Last updated 2026-07-11

TL;DR
You don't need a $700/hour telecom litigator on retainer to manage TCPA risk. Most small teams get 80% of the protection from a one-time compliance audit (often $1,500 to $5,000), a consent workflow reviewed by counsel, and a plan for demand letters. Smart upfront spending beats $1,500 per statutory violation later.
Why does outside counsel matter for TCPA compliance at all?
The TCPA is a federal statute, 47 U.S.C. § 227, that lets private plaintiffs sue you directly without going through a regulator first. [1] That private right of action is the thing that makes it different from most business rules. Your state AG can pile on too. And class actions are the norm, because every recipient of an allegedly bad call or text is a potential named plaintiff.
Statutory damages run $500 per violation for negligent conduct and up to $1,500 per violation for willful conduct. [1] Send 50,000 texts without proper consent and the willful math is $75 million. That number shrinks in class settlements, but the Cash App TCPA class action settlement still paid out tens of millions, and the Credit One TCPA settlement landed in similar territory.
So why outside counsel specifically? In-house teams at small companies rarely have anyone who tracks FCC orders as they drop, knows the circuit split on revocation of consent, or has handled a demand letter from a professional plaintiff's firm. A lawyer who does this every week has pattern recognition you can't build from reading blog posts, including this one.
The goal isn't a lawyer signing off on everything forever. The goal is to borrow their expertise at the right moments so your internal process runs on its own.
What does TCPA outside counsel actually cost, and what drives the price?
Hourly rates for telecom or privacy counsel in the U.S. run from roughly $250/hour at boutique firms to $700 or $900/hour at large litigation shops. [2] For a small outbound team, the BigLaw end is almost never right unless you're already in active litigation.
Here's the honest breakdown of what different engagements cost:
| Engagement type | Typical cost range | What you get |
|---|---|---|
| One-time compliance audit | $1,500 to $5,000 | Written opinion on your workflow, consent language, scrubbing process |
| Template review (consent forms, scripts) | $500 to $2,000 | Markup plus a memo on what to change |
| Demand letter response | $1,500 to $5,000 | Letter back to plaintiff's counsel, initial strategy call |
| Ongoing retainer (monthly) | $1,500 to $6,000/mo | Rolling advice, regulatory monitoring, faster turnaround |
| Class action defense | $50,000 to $500,000+ | Full litigation, discovery, potential trial |
The one-time audit is where most small teams get the best return. You pay once, you learn exactly where your gaps are, and you fix them. That costs less than a single statutory violation.
What drives cost up: vague questions, disorganized records, asking the lawyer to build your process from scratch instead of reviewing what you have, and waiting until a demand letter shows up. What drives cost down: a clear written description of your calling or texting workflow, organized consent records, and specific questions instead of open-ended ones.
How do you find the right TCPA counsel without overpaying?
Start with specialization. A general business attorney who handles contracts and employment disputes is the wrong person for a TCPA matter. You want someone who has defended or advised on TCPA cases, knows the FCC's one-to-one consent orders from 2023 and 2024, and can name cases like ACA International v. FCC or Facebook v. Duguid without pausing. [3][8]
Where to find them.
State bar referral services sometimes have telecom or privacy subcategories. Martindale-Hubbell lets you filter by practice area. [9] The National Association of Consumer Advocates publishes a member directory of plaintiff's attorneys, which sounds backwards but works: their list tells you who the active plaintiff firms are, which tells you who the active defense firms are fighting them. [10]
Ask whether they've handled TCPA matters in the last 24 months, how many demand letters they've answered, and whether they've dealt with FCC TCPA orders. If they say yes but can't name a single order or case, that's a flag.
For very small teams, a solo practitioner or boutique in advertising and marketing law often costs less than a larger firm and does compliance work just as well. Save the big firm for the moment you're actually in litigation.
Get a fixed-fee quote for defined deliverables (the audit, the template review) rather than open-ended hourly. Most competent TCPA counsel can price a scoped compliance review flat. A lawyer who won't quote a fixed fee for a clearly scoped project just told you something.
What should you have ready before the first counsel meeting?
Lawyers bill by the hour, so the more prepared you are, the less you pay for basic orientation. Bring a written one-page description of your outbound process: how you get leads, what consent language sits on your forms or landing pages, what phone or text platform you use, how you scrub against the do not call list, and what your call and text frequency looks like.
Also have this ready.
Samples of your actual consent language, exactly as a consumer sees it. Not what you think it says. The actual text on the actual form. Screenshots work fine.
A description of how you handle opt-outs and revocation of consent, because that's an area where a lot of teams are weaker than they think.
Any demand letters or cease-and-desist letters you've already gotten. Even if one came in and you ignored it, tell the lawyer.
Your list sources and whether you have documentation of how the original consent was captured, especially for purchased lists.
Write a two-page memo covering all of that before the call and a good attorney can read it in advance, then spend the meeting giving substantive feedback instead of asking you to explain your business. That alone can turn a $3,000 engagement into $1,500.
What should a one-time TCPA compliance audit actually cover?
A proper audit hits the three liability zones: consent, the do-not-call rules, and calling or texting restrictions.
Consent. The attorney should check whether your consent language meets the TCPA's "prior express written consent" standard for autodialed or prerecorded calls and texts to cell phones. [1] The FCC's one-to-one consent rule, effective January 2025 and born from a 2023 rulemaking, requires that consent name the specific seller and not be bundled into a comparison shopping form that pipes your number to dozens of buyers. [4] A lot of lead-gen setups that were routine in 2022 are now non-compliant.
DNC scrubbing. The audit should confirm you're registered with the National Do Not Call Registry, that you scrub at the required cadence (at least every 31 days for numbers you're actively calling), and that you have a written do-not-call policy as required by 47 C.F.R. § 64.1200(d). [6]
Technical restrictions. Are you calling cell phones with an autodialer? What counts as an ATDS has been contested since Facebook v. Duguid (2021), but the safe move is still to treat any predictive or click-to-dial system that touches cell numbers with TCPA discipline. [3] What time zone are you using for the 8am to 9pm calling window? How do you handle abandoned calls?
The output should be a written memo, not a verbal debrief. A memo becomes your documented due-diligence evidence if you ever need to show a court you tried to comply. That matters for the willfulness analysis on damages.
How do you handle a TCPA demand letter without spending a fortune?
The moment a demand letter from a plaintiff's attorney lands, do not ignore it and do not respond yourself. That's the single most expensive mistake small teams make. Ignoring it signals that a lawsuit is the only path left. Responding yourself, without counsel, can create admissions you can't take back.
Your immediate steps.
Preserve everything. A litigation hold means you stop deleting call logs, consent records, lead files, and CRM notes right away. Destroying records after notice is spoliation, and federal courts can sanction it with adverse inference instructions once litigation is reasonably anticipated. [11]
Get counsel within a week. Not a month. A week. Many demand letters carry response deadlines, and plaintiff's firms file fast when they hear nothing back.
Ask counsel to evaluate the underlying claim before you pick settlement or defense. Some demand letters come from serial filers targeting anyone they can reach. Others represent a real class. The analysis differs.
For a legitimate single-plaintiff demand, many cases settle for $3,000 to $15,000 before anything gets filed, especially with good consent records. Weak or missing documentation pushes that number up fast.
LeadCompliant's free consent record checker helps you audit whether your existing captures would hold up before counsel even gets involved, so you walk into that first attorney call knowing exactly how strong your position is.
Don't treat every demand letter as doomsday. Treat it as a signal to tighten your process, whether you settle or fight.
What can you do in-house versus what genuinely needs a lawyer?
A lot of TCPA risk management is operational, not legal. You don't need a lawyer to tell you to scrub against the National DNC Registry before every campaign. You don't need one to tell you to stop calling after 9pm local time. You don't need one to set up an opt-out log.
Here's an honest split.
Handle in-house: DNC scrubbing cadence, call time controls, opt-out processing, training your callers on what not to say, keeping consent records organized.
Get a lawyer to set up: your consent language on forms and landing pages, your written internal DNC policy (required by FCC rules), your contracts with lead vendors that allocate liability when their consent is bad, and your response to any legal threat.
Get a lawyer to review periodically: your consent workflow when you add a lead source or channel, any major change to your dialing technology, and any new FCC rulemaking that touches your use case.
The cold calling rules and text message marketing rules diverge enough that if you do both, you want counsel to address each separately. Teams get burned because they apply the wrong rule set. The B2B carveout, for instance, doesn't cover texts to cell phones the way it covers landline calls.
Realistic budget target for a small team: one legal engagement per year for a compliance refresh, plus ad hoc counsel when something changes or a threat arrives.
How do you structure an outside counsel relationship to keep costs predictable?
Unpredictable legal bills are a real problem for small teams. A few structures keep them under control.
Fixed-fee project work. Scope specific deliverables (consent form review, written DNC policy, audit memo) and get a flat price. This is the most predictable option and works well for defined tasks.
Small monthly advisory retainer. Some TCPA boutiques offer a $500 to $1,500/month retainer for a set number of hours and priority email. For a team actively running outbound, this can pay off, because you get fast answers without burning a big hourly budget on one question.
As-needed hourly with a cap. If you prefer hourly, ask for a monthly cap. The attorney bills hourly but agrees to warn you before you cross $X in a given month. It keeps you in the loop.
What doesn't work: a vague ongoing relationship where you email anytime with no agreed scope. That reliably produces bill shock.
One practical move. Ask your attorney to write a one-page internal playbook your team follows without calling counsel for routine decisions. What counts as an opt-out request? How long do you wait before calling an unresponsive lead again? What do you say when someone says "stop calling me"? A lawyer who builds that playbook once is worth more than one who answers the same question ten times at hourly rates.
What FCC rules and cases should you know before talking to counsel?
Walking into a consultation with the basic framework in your head saves you expensive orientation time. Here's what actually matters for a typical small outbound team.
47 U.S.C. § 227 is the statute. It bars autodialed or prerecorded calls and texts to cell phones without prior express consent, and it requires that calls to residential lines honor the National DNC Registry. [1]
Facebook v. Duguid (2021) is the Supreme Court case that narrowed what counts as an automatic telephone dialing system. The Court held that a qualifying system must "use a random or sequential number generator." [3] That doesn't make predictive dialers automatically safe, because the FCC still governs other calling restrictions, but it matters for the specific ATDS question.
The FCC's one-to-one consent rule, finalized in 2023 and effective January 2025, requires that written consent go to a specific seller, not to a website that redistributes leads. [4] If you buy leads from comparison shopping sites, this is the biggest recent development to raise with counsel.
The FCC's abandoned call rules under 47 C.F.R. § 64.1200(a)(7) cap you at abandoning no more than 3% of calls answered by a live person. [6] If you run a predictive dialer, your counsel should confirm your drop rate is tracked.
State mini-TCPA laws in Florida, Oklahoma, Washington, and a few others add restrictions the federal TCPA doesn't. A lawyer who knows where your leads live will flag state-specific issues. The do not call telemarketer list rules also vary somewhat by state.
Know this framework and your first meeting focuses on your situation, not on the basics.
How do you decide whether your TCPA risk actually warrants spending money on counsel?
Not every outbound team carries the same exposure. The honest answer: your risk depends on what you're doing and to whom.
Higher risk: autodialed or prerecorded calls or texts to cell phones, purchased lead lists where you can't document original consent, high volume (tens of thousands per month), and B2C markets full of consumers who know their rights (financial services, insurance, real estate, debt collection).
Lower risk: manual cold calls to business landlines, small volume, warm inbound leads who consented on your own form, minimal texting.
If you're in the higher-risk bucket and haven't had a compliance review in 18 months, $2,000 to $4,000 on an audit is almost certainly worth it. The expected-value math is simple: a 5% chance of a $50,000 demand letter carries an expected cost of $2,500 per year, and the audit costs less than that.
If you're lower risk, a one-time template review of your consent language (often $500 to $1,000) plus a careful read of the FCC's free published guidance may be enough to start. You can use LeadCompliant's free TCPA tools to check your current process against known requirements before you spend a dime on legal review.
One honest caveat: nobody can hand you a precise probability of getting sued. Professional plaintiff firms troll for violations algorithmically now, so even low-volume teams get hit. The math has shifted toward getting at least one professional review, even for small operations.
What does a realistic annual TCPA legal budget look like for a small team?
Here's a reasonable, not extravagant, budget for a B2C outbound team making, say, 10,000 to 50,000 calls or texts a month.
Year one: one compliance audit ($2,000 to $4,000) plus consent language and DNC policy drafting ($1,000 to $2,000). Total: $3,000 to $6,000.
Years two and three: an annual check-in to review FCC changes and update your consent forms if you added channels or lead sources ($500 to $1,500 per year), plus a small reserve ($2,000 to $3,000) for demand letter response if it comes.
Three-year total: roughly $8,000 to $15,000. That's for a team running a real process and getting professional review when it counts.
Compare that to one class action settlement. The Credit One TCPA settlement was reportedly around $12.5 million. Even a small pre-litigation settlement for a single plaintiff typically runs $5,000 to $25,000 once you count your own attorney fees. The numbers aren't close.
Teams overspend when they use counsel as a crutch for operational calls. Teams underspend when they assume the rules don't apply to them until a demand letter lands. The right answer sits between the two.
Frequently asked questions
Do I need a lawyer on retainer to run outbound calls compliantly?
No. A retainer makes sense if you run high-volume B2C calls or texts regularly and want fast access to advice. For most small teams, a one-time compliance audit and periodic check-ins are enough. The goal is a process that runs without constant legal input, not permanent dependency on outside counsel.
How much does a TCPA compliance audit from outside counsel typically cost?
Most boutique firms charge $1,500 to $5,000 for a written compliance audit covering consent, DNC scrubbing, and calling restrictions. Larger firms charge more. The output should be a written memo you keep as documented due diligence. Get a fixed-fee quote before you start, not an open-ended hourly engagement.
What's the first thing to do when you receive a TCPA demand letter?
Implement a litigation hold immediately (stop deleting call logs, consent records, lead files) and contact TCPA-specialized counsel within a week. Don't respond yourself and don't ignore it. Many single-plaintiff matters settle before litigation for $3,000 to $15,000 with decent consent documentation. Missing the response window or destroying records makes every option worse.
Can I use a general business attorney for TCPA matters to save money?
Technically yes, but it usually costs more in the end. A general business attorney spends billable time learning TCPA basics you pay for. Specialized counsel moves faster, charges less for the actual analysis, and knows circuit-specific case law. For a demand letter response or compliance audit, specialization is worth the search.
What's the difference between TCPA compliance review and TCPA litigation defense?
Compliance review is proactive: a lawyer examines your consent language, DNC process, and calling practices and tells you what to fix. Litigation defense is reactive: a lawyer responds to an actual lawsuit. Review costs hundreds or low thousands. Defense starts at tens of thousands and climbs fast. Spending on review to avoid defense is straightforwardly the better financial call.
Does the FCC's 2025 one-to-one consent rule affect how I should work with counsel?
Yes, and significantly. The rule, finalized in 2023 and effective January 2025, requires that consent name the specific seller rather than being bundled into a lead-gen form that shares your data with multiple buyers. If you buy leads from comparison sites, your counsel needs to review whether your consent chain now exposes you under the new standard.
What records should I keep to help my attorney defend a TCPA claim?
Keep original consent records (timestamped, with the exact language the consumer saw), lead source documentation, DNC scrub logs with dates, opt-out requests and how you handled them, and call logs. Courts look at these to assess willfulness, which decides whether damages are $500 or $1,500 per violation. The records that seem administrative are exactly what counsel needs in a defense.
How do I find a TCPA attorney who won't overcharge a small business?
Look for boutique firms or solo practitioners in advertising, marketing, or telecom law rather than large litigation shops. Ask for fixed-fee quotes on scoped work. Check whether they've handled TCPA matters in the last two years and can name relevant FCC orders. State bar referral services and Martindale-Hubbell are reasonable starting points for finding specialists.
What TCPA compliance tasks can my team handle without a lawyer?
DNC scrubbing cadence, call time enforcement (8am to 9pm local), opt-out processing, caller training, and maintaining consent records are all operational tasks. What needs a lawyer: drafting consent language, the written internal DNC policy required by FCC rules, vendor contracts that allocate liability for bad consent, and any response to a legal threat or demand letter.
Is there free TCPA guidance I can use before paying for legal review?
Yes. The FCC publishes its rules and orders at fcc.gov. The statute itself, 47 U.S.C. § 227, is public. The FTC maintains National DNC Registry guidance at donotcall.gov. These primary sources are free and accurate. Reading them before your first attorney call cuts the time you spend on basics and shrinks your legal bill.
How often should a small outbound team update its TCPA compliance review?
At minimum once a year, or whenever you make a significant change: a new lead source, a new channel (adding SMS when you were voice-only), a new dialing platform, or a major FCC rulemaking. The one-to-one consent rule in 2025 is an example of a change that required immediate review for any team buying third-party leads.
What does a TCPA class action actually cost a defendant company?
Settlement amounts vary widely, but reported cases show the scale. The Cash App TCPA class action settlement ran into tens of millions. Credit One's settlement landed in similar territory. Pre-class single-plaintiff settlements are smaller, often $5,000 to $25,000 including your own defense costs, but even that exceeds a full year's proactive compliance spend for most small teams.
Should I worry about state-level mini-TCPA laws in addition to federal rules?
Yes, especially if you call into Florida, Oklahoma, or Washington. Florida's FTSA, for example, has been read to impose per-call damages even for manual calls under certain conditions, and it has generated heavy litigation. Your outside counsel should know where your leads are located and flag state restrictions that exceed the federal TCPA standard.
Sources
- U.S. Government, 47 U.S.C. § 227 (TCPA statute text via Cornell LII): The TCPA provides a private right of action with statutory damages of $500 per violation and up to $1,500 for willful violations
- Clio, Legal Trends Report (attorney billing rates by practice area): Attorney hourly rates in the U.S. vary widely; specialty telecom and privacy counsel typically ranges $250 to $900/hour depending on firm size
- Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held in Facebook v. Duguid (2021) that an ATDS must use a random or sequential number generator, narrowing the definition
- FTC, National Do Not Call Registry (donotcall.gov): Telemarketers must register with and scrub against the National DNC Registry; the FTC administers the registry, and FCC rules require scrubbing at least every 31 days
- ACA International v. FCC, 885 F.3d 687 (D.C. Cir. 2018) via Justia: The D.C. Circuit vacated parts of the FCC's 2015 TCPA order, including its expansive ATDS definition, creating ongoing litigation uncertainty about autodialer scope
- Martindale-Hubbell, Attorney Directory (practice area search): Martindale-Hubbell allows filtering attorney search by telecom and advertising law practice areas to identify TCPA-specialized counsel
- National Association of Consumer Advocates, Member Directory: NACA publishes a directory of plaintiff consumer protection attorneys, useful for identifying active TCPA plaintiff firms and by inference experienced defense counsel
- U.S. Courts, Federal Rules of Civil Procedure (Rule 37(e), spoliation and preservation): Federal courts may impose sanctions including adverse inference instructions for failure to preserve electronically stored information once litigation is reasonably anticipated