Last updated 2026-07-11

TL;DR
Investors want proof your outbound program can't spawn a TCPA class action that eats the deal. That means written consent records, a scrubbed DNC policy, call and SMS logs tied to consent, staff training records, and an incident response plan. Most teams have the practices but not the paper trail. This guide shows what to document, in what format, and why each piece matters in due diligence.
Why do investors care about TCPA documentation at all?
TCPA liability is now a standard line item in M&A due diligence. The reason is simple math. Under 47 U.S.C. § 227, statutory damages run $500 per violation and up to $1,500 per willful violation, with no cap on class size [1]. A company that sent 100,000 unconsented marketing texts faces up to $150 million in exposure before a single lawyer files a motion.
Settlements confirm the risk is real. The Cash App TCPA class action settlement resolved for $5 million. Credit One Bank's TCPA settlement reached $12.5 million. These aren't outliers anymore. They're the comparable transactions a buyer's counsel will cite when they value your contingent liability.
Private equity and strategic buyers have responded by adding TCPA to the standard reps-and-warranties checklist. If you can't produce consent records, scrub logs, or a written policy, underwriters for reps-and-warranties insurance will either exclude TCPA coverage or price the policy to reflect the unknown. That kills the deal or cuts your valuation directly.
Here's the good news. Documenting a compliance program isn't the same as building one from scratch. Most outbound teams already scrub numbers, collect consent, and train staff. The gap is almost always the paper trail, not the practice.
What documents does a TCPA compliance program actually need?
Think of the documentation stack in five layers. Each layer answers a specific question a compliance auditor or investor's counsel will ask.
Layer 1: The written compliance policy This is the governing document. It names the owner of TCPA compliance, defines what communications require prior express written consent versus prior express consent, sets your internal calling hours (the TCPA federal floor is 8 a.m. to 9 p.m. local time [1]), and describes how employees escalate a possible violation. Two to four pages is fine. A fifty-page manual nobody reads is worse than a short policy people actually follow.
Layer 2: Consent records For autodialed or prerecorded calls and texts to cell phones, the FCC requires "prior express written consent" that meets specific elements: a clear and conspicuous disclosure, a checkbox or signature that isn't preconditioned on a purchase, and a plain-English description of what the person agrees to receive [2]. Your records need the timestamp, the IP address or signed form, and the exact disclosure language the person saw when they consented. A screenshot of your current opt-in form is not enough if you can't tie it to a specific record.
Layer 3: DNC compliance records You need a written procedure for how you access and scrub against the National Do Not Call Registry [3], how often you re-scrub (the FTC requires scrubbing every 31 days for active lists [4]), and how you handle internal DNC requests. Document every scrub with a date-stamped export or API confirmation. If you use a third-party scrubbing vendor, keep the vendor contracts and their compliance certifications.
Layer 4: Training records Every employee or contractor who makes outbound calls or sends marketing texts should have a signed acknowledgment that they finished TCPA training and understand the policy. The training doesn't need to be elaborate, but the record needs to exist. Date it. Version it. When the law changes, retrain and re-document.
Layer 5: Incident log This is the document most teams skip. Any complaint, opt-out request, potential violation, or regulatory inquiry gets logged with a date, description, and resolution. An empty log is fine and is evidence of a clean program. A missing log just means you have no way to show there were no incidents.
For a closer look at how these layers work in day-to-day outbound, see our overview of TCPA basics and the rules around cold calling.
What format should TCPA compliance records be in?
Format matters because investors and their counsel need to review records fast, and auditors need to verify the records weren't fabricated after the fact.
Consent records belong in a database, not a spreadsheet. Each contact's record should carry a unique identifier, the phone number, the consent timestamp in UTC, the source URL or form ID, the IP address, and the text of the disclosure shown. If you collected consent by phone (an inbound call, say), you need a call recording or a written transcript plus a notation that the disclosure was read verbatim.
DNC scrub logs should be machine-generated exports from your CRM or dialer showing the date of each scrub and the list version used. The FTC's SAN (Subscriber Account Number) system generates a confirmation number for each data download. Keep those confirmation numbers [4].
Policies and training records should be version-controlled with effective dates. Use a simple document management system or a dated folder structure with PDF exports. What you want to avoid is a policy with no date or version number, because that tells an auditor it was created retroactively.
Call logs for autodialed campaigns should show the number called, the date and time, the campaign name, the consent record ID that authorized the call, and the outcome. Many dialers export this natively. The point is simple: pull up any single call and trace it back to a consent record in a few clicks.
How do you document consent for text message marketing?
Text message marketing is the highest-risk TCPA category right now, and it draws the most scrutiny in due diligence. The FCC's 2023 one-to-one consent rule, effective January 27, 2025, requires that written consent for robotexts name the specific seller, not a lead generator or aggregator [2]. Consent captured through a shared opt-in form that says "I agree to be contacted by our partners" no longer meets the standard.
To document compliant SMS consent, you need:
1. The exact opt-in language the subscriber saw, stored with an effective date. 2. A database entry showing the subscriber's phone number, consent timestamp, and the form or keyword that captured consent. 3. Confirmation that the opt-in language named your company specifically. 4. A record of the opt-out mechanism disclosed to the subscriber (typically STOP to unsubscribe). 5. For lead-gen consent: the specific source where the lead opted in, not the aggregator's certification.
For text message marketing campaigns, also document your message frequency disclosure and proof that you honored every STOP request on time. The FCC requires opt-outs to be honored promptly, and industry practice treats "promptly" as within 10 business days, though immediately is safer and technically easy on any modern SMS platform.
Keep screenshots of your opt-in flows, especially the mobile landing pages. These are the exhibits that get attached to your compliance certification during due diligence.
What does a DNC compliance policy need to say?
A written Do Not Call policy is required by federal law, more than good practice. The FTC's Telemarketing Sales Rule requires every telemarketer to have a written policy available on demand, train its personnel on the policy, and maintain a company-specific DNC list [4].
Your written DNC policy should cover:
- How consumers can ask to be added to your internal DNC list (phone, email, or verbal request).
- The maximum time to honor a DNC request, which is legally required to be within 30 days of the request [4].
- How you access the National DNC Registry (your SAN number, your scrubbing vendor, or both).
- How often you re-scrub active lists against the registry.
- How you handle wireless numbers, since cell phones are covered by both the TCPA and the DNC rules.
- Your safe harbor procedures, because companies that rely on a registry scrub that was accurate within the last 31 days have a safe harbor against DNC violations even if a number was added in the interim [4].
For more on how the registry works and who can access it, see how to get the do not call list and our overview of the do not call telemarketer list rules.
Document every scrub with a date-stamped log. If you use a vendor, get their scrub confirmation in writing and store it. An investor's counsel will want to see scrubs happening on a rolling basis, not once at program launch.
What should a TCPA written compliance policy actually say?
Here's a simple structure that covers what investors and auditors look for. This isn't a template to copy word for word. Get a telecom attorney to review it for your specific program. But the sections below are the ones a diligence reviewer will check for.
Section 1: Scope. Which channels does this policy cover? Outbound calls, SMS, voicemail drops, ringless voicemail? Be specific. A policy that says "we comply with applicable law" is not a policy.
Section 2: Consent standards. Define what prior express written consent means for your program, what the disclosure language must include, and who is authorized to approve new opt-in flows.
Section 3: Calling hours. State your internal rule. Federal law bars calls before 8 a.m. or after 9 p.m. local time [1]. Some companies adopt a tighter internal standard, like 9 a.m. to 8 p.m., to build a buffer. Document whatever your standard is.
Section 4: DNC compliance. Cross-reference your DNC procedure. State the 30-day honor window for internal DNC requests.
Section 5: Prohibited practices. No calls to numbers on the internal DNC list. No prerecorded messages without consent. No spoofed caller IDs (this also implicates the TRACED Act [5]). No abandoned calls above the 3 percent abandonment cap for predictive dialers [1].
Section 6: Training and accountability. Who completes training, how often, and who keeps the records.
Section 7: Incident response. What happens when a complaint arrives? Who reviews it, within what timeframe, and how is it logged?
Section 8: Policy ownership and review date. Name a person, not a title. Set a review date at least annually.
How do you document staff training for TCPA purposes?
Training records are easy to build and easy to neglect. Investors' counsel will ask for them by name, because the willful violation standard under 47 U.S.C. § 227(b)(3) allows treble damages when the defendant knew or should have known about the requirement [1]. A training record showing an employee was explicitly taught the rule, then broke it anyway, can help you argue the company itself didn't act willfully.
Minimum training documentation:
- Name of the employee or contractor.
- Date of training completion.
- Version of the policy they trained on (match the version number to the policy document).
- A signature or electronic acknowledgment.
- A short description of what the training covered.
New hires should train before they make their first outbound contact. Existing staff get annual refreshers, plus extra training any time the law or your policy changes materially. The FCC's 2023 consent rules that took effect in January 2025 are one such trigger for a documented refresher [2].
You don't need a fancy LMS. A signed PDF acknowledgment with the right fields is defensible. What you can't do is claim employees were trained with no record to show for it.
What does a TCPA incident log look like and why does it matter?
An incident log is the document that shows a program is alive, not a binder someone assembled for the deal.
Every compliance-mature organization logs TCPA-adjacent events: consumer complaints about unwanted calls or texts, opt-out requests through any channel, any internal flag that a call may have gone out without proper consent, and any regulatory inquiry or demand letter. The log doesn't need to be long. For a clean program, it should be short.
Each entry needs: date received, description of the event, who handled it, what action was taken, and date of resolution. That's five fields. You can keep it in a spreadsheet if your volume is low.
For investors, the log does two jobs. It shows that when problems came up, you caught them and fixed them, which is evidence of a working compliance culture. And it lets you make a credible representation in the deal that there are no pending or threatened TCPA claims beyond what's listed, because you have the log to back it up.
A missing incident log doesn't suggest there were no incidents. It just means you can't make that representation credibly, and a prudent buyer will assume the worst when setting escrow holdbacks.
How should you organize TCPA documentation for a due diligence review?
When an investor or their counsel requests your compliance documentation, they'll usually send a diligence request list. TCPA items typically show up under "regulatory compliance" or "litigation and claims." Having your documents organized in advance saves time and signals operational maturity.
A clean TCPA due diligence folder structure looks like this:
| Folder | Contents |
|---|---|
| Policy | Written TCPA/DNC compliance policy, version-dated |
| Consent Records | Sample exports from consent database (not all records, just samples and the schema) |
| DNC Scrub Logs | Last 12 months of scrub confirmations with dates |
| Training Records | Signed acknowledgments for all current outbound staff |
| Opt-in Flows | Screenshots of every active consent capture form |
| Incident Log | All TCPA complaints, opt-out requests, and inquiries |
| Vendor Agreements | Contracts with dialer, SMS platform, and scrub vendors, including their compliance reps |
| Legal Opinions | Any outside counsel memos on your program (if you have them) |
The LeadCompliant compliance kit organizes these into a ready-to-export package you can hand to counsel or drop into a virtual data room, which helps if you're preparing for a raise or sale and want to move fast.
One practical tip. Don't produce your entire consent database in raw form during early-stage diligence. Provide a representative sample and the schema, and offer a more detailed review under an NDA at a later stage. This protects your customer data while still proving the records exist and are well-structured.
What are the biggest TCPA documentation gaps investors find?
Based on the public record of TCPA enforcement and litigation, the gaps that create the most deal risk are predictable.
No consent records for older contacts. Many companies upgraded their consent practices at some point but never backfilled documentation for lists acquired or built before the upgrade. If you're still calling or texting any number added to your CRM before your current consent process existed, you need retroactive consent documentation or you purge those contacts.
Lead-gen consent that fails the one-to-one standard. The FCC's 2023 rules targeted the comparison-shopping-website model, where a consumer fills out one form and gets contacted by dozens of companies [2]. If any part of your list came from a lead aggregator, you need documentation that the opt-in named your company specifically.
DNC scrubs that happened once at list import and never again. The 31-day re-scrub requirement under the TSR is missed all the time [4]. Investors will ask for a scrub log showing ongoing compliance, not a single historical scrub.
Verbal consent claims with no supporting record. Some teams log inbound call consent as "customer called us and agreed to be contacted." That's not enough for autodialed or prerecorded communications. You need a recording or a written contemporaneous note that includes the disclosure language read to the customer.
No policy for wireless numbers. Mobile phone do not call list rules get their own treatment in many compliance policies because the TCPA applies to cell phones regardless of DNC registration [1]. If your policy doesn't address wireless number handling, that's a flag.
For teams running outbound sales, our cold call compliance guide covers the consent and DNC issues that come up most in practice.
What do reps and warranties in a deal look like for TCPA compliance?
In a standard purchase agreement, the seller is asked to represent that the company has been in material compliance with applicable telemarketing laws, including the TCPA and the Telemarketing Sales Rule. The language varies, but the seller typically reps that:
- The company has a written TCPA compliance policy.
- All marketing communications went out with required consents.
- There are no pending or threatened claims, investigations, or demand letters related to TCPA.
- The company has maintained and honored its DNC obligations.
The FTC's Telemarketing Sales Rule, 16 C.F.R. Part 310, requires sellers engaged in outbound telemarketing to have written policies, which makes this a verifiable legal obligation, not a best practice [4].
If any of those reps can't be made cleanly, you have three options: negotiate a carve-out from the rep with a specific disclosure, fund an indemnity escrow for the identified exposure, or clean up the program before signing. The first two cut your proceeds. The third takes time but is the right answer if you have runway before the deal closes.
Reps-and-warranties insurers have gotten specific about TCPA. Several now require a TCPA compliance questionnaire during underwriting, and exclusions for undisclosed TCPA exposure are common in policies written after 2022.
How long should you retain TCPA compliance records?
The TCPA's four-year federal statute of limitations under 28 U.S.C. § 1658 means a plaintiff can sue over a violation that happened up to four years ago [6]. That sets the floor for retention.
The practical answer: keep records at least five years from the date of the communication. That gives you a one-year buffer beyond the federal limitations period and covers most state-law claims, which have varying statutes but rarely exceed four years for this type of action.
For consent records specifically, keep them five years from the last date you communicated with that contact, not from the date consent was captured. If you re-engaged a contact three years after their original opt-in, the clock resets.
The FTC's TSR requires certain telemarketing records to be kept for 24 months [4]. That's the regulatory minimum, not the litigation-prudent standard. For investor documentation, five years of retention history is the expectation.
When you archive old records, document the archiving process too. An investor may ask, "Can you produce consent records from three years ago?" You want to say yes with a clear retrieval process, not "they might be in an old database somewhere."
Frequently asked questions
Do I actually need a written TCPA policy or is practicing compliance enough?
You need both. The FTC's Telemarketing Sales Rule explicitly requires a written Do Not Call policy available on demand, and FCC consent rules require documented consent records, not verbal assurances. In litigation, unwritten practices are nearly impossible to prove. For investors, an undocumented program looks identical to a non-compliant one during diligence.
How do investors verify that consent records are real and not created after the fact?
They look at the technical metadata. Legitimate consent records have UTC timestamps, IP addresses, and form version IDs that match your web analytics and deployment history. A consent record with a timestamp that predates your opt-in form's launch date, or that lacks an IP address, is a red flag. Storing records in a tamper-evident database or with a third-party consent management platform makes verification straightforward.
What is the TCPA statutory damages amount per violation?
Under 47 U.S.C. § 227, the minimum is $500 per violation. For willful or knowing violations, a court can raise damages up to $1,500 per violation. There's no statutory cap on the number of class members or total damages, which is why class actions here produce settlements in the millions even for short campaigns.
Does the FCC's 2023 one-to-one consent rule affect existing lead lists?
Yes, and this is the most common gap investors find. The rule, effective January 27, 2025, requires consent to name the specific seller. Contacts on lists acquired through shared lead-gen forms before that date may not have compliant consent under the new standard. You either re-consent those contacts or remove them from your active dialing and texting lists.
What TCPA documentation do I need if I use a third-party lead vendor?
You need the vendor's consent certification, the specific opt-in language the lead saw at point of capture, proof that your company was named in that disclosure, and the date the consent was captured. A vendor's blanket certification that "all leads are TCPA compliant" is not enough. Under the one-to-one consent rule, the burden is on you to verify that your company was specifically named.
How often do I need to re-scrub my calling list against the National DNC Registry?
At minimum every 31 days for lists you're actively dialing. The FTC's Telemarketing Sales Rule provides a safe harbor for calls to numbers that weren't on the registry at the time of the last scrub, as long as that scrub was within 31 days. For diligence, you want date-stamped scrub logs showing this happened on a rolling basis, more than at list import.
What happens if a company I'm acquiring has undisclosed TCPA exposure?
If the seller repped that there were no pending or threatened TCPA claims and that turns out false, you have an indemnification claim. But indemnification claims take time and money to pursue. Reps-and-warranties insurance can cover the gap, but many insurers now specifically exclude TCPA claims unless the seller provides a compliance questionnaire and supporting documentation during underwriting.
Is ringless voicemail covered by TCPA and does it need consent documentation?
This is unsettled law. The FCC has received petitions on both sides. Several courts have found ringless voicemail is a "call" under the TCPA because it delivers a message to voicemail, which connects to the phone line. The safe, documentable position is to treat ringless voicemail like a prerecorded call and require prior express written consent. Documenting that you took the conservative approach protects you if the law resolves against the technology.
What is the statute of limitations for TCPA claims and how does it affect retention?
The federal statute of limitations for TCPA claims is four years under 28 U.S.C. § 1658. Some state law claims may run longer. The practical retention standard is five years from the last date of communication with a contact. That covers the federal period plus a buffer and is what sophisticated buyers expect to see during diligence.
Do small outbound teams need the same TCPA documentation as large enterprises?
Yes, proportionately. The law has no small-business exemption. The documentation doesn't need to be elaborate: a two-page policy, a consent database, DNC scrub logs, and signed training acknowledgments are achievable for a five-person team. What matters is that each category of document exists and is current. A short, accurate policy beats a long one that doesn't reflect your actual practice.
Should I get an outside attorney to review my TCPA compliance program before a deal?
Yes, especially if your program involves lead-gen consent, autodialed SMS, or any volume over a few thousand contacts per month. A telecom attorney can spot gaps before investors do and provide a written opinion you can include in the data room. The opinion doesn't guarantee compliance, but it shows investors you took the program seriously and had qualified counsel review it.
What is the FTC Telemarketing Sales Rule and how does it relate to TCPA documentation?
The Telemarketing Sales Rule (16 C.F.R. Part 310) is the FTC's companion regulation to the TCPA. It requires sellers and telemarketers to maintain a written DNC policy, honor DNC requests within 30 days, scrub against the National DNC Registry, and keep certain records for 24 months. For investor diligence, TSR and TCPA documentation requirements overlap heavily, and a single compliance program typically satisfies both.
Can I use a compliance checklist as a substitute for a full written policy?
A checklist can supplement a policy but can't replace it. Regulators and plaintiffs' counsel want a governing document that sets rules, assigns responsibility, and is versioned and dated. A checklist shows tasks were completed. A policy shows the organization had a deliberate framework. For investor diligence, presenting only a checklist signals an informal program, which creates uncertainty about what your practices actually looked like.
What free tools exist to check whether my number lists are DNC-compliant before diligence?
The FCC's consumer complaint database and the FTC's National DNC Registry are the primary public resources. LeadCompliant offers a free DNC checker for spot-checking individual numbers, plus a one-time compliance kit that packages policy templates, consent record schemas, and scrub log formats into a single data-room-ready export. Neither replaces a full audit, but both help identify obvious gaps quickly.
Sources
- 47 U.S.C. § 227, Telephone Consumer Protection Act (Cornell LII): $500 statutory damages per violation, up to $1,500 for willful violations; 8 a.m. to 9 p.m. local calling hours restriction; 3% predictive dialer abandonment cap
- FCC, Report and Order on One-to-One Consent (FCC-23-107, 2023): FCC's 2023 one-to-one consent rule requiring robotext/robocall consent to name the specific seller, effective January 27, 2025
- FTC, National Do Not Call Registry (donotcall.gov): National DNC Registry operates as the federal list consumers register to avoid unwanted telemarketing calls
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Written DNC policy required on demand; DNC requests must be honored within 30 days; 31-day safe harbor for registry scrubs; 24-month record retention requirement
- TRACED Act, Pub. L. 116-105 (Congress.gov): TRACED Act prohibits caller ID spoofing, extending and strengthening enforcement alongside TCPA obligations
- 28 U.S.C. § 1658, Federal Statute of Limitations (Cornell LII): Four-year federal statute of limitations applicable to TCPA claims
- FCC, Rules and Regulations Implementing the TCPA, 47 C.F.R. § 64.1200 (Cornell LII): FCC regulatory implementation of prior express written consent, calling hours, and DNC requirements under the TCPA
- FTC, Complying with the Telemarketing Sales Rule: TSR compliance requirements for written policies, personnel training, and DNC list maintenance
- SEC, EDGAR full-text search (M&A filings with TCPA contingent liability disclosures): TCPA settlements and contingent liabilities disclosed in public M&A filings, including multi-million dollar settlement amounts