Last updated 2026-07-09

TL;DR
Sellers and telemarketers avoid Do Not Call penalties by meeting three conditions at once: written DNC procedures, trained personnel, and a National DNC Registry scrub within 31 days. Miss one and the protection is gone. FTC penalties run up to $53,088 per call, and TCPA plaintiffs can win $500 to $1,500 per call in court.
What is the DNC safe harbor and who can use it?
The Do Not Call safe harbor is a defense written into the Telemarketing Sales Rule (TSR) at 16 CFR 310.4(b)(3) and mirrored in the FCC's TCPA rules at 47 CFR 64.1200(c)(2). It says a seller or telemarketer is off the hook for a call that accidentally reaches a number on the National Do Not Call Registry, but only if the caller can prove it had real procedures in place, acted in good faith, and the error was a genuine mistake.
Both sellers and telemarketers can invoke it. Their exposure differs. The seller is the company whose goods or services get marketed. The telemarketer is the call center or agency dialing. If a telemarketer makes an illegal call, the seller can still be on the hook unless it qualifies for safe harbor on its own. Every party in the chain needs its own documented program, more than the one holding the phone.
This is not blanket immunity. The FTC and the courts have been clear: it protects honest mistakes, not a habit of ignoring the registry. The FTC's 2003 TSR Statement of Basis and Purpose explains that the defense is available only when a violation results from "good faith" reliance on a defective list, not from a policy of non-compliance [6].
Small teams often assume enforcement skips them because they're small. It doesn't. The FTC has brought cases against solo operators and boutique lead-gen shops. Size affects how much attention you draw. It doesn't change whether the rules apply.
What are the three conditions you must meet to qualify for safe harbor?
To claim safe harbor under 16 CFR 310.4(b)(3), a seller or telemarketer has to satisfy all three of these at the moment the call goes out [1][2]. Miss one and the whole defense fails.
Condition 1: Written do-not-call procedures. You need established, written procedures to comply with the do-not-call rules. "Written" is not optional. "Implemented" means the procedures actually get followed, not filed in a drawer. The FTC has rejected safe harbor claims where a company had a policy on paper but no proof of training or enforcement.
Condition 2: Trained personnel. You have to train every employee and agent who makes or supervises outbound calls on those written procedures. One session at onboarding usually isn't enough if the law shifts and your training never catches up. Courts look at whether training was periodic and documented.
Condition 3: A registry scrub within 31 days. You must have accessed the National Do Not Call Registry, run by the FTC, within the 31 days before each call. If your last scrub was 32 days ago, you're outside the window and the safe harbor is gone for that call. This is the condition teams blow through most often without noticing.
A fourth requirement runs through all three: you have to keep records proving compliance. If you can't produce the training log, the dated scrub confirmation, and the written policy in discovery, the safe harbor collapses no matter what you actually did.
The FCC mirrors these conditions for calls to residential lines at 47 CFR 64.1200(c)(2), so the framework holds whether you're facing an FTC action or a private plaintiff [3].
How often do you need to scrub against the National DNC Registry?
Every 31 days at the outside, and the clock starts the day you pull the list, not the day your subscription renewed. That's the number to run your calendar on.
Here's the part that trips people up. The TSR allows a longer window, but the FCC's TCPA rules set a 31-day window for residential subscribers [3][10]. Most outbound teams are calling residential numbers, or numbers that could be residential. So the practical safe standard is 31 days. Use the longer TSR window and you might satisfy the TSR while exposing yourself under TCPA. Use 31 days and you clear both.
Company-specific internal DNC lists work differently. When someone asks your company not to call, that suppression never expires. They stay off your list permanently unless they give you fresh written consent [2]. Plenty of teams conflate the two and assume internal requests also lapse after 31 days. They don't.
If you run calls weekly, set a reminder to re-scrub every 28 days. Three days of buffer against the 31-day limit. Registry access is free for organizations pulling five or fewer area codes per year. Beyond that, it costs $79 per area code annually as of 2024, with an annual cap of $18,703 for unlimited national access [4].
For what do not call list access actually involves, including how to register your organization with the FTC, check the linked guide.
Does safe harbor protect you from calls to your own customers?
Mostly, within limits. The TSR and TCPA both carve out an Established Business Relationship (EBR) exception. A seller may call a number on the registry if it has an existing business relationship with that person [2][3]. An EBR exists if the consumer:
- Made a purchase, rental, or financial transaction with the seller within the past 18 months, OR
- Made an inquiry or application with the seller within the past 3 months.
The clock runs from the last transaction or inquiry, not from the start of the relationship. A customer who bought from you two years ago and went quiet is no longer covered. And the EBR vanishes the moment that customer asks to be on your internal DNC list. A request to stop calling beats any EBR.
The EBR is a separate defense from the safe harbor. You can stack them, but they cover different things. Safe harbor covers genuine errors: you called a DNC number by accident despite good procedures. EBR covers intentional calls to existing customers who happen to sit on the registry.
Financial services, mortgage, and solar sellers get this wrong constantly by treating old lead lists as EBR-qualified. A lead who filled out a form three years ago and never transacted is not an EBR. Calling them is a cold call to a possibly registered number. Full stop.
What does 'written procedures' actually have to include?
The FTC doesn't publish a mandatory template, but enforcement history and its business guidance make clear what a written DNC policy has to address [1][5]:
1. A statement that your company complies with the National DNC Registry and the TSR. 2. How you scrub outbound lists against the registry before each campaign (who owns it, how often, how the output gets logged). 3. How you maintain and honor your internal company-specific DNC list. 4. How you add a number to the internal list within 30 days of a request (the TSR requires you to honor the request within 30 days of getting it [1]). 5. How DNC requests from any channel (phone, email, chat, mail) get captured and routed into suppression. 6. Training requirements: who gets trained, when, and how often. 7. Record retention: how long you hold scrub records, training logs, and consent documentation.
A one-page policy hitting those seven points, refreshed once a year, is enough for most small teams. The more calls you make, the more detail your policy needs, because high volume makes it harder to argue a violation was a one-off error.
You also have to hand the written policy to anyone calling on your behalf. If you outsource to a third-party call center, the contract should require them to follow your policy, and you should audit whether they do. Courts have held sellers liable for a telemarketer's violations when the seller knew or should have known the telemarketer wasn't complying [6].
What training is required and how do you document it?
The TSR requires training for all employees and agents who make or supervise telemarketing calls [1]. That covers your reps, your team leads, and anyone setting call strategy. It doesn't strictly cover the marketing analyst who never touches the dialer, but there's no downside to training them too.
At minimum, the training has to cover: the existence of the National DNC Registry, how to check whether a number sits on it, what an internal DNC request looks like and how to honor it, and what to do when a called party asks to be added to your internal list mid-call.
Format doesn't matter under the rule. In-person, a recorded video, a written module with a quiz. What matters is that you can prove it happened. Keep a log with the date, the trainer or module name, and a signature or confirmation from each trainee. If someone joins mid-year, train them before their first call, not at the next scheduled session.
Re-training after a rule change is a judgment call, but it's smart. The FCC tightened its consent rules with a one-to-one consent order adopted in December 2023 that changed how leads can be called [3][9]. Any team that never updated its training to match is working off an outdated policy, and that weakens the safe harbor claim even if the core three conditions technically hold.
LeadCompliant offers a free one-time compliance kit with a DNC policy template and a training log you can adapt to your team's size.
What are the fines if safe harbor fails?
If you can't prove all three conditions and the FTC or a private plaintiff wins, the exposure is real. Under the TSR, the FTC can seek civil penalties up to $53,088 per violation [7]. Each call to a registered number is a separate violation. Five hundred illegal calls, if the FTC pursues every one, is over $26 million in theoretical liability.
Under the TCPA (47 USC 227), private plaintiffs can sue for $500 per negligent violation or $1,500 per willful or knowing violation [8]. Class actions are the real danger. One named plaintiff with a class of 10,000 members at $1,500 a call is $15 million in statutory damages, before attorneys' fees.
The credit one tcpa settlement and cash app tcpa class action settlement both show how fast exposure scales when the safe harbor isn't in place.
The FCC can also issue its own forfeitures under 47 USC 503 and refer cases to the DOJ. State attorneys general have concurrent authority under the TCPA to bring suits [8]. Some states go further. Florida's Mini-TCPA, the Florida Telephone Solicitation Act, carries its own penalties and no safe harbor that mirrors the federal one.
Nobody has clean public data on how many enforcement actions hit small teams versus large ones. What the record shows is that the FTC's telemarketing enforcement press releases from 2020 through 2024 include actions against companies with revenues well under $10 million.
Does safe harbor apply to text messages and robocalls?
This is where it gets messy. The registry safe harbor was written mainly for voice calls to residential lines. Texts and robocalls to cell phones run on a different track.
Marketing texts require prior express written consent under 47 USC 227(b) and the FCC's rules, no matter what the DNC registry says [3][8]. The safe harbor that covers registry scrubs does not stand in for consent in the text world. Scrubbing your SMS list against the registry is good practice and shows good faith. It does nothing to protect you from a TCPA claim if you never had proper written consent to send the text.
Robocalls follow the same logic. Autodialed or prerecorded calls to a cell phone need prior express written consent under 47 USC 227(b)(1)(A), registry status aside. The DNC safe harbor lives in 47 USC 227(c), which governs the registry's do-not-call list. Consent rules live in 227(b). Different sections, different defenses.
So for outbound SMS campaigns, the registry scrub is a backstop, not your main protection. Your main protection is documented prior written consent. The text message marketing guide walks through those consent rules.
For manually dialed calls to cell phones with no autodialer, the registry safe harbor is your primary line of defense, assuming the other two conditions are met.
How does the safe harbor work when you use a third-party lead list?
Buying or renting a lead list does not push liability onto the list provider. The seller calling from that list has to scrub it against the National DNC Registry before each campaign, whatever the vendor claims about freshness [1][5].
Some vendors advertise DNC-scrubbed lists. That scrub might be real, but it happened when they sold the list, not when you called. If the vendor scrubbed on day one and you dial on day 45, you're outside the 31-day window and their scrub protects you not at all.
Safer practice: always re-scrub any purchased list yourself, through your own FTC-registered account, within 31 days of launch. Log the date and the credentials used. That's the documentation that survives discovery when a plaintiff's attorney comes knocking.
Third-party lists also carry a consent-provenance problem. A list bought from a broker may include numbers where the original consent went to someone other than you. For registry purposes, what matters is registry status. For autodialer and text purposes, what matters is whether the consumer consented to calls specifically from you. The FCC's one-to-one consent order made that far harder to satisfy through shared lead forms [3][9].
When you evaluate a list vendor, ask for a sample suppression report showing the date of their most recent scrub. If they can't or won't produce it, that's your answer.
What records do you need to keep to defend a safe harbor claim?
Safe harbor is an affirmative defense. If a plaintiff sues and you claim it, the burden is on you to produce records. The FTC's business guidance points to a 24-month retention practice for DNC records [5], but the TCPA carries a four-year statute of limitations under 28 USC 1658, so keeping records for five years is the sensible standard.
Here's what you need to produce on short notice:
| Record | What to keep | Retention period |
|---|---|---|
| Written DNC policy | Dated version history, current and all past versions | 5 years |
| Training logs | Date, attendee list, trainer/module, sign-off | 5 years |
| Registry scrub confirmations | Date, account ID, area codes accessed, list file name | 5 years |
| Internal DNC list | Every number added, date of request, channel of request | Permanent (no sunset) |
| Consent records (robocalls/texts) | Source, date, exact language, method of capture | 5 years |
| Calling scripts | Dated versions for any scripted campaigns | 5 years |
Cloud storage with audit trails beats local files, because it's harder for an opposing party to argue records were backdated. Some teams rely on their CRM's built-in logging. That works if the timestamps are reliable and the records export cleanly.
Just getting started? The how do i get the do not call list guide walks through FTC registration and shows what your scrub confirmation will look like.
LeadCompliant's free DNC scrub checker flags numbers against the registry and generates a dated confirmation log you can drop straight into your compliance file.
Can a called party's previous consent override their DNC registration?
Yes, with conditions. A consumer who gave prior express written consent to a specific seller has, in effect, opted out of DNC protection as to that seller [3][8]. This is separate from the EBR exception. Consent is affirmative permission. EBR is a transactional relationship.
Consent has to be specific. A consumer who checked a box saying "I consent to be contacted by Company X" consented to Company X. That consent does not stretch to affiliates, partners, or anyone else in Company X's distribution chain. The FCC's one-to-one consent order made this explicit: consent captured through a comparison shopping site or shared lead form doesn't satisfy the requirement unless the consumer specifically names the entity calling them [9].
Consent can be revoked. Under the FCC's rules, a consumer can revoke at any time by any reasonable means. Once revoked, the number goes onto your internal DNC list and you have to honor the revocation. The FCC's 2024 revocation order requires callers to honor a revocation within 10 business days [3].
The interaction between consent and registration trips up lead-gen teams constantly. A consumer who filled out a web form consenting to contact may later register their number with the National DNC Registry. That registration doesn't automatically revoke prior consent, but it's a signal. If the consumer then tells you to stop, consent is revoked and the registration takes full effect.
What common mistakes void the safe harbor protection?
The most common way teams lose safe harbor isn't one catastrophic failure. It's a slow drift as the team grows.
The scrub goes stale. Someone sets up the 31-day reminder, then leaves, and nobody inherits it. Three months pass before anyone notices. Every call in that gap is outside safe harbor.
The written policy exists but never changes. The team added a text channel, hired a new vendor, or swapped dialer software, and nobody touched the procedures. The policy now describes a workflow that no longer matches reality.
Training happens once at onboarding and never again. New rule changes, like the FCC consent updates, never make it into a refresher. The team feels compliant because it got trained once, two years back.
Internal DNC requests get logged inconsistently. A caller asks to be removed. The rep drops a note in the CRM but never routes it to suppression. The number gets called again 60 days later. That's a willful violation, not an accident, and willful violations don't get safe harbor.
Vendors get trusted without verification. A call center claims it scrubs daily. Nobody checks. The call center hasn't touched the registry in 90 days.
For teams running cold calling campaigns at any real scale, the safest structure is one person, not a committee, accountable for the scrub calendar, the training schedule, and policy version control. Diffuse accountability means nobody's accountable.
Frequently asked questions
Do you have to register with the FTC to access the National DNC Registry?
Yes. Organizations making telemarketing calls have to register at donotcall.gov and pay any applicable fees before accessing the registry. Small organizations pulling five or fewer area codes pay nothing. Beyond that, access costs $79 per area code annually as of 2024, capped at $18,703 for unlimited national access. You need an active registration to generate the dated scrub confirmation that safe harbor requires.
How long does a company have to honor an internal do-not-call request?
The TSR requires a company to honor an internal DNC request within 30 days of receiving it. After that the number stays suppressed permanently. Unlike registry status, internal requests never expire. If the consumer later gives new written consent, you can resume contact, but the default is permanent suppression once the request comes in.
Can a telemarketer claim safe harbor independently of the seller it is calling for?
Yes, but only if the telemarketer had its own written procedures, its own trained staff, and ran its own registry scrub within 31 days. A telemarketer can't piggyback on the seller's program. If the seller hands over a pre-scrubbed list more than 31 days old, the telemarketer calling from it is outside safe harbor, even if the seller was compliant when it scrubbed.
Does the DNC safe harbor apply to calls made to business numbers?
The National DNC Registry covers residential subscribers and personal cell phones used for non-commercial purposes. It does not cover business-to-business calls. Call a business line and registry rules generally don't apply, so there's no safe harbor to claim there. State laws vary: some states extend DNC protections to business numbers, so check applicable state law before assuming B2B calls are unrestricted.
What happens if your dialer software scrubs the list but you cannot produce the log?
You lose the defense. Safe harbor is an affirmative defense, so you have to prove it. If the dialer scrubbed but the log got overwritten, the vendor folded, or you never saved the confirmation, you can't establish the defense in court or in an FTC proceeding. Treat the dated scrub confirmation as a business record and back it up in at least two places.
Are there state-level DNC safe harbor rules that differ from the federal standard?
Yes. Many states run their own DNC registries and safe harbor frameworks. Florida's Telephone Solicitation Act, for example, has stricter consent and calling-hour rules than federal law and doesn't copy the federal three-part safe harbor. California, Texas, and Indiana also have state DNC provisions. Federal compliance is a floor, not a ceiling. Check every state where you call.
Can you use a consent obtained through a third-party lead form to defeat a DNC claim?
As of the FCC's one-to-one consent order, consent obtained through a shared lead form or comparison shopping site likely doesn't satisfy the TCPA's prior express written consent requirement unless the consumer specifically named your company as an entity they agreed to hear from. This doesn't erase your registry obligations, but it collapses the consent-based defense many lead buyers leaned on before.
Does calling a cell phone require a separate analysis beyond checking the DNC registry?
Yes. Cell phones get two layers of protection. First, if the number is on the National DNC Registry, registry rules apply. Second, if you use an autodialer or a prerecorded message to a cell, 47 USC 227(b) requires prior express written consent regardless of registry status. Many teams focus on the registry and miss the 227(b) consent requirement, which is where the larger class action exposure sits.
How do you handle a number that was on a consent list but later appeared on the DNC registry?
Valid prior express written consent generally overrides registry status for that specific caller. But if the consumer later explicitly asks you to stop, that revokes consent and the registry status kicks in. The safest move is to re-scrub consent-based lists periodically anyway, because a consumer who registers on the DNC list without telling you directly is signaling intent, and ignoring that signal weakens any good-faith claim.
What is the difference between the TSR safe harbor and the TCPA safe harbor?
They're parallel frameworks that largely mirror each other. The TSR (16 CFR 310.4(b)(3)) is enforced by the FTC and governs telemarketing sales calls. The TCPA safe harbor (47 CFR 64.1200(c)(2)) is enforced by the FCC and governs residential subscriber protections. The three conditions are nearly identical. The practical difference: the TCPA allows private lawsuits, while the TSR is enforced only by the FTC and state AGs. A caller has to satisfy both for full protection.
Can you get safe harbor protection if you unknowingly called a number that was added to the registry after your last scrub?
Yes. This is exactly what the safe harbor was built for. If you scrubbed within the past 31 days, your written procedures were in place, and your team was trained, a call to a number registered after your scrub date is a genuine accidental violation, and the safe harbor protects you. The FTC's own rules recognize the 31-day window precisely because new registrations take time to reach callers who already scrubbed.
How does safe harbor interact with the wireless number portability problem (mobile numbers that look like landlines)?
Number portability means a line originally assigned to a landline may now be a cell phone, and vice versa. The FCC has made clear that a caller using an autodialer is responsible for knowing whether a number has ported to a cell before calling it without cell consent. Safe harbor doesn't cover the 227(b) autodialer restriction for ported-to-cell numbers. Run a carrier lookup or reassigned numbers database scrub alongside your registry scrub.
What does 'good faith' mean in the context of safe harbor?
Good faith means you had working procedures, genuinely followed them, and the violation was an error rather than a policy. The FTC looks at whether compliance was a real priority: did the policy get updated, was training refreshed, were internal DNC requests handled promptly, was the registry scrubbed consistently? A company with one violation despite tight procedures looks very different from one with a pattern of violations and a policy that lives only on paper.
Sources
- FTC, Telemarketing Sales Rule (16 CFR Part 310): Three-part safe harbor conditions under 16 CFR 310.4(b)(3) and 30-day honor requirement for internal DNC requests
- FTC, Complying with the Telemarketing Sales Rule: Established business relationship exception (18 months for transactions, 3 months for inquiries) and internal DNC list requirements
- FTC, National Do Not Call Registry: Registry access is free for five or fewer area codes; $79 per additional area code; $18,703 annual cap for unlimited access (2024)
- FTC, Business Guidance and Resources: FTC business guidance on record retention and requirement to re-scrub within the applicable window before each campaign
- FTC, TSR Statement of Basis and Purpose (2003), Fed. Reg. Vol. 68 No. 19: Safe harbor available only for good-faith reliance on a defective list, not for systemic non-compliance; seller liability for known telemarketer violations
- FTC, Federal Register notice on civil penalty inflation adjustments (2024): Maximum civil penalty per TSR violation: $53,088 (2024 inflation-adjusted figure)
- U.S. Congress, Telephone Consumer Protection Act, 47 USC 227: $500 per violation for negligent TCPA violations; $1,500 for willful/knowing violations; state AG enforcement authority; prior express written consent requirement for autodialed cell calls under 227(b)(1)(A)
- FCC, Rules and Regulations (47 CFR Part 64): 31-day scrub window for residential subscribers and requirement to honor company-specific DNC requests