Do not call list for businesses: what you actually need to know

Businesses must scrub against the National DNC Registry before calling. Violations cost up to $53,088 per call. Here's how the rules work in plain English.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-10

Office landline phone on a wooden desk representing do not call list compliance for businesses
Office landline phone on a wooden desk representing do not call list compliance for businesses

TL;DR

Businesses that make telemarketing calls must register with the FTC, scrub their lists against the National Do Not Call Registry every 31 days, and honor stop-calling requests within 30 days. FTC penalties reach $53,088 per call. On top of that, any consumer can sue under the TCPA for $500 to $1,500 per call. Written consent and existing-customer relationships create limited exceptions, and neither covers every situation.

What is the National Do Not Call Registry and who runs it?

The National Do Not Call Registry is a federal list the Federal Trade Commission runs, where consumers register their phone numbers to stop most unsolicited telemarketing calls. It launched in 2003 under the Do-Not-Call Implementation Act and the Telemarketing Sales Rule (TSR), 16 CFR Part 310 [1]. The FCC enforces parallel restrictions under the Telephone Consumer Protection Act, 47 U.S.C. § 227 [2]. That means two federal agencies can chase you for two different violations arising from one call.

The Registry holds roughly 245 million active phone numbers as of recent FTC reporting [1]. Numbers never expire once registered. Congress made that permanent in 2008 through the Do-Not-Call Improvement Act [8]. So the old belief that numbers "fall off" after five years is dead wrong.

Consumers register at donotcall.gov or by calling 1-888-382-1222. A number stays on the list until the consumer removes it or the carrier reassigns it to a new subscriber. You can't assume a number cycled off. You check. For how the Registry is built, see our overview of the do not call list.

Can a business phone number be on the Do Not Call list?

The honest answer: the National Do Not Call Registry protects residential subscribers and personal wireless numbers, not business lines. The TSR and TCPA both define the protected class as residential subscribers [2][3]. A company's main office line registered to a business entity is generally not covered.

The line blurs for sole proprietors and home-based businesses whose personal lines double as work lines. If a number gets used mostly for personal and household purposes, the Registry applies, even when the owner takes the occasional work call on it.

So do you need to worry about accidentally dialing a business number that sits on the Registry? For clearly commercial lines, the risk is low. But if you're calling cell phones or numbers that could belong to someone running a business from their kitchen table, you're in residential territory and the rules apply in full. The national do not call list for business callers is less about who you dial and more about what you, the calling company, owe before you dial.

Some states push further. Georgia's do not call list, under O.C.G.A. § 46-5-27, covers residential subscribers and personal wireless numbers just like the federal list, and it runs on its own track [4]. Calling Georgia numbers means checking both lists.

What businesses are required to follow Do Not Call rules?

Any person or company that makes, or causes others to make, telephone solicitations to residential numbers to sell goods or services has to comply with the TSR and the TCPA [3]. That sweeps in in-house sales teams, outsourced call centers, lead-gen firms that pass calls along, and ringless voicemail providers. If you sit at the top of the chain directing what gets dialed, you share the liability.

The real exemptions matter:

  • Calls to truly commercial business lines fall outside the Registry's scope.
  • Calls made with the prior express written consent of the called party are exempt under 47 U.S.C. § 227(b)(1) [2].
  • Calls under an established business relationship (EBR), meaning a prior purchase within 18 months or an inquiry within 3 months, are exempt under the TSR [3]. But the EBR never overrides a written stop-calling request. Once someone tells you in writing to quit, the EBR is dead for that number.
  • Political groups, charities, and telephone surveyors are exempt from the Registry but still face other calling rules.
  • Low call volume is not a free pass. The law has no small-business carve-out based on how many calls you make.

Cold-calling consumers puts you squarely under the rules. The question isn't whether the rules apply. It's whether you hold a valid exemption for the exact number you're about to dial.

How does a business access and scrub against the Do Not Call Registry?

Businesses reach the Registry through the FTC's telemarketer portal at donotcall.gov. You register your organization, pay the fee, and download the list for the area codes you plan to call [1].

The fee runs $79 per area code per year, capped at $18,538 for full national access [1]. Calling numbers in only three states? You pay for just those area codes. There's a free tier too: you can check up to five numbers at a time through the portal at no cost, which covers tiny operations or one-off verification.

The TSR scrub rule says you must check each number against a version of the Registry no more than 31 days old before you dial [3]. Download the list on June 1, and your last safe call date on that download is July 1. After that, you need a fresh pull. Plenty of compliance teams refresh on a 28-day cycle to keep a buffer.

For a step-by-step walkthrough, see our guide on how do i get the do not call list.

You also keep your own internal Do Not Call list. Anyone who asks your company to stop calling goes on that internal list, and you honor the request within 30 days [3]. Calling someone who sits on both the national Registry and your own internal DNC is exactly the pattern that turns a routine violation into a willfulness finding in court.

How much does violating the Do Not Call Registry actually cost a business?

The FTC can seek civil penalties up to $53,088 per violation under the TSR, and that ceiling rises with inflation under the Federal Civil Penalties Inflation Adjustment Act [5]. The FCC has separate authority under the TCPA, where private plaintiffs sue for $500 per negligent violation or $1,500 per willful violation, with no cap on how many violations stack in a class action [2].

That private right of action is the real money risk for most businesses. You don't wait for the FTC to knock. Any consumer can file in small claims or federal court, and plaintiff attorneys bundle hundreds or thousands of calls into class actions. Several well-known settlements have run into the tens of millions.

State penalties stack on top. Georgia allows civil penalties up to $1,000 for a first offense, $2,000 for a second, and $5,000 for later violations [4]. Florida, which runs its own list, uses a similar structure. For how Florida's list sits alongside the federal one, read our article on the florida do not call list.

The FTC has won multi-million-dollar judgments against repeat robocallers, though the numbers swing hard on case facts [5]. Here's the honest risk picture. One willful violation on its own is survivable. A pattern of ignoring the scrub rule across thousands of calls is where companies go under.

Do Not Call violation penalties by enforcement layer Maximum per-violation amounts under federal and sample state law FTC / TSR civil penalty (per viol… $53k TCPA private suit, willful (per c… $1,500 TCPA private suit, negligent (per… $500 Georgia state penalty, 3rd+ offen… $5,000 Georgia state penalty, 1st offens… $1,000 Source: FTC (16 CFR Part 310), 47 U.S.C. § 227, O.C.G.A. § 46-5-27

Do Not Call penalty and fee comparison table

Here's how the cost layers stack up for a business that ignores the DNC rules:

Enforcement layerWho brings itPer-violation amountWho it benefits
FTC / TSR civil penaltyFTCUp to $53,088 [5]Government
TCPA private suit (negligent)Any consumer or plaintiff attorney$500 [2]Consumer / attorney
TCPA private suit (willful)Any consumer or plaintiff attorney$1,500 [2]Consumer / attorney
Georgia state penalty (1st offense)GA AG or consumerUp to $1,000 [4]Consumer
Georgia state penalty (3rd+ offense)GA AG or consumerUp to $5,000 [4]Consumer
FTC Registry access fee (compliance cost)N/A$79 per area code, $18,538 national cap [1]Business (cost of compliance)

The math is stark. Paying $18,538 for the full national Registry is nothing next to a single class action. Businesses that skip the fee to save money and then get sued didn't save a dime.

What is the Georgia Do Not Call list and does it apply to my business?

Georgia runs its own telemarketing program under O.C.G.A. § 46-5-27, administered by the Georgia Public Service Commission [4]. Any business soliciting Georgia residents by phone has to comply with both the federal Registry and the Georgia list. They're separate obligations, not swap-outs.

The georgia do not call list covers residential telephone subscribers in the state. Consumer registration is free and permanent. The law bars solicitation calls to registered numbers and requires businesses to buy access to the state list on top of the national Registry.

Enforcement flows through the Georgia Attorney General and the PSC. Private consumers can bring civil actions too. The penalty tiers (up to $5,000 per violation for repeat offenders) mean a Georgia-heavy campaign that skips the state list carries real legal exposure, not a paperwork nuisance [4].

If you run a national operation, Georgia is one of several states with its own independent list. Indiana has one. Pennsylvania has one. For those, read our breakdowns of the indiana do not call list and the do not call list pa.

Prior express written consent is the strongest exemption you can hold. Under the TCPA, the FCC defines it as a written agreement that clearly authorizes the caller to deliver calls or texts to a specific number using an autodialer or prerecorded voice, and that shows the consumer understood what they agreed to [2][6]. You get the consent before the call, and you keep records you can produce.

For live manual calls to numbers not run through an autodialer, the TCPA bar is lower: prior express consent, not necessarily written. But the TSR's EBR rules and your own practices still matter. The FTC has said flatly that consent obtained through deception or buried in fine print doesn't count.

A 2024 FCC ruling tightened things hard. It required consent for robocalls and robotexts to be obtained on a one-to-one basis, so consent captured on a lead-gen form can't be handed off to multiple sellers [6]. That's a big deal for anyone buying leads. If your leads came through a form listing several potential callers, your consent basis is now legally shaky under that ruling. The order was set to take effect in early 2025, and litigation over it continues, so watch the status before you rely on old multi-seller consent.

The takeaway is simple. Written, specific, documented consent tied to the exact number you're calling is the only position that survives a fight. Anything weaker leaves you leaning on the EBR, which expires, or on the hope that nobody complains.

For how consent works with mobile numbers, see mobile phone do not call list.

How should a business set up an internal Do Not Call policy?

The TSR requires any business making more than a token amount of outbound telemarketing to keep a written internal DNC policy, train staff on it, and honor opt-out requests within 30 days [3]. This is not optional. "We use the national Registry" is not a substitute. They're separate requirements.

A working internal DNC policy has five pieces:

1. A central list every caller and dialer checks before connecting any call. 2. A process that adds numbers the moment a consumer asks for no further contact, through any channel (phone, email, text, mail). 3. A retention period of at least five years for opt-out records and the dates they were honored. 4. Training, at least once a year, for anyone who dials or manages the dialer. 5. A supervisor or third-party audit at least annually to spot-check compliance.

Many CRMs automate parts of this. Automation still isn't a compliance program. The TSR wants the written policy to exist as an actual document. In litigation, the first thing plaintiff's counsel asks for is that policy. Can't produce it? You're behind before anyone argues the facts.

LeadCompliant's free compliance kit includes a template internal DNC policy and a scrub-date tracking worksheet. Download them and adapt them without hiring an attorney for the basic structure, though you should get legal review before you rely on any compliance document.

What happens when someone reports a business for calling a Do Not Call number?

Consumers report violations at donotcall.gov or by calling 1-888-382-1222 [1]. The FTC uses complaint data to spot patterns. A single complaint rarely triggers a formal investigation. A company sitting on hundreds of complaints across a region or a stretch of time is another matter.

The FTC and FCC share complaint data. State attorneys general can reach the databases. The FCC takes its own complaints through the Consumer Complaint Center [10]. None of these fire off instant enforcement, but they all feed the same investigatory pipeline.

From your side of the phone, you probably won't know you've been reported. The FTC doesn't tip off the caller. You might get a Civil Investigative Demand months or years after the complaints landed. By then, the records you kept (or didn't) decide how the story goes.

Private plaintiffs skip the FTC system entirely. They or their attorneys find violations, gather evidence (often by calling their own registered number and logging the result), and file straight in federal district court. The TCPA's private right of action has built a whole cottage industry of plaintiff-side attorneys doing this at scale.

For a closer look at reporting, see do not call list report.

Are there Do Not Call rules for B2B calls, and do they differ?

The National Do Not Call Registry generally doesn't cover business-to-business calls. Calling a company's published line to pitch a procurement manager? The Registry doesn't apply [3]. The TSR focuses on calls to residential subscribers.

The B2B exception has hard limits. First, cell phones are tricky. That work cell you're dialing may also be the contact's personal cell. The TCPA's autodialer and prerecorded-call restrictions cover cellular numbers no matter the business purpose. You can't autodial a cell without prior express consent, even for a B2B pitch [2].

Second, state laws vary. Some statutes run broader than federal law and reach small business owners or sole proprietors. In California, for instance, state privacy law and AG interpretations have stretched who counts as a "consumer" in ways that can touch small-business contacts.

Third, even on a clean B2B call, the rest of the TSR still binds you: no misrepresentation, proper caller identification, truthful material statements. The B2B carve-out is narrow. It's about the Registry scrub requirement specifically, not the whole TSR.

Here's what I'd do. If your list mixes consumer and business numbers and you can't say which is which, scrub everything. The Registry subscription is a rounding error next to the exposure from dialing a residential number you mislabeled as commercial.

How do state Do Not Call lists interact with the national Registry?

State DNC lists are additive, not replacements. You comply with the national Registry and any applicable state list. Following one does not excuse ignoring the other [7].

As of 2024, states with their own active DNC registries or enhanced telemarketing protections include Georgia, Florida, Indiana, Pennsylvania, Wyoming, and several others [7]. Each has its own consumer registration process, its own business-access process, and its own penalty structure. Some charge businesses for access. Some are free.

The national Registry gives you a single scrub point for federal compliance. But you separately confirm whether each state you call keeps its own list and comply with that state's law. This is one of the more operationally annoying parts of running a national calling program.

A common shortcut lands businesses in trouble. They scrub the federal Registry, assume they're clear, then eat a state AG action for the state list they skipped. Georgia and Florida have both been active here.

For how the federal Registry works at the base level, our ftc do not call list and government do not call list articles walk through the framework. For core registry mechanics, see dnc registry.

What records does a business need to keep for Do Not Call compliance?

The TSR requires sellers and telemarketers to keep telemarketing records for 24 months from the date the record was last used [3]. 16 CFR Part 310 spells out what those records hold: the name and last known address of each consumer who asked for no further calls, the products or services offered, the date and nature of any prize offered, and records of verifiable authorizations.

In practice, keep:

  • Date-stamped Registry downloads (to prove your scrub was fresh).
  • Call logs with timestamps, the caller ID used, and the number dialed.
  • Consent records: the form, the IP address, the timestamp, and the exact language the consumer agreed to.
  • Your internal DNC list with the date each number was added and why.
  • Training records for every employee who dialed or supervised calls.

Two years is the federal floor. Many compliance attorneys push for five to seven years, because TCPA class actions can land long after the calls happened and discovery can reach back to the start of the relevant period. The FTC also has a longer window for willful violations.

Cloud storage is fine. What counts is your ability to retrieve and produce any specific record fast when a legal demand arrives. Records that technically exist but can't be found in practice are the same as no records when you're standing in front of a judge.

Frequently asked questions

Can a business number be added to the National Do Not Call Registry?

No. The Registry covers residential telephone subscribers and personal wireless numbers, not business lines registered to companies. Sole proprietors using a personal or residential line for work may have that number covered. Cell phones blur the line further: the TCPA protects cellular numbers separately from the Registry, regardless of whether they're used for business, so you can't autodial one without consent.

How often does a business need to scrub its call list against the Registry?

The FTC's Telemarketing Sales Rule requires you to check each number against a version of the Registry no more than 31 days old before you dial. Most compliance teams pull a fresh list every 28 days to build in a buffer. Calling from a list that hasn't been refreshed within 31 days is a violation, even if the number wasn't on the Registry at your last scrub.

What is the established business relationship exemption, and does it override DNC registration?

The established business relationship (EBR) exemption allows calls to consumers who bought something within 18 months or made an inquiry within 3 months, even if their number is registered. It's not absolute. If a consumer makes a written request to stop calls, the EBR ends immediately for that number, and you must honor the request within 30 days. The EBR never overrides an explicit opt-out.

Does the Georgia Do Not Call list require separate registration from the national Registry?

Yes. Georgia's law under O.C.G.A. § 46-5-27 runs independently of the federal Registry. Businesses calling Georgia residents must access and scrub the Georgia list separately. Compliance with the national Registry alone does not satisfy Georgia's requirements. Penalties reach up to $5,000 per violation for repeat offenders, enforced by the Georgia Attorney General and the Public Service Commission.

What is the penalty for calling a number on the Do Not Call Registry?

The FTC can assess civil penalties up to $53,088 per violation under the TSR. Under the TCPA, private plaintiffs can sue for $500 per negligent violation or $1,500 per willful violation, with no cap on the number of violations in a class action. State penalties stack on top. The TCPA private right of action is usually the bigger practical risk, since any consumer can file without waiting for a federal agency.

How does a business get access to the National Do Not Call Registry?

Register at donotcall.gov and pay $79 per area code per year, capped at $18,538 for full national access. After registering, download the numbers for the area codes you bought and scrub your list against them. You must re-download at least every 31 days to stay compliant. A free option lets you verify up to five numbers at a time, which covers very small operations.

Do Do Not Call rules apply to B2B telemarketing calls?

The National Do Not Call Registry generally doesn't apply to business-to-business calls to commercial lines. But there are limits: autodialing a business contact's cell phone still requires prior express consent under the TCPA, regardless of the business purpose. Some state laws extend protections to sole proprietors. If your list mixes consumer and business numbers, scrub everything rather than sorting each number by type.

What must be in a company's internal Do Not Call policy?

The TSR requires a written policy, training for calling staff, and a process to add numbers to your internal list within 30 days of any opt-out. Include a central DNC list every dialer checks before connecting calls, a process to record opt-outs from any channel, a five-year retention period for opt-out records, and an annual audit. The written policy must exist as a document you can produce in litigation.

Yes, for both the Registry and the TCPA's autodialer restrictions. Written consent from the consumer to receive calls or texts, obtained before the call, is a valid exemption even if the number is registered. After a 2024 FCC ruling, consent for robocalls and robotexts must be obtained on a one-to-one basis, so consent gathered on a multi-seller lead form may no longer hold up for TCPA purposes.

How long does a business need to keep Do Not Call compliance records?

The TSR requires records kept for at least 24 months from the date last used. That includes Registry download dates, call logs, consent records, and your internal DNC list with the dates numbers were added. Many compliance attorneys recommend five to seven years, because TCPA class actions can be filed long after the calls occurred and discovery can reach back to the start of the relevant program.

What is a do not call telemarketer list and how does it differ from the national Registry?

The phrase 'do not call telemarketer list' usually means the same National Do Not Call Registry the FTC runs. Some states and third-party vendors use similar wording for their own lists. The key difference: the national Registry is a consumer opt-out mechanism, while an internal DNC list is a company's own record of people who asked that specific business to stop calling. Both are legally required and run in parallel.

Can a business be sued directly by a consumer for DNC violations, or only by the FTC?

Both. The TCPA's private right of action at 47 U.S.C. § 227(c)(5) lets any person who gets more than one call within 12 months from the same entity in violation of DNC rules sue in federal court for $500 to $1,500 per violation. No FTC involvement needed. Plaintiff attorneys specialize in aggregating these claims into class actions covering thousands of calls, which is where the largest exposure lives.

What is the do not call list number for consumers to register or for businesses to check?

Consumers register or verify by calling 1-888-382-1222 from the number they want registered, or online at donotcall.gov. Businesses access the Registry for scrubbing through the business portal at donotcall.gov, not the consumer phone line. The consumer registration number is not a business compliance resource. Businesses need a paid account through the FTC's portal to download the actual list for scrubbing.

Sources

  1. FTC, National Do Not Call Registry (donotcall.gov): Registry holds roughly 245 million active registrations; $79 per area code, $18,538 national cap; consumers register at donotcall.gov or 1-888-382-1222
  2. Cornell Law / Legal Information Institute, 47 U.S.C. § 227 (TCPA): TCPA private right of action: $500 per negligent violation, $1,500 per willful violation; prior express written consent exemption; residential and cellular subscriber protections
  3. FTC, Telemarketing Sales Rule, 16 CFR Part 310: TSR requires scrub against Registry no more than 31 days old; EBR exemption (18 months/3 months); internal DNC policy required; 24-month record retention; honor opt-outs within 30 days
  4. Georgia General Assembly, O.C.G.A. § 46-5-27: Georgia Do Not Call law covers residential subscribers; penalties up to $1,000 first offense, $2,000 second, $5,000 third and subsequent violations; administered by GA PSC
  5. FTC, Telemarketing Sales Rule rulemaking and enforcement: FTC civil penalty up to $53,088 per TSR violation; FTC has obtained multi-million-dollar penalties in robocall enforcement actions
  6. FTC, Consumer Advice (do not call and telemarketing): Multiple states including Georgia, Florida, Indiana, and Pennsylvania maintain their own DNC registries that operate independently of the federal list; compliance with federal Registry does not satisfy state requirements
  7. U.S. Congress, Do-Not-Call Improvement Act of 2007 (Public Law 110-187): Congress made DNC registrations permanent in 2008; numbers no longer expire after five years
  8. FTC, Business Guidance: B2B calls to commercial lines generally not covered by Registry; TSR focuses on residential subscribers; businesses must maintain written internal DNC policy
  9. FCC, Consumer Complaint Center: FCC enforces TCPA separately from FTC enforcement of TSR; FCC takes consumer complaints through its Consumer Complaint Center; autodialer restrictions apply to cellular numbers regardless of business purpose

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit