Last updated 2026-07-09

TL;DR
The TCPA sets statutory damages at $500 per illegal robocall or text, rising to $1,500 if a court finds the violation was willful. There is no cap on the number of violations in a single lawsuit, so class actions against high-volume dialers routinely reach eight or nine figures. The FCC can also issue separate administrative forfeiture penalties up to $23,727 per violation.
What is the TCPA and what does it actually prohibit?
The Telephone Consumer Protection Act is a federal statute, codified at 47 U.S.C. § 227, passed in 1991 and administered jointly by the FCC and the FTC. [1] It restricts four kinds of outbound contact: calls to cell phones using an automatic telephone dialing system (ATDS) or a prerecorded voice, calls to residential lines using a prerecorded voice, calls to numbers on the National Do Not Call Registry, and unsolicited fax advertisements.
Most outbound sales teams trip over the ATDS rule. You need prior express written consent before placing an autodialed or prerecorded call or text to a mobile number. Emergency calls are exempt. Calls to landlines for non-commercial purposes have looser rules. But if you run a modern outbound program, assume the strict standard applies until a lawyer says otherwise.
For a broader overview of how all these rules fit together, see our guide to tcpa law.
Here is the part people get wrong. The TCPA does not require that you actually annoy anyone or cause financial harm. For the private right of action, it works as a strict liability law. If the technical violation happened, damages are owed. That is why class actions are so dangerous. A single blast to 500,000 unconsented numbers is 500,000 separate violations, each worth at least $500. Do the math.
How much does a TCPA violation cost per call?
The TCPA sets a flat statutory damage floor of $500 per violation. [1] Courts count each individual call or text as one violation. So if your platform sent 10,000 texts without proper consent, the floor exposure is $5,000,000 before anyone hires a lawyer.
The statute also allows treble damages. Under 47 U.S.C. § 227(b)(3), a court may increase the award to up to $1,500 per violation if it finds the defendant "willfully or knowingly" violated the Act. [1] Willfulness does not require bad intent in the criminal sense. Courts have found it when a company kept calling after a cease-and-desist letter, or when internal documents showed the compliance team flagged the risk and management overrode them.
Here is how the three damage tiers look side by side:
| Scenario | Per-violation amount | Triggered by |
|---|---|---|
| Baseline statutory damage | $500 | Any proven TCPA violation |
| Treble damages (willful) | Up to $1,500 | Court finding of willful/knowing violation |
| FCC forfeiture (administrative) | Up to $23,727 | FCC enforcement action |
The FCC's administrative forfeiture ceiling of $23,727 per violation (adjusted periodically for inflation) applies to its own enforcement actions, separate from private lawsuits. [2] The two tracks run at the same time. You can settle a class action and still face an FCC Notice of Apparent Liability.
There is no statutory cap on total damages from private lawsuits. That is the single biggest financial risk most small teams miss until it is too late.
What are the biggest TCPA settlement amounts on record?
You do not have to guess at the real-world cost. Publicly filed settlements give a clear picture.
Capital One settled a TCPA class action in 2014 for $75.5 million, covering autodialed calls to cell phones. [3] Dish Network agreed to pay $61 million to resolve FTC and FCC claims over millions of illegal robocalls to numbers on the Do Not Call list. [4] Bank of America settled for $32 million in 2014 over autodialed debt collection calls. Caribbean Cruise Line settled for $76 million over prerecorded political survey calls that were really sales pitches.
Those are large companies with litigation budgets. The smaller the company, the more a mid-size settlement hurts. A $2 million settlement a Fortune 500 firm absorbs in a quarter can destroy a 20-person sales operation.
Nobody has perfect data on how many TCPA suits get filed each year. The WebRecon index, which tracks consumer law filings, consistently showed 3,000 to 5,000 TCPA cases filed annually in federal district courts through the early 2020s, with peaks near 5,000 in some years. That number shifted after the Supreme Court's 2021 decision in Facebook v. Duguid narrowed the definition of ATDS. [5] Even so, prerecorded-voice claims (which need no ATDS) stayed fully intact, and DNC claims are untouched by Duguid.
How does the FCC calculate and impose forfeiture penalties?
The FCC's power to fine robocallers comes from Section 503(b) of the Communications Act, which TCPA enforcement actions run through. [2] The FCC issues a Notice of Apparent Liability (NAL) first, giving the target a chance to respond. If the target does not resolve it, the FCC issues a Forfeiture Order.
The base forfeiture for TCPA violations is $10,000 per violation, but the FCC adjusts up or down based on the degree of willfulness, any history of prior offenses, ability to pay, and whether the party took remedial steps. The inflation-adjusted maximum per violation was $23,727 as of recent FCC guidance. [2]
The FCC has issued enormous NALs against robocallers. In 2022 it proposed a $299,997,000 forfeiture against a single operation running illegal auto warranty robocalls. [6] That is not a settlement figure. It is the proposed forfeiture before any collection process. Collected amounts often come in lower because many bad actors are judgment-proof or operate offshore. But for a legitimate domestic business, an NAL of that size is a company-ending event even before a private class action lands.
The FCC also works through the STIR/SHAKEN caller ID authentication framework and its traceback program to find originating carriers and the businesses behind them. Being traced and referred to the FCC Enforcement Bureau is now common for high-volume dialers. [6]
What did Facebook v. Duguid change about TCPA liability?
Facebook, Inc. v. Duguid (2021) is the most significant TCPA decision the Supreme Court has ever issued. [5] The Court held unanimously that an ATDS, as the TCPA defines it, must use a random or sequential number generator to either store or produce the numbers it dials. A system that dials from a stored list of specific numbers, with no random or sequential generation, is not an ATDS under the federal statute.
Plain version: if your CRM exports a list of leads and your dialer calls those specific numbers in order, many courts will not call that an ATDS. The autodialer risk narrowed for list-based calling.
That does not mean TCPA risk went away. Several tracks stayed fully alive.
First, prerecorded voice calls. The TCPA's ban on prerecorded messages to cell phones and residential lines does not depend on the ATDS definition at all. If you use drop-voicemail, ringless voicemail, or any prerecorded message, the ban applies no matter how you picked the number. [1]
Second, state analogs. California, Florida, and other states run their own robocall and telemarketing statutes that define autodialers more broadly than the post-Duguid federal standard. Florida's FTSA, effective July 2021, covers any system that can make a call without human intervention, regardless of random or sequential generation.
Third, Do Not Call violations. TCPA § 227(c) and the FTC's Telemarketing Sales Rule DNC provisions are untouched by Duguid. Calling a number on the National DNC list or your internal DNC list without permission is still a $500 per call violation.
Who can sue you under the TCPA, and what is the process?
Any person who received an illegal call or text has standing to sue. [1] The TCPA creates a private right of action in state or federal court. Most plaintiffs file in federal district court because diversity jurisdiction is easy to establish and federal courts have deeper TCPA case law.
Individual suits happen but stay rare, because the $500-per-call figure is too low to justify a solo case for most plaintiffs. What makes the TCPA catastrophic is class certification. If a plaintiff's attorney shows that one common system called a large, identifiable group of people the same illegal way, the court may certify a class. At that point every person in the class becomes a potential plaintiff, and the total climbs fast.
The statute of limitations is four years under the catch-all federal limitations period, 28 U.S.C. § 1658, though some courts characterize claims differently. [12] The practical consequence: calling records from four years ago can fuel a lawsuit today.
State attorneys general can also bring TCPA enforcement actions on behalf of their residents. That is separate from both the FCC enforcement track and private litigation. You can face all three at once for the same conduct.
What consent is required to avoid TCPA penalties?
Consent requirements vary by the type of call and who you are calling. The FCC has tightened consent standards through several orders over the years, most recently a 2024 order that took effect in January 2025. [7]
For autodialed or prerecorded marketing calls and texts to cell phones, you need prior express written consent. The FCC's 2013 TCPA order defined this as a written agreement (electronic counts) that clearly authorizes calls from a specific seller, includes the phone number, and discloses that consent is not a condition of purchase. [11]
For informational calls (not marketing) to cell phones, prior express consent works, and it does not have to be written. That is a lower bar, but the consumer still has to have given you the number in a context that implies permission to call.
For prerecorded calls to residential landlines, a non-commercial call is generally fine without consent. Commercial prerecorded calls to landlines need prior express written consent, the same as cell phones.
The 2024 FCC order introduced a one-to-one consent rule. Consent obtained through a lead generation form must be specific to each seller who calls. Blanket consent for "our marketing partners" no longer satisfies the TCPA for autodialed calls. [7] This is a big change for anyone buying leads from aggregators. If the lead form said "you may be contacted by our partners," that consent is almost certainly invalid for your calls.
Revocation has to be honored promptly. The FCC's 2024 order codified that consumers can revoke consent by any reasonable means, and callers must process revocations within ten business days. [7]
How do state laws add penalties on top of TCPA damages?
Federal TCPA exposure is bad enough. State laws often make it worse.
Florida's Telephone Solicitation Act (FTSA), as amended in 2021, created its own private right of action with damages of $500 per call, separate from and additive to TCPA damages. The FTSA covers text messages and uses a broader autodialer definition than post-Duguid federal law. Florida plaintiffs filed thousands of cases under the FTSA in its first two years. The legislature amended the FTSA in 2023 to add a single-call notice requirement before suit, but the exposure is still real.
California's CPUC has its own telemarketing regulations. California Business and Professions Code § 17538.41 addresses fax solicitations. The CCPA and CPRA add privacy dimensions to any marketing contact. A California resident who gets an illegal robocall might have a TCPA claim, a state telemarketing claim, and a CCPA claim for a failure to honor a deletion request, all from one interaction.
Other states with notable telemarketing damage provisions include Texas, Indiana, and Maryland. Call into multiple states and your exposure is more than federal. It is a stack of state-level risks, each with its own statutes and enforcement posture.
Call recording is a separate but related compliance area. Many states require two-party or all-party consent to record calls, and violations carry their own penalties. For state-specific recording rules, see our articles on pa call recording laws, maryland call recording laws, and indiana call recording laws.
What defenses actually work against a TCPA penalty claim?
The consent defense is the most reliable one you have. Clear, written, specific prior express written consent from the called number's user is a complete defense to the private cause of action. The burden shifts to you to produce it, though, and document retention matters enormously. Consent records from five years ago need to be pullable in minutes.
The established business relationship (EBR) defense was gutted by the FCC's 2003 and later orders for cell phone calls. For wireless numbers, EBR is not a defense to autodialed or prerecorded call claims at all. It keeps limited use for residential landline DNC claims.
Error and good-faith reliance can knock down treble damages. Courts have declined to triple awards when a company ran a genuine compliance program and made a good-faith mistake, even though the underlying $500-per-call liability still stood. This is where documented compliance pays off. Not by erasing liability, but by keeping the award at $500 instead of $1,500.
The called party versus the subscriber distinction matters for wrong-number calls. If you had consent from the person who originally held a number, but the number was reassigned, you called the current holder without consent. The TCPA does not forgive that automatically. The FCC built a safe harbor for single wrong-number calls if you had actual consent from the prior subscriber and a process to catch reassigned numbers, but courts still argue over its scope. The FCC's Reassigned Numbers Database exists to help callers scrub for reassigned numbers before dialing. [8]
What does a real TCPA compliance program look like for a small team?
A compliance program does not have to be expensive. It has to be documented and actually followed.
The minimum baseline: keep a written consent collection process that captures who consented, to what, from which number, and when. Scrub your calling list against the National DNC Registry at least every 31 days, the frequency the FTC requires. [9] Keep your own internal DNC list and honor opt-outs inside the statutory window. Train every person who touches the dialer on what they can and cannot do.
If you use any dialing technology, get a clear legal opinion from telecom counsel on whether your specific platform counts as an ATDS under post-Duguid law. Do not rely on the vendor's own assessment. Vendors have a financial interest in calling their system compliant. Get independent counsel to review the architecture.
Scrub your numbers against the FCC's Reassigned Numbers Database before each campaign. [8] It is cheap relative to the risk it removes.
LeadCompliant offers a free TCPA compliance kit and number-checking tools that small teams use to run these scrubs quickly. If you are not running systematic list hygiene yet, that is the first gap to close.
Document everything. When an FCC investigation or private lawsuit starts, your written policies, training records, opt-out logs, and scrub receipts are your evidence. A company that cannot produce those records looks willful even when it was just disorganized.
How does the FCC's Reassigned Numbers Database reduce penalty exposure?
The FCC launched the Reassigned Numbers Database (RND) in 2021. [8] Carriers report disconnected numbers monthly. Callers query the database with a number and a consent date, and it tells you whether the number was reassigned after that date.
The FCC built a safe harbor around it. Query the RND before calling, and if the database shows no reassignment, you are protected from liability for reaching a reassigned number in good faith. That safe harbor applies only when you actually had valid consent from the prior subscriber. [8]
For high-volume dialers, the RND API allows batch queries. The cost is $0.005 per query as of the FCC's initial pricing, with a monthly subscription option. Half a cent per number. One wrong-number class action dwarfs years of RND fees.
The RND does not replace DNC scrubbing. A number can sit on the DNC list and still show no reassignment. You need both checks. Treat them as two filters for two separate legal risks.
For teams also worried about how call recording intersects with wrong-number liability, the rules in each state matter. See our overview of telephone call recording laws for the state-by-state breakdown.
What should you do if you receive a TCPA demand letter or lawsuit?
Stop the specific conduct described in the letter right away, before you even know if the claim holds up. Keeping up the same calling behavior after a demand letter is strong evidence of willfulness, which turns $500 damages into $1,500 damages and makes a quick settlement much harder.
Do not respond to a plaintiff's attorney directly without your own counsel. TCPA plaintiffs' attorneys are specialists. Every statement you make can be used later.
Preserve everything. Dial records, consent records, opt-out logs, dialer configuration files, vendor contracts, training materials. A litigation hold notice should go out the same day you receive the letter.
Evaluate the class certification risk early. A demand from one person about 12 calls is a different animal from a demand tied to a campaign that touched 200,000 numbers. The class size drives whether a quick individual settlement or a full defense makes more economic sense.
If you have a good-faith compliance program on paper, hand it to your defense counsel. Courts and opposing counsel both treat a company that can show it took compliance seriously very differently from one with no records at all.
To check whether specific call recording rules were also broken in your outbound program, review is it against the law to record phone calls and close that exposure at the same time.
Frequently asked questions
Is there a maximum total penalty the FCC can impose for robocall violations?
There is no statutory cap on the total number of FCC forfeiture violations in a single enforcement action. The per-violation ceiling is $23,727 (inflation-adjusted), but if the FCC counts millions of individual calls, the proposed forfeiture can reach hundreds of millions of dollars. In 2022 the FCC proposed a $299,997,000 forfeiture against one auto warranty robocall operation, which shows the scale possible for high-volume campaigns.
Does the $500 TCPA penalty apply to text messages too?
Yes. Text messages sent via an ATDS to a cell phone are treated the same as autodialed calls under 47 U.S.C. § 227(b)(1)(A). Each text counts as one violation. The $500 floor and $1,500 treble-damage ceiling apply to texts exactly as they apply to calls. That is why bulk SMS campaigns without documented prior express written consent carry the same catastrophic class-action exposure as bulk robocall campaigns.
Can individuals really sue a company directly, or does the FCC have to act first?
Individuals can sue directly in state or federal court with no FCC involvement. The TCPA creates a private right of action at 47 U.S.C. § 227(b)(3) and (c)(5). No government agency needs to file first. That is why TCPA class actions by private plaintiffs' attorneys are far more common than FCC enforcement actions. The private litigation track and the FCC enforcement track run independently of each other.
Does the National Do Not Call Registry protect only landlines or cell phones too?
Both. Consumers can register any phone number, including cell phones, on the National DNC Registry at donotcall.gov. Once registered, telemarketers covered by the FTC's Telemarketing Sales Rule cannot call that number for solicitation. Violations carry up to $51,744 per call under the FTC's civil penalty authority, separate from any TCPA statutory damages.
How long does a TCPA lawsuit have to be filed after the violation?
The federal statute of limitations for TCPA claims is generally four years under 28 U.S.C. § 1658, the catch-all federal limitations period. Some circuits apply different periods depending on the claim type, but four years is the working assumption most practitioners use. That means calling records, consent documentation, and opt-out logs should be retained for at least five years to cover any investigation window.
What is the one-to-one consent rule the FCC adopted in 2024?
The FCC's 2024 TCPA order, which took effect January 27, 2025, requires that prior express written consent for autodialed marketing calls be specific to a single identified seller. A consumer who checks a box on a lead generation form consenting to contact from "our marketing partners" no longer satisfies the TCPA for any individual seller who buys that lead. Each seller needs its own, individually identified consent from that consumer.
What is the difference between an ATDS violation and a prerecorded voice violation?
An ATDS violation requires that the calling system meet the statutory definition of an automatic telephone dialing system, which the Supreme Court in Facebook v. Duguid (2021) narrowed to systems using random or sequential number generation. A prerecorded voice violation requires only that a prerecorded message played during the call, regardless of how the number was dialed. Prerecorded voice claims are broader and survived Duguid intact, which makes drop-voicemail and ringless voicemail tools high-risk.
Can a company avoid TCPA liability by using a third-party calling vendor?
No. Courts have held that companies can be liable for calls made on their behalf by vendors under theories of vicarious liability, including actual authority, apparent authority, and ratification. If your vendor makes calls your company directed and benefits from, you share the liability. Vendor contracts that indemnify you help, but they do not remove your exposure to plaintiffs or the FCC. You also have to confirm your vendor complies with the TCPA as part of your due diligence.
How quickly must a company honor a do-not-call or consent revocation request?
The FTC's Telemarketing Sales Rule requires internal DNC requests to be honored within 30 days. The FCC's 2024 TCPA order requires callers to honor consent revocations submitted by any reasonable means within ten business days. Missing that window turns every later call into a fresh violation. Internal processes for capturing, logging, and pushing opt-outs across all calling systems are not optional.
Does the TCPA apply to B2B calls to business phone numbers?
The TCPA's ATDS and prerecorded voice restrictions apply based on whether the number is a wireless number or residential line, not on whether the recipient is a business or consumer. A call to someone's business cell phone is still a call to a wireless number and needs the same prior express written consent. Calls to direct-dial business landlines fall under different rules with lighter consent requirements, but verify this with counsel for your specific use case.
What is the FCC's Reassigned Numbers Database and is using it mandatory?
The FCC's Reassigned Numbers Database, launched in 2021, lets callers check whether a phone number was reassigned after their consent date. Using it is not technically mandatory, but the FCC created a safe harbor only for callers who query it before dialing. Without that query, you have no safe harbor if you reach a reassigned number. Since the database costs about half a cent per query, skipping it is hard to justify on risk grounds.
Are ringless voicemail drops covered by the TCPA?
Ringless voicemail, which delivers a prerecorded audio message straight to voicemail without ringing the phone, is treated as a call under the TCPA by most courts and FCC guidance. The FCC has said calls that connect to voicemail are calls for TCPA purposes. Because a prerecorded message gets left, the prerecorded voice prohibition applies regardless of the ATDS definition. There is no ringless voicemail exemption, and assuming otherwise is a real compliance risk.
How do willful violations lead to $1,500 damages instead of $500?
Under 47 U.S.C. § 227(b)(3), courts may raise the $500 statutory award up to $1,500 if the defendant willfully or knowingly violated the TCPA. Courts have found willfulness from conduct like continuing calls after a cease-and-desist letter, ignoring internal compliance warnings, or running a campaign with no consent infrastructure at all. Willfulness does not require malicious intent. Reckless disregard for the statute's requirements is usually enough for a court to triple the damages.
What records should a company keep to defend a TCPA claim?
At minimum: consent records with timestamps and source URLs for each consented number, opt-out logs showing every DNC request received and the date honored, National DNC scrub receipts showing the scrub date and list version used, Reassigned Numbers Database query logs, dialer configuration records showing what system ran and how, and training records for staff who operate calling tools. Retain all of it for at least five years. In litigation, missing records are treated as evidence against you.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227 (TCPA full text): Statutory damages of $500 per violation, up to $1,500 for willful violations; ATDS and prerecorded voice prohibitions; private right of action
- U.S. District Court, N.D. Illinois, In re Capital One TCPA Litigation, No. 12-cv-10064 (2014 settlement): Capital One settled TCPA class action for $75.5 million covering autodialed calls to cell phones
- FTC, Dish Network LLC Settlement (2017), Case 3:09-cv-03073: Dish Network agreed to pay $61 million to resolve FTC and FCC claims involving illegal robocalls to DNC-registered numbers
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS requires random or sequential number generation to store or produce phone numbers; systems dialing from static lists are not ATDS under federal TCPA
- FCC, Reassigned Numbers Database (reassigned.us): FCC-operated database of disconnected/reassigned numbers; safe harbor for callers who query before dialing; approximately $0.005 per query
- FTC, Complying with the Telemarketing Sales Rule: Telemarketers must scrub calling lists against the National DNC Registry at least every 31 days
- FTC, National Do Not Call Registry: Consumers can register wireless and landline numbers on the National DNC Registry; registration covers both cell phones and residential lines
- U.S. Government Publishing Office, 28 U.S.C. § 1658 (catch-all federal limitations period): Four-year catch-all federal statute of limitations applicable to TCPA private causes of action in most circuits