid TCPA consent form names your specific company, states the consumer agrees to autodialed or prerecorded calls and texts, confirms the number being authorized, says consent is not a condition of purchase, and carries the consumer's signature. Miss any one and courts routinely toss the whole record. Vague or buried language rarely survives discovery.

Here are the required elements, pulled from 47 C.F.R. § 64.1200(f)(9) and FCC guidance [2]:

ElementWhat it must sayCommon failure mode
Clear authorizationThat the signer agrees to receive autodialed or prerecorded calls/textsGeneric "contact me" checkbox
Seller identityThe specific company name, more than a product or brandLead-gen form names a "partner network" only
Number being calledThe telephone number being authorizedNo field to confirm number
Not a condition of purchaseBuying is not contingent on consentLanguage buried in fine print below submit button
SignatureConsumer's electronic or ink signaturePre-checked checkbox (courts split on this)

The "not a condition of purchase" line is the one most teams miss. It has to be conspicuous, meaning visible right next to the consent language, not tucked into footer legalese. Courts have thrown out consent records because the phrase only lived in a privacy policy the consumer never opened. [2]

Electronic signatures are valid under 15 U.S.C. § 7001, the E-SIGN Act. [14] A checked box, a typed name, a "Reply YES" text: all count. Pre-checked boxes are riskier. Some courts accept them, others say a pre-check shows no affirmative action by the consumer. The safer play is making the consumer take a distinct step.

One more practical point. Consent has to come before you contact the person. Bolting a checkbox onto a form after someone already handed over their number does nothing.

The consent tier is identical. Autodialed or prerecorded marketing texts and calls to a cell phone both require prior express written consent. The FCC has treated a text message as a "call" under the TCPA for years. [1]

The difference shows up in how you capture consent. You cannot text someone to ask permission to text them. The first contact has to run through a channel the person already engaged with: a web form, a paper form, or an inbound text the consumer started.

The FCC's one-to-one consent rule, adopted in its December 2023 order and originally set for January 27, 2025, would have required consent for each seller separately instead of one broad lead-gen checkbox covering dozens of companies. [4] That rule got vacated before it took effect (more on that below). Check current FCC guidance before you build anything around it, because the status has moved more than once.

Peer-to-peer texting, where a human manually composes and sends each message, sits in a gray zone. The autodialer provision may not reach true P2P. Do not assume your platform qualifies. Courts look at whether a system has the capacity to autodial, more than whether you used that capacity on a given campaign. [5]

That is why text message marketing is its own operational headache. The consent flow, the opt-out mechanism, and the recordkeeping are all text-specific.

TCPA express written consent: key numbers Statutory damages, limitations period, and consent elements at a glance 500 Per-violation damages (negl… 1,500 Per-violation damages (will… 4 Statute of limitations (yea… 5 Required consent elements u… 47 C.F.R. § 64.1200(f)(9) Source: 47 U.S.C. § 227; 47 C.F.R. § 64.1200; 28 U.S.C. § 1658

Is the TCPA applicable without an autodialer?

Yes, in part. The autodialer restriction is only one provision. Prerecorded and artificial-voice calls to cell phones are covered no matter what dials them, so a ringless voicemail drop or any prerecorded marketing message still needs prior express written consent. "No autodialer" removes one theory, not your whole risk.

This question exploded after the Supreme Court's 2021 decision in Facebook, Inc. v. Duguid. [5] The Court held that an automatic telephone dialing system must have the capacity to produce numbers using a random or sequential number generator, more than the ability to store and dial from a list. So a platform that only dials a fixed uploaded list, and cannot generate numbers, may fall outside the ATDS definition in some courts.

The prerecorded-voice teeth stay sharp. 47 U.S.C. § 227(b)(1)(A)(iii) covers prerecorded or artificial voice calls to cell phones regardless of any autodialer. [1] Marketing content over a prerecorded voice needs written consent even when no autodialer touches the campaign.

State law piles on. Florida's Telephone Solicitation Act, for one, covers live calls to numbers on the Florida Do Not Call list with no autodialer trigger at all.

So run everything through a full analysis before you assume you are clear. Teams that think they beat the statute by ditching autodialers tend to learn otherwise in discovery. The UnitedHealthcare $2.5M TCPA settlement and the Truist Bank class action show how broadly plaintiffs' counsel reads the statute.

What are the TCPA penalties for missing prior express written consent?

The TCPA sets damages at $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations. [1] Every text and every call is a separate violation. A 10,000-person SMS blast without proper consent is not a $5,000 problem. It is $5,000,000 to $15,000,000 in exposure before any fee shifting.

Class actions are the real threat. The TCPA is one of the most litigated consumer statutes in the country, and the plaintiffs' bar runs efficient factory operations around it. Class certification under Rule 23 is often easy to meet, because a broken consent flow tends to fail the same way across every contact.

Recent settlements show the range:

CompanySettlement amountCore allegation
Credit One Bank$9.25 millionAutodialed calls without consent [6]
Kaiser PermanenteVaried by classMarketing calls/texts issues [7]
Albertsons/SafewaySettlement reachedSMS marketing consent gaps [8]
Cash AppClass action filedAlleged TCPA violations [9]

The FTC and state attorneys general can pursue enforcement on their own, separate from private plaintiffs, and FCC forfeiture orders can run into the millions.

One argument that does not help: "we didn't know." Willfulness under the TCPA does not require that you knew the specific rule you broke. Courts have found willfulness when a company kept calling after a consumer revoked consent, which bumps every later call to the $1,500 tier.

How do you actually capture and document TCPA prior express written consent?

Consent is only as good as the record you can hand a judge. "We're pretty sure they agreed" is not a defense. Log the timestamp, IP address, form URL, phone number, and the exact consent language the consumer saw, and keep it for at least four years.

For web forms, put the consent block directly above or next to the phone number field, never below the submit button. Keep the language plain: "By providing your phone number and clicking Submit, you agree that [Company Name] may contact you at the number provided using autodialed or prerecorded calls and text messages for marketing purposes. Consent is not a condition of any purchase." Then capture the metadata around that agreement.

For inbound SMS opt-ins, the consumer texts a keyword to your short code. Your reply has to include your company name, a description of the messages they will get, message frequency, "Msg & data rates may apply," and opt-out instructions (STOP to cancel). The CTIA's Messaging Principles and Best Practices back this structure. [10]

For lead-gen forms on third-party sites, the consent still has to name your company. Blanket consent to "our marketing partners" fails the standard cold. This is where outbound teams get burned: they buy leads from a vendor whose opt-in language never once mentioned them. You cannot borrow the vendor's consent. Verify the exact disclosure language before you dial or text anyone from a bought list.

Store the evidence. At minimum: the signed record (or a screenshot of the form state), the timestamp, the phone number, the IP address, and the consent text. Four years matches the TCPA limitations period in most jurisdictions.

LeadCompliant's compliance kit includes a consent language template and a documentation checklist mapped to these requirements. Tools like that save you time on audit prep. They do not replace legal review of your actual flows.

A valid TCPA signature is any affirmative electronic or ink mark the consumer actively makes: a checkbox they clicked, a typed name, a "Reply YES" text, or a click-to-sign step. The E-SIGN Act (15 U.S.C. § 7001) makes electronic signatures fully valid, so ink on paper is optional. [14]

What courts want is a step the consumer took on purpose. A checked checkbox counts. A typed name in a signature field counts. A keyword confirmation by text counts.

Pre-checked boxes stay contested. The FCC's 2012 order did not ban them outright, but several district courts have held that a pre-checked box shows no affirmative agreement, and the Ninth Circuit has been especially cold on pre-checked consent. Building new forms? Require an active check.

Voice recordings can document verbal consent, but verbal consent alone does not clear the written bar for marketing calls and texts. Some teams record verbal consent as a backup layer, with a confirmation number, then send a written confirmation. That adds documentation. It does not turn verbal consent into written consent.

Watch third-party consent. A number a spouse, family member, or colleague hands over is not consent from the actual subscriber. Courts hold that consent has to come from the subscriber or the customary user of the number.

Yes. A consumer can revoke consent at any time, through any reasonable means. The Supreme Court's decision in Barr v. American Association of Political Consultants (2020) confirmed the TCPA framework, and FCC guidance has long held that revocation sticks. [11] Once someone opts out, keep contacting them and you are into willful-violation territory at $1,500 per message.

The FCC's 2015 ruling made clear that revocation has to be honored even through a method you never officially designated. Someone calls your sales line and says "stop texting me," that counts. They email you, that counts. Brushing it off because "they didn't text STOP" is exactly the behavior courts label willful.

Operationally, revocation is where small teams break. You need a process that pulls opt-outs from any channel into your suppression list within 24 hours. Longer than that is real risk. For SMS, STOP and STOPALL have to work instantly and fire a confirmation message. For call campaigns, a Do Not Call request must be honored within 30 days under the FTC's Telemarketing Sales Rule, though faster is better. [12]

For the consumer side of this, our guide on how to stop robocalls covers what people can do to block calls, which is useful context for what regulators expect from you on the business side.

The FCC's December 2023 order required prior express written consent on a one-to-one basis: one consent, one seller. [4] Before it, lead generators used a single checkbox to authorize contact from dozens of "partner" companies at once. The FCC called that practice a main driver of unwanted robocalls and robotexts. The rule was then vacated in January 2025 before it took effect, so its practical status is contested.

The rule would have also required the subject of the consent to be "logically and topically" related to the site or context where consent was captured. A home improvement site could not have harvested consent for insurance marketing.

The original effective date was January 27, 2025. The Eleventh Circuit vacated the rule in Insurance Marketing Coalition v. FCC in January 2025, finding the FCC exceeded its statutory authority on at least part of the order. [13] Check current FCC orders before building your consent flows around or against it.

What did not change: the underlying statutory requirement for prior express written consent under 47 U.S.C. § 227 stands. Even with the one-to-one rule gone, consent that names "our partner network" instead of your company has always been weak. Treat specificity of seller identification as non-negotiable no matter where the rule lands.

Follow TCPA news to track how this shakes out, because the FCC has signaled it wants similar protections through other rulemaking paths.

The TCPA protects residential telephone subscribers and wireless subscribers. Calls to a business's main landline generally do not trigger the prior express written consent requirement under the autodialer provision. But the exception is narrower than most B2B sales teams think, and it disappears the moment you dial a cell phone.

Text or call a cell phone and the consent requirement applies, even if the person uses that phone for work. The subscriber is the individual, not the employer. Grab a direct cell number off a business card at a trade show and you are calling a cell phone, so the TCPA applies. [1]

The FCC has not carved out a broad B2B exemption for mobile numbers. Some courts have found implied consent when a person hands over their cell in a commercial setting, like a business card exchange. Implied consent is not written consent, and it is far weaker cover against a TCPA claim.

For true business-to-business outbound, where you are calling a company's published office line, the autodialer written-consent rule generally does not apply. The residential or wireless nature of the number is what triggers the heightened standard.

Verify what kind of number you are dialing. Number lookup tools flag wireless versus landline, which drives how you classify your consent obligations.

How should small outbound teams build a TCPA-compliant consent process?

Start with the consent language, build the documentation system before you send a single message, audit your lead vendors quarterly, and scrub against the National Do Not Call Registry before any voice campaign. Most small teams overbuild the technology and underbuild the paper trail. The paper trail is what wins in court.

Write your consent language in plain English. Place it right next to the phone number field, include your company name, describe the message types, say consent is not required for purchase, and make the consumer take an active step. Run it past a TCPA attorney before you go live.

Build documentation first. Every contact in your CRM should carry a linked consent record: the date, the form URL, the consent language version, the IP address. If you cannot pull that record in 48 hours during discovery, it might as well not exist.

Audit lead vendors every quarter. Ask for a sample of the real opt-in language and form screenshots. A vendor who cannot produce them is telling you something. You are liable for contacts made on consent you cannot verify.

Scrub against the National Do Not Call Registry before any voice campaign. That is a separate obligation from TCPA consent, and it applies even when you hold consent for the number. [12]

For SMS, make sure your platform handles STOP automatically and propagates opt-outs to your CRM within minutes. Test it monthly. Carry suppression lists from campaign to campaign so an old opt-out survives the next send.

LeadCompliant offers a free TCPA compliance kit with consent language templates, a documentation checklist, and a DNC scrubbing guide built for small outbound teams. It is not a substitute for a TCPA attorney. It does get the operational groundwork right.

Want to see what happens when the process fails? The Albertsons/Safeway settlement and the Credit One settlement show how consent gaps turn into eight-figure problems.

Frequently asked questions

Is TCPA applicable without an autodialer?

Partially. The autodialer provision (47 U.S.C. § 227(b)(1)(A)) requires an ATDS, but the prerecorded-voice provision applies to cell phones no matter how the call is placed. After Facebook v. Duguid (2021), systems that only dial from stored lists may not qualify as an ATDS. But any prerecorded or artificial voice marketing message still requires prior express written consent.

The statute sets no explicit expiration date, but consent can go stale. If a consumer's relationship with your company ends, or they show clear intent to stop hearing from you, calling on old consent is risky. Courts and the FCC look at whether consent covered the specific type of contact being made, more than whether some consent once existed.

Only if the vendor's opt-in language named your company specifically. Generic consent to "marketing partners" or "partner networks" does not satisfy TCPA prior express written consent. Obtain and review the actual form language before contacting any list. If the consent did not name you, get fresh consent before you message anyone.

The form has to tell the consumer that agreeing to receive marketing calls or texts is not required to buy your product or service. The language must be conspicuous, meaning a consumer can see it without scrolling away or clicking through to another page. It cannot be buried in a privacy policy or a terms of service link.

Does a verbal opt-in satisfy TCPA prior express written consent?

No. For marketing calls and texts via autodialer or prerecorded voice, consent has to be in writing. A recorded call where someone says "yes, you can text me" does not meet the written standard. Some companies record verbal consent as a backup layer, but it does not substitute for a signed written agreement under 47 C.F.R. § 64.1200(f)(9).

What is the TCPA statute of limitations?

Most courts apply a four-year federal statute of limitations under 28 U.S.C. § 1658. Some state courts apply their own limitations periods. Retain consent records for at least four years from the date of the last contact made under that consent, so you can produce documentation if a claim lands near the deadline.

No. Informational, transactional, or non-marketing messages sent via autodialer may qualify under the lower prior express consent standard rather than prior express written consent. The written standard applies to marketing or promotional content. The line is fact-specific, and slipping promotional content into an informational text can trigger the higher standard.

The FCC adopted it in December 2023 with a planned effective date of January 27, 2025. The Eleventh Circuit vacated it in Insurance Marketing Coalition v. FCC in January 2025. The core statutory requirement for prior express written consent that names your specific company was not affected and remains in place under 47 U.S.C. § 227.

Yes. Consumers can revoke consent at any time through any reasonable means, including calling your customer service line, emailing you, or texting STOP. FCC guidance and court decisions require you to honor revocation regardless of the channel used. Continuing to contact someone after they revoke is treated as a willful violation, raising per-message damages to $1,500.

Does TCPA apply to business cell phones?

Yes. The TCPA protects any wireless telephone subscriber. If you call or text a cell phone number, the prior express written consent requirement applies even if the person uses that phone mainly for business. There is no blanket B2B exemption for mobile numbers. The exception for business landlines does not extend to a cell phone used by an individual employee.

Express consent (without 'written') is the lower standard the FCC allows for non-marketing informational calls and texts to cell phones, usually established when a consumer voluntarily gives their number in a relevant context. Prior express written consent is the higher standard for marketing content via autodialer or prerecorded voice, and it requires a signed written agreement with specific disclosures.

How much does a TCPA class action typically settle for?

Settlements vary widely by class size and facts. Recent examples include Credit One Bank at $9.25 million and others in the $1 million to $15 million range. Per-person payouts in class settlements are often small, but plaintiff attorney fees can be large. The real cost driver is the per-violation statutory damages of $500 to $1,500 multiplied across every message sent without valid consent.

Contested. The FCC's 2012 order did not explicitly bar pre-checked boxes, but multiple district courts, especially in the Ninth Circuit, have held that a pre-checked box does not show affirmative agreement. The safer and more defensible approach is requiring the consumer to actively check the box. Any new consent flow you build should use unchecked boxes.

Do I still need to check the Do Not Call registry if I have TCPA consent?

Yes. TCPA consent and the National Do Not Call Registry are separate requirements. Having someone's prior express written consent does not override their DNC registration for voice campaigns governed by the FTC's Telemarketing Sales Rule. Scrub against the registry before calling, maintain your own internal DNC list, and honor DNC requests even from people who previously consented.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits autodialed or prerecorded marketing calls/texts to wireless numbers without prior express written consent; damages are $500–$1,500 per violation
  2. FCC, 47 C.F.R. § 64.1200, Rules and Regulations Implementing the TCPA: Prior express written consent defined as 'an agreement, in writing, bearing the signature of the person called' with specific required disclosures including that consent is not a condition of purchase
  3. Federal Trade Commission, National Do Not Call Registry and telemarketing consumer information: Federal regulators require consent disclosures to be conspicuous and treat buried or hidden consent language as ineffective
  4. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 522 (2021): Supreme Court held ATDS must have capacity to produce numbers using random or sequential number generator, narrowing the autodialer definition under TCPA
  5. U.S. Supreme Court, Barr v. American Association of Political Consultants, 591 U.S. 610 (2020): Supreme Court confirmed TCPA framework including consumer right to revoke consent
  6. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires telemarketers to honor DNC requests within 30 days and to scrub against the National Do Not Call Registry
  7. U.S. Court of Appeals, Eleventh Circuit, Insurance Marketing Coalition v. FCC, No. 24-10277 (2025): Eleventh Circuit vacated FCC's one-to-one consent rule in January 2025, finding the FCC exceeded its statutory authority
  8. U.S. Code, 15 U.S.C. § 7001, Electronic Signatures in Global and National Commerce Act (E-SIGN): E-SIGN Act validates electronic signatures for consent purposes, including checked checkboxes and typed names in online forms

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit