Last updated 2026-07-09

TL;DR
Federal telemarketing do-not-call rules come from the TCPA (47 U.S.C. § 227), the FTC's Telemarketing Sales Rule, and FCC regulations. Calling a number on the National Do Not Call Registry can cost up to $1,500 per call in private TCPA suits or up to $51,744 per call in FTC enforcement. Financial firms also answer to FINRA Rule 3230. State laws often go further. This guide covers every layer.
What are the telemarketing do not call rules, and where do they come from?
Three federal bodies regulate telemarketing calls in the United States, and most states pile their own layer on top.
The Telephone Consumer Protection Act (TCPA), codified at 47 U.S.C. § 227, is the foundation [1]. Congress passed it in 1991. The Federal Communications Commission (FCC) writes the implementing rules. Then the FTC created the National Do Not Call Registry in 2003 under the Telemarketing Sales Rule (TSR), 16 C.F.R. Part 310, and shares enforcement authority with the FCC [2]. Financial industry firms answer to FINRA Rule 3230, which mirrors many TCPA requirements but adds broker-dealer obligations of its own.
These frameworks do not overlap cleanly. A call can be legal under the TCPA and illegal under a state mini-TCPA, or compliant with the TSR and still violate FINRA Rule 3230. That gap is the reality outbound teams have to build around.
Strip it down and the rules say this: before you call a residential or mobile number for telemarketing, check it against the National DNC Registry, keep an internal DNC list, and honor any opt-out the consumer has given you. The TCPA stacks a separate layer around autodialers and prerecorded messages that applies even when you are not selling anything.
How does the National Do Not Call Registry work?
The National DNC Registry is a database of phone numbers that consumers register to stop most telemarketing calls [2]. The FTC runs it. Anyone can register a number at donotcall.gov, and registration never expires. The registry held more than 249 million actively registered numbers at the close of fiscal year 2023 [3].
For callers, the rules are:
- Scrub your call list against the registry before each campaign. The FTC requires access through a paid subscription for organizations making more than a minimal number of calls. Subscriptions are organized by area code.
- Re-scrub at least every 31 days. If a number was clean when you pulled your list but the consumer registered before your call, your only defense is a scrub inside the 31-day window [2].
- A newly registered number takes up to 31 days to appear in the registry data. The window cuts both ways: callers get 31 days of safe harbor, consumers get 31 days of exposure after registering.
The "established business relationship" (EBR) exemption is real but narrow. If a consumer made a purchase, payment, or inquiry within the prior 18 months, or made an application within the prior 3 months, you may call even if their number sits on the DNC registry [2]. But if that same consumer has told you directly not to call, the EBR exemption vanishes on the spot. Their direct opt-out wins.
Charities, political organizations, and survey researchers fall outside the National DNC Registry rules, though state laws sometimes disagree. Call on behalf of a charity as a for-profit fundraiser and the exemption may not cover you at all.
What does the TCPA actually prohibit for outbound calls?
The TCPA reaches further than most people think. It is not only about DNC lists. The statute at 47 U.S.C. § 227(b) bans:
1. Using an automatic telephone dialing system (ATDS) or prerecorded voice to call any mobile number without prior express consent. 2. Using a prerecorded voice to call residential lines for marketing without prior express written consent. 3. Calling any number on the National DNC Registry for telemarketing without a valid exemption.
The ATDS definition has been fought over for years. The Supreme Court's 2021 ruling in Facebook, Inc. v. Duguid narrowed it. A system counts as an ATDS only if it has the capacity to store or produce numbers using a random or sequential number generator and dial them [4]. That knocked a lot of predictive dialers out of the definition. It did not end TCPA exposure. Prerecorded calls to cell phones stay restricted even without ATDS equipment.
Prior express written consent for marketing calls means a signed agreement (electronic signatures count) that clearly authorizes the specific seller to call or text, that says an autodialer or prerecorded message may be used, and that includes the phone number the consumer is authorizing [5]. The form cannot require the consumer to agree as a condition of buying anything. "Lead gen" forms that grab a number and check a box agreeing to calls from "our partners" have drawn more and more challenges. The FCC's one-to-one consent rule, adopted in its December 2023 order, tightened this by requiring consent to name each seller specifically instead of hiding behind a category like "marketing partners" [5].
Teams doing purely manual calling with live agents to landlines carry the thinnest TCPA exposure. The DNC rules still apply in full. If your sales team is hand-dialing a list, the scrubbing obligation does not disappear.
What are the fines and penalties for violating do not call rules?
This is where teams start paying attention.
The FTC raises its civil penalty ceiling every year for inflation. As of 2024, the maximum FTC penalty per TSR violation is $51,744 [6]. That is per call, per violation. The FCC's TCPA statutory damages run $500 per negligent violation, which a court trebles to $1,500 for willful or knowing violations [1]. Private plaintiffs can sue under the TCPA without proving any actual harm, which is why class actions pile up. Ten thousand calls to DNC-listed numbers translates to $5 million to $15 million in exposure before you count a dime of litigation cost.
In one 2023 case the FTC went after a single robocall operation it accused of placing more than a billion illegal calls, and the operators agreed to a judgment of $299 million [7]. Most small teams will never draw that kind of enforcement. But one plaintiff and one TCPA suit can end a small outbound shop.
State attorneys general bring claims under state telemarketing laws too, and those often carry separate per-call fines. Some states hand consumers a private right of action under their own statutes on top of the federal TCPA one.
| Violation type | Statutory amount | Trebled (willful) |
|---|---|---|
| TCPA per call (private suit) | $500 | $1,500 |
| FCC TCPA per call (enforcement) | Up to $23,727 (2024 ceiling) | Higher for willful |
| FTC TSR per call (enforcement) | Up to $51,744 (2024) | N/A (civil penalty) |
| FINRA Rule 3230 (firm) | Case by case | Varies |
FINRA fines under Rule 3230 for broker-dealers get set case by case, but FINRA has imposed six-figure sanctions on firms that failed to keep adequate DNC procedures or called registered numbers with no valid exemption.
What is FINRA Rule 3230 and how does it relate to telemarketing do not call rules?
FINRA Rule 3230, titled "Telemarketing," applies to FINRA member firms: broker-dealers and their associated persons [8]. If your outbound sales team works for or on behalf of a registered broker-dealer, Rule 3230 is your framework.
Rule 3230 tracks the FTC's TSR and the TCPA's DNC requirements closely, then adds securities-industry duties on top. Key requirements:
- A written do-not-call policy. Not a habit, a documented policy.
- Training for registered persons who do telemarketing on their DNC obligations.
- An internal DNC list, with requests honored within 30 days.
- Scrubbing against the National DNC Registry before calling.
- Calls only between 8 a.m. and 9 p.m. in the called party's time zone.
- Identifying the caller and the firm at the start of each call.
The rule requires members to have procedures in place to honor do-not-call requests and to train their people on those procedures. Compliance here is not optional. FINRA examiners want written evidence of the policy and training records during routine exams.
Broker-dealers sometimes assume that complying with the TCPA covers Rule 3230 automatically. That assumption has cost firms real money. Rule 3230 can be violated on its own even where the TCPA is not, because FINRA applies its own standards through its exam and enforcement process, separate from any FCC or FTC action.
For financial-services teams weighing cold calling as a channel, the FINRA layer means the documentation has to run more formal than a typical sales team keeps. Written policies, training logs, and documented scrubbing procedures are the floor, not the ceiling.
Rule 3230 also carries the established business relationship exemption and the personal relationship exemption, both of which track the TSR's definitions closely. But the burden sits on the firm to document that an exemption applied.
What hours can telemarketers legally call?
Federal rules under both the TSR and the TCPA allow telemarketing calls only between 8 a.m. and 9 p.m. in the called party's local time [2]. The phrase that matters is "called party's local time." If your team sits in California and calls a Florida number at 5 p.m. Pacific, that is 8 p.m. Eastern. Legal. Dial the same Florida number at 6:30 p.m. Pacific and you just called at 9:30 p.m. Eastern. Illegal.
FINRA Rule 3230 uses the same 8 a.m. to 9 p.m. window in the time zone of the person being called.
Several states squeeze this tighter. Some cap calls at 9 a.m. to 8 p.m. or narrower. Run a national campaign and the safest operating window is 9 a.m. to 8 p.m. in the recipient's time zone. It keeps you clean in the strictest states without geo-filtering every number on the fly.
Holidays carry no federal restriction, but some states ban calls on Sundays or specific holidays. State law can always be stricter.
What is an internal do not call list, and are you required to have one?
Yes, you have to have one. The TSR and the FCC's TCPA rules both require any entity engaged in telemarketing to keep an internal DNC list [2]. This sits separate from the National DNC Registry scrubbing obligation.
The internal DNC list captures consumers who told your organization not to call them again. When someone on a call says "take me off your list" or "don't call me again," you have to honor that request within 30 days under the TSR (FINRA Rule 3230 also says 30 days). Under the TCPA rules, the FCC wants the request honored at the time of the call or within a reasonable period, but 30 days is the safe harbor most teams work to.
The internal DNC list is company-specific and permanent. No expiration. If a consumer opted out five years ago and you lost the record in a CRM migration, that is not a defense. Courts have shown little patience for recordkeeping failures.
Common internal DNC list failures:
- Not syncing the list across subsidiaries or affiliated brands calling the same consumers.
- Not preserving opt-out records through CRM transitions.
- Treating an opt-out as covering only one product instead of the whole organization.
- Not training agents to catch and log verbal opt-outs in real time.
If someone on your team is new to cold call work, internal DNC handling is one of the first procedures to drill.
Which states have stricter do not call laws than the federal rules?
Most states run their own telemarketing statutes, and many are meaningfully stricter than federal rules. The federal TCPA and TSR set a floor, not a ceiling.
California's automatic dialing statute (California Public Utilities Code § 2871 et seq.) and the California Consumer Privacy Act both add restrictions. Indiana runs one of the more aggressive state DNC registries, kept separate from the federal one, with its own registration and scrubbing rules. Texas, Florida, and several other states maintain separate state DNC lists that demand independent compliance [9].
Patterns that show up again and again in state laws:
- Shorter caller identification windows (some states want ID inside the first 30 seconds, not a vague reasonable time).
- Narrower calling hours.
- Restrictions on specific technologies (some states limit predictive dialers even where the post-Duguid federal ATDS definition would not reach them).
- Private rights of action letting residents sue individually, on top of the federal TCPA right.
- Higher per-call statutory damages than the federal $500/$1,500 range.
Florida's Mini-TCPA deserves specific attention. Effective July 2021, Florida Statute § 501.059 bans automated calls and texts to Florida residents without prior express written consent, regardless of whether the equipment qualifies as an ATDS under the post-Duguid federal test [10]. Florida plaintiffs can collect $500 per call and $1,500 for willful violations under state law, alongside any federal TCPA claim.
The practical takeaway: if you call nationally, you need a map of which states run separate DNC registries and you have to scrub against all of them, more than the federal one. You also need to know which states passed mini-TCPAs with technology definitions broader than the post-Duguid federal standard.
What disclosures are telemarketers required to make on every call?
The TSR at 16 C.F.R. § 310.4 sets the minimum disclosures for every outbound telemarketing call [2]. At the start of each call, the caller must:
1. Promptly disclose the identity of the seller. 2. Disclose that the call is a sales call, before asking for any financial information. 3. Disclose the nature of the goods or services being offered.
The FCC's TCPA rules add that a prerecorded message must state at the beginning who is responsible for initiating the call, and must provide a phone number during or after the message that the consumer can call to get on an internal DNC list [5].
FINRA Rule 3230 independently requires broker-dealer telemarketers to identify themselves and their firm at the start of each call.
These are not technicalities. Failing to promptly identify yourself as a sales caller, especially in prerecorded messages, is one of the most common FTC enforcement hooks. The requirement to say it is a sales call before asking for financial information exists so consumers can hang up before handing over anything sensitive.
For teams building cold calling scripts, the opening ten seconds of every script needs your name and company before any pitch starts. That is both the legal requirement and, in practice, the only way to earn the trust that makes the rest of the call worth having.
How do you set up a compliant telemarketing do not call process from scratch?
Here is what a working DNC compliance process looks like for a small outbound team. These are the steps that hold up under scrutiny.
Step 1: Subscribe to the National DNC Registry. Go to telemarketing.donotcall.gov and create an organization account. Subscribe to the area codes your team will call. Costs scale with volume; the FTC publishes the current fee schedule [3]. Budget for annual renewal.
Step 2: Build your internal DNC list. Your CRM needs a hard stop that blocks agents from dialing any number flagged as opted out. The flag stays permanent unless the consumer re-consents. Export and back up this list on a schedule.
Step 3: Set a scrubbing cadence. Pull fresh DNC data at least every 31 days. Plenty of compliance teams scrub weekly. It costs little extra and kills the 31-day window risk.
Step 4: Check state-specific registries. If your campaigns hit Indiana, Colorado, Wyoming, or other states with separate registries, subscribe to those on their own.
Step 5: Write your DNC policy. FINRA Rule 3230 requires a written policy for broker-dealers, and it is good practice for everyone. The policy should name who owns scrubbing, how opt-outs get logged, what training is required, and the escalation path when a possible violation surfaces.
Step 6: Train your agents. Every person who dials has to understand the calling-hour rules, how to handle an opt-out in real time, the disclosure requirements, and what to do when a consumer questions your right to call. Document the training.
Step 7: Audit regularly. Pull call records monthly and sample-check that DNC-listed numbers got no calls, that opt-outs were logged within 30 days, and that every call landed inside permitted hours.
LeadCompliant offers a free DNC number checker and a one-time compliance kit with templates that walk through this process. If you want to skip the build-from-scratch phase, that is a reasonable place to start.
For teams testing AI cold calling tools, the process above still applies in full. Automated systems need the same DNC scrubbing, and prerecorded AI voice calls to cell phones require prior express written consent no matter what the vendor tells you about the technology.
What consent do you need before calling a mobile number for sales?
This is the question that produces the most TCPA litigation, so it earns a direct answer.
For a live agent hand-dialing a mobile number for sales, federal law does not require prior consent under the TCPA (though state laws may). The DNC registry rules still apply. If the number is on the registry and no exemption fits, you cannot call, autodialer or not.
For a prerecorded voice message to a mobile number, or a call placed with an ATDS to a mobile number, the TCPA requires prior express written consent for marketing calls [5]. The FCC's definition of prior express written consent means a signed agreement that:
- Authorizes the specific seller to place calls or texts.
- Names the telephone number being authorized.
- States that an autodialer or prerecorded voice may be used.
- Is not a condition of any purchase.
The FCC's December 2023 order (Report and Order in CG Docket No. 21-402) adopted a one-to-one consent requirement effective January 27, 2025 [5]. A single lead form can no longer collect consent for a broad slate of sellers. Consent goes to one seller at a time, for a logically and topically related type of call.
Lead generation companies that sold "consent" across many buyers took the biggest hit from this rule. If you bought leads whose consent was collected before January 2025 under the old "marketing partners" model, that consent no longer holds up.
For anyone still figuring out what is cold calling in sales, the consent framework matters most the moment you add any automated touchpoint to your outreach sequence.
Are there exemptions to the do not call rules outbound teams can legitimately use?
Yes, several. They are narrower than most teams assume.
Established Business Relationship (EBR): a purchase, payment, or inquiry within the prior 18 months, or an application within the prior 3 months, creates an EBR. A direct opt-out from the consumer kills the EBR immediately and permanently. The EBR exemption does not touch the TCPA's robocall and autodialer restrictions. It only exempts the call from the National DNC Registry requirement.
Prior Express Invitation or Permission: if the consumer signed a written agreement to be called, that covers both the DNC registry restriction and the TCPA autodialer restriction for marketing calls, subject to the one-to-one consent rules above.
Personal Relationship: if the caller has a genuine personal relationship with the consumer (an actual acquaintance, not a business contact), the call may be exempt. This almost never fits a commercial outbound team.
B2B Calls: calls to businesses rather than consumers generally fall outside the National DNC Registry and the TCPA's residential calling restrictions. But if you call a mobile number registered to an individual who happens to work at a business, the TCPA autodialer restrictions still apply to that mobile number. The post-Duguid narrowing of the ATDS definition helped here, though prerecorded calls to business mobile numbers stay restricted.
Exempt Callers: political campaigns, charities calling directly for donations (not through third-party for-profit fundraisers), and survey researchers fall outside the National DNC Registry. State laws vary on all of these.
One exemption that does not exist: "we have a product they'd want." No product-relevance exemption lives in any federal telemarketing statute.
Frequently asked questions
How do I check if a number is on the Do Not Call Registry before calling?
Go to telemarketing.donotcall.gov and subscribe to the National DNC Registry. You can then pull the registry data by area code and scrub your call lists against it. The FTC requires scrubbing within 31 days of each campaign. Several third-party compliance tools also offer automated DNC scrubbing as a service, which is practical for teams dialing high volumes.
What is the difference between the National DNC Registry and an internal do not call list?
The National DNC Registry is a federal database consumers opt into to stop most telemarketing calls. Your internal DNC list is a company-maintained record of consumers who asked your organization specifically not to call again. Both are legally required. The internal list applies even to numbers not on the national registry, and opt-outs on it are permanent unless the consumer re-consents.
How long do I have to honor a do not call request?
The FTC's Telemarketing Sales Rule requires honoring DNC requests within 30 days. FINRA Rule 3230 sets the same 30-day window for broker-dealers. The FCC's TCPA rules say the request must be honored at the time of the call or within a reasonable period, but treating 30 days as the deadline keeps you inside all three frameworks. Log verbal opt-outs during a live call in real time.
Does FINRA Rule 3230 apply to my sales team if we sell financial products?
If your firm is a FINRA member broker-dealer and your sales team does telemarketing, yes. Rule 3230 requires a written DNC policy, agent training, a maintained internal DNC list, scrubbing against the National DNC Registry, and calling only between 8 a.m. and 9 p.m. in the called party's time zone. Violations draw FINRA disciplinary action separately from any FTC or FCC enforcement.
Can I call a number on the DNC Registry if the person is an existing customer?
Yes, if the established business relationship (EBR) exemption applies. You can call a number on the National DNC Registry if the consumer made a purchase, payment, or inquiry within the prior 18 months, or submitted an application within the prior 3 months. If that consumer has ever told you directly not to call, the EBR exemption no longer covers their number.
What hours can telemarketers legally call residential numbers?
Federal law under both the FTC's Telemarketing Sales Rule and the FCC's TCPA regulations permits calls between 8 a.m. and 9 p.m. in the called party's local time zone. FINRA Rule 3230 uses the same window. Several states restrict calls further, some to 9 a.m. to 8 p.m. Running campaigns within 9 a.m. to 8 p.m. in the recipient's time zone is the safest universal approach.
What disclosures does a telemarketer have to make at the start of a call?
The FTC's Telemarketing Sales Rule requires prompt disclosure of the seller's identity, that the call is a sales call, and the nature of the goods or services offered. The FCC requires prerecorded messages to identify the calling entity at the beginning and provide a callback number for DNC requests during or after the message. FINRA Rule 3230 requires broker-dealers to identify themselves and their firm at the start of every call.
Are business-to-business calls covered by do not call rules?
Generally B2B calls fall outside the National DNC Registry rules. The TCPA's residential DNC provisions focus on consumers. But calling a mobile phone with an autodialer or prerecorded message is restricted by the TCPA whether the recipient is a business or a consumer. Post-Duguid, the ATDS definition is narrower, yet prerecorded calls to business mobile numbers still require prior express consent under federal law.
Can AI-generated voice calls to prospects trigger TCPA liability?
Yes. If an AI voice system places prerecorded calls to mobile numbers without prior express written consent, that violates the TCPA no matter how sophisticated the technology is. In a February 2024 declaratory ruling, the FCC confirmed that AI-generated voices used in calls fall within the prerecorded and artificial voice restrictions under 47 U.S.C. § 227(b). Consent requirements apply fully.
How much does it cost to subscribe to the National DNC Registry?
The FTC charges based on the number of area codes accessed. As of 2024, the annual fee is $79 per area code, with access to the first five area codes free. A national campaign covering all area codes costs several thousand dollars per year, capped at a set maximum. The exact fee schedule is published at telemarketing.donotcall.gov and updated annually for inflation.
What happens if I call someone who is on the Do Not Call Registry by mistake?
The TCPA provides a safe harbor if you have written procedures in place, scrubbed your list within 31 days, and the call was an isolated error, not the result of failing to honor previous DNC requests. The safe harbor is no free pass for systemic failures. A single documented error rarely draws regulatory action, but private plaintiffs can still bring TCPA claims over individual violations.
Do text messages count as telemarketing calls under DNC rules?
Text messages sent with an autodialer or for marketing get treated as calls under the TCPA. The FCC has consistently held that texts fall within 47 U.S.C. § 227's restrictions on calls to mobile numbers. National DNC Registry scrubbing applies to marketing texts as well as voice calls. Prior express written consent is required for marketing texts sent via autodialer to mobile numbers.
Does the FCC's one-to-one consent rule affect my lead-buying process?
Yes, significantly. The FCC's December 2023 order, effective January 27, 2025, requires that consent for automated marketing calls and texts go to one seller at a time, not to a broad category of partners. Lead forms that captured consent for multiple buyers no longer comply. If you purchase leads, verify that each lead's consent specifically named your company before you dial.
Which states have their own do not call registries separate from the federal registry?
Several states run registries that require separate scrubbing, including Indiana, Colorado, and Wyoming, among others. Indiana's state DNC registry is among the most actively enforced at the state level. If you run national campaigns, check the current list of state registries, since states occasionally add or update programs. Compliance means scrubbing against both the federal registry and any applicable state registries.
Sources
- Legal Information Institute (Cornell), 47 U.S.C. § 227, Telephone Consumer Protection Act: The TCPA is codified at 47 U.S.C. § 227 and provides $500 per violation, trebled to $1,500 for willful violations.
- Federal Trade Commission, Telemarketing Sales Rule (16 C.F.R. Part 310) and Do Not Call guidance: The TSR requires scrubbing the National DNC Registry, honoring opt-outs within 30 days, calling only 8 a.m. to 9 p.m. local time, and maintaining an internal DNC list.
- Federal Trade Commission, National Do Not Call Registry: The National DNC Registry held more than 249 million actively registered numbers at the close of fiscal year 2023.
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held in 2021 that an ATDS must have the capacity to store or produce numbers using a random or sequential number generator and dial them.
- Federal Trade Commission, Civil Penalty Inflation Adjustments (2024): The maximum FTC civil penalty per TSR violation was $51,744 as of 2024.
- Federal Trade Commission, News and Press Releases (2023 robocall enforcement action): The FTC alleged more than a billion illegal calls and obtained a $299 million judgment in a 2023 robocall enforcement action.
- FINRA, Rule 3230 Telemarketing: FINRA Rule 3230 requires member firms to maintain a written DNC policy, train personnel, maintain an internal DNC list, scrub the National DNC Registry, and restrict calls to 8 a.m. to 9 p.m. in the called party's time zone.
- Indiana Attorney General, Do Not Call program: Indiana maintains a state-level Do Not Call program separate from the federal registry that requires independent compliance.
- Florida Legislature, Florida Statutes § 501.059: Florida's Mini-TCPA, effective July 2021, bans automated calls and texts to Florida residents without prior express written consent and provides $500 per violation, $1,500 for willful violations.