Last updated 2026-07-09

TL;DR
Small outbound teams most often trigger TCPA class actions by calling cell phones without written consent, texting after a single opt-out, ignoring reassigned numbers, and skipping the National DNC scrub. Each violation costs $500 to $1,500 per call or text, and a class multiplies that across thousands of contacts. Nearly all of it is preventable with a documented consent and scrubbing process.
What actually triggers a TCPA class action against a small team?
Most TCPA defendants never set out to break the law. They ran outbound without a written compliance process, and the statute doesn't care about intent.
The Telephone Consumer Protection Act, 47 U.S.C. § 227, prohibits using an automatic telephone dialing system (ATDS) or prerecorded voice to call or text a cell phone without prior express written consent [1]. That phrase "automatic telephone dialing system" is where small teams trip. If your dialer or SMS platform queues and sends messages without a human manually starting each one, there's a real argument it qualifies as an ATDS under the statute's broad language, even after the Supreme Court narrowed things in Facebook, Inc. v. Duguid (2021).
Class actions work because TCPA damages are statutory, not actual. A plaintiff doesn't have to prove harm beyond receiving the call or text. At $500 per negligent violation and $1,500 per knowing or willful violation [2], a list of 5,000 contacts becomes a potential $7.5 million exposure before anyone argues treble damages. That math is why plaintiffs' attorneys hunt for small teams running messy lists.
The nine triggers below show up most often in complaints filed against companies with under 50 employees. Big enterprises have compliance departments that catch these. Small teams usually don't.
Does using a power dialer or SMS platform automatically make you liable?
Not automatically, but it raises the risk a lot and puts the burden on you to prove consent.
In Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), the Supreme Court held that an ATDS must "use a random or sequential number generator" to store or produce numbers [3]. That narrowed the definition. Some platforms that dial only from a fixed uploaded list can now argue they aren't an ATDS. The problem: many modern sales dialers use algorithms to sequence calls, and the FCC has signaled it may revisit the ATDS definition in future rulemaking.
Here's the practical part. Even if your dialer dodges the ATDS label, prerecorded or artificial voice messages to cell phones still require prior express written consent no matter how the number was dialed [1]. And the National DNC Registry rules apply to all telemarketing calls, ATDS or not [4]. So the dialer question matters. It's not a get-out-of-jail-free card.
If you run cold calling campaigns with any automation, document exactly how your platform works and get that documentation from your vendor in writing. Courts have held that not knowing how a third-party platform functions isn't a defense.
What is prior express written consent and how do you prove you have it?
This is the most misunderstood requirement, and it's where most small-team class actions actually start.
The FCC's 2012 order (FCC 12-21) requires that prior express written consent for autodialed or prerecorded telemarketing calls to cell phones include three things: a clear and conspicuous disclosure that the consumer authorizes telemarketing calls or texts by ATDS or prerecorded voice, the specific telephone number consent applies to, and an explicit statement that consent is not a condition of purchase [5]. Verbal consent doesn't meet this standard for telemarketing calls. A checkbox buried in terms of service that never mentions autodialed calls probably doesn't either.
The burden of proof sits on the caller, not the consumer. If you can't produce a timestamped record showing what language the consumer agreed to, when, and from what IP address or signed document, you effectively have no consent in a courtroom. "They gave us their number on a lead form" is not proof of prior express written consent under the TCPA.
The usual documentation failures: lead forms that capture phone numbers but skip the required TCPA disclosure, purchased lists where the original consent language is gone or vague, and CRM records that store only the number, never the consent artifact. Keep consent records for at least four years, which matches the TCPA's statute of limitations.
For how text message marketing consent works for SMS specifically, the consent standard is the same. The paper trail issues differ a little.
How do reassigned numbers create TCPA liability you never saw coming?
This one surprises people. You had consent from the original number holder. You're calling that number in good faith. Except the person who picks up is someone else entirely, and they never gave you anything.
Phone numbers get reassigned constantly. The FCC estimated in 2018 that roughly 35 million numbers are reassigned in the United States each year [6]. A consumer who registered consent six months ago may have switched carriers and passed their old number to a stranger.
The FCC's answer is the Reassigned Numbers Database (RND), which launched in 2021. Carriers report disconnected numbers, and callers can query the database before dialing to see whether a number has been permanently disconnected and possibly reassigned since they last had valid consent [6]. Call a reassigned number and the FCC's safe harbor evaporates.
Small teams rarely use the RND. Most don't know it exists. Plaintiffs' attorneys do, and they use it to show your team was on notice that a number could have been reassigned.
The fix is simple. Query the RND as part of your pre-dial scrub, run it alongside your National DNC scrub, and log the query date in your CRM. It's cheap, and it's a real safe harbor under FCC rules [6].
What are the National DNC Registry scrubbing mistakes that invite lawsuits?
Failing to scrub the National Do Not Call Registry before each campaign is the most documented violation in FTC enforcement and a frequent trigger in private TCPA suits.
The rules require telemarketers to scrub call lists against the National DNC Registry at least every 31 days [4]. Not once. Not when you build the list. Every 31 days. A number you legally called on day one may register with the DNC on day 15, and if you call it again on day 45 without a fresh scrub, that's a violation.
Small teams also miss the split between the federal DNC list and state DNC lists. Several states, including Texas, Indiana, and Colorado, run their own registries with extra requirements. Texas, for example, has its own registration and enforcement process on top of federal calling rules [7].
For the mechanics of accessing and scrubbing the federal list, how do I get the do not call list walks through the subscription and SAN process. One thing teams miss: subscribing doesn't scrub anything for you. You have to actively apply the suppression file to your dialing list before each campaign.
Another missed requirement. You need a company-specific internal DNC list, and you must honor opt-out requests within 30 days, even when the consumer's number isn't on the national registry [4]. Every team needs a process to capture "don't call me" requests from any channel (voicemail, email, in-person) and apply them before the next dial cycle.
How does a single opt-out text you ignored become a class action?
One text. That's all it takes to start the clock.
Once a consumer opts out of SMS marketing by replying STOP, QUIT, CANCEL, UNSUBSCRIBE, or END, you have to honor that request immediately and permanently [8]. The CTIA Messaging Principles and the FCC's rules both treat any later marketing text to that number as a violation, no matter whether the consumer contacts you through a different channel or agrees to something else.
The class mechanism works like this. A plaintiff gets a marketing text after opting out. Their attorney subpoenas your SMS platform's send logs. If those logs show your platform sent post-opt-out messages to other numbers too, every one of those contacts is a potential class member. A list of 2,000 people who got a text after opting out is a $3 million case at $1,500 per knowing violation.
The failure mode for small teams is usually technical: the opt-out landed in the SMS platform, but the CRM or the dialer that feeds the SMS platform never got the suppression update before the next send. If your outbound tools don't share a suppression list in real time, you have a gap.
Building one unified suppression list that every outbound channel reads before sending isn't complicated. It just needs someone to own it. In most small teams, nobody does.
What are the calling time restrictions and how do violations escalate into lawsuits?
Federal rules ban telemarketing calls before 8 a.m. and after 9 p.m. in the consumer's local time zone [4]. Not your time zone. Theirs.
This sounds easy until your team sits in California and your list includes New York. A 5:30 p.m. call from San Francisco lands at 8:30 p.m. Eastern, which is fine. A 6:15 p.m. Pacific call lands at 9:15 p.m. Eastern, which is a violation. Time zone logic errors in CRMs and dialers that default to the company's local time are common, and they go unnoticed until someone files a complaint.
Time window violations rarely anchor a class action alone because they don't scale the way consent failures do. But they show up as extra counts alongside a primary ATDS or DNC claim, and that matters at settlement time because each count adds to the plaintiff's negotiating position.
Some state laws run stricter than federal rules. Florida's amended Telephone Solicitation Act under SB 1120 (2021) puts extra restrictions on certain automated calls and texts [9]. Check the law for every state you call into, not only where you're headquartered.
Does the established business relationship (EBR) exemption actually protect you?
Less than most small teams assume, and only for specific call types.
The EBR exemption under the TCPA allows certain calls to consumers who have had a prior business relationship with your company, even if they're on the National DNC Registry. But the exemption only covers calls made by live agents using manual dialers. It does not cover autodialed calls or prerecorded messages to cell phones [1]. If your team calls a prior customer via an ATDS and that customer is on the DNC, the EBR does nothing for you.
The EBR also expires. For transactions, the relationship ends 18 months after the last purchase. For inquiries, it ends 3 months after the inquiry [4]. Calling a customer from three years ago and assuming the EBR still holds is a common and costly mistake.
Consumers can also kill the EBR at any time by asking not to be called, even before the 18-month window closes. Once they say stop, the EBR is gone for that number. Your internal DNC list captures these, and the 30-day honor window applies here too.
If you're using EBR as a consent substitute for autodialed calls, that's a serious gap. The exemption simply doesn't cover that.
How do purchased lead lists create vicarious liability even when the vendor says they're compliant?
"Our list vendor guarantees TCPA compliance" is one of the most common defenses in TCPA cases. Courts don't buy it.
The FCC's 2013 Declaratory Ruling (FCC 13-54) established that a seller can be held vicariously liable for TCPA violations committed by its lead generators or third-party vendors under federal common law agency principles [10]. If your vendor collected consent through a deceptive form or vague language that fails the FCC's prior express written consent standard, you're exposed even when you had no idea.
The FTC and FCC have both flagged the "consent farm" problem, where consumers see a page with dozens of brand logos and a single checkbox claiming to grant consent to all of them [5]. Courts have found that blanket consent fails the prior express written consent standard because it never discloses which specific companies may call and for what purpose.
When you buy a lead list, request and read the actual consent form language the consumer saw. If the vendor won't provide it, that's your answer. If the language doesn't specifically disclose autodialed or prerecorded calls and name your company (or at least your product category), treat it as unconsented.
For cold call lists bought from third parties, running them through your own scrub instead of trusting the vendor's scrub is the only defensible move.
What do real TCPA class action settlements against small companies look like?
Two settlements show the pattern for small and mid-size defendants.
The Cash App TCPA class action settlement produced a large payout over text messages sent after opt-outs, a textbook example of the suppression list gap described earlier.
The Credit One TCPA settlement came from autodialed calls to cell phones, where consent records couldn't match the volume of calls made. Credit One paid $75 million to settle. Credit One is no small company, but the underlying violation (calling numbers without enough documented consent, at scale) is identical to what small teams do every day.
For small defendants, settlements tend to run between $500,000 and $5 million depending on list size and violation type. Legal defense alone, even for a case that settles well, commonly runs $150,000 to $400,000. Most small teams can't absorb that without real operational damage.
The table in this article shows how liability multiplies by list size. That's the fastest way to see why the plaintiff's bar targets outbound teams of any size.
How do you build a basic compliance process that prevents these triggers?
You don't need a compliance department. You need four things: a written consent collection process, a unified suppression list, a pre-dial scrub workflow, and a documented audit trail.
Written consent collection means every form, landing page, or enrollment point that captures a phone number carries the required TCPA disclosure with explicit mention of autodialed calls or texts, and stores a timestamped record of what the consumer agreed to.
A unified suppression list means opt-outs from every channel (SMS replies, verbal requests captured by agents, email unsubscribes, DNC registry matches) flow into one file that all outbound tools read before sending. This is the single most common gap in small team setups.
A pre-dial scrub workflow means your list runs through the National DNC scrub (every 31 days), relevant state DNC lists, the Reassigned Numbers Database, and your internal suppression list before any campaign touches a dial button. Log the date and version of each scrub.
An audit trail means you can produce, on demand, a timestamped consent record for any phone number in your active calling list. If you can't do that today, that's where to start.
LeadCompliant's free compliance kit includes consent language templates and a pre-dial scrub checklist you can adapt to your own stack without hiring a lawyer for every step. That said, this article and the kit are reference tools, not legal advice. For any active compliance concern, talk to a TCPA-experienced attorney.
The do not call list and mobile phone do not call list resources cover the registry subscription steps in detail.
What should a small team do immediately after receiving a TCPA demand letter?
Stop all outbound to the claimant's number right away. Document everything you do from that moment forward.
Don't answer the demand letter yourself. TCPA demand letters are often the opening move in a shakedown by professional plaintiffs who send dozens a month. They're also the opening move in legitimate class actions. You can't tell which you're facing without counsel.
Preserve every record tied to how you got the claimant's number, what consent language they saw, your scrub logs, and any call or text records. Do this before you talk to anyone. Courts take spoliation seriously, and deleting records after a demand, even by accident, can turn a defensible case into a bad one.
Get a TCPA-experienced attorney on the phone before you respond. This is not a general commercial litigator situation. TCPA practice is specialized enough that an attorney unfamiliar with the statute can cost you more than they save in the first week.
Many demand letters settle for $1,500 to $5,000 per individual plaintiff when the violation is real and isolated. Once a class is certified, the math changes completely. Early assessment of your exposure (how many contacts got the same message under the same conditions) is the most important thing your attorney will help you do.
Frequently asked questions
Can a small business really face a class action over a few hundred calls?
Yes. Class certification turns on whether the violation is common to a group, not on how many calls you made. If your dialer sent the same unconsented message to 500 contacts, every one of those people is a potential class member. At $1,500 per knowing violation under 47 U.S.C. § 227, that's $750,000 in potential statutory damages before legal fees, exactly the size of case plaintiffs' firms pursue against small teams.
Does the TCPA apply to B2B calls?
The TCPA applies to the phone number being called, not to whether the call is commercial or B2B. If you're calling a person's cell phone for telemarketing, the cell phone protections apply even in a business context. Calls to a business's dedicated landline get different (and generally lighter) treatment, but most B2B contacts today use cell phones, which puts you squarely under the full consent requirements.
What is the statute of limitations for a TCPA claim?
Four years. A consumer can sue you in 2028 for calls made in 2024. That's why you keep consent records and scrub logs for at least four years. In practice, plaintiffs' attorneys usually file within one to two years of the violation because evidence is fresher and the conduct is easier to document, but the four-year window under 28 U.S.C. § 1658 gives them a long runway.
If I get verbal consent on a recorded call, is that enough?
For autodialed or prerecorded telemarketing calls to cell phones, no. The FCC's 2012 order (FCC 12-21) requires written consent that meets specific disclosure standards. A recorded verbal "yes" can satisfy consent for some non-telemarketing informational calls, but for marketing calls you need written consent: a signed form, a checked box on a web form, or a text message exchange that clearly meets the disclosure standard.
Does texting someone who texted me first count as consent?
Texting you first does not constitute prior express written consent for marketing messages under the TCPA. The inbound text establishes contact, but to send autodialed marketing texts back you need explicit written agreement that meets FCC standards, including disclosure that they'll get marketing messages via automated technology. Answering a consumer inquiry with product info once may fall under different rules, but a recurring campaign requires proper written consent.
What does the Reassigned Numbers Database actually do and how do I access it?
The Reassigned Numbers Database (RND), maintained by SOMOS under FCC mandate, lets callers check whether a phone number has been permanently disconnected and possibly reassigned since they last obtained consent. You query it before dialing. If a number shows a disconnect date after your consent date, your consent is invalid for that number. Access requires registration at reassignednumbers.us. The FCC's safe harbor applies when callers query the database before dialing.
Can I rely on a lead vendor's guarantee that numbers are TCPA-compliant?
No. The FCC's 2013 Declaratory Ruling (FCC 13-54) makes sellers vicariously liable for violations by their lead generators under agency principles. If the consent your vendor collected doesn't meet TCPA standards, you're exposed. You need to review the actual consent language consumers saw and confirm it meets FCC requirements. Contractual indemnification from your vendor helps at settlement time but does not prevent the lawsuit or erase your liability to the plaintiff.
How quickly do I have to honor an opt-out request?
For SMS, opt-out replies must be honored immediately and permanently. For calls, the FTC's Do Not Call rules require adding a consumer to your internal DNC list within 30 days of the request and never calling again after that. The 30-day window is a processing allowance, not a grace period to squeeze in more calls. The cleaner approach is to suppress on the day of the request and use the 30 days only for administrative sync across systems.
Are there TCPA safe harbors for small businesses?
There are limited safe harbors. The EBR exemption covers live-agent calls to prior customers within 18 months of a transaction, as long as the consumer hasn't asked to be placed on your internal DNC list. The Reassigned Numbers Database safe harbor protects a call to a reassigned number if you queried the database before dialing. There is no small business exemption from TCPA liability based on company size or revenue.
What's the difference between a TCPA violation and an FTC DNC violation?
The TCPA (47 U.S.C. § 227) is enforced by the FCC and allows private lawsuits with statutory damages of $500 to $1,500 per violation. The FTC's Telemarketing Sales Rule, which governs the National DNC Registry, is enforced by the FTC with civil penalties up to $51,744 per violation as of 2024 but does not create a private right of action on its own. Many campaigns trigger both at once, and several states have their own mini-TCPA statutes with independent enforcement.
How do state laws change TCPA compliance obligations?
State laws layer on top of federal TCPA requirements and often run stricter. Florida's SB 1120 (2021) effectively bans robocalls and texts to Florida consumers by any platform that uses a list or sequence, regardless of the federal ATDS definition. Texas, Indiana, and Colorado have state DNC registries. California's privacy law adds consent requirements of its own. Compliance teams must check state law for every state in their calling footprint, not only their home state.
What records should I keep to defend a TCPA lawsuit?
At minimum: timestamped consent records for every number in your active list (including the form language the consumer saw), DNC scrub logs with scrub dates and registry version, Reassigned Numbers Database query records, opt-out request logs with dates and action taken, and call/text records showing timing, content, and platform used. Store all of it for four years. A well-documented compliance process often means early dismissal or a favorable settlement before class certification.
Do nonprofit or political calls have TCPA exemptions?
Partially. Nonprofit fundraising calls and political campaign calls are exempt from the National DNC Registry requirements and from some consent requirements for live-agent calls. But even exempt organizations cannot make autodialed or prerecorded calls to cell phones without prior express consent under the TCPA's cell phone protections. The exemptions are narrower than most nonprofits and campaigns assume, and the cell phone consent rules apply broadly.
Sources
- U.S. Government, 47 U.S.C. § 227, Telephone Consumer Protection Act (Cornell Legal Information Institute): The TCPA prohibits using an ATDS or prerecorded voice to call or text a cell phone without prior express written consent for telemarketing purposes; damages are $500 per violation, $1,500 for willful violations
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held that an ATDS must use a random or sequential number generator to produce or store numbers, narrowing the definition
- Federal Trade Commission, Telemarketing Sales Rule (16 C.F.R. Part 310): Telemarketers must scrub against the National DNC Registry every 31 days; calling time restrictions are 8 a.m. to 9 p.m. local time; internal DNC requests must be honored within 30 days; EBR expires 18 months after last transaction and 3 months after inquiry
- Reassigned Numbers Database (administered under FCC mandate): The FCC estimated approximately 35 million numbers are reassigned annually; the Reassigned Numbers Database launched in 2021 and provides a safe harbor for callers who query it before dialing
- Texas Office of the Attorney General, Consumer Protection Division: Texas operates its own state telemarketing regulation and enforcement process in addition to federal calling rules
- Florida Legislature, SB 1120 (2021 Florida Telephone Solicitation Act amendments): Florida SB 1120 (2021) imposes additional restrictions on automated calls and texts to Florida consumers beyond federal TCPA requirements
- Federal Trade Commission, National Do Not Call Registry: The National Do Not Call Registry is the federal database telemarketers must scrub against; registration and scrubbing process details are provided for both consumers and businesses
- Federal Trade Commission, Legal Library (civil penalty amount adjustments, 2024): FTC civil penalties for Telemarketing Sales Rule violations are up to $51,744 per violation as of 2024