Last updated 2026-07-09

TL;DR
California stacks at least four legal frameworks on top of federal TCPA: the CCPA/CPRA data rights law, the Rosenthal Fair Debt Collection Practices Act, California Public Utilities Commission telemarketing rules, and California's own harassment and recording statutes (Penal Code 632 and 653m). Each adds consent, disclosure, or timing rules. Break any one and you face per-call damages separate from any TCPA claim.
Why does California have its own calling rules on top of TCPA?
Federal TCPA is a floor, not a ceiling. Congress said so in 47 U.S.C. 227(f)(1), which lets states impose "more restrictive intrastate requirements or regulations on persons or entities." California has run with that for decades.
The state layers four frameworks on top of federal law that matter to outbound sales teams: the California Consumer Privacy Act (as amended by CPRA), the Rosenthal Fair Debt Collection Practices Act, California Public Utilities Commission General Order 168, and California's recording and harassment statutes in the Penal Code. Each was written for a different reason, so they do not line up cleanly. That gap is your compliance problem.
Dial into California and your work is not done after you check the federal do not call list and confirm TCPA consent. You need a separate California pass every time you build a campaign.
This article is a reference, not legal advice. Talk to a licensed California attorney before you set policy based on any of it.
What calling hours does California law require beyond federal rules?
California is stricter than TCPA on both ends of the day. Federal TCPA allows telemarketing calls from 8 a.m. to 9 p.m. local time at the called party's location [1]. California Business and Professions Code Section 17592 shrinks that window for phone solicitors to 9 a.m. through 8 p.m. Pacific on weekdays, and 10 a.m. through 8 p.m. on weekends [2].
Here is the trap. Federal law uses the called party's local time, so a team in Florida can dial a California consumer at 8 a.m. Eastern (5 a.m. Pacific), comply with TCPA, and break California law in the same second.
Debt collectors under the Rosenthal Act follow the federal FDCPA hours instead: 8 a.m. through 9 p.m. local time at the debtor's location [3]. So the Rosenthal window runs wider than the B&P Code window for general solicitors. Know which bucket your call sits in before you set the schedule.
Program your dialer to hard-stop at 8 p.m. Pacific and hold until 9 a.m. Pacific on weekdays for sales calls into California. Those two numbers differ from the federal floor and from the Rosenthal floor, and mixing them up is how teams get burned.
How does CCPA/CPRA affect outbound calling campaigns?
CCPA is a data privacy law, not a calling law, but it reaches outbound teams in two direct ways. The Act took effect in 2020, and the CPRA amendments took effect in 2023.
First, buy or rent a lead list of California residents and those consumers have the right to know their data was sold and the right to opt out of that sale [4]. If someone's data was sold without a working opt-out mechanism, and they later opt out and ask for deletion, you have to stop calling and scrub the record. Keep dialing after a deletion request and you have a CCPA violation, plus a possible TCPA problem depending on your consent status.
Second, CCPA defines "personal information" broadly enough to cover phone numbers, and it reaches the "sharing" of data for cross-context behavioral advertising, not only outright sales [4]. Some lead generation deals that do not look like sales are still on the hook.
The California Privacy Protection Agency (CPPA) enforces CCPA/CPRA. It can fine up to $2,500 per unintentional violation and $7,500 per intentional one [4]. There is no private right of action for most CCPA claims (the private right covers data breaches only), but the agency runs enforcement actions and has said it is looking hard at lead generation data flows from 2024 forward.
Building a consent and data flow for California leads means keeping a data inventory. Your cold calling program needs to map where each phone number came from, whether a sale or share happened, and whether an opt-out has landed.
What is the Rosenthal Act and who does it cover?
The Rosenthal Fair Debt Collection Practices Act, California Civil Code 1788 et seq., mirrors the federal FDCPA but reaches further: it covers original creditors collecting their own debts, not only third-party collectors [3]. Under federal FDCPA, a business collecting a debt it originated (say, a gym chasing a past-due membership) is exempt. Rosenthal strips that exemption for California debtors.
On calling, Rosenthal bars collectors from calling to annoy, calling repeatedly to harass, or using obscene language. It tracks the FDCPA's call-frequency and communication rules. Violations run to actual damages plus statutory damages up to $1,000 per case, plus attorney fees [3].
That attorney fees clause is the whole game. It is what makes California collection call cases worth filing even when actual damages are tiny. One badly timed call to a California debtor by an original creditor can spin up a case where legal fees dwarf the underlying claim.
Rosenthal gets enforced two ways: by the California Department of Financial Protection and Innovation (DFPI) and through private lawsuits [9]. Collect any consumer debt and call California residents, and you need Rosenthal-compliant scripts and frequency limits, more than FDCPA-compliant ones.
What does California Penal Code 653m add for auto-dialed or recorded calls?
California Penal Code 653m makes it a misdemeanor to call or send electronic messages with intent to annoy or harass [5]. That reads like a criminal law for bad actors, and mostly it is. But it bites outbound teams too: an aggressive cadence (several calls a day after someone asks you to stop) can cross into 653m territory. The maximum fine is $1,000.
The bigger issue for most teams is recording. California Penal Code 632 governs recording phone conversations, and California is an all-party consent state [6]. Record a call with a California consumer and you need their consent before recording starts. A clear, audible disclosure at the top of the call handles it, as long as it happens before any real conversation. Plenty of teams play a quick recorded disclosure, then connect the agent. That works if the consumer can actually hear it. Teams get burned when the routing plays the disclosure while the consumer is already talking over it.
The criminal penalty under Penal Code 632 runs to a fine up to $5,000 per violation and possible jail time [6]. Civil exposure is the greater of $5,000 or three times actual damages, per violation. Per call. A single campaign that recorded 10,000 California calls without a proper consent disclosure would face theoretical exposure in the tens of millions, which is exactly why this one settles fast once someone finds it.
What are the California PUC telemarketing rules that most teams miss?
California Public Utilities Commission General Order 168 governs telephone solicitation by entities under PUC jurisdiction, mainly carriers and certain service providers [7]. Most pure sales shops are not PUC-regulated, so this one does not touch every outbound team.
But if you are a telecommunications company, a phone service reseller, or a utility calling California consumers for marketing, GO 168 layers its own disclosure and do-not-call rules on top of everything above. The PUC also maintains a California do-not-call framework separate from the national registry [7].
Even teams outside PUC jurisdiction should know California's own do-not-call obligations exist under Business and Professions Code 17592. The national DNC registry does not substitute for a state-required scrub if state law calls for one independently. Many compliance teams run the national list and miss the state piece entirely.
Check the current process through the state's registered telemarketer framework and the CPUC's published guidance. Our do not call telemarketer list resource covers federal DNC mechanics in detail. California adds a separate state filing requirement for telephone solicitors working into the state.
Does California's Business and Professions Code Section 17592 require special disclosures?
Yes. B&P 17592 is California's main telephone solicitation statute for non-collection outbound calls [2]. It requires phone solicitors to do three things at the start of every solicitation call, before any pitch: state their name, state the name of the business they are calling for, and state the purpose of the call.
The statute also says any solicitor who gets a do-not-call request has to honor it and keep it on an internal do-not-call list for at least five years [2]. Federal rules give you 10 business days to honor a DNC request and require a five-year record too. The safe move is to comply with whichever is more protective, which in practice means scrubbing the California request inside the federal 10-business-day window since that clock is shorter.
Here is the part that scares defense counsel. Violations of B&P 17592 can be prosecuted as unfair business practices under B&P 17200, which lets the California Attorney General and private plaintiffs seek injunctions and restitution [11]. There is no cap on restitution under 17200. That missing cap is what makes it a favorite vehicle for class actions.
How do California calling rules interact with TCPA consent requirements?
Picture two circles. TCPA consent is one, California consent is the other. You have to sit inside both.
TCPA turns on whether you have prior express written consent to call a cell phone with an autodialer or a prerecorded voice [1]. That consent has to authorize calls from your specific company (or a clearly named class of companies) for a specific purpose. The FCC has moved toward one-to-one consent, and its one-to-one consent rule, which took effect January 27, 2025, tightened this by requiring consent to name the specific seller and to relate logically to the consumer's request [8].
California's CCPA/CPRA runs a separate consent track for the data itself. Even with valid prior express written consent to call, if the number came from an aggregator that never disclosed the sale of that data under CCPA, the consumer can later opt out and demand deletion. Keep calling and you are dialing someone whose data should be gone, which is CCPA exposure even when your TCPA consent was airtight.
So vet your lead sources. Ask every list vendor and lead gen partner for their CCPA compliance documentation. If they cannot produce it, that risk is now yours. One free resource: the LeadCompliant compliance kit includes a vendor questionnaire you can send to lead sources to document their CCPA data handling before you buy.
Recorded calls sit outside all of this. California's all-party consent rule under Penal Code 632 is its own obligation and does not overlap with TCPA at all. You can hold perfect TCPA consent to call and still break 632 by recording without disclosure.
What are the actual penalties for violating California calling laws?
Here is the honest picture, law by law.
| Law | Per-violation exposure | Who can sue |
|---|---|---|
| TCPA (federal baseline) | $500 (negligent) to $1,500 (willful) per call [1] | Private plaintiff, FCC |
| B&P 17592 / 17200 | Injunction + restitution, no per-call cap [11] | AG, private plaintiff |
| Rosenthal Act | Up to $1,000 statutory + actual damages + attorney fees [3] | Private plaintiff |
| CCPA/CPRA | $2,500 (unintentional) to $7,500 (intentional) per violation [4] | CPPA |
| Penal Code 632 | $5,000 or 3x actual damages per recorded call [6] | Private plaintiff |
| Penal Code 653m | Up to $1,000 fine + misdemeanor [5] | Criminal prosecution |
The real danger is stacking. One recorded robocall to a California cell without proper consent can break TCPA ($1,500), Penal Code 632 ($5,000), and B&P 17592 at once. Three violations, one call. That math is why California is the most expensive state to get wrong.
Look at the cash app tcpa class action settlement and the credit one tcpa settlement for real examples of federal TCPA exposure in practice. California exposure can run past those figures once state claims stack on top.
What does a California-compliant outbound call process actually look like?
Walk one outbound sales call to a California cell number end to end. Here is what compliance takes.
Before the call: confirm the number is off the national DNC registry (how to get the DNC list is covered in detail here) and off your internal California DNC list. Confirm prior express written consent if you are using an autodialer or a prerecorded message. Confirm the lead source has CCPA-compliant data documentation. Confirm the clock reads between 9 a.m. and 8 p.m. Pacific on a weekday, or 10 a.m. and 8 p.m. on a weekend.
At the start of the call: your agent (or a recorded disclosure) states their name, the company name, and the purpose of the call before anything else. If you are recording, the recording disclosure has to be audible and finished before any real conversation starts.
During the call: if the consumer asks to go on your do-not-call list, log the request with a timestamp. Scrub them from future campaigns inside 10 business days and keep the record for five years.
After the call: SMS follow-up needs separate text message marketing consent. Phone consent does not carry over to texting on its own.
High volume into California? The LeadCompliant free TCPA checker and compliance kit include California-specific workflow templates you can adapt to your dialing process.
For mobile phone do not call list scrubbing on cell numbers, add one more layer. Wireless numbers carry TCPA consent requirements that landlines do not, so your scrub has to tell the two apart.
Do B2B calls into California face the same restrictions?
Mostly no. Not entirely. TCPA's written consent rules apply to cell phone calls whether the person is a business or a consumer. If your B2B prospect uses a cell as their main line (most people do now), you run the same TCPA consent analysis you would for a consumer.
California B&P 17592 covers "telephone solicitors" making "telephone solicitations," defined as calls to consumers for the sale of consumer goods or services. A genuine business-to-business call for a commercial product or service is not a consumer solicitation, so B&P 17592 generally does not reach it [2].
Rosenthal covers consumer debt only, so B2B collection falls back under federal FDCPA.
CCPA applies to consumers defined as California residents. An employee who answers a business line is still a California resident. Their personal data rights under CCPA can apply even to a nominally B2B call, depending on how you sourced the contact. This one is unsettled: the CPPA has not issued firm guidance on B2B lead data, and the safe read is that identifiable individual data on a California resident should be treated as potentially CCPA-covered.
Penal Code 632 covers all recorded calls, business or consumer, with no B2B carve-out.
The honest summary: B2B into California is lighter than B2C, but it is not a free zone.
What should small outbound teams prioritize to stay compliant in California?
You run a 10-person sales team and cannot do everything at once. Here is the order, based on where enforcement and litigation actually land.
First, fix your calling hours. It costs nothing, and a single call outside the California window is easy for a plaintiff to prove. Hard-code 9 a.m. to 8 p.m. Pacific weekdays, 10 a.m. to 8 p.m. weekends into the dialer.
Second, fix your recording disclosure. One clean disclosure line at the top of every call, before the agent says anything real. This is a Penal Code 632 requirement with $5,000 per-call exposure. It is easy to audit and easy to fix.
Third, audit your lead sources for CCPA compliance. Ask every vendor for their data handling documentation before you buy another list. This is the slow, unglamorous part, and it is where liability builds fastest as CPPA enforcement ramps up.
Fourth, keep a California DNC list separate from your federal scrub. When a California consumer says stop, log the date, scrub inside 10 business days, and keep the record for five years.
Fifth, if you are an original creditor collecting into California, read the Rosenthal Act. It is short, and its obligations track FDCPA closely. The trap is assuming FDCPA compliance covers you.
For a cold call program spanning multiple states, California is the one place a TCPA-only posture will cost you real money.
Frequently asked questions
Does California have its own Do Not Call list separate from the national registry?
Yes. California Business and Professions Code 17592 and the California PUC framework both reference California-specific do-not-call obligations. The national DNC registry covers most residential lines, but California-registered telephone solicitors face additional state filing and scrubbing duties. Run both scrubs. Relying on the federal DNC list alone is not a complete defense to a California B&P 17592 claim.
Can a California consumer sue me directly for violating B&P 17592?
Not directly under 17592, but California Business and Professions Code 17200 (the Unfair Competition Law) lets private plaintiffs sue for any violation of another law, including 17592. Plaintiffs can seek injunctive relief and restitution under 17200. Paired with attorney fee provisions in related statutes, that makes private litigation over California calling violations worth filing even on small actual damages.
Does CCPA require me to stop calling someone if they submit a deletion request?
Yes, in practice. A CCPA deletion request requires you to delete the consumer's personal information, and that includes their phone number. Honor the deletion request and keep calling, and you have either re-sourced the number (a fresh data compliance question) or violated the deletion request. The safe path is to treat a CCPA deletion request like a do-not-call request and scrub the number from every outbound campaign.
Is California a two-party consent state for recorded calls?
Yes. California Penal Code 632 requires all parties to a phone conversation to consent before recording. A clear, audible disclosure at the start of the call satisfies it. The civil penalty is the greater of $5,000 or three times actual damages per violation. There is no B2B exemption. Record any call with a California participant without the disclosure and you face per-call exposure, sales, service, or collection alike.
What calling hours apply to outbound sales calls in California?
California Business and Professions Code 17592 limits telephone solicitation to 9 a.m. through 8 p.m. on weekdays and 10 a.m. through 8 p.m. on Saturdays and Sundays, Pacific time. That is tighter than the federal TCPA window of 8 a.m. to 9 p.m. local time. For debt collection under the Rosenthal Act, the window matches the federal FDCPA: 8 a.m. to 9 p.m. local time.
Does the Rosenthal Act cover original creditors, more than debt collectors?
Yes, and this is the sharpest split from federal FDCPA. California Civil Code 1788 et seq. extends Rosenthal Act obligations to original creditors collecting their own consumer debts. Under federal FDCPA, original creditors are largely exempt. In California, a gym, medical practice, or SaaS company chasing past-due accounts from California consumers has to comply with Rosenthal's call timing, frequency, and harassment prohibitions.
How does the FCC's 2024 one-to-one consent rule affect California campaigns?
The FCC's one-to-one consent rule, effective January 27, 2025, requires prior express written consent to name the specific seller and relate to the consumer's request. That tightens the federal baseline California campaigns already had to meet. California campaigns must satisfy both the new FCC rule and California's own CCPA consent and data-handling requirements. Shared or co-registered consent forms that bundle multiple sellers are now far riskier under both frameworks.
Can I use a predictive dialer to call California cell phones?
Yes, with proper consent. If your predictive dialer counts as an automatic telephone dialing system under TCPA, you need prior express written consent to call California cell numbers. California does not add a separate auto-dialer consent requirement on top of TCPA for most sales calls, but B&P 17592 disclosure requirements still apply. The dialer is not the problem. The consent documentation is where teams fail.
What disclosures must I make at the start of a California sales call?
Under B&P 17592, before any sales pitch you must disclose your name, the name of the company you are calling for, and the purpose of the call. If the call is being recorded, the Penal Code 632 disclosure must also come before any real conversation. These are separate obligations. A recording disclosure alone does not satisfy B&P 17592, and B&P 17592 disclosure does not satisfy 632.
How long do I have to honor a do-not-call request from a California consumer?
Federal TCPA requires you to honor DNC requests within 10 business days. California B&P 17592 uses a 30-calendar-day window, but that does not mean you get 30 days: the federal 10-business-day clock is shorter and controls. Honor the request within 10 business days, keep the record for five years, and suppress the number across all California campaigns, not only the one where the request came in.
Do California calling restrictions apply to my team even if we are based outside the state?
Yes. California's consumer protection laws apply based on where the consumer is, not where your business sits. Call a California resident from a Texas office and B&P 17592, the Rosenthal Act (if applicable), Penal Code 632, and CCPA all apply to that call. The trigger is that the called party is a California resident or the call has a substantial connection to California.
Does sending a text message to a California number trigger California-specific rules beyond TCPA?
Yes. CCPA covers text message contact data the same way it covers phone numbers. Penal Code 632 does not reach SMS (it applies to real-time telephone conversations), but CCPA deletion requests, opt-out rights, and data source vetting apply to SMS campaigns. B&P 17200 unfair competition claims can attach to deceptive or harassing text campaigns independent of TCPA. TCPA SMS consent requirements also apply as the federal floor.
What is the safest way to document CCPA compliance for outbound lead lists?
Get a written attestation from every lead vendor confirming the data was collected with a CCPA-compliant privacy notice, opt-out mechanisms were available at collection, any consumer deletion requests were applied before delivery, and the vendor will notify you of post-delivery deletion requests. Store those attestations for at least as long as you use the list. Verbal assurances do not hold up.
Sources
- FCC / Cornell LII, 47 U.S.C. 227 (TCPA), Section 227(b) and 227(f): TCPA limits telemarketing calls to 8 a.m.–9 p.m. local time; states may impose more restrictive intrastate requirements per 47 U.S.C. 227(f)(1); per-call damages are $500–$1,500.
- California Legislative Information, Business and Professions Code Section 17592: California B&P 17592 limits telephone solicitation calls to 9 a.m.–8 p.m. weekdays and 10 a.m.–8 p.m. weekends Pacific time, and requires name, company, and purpose disclosure at the start of every call.
- California Legislative Information, Civil Code Sections 1788–1788.33 (Rosenthal Fair Debt Collection Practices Act): Rosenthal Act extends FDCPA-style obligations to original creditors; statutory damages up to $1,000 per case plus attorney fees; call hours mirror federal FDCPA (8 a.m.–9 p.m. local time).
- California Attorney General, California Consumer Privacy Act (CCPA) overview: CCPA gives consumers rights to know about, delete, and opt out of the sale of personal information; civil penalties are $2,500 per unintentional violation and $7,500 per intentional violation.
- California Legislative Information, Penal Code Section 653m: California Penal Code 653m makes it a misdemeanor to make calls or electronic contacts with intent to annoy or harass; penalty up to $1,000 fine.
- California Legislative Information, Penal Code Section 632 (Invasion of Privacy Act): California Penal Code 632 requires all-party consent to record telephone conversations; civil penalty is the greater of $5,000 or three times actual damages per violation; criminal fine up to $5,000.
- California Public Utilities Commission, General Order 168: CPUC General Order 168 governs telemarketing conduct by PUC-regulated entities and California maintains a separate state do-not-call framework for regulated telephone solicitors.
- California Department of Financial Protection and Innovation (DFPI), Rosenthal and FDCPA enforcement: California DFPI enforces the Rosenthal Fair Debt Collection Practices Act alongside private litigation.
- California Privacy Protection Agency (CPPA), enforcement and rulemaking: CPPA is the primary enforcement agency for CCPA/CPRA; it has announced active investigation of lead generation data flows starting 2024.
- California Legislative Information, Business and Professions Code Section 17200 (Unfair Competition Law): B&P 17200 allows the California AG and private plaintiffs to sue for any unlawful, unfair, or fraudulent business practice including violations of B&P 17592; remedies include injunction and restitution without a per-violation cap.