Last updated 2026-07-10

TL;DR
When a TCPA demand letter arrives, preserve your call logs, consent records, DNC scrub history, opt-out records, and every communication with the consumer right away. Statutory damages under 47 U.S.C. § 227 run $500 to $1,500 per violation. The records you produce in the first 30 days often decide whether a case settles cheaply or grows into class litigation.
What is a TCPA demand letter and why does it land on your desk?
A TCPA demand letter is a pre-litigation notice, usually one to four pages, claiming your company called or texted the recipient without proper consent in violation of the Telephone Consumer Protection Act, 47 U.S.C. § 227 [1]. The writer is either a plaintiff's attorney fishing for a quick settlement or an individual who read about statutory damages and drafted it themselves. Either way, it is not a lawsuit yet. It can become one within days.
The letter names a phone number, a date range of contacts, and a damages demand. Plaintiffs' lawyers know statutory damages are $500 per negligent violation and $1,500 per willful violation under 47 U.S.C. § 227(b)(3) [1], so a demand for 40 calls at $1,500 each is a $60,000 opener before any class angle surfaces. That math is why these letters exist. They work.
Your first instinct will be to call your carrier and ask what happened. Resist that until you read this article. Disorganized responses, missing records, and accidental deletions are how a manageable demand turns into a six-figure settlement. The record-gathering phase, done right, is your entire defense.
What should you do in the first 48 hours after receiving the letter?
Stop all outbound contact with the complaining phone number immediately. This sounds obvious. But automated dialers sometimes keep running campaigns while lawyers are still reading the letter. One more call after you receive the demand is documented evidence of a willful violation, and that triples your per-call exposure.
Issue a litigation hold in writing to everyone who touches your call data: your dialer platform, your CRM admin, your data vendor, your IT team. A litigation hold is a formal instruction not to delete, overwrite, or alter any records that could be relevant to the claim [2]. Courts have sanctioned defendants for routine data purges that happened after a demand letter arrived, even when the deletion ran automatically on a schedule. The hold needs to cover call logs, SMS logs, consent records, opt-out logs, lead source files, and internal communications about the campaign.
Get outside counsel or a TCPA-experienced attorney on the phone the same day if the demand is above $10,000 or hints at class claims. Below that, some companies respond directly, but the risk is misrepresenting facts in writing and creating worse exposure. This article is not legal advice. It is a records checklist. An attorney tells you what to do with the records once you have them.
Which call and SMS records do you need to pull first?
Start with your outbound call detail records (CDRs) for the specific number in the letter, pulled for at least 12 months before the demand date. Most dialer platforms and carriers keep CDRs for 90 days to 18 months depending on contract terms, so move fast. You need: the originating caller ID, the destination number, call duration, call disposition (answered, voicemail, abandoned), timestamps in UTC, and the campaign or list ID that drove the call [3].
For SMS campaigns, pull the full message log for that number: outbound message content, timestamps, delivery receipts, and every inbound reply including STOP messages. The STOP message log matters most. If the consumer texted STOP and you kept messaging, that is almost certainly a willful violation.
Map the records to the exact dates in the letter. If it says "on or about March 4, 2024," pull everything within a 30-day window around that date. Plaintiff's attorneys sometimes have the date slightly wrong, and a narrow pull can miss the actual event.
For cold calling operations using an autodialer or prerecorded voice, also pull the dialer's campaign configuration at the time of the calls: which list was loaded, what calling mode was active (predictive, preview, power), and which suppression lists were applied.
What consent records specifically prove your defense?
Consent is the core of most TCPA defenses. The FCC's 2012 amended rules require prior express written consent for autodialed or prerecorded marketing calls and texts to cell phones [4]. Prior express written consent means a signed written agreement that clearly authorizes calls using an autodialer or prerecorded voice, and that discloses the consumer is not required to consent as a condition of purchase. A verbal okay or a checkout box that doesn't meet those requirements is not a defense.
For each call type, here is what you need:
| Call Type | Consent Standard | Records to Preserve |
|---|---|---|
| Autodialed or prerecorded marketing to cell | Prior express written consent | Signed consent form, timestamp, IP address, lead source URL |
| Autodialed or prerecorded informational (non-marketing) to cell | Prior express consent (oral or written) | Call recording, opt-in data, confirmation message |
| Live agent marketing to cell or residential landline | No autodialer = TCPA's ATDS rules don't apply; state laws may | Lead source, DNC scrub proof |
| Text message marketing | Prior express written consent | Opt-in keyword log, double opt-in confirmation, timestamp |
If your consent came through a third-party lead generator, you need that vendor's documentation too. The FCC's January 2024 one-to-one consent rule (effective January 27, 2025) tightened this: consent obtained through a comparison-shopping site or lead aggregator must now name your company specifically and cover only your category of goods or services [5]. Blanket affiliate consents no longer work. Pull the exact consent artifact the lead vendor gave you, the date you received it, and any contractual representations they made about how it was gathered.
Timestamps and IP addresses carry enormous weight. In litigation, plaintiffs regularly challenge consent records by demanding the server logs that match the opt-in timestamp. If you cannot produce IP address data and a page snapshot of what the opt-in form looked like on that date, courts have ruled the consent insufficient. Back up your web form configurations and any A/B test histories.
How do DNC scrub records help your defense?
Calling a number on the National Do Not Call Registry is a separate TCPA violation, one that does not even require an autodialer [1]. Pulling your DNC scrub history is non-optional. You need to show that you scrubbed the complaining number against the National DNC Registry before each campaign that touched it, and that the scrub used a list no older than 31 days, as required under 16 C.F.R. § 310.4(b)(1)(iii) [6].
For a deeper look at how the registry works and how to pull the right data, see our guide on the do not call list.
The records to preserve include: the scrub date, the vendor or tool used, the version of the DNC list current at that time, and ideally a file-level hash or download receipt proving what data you had. If you use a third-party scrub service, get their logs too.
Pull your internal suppression list, sometimes called your company-specific DNC list. Under the TCPA and the FTC's Telemarketing Sales Rule, if a consumer told your company to stop calling, you must honor that request for at least five years [6]. If the person who sent the demand letter ever said "stop calling me" to one of your agents and that number is not on your internal DNC, that is a serious problem. Check call recordings and CRM notes for any prior stop requests from this number.
For background on the do not call telemarketer list rules that apply to your type of outreach, that article walks through which exemptions do and don't hold up under scrutiny.
What internal communications should you preserve?
Preserve every internal email, Slack message, or text that discusses the campaign, the contact list, the consent strategy, or the phone number at issue. This feels uncomfortable, and it should. Internal communications are discoverable in civil litigation, and plaintiff's attorneys ask for them specifically to find evidence of willful non-compliance.
What you want to find and keep safe: records showing that someone on your team knew the TCPA rules and built the campaign around them. What you hope is not there: any message like "just keep dialing, the fines are cheaper than leads" or "skip the scrub this one time." If those messages exist, call counsel before you do anything else.
Preserve communications with your dialer vendor, your data vendor, and any marketing agencies involved. If a vendor made compliance representations that turned out to be false, that creates an indemnification angle. Those vendor contracts matter too. Pull them.
What campaign configuration records should you document?
The TCPA's autodialer provisions under 47 U.S.C. § 227(b)(1)(A) turn on whether you used an automatic telephone dialing system (ATDS) [1]. After the Supreme Court's April 2021 decision in Facebook v. Duguid, the definition of ATDS narrowed to systems that store or produce numbers using a random or sequential number generator [7]. That does not make campaign records irrelevant. You still need to show what system you used and how it picked numbers to call.
Preserve: your dialer software name and version at the time of the calls, whether the system ran in predictive or preview mode, how the call list was loaded (uploaded manually versus generated algorithmically), and any audit logs the platform keeps. If you use a cloud-based platform, request a data export immediately. Platforms sometimes purge inactive campaign data on 90-day cycles.
Document your caller ID configuration too. Spoofed or misleading caller IDs add a separate violation layer under the Truth in Caller ID Act, and the FCC has levied multi-million dollar fines for caller ID manipulation [8].
For companies running text message marketing alongside voice campaigns, preserve the SMS platform's logs separately. Text logs, opt-out keyword responses, and message content are all separate discovery items.
How long do you need to keep these records?
The TCPA's statute of limitations is four years under 28 U.S.C. § 1658, the general federal statute of limitations for civil actions [9]. A plaintiff can sue for calls made up to four years before they file. So your retention policy, going forward, should keep consent records, call logs, and scrub records for at least four years from the date of each campaign contact.
For the specific demand letter in front of you, keep everything until the dispute is fully resolved and any appeal period has passed. Do not delete records just because a demand settles. If a class is later certified that covers the same campaign, those records become relevant again.
Practically, this means: if your dialer platform auto-purges logs after 90 days, you need to export and archive those logs externally on a rolling basis, more than when a demand arrives. Many companies discover after getting a letter that key call records simply do not exist anymore. That is not automatically a legal disaster, but it limits your defense options and hands opposing counsel a narrative.
The FTC's Telemarketing Sales Rule at 16 C.F.R. § 310.5 requires telemarketers to keep records of consent and certain other materials for 24 months [6]. The TCPA itself sets no specific retention period, but four years tracks the lawsuit window.
What does a TCPA demand letter defense checklist look like in practice?
Here is a working checklist organized by urgency. Pull these in order.
Within 24 hours:
- Halt all outbound contact to the number in the demand
- Issue a written litigation hold to IT, dialer admin, CRM admin, data vendors
- Pull CDRs for the specific number, minimum 12 months back
- Pull SMS logs for the specific number, minimum 12 months back
- Pull opt-out/STOP logs for the specific number
Within 72 hours:
- Locate the consent artifact for this contact (opt-in form, timestamp, IP, lead source)
- Pull DNC scrub logs for every campaign that touched this number
- Pull your internal suppression list and check if this number appears
- Export campaign configuration records (dialer settings, list IDs, campaign dates)
- Preserve all relevant internal emails and Slack threads (delete nothing)
Within one week:
- Get third-party vendor documentation: lead vendor consent proof, scrub vendor logs
- Pull vendor contracts for indemnification language
- Review call recordings if applicable
- Document your caller ID configuration at the time of calls
- Assemble a chronological timeline of every contact with this number
If you want a structured template to organize all of this, the LeadCompliant compliance kit includes a TCPA demand response worksheet that maps each record type to the TCPA provision it addresses.
For a broader picture of how TCPA violations play out financially, see the settlement breakdowns in the cash app TCPA class action settlement and credit one TCPA settlement articles. Those show how missing records contributed to bad outcomes.
What records do plaintiffs most commonly use to prove TCPA violations?
Plaintiff's attorneys are experienced at discovery. They know which records to request and which gaps to exploit. Understanding what they hunt for tells you what to protect.
The items requested most often in TCPA litigation discovery include: your complete call detail records for the complaining number (they frequently subpoena these from your carrier anyway), your opt-out/suppression list to check whether the number was already on it, your training materials (to show whether agents were taught to honor do-not-call requests), your dialer contract (to establish what calling mode you paid for and used), and your lead vendor agreements.
Plaintiffs also request screenshots or archives of the opt-in web form to challenge consent adequacy. If your form didn't explicitly disclose autodialed calls or came pre-checked, that consent doesn't meet the FCC's standard [4]. They may also send a litigation hold letter to your dialer vendor directly, which is why issuing your own hold to vendors fast matters.
In class actions, which show up when the same campaign touched thousands of numbers, plaintiffs request lists of every phone number in the campaign, every call attempt, and the suppression list at the time of each call. The mobile phone do not call list article explains why cell numbers get special attention in these cases.
One thing to know: plaintiffs often have more records than you think. They may have screenshot notifications from apps like Robokiller or Nomorobo, recordings of your calls made on their end, and records of every call attempt their carrier logged. Producing records that contradict what the plaintiff already has is a fast path to a bad outcome.
Can the records you produce actually reduce what you owe?
Yes, meaningfully. A complete, organized, timestamped record package does several things at once. It signals to plaintiff's counsel that you have facts supporting a defense, which shifts their settlement math. It narrows the dispute to the specific calls where consent or scrub proof is genuinely absent, instead of letting the plaintiff define the scope.
Courts have reduced or eliminated statutory damages where defendants showed good-faith compliance efforts. In Soppet v. Enhanced Recovery Co., the Seventh Circuit addressed how a company's reliance on data from a creditor affected TCPA liability for calls to reassigned numbers [10]. The argument that you acted in good-faith reliance on a lead vendor's consent records is a real defense, but only if you can produce those records.
Statutory damages of $500 to $1,500 per call sound fixed, but courts have discretion on willfulness. A defendant who produces clean records, a proper opt-in chain, and documented DNC scrubs looks very different to a judge than one who cannot account for how the number ended up in the campaign. That gap is worth real money.
For individual demand letters (not class actions), many resolve between $500 and $5,000 if you have partial documentation and respond promptly. Demands that escalate to class filings against companies with missing records routinely settle in the hundreds of thousands. The credit one TCPA settlement shows how a large-scale record failure drives settlement size.
What recordkeeping practices prevent this problem next time?
Demand letters are a symptom. The disease is a compliance program that treats recordkeeping as optional. Here is what a minimal working system looks like.
For every campaign, before it launches: document the consent basis, the DNC scrub date and vendor, the list source, and the dialer configuration. Store this in a campaign-level compliance file that gets archived automatically. This takes maybe 20 minutes per campaign and cuts your demand-letter response time from two weeks to two days.
For consent records specifically: store opt-in data with timestamps and IP addresses in a system separate from your CRM, so a CRM purge or migration doesn't wipe it. Many companies use their CRM as the only consent repository and then find it doesn't retain historical form versions or IP data.
Set up a formal internal DNC list and a process for adding numbers to it within 30 days of any opt-out request. Under 47 C.F.R. § 64.1200(d)(3), you are required to maintain such a list and honor it for at least five years [3].
Test your data vendors. If a lead vendor claims consent was obtained under the FCC's one-to-one consent standard [5], require them to produce a sample of consent artifacts on request before you buy. Vendors who cannot produce them are not worth the liability they carry.
LeadCompliant's free consent and DNC checker tools at leadcompliant.com help you verify a number's status before dialing, a useful first-line screen while you build more formal compliance infrastructure.
Frequently asked questions
How long do I have to respond to a TCPA demand letter?
There is no statutory response deadline for a pre-litigation demand letter. Plaintiff's attorneys typically give 10 to 30 days before filing suit, though some file immediately after sending. Respond as fast as your records and counsel allow. Delays that permit continued calling to the complaining number, or that look like stalling, tend to harden the plaintiff's position and raise settlement demands.
What happens if my company deleted the records before the demand letter arrived?
If deletion was routine and pre-litigation, courts generally do not sanction it, but you lose the defense value of those records. If a litigation hold was in place and records were deleted anyway, courts can impose sanctions including adverse inference instructions, meaning the jury can assume the deleted records were bad for you. Document when and why records were deleted to establish good faith.
Do I need to preserve records from my lead vendor too?
Yes. If consent came through a third-party lead generator, you need their documentation of how and when consent was obtained, the specific language the consumer saw, and the timestamp. Under the FCC's January 2025 one-to-one consent rule, you also need to show that consent named your company specifically. Contact your vendor in writing immediately and request a records hold on all data related to the number in question.
Is a TCPA demand letter the same as a lawsuit?
No. A demand letter is a pre-litigation notice. No court is involved yet, and nothing is filed on record. It can become a lawsuit quickly, sometimes within days of the letter date, but until a complaint is filed in court, you have room to negotiate or produce records that resolve the dispute without litigation. Treat it seriously, but don't confuse it with a summons.
Can I ignore a TCPA demand letter?
Ignoring it is almost always the wrong move. Plaintiff's attorneys send demand letters because most recipients either settle or make a response that strengthens the plaintiff's case. No response typically results in a lawsuit being filed. A lawsuit triggers formal discovery, legal fees, and the risk of a default judgment if you fail to appear. Ignoring the letter does not make the claim go away.
What is prior express written consent under the TCPA and how do I prove I had it?
Prior express written consent under 47 U.S.C. § 227 and FCC rules means a signed written agreement clearly authorizing autodialed or prerecorded calls or texts. To prove it, you need: the opt-in record with the consumer's signature or electronic equivalent, the exact form language they agreed to, the timestamp, the IP address, and the URL of the page where consent was given. A CRM entry alone, without this supporting data, is not enough.
What if the calls were made by a third-party vendor on my behalf?
You can still be liable. The FCC and courts have consistently held that companies are vicariously liable for TCPA violations committed by their agents or vendors acting with apparent authority. Pull your vendor contract immediately and look for indemnification clauses. Request all records from the vendor under your contract's audit rights provision. Your counsel may be able to bring the vendor into the dispute as a co-defendant or indemnitor.
How does the Facebook v. Duguid Supreme Court decision affect my TCPA defense?
The Supreme Court's 2021 decision in Facebook, Inc. v. Duguid (141 S. Ct. 1163) narrowed the definition of an automatic telephone dialing system to equipment that uses a random or sequential number generator to store or produce numbers. If you called from a static uploaded list without such a generator, you may not face ATDS liability. This does not eliminate DNC or consent requirements, and many state laws apply independently of the ATDS definition.
Do text message violations follow the same rules as call violations?
Largely yes. Texts to cell phones using an autodialer or sent as part of a marketing campaign require prior express written consent under 47 U.S.C. § 227(b)(1)(A). The same $500 to $1,500 per-message statutory damages apply. Preserve SMS logs, opt-in records, STOP message logs, and message content. One difference: a STOP reply creates an immediate opt-out obligation, and any message sent after a STOP is almost certainly willful.
What records prove I honored a do-not-call request?
You need your internal suppression list showing the number was added, the date it was added, and ideally the source (call recording, CRM note, inbound STOP text, or written request). You also need records showing that list was loaded into your dialer before later campaigns ran, and that the call generating the demand did not occur after the opt-out was recorded. Gaps in that chain are hard to explain.
How much can a TCPA demand letter actually cost me if it goes to court?
Statutory damages are $500 per negligent violation and $1,500 per willful violation under 47 U.S.C. § 227(b)(3). A 50-call campaign to one plaintiff is $25,000 to $75,000 before legal fees. Class actions covering thousands of numbers have settled for millions. The Cash App TCPA class action settlement and similar cases show how quickly aggregate exposure compounds when recordkeeping gaps prevent a defense.
Should I call the person who sent the demand letter to work it out?
Only if your attorney advises it. Unsupervised calls to a represented plaintiff are ethically problematic and can produce statements that hurt your case. If the letter comes from a plaintiff's attorney, all communication should go through counsel. If it comes from an unrepresented individual, a carefully worded written response is safer than a call. Never admit liability or discuss specific call details without first reviewing your records.
What is a litigation hold and do I really need one for a demand letter?
A litigation hold is a formal written instruction to preserve all potentially relevant records once litigation is reasonably anticipated. Courts have held that a demand letter triggers this anticipation, so yes, you need one even before a lawsuit is filed. Send it in writing to your IT team, CRM admin, dialer vendor, and data providers. Document that you sent it. Courts can sanction defendants for spoliation that occurs after a hold should have been issued.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227, Telephone Consumer Protection Act: Statutory damages are $500 per violation and $1,500 per willful violation under 47 U.S.C. § 227(b)(3); the TCPA prohibits autodialed calls to cell phones without prior express written consent
- U.S. Courts, Federal Rules of Civil Procedure (Rule 37(e), Failure to Preserve ESI): Courts may sanction parties for failure to preserve electronically stored information when litigation was reasonably anticipated
- Government Publishing Office, 47 C.F.R. § 64.1200, Delivery Restrictions for Telephone Solicitations: Companies must maintain an internal do-not-call list and honor it for a minimum of five years under 47 C.F.R. § 64.1200(d)(3)
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: 16 C.F.R. § 310.4(b)(1)(iii) requires DNC scrubs against a list no older than 31 days; 16 C.F.R. § 310.5 requires retention of consent and related records for 24 months
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 141 S. Ct. 1163 (2021): The Supreme Court held in April 2021 that an ATDS must use a random or sequential number generator to store or produce numbers, narrowing the TCPA's autodialer definition
- U.S. Government Publishing Office, 28 U.S.C. § 1658, Statute of Limitations for Civil Actions: The general federal four-year statute of limitations under 28 U.S.C. § 1658 applies to TCPA civil claims
- U.S. Court of Appeals, Seventh Circuit, Soppet v. Enhanced Recovery Co., 679 F.3d 637 (7th Cir. 2012): The Seventh Circuit addressed reliance on accurate creditor data as a factor in TCPA liability analysis for calls to reassigned numbers
- Federal Trade Commission, National Do Not Call Registry: Telemarketers must scrub against the National DNC Registry and may not call numbers that have been registered for at least 31 days