Last updated 2026-07-10

TL;DR
Outbound dialing compliance failures expose companies to TCPA liability of $500 to $1,500 per call or text, state-law penalties, and class actions that settle in the tens of millions. The main risks are calling without proper consent, ignoring Do Not Call lists, using auto-dialers without authorization, and missing state rules that go past federal law.
What is outbound dialing compliance and why does it matter legally?
Outbound dialing compliance is the set of rules a company follows every time it calls or texts a consumer. The legal spine is the Telephone Consumer Protection Act of 1991, codified at 47 U.S.C. § 227 [1]. The FCC writes the implementing regulations, currently at 47 C.F.R. Part 64, Subpart L [2]. On top of federal law sit state statutes, many of them stricter.
Why does this matter? The TCPA gives individuals a private right of action. A consumer can sue you directly, no regulator required. No class certification is needed to start a case, though most TCPA cases become class actions. A single unsolicited robocall campaign can produce a class of millions.
The math is brutal. Statutory damages run $500 per violation for a negligent violation, and up to $1,500 per violation if a court finds the violation was willful or knowing [1]. Multiply that by 100,000 texts and exposure hits $150 million before trial. Courts have entered those numbers. In 2022, an Oregon jury returned a $925 million verdict against a nutrition company for a mass robocall campaign, and the Ninth Circuit later upheld it [3].
The point is not that every five-person team faces a nine-figure verdict. The point is that exposure is real, it scales with call volume, and plaintiffs' attorneys take these cases on contingency because the math runs in their favor.
What does the TCPA actually prohibit for outbound calls and texts?
The statute is worth reading straight. 47 U.S.C. § 227(b)(1)(A) bars making any call using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to a cell phone number without prior express consent of the called party [1]. That covers texts too. The FCC has treated SMS as "calls" under the TCPA since 2003 [10].
Landlines get different treatment. An ATDS call to a residential line using a prerecorded voice is barred without consent under § 227(b)(1)(B). Live-agent calls to residential numbers get more room unless they are telemarketing, in which case the national Do Not Call rules kick in under § 227(c).
Here is the practical breakdown:
| Call type | Technology used | Consent required |
|---|---|---|
| Marketing call to cell | ATDS or prerecorded | Prior express written consent |
| Marketing call to cell | Live agent, manual dial | Prior express consent (oral OK) |
| Marketing call to residential | ATDS or prerecorded | Prior express written consent |
| Informational call to cell | ATDS or prerecorded | Prior express consent (oral OK) |
| Text message (marketing) | Any platform | Prior express written consent |
| Text message (informational) | Any platform | Prior express consent (oral OK) |
The consent tier matters enormously. Prior express written consent requires a written agreement that clearly authorizes autodialed or prerecorded calls, includes the consumer's signature (electronic is fine), and discloses that agreeing is not a condition of purchase [2]. Oral consent, or a web form missing those disclosures, does not clear the written-consent bar for marketing.
For the SMS side, the tcpa sms compliance and TCPA articles cover text-messaging rules in detail.
What is the Do Not Call list risk and how big is it?
The National Do Not Call Registry, run by the FTC under 16 C.F.R. Part 310, held more than 249 million phone numbers as of the FTC's FY 2023 Data Book [9]. Calling a registered number for telemarketing without an existing business relationship or prior written consent is a separate violation from the ATDS rules. The FTC can impose civil penalties up to $51,744 per violation under the Telemarketing Sales Rule, and that amount adjusts for inflation [4].
The FCC mirrors the registry for TCPA purposes. A consumer who registers a number triggers Do Not Call protections under § 227(c), and the private right of action there runs the same $500 to $1,500 per violation as the ATDS rules [1].
DNC risk bites in two ways. First, failing to scrub your list against the registry before dialing. You have to access the registry at least every 31 days and drop registered numbers before calling them [4]. Second, ignoring company-specific do-not-call requests. If a consumer tells your agent to stop calling, you have to honor that and keep the suppression record on file.
Small teams often think the registry is a big-company problem. It is not. Plaintiffs monitor lists for unwanted calls, register numbers specifically to catch violators, and some are professional litigants. Per-call exposure is identical whether you run a 500-seat call center or a five-person SDR desk.
What counts as an automatic telephone dialing system under the TCPA?
This is where the law gets genuinely uncertain. The statutory definition in § 227(a)(1) covers equipment with the capacity to store or produce telephone numbers using a random or sequential number generator, and to dial them [1]. In 2021, the Supreme Court narrowed that definition in Facebook, Inc. v. Duguid, 141 S. Ct. 1163 (2021) [5]. The Court held that an ATDS must use a random or sequential number generator to store or produce numbers, more than any stored list.
Duguid helped defendants in federal court. It did not end the fight. Several circuits still split on edge cases. And state laws do not ride on the federal ATDS definition. California's Automatic Telephone Dialing Systems Act and Florida's FTSA (amended effective July 2021) carry their own dialer definitions that can reach further than the federal one after Duguid [6].
If your platform pulls from a CRM list and dials without a human click-to-call for each record, your legal team should decide whether that counts as an ATDS in the states where your prospects live. Do not assume Duguid gives you blanket protection. It does not. And even if you dodge the ATDS label, you still face prerecorded-voice restrictions and DNC duties.
For teams on Twilio or similar infrastructure, the Twilio TCPA compliance guide covers what your vendor configuration actually means for exposure.
What are the consent rules for outbound sales calls?
Consent is the most common failure point. Teams assume that because someone filled out a web form or bought from them once, they can call with an autodialer. Often they cannot.
The FCC's 2012 order set the written-consent standard: prior express written consent requires (1) a written agreement signed by the person, (2) clear and conspicuous authorization to deliver calls using an ATDS or prerecorded voice, and (3) a disclosure that agreeing is not a condition of purchase [2]. A bare web form reading "submit for a free quote" almost certainly does not clear that bar.
Lead generation is a minefield. If you buy leads from a third party, someone else obtained the consent, for their site, often without a clear disclosure that names your company. The FCC's December 2023 order requires one-to-one consent: a single lead form cannot grant consent to multiple unrelated sellers [7]. It took effect January 27, 2025. If you buy shared leads, you now face a strong argument that you have no valid TCPA consent at all unless the consumer separately consented to calls from your company by name.
For inbound forms you control, the fix is an SMS opt-in form with the right disclosures, or a web form that names your company, describes the calling technology you use, and captures a signature. The sms opt in resource has language that meets the written-consent standard.
Revocation matters too. Under the FCC's 2024 rules, consumers can revoke consent by any reasonable means at any time, and sellers must honor revocation within ten business days [7]. If your CRM lacks a field and a process for tracking revocation with a timestamp, you have a gap.
How big are the financial penalties and what do real cases show?
Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per violation, or up to $1,500 for willful violations [1]. The statute sets no cap. Courts have mostly refused to trim class-wide verdicts as disproportionate, though a few judges have applied due-process review to cut extreme individual awards.
Real case outcomes:
- Wakefield v. ViSalus (D. Or. 2022): a jury awarded $925 million for roughly 1.8 million unsolicited prerecorded calls, at $500 per call [3]. The Ninth Circuit upheld the verdict in 2023.
- Krakauer v. Dish Network (4th Cir. 2019): $61 million upheld for DNC violations affecting about 51,000 consumers [8].
- Satterfield v. Simon & Schuster (9th Cir. 2009): an early case establishing that text messages are covered by the TCPA.
Settlements often top verdicts because defendants want out of trial risk. Google settled a TCPA case for $10 million. Capital One settled for $75.5 million. Yahoo settled for $4.4 million.
FTC civil penalties run separately and can be large. Under the Telemarketing Sales Rule, the FTC has brought actions that produced hundreds of millions in penalties against robocall operations [4].
For smaller teams, the real risk is not a $900 million verdict. It is a demand letter from a plaintiff's attorney offering to settle for $25,000 to $150,000, often less than the cost of litigation. Plenty of small companies pay these nuisance settlements. That risk is real and frequent.
What state laws add risk beyond federal TCPA requirements?
Federal law sets a floor, not a ceiling. States go further.
Florida: the Florida Telephone Solicitation Act (FTSA), amended effective July 2021 and revised in 2023, bars autodialed or automated calls or texts to Florida numbers without prior express written consent. The FTSA's definition of "automated system" may reach equipment that no longer qualifies as an ATDS under the post-Duguid federal standard [6]. Damages run $500 per call, with the same trebling option as the TCPA. Florida produced a wave of plaintiff filings in 2021 and 2022 built on exactly this gap.
California: California has the Consumer Legal Remedies Act, the Invasion of Privacy Act governing call recording (all-party consent required), and data rules under the CCPA that shape how you store and use contact data. California plaintiffs' attorneys are among the most active in TCPA litigation.
Texas: Texas Business & Commerce Code § 305 covers telephone solicitation with its own requirements, including registration of solicitors.
Washington: the Automatic Dialing and Announcing Device statute covers robocalls to Washington numbers.
B2B is not a safe harbor. State law sometimes protects business calls more than federal law does, sometimes less. Florida's FTSA covers business numbers. Several state DNC lists (Indiana, Texas, and Wyoming among them) include business numbers in some contexts.
If your team dials nationally, you are effectively bound by the strictest state on your list. That is usually Florida or California. State-level DNC scrubbing and consent auditing by area code is one mitigation. It is tedious, but the exposure in California and Florida alone pays for it.
What are the calling time window rules and other operational requirements?
The TCPA regulations at 47 C.F.R. § 64.1200(c)(1) bar telephone solicitation calls to residential lines before 8 a.m. or after 9 p.m., local time at the called party's location [2]. The FTC's Telemarketing Sales Rule at 16 C.F.R. § 310.4(c) mirrors that window [4]. Some states are stricter. Maryland limits calls to 8 a.m. to 9 p.m. and adds restrictions around meal times.
The "local time" rule is the catch. Calling from Chicago to Los Angeles, you count the prospect's time zone, not yours. A 7:30 a.m. CDT call to a California number lands at 5:30 a.m. PDT, which is a clear violation. Flip it: a 10 p.m. CDT call to that same California number lands at 8 p.m. PDT, which is fine. Time-zone math trips up dialers constantly.
Other operational rules that generate lawsuits:
- Caller ID: you have to transmit accurate caller ID. Spoofing it to show a false number violates the Truth in Caller ID Act and triggers FCC enforcement [2].
- Abandonment rate: with predictive dialers, the FCC caps the call abandonment rate at no more than 3% of calls answered by a live person over a 30-day period [2].
- Prerecorded call disclosures: you have to state your name, the company the call is made for, and a callback number within the first few seconds [2].
- Opt-out mechanism: prerecorded calls need an automated, interactive opt-out the called party can use during the call [2].
These rules feel minor until a plaintiff's attorney adds them to a complaint and multiplies by call volume.
How does the 2024 FCC one-to-one consent rule change the lead generation risk?
The FCC adopted the one-to-one consent rule in December 2023, effective January 27, 2025 [7]. Under the old framework, a single lead form could list dozens of "partner" companies, and submitting the form arguably granted consent to all of them. Courts were already skeptical of that model. The new rule shuts the door.
Now consent has to be specific to one seller, and it has to be logically and topically related to the website where it is obtained. A general "get quotes" form on a mortgage comparison site cannot grant consent to an unrelated insurance company.
For teams that buy leads from aggregators or share forms across brands, this is a material change. If you received a lead after January 27, 2025, and it came through a form that listed multiple sellers, you almost certainly do not have valid TCPA consent to autodial that number.
The fix is one of two things. Own the lead source, running your own forms with one-to-one consent language. Or require your lead vendors to hand over documentation that consent was obtained for your company by name. Most vendors cannot produce that documentation for older inventory.
For opt-in SMS marketing and text flows, the same one-to-one standard applies. A consumer's text opt-in has to go to your company, not to a partner network.
What internal processes reduce legal risk without killing sales velocity?
Compliance and velocity are not opposites. You just have to pick the right tools and build the right processes.
Consent documentation is the foundation. Every contact in your dialing system should carry a documented consent record: the source (form URL or call recording), the date and time, the exact consent language the consumer saw, and whether it is written consent or only oral. If you cannot produce that record, you have no defense. Keep it at least five years, which beats the FTC's 24-month TSR minimum and matches typical class-action timelines [4].
List hygiene runs second. Scrub against the national DNC registry at least every 31 days, as required [4]. Scrub against state DNC lists for high-risk states (Indiana, Texas, Wyoming, and Colorado among those with their own registries). Keep your internal suppression list on a logging system that records when each number went on and why.
Dialer configuration matters. If you are not sure whether your platform qualifies as an ATDS, run it past a TCPA attorney before you scale. A two-hour consult costs trivial money against class exposure. For SMS, the text message marketing compliance guides cover what your platform settings need to look like.
LeadCompliant's free TCPA tools and compliance kit (at leadcompliant.com) include a DNC scrubber and a consent documentation template that small teams can run without building a custom stack. These tools do not replace legal advice. They give you a documented baseline.
Training counts. The TCPA's willfulness standard turns on what your team knew. If an agent ignores a revocation request because nobody trained them to log it, a court may treat that as willful and apply the $1,500 tier instead of $500. Training logs and written procedures are evidence that you were trying.
Audit your lead vendors last. Get contractual representations that the leads were collected with TCPA-compliant consent, that consent was one-to-one after January 2025, and that the vendor will indemnify you for misrepresentations. Most vendors push back. The negotiation itself tells you what they can actually attest to.
What should you do if you receive a TCPA demand letter or complaint?
This article is not legal advice. If a TCPA demand letter lands, your first call goes to a litigator who handles TCPA defense. Here is what the practical picture looks like.
Do not ignore it. TCPA demand letters are not always the front of serious litigation, but they need a response. Ignore one and then get served with a class action, and you missed the chance to settle a single-plaintiff case cheaply.
Preserve everything. Issue a litigation hold immediately: call records, dialer logs, consent documentation, DNC scrub logs, training records. Deleting records after a demand letter triggers spoliation sanctions that make your substantive defense harder.
Assess the exposure honestly. How many calls or texts are at issue? One plaintiff or a class? Do you have documented consent for each? What is your DNC scrub history for those numbers? That analysis tells you whether you are looking at a $25,000 nuisance settlement or genuine class exposure.
Weigh the consent record. Solid written consent may sink the ATDS claim, or push the plaintiff to drop the case once they see your files. Many TCPA plaintiffs are opportunistic. They file when they believe you cannot prove consent.
For ongoing risk management, the tcpa news today resource tracks new FCC rulings and case outcomes that move your exposure in real time. The law changes faster than most compliance calendars account for.
Frequently asked questions
What is the maximum penalty for a TCPA violation?
There is no statutory cap. The TCPA sets $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing violations under 47 U.S.C. § 227(b)(3). In a class action covering millions of calls, total exposure reaches hundreds of millions of dollars. The $925 million verdict in Wakefield v. ViSalus (2022) is the largest known TCPA judgment entered by a U.S. district court.
Do TCPA rules apply to B2B outbound calls?
Federal TCPA rules apply to calls to cell phones regardless of whether the recipient is a consumer or a business employee. The number type controls, not the relationship. The Do Not Call rules under § 227(c) target residential subscribers, so B2B calling to business landlines has more room. But Florida's FTSA covers business cell numbers, and most employees use cells, so treating B2B as TCPA-exempt is risky.
How often do I need to scrub my call list against the national DNC registry?
You must access the National Do Not Call Registry and remove registered numbers from your list at least every 31 days, per 16 C.F.R. § 310.4(b)(3)(iv) under the FTC's Telemarketing Sales Rule. Calling a registered number for telemarketing after that window lapses, even if the number was clean at your last scrub, still exposes you to liability if the consumer registered in the interim.
What changed with the FCC's one-to-one consent rule in 2025?
The FCC's December 2023 order, effective January 27, 2025, requires TCPA consent to be specific to a single seller. A consumer's consent on a lead form must name your company and cannot be shared with unrelated third parties. Lead funnels that once served dozens of buyers off one submission no longer produce valid TCPA consent. You have to own your form or obtain lead-specific consent documentation from vendors.
Does the Supreme Court's Facebook v. Duguid decision mean I can use any auto-dialer?
No. Duguid (2021) narrowed the federal ATDS definition to equipment that uses a random or sequential number generator. But state laws, especially Florida's FTSA and California statutes, use their own broader definitions. Prerecorded voice calls and DNC rules apply regardless of whether your dialer meets the ATDS definition. Duguid cut some federal class exposure but did not erase it, and state exposure stays significant.
What hours can I legally make outbound telemarketing calls?
Under the TCPA and the FTC's Telemarketing Sales Rule, you cannot make telemarketing calls to residential lines before 8 a.m. or after 9 p.m. local time at the called party's location. Some states are stricter. The local-time calculation is based on the recipient's location, not yours. A dialer unaware of time zones produces violations automatically at scale.
Is a web form submission enough to establish TCPA written consent for marketing calls?
Only if the form meets specific requirements. It must clearly and conspicuously authorize the use of an ATDS or prerecorded voice, name your company, capture a signature (electronic is fine), and disclose that consent is not a condition of purchase. A generic "contact me" or "get a quote" form without those elements does not meet the prior express written consent standard the FCC set in its 2012 order.
Can a consumer sue me directly for TCPA violations, or does it have to go through the FCC?
Consumers have a direct private right of action under 47 U.S.C. § 227(b)(3). They do not have to file with the FCC first. They can file in federal or state court, alone or as part of a class. This private right of action drives TCPA litigation. Plaintiffs' attorneys take cases on contingency because per-violation damages are fixed by statute and the math works without proving actual harm.
What records do I need to keep to defend a TCPA lawsuit?
At minimum: consent records (source, date, consent language, consumer signature) for every number you autodialed, DNC scrub logs with dates and results, internal suppression list additions with timestamps, dialer call logs, and training documentation for your team. The FTC requires TSR records for 24 months. Five years is the safer standard for TCPA defense given class-action timelines.
What is the risk of buying leads from a third party under the new FCC rules?
High. After January 27, 2025, a consumer's TCPA consent must be specific to one seller. Leads bought from aggregators whose forms listed multiple buyers likely lack valid consent for your company. You need vendor contracts that represent compliance and identify the exact consent language consumers saw. Without that documentation you are dialing without defensible consent, and the TCPA's willfulness tier could apply if you knew the risk.
Do text messages (SMS) face the same TCPA risks as phone calls?
Yes. The FCC treats SMS as "calls" under the TCPA. Every restriction on autodialed calls, including prior express written consent for marketing texts, DNC scrubbing, and the right to revoke consent, applies equally to text messages. State laws like Florida's FTSA explicitly cover texts. The tcpa sms compliance and sms double opt in articles cover text-specific requirements in detail.
What is the abandonment rate rule for predictive dialers?
The FCC's rules at 47 C.F.R. § 64.1200(a)(7) cap the call abandonment rate at no more than 3% of answered calls, calculated per campaign over a 30-day period. An abandoned call is one the system disconnects before connecting a live agent. Violating the abandonment rate rule is a separate TCPA violation from the ATDS and consent rules, with the same $500 to $1,500 per-violation exposure.
What states have their own Do Not Call lists beyond the federal registry?
Several states run their own DNC registries, including Indiana, Texas, Wyoming, Colorado, Louisiana, Massachusetts, Missouri, and Tennessee, among others. Requirements and covered number types vary. Some state lists cover business numbers the federal registry does not. If you dial nationally, you need state-level scrubbing on top of the federal registry, especially for high-litigation states like Florida and California.
How quickly do I have to honor a consumer's request to stop calling?
For company-specific do-not-call requests, the FTC's Telemarketing Sales Rule gives you up to 30 days to honor the request and requires you to keep it for five years. For revocation of TCPA consent specifically, the FCC's 2024 order requires honoring revocation within ten business days. The safest practice is to suppress the number immediately in your CRM and confirm the suppression in writing.
Sources
- Cornell Law School Legal Information Institute, 47 U.S.C. § 227 Telephone Consumer Protection Act: TCPA statutory damages are $500 per violation, up to $1,500 for willful violations; prohibits ATDS calls to cell numbers without prior express consent
- U.S. District Court D. Oregon, Wakefield v. ViSalus Inc., Case No. 3:15-cv-01857-SI: $925 million jury verdict for approximately 1.8 million unsolicited prerecorded calls at $500 per call, upheld on appeal
- FTC, Telemarketing Sales Rule 16 C.F.R. Part 310 and National Do Not Call Registry: Sellers must scrub every 31 days; civil penalties up to $51,744 per violation; record retention 24 months; calling hours 8 a.m. to 9 p.m. local time
- U.S. Supreme Court, Facebook Inc. v. Duguid, 141 S. Ct. 1163 (2021): Supreme Court narrowed ATDS definition to equipment using random or sequential number generator; a stored-list dialer may not qualify as ATDS under federal law
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: FTSA prohibits autodialed calls or texts to Florida numbers without prior express written consent; damages $500 per call; state definition may be broader than post-Duguid federal ATDS standard
- FCC, Report and Order FCC 23-107, One-to-One Consent Rule (adopted December 2023, effective January 27, 2025): FCC requires TCPA consent to be specific to one seller; lead forms listing multiple sellers no longer produce valid TCPA consent; consent revocation must be honored within 10 business days
- U.S. Court of Appeals Fourth Circuit, Krakauer v. Dish Network LLC, 925 F.3d 643 (4th Cir. 2019): $61 million verdict upheld for DNC violations affecting approximately 51,000 consumers
- FTC, National Do Not Call Registry Data Book FY 2023: National DNC Registry contains over 249 million registered phone numbers as of FY 2023 report