Last updated 2026-07-10

TL;DR
The TCPA requires businesses to honor opt-out requests for telemarketing calls and texts within 10 business days, keep an internal do-not-call list, and put a working opt-out into every automated text campaign. Fines run $500 to $1,500 per violation. FCC rules under 47 CFR 64.1200 spell out the specifics, and courts routinely certify class actions when companies ignore them.
What does the TCPA actually require for opt-outs?
The Telephone Consumer Protection Act (47 U.S.C. 227) lets consumers stop your telemarketing calls and texts at any time, for any reason. That right does not depend on how they gave consent in the first place. Someone can sign a paper opt-in form and still revoke by texting STOP, saying "take me off your list" on a recorded call, or emailing your support address. The method of revocation does not have to match the method of consent.
The FCC made that point explicit in its 2024 order on consent revocation, effective in April 2025. The order says consumers "may revoke consent through any reasonable means," and it bars companies from contractually limiting the channels through which revocation is accepted. [1] That closed a loophole some companies exploited by writing opt-in agreements that said revocation counted only through a specific web form.
For internal do-not-call purposes, 47 CFR 64.1200(d) requires telemarketers to maintain a written do-not-call policy, train staff on it, record opt-out requests within a reasonable time (the FCC treats 30 days as the outer edge), and honor requests for at least five years. [2] The 10-business-day window to stop calling comes from 47 CFR 64.1200(d)(3). That figure is the one most courts use when they measure a violation.
What are the opt-out requirements specifically for text messages?
Text opt-outs carry an extra layer of rules stacked on top of the baseline TCPA obligations. The CTIA's messaging guidelines, which carriers enforce through contract, require every marketing SMS program to answer STOP (and its cousins STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT) with a single confirmation message and then send no further marketing texts to that number. [3] Carriers suspend short codes and 10DLC campaigns that fail this test. They do it on their own, without a lawsuit.
The FCC's 2024 order pushed further. It requires opt-outs to be honored within a "reasonable time" the agency said should generally not exceed 10 business days, and it bars any message after an opt-out except one final confirmation. That confirmation cannot carry marketing content, upsells, or any attempt to re-engage the subscriber. [1]
You also have to disclose opt-out instructions at the point of opt-in. The language most compliance teams use reads something like: "Reply STOP to unsubscribe. Msg & data rates may apply." That disclosure is required at enrollment and has to appear in periodic reminder messages for high-volume programs. [3] Run an SMS campaign without it and you have a problem no plaintiff's attorney needs to find first. The carriers flag it.
For more on building compliant text programs from scratch, see our guide to text message marketing.
How does the national Do Not Call Registry interact with TCPA opt-out rules?
The National Do Not Call Registry, run by the FTC under 16 CFR Part 310, is a separate system from a company's internal do-not-call obligations under the TCPA. Consumers who register get protection from telemarketing calls by companies they have no prior business relationship with. Your internal opt-out list is different. It covers people who have interacted with you at some point and told you to stop. Both lists are mandatory. Failing one does not excuse you on the other.
A consumer can be on your internal list, the national registry, or both. The working rule: before any outbound call or text, scrub against the national registry (refreshed at least every 31 days under FTC rules) and against your own suppression file. [4] The FTC gives companies a 31-day grace period from the date a number lands on the registry before violations attach. That window does not apply to your internal list. If someone told your company directly to stop, the 10-business-day clock starts that day.
Settlements show what ignoring the national registry costs. UnitedHealthcare paid $2.5 million over alleged TCPA violations that included calls to registered numbers. The details are in our breakdown of the UnitedHealthcare $2.5M TCPA settlement.
What is the TCPA opt-out penalty for each violation?
The TCPA sets statutory damages at $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones. [5] Each call or text counts separately. The statute sets no cap.
That math turns dangerous fast. A campaign that sends 50,000 texts to numbers that already opted out faces $25 million to $75 million in exposure before any class multiplier. Courts certify these cases as class actions because the violation is uniform across the class and the damages formula is mechanical. Credit One Bank faced a class action partly over calls made after opt-out requests, and it settled for a large sum. Our write-up on the Credit One TCPA settlement covers how those cases develop.
The willful standard is easier to meet than most defendants expect. A plaintiff does not have to prove malice. Courts have found willfulness when a company had a written complaint about continued calls after an opt-out and kept calling, and when call logs showed the opt-out flag sat in the system but the dialer never checked it. [6] That second scenario, a technical gap between your CRM and your dialer, is the most common source of these cases.
What are the TCPA opt-in requirements, and how do they affect opt-out obligations?
Opt-in and opt-out are two sides of the same posture. A defective opt-in does not erase your opt-out obligations. It just makes them harder to defend. The FCC's 2012 order and later rules require prior express written consent for autodialed or prerecorded telemarketing calls and texts. [7] That consent has to be signed (electronic is fine), has to name the seller, and cannot hide inside general terms of service. [1]
Here is the link to opt-out. If your records cannot prove consent was obtained properly, a consumer who says they never opted in and then got texts does not need to prove revocation at all. The burden shifts to you to prove the opt-in existed. Sloppy opt-in records turn every opt-out claim into an opt-in dispute too.
Lead generation catches companies off guard. When you buy leads from a third party, the consent attached to that lead was given to the third party, not to you. The FCC's 2024 order tightened this hard, requiring consent to name the specific company making the calls. [1] Blanket consent to "marketing partners" no longer works. Opt-out requests to the lead generator do not flow to you automatically, and opt-outs made to you do not flow back to the generator. You need your own opt-out infrastructure no matter how the lead was acquired.
LeadCompliant's free consent checker and opt-out audit tools help you map where your program has gaps before a plaintiff does it for you.
What records do you need to keep for TCPA opt-out compliance?
The FCC and courts both read recordkeeping as evidence of good faith, and the absence of records as evidence of willfulness. At a minimum, your opt-out records need the phone number that requested opt-out, the date and time of the request, the channel it came through (inbound call, SMS reply, web form, email), and the agent or system that processed it.
Retention: the FTC's Telemarketing Sales Rule requires do-not-call records be kept for 24 months. [4] The TCPA statute names no retention period, but plaintiffs routinely allege violations going back four years (the standard TCPA limitations period in most circuits), so five years is the practical floor. Some programs keep records seven years to match general business retention norms.
Your suppression file needs to be checked in real time, or as close to it as you can manage, before each send. A list that was accurate last week is no protection if an opt-out landed yesterday. Nightly batch processing of opt-outs works in most circumstances. Weekly batching has burned companies when a consumer opts out Monday and gets a call Thursday.
For calls, if your IVR or live agents take opt-out requests, the recording counts as a record, but the number also has to hit your suppression file programmatically, more than as a note in a call comment. The gap between the recording and the system update is exactly where violations happen.
Do TCPA opt-out rules apply to B2B calls and texts?
Mostly yes, with some nuance. The TCPA's autodialer and prerecorded call rules apply whether the number is a consumer's cell phone or a business number registered to an LLC. The statute covers any cellular telephone number. [5]
The distinction matters more for internal do-not-call rules under 47 CFR 64.1200(d), which the FCC has historically applied to residential numbers. A prerecorded call to a business landline has a separate provision under 47 CFR 64.1200(a)(3)(ii) that generally bars prerecorded calls to business lines without consent. Opt-out obligations attach either way. If a business asks you to stop, continued calls create both TCPA risk (when the calls use an autodialer or prerecorded message) and general harassment or unfair-practices risk under state law.
Most B2B compliance teams treat their opt-out obligations exactly like B2C ones. The litigation risk is real, and running two standards costs more than it saves. The Truist Bank class action included business account holders. Our piece on the Truist Bank TCPA class action settlement shows how that played out.
What channel-by-channel opt-out rules apply (calls, texts, faxes)?
Each channel has its own mechanism requirements, though the underlying TCPA obligation is the same.
| Channel | Required opt-out mechanism | Honor within | Confirmation required? |
|---|---|---|---|
| Prerecorded/robocall | Interactive opt-out key (e.g., "press 2 to be removed") during the message | 10 business days [2] | No statutory requirement |
| Live agent call | Verbal request to agent is sufficient | 10 business days [2] | No statutory requirement |
| SMS/text | STOP reply (and variants) must work | 10 business days [1] | Yes, one confirmation text |
| Fax | Written request or opt-out notice on fax itself | 30 days [8] | No statutory requirement |
For prerecorded calls, 47 CFR 64.1200(b)(3) requires that "the telephone call includes an interactive opt-out mechanism for the called person to make a do-not-call request." [2] Your robocall has to offer a keypress or a spoken command that logs the opt-out without forcing the consumer to dial a different number. A message that says "call us back at 800-xxx-xxxx to be removed" does not satisfy this.
Fax opt-outs run on a 30-day window under the Junk Fax Prevention Act (folded into the TCPA), and every fax advertisement has to include a notice of the right to opt out plus a working fax number or cost-free mechanism to submit the request. [8] Fax compliance is litigated less than calls and texts, but the statutory damages are identical.
What happens when a consumer re-consents after opting out?
A consumer who opted out can re-consent, and that re-consent restores your right to contact them. The re-consent has to meet the same standard as the original: for autodialed marketing texts, a fresh prior express written consent with all required disclosures. [7]
The risk is in how you solicit it. You cannot call or text an opted-out consumer to ask them to re-consent. That itself is a TCPA violation. Re-consent has to come through a channel the consumer starts (they visit your site, they call you, they walk into your store) or through a medium you were already allowed to use (a transactional email, assuming you never sent marketing emails without separate consent).
Some companies route opted-out numbers through affiliate campaigns or partner companies, hoping the consumer will re-consent there. Courts have not looked kindly on this. If the companies are related enough in their marketing, the opt-out to one can bind the other. The safe rule: treat an opt-out as permanent until the consumer affirmatively re-engages on a new consent event you can document and produce in discovery.
What are the most common TCPA opt-out mistakes companies make?
The number-one failure, by far, is a gap between the CRM and the dialer or texting platform. A consumer texts STOP to your SMS provider, the provider logs it, but the flag never syncs back to your CRM before the next campaign runs. The CRM pulls a fresh audience export, the opted-out number rides along, and your platform sends the message before anyone notices. This is not hypothetical. It is the fact pattern in dozens of TCPA settlements every year.
The second most common failure is employees overriding opt-outs. Sales reps who spot a hot lead will sometimes call a number a compliance filter flagged, telling themselves the consumer "probably just fat-fingered STOP." Every instance of that is a willful violation.
Third: incomplete channel coverage. A company might run a solid SMS opt-out process but no interactive keypress on its robocalls, or a working STOP handler for texts but no way to opt out through the website. Every channel needs suppression coverage, and the suppression list has to be unified. An opt-out from a text should suppress calls too, and the reverse, unless you run clearly separate programs with separate opt-in consents that disclosed separate communication streams.
Fourth: weak training. If your call center agents do not know what to do when someone says "stop calling me," and no documented procedure tells them, a plaintiff can argue the violation was systemic rather than individual. That argument supports class certification and willfulness findings.
For what systematic failures look like in real litigation, read about the Albertsons/Safeway TCPA settlement or the Cash App TCPA class action.
How do you build an opt-out process that actually holds up?
A compliant opt-out process has four parts: capture, sync, suppress, and audit.
Capture means every channel that can receive an opt-out has a defined, automated intake. For SMS, that is a keyword handler (STOP and its variants) configured at the platform level, not by hand. For calls, it is an IVR branch or a CRM workflow agents must complete before ending any call where a consumer asks to be removed. For web, it is a form that writes straight to your suppression database, not to a spreadsheet someone babysits.
Sync means your suppression database is the single source of truth every outbound system checks before sending. No campaign list export happens without a real-time or same-day suppression scrub. If you run multiple platforms (an SMS tool, a predictive dialer, an email platform), all of them read from the same suppression list, or they push opt-outs back to a central system the others check.
Suppress means the check happens before the send, not after. That sounds obvious, but batch schedules create windows. If your suppression sync runs at 2 a.m. and a campaign fires at 11 p.m., you have a 21-hour exposure window. Tighten that as close to real time as your infrastructure allows.
Audit means a monthly sample check: pull 100 numbers from recent campaigns and verify none appear in your suppression log with an opt-out date before the campaign date. Matches mean a process failure that needs immediate correction and documentation of that correction. Courts treat self-correction favorably in damages calculations.
LeadCompliant's opt-out compliance kit includes suppression list templates and a pre-campaign scrub checklist you can adapt to your stack. Visit leadcompliant.com for the free download.
For managing outbound call compliance end to end, see our guide on how to stop robocalls from a consumer perspective, which also maps the rights your callers are asserting.
How do state laws add to federal TCPA opt-out requirements?
Several states run laws stricter than the TCPA, and those laws set a higher floor than the federal minimum. Florida's Mini-TCPA (Florida Statutes Section 501.059), amended in 2021, bars calls using an automated system to any number on the Florida Do Not Call list or the national registry, with no prior-business-relationship exception at the state level. [9] Florida also requires opt-out mechanisms on every solicitation call.
California's CCPA and CPRA add data deletion rights that work like opt-out mechanisms for marketing use of personal data, phone numbers included. A CPRA deletion request is not technically a TCPA opt-out, but honoring one without the other creates obvious risk. Most California-facing programs treat them as co-occurring obligations.
Texas, Indiana, Oklahoma, and several other states keep their own do-not-call registries that require separate registration and scrubbing. The FTC's national registry does not absorb these. If you run outbound into multiple states, you need a state registry compliance layer on top of the national DNC and TCPA suppression requirements.
State private rights of action vary. Florida's statute allows $500 per violation for negligent violations and up to $1,500 for willful ones, mirroring TCPA damages but under state court jurisdiction, where class certification can be easier or harder depending on the court. The upshot: do not assume TCPA compliance covers you in every state.
Frequently asked questions
How long does a company have to honor a TCPA opt-out request?
Under 47 CFR 64.1200(d)(3), a business must honor an internal do-not-call request within 10 business days of receiving it. For text messages, the FCC's 2024 consent revocation order reinforced this and required that no further marketing messages be sent after a STOP request, with only a single confirmation text permitted. Calling or texting within that 10-day window after an opt-out is a violation.
Can a consumer opt out by any method, or only by the method in the original opt-in?
Any reasonable method works for revocation under the FCC's 2024 order. A consumer who opted in via a web form can revoke by texting STOP, calling your customer service line, or emailing support. Companies cannot contractually restrict revocation to one channel. The only question courts apply is whether the revocation was communicated clearly and reached someone with authority to act on it.
Do TCPA opt-out requirements apply to transactional messages beyond marketing?
The TCPA's autodialer and prerecorded call restrictions apply to all calls and texts to cell phones using covered technology, regardless of whether the content is transactional or marketing. The prior express written consent requirement (and the opt-out rights tied to marketing rules) applies mainly to marketing. Purely transactional texts (appointment reminders, fraud alerts) require only prior express consent, a lower bar. But if someone says stop sending these, you still have to stop.
What must a TCPA opt-out confirmation text say?
The confirmation must tell the consumer they have been unsubscribed and will receive no further messages. It cannot include marketing language, coupons, re-engagement offers, or links to a landing page. CTIA guidelines and carrier rules both prohibit marketing content in the confirmation message. Something like "You have been unsubscribed from [Program Name]. No further messages will be sent" is the safe standard.
What is the TCPA penalty for ignoring an opt-out?
Each ignored opt-out that results in a call or text is a separate TCPA violation carrying $500 in statutory damages for a negligent violation and $1,500 for a willful one. There is no statutory cap, so class actions covering thousands of consumers can generate tens or hundreds of millions in potential liability. Courts have also applied the $1,500 rate when companies had documented notice of an opt-out and kept contacting the consumer anyway.
Does an opt-out from texts also cover calls, or do they work separately?
The statute does not automatically link SMS opt-outs to call suppression or the reverse. But the FCC and the plaintiffs' bar both treat them as connected when the programs share the same consent basis. If a consumer opted in once for both calls and texts, an opt-out that reasonably covers all contact should be honored across all channels. Safest approach: treat any opt-out as suppressing all automated outreach until you have new, documented consent for the specific channel you want to reactivate.
How long do you have to keep opt-out records under the TCPA?
The TCPA statute sets no specific retention period. The FTC's Telemarketing Sales Rule requires 24 months for do-not-call records. The TCPA statute of limitations runs four years in most federal circuits, so retaining records for at least five years is the minimum practical standard. If your state has a longer privacy or consumer protection record-retention requirement, that governs.
Can you charge a consumer to opt out of TCPA-covered calls or texts?
No. Charging for an opt-out would almost certainly be treated as an unlawful condition on a statutory right. The FCC has not needed a specific ruling because no credible business has tried it under heavy TCPA enforcement, but the consensus among TCPA attorneys is that any fee or friction added to the opt-out process creates real legal exposure, both under the TCPA and under state unfair practices statutes.
What are TCPA opt-in requirements for SMS marketing?
For autodialed marketing texts, you need prior express written consent under 47 CFR 64.1200(a)(2). That means a clear, affirmative agreement (no pre-checked boxes) that names your company, describes the type of messages, states that consent is not a condition of purchase, and discloses message frequency and that message and data rates may apply. The consent record has to be stored with a timestamp and evidence of the disclosure language the consumer saw.
Does buying leads from a third party include transferable TCPA opt-out obligations?
Not automatically, and this is a major risk area. The FCC's 2024 one-to-one consent rule requires consent to name the company making calls. Opt-outs given to the lead generator do not bind you, but you also cannot assume the consumer's consent to the generator extends to you. You need your own consent documentation for each lead you purchase, and your own opt-out tracking once you start contacting that lead.
What does a TCPA-compliant written do-not-call policy need to include?
Under 47 CFR 64.1200(d)(1), the policy must be available on demand to anyone who asks, must cover how opt-out requests are recorded and honored, must name the company and any affiliated entities sharing the list, and must describe training procedures for personnel who conduct telephone solicitations. The policy is not filed with the FCC. It is an internal document you must produce if asked in litigation or a regulatory inquiry.
How does the FCC's 2024 consent revocation order change existing opt-out practices?
The order, effective April 11, 2025, requires businesses to honor revocation through any reasonable channel the consumer chooses, prohibits contractual clauses that limit revocation to one method, and limits post-opt-out texts to a single confirmation with no marketing content. It also addressed lead generation by requiring one-to-one named consent. Companies that relied on broad consent language or channel-specific revocation clauses had to update their practices by the effective date.
Are there TCPA opt-out rules specific to healthcare or debt collection callers?
Healthcare calls (appointment reminders, prescription alerts) get a partial exemption from the prior express written consent rule if they meet FCC conditions for non-marketing health-related calls. Opt-out rights still apply: even exempt callers must honor stop requests. Debt collectors face both TCPA and FDCPA requirements at once. The FDCPA's cease-communication provisions can be stricter and must be honored independently of whatever the TCPA requires.
Sources
- FCC, Report and Order on Consent Revocation (FCC 24-72, July 2024): Consumers may revoke consent through any reasonable means; companies cannot contractually restrict revocation channels; one-to-one named consent required for lead generation; effective April 11, 2025
- FCC, 47 CFR Part 64.1200 (Code of Federal Regulations): Internal do-not-call requests must be honored within 10 business days; prerecorded calls must include an interactive opt-out mechanism; written DNC policy required
- CTIA, Messaging Principles and Best Practices (2023): SMS programs must honor STOP and variant keywords; opt-out confirmation required; opt-out instructions must be disclosed at enrollment
- FTC, Telemarketing Sales Rule (16 CFR Part 310): National DNC registry must be scrubbed at least every 31 days; do-not-call records must be retained for 24 months; 31-day grace period for new registry numbers
- U.S. Code, 47 U.S.C. 227 (Telephone Consumer Protection Act): TCPA statutory damages are $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations; covers cellular telephone numbers
- FCC, Report and Order on Robocalling and Prior Express Written Consent (FCC 12-21, 2012): Prior express written consent required for autodialed or prerecorded telemarketing calls and texts; consent must be signed and identify the seller; effective October 16, 2013
- FCC, Junk Fax Prevention Act Rules (47 CFR 64.1200(a)(4)): Fax advertisements must include opt-out notice and working removal mechanism; opt-out must be honored within 30 days
- Florida Legislature, Florida Statutes Section 501.059 (Florida Telephone Solicitation Act, 2021 amendment): Florida prohibits automated solicitation calls to numbers on the Florida DNC list or national registry with no prior-business-relationship exception; requires opt-out mechanism on every solicitation call
- FTC, National Do Not Call Registry: National Do Not Call Registry is separate from internal company do-not-call obligations; both are mandatory for telemarketers
- FTC, Consumer Advice on Unwanted Calls: Consumers have the right to stop unwanted telemarketing calls and to revoke consent at any time