Last updated 2026-07-09

TL;DR
A TCPA violation carries a statutory penalty of $500 per call or text. If a court finds the violation was willful, that jumps to $1,500 per violation. There is no cap on the number of violations in a single lawsuit, which is why class actions routinely reach millions. Consent errors, DNC failures, and missing opt-out mechanisms are the three most common triggers.
What is the TCPA and what counts as a violation?
The Telephone Consumer Protection Act (47 U.S.C. § 227) was passed in 1991 and gives the Federal Communications Commission authority to restrict automated calls, prerecorded messages, and text messages to cell phones, residential lines, and fax machines [1]. A violation happens whenever a covered communication reaches a person without meeting one of the statute's consent or exemption requirements.
The most common violations break down into a few clear categories. Calling or texting a cell phone using an automatic telephone dialing system (ATDS) without prior express written consent. Calling a number on the National Do Not Call Registry without a pre-existing business relationship or written consent. Abandoning calls, meaning not connecting a live agent within two seconds of the called party saying hello. Sending prerecorded messages without consent. Failing to honor an opt-out request within 30 days.
The statute itself defines the core prohibition this way: "It shall be unlawful for any person within the United States... to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice... to any telephone number assigned to a paging service, cellular telephone service..." [1]. That language, specifically the word "any call," is why plaintiffs can stack violations. Each contact is its own potential claim.
The FCC has extended TCPA rules to text messages through a series of rulemakings, most significantly in 2003 and again in 2012 [2]. Courts have largely followed that interpretation. A single SMS blast to 100,000 numbers without proper consent is not one violation. It is 100,000 violations.
What is the fine for a violation of the TCPA?
The base statutory damage for a TCPA violation is $500 per violation [1]. Courts can triple that to $1,500 per violation if the defendant "willfully or knowingly" violated the statute. Unlike many federal statutes, the TCPA does not require plaintiffs to prove actual damages. The $500 figure is a statutory floor, meaning a plaintiff collects it even if they suffered no real financial harm from a single unwanted call.
That structure is what draws the plaintiffs' bar to TCPA work. A company that sends 500,000 text messages without valid consent faces potential exposure of $250 million at $500 per text, or $750 million if a court finds the conduct willful. Neither of those numbers is theoretical. Several settlements in the $10 million to $75 million range have run on exactly this math, though most class actions settle for a fraction of the theoretical maximum.
Here is the statutory language on damages from 47 U.S.C. § 227(b)(3): "A person or entity may, if otherwise permitted by the laws or rules of court of a State, bring in an appropriate court of that State: an action based on a violation of this subsection or the regulations prescribed under this subsection to enjoin such violation, an action to recover for actual monetary loss from such a violation, or to receive $500 in damages for each such violation, whichever is greater, or both such actions. If the court finds that the defendant willfully or knowingly violated this subsection or the regulations prescribed under this subsection, the court may, in its discretion, increase the amount of the award to an amount equal to not more than 3 times the amount available under subparagraph (B) of this paragraph." [1]
The FCC does not issue the fines directly in private lawsuits. Individuals and class action lawyers bring TCPA cases in state or federal court. The FCC can issue its own forfeitures separately under 47 U.S.C. § 503(b), and those can reach much higher amounts for egregious robocallers, but the $500/$1,500 per-violation figure is the civil private right of action that drives most of the litigation small and mid-size businesses face [2].
How does the per-violation penalty stack up in a real lawsuit?
The math on TCPA exposure is simple and brutal. Each individual call or text is a separate violation with its own $500 (or $1,500) price tag. There is no statutory cap on total damages. Courts have not routinely applied constitutional due process limits to reduce TCPA awards the way they sometimes do for punitive damages, though a handful of district court decisions have tried.
| Violation Type | Base Penalty | Willful/Knowing Penalty |
|---|---|---|
| Single autodialed cell call (no consent) | $500 | $1,500 |
| Single text message (no consent) | $500 | $1,500 |
| Single prerecorded message (no consent) | $500 | $1,500 |
| Single call to DNC-registered number | $500 | $1,500 |
| Single abandoned call | $500 | $1,500 |
Consider a real example. UnitedHealthcare settled a TCPA class action for $2.5 million after allegations that it placed autodialed calls and sent prerecorded messages to consumers without consent [see /articles/tcpa-basics/unitedhealthcare-to-pay-2-5m-for-alleged-tcpa-violations]. That settlement covered tens of thousands of class members. The per-class-member payout was modest, but the company's actual exposure before negotiation was many multiples of the settlement figure.
Truist Bank reached a class action settlement over similar allegations [see /articles/tcpa-basics/truist-bank-tcpa-class-action-settlement]. Credit One Bank has faced multiple TCPA suits, with one high-profile case litigated by an individual plaintiff [see /articles/tcpa-basics/credit-one-tcpa-settlement]. Albertsons and Safeway settled TCPA text message claims [see /articles/tcpa-basics/albertsons-safeway-tcpa-settlement]. The pattern across all of them is the same. High per-violation statutory damages multiplied by a large number of contacts produces the pressure that forces a settlement.
For outbound sales teams, the practical implication is this. Your call volume is your exposure multiplier. A team making 10,000 calls a month on a list with 5% DNC contamination is generating 500 potential violations per month, or $250,000 in potential statutory damages, before any willfulness finding.
What makes a TCPA violation "willful" and why does it matter?
The jump from $500 to $1,500 per violation depends on whether the court finds willful or knowing conduct. Courts read this standard broadly. You do not need to know that TCPA existed or that your conduct violated it. You need to know you were making the calls or sending the texts, and those calls or texts turn out to violate the statute [3].
Practically, this means most intentional marketing campaigns that turn out to lack proper consent will face the willfulness argument. A company that ran a text campaign, knew it was sending texts, and simply had bad consent records is a strong candidate for a treble damages finding. A company that scrubbed its lists diligently, had documented consent records, and made a genuine procedural error has a better argument against willfulness.
Willfulness also matters for settlement negotiations. Plaintiffs' counsel price in the treble damages possibility when deciding whether to settle and for how much. If the facts are bad, meaning the defendant clearly knew consent was missing or ignored opt-out requests, the settlement demand reflects the $1,500 per violation math.
The FCC's own enforcement posture treats repeated violations and ignored warning letters as evidence of willfulness in its forfeiture proceedings [2]. Courts look at similar facts: prior consent requests that were ignored, opt-out requests that went unheeded, or internal documents showing the company knew its lists were not properly scrubbed.
What are the most common causes of TCPA violations?
Bad consent records are the single most common cause. Companies buy lead lists, inherit contacts from acquisitions, or run web forms with vague disclosures, and then call or text those people. When a plaintiff or their lawyer pulls records, there is no evidence of clear and conspicuous written consent for autodialed marketing calls. That is a textbook TCPA violation.
DNC failures are the second most common cause. The National Do Not Call Registry has over 240 million registered phone numbers [4]. Companies are required to check their call lists against the DNC Registry before dialing. Missing a scrub, using an outdated pull, or exempting numbers incorrectly (for example, assuming a prior business relationship extends longer than 18 months) generates DNC violations at scale.
Opt-out failures are the third major cause. Once someone says stop calling, you have 30 days to honor it for telemarketing purposes under FTC rules, and for SMS you need to stop immediately as a practical matter. Companies with fragmented CRMs, siloed call centers, or manual opt-out processes regularly re-contact people who have already asked to be removed.
ATDS definition disputes have generated enormous litigation. Whether a system qualifies as an automatic telephone dialing system under the statute shifted after the Supreme Court's 2021 Facebook v. Duguid decision, which narrowed the definition to systems that use a random or sequential number generator to store or produce numbers [5]. Companies that dialed from static lists argued they were not using an ATDS. That legal question affects exposure on billions of calls, though prerecorded message violations do not require an ATDS and are still fully actionable.
For teams doing text message marketing, the consent standard for commercial texts is prior express written consent, and the disclosure requirements are specific [see /articles/tcpa-basics/text-message-marketing]. A checkbox that says "I agree to terms" is not enough without specific language mentioning autodialed texts.
How do TCPA class actions actually get filed and settled?
Most TCPA lawsuits start with one plaintiff who received an unwanted call or text. That person, often connected to a plaintiffs' law firm that actively scouts these claims, files a complaint alleging violations on their own behalf and on behalf of everyone similarly situated. The class is typically defined as all people who received the same type of communication without consent during a specific time period.
Certification is a major battleground. Plaintiffs need to show the class shares common legal and factual questions. TCPA cases are often certifiable because the same dialing system, the same list, and the same consent process (or lack of one) applies to every class member. Once a class is certified, the defendant's exposure balloons from one $500 claim to potentially millions of them.
Settlement is the norm. The vast majority of TCPA class actions settle before trial, largely because the gap between theoretical maximum exposure and a reasonable settlement gives both sides reason to deal. Defendants pay out a fraction of the total statutory damages. Plaintiffs get a certified settlement with real money distributed to class members.
Individual plaintiffs (not class actions) also file TCPA claims. Serial TCPA litigants, people who intentionally receive calls and texts in order to sue, are a real phenomenon. Courts have treated them with varying levels of sympathy. Some have found that a person who keeps a phone number active specifically to collect TCPA damages has not suffered the harm the statute targets. Others have said the statutory right to damages does not depend on intent. This area is not settled law.
The Cash App TCPA class action [see /articles/tcpa-basics/cash-app-tcpa-class-action-settlement] and Kaiser settlement [see /articles/tcpa-basics/kaiser-tcpa-settlement-claim-deadline] are recent examples of how large organizations with broad consumer contact programs find themselves in class action territory even with compliance programs in place.
What defenses actually work against a TCPA violation claim?
Consent is the primary defense. If you can prove the plaintiff gave prior express written consent to receive the type of communication at issue, the claim fails. The burden is on the defendant to prove consent, not on the plaintiff to disprove it [3]. That reversal catches a lot of companies off guard. Your consent records need to be stored, timestamped, and retrievable. A general terms-of-service checkbox from 2019 with no specific ATDS disclosure is not going to hold up.
The established business relationship (EBR) defense applies in some DNC contexts. If someone made a purchase or inquiry within the past 18 months, you can call them even if they are on the DNC Registry, unless they have asked to be placed on your internal do-not-call list [4]. The EBR does not apply to cell phone autodialed calls without consent.
The called party's consent for reassigned numbers is a genuine trap. If you have consent from the original subscriber but the number has since been reassigned to a new person, your calls to that new person are potential violations. The FCC has addressed this through its reassigned numbers database, which companies can query before dialing [2].
Facebook v. Duguid narrowed the ATDS definition, which is a partial defense for companies using predictive dialers or other systems that dial from a fixed list rather than generating numbers randomly or sequentially [5]. This defense does not apply to prerecorded message claims, which are separately prohibited.
Documented compliance programs reduce willfulness exposure but rarely eliminate the underlying violation. Showing the court that you had consent verification procedures, DNC scrubs, and opt-out processes does matter for the $500 vs. $1,500 question even if it does not eliminate liability.
What should outbound sales teams do right now to avoid violations?
The single highest-value action is fixing your consent documentation. Every number you call or text for marketing purposes should have a record showing when consent was given, what the disclosure said, what the person agreed to, and through what channel. "We have a CRM entry" is not a consent record. A timestamped log of the specific opt-in with the exact disclosure language is a consent record.
DNC scrubbing needs to happen before every campaign, more than once when you buy a list. The FTC requires that organizations access the National Do Not Call Registry at least every 31 days [4]. Use a scrubbing service that pulls a fresh registry snapshot and document when each scrub ran. Running a campaign on a 45-day-old pull is an avoidable mistake that generates real exposure.
Build a real opt-out process. For calls, that means training agents to log opt-outs immediately and syncing to a suppression list that every dialing system reads before launching. For texts, automated opt-out handling (STOP, UNSUBSCRIBE, QUIT, CANCEL, END, REVOKE) needs to be built into your SMS platform, not handled manually. A manual opt-out process will eventually fail at scale.
For teams just starting to organize their compliance approach, LeadCompliant offers a one-time compliance kit and free tools including a DNC checker and TCPA consent template, which can give you a documented starting point without requiring outside counsel for every step.
If you are using a third-party dialer or lead vendor, get contractual representations from them about consent. TCPA liability can flow to you even when a vendor placed the call or collected the lead. Courts have found companies liable as the party that initiated the call even when a third-party dialer made the physical connection.
For SMS specifically, review the full obligations around text messaging marketing [see /articles/tcpa-basics/text-message-marketing] before your next campaign. The consent requirements for text are stricter than for live agent calls, and the paper trail needs to be cleaner.
How does the FCC enforce TCPA separately from private lawsuits?
The FCC enforces TCPA through its own forfeiture authority under 47 U.S.C. § 503(b), separate from private civil suits. FCC forfeitures are typically much larger than the $500/$1,500 per-violation private damages, especially for robocall operations. The FCC has issued forfeiture orders in the tens of millions of dollars against egregious robocallers [2].
The FCC also issues rules under TCPA that define what equipment qualifies as an ATDS, what consent language is required, and what exemptions apply. Its 2012 order raised the consent standard for marketing calls to cells from prior express consent to prior express written consent [2]. Its 2015 omnibus order addressed reassigned numbers, predictive dialers, and opt-out requirements before being partially overturned in ACA International v. FCC. The 2024 FCC one-to-one consent rule, which would have required consent to be lead-specific and not transferable across multiple sellers, was vacated by the Eleventh Circuit in January 2025 [6].
State attorneys general can also enforce TCPA directly, and some state laws impose additional restrictions. Florida's FTSA, for example, has its own autodialer definition that is broader than the post-Facebook v. Duguid federal standard, creating additional exposure for companies dialing Florida area codes.
People looking for a TCPA lawyer in their state often find that local plaintiff firms have active TCPA practices, particularly in states with active litigation cultures. Understanding the general framework before getting to that stage is the better use of resources.
Are there any TCPA exemptions that reduce violation risk?
Yes, but they are narrower than most companies assume. The statute exempts calls made for emergency purposes. It exempts calls where the called party has given prior express consent. For residential lines (not cells), it exempts calls from tax-exempt nonprofit organizations. The FCC has created additional exemptions by rule for specific categories: package delivery notifications, fraud alerts, bank account alerts, and certain healthcare calls.
The informational exemption matters most for companies that think they are making service calls rather than marketing calls. A call to tell a customer their account is past due can be made without marketing consent. A call that also offers a payment plan or a new product in the same breath risks being reclassified as a marketing call, pulling it back into the full consent requirement.
The EBR exemption for DNC purposes (18 months from a purchase, 3 months from an inquiry) does not carry over to cell phone autodialing consent. Companies often mix these up. You can call a residential line number on the DNC list if you have an EBR, but you still need independent ATDS consent to call the person's cell phone with an autodialer.
The reassigned numbers database, operated by SOMOS under FCC oversight, lets callers check whether a number has been reassigned before dialing. Callers who query the database and dial after getting a clean response have a partial safe harbor against claims from a new subscriber who did not give consent [2]. Querying the database is not yet mandatory for most callers but is a concrete risk-reduction step.
What do recent TCPA settlements tell us about real-world exposure?
Actual settlements give a more grounded picture than the statutory math alone. Companies rarely pay the theoretical maximum. But the multimillion-dollar outcomes are real and routine.
The UnitedHealthcare $2.5 million settlement [see /articles/tcpa-basics/unitedhealthcare-to-pay-2-5m-for-alleged-tcpa-violations] involved allegations of autodialed and prerecorded calls to class members without consent. The Albertsons/Safeway settlement [see /articles/tcpa-basics/albertsons-safeway-tcpa-settlement] resolved text message marketing claims. The Credit One Bank litigation [see /articles/tcpa-basics/credit-one-tcpa-settlement] involved debt collection calls to cell phones, a particularly active area of TCPA litigation.
Debt collection is one of the highest-risk contexts. Creditors and their servicers make enormous call volumes to cell phones. When consent documentation is imperfect, which it often is in purchased-debt portfolios, the exposure is staggering. The Joseph Snyder v. Credit One case [see /articles/tcpa-basics/joseph-snyder-credit-one-tcpa] shows how individual plaintiffs can pursue these claims outside a class action framework.
For an outbound sales team reading this, the lesson is proportionality. Your absolute dollar exposure scales directly with call volume and list quality. A team calling 5,000 numbers a week with solid consent and DNC scrubbing has manageable risk. A team calling 50,000 numbers a week from a purchased list with no scrubbing and no documented consent has existential exposure.
LeadCompliant's free TCPA resources, including consent verification tools and a step-by-step compliance kit, help smaller teams get the documentation structure right without starting from scratch. The goal is building the paper trail that either prevents a lawsuit or gives you a real defense if one comes anyway.
Frequently asked questions
What is the fine for a violation of the TCPA?
The statutory fine for a TCPA violation is $500 per individual call or text. If a court finds the violation was willful or knowing, it can triple that to $1,500 per violation. There is no cap on the number of violations a plaintiff can claim, so a single mass text campaign to unconsented numbers can generate millions in potential statutory damages. Courts have discretion on the willfulness finding but not on the base $500 amount.
What is the per-violation penalty for TCPA violations?
$500 per violation is the base under 47 U.S.C. § 227(b)(3). Willful or knowing violations go up to $1,500 per violation. Each call, text, or fax is counted separately. A plaintiff does not need to prove actual financial harm to collect the statutory amount. This per-contact structure is why TCPA class actions involving millions of contacts can generate settlement demands well into eight figures.
Can one TCPA lawsuit cover multiple violations?
Yes. Each qualifying contact, call, text, or fax is a separate violation. A class action groups all similarly situated people who received the same type of contact without consent, so a single lawsuit can cover millions of individual violations. Defendants face the full stacked statutory damages as their worst-case exposure, which is why most cases settle for a fraction of the maximum.
Does the TCPA apply to text messages?
Yes. The FCC extended TCPA coverage to text messages in a 2003 rulemaking, and courts have consistently upheld that interpretation. The same $500/$1,500 per-violation penalty applies to commercial texts sent without prior express written consent. Each text to an unconsented number is its own violation. This applies to both marketing texts and texts sent using autodialing technology.
Does a TCPA violation require proof of harm?
No. The TCPA's private right of action allows plaintiffs to collect $500 per violation without proving any actual monetary loss. This is one of the statute's most distinctive features. It means receiving a single unwanted robocall or text is enough to file a claim. Courts have largely upheld this structure, though the Supreme Court's standing analysis in TransUnion v. Ramirez created some uncertainty about when a bare statutory violation confers Article III standing.
What is the statute of limitations for TCPA violations?
Federal courts have generally applied a four-year statute of limitations to TCPA claims under 28 U.S.C. § 1658, the federal catch-all limitations period. Some state courts applying state law have used different periods. The four-year window means calls or texts made in the past four years are potentially actionable. Plaintiffs' firms often request call records going back to that limit when investigating a potential class action.
Can a business be liable for TCPA violations by a third-party vendor?
Yes. Courts have found companies liable as the party that authorized or directed calls made by a third-party dialer or lead generator. Vicarious liability under TCPA applies when the company had control over the calling campaign or ratified the vendor's conduct. Buying leads from a vendor and then calling them does not transfer the consent obligations to the vendor. The company making commercial use of the call bears the compliance responsibility.
Does the TCPA apply to calls to numbers on the National Do Not Call Registry?
Yes, separately from the autodialing rules. Calling a residential number registered on the National Do Not Call Registry without consent or an applicable exemption violates TCPA's DNC provisions. The $500/$1,500 per-violation penalty applies. The DNC exemptions include an established business relationship within 18 months of a purchase and prior written consent. DNC violations on cell phones can stack with autodialing violations for the same call.
What is the difference between TCPA and FTC Do Not Call rules?
The TCPA (47 U.S.C. § 227) is an FCC-administered statute governing autodialed calls, prerecorded messages, and texts to cell phones and residential lines. The FTC's Telemarketing Sales Rule (TSR) governs the National Do Not Call Registry and additional telemarketing practices. Congress gave both agencies overlapping authority over DNC compliance. Violating the DNC Registry can trigger both FTC enforcement and TCPA private lawsuits, and they use different definitions and exemptions.
How has the Facebook v. Duguid Supreme Court decision changed TCPA violation exposure?
The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the definition of an automatic telephone dialing system (ATDS) to equipment that uses a random or sequential number generator. Systems that dial from a static stored list may not qualify as an ATDS. This eliminated one path to liability for predictive dialers using fixed lists. But prerecorded message violations do not require an ATDS, and DNC violations are unaffected, so exposure remains significant.
What records should a company keep to defend a TCPA lawsuit?
You need timestamped records of every consent event, including the specific disclosure language the person saw, the date and channel, and a way to tie the record to a specific phone number. DNC scrub logs with dates and list versions matter for DNC defenses. Opt-out logs showing every opt-out received and when it was applied to suppress future contacts are critical. Internal training records and compliance policy documents help establish good faith against a willfulness finding.
Are there any exemptions to the TCPA that eliminate violation risk?
Some, but they are narrow. Emergency calls, calls with prior express written consent, certain informational alerts (account alerts, fraud alerts, package notifications), and calls to residential lines from tax-exempt nonprofits have exemptions. An established business relationship exempts some DNC calls to residential lines but does not provide ATDS consent for cell phones. Informational calls that blend in marketing language lose the informational exemption. Review the specific FCC rules before relying on any exemption.
How do I stop robocalls to my personal number if I think I have a TCPA claim?
Register your number at donotcall.gov if you have not already. Document each unwanted call: date, time, caller ID, and any message left. For autodialed or prerecorded calls to your cell phone you did not consent to, you may have a private right of action under TCPA. Some consumers work with TCPA plaintiff attorneys who take these cases on contingency. For more detail on stopping robocalls, see the guide at LeadCompliant.
What triggers the $1,500 willful violation penalty versus the $500 base penalty?
Courts apply the $1,500 treble damages when they find the defendant willfully or knowingly violated TCPA. You do not need to know the law; you need to know you were making the calls or sending the texts. Ignoring opt-out requests, using list data you knew lacked proper consent, continuing to call after receiving a cease-and-desist, and internal documents showing awareness of noncompliance are common facts that support a willfulness finding.
Sources
- Cornell Law School Legal Information Institute, 47 U.S.C. § 227 (TCPA full statute text): Statutory text of TCPA prohibitions and $500/$1,500 per-violation damage amounts under 47 U.S.C. § 227(b)(3)
- FTC, National Do Not Call Registry information for businesses: Over 240 million numbers on the National Do Not Call Registry; 31-day scrub requirement; 18-month established business relationship exemption
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems using random or sequential number generators; static list dialers may not qualify as ATDS
- FTC, Telemarketing Sales Rule (16 C.F.R. Part 310): FTC Telemarketing Sales Rule authority over DNC Registry, telemarketing practices, and distinct from FCC TCPA enforcement
- SOMOS Inc., Reassigned Numbers Database information page: SOMOS operates the FCC-mandated Reassigned Numbers Database that callers can query before dialing to check for number reassignment
- Cornell Law School Legal Information Institute, 47 U.S.C. § 503(b) (FCC forfeiture authority): FCC authority to issue large forfeiture orders against TCPA violators separate from private civil lawsuits
- FTC, donotcall.gov registry for consumers: National Do Not Call Registry where consumers register numbers and businesses must scrub call lists
- Cornell Law School Legal Information Institute, 28 U.S.C. § 1658 (4-year statute of limitations): Federal catch-all four-year statute of limitations applied to TCPA claims in federal court