Building an internal do not call list for small sales teams

Learn exactly how to build an internal DNC list, what the TCPA requires, and what a single violation can cost, up to $1,500 per call. Step-by-step for small teams.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-09

Two sales team members reviewing a printed phone list at office desks
Two sales team members reviewing a printed phone list at office desks

TL;DR

The TCPA requires every telemarketer to keep a company-specific do not call list and honor opt-outs within 30 days. Violations cost $500 to $1,500 per call. A small team needs four things: a written policy, one central suppression file, a scrub step before every dial, and a rule that new opt-outs get logged the same day they arrive.

What is an internal do not call list and why does every sales team need one?

An internal do not call list is a record of the phone numbers where people have told you, specifically, to stop calling. Some people call it a company-specific DNC list or a suppression file. It is a separate thing from the National Do Not Call Registry that the FTC runs. Federal law requires you to keep one even if you scrub against the national registry every single day.

The FTC's Telemarketing Sales Rule and the TCPA both apply here, but the clearest company-specific duty lives in FCC rules that implement 47 U.S.C. § 227. The rule at 47 C.F.R. § 64.1200(d) says any entity making telephone solicitations must keep a written policy for a do not call list, train its people on it, and honor requests inside a set window [1].

Why does this matter for a five-person sales team? The law does not scale by headcount. A solo SDR who ignores an opt-out faces the same per-call exposure as a call center running 10,000 dials a day. Class actions are the real danger. One plaintiff who got two or three uncleaned calls can anchor a class of thousands with the same complaint. The cash app tcpa class action settlement shows how fast aggregate liability piles up from small individual slips.

The list is also plain good sales hygiene. Someone who told you to stop is never going to buy. Dialing them again burns rep time and drags down your reputation with carriers.

What does the TCPA actually require for company-specific do not call lists?

Four things: a written policy, trained staff, opt-outs honored within 30 days, and requests kept for at least five years. The text of 47 U.S.C. § 227(c)(1) directs the FCC to write rules protecting subscribers' privacy, including the right to tell a particular company to stop calling [2]. The FCC put those four requirements into 47 C.F.R. § 64.1200(d).

First, the written policy. Not a sticky note. A real document that spells out how your company receives, records, and enforces do not call requests. Second, you train every person who makes or supervises outbound calls on that policy. Third, you honor an opt-out within 30 days of getting it. The rule's language sets that as an outer limit, not a target. Fourth, you keep the request honored for at least five years.

The FCC's safe harbor at 47 C.F.R. § 64.1200(d) lets a company avoid liability for an accidental call to a listed number, but only if all four elements are already in place and the call was a good-faith error [1]. That harbor is narrow. "We forgot to scrub" does not qualify. "Our suppression file updated fine but one record failed a data sync, and here is the audit log proving it" might.

Small teams miss one detail constantly. The 30-day clock starts when the person makes the request, not when your CRM finally logs it. Someone emails your rep on Tuesday asking off the list, the rep sits on it for two weeks, and you are exposed for every call made during those two weeks.

How much does a TCPA violation actually cost per call?

The statute sets damages at $500 per violation for negligent calls and $1,500 per violation for willful or knowing ones [2]. Courts have repeatedly found that calling a number on your own internal DNC list, when you knew the request was made, is willful. That triples the number.

Most small-team pain comes from class certification, not one-off suits. A plaintiff's lawyer finds ten people who got uncleaned calls, certifies a class, and suddenly the aggregate figure dwarfs your annual revenue. The credit one tcpa settlement hit $12.5 million, driven mostly by automated call volume to numbers that had already asked for no contact.

Settlements swing wildly, and nobody has clean public data on median amounts for small teams specifically. The closest reliable figure comes from WebRecon LLC, which tracks federal TCPA filings and has reported a steady 5,000 to 6,000 cases filed per year in recent years [3]. Most settle behind closed doors. What is public is the floor: $500 minimum, no proof of actual damages needed.

Here is the math that decides it. A clean internal list costs a few hours of setup and maybe $50 to $200 a month for a scrubbing tool if you want automation. One missed opt-out that lands in a class action can cost six figures. Not a hard call.

Key TCPA numbers for internal DNC compliance Federal thresholds every small team must know 500 Statutory damages per negli… violation 1,500 Statutory damages per willf… violation 30 Days to honor an opt-out request (max) 5 Years a DNC request must be honored Source: 47 U.S.C. § 227; 47 C.F.R. § 64.1200(d); FTC DNC Registry fee schedule, 2024

How do you actually build an internal DNC list from scratch?

Start with a spreadsheet if that is all you have. Seriously. A Google Sheet with columns for the phone number (normalized to E.164 like +15551234567), the date the opt-out came in, how it came in (call, email, text, voicemail), and who logged it. That beats a verbal understanding every time.

Normalize the number format on day one. A common failure is logging 555-123-4567 in one row and 5551234567 in another, so your scrub logic never sees the match. Pick one format and enforce it.

Here is the workflow that holds up for a small team:

1. Create one dedicated suppression file (spreadsheet, CRM field, or DNC tool). 2. Set a hard rule: any opt-out on any channel gets logged within 24 hours. 3. Before any dial session, export your call list and run it against the suppression file. Pull matches before dialing. 4. After any session where new opt-outs came in, update the suppression file the same day. 5. Audit monthly: confirm recent opt-outs are present, spot-check that suppressed numbers are not sitting in active lists.

Running HubSpot or Salesforce? Add a boolean field called "DNC" and a workflow that auto-excludes any contact where that field is true from call sequences. That beats a manual spreadsheet match once you pass roughly 50 calls a day.

For teams doing cold calling at any real volume, the scrub step is not optional. You also check your list against the National DNC Registry for consumer numbers. The FTC gives you registry access through the do not call telemarketer list portal once you register as an organization.

What should your written DNC policy actually say?

The FCC requires a written policy but publishes no template. Here is what a compliant one covers, built on 47 C.F.R. § 64.1200(d) [1]:

Scope. Which channels does this cover? Calls, SMS, or both? If you send marketing texts, TCPA and text message marketing rules apply to those too, and your internal list should cover both.

How to make a request. List every channel someone can opt out through: verbal during a call, voicemail, email reply, text STOP, web form. All of them get honored.

Time to honor. State plainly that requests are honored within 30 days, and that your internal target is same-business-day logging.

Who is responsible. Name a role, not a person, because people leave. "The compliance owner" or "the sales manager" works. That role audits the list monthly.

Duration. Requests are permanent unless the consumer comes back and affirmatively consents again.

Training. New hires finish DNC training before their first outbound call. Document it.

Incident process. If someone dials a listed number by mistake, what happens? Log it, judge whether it was willful or an error, preserve the record.

Keep the document dated and version-controlled. In litigation, showing a judge a policy with a real revision history beats one that looks like it was drafted the week the suit landed.

What channels trigger an opt-out that must go on your internal DNC list?

Any clear "do not call me" from any channel goes on the list. Channel does not matter. The request does.

Verbal opt-out during a live call. The most common one. The rep logs it before the next call, or at the latest before the end of the business day.

Voicemail. Someone calls your sales line and leaves a message asking not to be contacted again. That counts.

Text STOP reply. If you send SMS, a STOP reply is a mandatory opt-out under the TCPA. It should auto-suppress in your texting platform and land in your master DNC file. Do not let these live only inside the SMS tool.

Email reply. "Please remove me from your list" in reply to a sales email is a DNC request. Courts have treated ignoring these and calling anyway as willful conduct.

Web form. If you run a contact form or a formal opt-out page, those submissions go to the same file.

One real gray area: does "I'm not interested" count? On its own, probably not, since it is a rejection, not a standing opt-out. But "don't call me again" absolutely does. When you are unsure, add them. There is no upside to dialing someone who already told you no.

How do you handle opt-outs that come in during a campaign or dialing session?

This is where small teams get burned. A rep works through 200 numbers. Halfway in, someone opts out. The rep makes a mental note and plans to log it tomorrow. Meanwhile a second rep on the same campaign calls that person two hours later.

Fix this with process, not willpower. Two approaches work:

Option A: Real-time CRM flag. The rep marks the contact DNC in the CRM during the call. The CRM is the system of record. Any active sequence unenrolls that contact within minutes if the CRM is set up right.

Option B: Dedicated opt-out log. A shared doc or channel (a Slack channel is fine for tiny teams) where reps post opted-out numbers on the spot. One designated person batch-updates the master list every two hours on active calling days.

Either way, the master suppression file updates at the end of every dialing session, not once a week. A weekly cadence leaves a seven-day window of exposure hanging open.

For teams running high-volume cold call campaigns, look at a compliance platform that plugs into your dialer. These tools scrub outbound numbers in real time against your internal list and the national registry at once. They cost money, but they also build an audit trail, which is your best friend if you ever get sued.

How does your internal DNC list relate to the National Do Not Call Registry?

They are two separate duties running side by side. The National DNC Registry, run by the FTC under 15 U.S.C. § 6151, holds consumer numbers registered by people who do not want telemarketing calls [4]. You scrub against it whenever you make telephone solicitations to residential or cell numbers.

Your internal list covers everyone who has personally told your company to stop, whether or not they are on the national registry. Someone can be on neither list when you first dial, tell you to stop during that call, and now you must honor it even though they never registered with the FTC.

Getting national registry data means accessing it through the FTC's system. You can read more about how do i get the do not call list at the FTC's business portal. Fees as of 2024 depend on how many area codes you pull: the first five are free, extra area codes cost $76 each, and access to all of them is capped at $18,538 [5].

Cell phones carry a separate layer. Autodialed or prerecorded calls to cell phones need prior express consent under 47 U.S.C. § 227(b)(1)(A) [2], no matter what the national registry says. The mobile phone do not call list rules run tighter than the ones for residential landlines. Treat cell opt-outs with at least as much urgency in your internal process.

Scrub against both lists. They do not substitute for each other.

What tools and processes work best for a small team's DNC management?

The right tool tracks your dialing volume. Here is the honest breakdown:

VolumeToolApproximate costNotes
Under 50 calls/dayGoogle Sheet + CRM DNC fieldFreeManual scrub before each session; works if reps stay disciplined
50-200 calls/dayCRM with DNC workflow (HubSpot, Salesforce)$50-150/mo for CRMAuto-suppress flagged contacts; still need manual import from off-CRM channels
200-1,000 calls/dayDedicated DNC scrubbing API or compliance tool$100-500/moReal-time scrub, audit log, national registry integration
Over 1,000 calls/dayFull compliance platform (Gryphon and similar)$500+/moNecessary at this volume; the audit trail alone pays for it

For most small teams reading this, the CRM approach is the right start. Flag a DNC field, build an exclusion list in your sequence tool, and lock in the habit of same-day updates.

LeadCompliant offers a free compliance kit with a DNC policy template and a pre-call checklist you can adapt. The kit is not a substitute for legal counsel on your situation, but it gives you the written-policy foundation the FCC requires.

One genuine waste of money at small volume: enterprise compliance platforms charging $2,000 a month for features you will touch maybe 5% of. Build the habit first on free or cheap tools. Upgrade when volume forces the question.

You can also run LeadCompliant's free DNC number checker to spot-check whether a specific number sits on the national registry before a campaign goes live.

How long do you have to keep DNC records and what happens if you lose them?

Keep them at least five years, and honestly, keep them indefinitely. The FCC rule sets no explicit retention period for internal DNC records, but the five-year minimum for honoring a request means you need records at least that long to prove you did [1]. The FTC's Telemarketing Sales Rule at 16 C.F.R. § 310.5 requires telemarketers to hold certain records for 24 months [6], though the defensible move is to keep DNC records far longer.

Lose the records and face a suit, and the burden shifts hard against you. You cannot prove a number was on your list if you deleted the log. Courts have drawn adverse inferences from missing compliance records in TCPA cases.

Practical setup: keep the suppression file in a cloud system with version history (Google Sheets, Airtable, your CRM's audit log). Never delete old entries. Archive when you clean up data. At small scale, storing a few thousand rows of numbers and dates costs essentially nothing.

Keep training records too: when you trained each employee, who was trained, and on which version of the policy. If someone on your team calls a DNC number and you get sued, a training log dated before the violation is the difference between a reasonable settlement and no defense at all.

What are the most common internal DNC list mistakes small teams make?

The same failure patterns show up over and over in public TCPA cases.

No written policy. A verbal understanding between a manager and a rep is not a documented policy. The FCC specifically requires writing. Oral understandings cannot satisfy the safe harbor.

Logging opt-outs in the wrong place. A rep flags someone "not interested" in a personal task manager and never touches the central list. Two weeks later a different rep calls the same number.

Inconsistent number formatting. Log the same number three different ways and your scrub logic misses it.

Missing whole channels. The team handles verbal opt-outs cleanly but ignores email replies and text STOP messages.

Deleting numbers after inactivity. Some teams prune the suppression list alongside their contact database. Bad habit. DNC entries should outlive campaign lists.

No training before the first dial. Compliance training gets scheduled for week three of onboarding, the new hire dials in week one, and a week-one opt-out goes unlogged because nobody taught the process yet.

Treating the national registry as enough. "We scrubbed the FTC list" is not a defense for calling someone who personally told you to stop. Two separate requirements.

The do not call list world is not that complicated. What makes it hard is operational discipline, not legal complexity. The law is simple. Running it consistently when you have 200 calls to make today is where teams break down.

Does your internal DNC list also apply to SMS and text campaigns?

Yes. The TCPA's consent and opt-out rules cover voice calls and text messages alike. Section 227(b)(1)(A) reaches calls and texts made with an automatic telephone dialing system or an artificial or prerecorded voice [2]. The FCC has confirmed across multiple orders that text messages count as "calls" under the TCPA.

When someone texts STOP, honoring that opt-out is legally required. It also has to flow into your master DNC file, more than sit in your SMS platform's suppression list. Run a voice campaign later off the same underlying contacts, and you need to know that person opted out.

Keep one suppression list, not one per channel. A unified list kills the scenario where someone opts out of texts, you honor it for texts, then a voice rep calls two months later with no idea they ever asked to stop.

For text message marketing, the consent bar is actually higher than for calls. Marketing texts sent via ATDS require prior express written consent. The opt-out rules cut the other way: STOP replies are mandatory opt-outs, processed immediately and permanently, and they belong on your unified DNC list.

Frequently asked questions

How quickly do I have to honor a do not call request?

The FCC rule at 47 C.F.R. § 64.1200(d) requires you to honor do not call requests within 30 days of receiving them. That is the legal maximum, not the target. Internally, aim for same-business-day logging, because you are exposed to liability for any call made between the moment of the request and the moment you actually add the number to your suppression file.

Can I remove a number from my internal DNC list if someone calls me back and says they want to talk?

Yes, if the consumer reaches out on their own and voluntarily resumes contact, you can treat that as renewed consent. Document it: log the date, time, and nature of the contact. Do not pull a number just because a rep thinks the person sounded open during a cold call. The person has to initiate the renewed contact themselves.

Do I need a separate DNC list for SMS versus phone calls?

No, and separate lists create risk. Keep one unified suppression file across all outbound channels. A STOP reply to a text, a verbal opt-out on a call, and an email request all go to the same file. That way a voice campaign cannot accidentally call someone who only opted out of texts, and the reverse cannot happen either.

Is a spreadsheet good enough as an internal DNC system, or do I need special software?

A well-kept spreadsheet is legally sufficient at low volume. The FCC does not mandate any specific technology. What matters is that the list is written, centrally accessible, updated promptly, used to scrub before every campaign, and retained at least five years. Past 200 calls a day, a dedicated compliance tool or CRM-integrated workflow earns its cost on the audit trail alone.

What counts as a telephone solicitation under the TCPA?

Under 47 U.S.C. § 227(a)(4), a telephone solicitation is a call or message to a residential subscriber initiating a purchase, rental, investment, or charitable contribution. Business-to-business calls follow different and generally lighter rules, though some states like Florida have extended protections to B2B calls. When unsure, treat the call as a solicitation and apply full DNC protocols.

What happens if a sales rep accidentally calls a number on our internal DNC list?

Document the incident right away: when the call happened, which number was called, when the opt-out came in, and why the number was not suppressed. If it was a genuine technical error and you have a documented policy plus training records, the FCC safe harbor may protect you. If it was negligence or the rep knew and called anyway, you face $500 to $1,500 per call with no safe harbor.

How does the TCPA's $500/$1,500 per-call penalty work in a class action?

Each unconsented call to each plaintiff is a separate violation. In a class action, if 1,000 people got two calls each after opting out, that is 2,000 violations at $500 minimum, or $1 million in statutory damages before attorneys' fees. Courts can reduce class damages that grow disproportionate, but that is not a reliable exit. Preventing the calls costs a fraction of litigating them.

Do I need to put the do not call policy in writing even if my team is just two people?

Yes. The FCC rule at 47 C.F.R. § 64.1200(d) requires a written policy for any entity making telephone solicitations. Team size is not a factor. A one-page Google Doc describing how your two-person team receives, logs, and honors opt-outs satisfies the requirement and gives you a safe harbor foundation if a complaint ever comes.

Does the internal DNC list requirement apply to B2B cold calls?

Federal TCPA DNC rules mainly target residential subscribers, but the FCC's company-specific DNC obligations under 47 C.F.R. § 64.1200(d) apply to telephone solicitations broadly. More practically, if a business contact tells you to stop calling, dialing them again exposes you to harassment claims, state law liability, and reputational damage. Keep a DNC list for B2B contacts too.

How do I train my sales reps on DNC compliance without making it a full-day seminar?

Keep it to 30 minutes. Cover four things: what a DNC request looks like on each channel (verbal, text STOP, email, voicemail), exactly where and how to log it, the 30-day legal deadline and why same-day logging is your internal standard, and what happens to the rep and the company if a logged opt-out gets called again. Have reps sign that they completed it. Refresh yearly.

Can I buy a scrubbed call list and skip building my own DNC process?

No. A pre-scrubbed vendor list handles national registry compliance and nothing else. It does nothing for your company-specific internal DNC duty. People who told your company specifically to stop are not on any list a vendor can scrub for you. Your internal suppression process is always required on top of purchased data, never instead of it.

How often should I audit my internal DNC list?

Monthly at minimum for an active team. In an audit, confirm recent opt-outs sit in the suppression file, verify no suppressed numbers appear in active campaign lists or call sequences, check that the format is consistent with no duplicate entries in different formats, and review whether any employee needs a training refresh. Keep a log of when each audit ran and who ran it.

What states have additional do not call rules beyond the federal TCPA?

Several states layer their own DNC statutes on top of federal law. Florida's Mini-TCPA, passed in 2021, covers B2B calls and imposes strict ATDS limits. Texas, Indiana, and Louisiana run state DNC registries. California's CCPA intersects with consumer contact preferences. Always check the law for the state where your prospect lives, not the state where your business sits.

Sources

  1. FCC, 47 C.F.R. § 64.1200(d), Telephone Consumer Protection Act regulations: Requires written DNC policy, personnel training, and honoring opt-out requests within 30 days; safe harbor available for good-faith errors when all four policy elements are in place
  2. U.S. Congress, 47 U.S.C. § 227, Telephone Consumer Protection Act: Sets statutory damages at $500 per violation ($1,500 for willful/knowing violations); covers autodialed or prerecorded calls and texts to cell phones under 227(b)(1)(A)
  3. WebRecon LLC, TCPA lawsuit filing statistics: Approximately 5,000 to 6,000 federal TCPA cases filed annually in recent years
  4. FTC, National Do Not Call Registry, business access portal: The National DNC Registry is maintained by the FTC under 15 U.S.C. § 6151 to protect consumers from unwanted telemarketing calls
  5. FTC, National Do Not Call Registry, fees for accessing data: First five area codes are free; additional area codes cost $76 each, capped at $18,538 for all area codes (2024 fee schedule)
  6. FTC, 16 C.F.R. § 310.5, Telemarketing Sales Rule record retention: Telemarketing Sales Rule requires telemarketers to keep certain records for 24 months
  7. FTC, Complying with the Telemarketing Sales Rule: The TSR and TCPA both impose company-specific DNC list obligations on entities making telephone solicitations, independent of national registry scrubbing
  8. U.S. Congress, 15 U.S.C. § 6151, Telemarketing and Consumer Fraud and Abuse Prevention Act: Authorizes the FTC to maintain the National Do Not Call Registry and sets the statutory basis for TSR DNC requirements
  9. FCC, 47 U.S.C. § 227(a)(4), definition of telephone solicitation: Defines telephone solicitation as a call or message to a residential subscriber initiating a purchase, rental, investment, or charitable contribution

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit