High-risk TCPA scenarios outbound teams face most often

TCPA violations can cost $500, $1,500 per call or text. Here are the highest-risk scenarios outbound sales teams hit most often, and how to avoid them.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-11

Office desk with phone off the hook and scattered papers illustrating outbound call compliance risks
Office desk with phone off the hook and scattered papers illustrating outbound call compliance risks

TL;DR

The TCPA carries statutory damages of $500 per violation and up to $1,500 for willful ones, with no cap on class size. The scenarios that generate the most lawsuits are calling reassigned numbers, texting without written consent, scrubbing DNC lists late or never, calling cell phones with an autodialer without consent, and ignoring opt-out requests. Each one is avoidable with the right process.

What is the TCPA and why does it create so much liability for outbound teams?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, was signed in 1991 and has been reshaped by FCC rulemaking many times since. [1] It restricts autodialed calls and texts to cell phones, prerecorded voice calls to any number, and telemarketing calls to numbers on the National Do Not Call Registry. The private right of action is what makes it dangerous. Any consumer can sue without proving actual damages. Statutory damages start at $500 per violation and go up to $1,500 for each willful one. [1]

For an outbound team running even a modest campaign, that math gets scary fast. A class covering 50,000 contacts who each got two texts without proper consent is a theoretical $50 million exposure. Courts have not always awarded full statutory damages, but juries have handed down large verdicts and defendants have settled for tens of millions. The cash app tcpa class action settlement shows how quickly these cases scale.

The law covers four channels: telephone calls placed with an automatic telephone dialing system (ATDS), prerecorded or artificial voice calls, fax, and text messages. Outbound sales and marketing teams get burned mostly on the first three. Understanding tcpa basics is the starting point. This article is about where teams actually lose money.

What counts as an autodialer under the TCPA after the Facebook v. Duguid ruling?

This is the question that ate the compliance world for about four years. The Supreme Court's 2021 decision in Facebook, Inc. v. Duguid defined an ATDS narrowly: a system must have the capacity to store or produce telephone numbers using a random or sequential number generator. [2] That ruling closed a huge gray zone where plaintiffs argued any dialing software with a stored list counted as an autodialer.

A predictive dialer pulling from a CRM list is harder to call an ATDS under Duguid than it was before 2021. Here's the catch. Plaintiffs' attorneys pivoted. Many TCPA suits now target prerecorded voice calls, which carry a separate and broader ban under 47 U.S.C. § 227(b)(1)(A)(iii), or the DNC provisions under § 227(c), which require no ATDS at all. [1] Your team can still get sued for DNC violations dialing entirely by hand.

Do not let Duguid make you complacent. If your platform uses any automated queuing, preview dialing with an automated launch, or bulk SMS through an API, you still need consent analysis. State laws like California's CIPA add another layer, often broader than the federal ATDS definition.

Why are reassigned phone numbers one of the biggest TCPA traps?

Phone numbers get reassigned constantly. The FCC estimated that roughly 35 million numbers change hands in the United States each year. [3] A consumer hands you their cell number, gives consent, then cancels the line. That number can be active again within 45 days under a totally different person. You call or text the new subscriber, they never consented, and you have a violation.

Courts have generally rejected "we had prior consent from the old subscriber" as a defense once you have any signal the number moved. One call to a reassigned number to discover the reassignment counts as a permitted error. After that, continued contact is a knowing violation. [4]

The FCC launched the Reassigned Numbers Database (RND) in 2021 to fix exactly this. [3] You query the RND to check whether a number has been permanently disconnected since the date you obtained consent. As of the FCC's published rate schedule, queries run $0.001 each, or a flat $1,500 per month for unlimited access. [3] For any real call volume, the RND is not optional. It is cheap insurance. Scrub your active lists against it before every major campaign push, not once at list acquisition and never again.

The operational problem is that most CRMs do not build RND checks into the workflow. You usually need a data hygiene vendor or a direct API integration. Budget for it. One reassigned-number class action costs more than years of RND fees.

TCPA statutory damages by violation type Per-violation exposure under 47 U.S.C. § 227 and related state laws $500 TCPA standard violation (per call/text) $1,500 TCPA willful violation (per call/text) $500 Florida FTSA (per call/text) $5,000 California CIPA (per violat… minimum) Source: 47 U.S.C. § 227 [1]; 47 C.F.R. § 64.1200 [5]; Florida Statute § 501.059 [10]; California Penal Code § 632 [9]

This is where SMS campaigns get torched. For marketing texts sent via an ATDS or prerecorded message, the FCC requires "prior express written consent" as defined in 47 C.F.R. § 64.1200(f). [5] The consent has to be a written agreement, signed by the consumer, that clearly authorizes the seller to send autodialed or prerecorded messages. It has to name the phone number they consent to, and it has to disclose that consent is not a condition of purchase.

Verbal consent does not satisfy this standard for marketing texts. Checking a box that says "I agree to terms and conditions" with no TCPA disclosure does not satisfy it. A pre-checked box almost certainly does not. [5]

For text message marketing, the consent has to be for that type of message from that specific company. Consent given to Company A does not transfer to Company B, even if B bought A's lead list. This is the most common mistake on purchased lists: the original form named a different entity.

The FCC's 2023 one-to-one consent rule tightened this further by requiring consent for each seller by name rather than through a shared lead-gen form listing many companies. [6] If you buy leads from a generator whose consent form listed a dozen companies including yours, that consent is now legally questionable. Get the documentation from every lead vendor and have counsel review whether it meets current standards.

How often do teams need to scrub against the National DNC Registry, and what happens if they miss it?

The FTC's Telemarketing Sales Rule requires companies to scrub their call lists against the National Do Not Call Registry at least every 31 days. [7] The FCC's parallel TCPA rule sets the same frequency for telemarketers. [5] Teams that scrub quarterly, or once at list purchase and never again, are operating outside the law.

The consequences run past regulators. Under 47 U.S.C. § 227(c)(5), a person who gets more than one telemarketing call within any 12-month period after registering can sue for $500 per call. Willful violations go to $1,500. [1] No cap on the number of plaintiffs who can join a class.

Here is what most teams miss. The registry holds more than 249 million active registrations, per the FTC's fiscal year 2023 Do Not Call Registry Data Book. [12] A list you bought 90 days ago is already partly stale. People register new numbers every day. You need an automated, scheduled scrub built into your process, not a manual one that lives or dies on someone remembering.

For how the registry works and how to reach it, see our guide on the do not call list and the specifics of the do not call telemarketer list. If you are unsure whether your numbers are already registered, here is how to get the do not call list directly from the FTC.

Are cell phones treated differently from landlines under the TCPA?

Yes, significantly. The TCPA's autodialer restrictions under § 227(b) apply to calls or texts to a "cellular telephone service" or any service where the called party is charged per call. [1] Calling a landline with a prerecorded telemarketing message is also restricted, but the consent standard differs. For residential landlines, the FCC requires only "prior express consent" rather than "prior express written consent" for certain categories.

Cell phones get the stricter treatment because consumers pay for their airtime and receive texts directly. So your team needs to know, before dialing, whether a number is a cell or a landline. List and skip-tracing vendors often provide line-type data. Pay for it.

The mobile phone do not call list is not a separate registry, despite a persistent myth. The National DNC Registry covers all numbers, wireless and landline. The TCPA's wireless protections run independently of the registry and apply even to numbers that were never registered. Your team has to honor both frameworks at once.

One more trap: cell numbers ported from a landline. A number that was a residential landline when you got consent may now be a cell. Calling it with an autodialer without updated cell-specific consent is a violation. Line-type checks at each campaign run, more than at list acquisition, are the only reliable protection.

What are the most common cold calling violations that generate TCPA lawsuits?

Pure cold calling with no prior business relationship or established consent is a high-wire act under the TCPA. The violations that actually produce lawsuits fall into a few patterns.

First is calling DNC-registered numbers. This is the most common one. The plaintiff proves they registered, proves they got your call, and the burden shifts to you to show an established business relationship or written consent. If you cannot produce it, you lose.

Second is using prerecorded messages for telemarketing calls to cell or residential lines without consent. Plenty of teams drop prerecorded voicemails thinking there is less exposure than a live call. There is not. A ringless voicemail (RVM) deposited straight into voicemail is treated as a call under FCC guidance, and the same consent rules apply. [8]

Third is calling outside permitted hours. The TCPA and TSR both ban telemarketing calls before 8 a.m. or after 9 p.m. local time at the called party's location. [7] "Local time" means the recipient's time zone, not yours. A Los Angeles team calling East Coast prospects after 6 p.m. Pacific is calling after 9 p.m. Eastern. This one catches West Coast teams constantly.

For what a cold call legally requires and where the restrictions come from, we have a deeper breakdown. The mechanics are more manageable than people assume, but you have to build them into your dialer setup instead of retrofitting them by hand.

What happens when a contact opts out and the team keeps calling or texting?

This scenario produces some of the angriest plaintiffs and the biggest damage awards. When a consumer says stop or texts STOP, the clock starts. The FCC's rules require opt-out requests for telephone solicitations to be honored within a reasonable time not to exceed 30 days, and your internal DNC list has to reflect the request. [5] For SMS, industry practice and FCC guidance treat STOP as requiring immediate suppression, and most text platforms handle it automatically.

The problem is that most teams run on multiple systems. The opt-out lands in the SMS platform, but the CRM still shows the contact as active. Three days later a rep dials them from a different list pull. That is a willful violation, because you had notice and ignored it.

The credit one tcpa settlement shows how opt-out failures compound across large volumes. Credit One Bank paid $12.5 million to settle a class action centered in part on continued contacts after consumers asked them to stop. The size of that number reflects how fast individual $1,500 willful-violation damages multiply across a call center.

Your suppression list has to be a single source of truth that every dialing system and every campaign reads before launch. Not a Google Sheet someone updates by hand. A real-time, centralized suppression database that your CRM, your dialer, and your SMS platform all check before any outreach goes out.

How does buying lead lists create TCPA exposure even when you did nothing wrong?

Purchased lists are one of the sneakiest liability sources, because the seller's sins become your problem. The TCPA has no good-faith purchaser exception. If you call a number on a list you bought and that number is on the DNC registry, or the underlying consent was defective, you are liable. Period.

The FCC's 2023 one-to-one consent rule made this worse for lead buyers. Before the rule, a lead-gen form listing multiple companies could arguably provide consent for all of them. Under the new rule, consent has to be obtained for each seller by name. [6] List brokers who never updated their forms are now selling legally defective leads.

Due diligence on any purchased list means getting a copy of the consent form used to capture the lead, verifying your company name appears on it specifically, checking the consent date against your scrub window, and running the list through DNC and RND checks before first contact. That is a real process, not a quick step.

LeadCompliant's compliance kit has a lead vendor due diligence checklist and a consent documentation template you can send vendors before buying. It is free. The point is to hand a vendor something concrete and force them to produce the paperwork, because most will not volunteer it.

If a vendor refuses to provide consent documentation, or cannot tell you exactly what their capture form says, that is your answer. Do not buy those leads.

What are the biggest state-law risks on top of the federal TCPA?

Federal TCPA is the floor, not the ceiling. Several states have laws that go further in ways that matter.

California's Invasion of Privacy Act (CIPA) and the CCPA together create a parallel consent and data-rights framework. CIPA Section 632 restricts recording of phone calls without two-party consent. Section 638.51 restricts pen registers and trap-and-trace devices, and plaintiffs have argued that certain tracking technologies in marketing pipelines qualify. Damages under CIPA run $5,000 per violation or three times actual damages, whichever is greater, with a private right of action. [9]

Florida's Telephone Solicitation Act (FTSA), amended in 2021, created a state-law ATDS prohibition with a private right of action and $500 per call in damages. Florida plaintiffs' firms filed hundreds of FTSA suits in 2022 and 2023 before a 2023 amendment narrowed the definition of "autodialer" and added a 15-day cure period. [10] The cure period helps, but only if you respond fast to demand letters.

Washington, Texas, and Indiana all have telemarketing statutes with their own registration and consent requirements. Washington's Commercial Electronic Mail Act covers certain text messages and carries its own damages framework.

If you call into multiple states, you need a state-by-state review of your consent language and your time-of-day limits. The TSR and TCPA set the federal baseline. A California or Florida plaintiff can layer state claims on top and often recovers more that way.

What does a TCPA lawsuit actually cost a small outbound team?

Defense costs alone are steep even when you win. TCPA litigation gets complicated: discovery battles over call records, consent documentation, dialing-system architecture, and class certification. Firms that specialize in TCPA defense typically charge $350 to $600 an hour for senior attorneys, and a case that reaches class certification can run 18 to 36 months. Settling early still costs money. Simple one-plaintiff TCPA cases often settle for $5,000 to $15,000 once you add attorney fees on both sides.

Class actions are a different scale. Certified TCPA class settlements have ranged from under $1 million for small operators to nine figures for large ones. The $12.5 million Credit One settlement and the $280 million judgment against DISH Network mark the wide range, but the floor for a certified class against a mid-size operation usually lands in the low millions. [11]

Small teams sometimes assume they are too small to draw class-action attention. That is wrong. Plaintiffs' attorneys file TCPA cases on contingency and hunt for cases where the per-call or per-text damages, times the list size, produce a viable settlement fund. A team that blasted 20,000 unscrubbed contacts with a prerecorded message is a perfectly good target regardless of company size.

The chart below shows the range of TCPA statutory damages by violation type, which is why volume is the risk multiplier that matters.

How should a small outbound team structure its compliance process to reduce risk?

Start with the list before you dial a single number. Every phone number on every list gets scrubbed against the National DNC Registry, your internal suppression list, and the FCC Reassigned Numbers Database before the campaign launches. Not a one-time event. A pre-campaign ritual.

Consent documentation needs a home. Keep a record of where every contact came from, what consent form they signed, when they signed it, and what it said. If you cannot reconstruct that for a contact in your database, you cannot safely call or text them for marketing.

Time-of-day enforcement should be automated at the dialer level, not left to rep judgment. Configure your dialer to block outbound calls before 8 a.m. or after 9 p.m. in the recipient's time zone. Most modern dialers support this. Most teams never turn it on.

Opt-out handling needs one suppression list that every system reads. Any number that opts out by any channel, voice, text, email, or written request, goes into suppression within 24 hours and stays there permanently unless the consumer re-consents in writing.

Record keeping matters when you get sued. The FTC's TSR requires records supporting compliance to be kept for 24 months. [7] Keep your call logs, consent documentation, scrub records, and opt-out logs for at least that long, ideally longer.

LeadCompliant's free compliance kit has templates for consent forms, scrub logs, and vendor due diligence checklists. Use it as a starting checklist, then get counsel involved for anything that touches your product, industry, or state exposure. This article is a reference, not legal advice.

Frequently asked questions

Maybe, but the DNC registry still applies. The ATDS restriction in 47 U.S.C. § 227(b) is triggered by equipment type. A truly manual call to a cell phone without an autodialer avoids the ATDS prohibition. But if that cell number is on the National DNC Registry and you have no written consent or established business relationship, you still violate § 227(c). Most outbound teams use some automated queuing, which weakens the manual-dialer argument.

What is an established business relationship and does it protect me from DNC calls?

An established business relationship (EBR) is a prior transaction within the last 18 months, or an inquiry within the last 3 months, as defined in the FTC's TSR and FCC rules. An EBR can let you call a DNC-registered number for telemarketing, but it does not override the ATDS or prerecorded consent requirement for cell phones. It also does not survive the contact's request to stop calling.

Does TCPA apply to B2B calls?

Yes, partially. The DNC protections under § 227(c) apply to residential numbers, not business lines, so calling a business's main line is generally not a DNC issue. But the ATDS and prerecorded voice restrictions under § 227(b) apply to any cellular number, regardless of whether the owner uses it for business. A salesperson's work cell is still a cell phone, and calling it with a prerecorded message without consent is a violation.

How do I know if my dialer qualifies as an ATDS under the current definition?

After Facebook v. Duguid (2021), an ATDS must use a random or sequential number generator to store or produce numbers. A CRM-integrated dialer pulling a sorted list may not meet that definition at the federal level. But the analysis is fact-specific and platforms vary. Some state laws use broader definitions. Get a written assessment from a TCPA attorney who has reviewed your platform's technical architecture before you conclude you are in the clear.

Prior express consent (oral or written) is enough for non-marketing informational calls to cell phones. Prior express written consent is required for marketing calls and texts sent via ATDS or prerecorded voice, under 47 C.F.R. § 64.1200(f). The written standard requires a signed agreement, the specific phone number, disclosure that consent is not a condition of purchase, and disclosure that standard message and data rates may apply.

How quickly must I honor a STOP opt-out request on text messages?

Immediately, as a practical matter. The FCC requires telephone solicitation opt-outs to be honored within a reasonable time not to exceed 30 days for voice, but SMS industry practice and most platform terms require immediate suppression on STOP. Courts have not been sympathetic to delays. Your SMS platform should suppress the number automatically. The risk shows up when the opt-out never flows back to your CRM and a rep dials the same contact from a separate list.

The FCC's 2023 order requires written consent for marketing calls and texts to identify each seller by name and be obtained separately for each seller, rather than through a shared multi-seller form. Lead-gen forms that list multiple companies and claim consent for all of them no longer satisfy the standard. If you buy leads from a generator using the old multi-seller format, the consent underlying those leads is now legally questionable. Verify the consent form before buying.

Are ringless voicemails covered by the TCPA?

The FCC has treated ringless voicemails (RVMs), also called direct-to-voicemail drops, as calls under the TCPA. The argument that they do not ring the phone and therefore are not calls has not prevailed in FCC guidance or most court decisions. An RVM deposited straight into voicemail without ringing still requires the same prior express written consent as a live autodialed marketing call to a cell phone.

What records do I need to keep to defend a TCPA claim?

At minimum: call and text logs showing the number, date, time, and campaign for every outbound contact; consent documentation for each contact (form text, timestamp, IP address or signature); DNC scrub records showing when lists were scrubbed and which registry version was used; opt-out logs with timestamps; and vendor agreements covering lead acquisition. The FTC's TSR requires 24 months of retention. Keep everything longer if you have any reason to expect litigation.

Can I get hit with a class action if I am a small company with a small list?

Yes. TCPA plaintiffs' attorneys look at the per-contact violation amount times the list size, not the company's revenue. A small company that sent 15,000 unsolicited texts can face a theoretical $7.5 million exposure at $500 per text. Attorneys take these on contingency. Company size gives you no protection. Documented compliance processes do, because they support a defense that any violation was not willful and shift the math on settlement.

Does the TCPA apply if I am calling my own customers?

Prior express consent is often present for existing customers, and an established business relationship may apply for DNC purposes. But the ATDS and prerecorded call restrictions still apply to cell phones regardless of the customer relationship. If you send automated marketing texts to existing customers, you still need prior express written consent under 47 C.F.R. § 64.1200. Transactional messages have more flexibility, but that distinction requires careful review of what counts as purely transactional.

What is the statute of limitations for a TCPA lawsuit?

Federal courts have generally applied a four-year statute of limitations to TCPA claims under 28 U.S.C. § 1658, the general federal four-year limitations period, because the TCPA does not specify its own. Some courts have applied a two-year period. The practical result is that a campaign you ran three years ago can still generate valid claims today. Keep compliance records longer than you think you need to.

Is there a way to call numbers on the DNC list legally?

Yes, in limited cases. You can call DNC-registered numbers if you have prior express written consent from that person, an established business relationship (within 18 months of last transaction or 3 months of inquiry), or the call is not a telephone solicitation under the applicable definitions. Tax-exempt nonprofit calls are also exempt. Each exemption has specific requirements. An EBR does not protect against ATDS or prerecorded call violations on cell phones, which carry separate consent requirements.

How do I check if a number is on the National DNC Registry before calling?

The FTC provides paid access to the registry for telemarketers through telemarketing.donotcall.gov. Any organization making more than a small volume of calls has to subscribe. You download a file of registered numbers and compare it against your list, or use a scrubbing vendor that queries the registry automatically. Scrubs have to be refreshed at least every 31 days. The registry holds more than 249 million numbers, so skipping the scrub is not a reasonable option.

Sources

  1. U.S. Government, 47 U.S.C. § 227, Telephone Consumer Protection Act (Cornell Legal Information Institute): TCPA statutory damages are $500 per violation, up to $1,500 for willful violations; private right of action for consumers
  2. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021) (Cornell Legal Information Institute): An ATDS must use a random or sequential number generator to store or produce telephone numbers
  3. FCC, 47 C.F.R. § 64.1200, Delivery restrictions (Electronic Code of Federal Regulations): Prior express written consent definition; opt-out honored within a reasonable time not to exceed 30 days; scrub frequency and consent requirements for texts
  4. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310 (agency rules library): TSR requires scrubbing every 31 days; prohibits calls before 8 a.m. or after 9 p.m. local time; 24-month record retention required
  5. California Legislative Information, California Invasion of Privacy Act, Penal Code § 630 et seq.: CIPA provides $5,000 per violation or three times actual damages with private right of action; covers recording of phone calls
  6. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: FTSA 2021 amendment created state-law ATDS prohibition with $500 per call damages; 2023 amendment added 15-day cure period and narrowed autodialer definition
  7. U.S. Department of Justice, United States v. DISH Network LLC (agency press office): DISH Network received a $280 million judgment for TCPA and TSR violations; illustrates scale of damages in large outbound operations
  8. FTC, National Do Not Call Registry Data Book (agency reports library): More than 249 million active registrations on the National DNC Registry per FTC fiscal year 2023 Data Book

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit