TCPA defense strategies that actually work for small businesses

Facing a TCPA lawsuit? Learn the defenses that courts actually accept, what evidence to gather now, and how small teams cut their exposure. Real cases cited.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-11

Small business owner reviewing legal compliance documents at a wooden desk in warm office light
Small business owner reviewing legal compliance documents at a wooden desk in warm office light

TL;DR

The TCPA allows statutory damages of $500 to $1,500 per call or text, so even a small campaign can balloon into a six-figure lawsuit. The defenses that hold up: prior express written consent you can prove, the established business relationship exception for certain calls, DNC Registry scrubbing, and challenging whether the equipment was an ATDS. Build the paper trail before you dial.

What does TCPA exposure actually look like for a small business?

Most founders don't take the TCPA seriously until a demand letter lands in the inbox. Then the math hits hard.

Under 47 U.S.C. § 227(b)(3), a plaintiff can recover $500 per violation and up to $1,500 if the court finds the violation was willful. [1] There is no cap on the number of violations in a single case, and class actions aggregate individual claims. Each call or text counts as its own violation. That's the detail that turns a routine campaign into a catastrophe.

Here's what that means in practice. Say your team sent a 10,000-message SMS blast without proper consent documentation. At the baseline $500 rate, that's $5 million in statutory exposure before a single hour of attorney fees. Courts have certified TCPA classes against companies far smaller than yours. The cash app tcpa class action settlement and the credit one tcpa settlement both show that even well-resourced companies pay real money.

Small businesses get targeted for a reason. Plaintiffs' attorneys know you'll settle fast to avoid litigation costs. A $30,000 to $60,000 demand looks rational next to the cost of defending a federal suit. That's the business model. Understanding it is step one in building a defense posture that makes you the harder target.

What are the main TCPA defenses courts actually accept?

Not every TCPA defense is worth arguing. Some sound good in a conference room and lose consistently in court. Here are the ones with real traction.

Prior express written consent. This is the strongest defense and the one to build your entire program around. Under 47 U.S.C. § 227(b)(1)(A), calls and texts to cell phones using an automatic telephone dialing system require prior express consent. For telemarketing, the FCC's 2012 rule tightened this to require written consent that specifically authorizes marketing contact. [2] A signed opt-in form, a recorded check-box on a web lead form, or a documented inbound inquiry works, so long as you can produce it in discovery. The phrase "can produce" is doing a lot of work in that sentence.

Not an ATDS. The statute only covers calls made using an automatic telephone dialing system, defined in § 227(a)(1) as equipment with the capacity to store or produce telephone numbers using a random or sequential number generator and to dial them. [1] After the Supreme Court's 2021 decision in Facebook v. Duguid, the definition narrowed: a system has to actually use a random or sequential number generator to qualify, not merely have the theoretical capacity. [3] If your team manually dials from a CRM or uses a click-to-call tool that needs a human to start each call, you have a credible argument that no ATDS was involved.

Established business relationship (EBR). For calls to residential landlines, the FCC recognizes an EBR exemption if the consumer bought from you or made an inquiry within specific windows: 18 months after a transaction, or 3 months after an inquiry. [2] This exemption doesn't extend to cell phone marketing calls under the ATDS rules, so don't overcount it.

DNC scrubbing compliance. Show you properly scrubbed your list against the National Do Not Call Registry before calling, and you have a defense for registry-based claims. The FTC requires scrubbing no more than 31 days before a call. [4] See the do not call list article for scrubbing mechanics.

Safe harbor. 47 U.S.C. § 227(c)(5) gives a safe harbor to companies with written DNC procedures, trained personnel, and prompt opt-out handling. It won't get you out of a consent claim, but it knocks down the willfulness findings that trigger the $1,500 treble tier.

What evidence do you need to survive a TCPA lawsuit?

This is where small businesses lose over and over. The defense exists in the abstract. The evidence doesn't exist in the filing cabinet.

Consent records are the most important thing you own. For each campaign, keep: the exact opt-in language the consumer saw at the moment of consent, the date and timestamp, the IP address or form submission record, and the URL of the page where consent was collected. Courts have dismissed TCPA claims when defendants produced this level of documentation. They've found for plaintiffs when defendants said "we had consent" and couldn't produce a thing. [5]

Call and text logs matter too. You need records showing what number was contacted, when, from what system, and which campaign it belonged to. Your carrier or SMS platform retains these. Pull them and keep a copy outside the platform.

For the ATDS defense, document how your dialing technology actually works. Get a technical spec or written description from your vendor. If the system needs a human to click before each call, capture that workflow. This is exactly the fact-specific argument Facebook v. Duguid opened up.

Revocation records are underappreciated. If a consumer says they opted out and you kept calling, that's a separate violation and evidence of willfulness. Every opt-out request, by text reply, web form, or phone, needs a timestamp and confirmation the number was suppressed. Honor opt-outs within 10 business days for DNC purposes. For text campaigns, most practitioners suppress same-day.

Organize all of this before litigation starts. Once a demand letter arrives, litigation hold rules apply and you cannot delete anything. If you haven't built these records yet, start now.

TCPA damages at a glance Statutory per-violation amounts under 47 U.S.C. § 227(b)(3) and class action settlement benchmarks $500 Base TCPA violation (per call/text) $1,500 Willful TCPA violation (per call/text) $76M Capital One class settlement (2014, millions) $40M Charter Communications sett… millions) Source: 47 U.S.C. § 227; FCC Enforcement Bureau, 2014-2020

How does the Facebook v. Duguid ruling change your defense options?

Facebook, Inc. v. Duguid (2021) is the most useful Supreme Court decision for TCPA defendants in years. [3]

Before Duguid, courts split on whether "capacity" to generate random numbers was enough to make a dialing system an ATDS, even if it never used that capacity. The Ninth Circuit took the broad view, which made almost any automated system vulnerable. The Supreme Court reversed unanimously. The statute requires that the equipment actually use a random or sequential number generator to store or produce telephone numbers. The Court put it plainly: to qualify as an ATDS, "a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator." A system that dials from a stored list of specific numbers, without generating them randomly, is not an ATDS under the federal definition.

For small businesses running a CRM with click-to-call, a sales engagement platform that dials from a fixed lead list, or even a predictive dialer working through pre-loaded contacts, Duguid created genuine room to argue the ATDS element isn't met.

Two caveats matter. First, this is a federal statutory definition. Some states, California under CIPA and Washington under its own rules, use broader definitions of automated dialing that don't track the federal ATDS standard. [6] Second, even if you win the ATDS argument, a plaintiff may still have a DNC Registry claim if you called a registered number without consent, because DNC claims under § 227(c) don't require an ATDS.

Duguid narrows one avenue of attack, not all of them. Use it as one layer, not the whole wall.

Yes, when it's real and documented. Courts have consistently dismissed TCPA claims once defendants produce clean consent records.

The FCC's 2012 TCPA order defined prior express written consent for telemarketing calls to cell phones as "an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice." [2] Electronic signatures and web-form check-boxes satisfy the writing requirement under the E-SIGN Act. [11]

The common failure mode: consent buried in terms of service. Courts have found that consent hidden in fine print, without a clear disclosure that the consumer is authorizing marketing calls or texts, doesn't meet the FCC standard. The disclosure has to be clear, conspicuous, and specific to the purpose. A consumer agreeing to your terms of service is not the same as a consumer explicitly authorizing you to send them promotional SMS.

Another failure mode: consent obtained by a third party. If you bought a lead list and the form said the consumer agreed to receive calls from "our partners," you're on uncertain ground. The FCC has moved against lead generator consent schemes where the authorization was too vague to cover the specific caller. [7] If you rely on third-party consent, audit the exact opt-in language at the source and make sure your company is named or falls within a clearly defined category.

For text message marketing specifically, the written consent standard applies to every promotional message, not only the first one.

What is the DNC safe harbor and how do you qualify for it?

Under 47 U.S.C. § 227(c)(5), a company can't be held liable for a DNC violation if it shows the violation happened despite written procedures in place, trained personnel, and a scrub of its lists against the National DNC Registry within 31 days before the call. [1] [4]

The safe harbor is not automatic. You have to affirmatively prove all three elements. A one-page policy nobody reads doesn't count. Training logs, dated scrub records, and a documented suppression process all matter.

Here's what a defensible DNC program looks like for a small team: a written policy (even one page) that describes your scrubbing process and opt-out handling, a sales manager who can show they walked the team through it, and evidence of actual scrubs against the registry inside the 31-day window before each campaign.

Scrubbing against the national registry only covers part of the obligation. You also need an internal DNC list for consumers who asked your company specifically to stop calling, separate from the national registry. Ignoring those company-specific opt-outs is an independent violation. [4]

For more detail on accessing the registry and scrubbing correctly, see how do i get the do not call list and do not call telemarketer list.

How should a small business respond when it receives a TCPA demand letter?

Don't panic, and don't ignore it. A demand letter is not a lawsuit. It's usually the opening bid in a negotiation, and how you respond in the first 30 days shapes everything after.

Four immediate steps.

First, issue a litigation hold internally. Preserve all call logs, consent records, opt-out logs, campaign records, and platform exports. Delete nothing. If you fail to preserve relevant records and a lawsuit follows, you risk spoliation sanctions worse than the underlying claim.

Second, pull the actual records for the specific numbers named in the demand. Do you have consent documentation? Can you show the numbers were scrubbed? What system made the calls? Answering these honestly tells you whether you have a strong defense or a case you should settle.

Third, get a TCPA defense attorney. This is not the place to go it alone or hire a general small business lawyer who has never seen a TCPA complaint. The plaintiffs' bar is specialized. You need someone who is too. Ask prospective attorneys how many TCPA defense matters they've handled in the past two years.

Fourth, make no admission in your response to the letter. Even a well-meaning email that says "we may have made a mistake" can become an exhibit. Have your attorney handle all communications.

On settlement: if your records are weak, settling early is usually cheaper than defending. If your records are strong, a short, firm response from counsel walking through your documentation often sends serial filers off to an easier target. That's the honest calculus.

What proactive steps cut TCPA lawsuit risk before a claim arrives?

The best TCPA defense is the one you never have to use. These steps matter most.

Consent at the point of lead capture. Every web form feeding your outbound pipeline should carry a clear, specific disclosure that the consumer agrees to receive calls or texts from your company, using an ATDS, for marketing purposes. Checkbox, not pre-checked. Your specific company name, not vague "partners" language. Save the form screenshot and the submission record.

Scrub before every campaign. Pull a fresh list from the National DNC Registry (you subscribe through the FTC's access portal) no more than 31 days before launch. [4] Layer your own internal suppression list on top. Document the scrub date.

Audit your dialing technology. Know exactly what your platform does. Get vendor documentation on whether the system uses random or sequential number generation. If it doesn't (you're calling from a static list with human initiation), preserve that documentation as ATDS defense evidence.

Train your team. Two or three times a year. Keep a sign-in sheet or training log. It's one of the three elements of the DNC safe harbor and evidence of good faith if you ever face a willfulness argument.

Honor opt-outs immediately. Same day for texts, within 10 business days for DNC purposes. Add the number to your internal suppression list before the next campaign runs, not after.

Vet your lead vendors. Ask for the opt-in language and audit it. If a vendor can't tell you exactly what disclosure the consumer saw, that list is a liability. Most small teams skip this step because vetting is inconvenient. It's also one of the most common sources of TCPA exposure.

LeadCompliant's free compliance kit includes consent language templates and a scrubbing checklist sized for small teams. Use it as a starting point, then have a TCPA attorney review your specific setup.

For teams just starting to think through cold calling compliance, the cold calling and cold call reference articles cover the framework.

Do state laws create additional exposure beyond the federal TCPA?

Yes, and this catches small businesses off guard regularly.

California's Invasion of Privacy Act (CIPA) and the California Consumer Privacy Act (CCPA) can create parallel claims for the same conduct. Florida's Telephone Solicitation Act (FTSA), updated in 2021, carries its own per-call damages and a broader definition of an auto-dialer than the post-Duguid federal standard. [6] Washington State runs similarly broad rules.

The practical risk: a plaintiff in California or Florida may bring both a TCPA claim and a state law claim for the same call or text. Win the ATDS argument under Duguid on the federal claim, and you may still face liability under the state statute with its different definition.

Small businesses that operate nationally need to map their state-specific exposure, not assume the federal TCPA covers the whole picture. At a minimum, know the rules in every state where your leads concentrate. If a large share of your leads are California or Florida residents, you need state-specific counsel review.

Some states also run their own DNC registries (Indiana, Texas, Wyoming, and others) alongside the national list. Calling a number on a state registry, even after scrubbing the federal list, creates independent liability under state law. See mobile phone do not call list for a breakdown of state registry obligations.

What do real TCPA settlements and judgments tell us about defense outcomes?

Actual outcomes give you a more realistic picture than the statute alone.

Large-company settlements grab the headlines: $76 million (Capital One, 2014), $56 million (DirecTV, 2017), $40 million (Charter Communications, 2020). [8] These are class actions involving millions of calls. Small businesses rarely face class certification, but serial individual plaintiffs are a separate and very real problem.

Serial plaintiffs (sometimes called "professional plaintiffs") file multiple TCPA claims each year, usually targeting companies with weak consent documentation. Courts have occasionally limited their claims when the conduct looks abusive, but the TCPA's private right of action is broad and requires no proof of actual harm. A plaintiff who never even answered your call can still sue.

Cases where defendants win tend to share a few features: clean consent records, documented scrubbing, an ATDS argument backed by technical documentation, and early, credible presentation of that evidence to opposing counsel. Cases where defendants lose or pay big settlements share the opposite: no consent records, no training documentation, calls that continued after opt-out requests, and third-party lead lists with questionable consent provenance.

The credit one tcpa settlement shows what poor consent documentation costs even a company with resources. Small businesses don't have those resources, which is exactly why building your paper trail now, before a claim arrives, is the only strategy that consistently pays off.

Is arbitration a realistic defense option for small businesses?

Sometimes, but it turns entirely on whether the consumer agreed to arbitration before the dispute arose.

If your lead capture form or service agreement includes a binding arbitration clause and a class action waiver, you may be able to compel individual arbitration, which caps your exposure at one plaintiff's claims rather than a class. That's a legitimate risk management tool. The Supreme Court has generally upheld arbitration clauses in consumer contracts under the Federal Arbitration Act.

The catch for TCPA defendants: if the plaintiff says they never agreed to your terms (because you bought their number from a lead vendor), you can't compel them to arbitrate under an agreement they never signed. Arbitration clauses protect you when the plaintiff was your customer or lead. They do nothing when the plaintiff received an unsolicited contact off a purchased list.

So arbitration clauses work well as a defense layer for businesses marketing to existing customers or inbound leads who agreed to terms. They do very little for cold outreach. Know which type of program you're running before you count on this strategy.

Frequently asked questions

Can I be sued under the TCPA for just one or two calls?

Yes. The TCPA has no minimum call threshold. A single call to a cell phone using an ATDS without consent can support a $500 to $1,500 claim. Serial plaintiffs routinely file over one or two contacts. Attorneys are more likely to pursue cases with multiple violations because the damages are larger, so one or two calls may bring a demand letter rather than a lawsuit. It can still escalate.

Does the TCPA apply to B2B calls?

The TCPA applies to calls to wireless numbers regardless of whether the call is personal or business-related. The FCC has not carved out a blanket B2B exemption. Practically, individual plaintiffs in B2B contexts are rarer, and the established business relationship defense is more often available. But if you're calling cell phones using an ATDS without consent, the statute reaches B2B calls too.

What is the difference between a TCPA claim and a DNC Registry claim?

A TCPA ATDS claim under § 227(b) requires that the defendant used an automatic telephone dialing system or prerecorded voice. A DNC Registry claim under § 227(c) doesn't require an ATDS; it just requires that you called a registered number more than once in 12 months without consent. You can win the ATDS argument and still lose a DNC claim, or the reverse. Both carry $500 to $1,500 per-violation damages.

How long does a plaintiff have to file a TCPA lawsuit?

Federal courts apply a four-year statute of limitations to TCPA claims under the general federal limitations statute (28 U.S.C. § 1658). Some state law parallel claims run on their own shorter or longer periods. A plaintiff can sue over calls made up to four years ago, which is why retaining call logs and consent records for at least four years is sensible practice.

Only if the consent language specifically named you or your company, or clearly authorized calls from a defined category you fit. Vague consent to "partners" or "affiliates" has not consistently held up in court. The FCC has signaled that overly broad third-party consent may not satisfy the prior express written consent standard. Always obtain and review the exact opt-in language from your lead vendor before calling.

Can I use a predictive dialer without TCPA liability after Facebook v. Duguid?

It depends on how the dialer works. If your predictive dialer calls from a pre-loaded list of specific numbers without using a random or sequential number generator to produce them, the post-Duguid federal ATDS definition may not cover it. But state laws in California, Florida, and Washington use broader definitions that may still capture predictive dialers. Get a technical spec from your vendor and have a TCPA attorney assess your setup.

What is the DNC safe harbor and can a small business actually qualify for it?

The DNC safe harbor under 47 U.S.C. § 227(c)(5) protects companies from DNC Registry-based claims if they had written compliance procedures, trained their staff, and scrubbed their lists against the registry within 31 days of each call. A small business absolutely can qualify. The bar is not high: a written policy, documented training, and dated scrub records. Most small businesses just haven't done the paperwork.

Should a small business settle a TCPA demand letter or fight it?

Depends on your records. If you have clean consent documentation, scrub records, and technical support for an ATDS defense, a firm response from TCPA counsel often resolves the claim without litigation. If your records are weak or nonexistent, early settlement is usually cheaper than discovery. Get a TCPA-experienced attorney to assess your documentation before responding to any demand letter. A general response without counsel can become an admission.

Do I need to scrub against state DNC registries as well as the national registry?

Yes, if you're calling into states with their own registries. Indiana, Texas, Wyoming, Colorado, Louisiana, and several others maintain state-level DNC registries alongside the national list. Scrubbing only the national registry leaves you exposed to state-law claims if you call a number that appears on a state list but not the federal one. Map your lead geography and check which states require separate registration and access.

Capture and store the exact opt-in disclosure text shown on the form, the date and time of submission, the IP address of the submitting device, and the form URL. Screenshot the form while it's live. Store submission records in a database with timestamps. If your form vendor doesn't provide these records, switch to one that does. Courts expect this level of documentation, and "we had a form" without the records is not a defense.

Each call after a revocation is a separate TCPA violation and likely willful, which opens you to $1,500 per call instead of $500. The FCC confirmed in its 2015 declaratory ruling that consumers may revoke consent through any reasonable means. Once you receive a revocation, you must stop and suppress that number immediately. Document the revocation request and the date your team suppressed the number.

Does the TCPA apply to ringless voicemail?

The FCC classified ringless voicemail as a "call" under the TCPA in 2022, meaning it is subject to the same consent requirements as a regular call to a cell phone. [2] Before that ruling, there was an argument that ringless voicemail bypassed the statute. That argument is now much weaker under the FCC's position, though litigation continues on specific applications.

Can I face both TCPA and state law claims for the same text or call?

Yes. California's CIPA, Florida's FTSA, and other state statutes often provide independent causes of action for the same conduct that triggers the TCPA. Some state statutes carry broader ATDS definitions than the post-Duguid federal standard, so a plaintiff may win a state claim even if you defeat the federal ATDS argument. This is why compliance programs need to account for state law, especially in California and Florida.

Is there free help for small businesses trying to build a TCPA compliance program?

Yes. LeadCompliant offers a free one-time compliance kit with consent language templates, a scrubbing checklist, and an opt-out tracking worksheet sized for small outbound teams. The FTC and FCC also publish free guidance on DNC requirements and ATDS standards. These resources get you started, but they don't replace a review by a TCPA-experienced attorney before you launch a high-volume campaign.

Sources

  1. U.S. Congress, 47 U.S.C. § 227 (Telephone Consumer Protection Act, full statute text): Statutory damages of $500 per violation and up to $1,500 for willful violations; ATDS defined in § 227(a)(1)
  2. Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): ATDS requires equipment that uses random or sequential number generator to produce or store numbers; merely dialing from a stored list is not enough
  3. FTC, Complying with the Telemarketing Sales Rule (business guidance): Sellers must scrub against the National DNC Registry no more than 31 days before a call; safe harbor requires written procedures, training, and scrubbing evidence
  4. FTC, Privacy and Security (business guidance): Consent record documentation requirements and best practices for demonstrating affirmative authorization
  5. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059 (2021 amendment): Florida FTSA's broader auto-dialer definition and per-text damages provisions, effective July 1, 2021
  6. FTC, National Do Not Call Registry Data Book FY 2023: Registry size, consumer complaint volumes, and enforcement statistics through FY2023
  7. California Legislative Information, Invasion of Privacy Act, Cal. Penal Code § 638.51: California CIPA broader auto-dialer definition creating parallel state TCPA liability
  8. U.S. Congress, Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. § 7001: Electronic signatures and web-form check-boxes satisfy the written consent requirement for TCPA prior express written consent purposes

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit