How to prioritize TCPA compliance fixes by risk level

TCPA violations cost $500-$1,500 per call or text. Learn how to rank your compliance gaps by actual lawsuit risk and fix the highest-exposure issues first.

LeadCompliant Team
22 min read
In This Article

Last updated 2026-07-11

Person reviewing compliance spreadsheets at a wooden conference table in morning light
Person reviewing compliance spreadsheets at a wooden conference table in morning light

TL;DR

TCPA violations do not carry equal risk. Autodialed calls or texts to cell phones without written consent, plus DNC Registry failures, create the biggest exposure at $500 to $1,500 per violation. Fix them in this order: cell phone consent gaps, DNC scrubbing, abandoned call rates, then internal policy. Attack the violations that draw class actions first.

Why does TCPA risk vary so much by violation type?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, is not one rule. It is a stack of rules with different consent standards, different damage amounts, and wildly different litigation histories.[1] That gap matters when you have limited time and money to spend on fixes.

Some violations almost never draw lawsuits. Others are the bread and butter of the plaintiffs' bar. A small team that tries to fix everything at once usually fixes nothing well, so risk-based triage is the right frame.

The highest-risk violations share three traits. They scale, so one bad practice hits thousands of people at once. They are easy to prove with call records. And they attract class treatment. Autodialer calls to cell phones without prior express written consent check every box. A single class action there can settle in the tens of millions, as the cash app tcpa class action settlement showed when Cash App's parent agreed to pay $3.5 million over unsolicited texts.[2]

Compare that to a technical failure to state your name and number at the top of a call. Real violation. Rarely a class suit. Fix it, but not before you fix your consent process.

What is the risk tier framework that actually makes sense?

Sort every TCPA issue into four tiers. Tier 1 problems produce class actions and eight-figure exposure. Tier 2 problems produce individual suits or regulatory complaints in the low five figures per incident. Tier 3 problems draw state attorney general interest or FCC complaints but rarely private lawsuits. Tier 4 problems are housekeeping: technical breaches nobody sues over alone.

Here is how the major TCPA issues sort out:

TierIssueMax statutory damageClass action history?
1Autodialed/prerecorded calls to cell phones without written consent$1,500/call (willful)Yes, very common
1Texts to cell phones without prior express written consent$1,500/text (willful)Yes, very common
1DNC Registry violations (calling registered numbers without EBR)$1,500/call (willful)Yes, frequently
2Abandoned call rate above 3% per campaign$500-$1,500/callOccasional
2Calling outside 8 a.m.-9 p.m. local time$500-$1,500/callRare as standalone
3Failure to maintain internal DNC list$500/callRegulatory, rare private
3Missing opt-out mechanism in prerecorded messages$500/callRegulatory
4Caller ID identification failures$500/callAlmost never standalone

Those damage figures come straight from 47 U.S.C. § 227(b)(3), which sets $500 per violation and up to $1,500 when a court finds the violation willful or knowing.[1]

Start your remediation at Tier 1. That is where the money is, and that is where lawyers fish for clients.

Your Tier 1 job: confirm you hold valid prior express written consent for every cell phone number in your outreach list before you make another autodialed call or send another marketing text. Nothing else on this page matters more.

The FCC's 2012 rule under 47 C.F.R. § 64.1200 tightened consent hard. Prerecorded or autodialed marketing calls to cell phones now need prior express written consent, meaning a signed agreement that clearly authorizes calls to a specific number using an autodialer or prerecorded voice and carries the required disclosures.[3] The signature can be electronic.

Run your list through four questions:

1. Where did each cell number come from? Purchased lists almost never carry adequate TCPA consent. Organic opt-ins from your own web forms might, but only if the form language was specific enough.

2. Does your consent language name your company, describe the call or text type, state that consent is not a condition of purchase, and include a clear disclosure? Generic "I agree to the terms" language almost never survives litigation.

3. How old is the consent? The FCC has set no hard expiration date, but courts have found stale consent (years old, no intervening contact) inadequate. Anything past 18 to 24 months with no engagement deserves a second look.

4. Can you produce a timestamped consent record for any number you contact? If you cannot, you are undefended.

Find a segment where consent documentation is missing or thin? Stop autodialing those numbers now while you build a remediation path. That is not overcaution. Given $1,500-per-call exposure, it is the only rational move.

Before you redesign your intake forms, the cold calling rules explain how outbound calling interacts with cell phone consent requirements.

TCPA statutory damages by violation tier Per-violation exposure under 47 U.S.C. § 227(b)(3), negligent vs. willful Negligent violation (any TCPA bre… $500 Willful/knowing violation (any TC… $1,500 FTC civil penalty per DNC violati… $52k Source: Cornell Law School / Legal Information Institute, 47 U.S.C. § 227 (Citation 1)

How do you fix DNC scrubbing gaps, and how often does it need to happen?

Scrub every number against the National Do Not Call Registry within 31 days before you call it. Monthly is the floor, not the goal. The FTC runs the Registry, and it holds over 249 million active registrations as of recent reporting.[4] Calling a registered number without a qualifying exemption (an established business relationship, or EBR, being the most common) is a Tier 1 violation.

Fines from the FTC and FCC can reach $51,744 per violation as of 2024 adjustments, on top of any private TCPA claim.[4]

The FTC's Telemarketing Sales Rule requires you to scrub call lists against the Registry before calling, and it caps the age of your list data at 31 days.[5] Scrub quarterly and you are out of compliance for most of the year.

A schedule that works for most teams: pull a fresh Registry file every 15 to 30 days, then run every number you plan to contact through it before each campaign launch. Higher list volume means scrub more often.

Do not forget your internal DNC list. When someone tells you to stop calling, you must add them to your internal suppression list within 30 days and honor that request for at least five years.[5] Teams lose track of internal opt-outs constantly, and it creates real liability.

For how to actually pull and use the Registry file, see how do i get the do not call list. Cell numbers land on the national list right alongside landlines, so the mobile phone do not call list context bears directly on your cell outreach.

The do not call list and do not call telemarketer list resources cover related scrubbing duties if you want more depth.

What abandoned call rate violations look like and why they matter

If you run a predictive dialer, the FCC's rule at 47 C.F.R. § 64.1200(a)(7) caps your abandoned call rate at 3% of calls answered by a live person, measured per campaign over a 30-day period.[3] A call is abandoned when your dialer connects a person but no agent is free, so the system drops the line or plays dead air.

This is a Tier 2 issue. It rarely spawns class actions on its own, but it feeds individual complaints and FCC enforcement, and the FCC has issued multi-million-dollar fines for systemic abandoned call problems. The same rule requires an automated identification message within two seconds of the person saying hello when no agent is available, plus a toll-free callback number.

If your dialer reports abandoned rates, audit them monthly. If you cannot measure your abandoned rate, fix that before anything else on this issue. You cannot manage what you cannot see.

One warning. The 3% threshold sounds like headroom. It is not. Riding that headroom while you also have consent and DNC gaps makes enforcement and litigation far more likely. Plaintiffs and regulators read stacked violations as evidence of willfulness, which drags damage math toward the $1,500 ceiling.

How do you assess your text message compliance exposure?

SMS marketing to cell phones needs prior express written consent under the same framework as autodialed voice calls, per 47 C.F.R. § 64.1200.[3] Text case volume has climbed sharply since 2020. Text message marketing deserves its own audit track, separate from voice, because the consent flows run through different systems and the records live in different places.

Three SMS situations carry the most risk.

A third-party list for text outreach. If someone else collected those opt-ins, the consent almost certainly does not cover your messages. The FCC and courts have held consistently that consent must run to the specific company sending the texts, not a vague "partners" disclosure.

Texting after someone sends STOP. CTIA guidelines and FCC rules both require you to honor opt-outs within a reasonable time, which courts read as effectively immediate. A system that keeps texting an opted-out number for even one or two cycles builds serious per-message exposure.

Sending texts outside 8 a.m. to 9 p.m. local time. The TCPA's calling hours restriction covers texts too.

Audit your SMS platform's opt-out handling first. Then audit how you capture and document consent at opt-in. If SMS consent lives in a different system than voice consent, make sure both feed the same suppression list.

How do you rank and sequence compliance projects when resources are limited?

Here is the sequence I would run for a 5 to 20 person sales team with one person handling compliance part-time.

Week 1 to 2: Stop the bleeding. Pull any segment of your list where you cannot document written consent. Do not autodial or text those numbers until you have a remediation plan. It costs you outreach volume short term. Do it anyway.

Week 2 to 4: Fix DNC scrubbing. Set up a monthly scrub with your current vendor, or get direct Registry access at donotcall.gov.[4] Confirm your internal suppression list is current and actually applied before each campaign.

Month 2: Audit consent documentation. For every active list, record where each number came from, what consent language was used, and when. If you opt people in through a web form, review the exact language shown at submission. Add a consent audit log to your CRM.

Month 3: Fix SMS opt-out handling and review text consent flows. Text STOP from a number in your system and confirm it drops from every active campaign within 24 hours.

Month 3 to 4: Address Tier 3 and Tier 4 issues. Update prerecorded scripts to include opt-out instructions. Verify caller ID practices. Document your abandoned call rate monitoring.

At this stage, LeadCompliant's compliance kit (at leadcompliant.com) has a consent documentation template and a TCPA checklist mapped to this tier structure, which saves you from building tracking documents from scratch.

Ongoing: Scrub DNC monthly, audit consent records quarterly, and train anyone who touches outreach workflows on what needs compliance review before launch.

What do real TCPA settlements tell us about which violations are most dangerous?

Case outcomes guide risk better than the statute alone, because the statute treats many violations the same on paper while the litigation reality splits them wide open.

A few data points worth carrying around:

The credit one tcpa settlement reached $12.5 million over autodialed calls made after consumers revoked consent. That is the pattern courts hate most: calling after a clear revocation. If your system has no reliable way to flag and honor revocation, treat that as a Tier 1 emergency.

In 2021, Facebook (now Meta) settled a TCPA text case for $650 million, among the largest TCPA settlements on record.[6] The claim was autodialed texts without adequate consent. Scale drives it. Thousands or millions of violations at $500 to $1,500 each build settlement pressure even when individual liability is shaky.

A WebRecon review of TCPA filings found roughly 1,700 to 2,000 TCPA cases filed in federal courts annually in recent years, most tied to autodialed calls and texts to cell phones.[7] DNC violations show up often as co-claims but rarely drive a class action on their own.

The lesson is clean. Your worst exposure is the combination of cell phones, autodialers, and missing or thin consent documentation. Plaintiffs' attorneys look there first, because those cases prove easily on call records and certify easily as a class.

How should you handle state law TCPA analogs in your risk ranking?

Federal TCPA compliance is necessary but not enough once you call into states with their own telemarketing laws. Some state statutes run stricter than the TCPA and open additional private rights of action.

Florida's Telephone Solicitation Act got a serious tightening in 2021. It bars autodialed calls and texts to Florida residents without prior express written consent, much like the TCPA, and it also restricts calls using a list from a lead aggregator unless the consumer specifically opted in to being contacted by your company.[8] That last piece hits hard if you buy leads.

Washington State's telephone solicitation rules and its Commercial Electronic Mail Act pile on obligations for anyone calling Washington consumers.

California layers the CCPA and its Rosenthal Fair Debt Collection Practices Act on top, which overlaps with TCPA issues for any team doing collections or debt-related outreach.

For ranking purposes: if more than 20% of your list sits in Florida, Texas, or California, add a state law review to your Month 2 audit. These laws bite hardest when your outreach is geographically concentrated, because one violation pattern then sweeps in a large share of your list.

For the underlying federal statute in full, the tcpa resource walks through the core rules.

What does a practical TCPA risk register look like?

A risk register is a spreadsheet that turns your ranking into something concrete and trackable. Here is the minimum viable version.

Columns: Violation type | Tier | Current status (open/in progress/closed) | Estimated exposure ($) | Owner | Target close date | Evidence of fix.

For estimated exposure, multiply the number of potentially affected contacts by the $500 per-violation minimum. The number will alarm you. Good. That is the point. It creates urgency without needing a lawsuit to force action.

For evidence of fix, this is the column most teams skip. A fix is not real until it is documented. Changed your consent form language? Save a timestamped screenshot. Set up monthly DNC scrubs? Save each month's scrub report. These records are your defense if you get sued.

Review the register monthly. The compliance picture shifts every time you add a channel, buy a list, hire an SDR, or launch a campaign. None of those should happen without a compliance checkpoint.

One honest note: nobody has clean data on how much a documented compliance program actually cuts settlement exposure, because most cases settle confidentially. What we do know is that courts and regulators treat documented good-faith efforts as evidence against willfulness, which decides whether you pay $500 or $1,500 per violation and whether a class gets certified.[1]

How do you build a process so compliance does not slip again?

The real problem at small teams is not ignorance of the rules. It is treating compliance as a one-time project instead of a standing process. Six months later the list has grown by 40,000 contacts with no consent audit, and the DNC scrub has not run in three months.

Four structural changes that stick:

Make DNC scrubbing a launch condition for every campaign. Your CRM or dialer should block a campaign from going live if the list was not scrubbed against the Registry within the last 30 days. Most major dialer platforms enforce this at the workflow level.

Make consent documentation a required field in lead intake. Every new number should carry a source field, a consent type field, and a consent date field. Empty fields, not dialable.

Assign one person to own the risk register and review it monthly. At a small team that is usually the sales manager or ops lead, not a dedicated compliance officer. Fine. It just needs an owner.

Run a quarterly call audit. Pull a random sample of 50 recordings and check them against the rules: identification at the start, no calls outside 8 a.m. to 9 p.m., opt-outs honored, no abandoned calls missing the required message. It takes about two hours and surfaces problems before they become lawsuits.

LeadCompliant's free TCPA checkers at leadcompliant.com verify individual numbers against the DNC Registry and flag consent documentation gaps without a subscription, which helps during an audit when you want a fast read on a specific number or batch.

This is not legal advice. If your exposure is material, work with a TCPA-focused attorney. The framework here is a starting point, not a substitute for counsel.

Frequently asked questions

What is the single highest-risk TCPA violation for a small sales team?

Autodialed or prerecorded calls to cell phones without prior express written consent. This is where class actions start, where settlement values top out (up to $1,500 per call), and where consent documentation is most often missing. If you run a predictive dialer against purchased lists, audit those numbers before anything else.

How much can a TCPA violation actually cost per incident?

The statute sets $500 per violation for negligent violations and up to $1,500 per violation when a court finds the violation willful or knowing, per 47 U.S.C. § 227(b)(3). In a class action with thousands of affected consumers, those figures produce settlement pressure in the millions before litigation costs. The FTC can separately impose civil penalties up to $51,744 per violation for DNC Registry breaches.

Does the TCPA apply to text messages the same way it applies to calls?

Yes. The FCC confirmed that text messages are calls under the TCPA in its 2003 ruling. Autodialed marketing texts to cell phones need prior express written consent under 47 C.F.R. § 64.1200, the same standard as voice calls. Opt-out requests via text (like STOP) must be honored. The calling hours restriction (8 a.m. to 9 p.m. local time) applies to texts too.

How often do you need to scrub your call list against the DNC Registry?

The FTC's Telemarketing Sales Rule requires your Registry data to be no more than 31 days old at the time of any call. In practice that means scrubbing at least monthly, before each campaign launch. Many teams scrub every two weeks as a buffer. Quarterly scrubs leave you in violation for most of the year.

Prior express written consent is a signed agreement (electronic signature counts) that clearly authorizes calls or texts from a specific company to a specific phone number, using an autodialer or prerecorded voice, and states that consent is not a condition of purchase. You must produce a timestamped consent record for any number you contact. Generic terms-of-service checkboxes rarely meet this standard.

An established business relationship (EBR) exempts you from some DNC Registry obligations for landline calls, but it does not substitute for prior express written consent for autodialed or prerecorded calls to cell phones. Those cell calls need written consent regardless of any prior business relationship. This is one of the most commonly misunderstood distinctions in TCPA compliance.

What happens if you call someone who previously told you to stop calling?

Calling after someone revokes consent reads to courts as strong evidence of willful violation, which supports $1,500-per-call damages instead of $500. The Credit One TCPA settlement ($12.5 million) centered on this exact pattern. Once someone revokes consent, stop immediately and add them to your internal DNC list, which you must honor for at least five years.

Does the TCPA's 3% abandoned call rule apply to all outbound calling?

The 3% abandoned call rate limit under 47 C.F.R. § 64.1200(a)(7) applies to calls made using a predictive dialer or similar technology that may connect calls before an agent is free. It is measured per campaign over a rolling 30-day period. Manual dialing, where an agent is on the line before the call connects, is not subject to this specific rule, though other TCPA rules still apply.

Are there state laws stricter than the federal TCPA that I need to worry about?

Yes. Florida's Telephone Solicitation Act (2021 revision), Washington's telephone solicitation rules, and California's privacy and consumer protection laws all create obligations beyond the federal TCPA. Florida's law specifically restricts calls made using leads purchased from aggregators unless the consumer opted in to the specific caller. If your list skews toward Florida, California, or Washington consumers, add a state law audit to your plan.

What evidence do I need to defend a TCPA lawsuit successfully?

You need a timestamped consent record for the specific number called, proof your list was scrubbed against the DNC Registry within 31 days before the call, call records showing compliance with calling hours, and documented policies showing compliance is systematic rather than accidental. Documented good-faith compliance efforts weigh against willfulness findings and can drop per-violation damages from $1,500 to $500.

Should I stop using a predictive dialer to reduce TCPA risk?

Not necessarily. A predictive dialer used with proper consent documentation, current DNC scrubs, and an abandoned call rate inside the 3% limit is legally compliant. The risk is not the technology, it is running that technology against lists where consent is missing or inadequate. Switching to manual dialing removes some exposure but does not fix underlying consent or DNC problems.

How do I know if my existing opt-in forms capture TCPA-compliant consent?

Check four things. Does the form identify your company by name? Does it describe the type of calls or texts the person will receive? Does it state that consent is not a condition of purchase? Is the consent language clearly visible near the submission button, not buried in terms? If any of those four elements is missing, your consent is likely inadequate for TCPA purposes.

What is the difference between a TCPA violation and a DNC Registry violation in terms of who can sue?

Both create private rights of action for individuals under 47 U.S.C. § 227. The FTC enforces the DNC Registry separately and can impose civil penalties on top of private suits. TCPA autodialer and prerecorded call violations are the more common basis for class action litigation because they prove easily at scale using call records. DNC violations often appear as co-claims alongside TCPA claims rather than as the primary case.

Sources

  1. Cornell Law School / Legal Information Institute, 47 U.S.C. § 227: Statutory damages of $500 per violation and up to $1,500 for willful or knowing violations under the TCPA
  2. CNET, Cash App TCPA class action settlement reporting: Cash App's parent agreed to pay $3.5 million to resolve TCPA claims over unsolicited texts
  3. FCC, 47 C.F.R. § 64.1200 (Code of Federal Regulations): Prior express written consent required for autodialed or prerecorded marketing calls to cell phones; 3% abandoned call rate limit per campaign
  4. FTC, National Do Not Call Registry: National DNC Registry contains over 249 million active registrations; FTC civil penalties up to $51,744 per DNC violation
  5. FTC, Telemarketing Sales Rule (16 C.F.R. Part 310): Call list data must not be more than 31 days old; internal DNC requests must be honored within 30 days and for at least five years
  6. Reuters, Facebook $650 million TCPA text message settlement: Facebook settled a TCPA text message class action for $650 million related to autodialed texts without adequate consent
  7. WebRecon, TCPA federal lawsuit filing statistics: Approximately 1,700 to 2,000 TCPA cases filed in federal courts annually in recent years, majority related to autodialed calls and texts to cell phones
  8. Florida Legislature, Florida Telephone Solicitation Act (Fla. Stat. § 501.059): Florida's 2021 Telephone Solicitation Act prohibits autodialed calls and texts to Florida residents without prior express written consent and restricts use of leads from aggregators

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit