Last updated 2026-07-11

TL;DR
A TCPA incident response plan is a written playbook your team follows the moment a complaint, demand letter, or lawsuit arrives. It names who stops outreach, who pulls records, who talks to counsel, and what you preserve. Without one, you lose the hours that matter most and hand plaintiffs' lawyers the easy wins they count on.
What is a TCPA incident response plan and why does your team need one?
A TCPA incident response plan is a documented, step-by-step procedure that tells your team exactly what to do when a complaint, cease-and-desist letter, opt-out failure notice, or lawsuit under the Telephone Consumer Protection Act arrives. It names responsible people, sets time limits, and specifies what records to freeze and what communications to route through counsel.
Most outbound teams have no such document. They improvise. And improvising in the first 24 to 72 hours of a TCPA complaint is one of the fastest ways to turn a manageable problem into a class action. [1]
The TCPA sits at 47 U.S.C. § 227 and carries statutory damages of $500 per violation for negligent violations and $1,500 per violation for willful ones. [2] Those numbers do not sound catastrophic until you multiply them by the size of a contact list. A campaign that touched 50,000 cell numbers without proper consent is not a $500 problem. The math gets ugly fast.
A written plan does three things. It compresses your response window. It signals to courts and regulators that you run a compliance-aware operation, which matters in willfulness arguments. And it keeps panicked employees from saying the wrong thing to the wrong person before a lawyer is involved.
What does TCPA exposure actually look like for a small outbound team?
Small teams underestimate their exposure because they assume class actions only hit Fortune 500 companies. Wrong assumption. Plaintiffs' firms watch smaller operations closely, because consent records are often weaker and defense budgets are smaller, which raises the odds of a fast settlement.
The cash app tcpa class action settlement and the credit one tcpa settlement are examples of real settlements that ran into eight figures. But individual demand letters targeting a single caller's cell phone are common at the $500 to $1,500 range and often settle for a few thousand dollars. The cost is more than money. It is legal fees, staff time, and reputational damage with carriers who track your complaint rates.
The FCC's 2023 order tightening the "one-to-one consent" rule took effect in early 2025, requiring consent from a single identified seller rather than consent shared across a lead-generation network. [3] That change widened the pool of potentially non-compliant contacts for teams that relied on shared lead vendors.
Here is a plain reality check:
| Scenario | Statutory damage per violation | 10,000-contact campaign exposure |
|---|---|---|
| Negligent TCPA violation | $500 | $5,000,000 |
| Willful TCPA violation | $1,500 | $15,000,000 |
| State mini-TCPA (e.g., Florida FTSA) | Up to $500 per call or text | Varies by state |
Those are statutory maximums, not guaranteed outcomes. Courts reduce them through settlement and judicial discretion. But the exposure range is what drives litigation behavior, and it is why a demand letter over four calls can still cost you real money.
Who should own TCPA incident response inside your company?
Every plan needs a named Incident Commander. At a 10-person company that might be the founder or head of sales operations. At a 50-person company it is usually the head of compliance, general counsel, or whoever owns the cold calling and SMS programs day-to-day.
The Incident Commander does not handle everything alone. They coordinate four roles:
1. Legal contact: the outside or in-house attorney who receives the actual complaint and gives the litigation hold instruction. Nothing moves without their sign-off once litigation is threatened. 2. Records custodian: the person with access to your CRM, dialer logs, consent records, and suppression lists. They freeze the relevant data the moment the Incident Commander calls. 3. Communications lead: the person who handles any response to the complainant, regulator, or press. This is almost never the salesperson who made the call. 4. Technical contact: the person at your dialer vendor, SMS platform, or data provider who can pull raw logs, confirm timestamps, and export records quickly.
Document these roles by name and by backup name. People leave. If your only records custodian quits during active litigation, you have a serious spoliation risk.
The plan should also spell out who is NOT authorized to respond. Front-line sales reps should never reply to a demand letter or a cease-and-desist email on their own. That sounds obvious. It gets violated constantly.
What triggers should activate your TCPA incident response plan?
Not every complaint is a lawsuit trigger, but every complaint is a data signal that deserves a documented review. Your plan should define at least four activation tiers.
Tier 1 is an opt-out or stop request through a normal channel (reply STOP, verbal request, web form). This activates your standard suppression workflow. No escalation needed, but the suppression must be timestamped and logged.
Tier 2 is a written complaint, a letter or email asserting a TCPA violation, or a carrier complaint escalation. This activates your records preservation checklist and requires legal notification within 24 hours.
Tier 3 is a formal demand letter citing 47 U.S.C. § 227, requesting a dollar amount, or threatening litigation. This activates a litigation hold immediately, stops all outreach to the identified number and any related numbers from the same campaign, and requires outside counsel contact within the same business day.
Tier 4 is actual service of process. Your team should know exactly where to send it and what the response deadline is. Federal court gives defendants 21 days to respond to a complaint after service under FRCP Rule 12, and state courts vary. [12] Miss that window and you risk a default judgment.
Build the trigger list with your counsel before any incident. You do not want to be deciding what counts as Tier 3 at 6 PM on a Friday when a demand letter just landed.
What records do you need to preserve when a TCPA complaint arrives?
Spoliation of evidence is a separate, devastating legal problem stacked on top of the underlying TCPA claim. Once litigation is reasonably anticipated, you must preserve all potentially relevant records. Deleting or overwriting data after that point can bring sanctions, adverse inference instructions, or worse. [4]
Your records preservation checklist should cover:
- Dialer or SMS platform logs showing the exact number called or texted, the timestamp, the campaign ID, and the agent or system that initiated the outreach.
- The consent record for that number: the web form submission, lead purchase confirmation, recording of verbal consent, or signed document, with its original timestamp.
- Suppression list snapshots: what lists were you scrubbing against at the time of the call? The do not call list check logs, internal DNC records, and any wireless number scrub records should all be preserved. [5]
- Your lead source documentation: who sold you or provided this contact, what representations did they make about consent, and do you have a written contract with indemnification language?
- Any prior opt-out or complaint from the same number, even if it was in a different campaign or system.
- The script or message template used in the campaign.
- Any carrier or platform complaint notifications tied to the number or campaign.
Store these as a time-stamped archive. Do not drop them in a shared folder where someone can accidentally overwrite them. A simple read-only evidence folder with access logs is enough for most small teams.
How do you draft the actual response protocol your team will follow?
The protocol is a numbered checklist, not a memo. It should fit on one or two pages. Longer documents do not get followed under pressure.
A workable structure looks like this:
Hours 0 to 4: Incident Commander notified. Incident tier assigned. Legal contact notified if Tier 2 or above. Records custodian places a hold on relevant campaign data. No outbound contact to the complainant without legal sign-off.
Hours 4 to 24: Records custodian exports and archives all logs listed in the preservation checklist. Incident Commander documents a preliminary timeline: when the number was acquired, what consent record exists, when the contact occurred, and any prior complaints. Legal reviews and advises on response strategy.
Hours 24 to 72: Legal decides whether to respond to a demand letter and in what form. If a class action is possible, outside counsel with TCPA class action experience is engaged. A preliminary root-cause assessment begins: was this a consent gap, a suppression list failure, a vendor error, or a technical platform issue?
Day 4 onward: Root cause is documented. Remediation steps are identified (fix the consent flow, add a scrub, terminate the vendor, adjust the campaign). A written corrective action memo is created. If regulators are involved, legal coordinates any regulatory response.
None of this is possible if you build it during the incident. Write it, test it with a tabletop drill once a year, and update it when your tech stack or team changes.
What preventive practices reduce the chance of ever needing this plan?
Prevention is cheaper than response. Here is what actually moves the needle, in rough order of impact.
Consent hygiene is the biggest lever. Every contact in your outreach database should have a documented, dated consent record tied to a specific disclosure. The FCC's 2025 one-to-one consent rule means you cannot lean on broad, multi-seller consent language anymore. [3] If you run text message marketing, your opt-in flow needs to name your company explicitly.
Real-time DNC scrubbing matters. The National Do Not Call Registry requires access subscriptions, and you must scrub within 31 days of any call under FTC rules. [5] Scrubbing once at list import is not enough for long-running campaigns. Numbers get added to the DNC every day. You also need to weigh the mobile phone do not call list considerations, because wireless numbers are covered by the TCPA regardless of DNC registration. [6]
Vendor contracts should include TCPA indemnification. If a lead vendor promises consent that does not exist, you want a clause that shifts liability back to them. Most small vendors will not sign strong indemnification, which is itself information about the quality of their consent practices.
Training is underrated. Sales reps who understand that a verbal "stop calling me" is a legally required suppression event, not a rejection to push through, create far fewer incidents. A 30-minute annual training with a written attestation is a realistic standard for a small team.
The do not call telemarketer list and your internal suppression list should be treated as live, operational records, not static files. Any complaint or opt-out should feed back into them the same day it arrives.
How do you handle the conversation with the person who complained?
This is where small teams make the most damaging mistakes. The instinct is to call the person, apologize, and try to make it right. Sometimes that works. More often, it generates an admission that gets used in litigation.
The right answer: route everything through counsel before any substantive response. If you receive a demand letter, do not call the number to apologize. Do not email the person to explain your consent process. Do not have your sales manager call them back to work it out.
For opt-outs and stop requests that are not paired with a legal claim, your response is simple. Honor the request immediately and confirm it in the channel the person used. If they texted STOP, the auto-reply confirmation is enough. If they sent an email, a brief confirmation that they have been removed is fine. Keep it factual and short.
If someone has already retained an attorney, you almost certainly have to communicate counsel-to-counsel. Your attorney will tell you this. Make sure your front-line team knows to forward any attorney communication immediately and not to respond directly.
One thing worth saying plainly: if the complaint is valid, meaning you did call someone who was on the DNC or who had not consented, a quick and reasonable settlement often beats litigation. TCPA defense costs are real. A single TCPA case can cost $50,000 to $150,000 in legal fees to take through discovery, even if you win. Nobody has clean public data on average defense costs for small-team cases specifically, but that range reflects what specialized TCPA defense firms commonly quote.
What should your TCPA incident log look like?
Every incident, even a Tier 1 stop request, should be logged. Over time, your incident log becomes your compliance evidence. If you ever stand in front of a regulator or a plaintiff's attorney arguing willfulness, a documented pattern of taking complaints seriously is genuinely valuable.
A minimal incident log entry has eight fields:
1. Date and time the complaint was received. 2. Channel (phone, email, carrier complaint, legal mail). 3. Tier assigned. 4. Number or contact at issue. 5. Campaign or list source. 6. Consent record status (found, not found, under review). 7. Actions taken, with timestamps and names. 8. Resolution and any corrective actions.
Keep this log for at least four years. The TCPA statute of limitations for private claims is four years under 28 U.S.C. § 1658, the general federal four-year limitations period that courts have applied to these claims. [7] Some state law claims have shorter periods, but the four-year horizon is the safe standard.
LeadCompliant's free compliance kit includes a TCPA incident log template you can adapt, along with a consent audit checklist. These are a reasonable starting point if you do not want to build your own from scratch.
The log should live somewhere your legal team can reach immediately without asking you to email attachments. A shared drive with version control works. A compliance module in your CRM works better if you have one.
How do you test your incident response plan before you need it?
A plan that has never been tested is a document, not a plan. Run a tabletop exercise once a year. It takes two hours. A facilitator (internal or external) walks the team through a fictional TCPA complaint scenario, and each role-player responds as they would in real life.
Good tabletop scenarios to test against:
Scenario A: A lawyer's demand letter arrives claiming your team called a cell phone 12 times in 30 days without consent. Your records show consent was collected, but through a third-party lead vendor whose form language is now unclear.
Scenario B: A carrier complaint comes in during a weekend. Your records custodian is on vacation. The dialer platform is a new vendor you switched to three months ago and whose log export process you have never tested.
Scenario C: A plaintiff's attorney emails your sales manager directly, not the company's legal contact, asking to discuss a potential claim. The manager is tempted to respond.
After the exercise, document gaps and fix them. Common findings: nobody knows how to export logs from the current dialer, the legal contact's cell number is wrong in the plan, or the backup records custodian was never told they had that role.
If you run a cold call volume above 1,000 calls per week, annual tabletop drills are a minimum. If you are below that threshold and your consent processes are clean, a lighter annual review of the written plan with a quick records export test is reasonable.
What does a well-run TCPA incident response look like in practice?
Here is a realistic example built from the structure of cases that settle quietly. A sales team running outbound calls receives a demand letter on a Tuesday afternoon. The letter cites 47 U.S.C. § 227 and claims four calls to a cell number registered on the National Do Not Call Registry.
The sales manager who opens the letter does not call the number back. She follows the plan. She notifies the Incident Commander within 30 minutes. The Incident Commander assigns Tier 3. Outside counsel is notified that evening. The records custodian exports the dialer logs for that number, confirms all four calls occurred, and pulls the DNC scrub log showing the number was not checked in the 31 days before the third and fourth calls.
Counsel reviews the records over 48 hours. The consent record exists for the initial call, but the scrub gap on the later calls is a real problem. Counsel advises settling quickly given the evidence and the cost of defense. A settlement is reached for a few thousand dollars with a release. The corrective action: the team switches to a scrubbing tool that runs automated checks before every outbound session.
Total cost, including legal fees and settlement: roughly $8,000 to $12,000. Painful but survivable. Without the plan, this scenario often costs five to ten times more, because critical records are not preserved, someone says something problematic directly to the plaintiff, or the company blows a response deadline.
The how do i get the do not call list resource explains the scrubbing access process if you are not currently registered with the FTC's National Do Not Call Registry system.
What are the FCC and FTC rules your incident response plan must account for?
Build your plan against real regulatory requirements, not general compliance anxiety. The rules that generate the most incidents for small outbound teams are these.
47 U.S.C. § 227(b) prohibits calls made using an automatic telephone dialing system (ATDS) or a prerecorded voice to cell phones without prior express consent, and to residential lines for telemarketing without prior express written consent. [2] The ATDS definition was narrowed hard by the Supreme Court's April 2021 decision in Facebook v. Duguid, which held that equipment must use a random or sequential number generator to qualify as an ATDS. [8] That ruling matters for your plan because it affects whether certain dialer technology triggers the statute at all.
The FCC's 2023 one-to-one consent order requires that written consent for telemarketing calls or texts name the specific company that will contact the consumer. [3] Consent obtained through a lead aggregator's general form no longer satisfies this requirement if your company is not named.
The FTC's Telemarketing Sales Rule requires telemarketers to check the National Do Not Call Registry at least every 31 days and to maintain an internal DNC list that must be honored within 30 days of a request. [9]
The FCC's call authentication rules under STIR/SHAKEN require carriers to authenticate calls, and companies that generate high complaint rates face increased blocking. [10] That is both a TCPA risk and a deliverability risk.
State laws add more layers. Florida's Telephone Solicitation Act (FTSA), for example, extends TCPA-like protections to calls and texts and has its own consent and calling-hours rules. [11] If you call into Florida, California, or Texas at any volume, your plan should reference those state-specific rules.
You can review LeadCompliant's free TCPA tools to run a quick compliance gap check on your current dialer and consent setup before building your full plan.
Frequently asked questions
How quickly do I need to respond to a TCPA demand letter?
There is no statutory deadline for responding to a pre-litigation demand letter, but speed matters. Most plaintiff attorneys expect a response within 10 to 14 days. Ignoring a demand letter signals weakness and can accelerate a filing. More important, your internal response (preserving records and notifying counsel) should happen within hours of receiving the letter, not days.
Does a TCPA incident response plan protect me from class actions?
It does not immunize you, but it reduces exposure in meaningful ways. A documented response showing you took complaints seriously, preserved evidence, and remediated the root cause can support arguments against willfulness, which is what drives the $1,500 per-violation figure. Courts and opposing counsel do look at whether a company had systems in place. An absent or ignored plan makes settlement negotiations harder.
What is the statute of limitations on TCPA claims?
Private TCPA claims are generally subject to a four-year statute of limitations under 28 U.S.C. § 1658, the federal catch-all limitations period. State law claims based on state mini-TCPA statutes can have shorter periods. Keep your consent records, call logs, and suppression lists for at least four years from the date of any outreach.
Can my lead vendor be held liable for TCPA violations instead of me?
Potentially, but only if your contract includes clear indemnification language and you can show you relied reasonably on their consent representations. Courts have found callers liable even when vendors provided bad data, under the theory that the calling company is the one who made the call. Your vendor contract should include representations about consent validity and indemnification for TCPA claims, but do not count on indemnification as your primary defense.
What is the one-to-one consent rule and how does it affect my incident response plan?
The FCC's December 2023 order, effective in early 2025, requires that consumer consent for telemarketing calls or texts identify the specific seller by name rather than letting one consent cover multiple companies. If your contacts came through a shared lead network before this rule took effect, those consent records may not meet the new standard. Your incident response plan should flag this as a risk factor in any consent review a complaint triggers.
Do I need a TCPA incident response plan if I only send text messages, not calls?
Yes. The TCPA's written consent requirement for marketing texts applies to any message sent using an autodialer or in bulk, and the same $500 to $1,500 per-message statutory damages apply. Text campaigns often involve higher volumes than calls, so the exposure math gets larger faster. An incident response plan for SMS outreach is arguably more important than for voice, not less.
What should I do if a TCPA complaint names my company in a class action?
Stop all outreach to the claimed class of numbers immediately pending legal review. Engage outside counsel with TCPA class action experience right away. Preserve every record related to the campaign described in the complaint. Do not contact class members or their attorney without your counsel's explicit direction. Class actions move on their own timetable, but your first 72 hours of documented response will matter throughout the litigation.
How often should I update my TCPA incident response plan?
Review the written plan at least once a year. Trigger an off-cycle update any time you change your dialer or SMS platform, switch lead vendors, hire or lose the person named as Incident Commander or records custodian, or when a significant new regulatory rule takes effect. The FCC's 2025 consent rule is an example of a change that should have prompted immediate plan review for any team using shared lead sources.
What is the difference between a TCPA incident response plan and a general compliance program?
A compliance program is your ongoing, day-to-day system for staying within TCPA rules: consent collection, DNC scrubbing, call-hours policies, training. An incident response plan is what you do when something goes wrong despite that program. You need both. The compliance program reduces incident frequency. The response plan limits damage when an incident happens anyway. They reference each other but serve different purposes.
Can employees be personally liable under the TCPA?
Generally the company is the liable party, but courts have held individual corporate officers personally liable where they directly participated in or directed the violating conduct. If a sales manager personally authorized a campaign that violated the TCPA after being warned, personal liability is a real possibility. That is one reason the incident response plan should route complaints up the chain rather than let front-line employees manage them.
What records do I need to prove TCPA consent if I am sued?
You need the original opt-in record with a timestamp, the IP address or other identifier of the device used to submit consent, the exact disclosure language shown at the time of consent, and evidence that your company was named in that disclosure. For verbal consent, you need a recording. For written consent collected through a lead vendor, you need their documentation plus your contract with them. Courts examine all of this.
Does the Facebook v. Duguid Supreme Court decision affect my TCPA risk?
Yes, but narrowly. The April 2021 ruling in Facebook Inc. v. Duguid held that an automatic telephone dialing system (ATDS) under the TCPA must use a random or sequential number generator. Many modern predictive dialers do not meet that definition, which reduces TCPA exposure for some call campaigns. But prerecorded voice calls and texts still carry separate TCPA restrictions that do not depend on the ATDS definition, so the ruling did not eliminate risk for most outbound teams.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: Statutory damages of $500 per negligent violation and $1,500 per willful violation under 47 U.S.C. § 227
- Federal Rules of Civil Procedure, Rule 37(e), Spoliation and ESI: Courts may impose sanctions including adverse inference instructions for failure to preserve electronically stored information once litigation is reasonably anticipated
- Federal Trade Commission, National Do Not Call Registry (business guidance): Telemarketers must scrub against the National Do Not Call Registry at least every 31 days
- U.S. Code, 47 U.S.C. § 227, TCPA cell phone protections: Wireless numbers are protected by the TCPA regardless of whether they appear on the National DNC Registry
- U.S. Code, 28 U.S.C. § 1658, four-year statute of limitations: Federal four-year catch-all statute of limitations applied to private TCPA claims
- U.S. Supreme Court, Facebook Inc. v. Duguid, No. 19-511 (2021): Supreme Court held in April 2021 that an ATDS must use a random or sequential number generator to qualify under the TCPA
- Federal Trade Commission, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires telemarketers to maintain internal DNC lists and honor requests within 30 days
- Florida Legislature, Florida Telephone Solicitation Act, § 501.059 F.S.: Florida FTSA extends TCPA-like protections to calls and texts with its own consent and calling-hours requirements
- Federal Rules of Civil Procedure, Rule 12: Federal defendants generally have 21 days after service to respond to a complaint under FRCP Rule 12