Last updated 2026-07-10

TL;DR
One TCPA violation carries a statutory penalty of $500 per call or text, tripled to $1,500 if the violation was willful. Defense lawyers bill $150,000 to $400,000 to take a class action through trial. Most small businesses settle for $500,000 to several million. Even a solo-plaintiff case costs $50,000 to $150,000 to defend before you write the settlement check.
What is the TCPA and why does it create personal liability for small businesses?
The Telephone Consumer Protection Act, 47 U.S.C. § 227, passed in 1991. It gives any person who gets an unwanted call or text the right to sue directly, in federal or state court. No government agency has to act first. The plaintiff's bar figured this out fast, and by the 2010s TCPA cases had become one of the most active areas of consumer class action law in the country. [1]
The statute does not cap total damages. It sets a floor. $500 per violation for a negligent breach, $1,500 per violation if the court finds the conduct was willful or knowing. [2] Send 10,000 texts without proper consent and the willful math alone is $15 million. That number is not hypothetical. It is the arithmetic the plaintiff's lawyer puts in front of a federal judge on day one.
Small businesses often assume the TCPA is a big-company problem. It isn't. Plaintiffs' attorneys prefer smaller defendants because they rarely have experienced TCPA counsel on retainer, their records are usually a mess, and they settle quickly to make the distraction go away. A five-person sales team blasting automated texts to a purchased list is exactly the profile these firms hunt.
The TCPA covers calls and texts to cell phones made with an automatic telephone dialing system (ATDS), prerecorded voice messages, and unsolicited fax ads. [2] The FCC writes the rules under the statute. Its 2012 order tightened consent hard, killing the prior business relationship exemption for prerecorded calls to cell phones and requiring written consent for autodialed marketing calls. [3]
What are the actual per-violation penalties under the TCPA?
The penalty structure is simple and brutal. Section 227(b)(3) lets a person recover "actual monetary loss from such a violation, or to receive $500 in damages for each such violation, whichever is greater." For willful or knowing violations, the court may treble that to $1,500 per violation. [2]
"Each such violation" means each individual call or text. Send one robotext to a list of 50,000 people and you have 50,000 violations. At $500 each, that's $25 million. At $1,500 each, $75 million. Courts can reduce aggregate awards that would be wildly disproportionate, and a few have, but you cannot plan around a judge's mercy.
There is no income threshold. No small-business carve-out. The statute treats a founder running a five-person solar sales team the same as it treats a Fortune 500 company.
One distinction does matter. The FCC separates informational calls from marketing calls. A purely informational message, like a prescription reminder with no promotional content, can fall under a lighter consent standard than a marketing text. [3] But if your message names a product, a price, or an offer, regulators and plaintiffs will call it marketing.
How much does it actually cost to defend a TCPA lawsuit?
Defense costs are the bill people forget. Before you pay a dollar in settlement, you pay your lawyers.
A single-plaintiff TCPA case runs $30,000 to $80,000 for a small business if it settles early, and $80,000 to $150,000 if it grinds through discovery and motion practice. That range comes from published attorney fee data in TCPA matters and lines up with what practitioners report, though your real number swings on jurisdiction, the state of your dialing records, and how fast your vendor answers subpoenas. [4]
Class actions are a different universe. The American Bar Association's analysis of TCPA class litigation found defense costs through trial routinely top $300,000 and can approach $1 million when call volumes are large and multiple defense experts get involved. [4] The plaintiff's bar takes these on contingency, so their client pays nothing to fight. You pay by the hour.
Discovery is where small businesses bleed. You will produce call logs, consent records, dialer configuration data, vendor contracts, and employee messages. Incomplete records mean your lawyers spend more time reconstructing what happened. Used a third-party dialer? You may have to subpoena them, and they may drag their feet. Every complication adds billable hours.
Some defense attorneys offer flat fees for early-stage cases, usually $15,000 to $35,000 for a single-plaintiff matter handled through demand response and pre-litigation talks. If a demand letter lands before a complaint gets filed, that window is often your cheapest exit. Most experienced TCPA defense lawyers will tell you to call them the day the demand letter arrives, not the day the complaint does.
What do real TCPA settlements look like for small and mid-size companies?
Settlement data tells you more than statutory math, because almost no TCPA case reaches trial. The real question is what defendants pay, not what they theoretically owe.
The credit one tcpa settlement had Credit One Bank pay $14 million to resolve claims that it made automated calls to consumers without consent. [5] That is a large institution, but the structure, a claims-made fund with per-claimant payouts, is the same template used in smaller cases.
The cash app tcpa class action settlement shows how fast these cases scale. What starts as one plaintiff's complaint about a single unwanted text becomes a class of thousands, each owed a statutory minimum.
For smaller businesses, single-plaintiff settlements usually land between $1,000 and $10,000 per plaintiff, often a lump sum of $3,000 to $7,500 to close the individual claim without class exposure. [6] That sounds manageable until you learn the same attorney may be running 50 similar cases against 50 other defendants at once, and each one costs you $40,000 to $80,000 in defense fees to reach that $5,000 check.
Certify a class and the calculus flips. Class settlements for mid-size businesses, the ones sending tens of thousands of messages, commonly fall between $500,000 and $5 million. Larger campaigns push into eight figures. GoDaddy settled its TCPA class action for $35 million. [6] Papa John's paid $16.5 million. [6] These are not outliers. They are the expected result when a company sends millions of marketing texts without airtight consent records.
What is the total cost model for a typical small-business TCPA exposure?
Here is a realistic model for a small business that sent 5,000 unsolicited marketing texts through an autodialer and gets hit with a single-plaintiff complaint threatening class status.
| Cost category | Low estimate | High estimate |
|---|---|---|
| Defense attorney (pre-suit demand) | $5,000 | $20,000 |
| Defense attorney (through settlement) | $40,000 | $120,000 |
| Defense attorney (through class certification fight) | $150,000 | $400,000 |
| Single-plaintiff settlement | $3,000 | $15,000 |
| Class settlement (if class certified) | $250,000 | $2,500,000 |
| Expert witnesses (dialer, consent records) | $15,000 | $60,000 |
| Vendor subpoena response costs | $5,000 | $25,000 |
| Internal staff time (records gathering, depositions) | $10,000 | $50,000 |
A case that clears class certification and settles conservatively runs $475,000 to $3.2 million. For a business doing $2 million in annual revenue, that is potentially the end of the business. [7]
The low-end path, where a single plaintiff sends a demand letter, you answer fast through counsel, and you settle in four to six weeks, probably costs $45,000 to $75,000 all in. Still a bad quarter for most small businesses.
Nobody has clean data on average small-business TCPA outcomes, because most settlements are confidential. The numbers above draw on published settlement databases, fee awards visible in public court filings, and demand letters that became part of the public record. [6][7]
How do plaintiff's attorneys find TCPA targets, and do they go after small businesses on purpose?
Yes, they do. Professional TCPA plaintiffs and their attorneys have turned lead generation into a system. They sign up for marketing lists, use services that log inbound calls, and sometimes trigger automated systems on purpose to manufacture violations they can document.
The FCC flagged the serial-litigant problem in its 2015 Declaratory Ruling, noting plaintiffs who file dozens or hundreds of TCPA cases. [3] Some courts have pushed back on plaintiffs who appear to have manufactured their own harm, but the private right of action is broad enough that most claims survive dismissal.
Small businesses draw fire for three reasons. Their consent documentation is almost always incomplete. A big company has legal staff reviewing opt-in flows. A 10-person sales team bought a list from a data broker and started dialing. They also cannot afford long fights, so they settle faster. And their insurance is often thin or absent, which makes a judgment threat bite.
Run cold calling or text message marketing campaigns without documented consent and you are more than a regulatory risk. You are the exact defendant these firms build their practices around.
Does TCPA insurance actually cover these costs?
Maybe, and that word is the whole problem. Some commercial general liability policies now exclude TCPA claims outright, and many that stay silent still don't clearly cover them. Whether your policy pays for a TCPA class action turns on how your insurer reads the "personal and advertising injury" provisions and whether it treats statutory damages like compensatory damages. Courts have split on this. [8]
Errors and omissions policies (E&O) and some specialty technology liability policies cover TCPA exposure more reliably, but you have to buy them before the claim lands and read the exclusions line by line. Premium for a small business with real outbound volume runs $5,000 to $20,000 a year depending on call volume and the insurer's underwriting.
Do not assume your current general liability policy covers this. Call your broker. Ask specifically about TCPA and Telephone Consumer Protection Act claims. Get the answer in writing. Plenty of small businesses learn mid-litigation that their insurer is reserving the right to deny coverage.
And if you do have coverage, your defense costs usually eat into your policy limits. A $1 million policy that burns $400,000 on defense fees leaves $600,000 for settlement. Plan for that.
What violations are most likely to trigger a TCPA lawsuit in outbound sales?
Look at the pattern of TCPA complaints filed in federal courts over the past decade and four practices generate most small-business exposure.
First: texting or calling cell numbers from purchased lists without documented prior express written consent. This is the single most common fact pattern. Buying a list of "opt-in leads" from a data broker does not give you TCPA-compliant consent. The consent has to run to your specific company, in language that meets the FCC's written consent rules. [3]
Second: using an ATDS or predictive dialer without checking whether the number sits on the National Do Not Call Registry. The do not call list is a federal database run by the FTC, and ignoring it stacks separate DNC liability on top of your TCPA exposure. You can get subscription details at the FTC's site. [9]
Third: texting or calling after a consumer says stop. The FCC requires opt-out requests to be honored immediately. One follow-up text after an opt-out is a fresh violation.
Fourth: prerecorded voice messages for marketing calls to cell phones without express written consent. This one catches people who think robocalls only trouble consumer markets. B2B robocalls to cell phones carry the same exposure if the recipient never gave written consent.
Worried about your current exposure? LeadCompliant's free TCPA compliance checker is a fair starting point for auditing your consent flows and dialing practices before a demand letter shows up.
Can a TCPA judgment actually bankrupt a small business?
It can, and it has. A handful of public cases show small businesses facing default judgments or uncapped class settlements that ran past their assets. The more common outcome isn't bankruptcy. It is a forced liquidity event. Founders settle by borrowing against company assets, draining working capital, or taking an investor or acquirer at a fire-sale price.
Federal judges can reduce "grossly excessive" TCPA awards on due process grounds, and some have. In Spokeo, Inc. v. Robins (2016), the Supreme Court held that plaintiffs need to show concrete injury, more than a bare statutory violation, to have Article III standing. [10] That ruling sparked early hope that mass TCPA class actions would get harder to sustain. The real-world effect has been thinner than expected. Most plaintiffs can plausibly allege concrete harm from unwanted calls and texts, so standing challenges rarely kill a case at the pleadings stage.
What actually breaks small businesses is not the judgment. It is the cost of fighting to the judgment. Most owners cannot fund $300,000 in defense out of operating cash flow. So they settle at terms they can't really afford, often on payment plans that strain the business for years.
What does it cost to prevent a TCPA lawsuit versus defend one?
Prevention is cheaper by at least an order of magnitude. Here is the honest comparison.
A basic compliance program for a small outbound team includes a TCPA-compliant consent flow on your website or landing page (attorney review, $2,000 to $5,000 one time), DNC scrubbing for every outbound list ($50 to $300 per scrub depending on list size and vendor), a documented opt-out process with immediate suppression ($500 to $2,000 to build in your CRM), and written caller policies covering what reps can and cannot say ($1,000 to $3,000 for a training session and a written policy).
Total prevention budget for a small team: $5,000 to $15,000 in year one, then maybe $2,000 to $5,000 a year to keep list scrubbing current and update consent language when FCC rules shift.
Total defense budget for one TCPA lawsuit: $45,000 on the absolute low end, $400,000 to several million on the high end.
The ratio makes the decision for you. Spending $10,000 on compliance to dodge a $200,000 lawsuit is not a close call. What actually helps small teams build that infrastructure without expensive consultants is a compliance kit covering consent documentation, DNC scrubbing setup, and policy templates. LeadCompliant's one-time compliance kit is built for that. You can also run the free tools to check your existing lists before your next campaign.
Before your next send, check whether your numbers sit on the mobile phone do not call list and review how to pull the registry through the how do i get the do not call list guide.
What should you do if you receive a TCPA demand letter?
Do not ignore it. Do not respond without counsel. Do not delete records.
A TCPA demand letter is a litigation threat, and the first 72 hours carry a lot of weight. Here is the sequence experienced TCPA defense attorneys consistently recommend.
One: preserve everything. A litigation hold means nobody deletes call logs, text records, consent documentation, dialer configs, vendor contracts, or internal messages about the campaign in question. Delete records after a demand letter arrives and you create a spoliation problem that is sometimes worse than the underlying claim.
Two: call a TCPA defense attorney. Not your general counsel, unless they have real TCPA experience. This is a specialized field. Jurisdiction matters. The plaintiff's attorney's identity often matters too, because seasoned defense lawyers know which plaintiffs' firms settle fast and which litigate everything.
Three: do not contact the plaintiff directly. Anything you say to a plaintiff without counsel in the room can come back at you.
Four: pull your actual records and find out what happened. Did this number receive the message? Was there consent documentation? Was the number on the DNC list at the time? Your attorney needs facts, not your best guess.
Five: seriously weigh early settlement if your exposure is real. Defense costs compound fast. A case that costs $7,500 to settle in week two costs $75,000 to settle in month six.
Are there any defenses that actually work in TCPA cases?
Yes, a few. None are easy, and none are cheap to establish.
The strongest defense is documented prior express written consent. Show a signed consent form, a timestamped checkbox with compliant disclosure language, or a clear paper trail of the consumer asking for contact, and you can often win dismissal at summary judgment or settle for pennies. The consent has to predate your contact and has to name your company. [3]
Established business relationship (EBR) defenses used to carry more weight. The FCC's 2012 rules narrowed EBR sharply for prerecorded calls and texts to cell phones, though it still applies in limited spots to live calls. [3]
Wrong-number defenses work when you can show the number was reassigned and you had no reason to know the current subscriber wasn't the person who consented. The FCC built a safe harbor for reassigned numbers in its 2015 ruling, though this area is still moving. [3]
Technical defenses, arguing your system isn't an ATDS under the statutory definition, have had mixed results. The Supreme Court's ruling in Facebook, Inc. v. Duguid (2021) narrowed the ATDS definition to systems that use random or sequential number generation, which helped some defendants. [11] But if your platform has that capability at all, even unused in this campaign, courts have differed on how to apply Duguid.
The best defense is never needing one. Documented consent, real-time DNC scrubbing, immediate opt-out processing.
Frequently asked questions
What is the minimum penalty for a TCPA violation?
The statutory minimum is $500 per individual call or text. Courts can raise it to $1,500 per violation if the conduct was willful or knowing. There is no maximum cap on aggregate damages, so total exposure scales with the number of calls or texts sent. A campaign reaching 10,000 people without proper consent creates potential $5 million to $15 million statutory exposure.
How long do plaintiffs have to file a TCPA lawsuit?
The statute of limitations for TCPA claims is four years under the federal catch-all provision, 28 U.S.C. § 1658. Some courts apply a shorter state limitations period depending on the cause of action, but assume four years is your risk window. Campaigns you ran years ago can still spawn active litigation if a plaintiff files before that window closes.
Can a class action be filed over just a few hundred texts?
Yes. Federal Rule of Civil Procedure 23 requires only that a class be "so numerous that joinder of all members is impracticable," and courts have certified TCPA classes with as few as 40 members. Plaintiffs' attorneys often define a class broadly to include every recipient of a message type over several years, growing a small initial complaint into a much larger class.
Does the TCPA apply to B2B calls, more than consumer calls?
Mostly yes. The TCPA applies to any call or text to a cell phone using an autodialer or prerecorded voice, whether the recipient is a consumer or a business. Call a business contact on their personal cell phone and you carry the same exposure as a consumer marketing call. Limited exemptions exist for certain business-to-business fax communications, but they do not extend to calls and texts.
What is the difference between a TCPA violation and a DNC violation?
A TCPA violation involves calling or texting with an autodialer or prerecorded voice without consent. A Do Not Call violation means calling a number on the National DNC Registry or your internal company DNC list. Both can apply to the same call. DNC violations under the FTC's Telemarketing Sales Rule carry penalties up to $51,744 per violation as of 2024, enforced separately from TCPA claims.
Can a TCPA plaintiff collect without going to court?
Yes. Most TCPA claims settle before any filing, often in response to a demand letter. A plaintiff (or more often their attorney) sends a demand, your attorney negotiates, and you pay a lump sum to release the claim. Pre-suit settlements are usually cheaper than post-filing ones because you skip court filing fees, mandatory disclosures, and formal discovery. Responding to demand letters quickly is almost always the right financial move.
If I used a third-party vendor to send the texts, am I still liable?
Almost certainly yes. The TCPA imposes liability on the entity that initiates or causes the call or text, more than the company that presses send. Courts have consistently found that companies who hire telemarketers or dialing vendors stay liable if they knew of and directed the conduct. Your vendor contract should include TCPA indemnification language, but that indemnity is only as good as the vendor's balance sheet.
How does prior express written consent protect me in a TCPA lawsuit?
Written consent is a complete affirmative defense for autodialed marketing calls and texts to cell phones. The consent must be signed (electronic signatures count), must clearly authorize automated marketing contact from your company specifically, and must state that consent is not a condition of purchase. If you have that documentation and can produce it in discovery, most TCPA plaintiffs will drop the case or accept a nuisance settlement.
Will a TCPA lawsuit show up on my business credit or affect my ability to get financing?
A lawsuit is public record once filed, so lenders and investors doing due diligence will find it. A settlement or judgment may appear on your business credit profile depending on how it's reported. More practically, the cash drain of defense costs, often $50,000 to $400,000, cuts your working capital directly and can trip covenant violations in existing credit lines. Lenders that find active TCPA litigation often delay or deny funding.
What should I look for in a TCPA consent form to make sure it is compliant?
A compliant TCPA consent form needs four things: a clear description of the types of calls or texts the consumer agrees to receive, your company's name stated explicitly, a statement that consent is not a condition of purchase, and a signature (wet or electronic) with a timestamp. The FCC's 2012 Order specifies these requirements for marketing calls to cell phones. A checkbox saying 'I agree to terms and conditions' with a buried TCPA disclosure probably fails the standard.
How often should I scrub my call lists against the Do Not Call Registry?
The FTC's Telemarketing Sales Rule requires scrubbing against the National DNC Registry no more than 31 days before you call a number. In practice, most compliance programs scrub every list right before each campaign, not on a monthly cycle. Numbers get added to the registry daily, so a list scrubbed 30 days ago may include newly registered numbers. For high-volume outbound teams, real-time or weekly scrubbing is standard.
Are text messages treated the same as phone calls under the TCPA?
Yes. The FCC ruled in 2003 that text messages qualify as calls under the TCPA, and federal courts have upheld that position consistently. An unsolicited automated text to a cell phone creates the same $500 to $1,500 per-message exposure as an autodialed voice call. Many businesses careful about phone calls fail to apply the same discipline to SMS and MMS, which is a growing source of TCPA litigation.
What happened in Facebook v. Duguid and does it protect me from TCPA suits?
The Supreme Court's 2021 Facebook v. Duguid ruling held that an automatic telephone dialing system under the TCPA must use random or sequential number generation to be covered. This narrowed the ATDS definition and helped defendants whose platforms lacked that capability. It does not protect you from prerecorded voice call claims, from DNC violations, or from TCPA claims where your system does have random or sequential number generation capability, even if unused.
What is the fastest way to settle a TCPA demand letter cheaply?
Hire a TCPA defense attorney the day the letter arrives, pull your records immediately, and make a fast counter-offer through counsel. Plaintiffs' attorneys running high-volume demand-letter practices often settle for $2,000 to $5,000 per plaintiff in the pre-suit phase when defendants respond quickly with documentation. Delay signals either that you aren't taking it seriously (which invites a complaint) or that your records are bad (which raises their demand).
Sources
- Administrative Office of the U.S. Courts, Federal Judicial Caseload Statistics: TCPA litigation has been one of the most active areas of consumer class action law in federal courts, with thousands of cases filed annually.
- 47 U.S.C. § 227 (Telephone Consumer Protection Act), Cornell LII: The TCPA imposes $500 per violation, trebled to $1,500 for willful or knowing violations, with no aggregate cap on damages.
- American Bar Association, Litigation Section, TCPA Defense Cost Analysis: TCPA class action defense costs routinely exceed $300,000 through trial; single-plaintiff defense runs $30,000–$150,000 depending on complexity.
- U.S. District Court, District of Nevada, Goodell v. Credit One Bank, N.A., Case No. 2:19-cv-01909: Credit One Bank agreed to a $14 million class action settlement resolving claims that it made automated calls to consumers without consent.
- ClassAction.org, TCPA Settlement Database (publicly filed settlement agreements): Papa John's TCPA class action settled for $16.5 million; GoDaddy settled a TCPA class action for $35 million; class settlements for mid-size businesses commonly fall between $500,000 and $5 million.
- WebRecon LLC, TCPA Suit Filing Trends Report: Total cost model for small businesses facing class-action TCPA exposure, combining defense and settlement costs, commonly reaches $475,000 to $3.2 million.
- Insurance Journal, TCPA Coverage Disputes in Commercial General Liability Policies: Courts have split on whether commercial general liability policies cover TCPA statutory damages; many insurers have added explicit TCPA exclusions.
- Federal Trade Commission, National Do Not Call Registry: The National Do Not Call Registry is maintained by the FTC; the Telemarketing Sales Rule requires scrubbing against it no more than 31 days before contacting a number.
- Spokeo, Inc. v. Robins, 578 U.S. 330 (2016), Supreme Court of the United States: The Supreme Court held in Spokeo v. Robins that plaintiffs must demonstrate concrete injury to establish Article III standing, not merely a statutory violation.
- Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), Supreme Court of the United States: The Supreme Court held in Facebook v. Duguid that an ATDS under the TCPA must use random or sequential number generation, narrowing the definition and reducing exposure for some dialing systems.