Last updated 2026-07-11

TL;DR
TCPA violations carry statutory damages of $500 to $1,500 per call or text, and class actions can reach eight or nine figures. Investors expect this risk quantified in your risk factors, not buried. Disclose your consent practices, your DNC scrubbing process, and any pending claims. Hiding known litigation risk can hand founders a securities fraud claim on top of the TCPA exposure itself.
Why do investors care about TCPA risk at all?
Most early-stage investors have watched at least one portfolio company get blindsided by a TCPA class action, and the math explains the flinch. The statute, 47 U.S.C. § 227, sets damages at $500 per violation and up to $1,500 per willful violation, with no cap on how many violations a class can stack. [1] A company that sends 500,000 promotional texts without proper consent is not looking at a rounding error. It's looking at exposure that can swallow its annual revenue.
The Cash App TCPA class action settled at $15 million. That's a useful anchor when investors try to size this category of liability. [2] The Credit One TCPA settlement hit $75 million. These aren't freak accidents. They're the predictable ending when a company scales outbound before it builds real consent infrastructure.
For a seed-stage company, even a six-figure settlement demand can be fatal, because the legal defense alone often costs more than the settlement in year one. Investors know this cold. Sophisticated angels and institutional funds with consumer-tech or fintech exposure will ask about it directly. If they don't ask, your disclosure still has to cover it, because a surprise surfacing during diligence after a signed term sheet is a much worse conversation.
Here's the short version. TCPA risk is real, quantifiable, and legally recognized, and it belongs in your fundraising materials the same way product liability belongs in a hardware company's disclosures.
What securities rules govern how you disclose startup risk factors?
Private fundraising in the United States carries disclosure duties that most founders underestimate, even at the seed stage. Raising under Regulation D (Rules 504 or 506) exempts you from SEC registration. It does not exempt you from the anti-fraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. [3] Section 10(b) of the Exchange Act and SEC Rule 10b-5 both ban materially false or misleading statements in connection with the sale of any security, and that includes a SAFE or a convertible note. [10]
A "material" fact is one a reasonable investor would consider important to the decision. In TSC Industries v. Northway (1976), the Supreme Court held that a fact is material if "there is a substantial likelihood that a reasonable shareholder would consider it important." [11] So if you know you have TCPA exposure and you leave it out, and an investor later takes a loss and finds the omission, you now have a securities fraud problem sitting on top of the original TCPA problem.
Here's the practical test for a private placement. If you'd be embarrassed to have the fact come out during litigation, it's material and it goes in.
Your TCPA risk factor should live in a formal risk factors section of your private placement memorandum (PPM). For simpler seed rounds, it can live in the deck notes or a standalone disclosure letter that each investor signs. Get a lawyer to review it. That part is not optional.
What does a strong TCPA risk factor actually say?
A strong TCPA risk factor names the statute, quantifies the exposure, describes your real practices, lists any known claims, and admits what's uncertain. Weak disclosure reads like filler: "The company is subject to various federal and state laws including the TCPA." Nobody believes that sentence says anything, and no court will treat it as protective if you knew something specific and buried it.
A strong TCPA risk factor does four things.
First, it names the statute and the dollar exposure. Something like: "The Telephone Consumer Protection Act, 47 U.S.C. § 227, imposes statutory damages of $500 to $1,500 per unlawful call or text message. The company's outbound sales and marketing activities involve [X million] contacts per year, which creates potential aggregate exposure if our consent or scrubbing practices are found non-compliant."
Second, it describes your actual practices honestly. Are you collecting prior express written consent? Are you scrubbing against the National Do Not Call Registry? [4] If yes, say so, and say how often. If no, explain why and what you do instead. Investors care whether you have a defensible position, more than whether you've admitted the law exists.
Third, it discloses any known claims or investigations. Got a demand letter you dismissed as frivolous? It goes in. Any FCC correspondence? It goes in. Materiality does not wait for a lawsuit to be filed.
Fourth, it's honest about uncertainty. The TCPA environment has shifted repeatedly, including the FCC's 2024 one-to-one consent rule [5], and that instability is itself a risk worth naming. You don't know what the next FCC order will say. Say that.
Here's what weak versus strong disclosure looks like side by side:
| Element | Weak disclosure | Strong disclosure |
|---|---|---|
| Statute named | Generic reference | 47 U.S.C. § 227, specific damage amounts |
| Company practices described | None | Consent type, scrubbing cadence, vendor names |
| Known claims | Omitted | All demand letters, pending litigation |
| Regulatory uncertainty | None | FCC rulemaking activity cited |
| Quantified exposure estimate | None | Volume of contacts, estimated per-unit exposure |
How should you quantify TCPA exposure for investors?
Give investors a number, or at least a range with a method behind it. Nobody wants a narrative. Take your annual contact volume, apply a conservative deficiency rate, multiply by the per-violation damages, then discount for how defensible your process is. That's the whole model.
Start with total outbound calls plus texts sent in a year. Then apply a conservative non-compliance rate. Nobody has clean data here, but TCPA plaintiff firms hunt for systemic failures, so even a small slice of contacts with missing consent documentation or a failed DNC scrub can seed a large class. A reasonable conservative assumption is that 1 to 5% of contacts in a typical startup's outbound program carry some consent or scrubbing gap, though that swings hard with how mature the program is.
Multiply the at-risk contact count by $500 for negligent violations or $1,500 for willful ones. That's your theoretical maximum. Then apply a probability discount based on how defensible your consent process is and how aggressive the plaintiffs' bar is in your industry. Your lawyer sets that discount.
A company sending 200,000 outbound texts a year with a 2% deficiency rate carries theoretical exposure of $2 million (at $500) to $6 million (at $1,500) before any probability weighting. That number goes in the disclosure. Investors can work with a range. They cannot work with silence.
Note one more thing for context. TCPA class settlements often resolve at a fraction of theoretical maximum exposure. The Cash App TCPA class action settlement and cases like it suggest courts and mediators recognize that maximum statutory exposure in a big class produces absurd results, so settlements get discounted. That discount is not guaranteed, and defense costs pile up either way.
What TCPA compliance evidence should you show investors during due diligence?
Disclosure is the floor. Showing compliance evidence is what actually builds confidence. Investors running real diligence will ask for documentation, and having it ready shortens the process and signals you run a tight operation.
Here are the core documents to have staged.
Consent records. Every contact you reach out to should have documented prior express consent, or prior express written consent for marketing messages under the 2012 FCC rules. [6] Your CRM or consent platform should produce a per-contact record: when consent was captured, through what mechanism, and what the opt-in language said. If you can't produce that on demand, the gap itself is disclosure-worthy.
DNC scrubbing logs. Show that you scrub against the National do not call list before each campaign, and how often. The FCC requires companies to access the registry no more than 31 days before making calls. [4] Your logs should show the date of each scrub and the list version used.
Vendor contracts. If you use a lead vendor, a dialing platform, or an SMS aggregator, your contract should carry TCPA compliance representations and indemnification language. Investors read these to see whether liability can be pushed upstream.
Training records. Proof that your sales team has been trained on TCPA rules, including calling cell phones, cold calling hours, and the ban on prerecorded voices without consent, makes a "willful" characterization harder to pin on you. Willful violations trigger the $1,500 per-call multiplier. [1]
Any demand letters or complaints received, with your responses attached. Show the paper trail and show your response was timely.
If you use LeadCompliant's compliance kit to systematize this before your raise, you'll have the file structure investors and their lawyers expect. Worth mentioning once, then move on.
Does the FCC's 2024 one-to-one consent rule change what you need to disclose?
Yes, and it's one of the biggest regulatory shifts to flag in any raise happening after 2024. The FCC's January 2024 order amended its TCPA rules to require that prior express written consent for telemarketing calls and texts be obtained one seller at a time. [5] The old trick of a consumer checking a box on a lead gen form that bundled consent for hundreds of "marketing partners" no longer satisfies the TCPA for calls and texts to wireless numbers made with an automatic telephone dialing system.
This lands hard on startups that buy leads or use aggregators. If your growth model runs on purchased leads where consent came through a shared-consent form, that consent may not be valid under the new rule. That's a direct, material risk to your business model, and investors need to see it named.
The one-to-one rule had a compliance deadline originally set for January 2025. There's been litigation over the rule's scope and implementation, so confirm the current status with counsel, because timelines in this area move. The direction of travel is not ambiguous: consent has to be specific to your company, not bundled with a crowd of other marketers.
Name the order directly in your risk factor. Cite it as "In the Matter of Advanced Methods to Target and Eliminate Unlawful Robocalls, FCC 24-17." Then state whether your current consent process conforms to the one-to-one standard, and what any required changes cost and how long they take. That level of operational specificity is what separates a credible disclosure from boilerplate.
How do you disclose TCPA risk in a SAFE or convertible note raise versus a Series A?
The form of the raise changes how formal the disclosure has to look. It does not change whether you have to make it. A SAFE gets a signed risk acknowledgment; a Series A gets a full risk factor in the PPM. The underlying duty is identical.
Seed rounds on SAFEs or convertible notes are usually simple enough that founders skip a full PPM. That's common and often fine on the legal mechanics. It does not erase your duty to disclose material risks. In practice, most sophisticated seed investors will sign an acknowledgment of risk factors that you send alongside the SAFE. That acknowledgment is your proof you made the disclosure.
For a Series A with institutional VCs, you'll almost certainly have a PPM, or at minimum a detailed term sheet backed by a data room. The TCPA risk factor belongs in the PPM risk section. VC lawyers run legal diligence and will ask about regulatory compliance specifically. Having your disclosure drafted and your documentation organized can save two to four weeks in diligence, which matters when you're racing to close.
At Series B and beyond, formal representations and warranties in the purchase agreement start to bite. TCPA exposure above certain dollar thresholds may require a disclosure schedule listing known claims. Ask your deal counsel about the thresholds in your specific transaction documents.
One practical note. If text message marketing is a core growth channel, call it out by name in the risk factor rather than folding it into generic "communications." The TCPA treats SMS to wireless numbers with the same force as robocalls, and investors in SMS-heavy companies need to understand that per-message exposure is identical to per-call exposure.
What TCPA litigation trends should founders reference to set investor context?
Investors take disclosed risk better when it comes with industry context, more than your company in isolation. A few accurate data points are worth citing. The FCC logs roughly 50,000 to 60,000 TCPA-related complaints a year in recent years, though the exact annual count moves around. [7]
TCPA class action filings have swung since the Supreme Court's 2021 ruling in Facebook v. Duguid, which narrowed the definition of an automatic telephone dialing system (ATDS) and cut some class exposure for companies using modern dialing tech. [8] The ruling did not kill TCPA liability. Plaintiff firms shifted toward artificial or prerecorded voice claims and DNC violations, which reach more broadly.
Settlements in significant TCPA class actions have run from low six figures for small companies to nine figures for large financial services firms. [2] The median in consumer cases is hard to pin down because most settle under confidential terms, but plaintiff-side attorneys have publicly cited per-class-member values in the $25 to $150 range as typical.
State mini-TCPA laws add another layer. Florida's FTSA imposes its own per-call penalties and does not require an ATDS, which makes Florida an active jurisdiction for TCPA-adjacent litigation. [9] If you have real contact volume in Florida, Texas, or Washington, those state risks deserve their own mention alongside the federal exposure.
Founders who can walk through Facebook v. Duguid and explain why it did or didn't change their risk profile come across as far more credible than founders who've never heard the case name. Understanding the landscape reads better than reciting the statute.
What should you do if you have an active TCPA claim during a fundraise?
Disclose it. Full stop. There's no legitimate strategic reason to hide pending litigation from investors, and several strong reasons not to try.
An undisclosed known claim is the textbook definition of a material omission under Rule 10b-5. [10] If the investor finds out after closing, and they will, because litigation is public record, you're now looking at possible rescission of the investment plus a securities fraud claim stacked on the original TCPA claim.
Here's how to disclose an active claim without blowing up your raise.
State the facts flat. The complaint was filed on [date] in [court] by [named plaintiff, or "a purported class action plaintiff"]. The alleged conduct involves [brief description]. The company's current exposure estimate is $X to $Y based on the class size alleged and the statutory damages.
Describe your defense posture. Are you represented by counsel? Is a motion to dismiss pending? Has any class been certified? Class certification is the event that turns a nuisance suit into an existential threat, so certification status drives the exposure sizing.
Describe your insurance coverage. Do you have a commercial general liability policy or a directors and officers policy that reaches this claim? What's the limit? Coverage changes the net exposure for investors a lot.
Show what you changed. If the conduct behind the claim was a specific practice you've since stopped or fixed, say so and show evidence. Investors can accept a company that made a mistake and corrected it. What they can't accept is a founder who still doesn't understand what went wrong.
If you're actively trying to settle before closing, disclose the negotiation status and your settlement reserve. That reserve should also show up in your financials.
How do you structure the actual disclosure document?
If you're drafting this yourself before counsel reviews it, here's a structure that works. This is not legal advice, and an attorney should review anything that goes to investors.
Section header: Risk Factors Related to Regulatory Compliance and Litigation.
Opening sentence: quantify the statutory exposure. "The Telephone Consumer Protection Act, 47 U.S.C. § 227, imposes statutory damages of $500 per violation and up to $1,500 for willful violations on companies that make calls or send text messages to wireless numbers without required consent or in violation of Do Not Call restrictions." [1]
Company operations paragraph: describe your outbound program. How many contacts per year? Which channels (calls, SMS, ringless voicemail)? What consent mechanism? How often do you scrub against the do not call telemarketer list?
Known claims paragraph: list any pending claims, demand letters, or regulatory inquiries, with status.
Regulatory change paragraph: describe the one-to-one consent rule and any other pending FCC proceedings that could hit your business. [5]
State law paragraph: if you operate in Florida, Texas, Washington, or other active mini-TCPA jurisdictions, name those laws.
Mitigation paragraph: describe how you manage the risk. DNC scrubbing cadence, consent management system, counsel retained, employee training. This is where you show the risk is managed, more than acknowledged.
Close: a sentence noting that despite these precautions you cannot guarantee compliance in all circumstances, and that a material adverse judgment could affect the company's financial condition.
Total length for a seed-stage disclosure: 300 to 500 words. For a Series A PPM: up to 800 words with more granular operational detail. Keep it factual and specific. Vague language protects nobody.
What can founders do right now to reduce TCPA risk before the fundraise?
Cleaning up your TCPA posture before you talk to investors does two things at once. It cuts your actual liability, and it shortens the risk factor you have to write. Start with your consent records, because that's where the exposure hides.
Audit those records first. Pull a random sample of 200 to 500 contacts from your outbound list and verify that each one has documented prior express written consent. If a meaningful share has no documentation, that's your disclosure item and your remediation project. Prioritize contacts in mini-TCPA states.
Scrub your list against the National DNC Registry before the next campaign. The FTC maintains the registry and licenses access. [4] Scrub against state DNC lists too. The FTC's site has the current registration and scrubbing requirements. Do it on a rolling 31-day basis going forward.
Review your lead vendor contracts. Any vendor feeding you leads should represent in writing that the leads carry TCPA-compliant consent specific to your company (post the one-to-one rule) and should indemnify you for violations arising from their consent collection. If your current contracts lack that language, get addenda signed before you raise.
Document your training. A one-page memo to your sales team, dated and signed, covering the rules around calling mobile phone do not call list registrants and cell phone calling hours, goes a long way toward defeating a "willful violation" charge if a claim lands.
Get a legal opinion letter, or at minimum a written summary from outside counsel, on your current TCPA posture. Outside counsel confirming in writing that your practices are defensible is a document you can hand to investors. It doesn't erase risk. It shows diligence.
LeadCompliant has a free TCPA compliance kit with consent language templates, a DNC scrubbing log template, and a vendor due diligence checklist. It won't replace counsel, but it gives you a starting structure if you're building from scratch.
Going into the raise, the goal is to be able to say: here's our exposure estimate, here's our consent process, here are our scrubbing logs, here's our counsel's assessment, here's what we'd do if a claim arose. That's a conversation you can have. Hoping nobody asks is not a plan.
Frequently asked questions
Do I have to disclose TCPA risk if I haven't been sued yet?
Yes. Securities materiality does not require a lawsuit to exist. If you know your consent documentation is weak or your DNC scrubbing is inconsistent, that known gap is material, because a reasonable investor would factor it into the decision. Undisclosed known risks are a basis for securities fraud claims under Rule 10b-5, independent of whether a TCPA plaintiff ever shows up.
How much does a TCPA class action actually cost a startup to defend?
Defending a contested TCPA class action typically runs $200,000 to $500,000 before trial, even for small companies, because of the discovery around class certification. Many small companies settle for $50,000 to $500,000 rather than spend more on defense. Insurance, where applicable, can offset a lot of it. The timeline from complaint to resolution commonly runs 18 to 36 months.
What is the FCC's one-to-one consent rule and why does it matter for my fundraise?
The FCC's January 2024 order, FCC 24-17, requires prior express written consent for telemarketing calls and texts to be obtained one seller at a time. Shared lead gen forms bundling multiple marketers no longer satisfy the TCPA for those contacts. If your growth model uses purchased leads, this rule may invalidate a chunk of your list. Investors need to know, because it's both legal exposure and a growth constraint.
Should I get a TCPA compliance audit before pitching investors?
If your business makes or plans significant outbound calls or texts, yes. A short compliance review by outside counsel, covering consent mechanisms and DNC scrubbing, gives you a document to show investors and sets a defensible baseline. It also tells you whether your disclosure has to name specific known gaps. A one-time audit typically costs $2,000 to $8,000 depending on the firm and scope.
Does a TCPA demand letter need to go in my investor disclosure?
Almost certainly yes. A demand letter, even one you think is frivolous, is a known claim against the company. It's potentially material because it signals a plaintiff attorney has flagged you as a target and believes there's evidence of violations. Disclose the date received, the amount demanded, the alleged conduct, and the current status. Silence about it is riskier than the letter itself.
Can I just put generic regulatory risk language in my deck and call it disclosed?
No. Boilerplate like 'we are subject to various regulations' does not adequately disclose a specific, known, quantifiable risk. Courts have held that materiality requires disclosure of specific facts, not general categories. If you know your TCPA exposure is material, you have to quantify it, describe your practices, and list any known claims. Generic language gives you no legal protection.
What happens if an investor finds TCPA problems during due diligence that I didn't disclose?
Outcomes range from a repriced valuation to a withdrawn term sheet to, in serious cases, a post-closing securities fraud claim seeking rescission of the investment. Most investors first try to reprice or add escrow provisions. If the omission was intentional and material, the exposure shifts from TCPA liability alone to potential securities fraud liability for the founders personally.
Do state mini-TCPA laws need to go in my risk disclosure?
Yes, if you have meaningful contact volume in those states. Florida's FTSA does not require an ATDS and imposes its own per-call penalties, so it can be broader exposure than the federal TCPA in some scenarios. Washington, Texas, and several other states have their own analog laws. If you contact a material number of consumers there, name the specific state laws in your risk factor.
Does D&O insurance cover TCPA claims?
Generally no, not for the underlying TCPA liability. Directors and officers insurance covers claims against individuals for management decisions, not the company's direct statutory violations. Some commercial general liability policies have covered TCPA claims under 'personal and advertising injury' provisions, though insurers increasingly exclude it. Check your current policies and disclose the coverage gap if one exists. This matters to investors.
How do I handle TCPA risk disclosure in a crowdfunding raise under Regulation CF?
Regulation CF filings on SEC-registered portals require a Form C, which includes a risk factors section. [12] The SEC's rules require disclosure of any facts that make the offering risky or speculative. Material TCPA exposure belongs there using the same specificity standard as a Reg D raise. Form C is a public filing, so the disclosure becomes public record, which is one more reason to get it right.
What if my TCPA compliance improved significantly last year? Do I still need to disclose old practices?
Yes, for two reasons. The statute of limitations under the TCPA is four years, so old practices can still spawn current claims. And any conduct in the lookback period that could give rise to a claim stays a known risk until the limitations period runs. Disclose the old practices, the rough volume of contacts under them, and the changes you made. The improvement is a mitigant, not an eraser.
How should I talk about TCPA risk verbally in investor meetings without making it sound catastrophic?
Frame it as a managed operational risk with a known cost range. Explain your consent process and scrubbing cadence, give the exposure estimate, note what you've done to cut it, and cite your counsel's assessment. Investors fund companies with risks daily. The ones who walk away from TCPA disclosure usually do so because the number is too large for the business, not because the risk exists. Candor builds more trust than minimizing.
Is there a standard format for TCPA risk disclosures in private placements?
No regulatory body prescribes a specific format. The standard comes from securities materiality doctrine and market practice. Your risk factor should name the statute, quantify the exposure, describe your practices, disclose known claims, and address regulatory change risk. Length scales with the raise: 300 to 500 words for seed, up to 800 for Series A. Have securities counsel review the final language before it reaches investors.
Sources
- U.S. Congress, Telephone Consumer Protection Act, 47 U.S.C. § 227: TCPA statutory damages are $500 per violation and up to $1,500 for willful violations, with no class-level cap.
- Stanford Law School, Securities Class Action Clearinghouse: Large TCPA class action settlements have reached into the tens of millions of dollars, with Cash App settling at $15 million as a reference point for investor context.
- U.S. Securities and Exchange Commission, Exempt Offerings (Regulation D): Regulation D provides exemptions from SEC registration but not from the anti-fraud provisions of the Securities Act of 1933 or the Exchange Act.
- Federal Trade Commission, National Do Not Call Registry: Companies must scrub contact lists against the National DNC Registry no more than 31 days before making calls to ensure compliance.
- U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court narrowed the definition of an automatic telephone dialing system, reducing some class action exposure for companies using modern dialing technology.
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's FTSA imposes its own per-call penalties and does not require proof of ATDS use, making Florida a particularly active jurisdiction for TCPA-adjacent litigation.
- U.S. Securities and Exchange Commission, Rule 10b-5, 17 CFR § 240.10b-5: SEC Rule 10b-5 prohibits materially false or misleading statements in connection with the sale of any security, including private placements such as SAFEs and convertible notes.
- U.S. Supreme Court, TSC Industries Inc. v. Northway Inc., 426 U.S. 438 (1976): The Supreme Court held that a fact is material if there is a substantial likelihood a reasonable shareholder would consider it important, altering the total mix of available information.
- U.S. Securities and Exchange Commission, Regulation Crowdfunding: Regulation CF requires a Form C public filing with a risk factors section, making material TCPA exposure disclosures part of the public record.