Last updated 2026-07-10

TL;DR
A TCPA litigation hold is a written order to stop deleting call logs, consent records, opt-out timestamps, and dialer settings the moment you reasonably expect a lawsuit. Courts have sanctioned defendants for destroying this data even by accident. Trigger the hold at the first demand letter, freeze the right data within 24 hours, and document every step you take.
What is a TCPA litigation hold and why does it matter?
A litigation hold (also called a legal hold or preservation notice) is a written order that suspends your normal deletion schedules and tells everyone who touches relevant data to stop erasing it. Under Federal Rule of Civil Procedure 37(e), a court can sanction you for failing to preserve electronically stored information (ESI) once you had a duty to preserve it. That duty attaches the moment you "reasonably anticipate" litigation, which courts read to include demand letters, FCC complaints, and cease-and-desist notices, well before a complaint is ever filed. [1]
The money involved is what makes this serious. Statutory damages under 47 U.S.C. § 227 run $500 per call or text for negligent violations and $1,500 per call or text for knowing or willful violations, with no cap on class size. [2] Class actions routinely cover millions of messages. The Cash App TCPA class action settlement resolved at $18.75 million, covering calls and texts to people who said they never consented. See [cash app tcpa class action settlement] Your entire defense usually rests on proving you had consent or ran a proper do-not-call scrub. Lose that data and you can lose the case outright.
Spoliation sanctions are the consequence. A court that finds spoliation can hand the jury an adverse inference instruction (telling jurors to assume the missing data was bad for you), exclude your witnesses, or in the worst cases enter default judgment against you. In Residential Funding Corp. v. DeGeorge Financial Corp., 306 F.3d 99 (2d Cir. 2002), the court upheld an adverse inference sanction where ESI was lost through gross negligence, with no proof of bad faith. [3] TCPA defendants face that same standard.
The hold is not paperwork for its own sake. It is your first line of defense.
When exactly should you trigger a TCPA litigation hold?
Trigger the hold when you reasonably anticipate litigation. That standard sounds vague, but courts have found it met by concrete events:
- A demand letter from a plaintiff or plaintiff's attorney citing TCPA violations
- An FCC complaint or state AG inquiry naming your calling or texting conduct
- A cease-and-desist letter from a known TCPA plaintiff (some serial litigants send these before they sue)
- Internal escalation where a consumer specifically threatens to sue
- Service of an actual complaint
Treat any written message that names the TCPA, mentions statutory damages, or threatens legal action as your trigger. Do not wait for a filed complaint. The gap between a demand letter and a lawsuit runs about 30 to 90 days, and that is exactly the window when automated deletion policies quietly destroy your best evidence.
If you run high-volume outbound, keep consent data and call logs for at least four years as a standing policy. The TCPA statute of limitations is four years under 28 U.S.C. § 1658, so any record younger than four years is potentially relevant the second a suit arrives. [4] You do not need a formal hold running at all times. You do need a retention schedule that never deletes anything inside that four-year window without legal review.
One detail decides most of these cases: the person who opens the demand letter has to know to escalate it right away. Plenty of small teams find the trigger point only after sales ops already ran a weekend batch delete. Build a simple escalation chain now, while it is boring, not later when it is on fire.
What TCPA data do you actually need to preserve?
Most teams badly underestimate the scope here. TCPA litigation is a data fight almost start to finish. Plaintiffs' attorneys will subpoena your dialer vendor, your CRM, your ESP, and your consent platform. Preserve all of this:
| Data Category | Specific Records | Why It Matters |
|---|---|---|
| Consent records | Signed forms, web form submissions, lead intake timestamps, IP addresses, checkbox states | Proves the consumer agreed to be called or texted |
| Call logs | Outbound call records with number dialed, timestamp, duration, disposition, agent ID | Shows which numbers were called and when |
| Text message logs | Sent/received SMS or MMS with content, timestamp, number, campaign ID | Shows which messages were sent and what they said |
| Do-not-call scrub records | DNC list download dates, scrub run timestamps, match results | Proves you checked before calling See [do not call list] |
| Internal DNC / opt-out lists | Consumer opt-out requests, suppression list versions | Proves you honored opt-outs |
| Dialer configurations | ATDS settings, predictive dialer configs, campaign parameters | Central to whether your equipment qualifies as an ATDS under 47 U.S.C. § 227(a)(1) |
| Vendor contracts | Agreements with dialer, lead gen, and consent data vendors | Establishes chain of custody for data you received |
| Lead purchase records | Lead provider name, purchase date, lead file, representations about consent | Establishes who made consent representations |
| Employee communications | Emails, Slack, Teams messages about the campaign at issue | Shows what your team knew |
| Training materials | Scripts, compliance training records, call monitoring results | Relevant to willfulness determination |
Consent records deserve extra attention. In TCPA litigation, once the plaintiff shows a call or text went out, the burden of proving consent usually shifts to you. [2] If you cannot produce the specific consent record tied to the specific number on the specific date, you are in trouble no matter how good your general process looked.
DNC scrub documentation carries the same weight. If the plaintiff sits on the National DNC Registry and you called them, you have to show a timely, complete scrub. Records of your mobile phone do not call list subscriptions and scrub runs are the evidence that does that. [5]
Who needs to receive the litigation hold notice?
Everyone who could hold relevant data, and every system that stores it, needs a hold notice. For a typical small outbound sales team that list looks like this:
- Sales reps and managers who made or supervised the calls
- The compliance officer or whoever manages DNC scrubs
- IT or whoever administers your CRM, dialer, and email platforms
- Marketing ops, who usually owns consent forms and lead intake
- Finance, if lead purchase records live there
- Any outside vendor with custody of your data (dialer companies, lead gen firms, consent platforms)
For vendors, put the hold in writing, name the specific data categories, and give the specific date range. Many dialer vendors delete data by default at 30, 60, or 90 days. If you do not tell them in writing to suspend that policy, they will delete your call logs on schedule, and you will eat the consequences.
Small teams forget the IT angle completely. Auto-archive rules in Gmail or Outlook, automated CRM purges, and scheduled database cleanups all erase relevant ESI without a sound. A hold notice to IT that names specific systems, specific custodians, and specific date ranges is the mechanism that actually stops the deletion. It is not optional.
Write down who got the notice and when. A litigation hold is only as strong as the paper trail proving you issued it.
How do you write an actual TCPA litigation hold notice?
A hold notice can be short. It just has to hit every required element. Here is the structure:
1. Statement of the potential claim. Identify the consumer complaint or demand letter by date and name. Say plainly that litigation is reasonably anticipated.
2. Duty to preserve. Tell the recipient to immediately suspend any routine deletion, overwriting, or recycling of data covered by the hold.
3. Scope of preserved data. List every data category from the table above. Name the systems: "Your call logs in Five9, your lead records in Salesforce, your text logs in Twilio."
4. Date range. Identify the campaign period plus a buffer on either side (at least 30 days before the first alleged contact through the present).
5. Instructions for physical and electronic data. Include voicemail recordings, phone records on company-issued devices, and any personal devices used for work calls.
6. Contact for questions. Name the attorney or compliance lead handling the matter.
7. Acknowledgment requirement. Ask recipients to sign and return a confirmation that they received the notice and understand their obligations.
Send it by email and keep read receipts or follow-up confirmations. If you have outside counsel, they should write or at least review the notice, because attorney-client privilege can protect the communications around the hold even when the hold itself ends up producible.
Refresh the notice on a schedule, especially if the case drags. Courts have found that a one-time hold that nobody ever repeats lets employees drift back into normal deletion habits, and the company still owns the loss. [3]
What are the worst consequences of getting a TCPA litigation hold wrong?
Spoliation sanctions are the main risk, and they run from painful to fatal.
The mildest is a monetary penalty covering the other side's attorney fees for the motion plus any re-discovery costs. Those can run $10,000 to $50,000 for a routine ESI dispute.
The most common sanction in TCPA cases is the adverse inference instruction. The jury hears that because you destroyed data you had a duty to keep, they may conclude the missing data would have hurt you. In a consent dispute, an adverse inference on consent records can flip the whole case. [1]
In extreme cases, courts have entered terminating sanctions, striking the defendant's answer and entering default judgment. Then the only open question is how much you owe, not whether. Given TCPA's per-call damages, a class covering 100,000 calls can produce a $50 million to $150 million default judgment.
The Credit One TCPA settlement resolved for $75 million after years of litigation over claims of calls to wrong numbers and reassigned numbers. See [credit one tcpa settlement] That case turned on the merits, but defendants with incomplete records walk into much harder settlement talks.
Federal courts also have inherent authority to sanction bad-faith conduct outside the Rule 37(e) framework. If a court decides you destroyed evidence on purpose, you face contempt, extra monetary sanctions, and possible referral to bar authorities if attorneys were involved.
Here is the part worth remembering: a solid hold helps your offense too. When you produce a complete, organized set of consent records and scrub logs, plaintiff's counsel often narrows the class or drops the weak claims early. The data that proves your defense is the same data the hold preserves.
How do you preserve data held by third-party vendors?
This is the single most overlooked piece of a small team's litigation hold. Your dialer vendor, your lead provider, and your consent platform all hold data you do not control. If they delete it on their standard schedule, you can still face spoliation sanctions, because courts ask whether you took reasonable steps to cause the data to be preserved, more than whether you controlled it directly. [1]
For each vendor in your stack, do this:
Send a written preservation demand by email (with delivery confirmation) the same day you issue your internal hold. Name the specific data types, specific campaigns, and specific date range. Ask for written confirmation that deletion has been suspended.
Read your contracts. Many dialer agreements cap data retention at 90 days or hand ownership of call recordings to the vendor. If your contract lets the vendor delete on a schedule, negotiate an extension in writing, fast.
Use a subpoena if a vendor stonewalls. Under FRCP 45, your counsel can subpoena third parties to preserve and produce ESI. This is rare with cooperative vendors but matters when a lead provider goes quiet.
If your dialer is cloud-based, ask the vendor to suspend any auto-delete or data lifecycle policy for the custodian accounts tied to the relevant campaigns. Get it in writing. Most SaaS vendors comply quickly once a formal hold notice on company letterhead lands in their inbox.
For cold calling operations that buy from several lead providers, the chain of consent often passes through two or three vendors before it reaches you. Preserve records from every link. See [do not call telemarketer list] Plaintiffs' attorneys subpoena lead providers directly, then use gaps between your records and theirs to argue you built consent documentation after the fact.
What systems and tools should you use to execute the hold?
Small teams do not need expensive eDiscovery software to run a competent TCPA litigation hold. You need documentation discipline and a clear chain of custody. That is it.
Start here:
Create a hold register. A plain spreadsheet listing every custodian notified, the date they were notified, the date they acknowledged, and the systems covered for each. Update it whenever you add a custodian or refresh the notice.
Snapshot your CRM and dialer data immediately. Export the relevant records to a read-only format (CSV or PDF exports in a locked folder) the same day you issue the hold. That baseline copy cannot be changed by later system updates or vendor deletions.
Turn off auto-delete in every system you control. In Salesforce, check your data retention settings and field history tracking. Most dialers have an admin setting for call recording retention. In Google Workspace or Microsoft 365, your IT admin can place a litigation hold on specific mailboxes through the admin console, which suspends auto-archive and purge for those accounts.
Log everything. Every export you run, every vendor you contact, every confirmation you get back. Courts read your hold process as a window into your whole compliance culture. A well-documented hold is evidence of good faith even when some data was lost before the trigger.
LeadCompliant's free compliance kit includes a litigation hold notice template and a data mapping worksheet built for the systems most common in outbound sales stacks. They do not replace legal counsel. They get your first draft done in a day instead of two weeks.
For text message marketing teams, opt-in records in your SMS platform (Twilio, Bandwidth, Attentive, and the like) are the most perishable data you have. Many platforms purge event logs at 30 days by default. Snapshot those logs first.
How long do you need to keep the data on hold?
The hold stays active until the litigation ends or counsel confirms in writing that the matter has resolved and the hold can lift. There is no calendar rule.
TCPA class actions take one to three years to resolve, so you may sit on frozen data for a long stretch. That is the argument for a real data architecture from day one instead of an emergency freeze that throws operations into chaos.
Once counsel issues a written release, record it in your hold register and run a formal destruction process. Do not leave data in legal limbo after a case closes. Sitting data is new privacy risk and storage cost with zero legal upside.
For records outside active litigation, your retention schedule should still keep consent data and call logs for at least four years, matching the TCPA statute of limitations under 28 U.S.C. § 1658. [4] The FCC's rules on written consent do not fix a retention period, but plaintiff's firms request records going back four years, so that is the practical floor. [6] Some state laws add their own twist: California's CCPA imposes deletion duties that can collide with TCPA preservation duties, so pull in counsel if you are holding California consumer data. [7]
What does a TCPA litigation hold look like in practice for a small team?
Picture a real scenario. Your sales manager gets an email on a Tuesday from a plaintiff's attorney. It cites 47 U.S.C. § 227, names your company, references calls to the attorney's client between March and June 2024, and demands $10,000 to settle within 30 days or a class complaint follows.
That email is your trigger. Here is what the next 24 hours should look like:
Hour 1: Forward the demand letter to your attorney (and if you do not have one, put finding one at the top of the list). Do not reply to the plaintiff's attorney directly.
Hour 2: Issue your internal hold notice to everyone who touched that March through June campaign. Sales reps, the compliance owner, IT, marketing ops.
Hour 3: Export call logs for the relevant period from your dialer. Save them to a locked folder only the compliance owner can change. Note the export timestamp.
Hour 4: Export consent records for the plaintiff's number and for every number in the relevant campaign. Note the export timestamp.
Hour 6: Email your dialer vendor, your lead provider, and your consent platform with written preservation demands.
Hour 8: Pull your DNC scrub records for the campaign period. Confirm you have the download receipt from the FTC's DNC subscription and the scrub run logs. [5] See [how do i get the do not call list]
Hour 24: Confirm IT has placed litigation holds on the relevant mailboxes and turned off auto-delete for the relevant CRM records.
That is the whole drill. No heroics. Just speed and documentation. Teams that lose TCPA cases over spoliation almost never destroyed data on purpose. They lost because nobody escalated the demand letter for a week, and the automated batch delete ran over the weekend.
Can you use a cold call or text record to your advantage once preserved?
Yes, and this is the part people miss. A litigation hold is defensive by default, but the data you preserve is also your offense.
Say you have a clean, timestamped, unbroken chain of consent records showing the plaintiff opted in on a specific date, from a specific IP address, checked a specific consent box, and got a confirmation message back. That evidence usually ends the case fast. TCPA plaintiff's attorneys know what good consent looks like. When they see it, they move on to easier targets.
Call logs that show your cold call operation scrubbed against the National DNC Registry within 31 days of each call, that the plaintiff's number was not on the registry at scrub time, and that your dialer flagged the number correctly are strong affirmative evidence. [6]
Preserved dialer configuration data can help on the ATDS question too. In Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), the Supreme Court narrowed the definition of an automatic telephone dialing system to equipment that uses a random or sequential number generator. [8] If your dialer config logs show it dialed from a fixed list rather than generating numbers randomly or sequentially, that can be dispositive on liability.
Preserving data well is what lets your attorney make those arguments credibly. The worst litigation position is not "we have bad facts." It is "we might have good facts but we cannot prove them because the records are gone."
What should your ongoing compliance process include to make future holds easier?
A litigation hold is far easier to run if your data is already organized and retained properly before any dispute lands. Build a few habits now.
Document consent at the point of collection. Every opt-in should generate a timestamped record with the source URL, the exact consent language the consumer saw, and the consumer's IP address. Store those records somewhere that does not auto-delete. If you run text message marketing campaigns, your ESP or SMS platform should produce an audit trail for every opt-in.
Keep DNC scrub receipts. Every time you download from the National DNC Registry or run a scrub, save the confirmation. The FTC's Telemarketing Sales Rule requires you to scrub against the registry every 31 days for each number you plan to call. [9] That receipt is your proof.
Run a data map. Know where your consent data, call logs, and suppression lists actually live, down to the system name and the person responsible for each. When a demand letter arrives at 9 a.m., you have no time to go find out.
Test your hold process once a year. Issue a mock hold notice, confirm IT can execute the email litigation hold within two hours, and verify your vendor contacts are current. The two-hour drill is cheap. The spoliation sanction is not.
LeadCompliant's compliance kit includes a data map template built around the most common small-team outbound stacks. Run through it once and you will know exactly which systems you would freeze in a real hold.
Frequently asked questions
When does the duty to preserve TCPA evidence actually begin?
The duty begins when you reasonably anticipate litigation. Courts have consistently held that a written demand letter citing TCPA, an FCC complaint, or a cease-and-desist from a plaintiff's attorney all trigger the duty, even before a complaint is filed. Do not wait for service of process. The gap between demand letter and lawsuit is where most evidence gets destroyed.
What happens if you accidentally delete TCPA call records after a demand letter?
Courts treat post-trigger deletion as potential spoliation even when it is accidental. Under FRCP 37(e), if ESI is lost because you failed to take reasonable steps to preserve it, a court can impose measures ranging from an adverse inference instruction (telling the jury to assume the missing data hurt your case) to dismissal of your defenses. Document your hold process carefully so you can show good faith if records are lost anyway.
How long do you have to preserve TCPA data after a demand letter?
Preserve everything until your attorney issues a written release confirming the matter has resolved. TCPA class actions typically take one to three years. Outside active litigation, keep consent records and call logs for at least four years to match the TCPA statute of limitations under 28 U.S.C. § 1658. Some state privacy laws impose competing deletion duties, so get counsel involved if you hold California consumer data.
Do you need to notify your dialer vendor or lead provider about a litigation hold?
Yes. Courts have sanctioned defendants for failing to notify vendors when the defendant knew the vendor held relevant data and had a short-term deletion policy. Send a written preservation demand to your dialer, lead provider, and consent platform the same day you issue your internal hold. Get written confirmation from each vendor that their deletion schedules have been suspended for the relevant data.
What is an adverse inference instruction and how bad is it in a TCPA case?
An adverse inference instruction tells the jury they may assume that lost or destroyed evidence would have been harmful to the party that lost it. In a TCPA consent case, an adverse inference on consent records essentially tells the jury to assume you did not have consent. That can flip an otherwise winnable case. Residential Funding Corp. v. DeGeorge Financial Corp., 306 F.3d 99 (2d Cir. 2002) upheld this sanction even without proof of intentional destruction.
Does the TCPA litigation hold cover text message records, or just calls?
It covers both. 47 U.S.C. § 227 applies to calls and texts to cell phones. Your SMS platform logs (including sent/received timestamps, message content, campaign IDs, and opt-in records) are equally subject to preservation. Many SMS platforms delete event logs at 30 days by default, so snapshot those records within the first few hours of issuing your hold.
What is the TCPA statute of limitations, and how does it affect how long you retain data?
The TCPA has a four-year statute of limitations under 28 U.S.C. § 1658, the general federal statute of limitations. That means any call or text made within the past four years can be the basis of a new claim. Your standing data retention policy should keep consent records and call logs for at least four years so that you have evidence on hand when any demand arrives.
Can the Facebook v. Duguid ruling on ATDS affect what dialer data you need to preserve?
Yes. The Supreme Court's 2021 decision in Facebook, Inc. v. Duguid narrowed ATDS to equipment using a random or sequential number generator. Dialer configuration logs showing your system called from a fixed list, not a randomly generated one, can be a decisive liability defense. Preserve those configuration records and any vendor documentation that describes how your dialer generates or selects numbers.
How do you handle a litigation hold if you do not have in-house legal counsel?
Get outside TCPA counsel on the phone within 24 hours of receiving a demand letter. While you are arranging that, issue a basic internal hold notice yourself, covering the systems and people in the relevant campaign, and send preservation demand emails to your vendors. Document every step. Outside counsel can ratify and improve your hold when they engage, but the first 24 hours of data preservation cannot wait for an attorney engagement letter.
Do DNC scrub records count as part of a TCPA litigation hold?
Yes, they are among the most important records to preserve. If the plaintiff is on the National DNC Registry, your defense depends on showing a timely and complete scrub. Preserve your FTC subscription receipts, your scrub run logs, and the match results for the plaintiff's number. The FTC's Telemarketing Sales Rule requires scrubbing every 31 days, so you need records showing every scrub run during the relevant campaign period.
What is the difference between a litigation hold and a data retention policy?
A data retention policy is your standing rule for how long to keep data before deleting it. A litigation hold is a specific, temporary override that suspends the retention policy for particular data related to a particular dispute. Both are necessary. Your retention policy should keep TCPA-relevant data for four years as a baseline. The hold then freezes specific records beyond that schedule for the duration of the dispute.
How specific does a litigation hold notice need to be about which systems are covered?
Name the specific systems. A hold notice that says 'preserve all relevant data' is not enough. Courts expect you to identify specific custodians, specific platforms (your CRM name, your dialer vendor name, your email provider), and a specific date range. Vagueness gives employees an excuse to interpret the hold narrowly and continue deleting data they reasonably thought was not covered.
Can a TCPA plaintiff get punitive or treble damages if you destroy evidence?
The TCPA itself provides for treble damages of up to $1,500 per call for willful or knowing violations. Courts can also layer spoliation sanctions on top, including fee awards and adverse inferences. If a court finds your evidence destruction was intentional and in bad faith, you face the combination of trebled statutory damages plus whatever additional sanction the court imposes under its inherent authority or FRCP 37(e).
Is a litigation hold the same thing as a TCPA compliance audit?
No. A compliance audit proactively reviews your consent processes, DNC scrub procedures, and dialer settings to find problems before a lawsuit. A litigation hold is a reactive measure triggered by anticipated or actual litigation to freeze relevant evidence. You want both. A clean audit reduces the risk of a lawsuit; a solid hold protects you if one arrives anyway.
Sources
- Federal Rules of Civil Procedure, Rule 37(e), U.S. Courts: Courts may impose sanctions when a party fails to take reasonable steps to preserve ESI after the duty to preserve attaches upon reasonable anticipation of litigation.
- 47 U.S.C. § 227, Telephone Consumer Protection Act, Cornell LII: TCPA statutory damages are $500 per violation and up to $1,500 for willful or knowing violations, with no class-size cap.
- Residential Funding Corp. v. DeGeorge Financial Corp., 306 F.3d 99 (2d Cir. 2002), CourtListener: An adverse inference sanction for ESI loss can be upheld on a finding of gross negligence even without proof of intentional destruction.
- 28 U.S.C. § 1658, General Federal Statute of Limitations, Cornell LII: The TCPA's four-year statute of limitations is governed by 28 U.S.C. § 1658, the general federal catch-all limitations period.
- California Consumer Privacy Act (CCPA), California Attorney General: CCPA imposes data deletion obligations on businesses that can conflict with litigation hold preservation duties for California consumer data.
- Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), Supreme Court of the United States: The Supreme Court narrowed ATDS definition to equipment using a random or sequential number generator to store or produce phone numbers to be called.
- FTC Telemarketing Sales Rule, 16 C.F.R. Part 310, Federal Trade Commission: The Telemarketing Sales Rule requires telemarketers to scrub their call lists against the National DNC Registry at least every 31 days.
- Federal Rules of Civil Procedure, Rule 26(b), ESI and Proportionality, U.S. Courts: FRCP 26(b) governs the scope of discovery and proportionality, relevant to determining which ESI a party must preserve and produce.