CCPA and TCPA overlap for California outbound calling teams

California outbound teams face both TCPA and CCPA. Learn how consent, data rights, and opt-outs collide, plus fines up to $7,500 per record. Plain-English guide.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-11

Sales manager reviewing outbound call compliance documents at a California office desk
Sales manager reviewing outbound call compliance documents at a California office desk

TL;DR

California outbound calling teams have to satisfy two overlapping laws at once. The TCPA governs how you contact people (consent for autodialed calls and texts, DNC scrubbing). The CCPA governs the personal data behind those contacts (collection disclosure, opt-out of sale, deletion). A consent gap or a data-rights failure can trigger liability under either law, and California regulators can pile both on the same fact pattern.

What is the TCPA and what does it require for outbound calls?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, is the federal law that controls how businesses call and text consumers [1]. Congress passed it in 1991. The FCC has amended the rules many times since, most recently tightening the definition of an autodialer after the Supreme Court's 2021 ruling in Facebook v. Duguid [10].

For outbound teams, the core TCPA rules come down to four things. You need prior express written consent before placing autodialed or prerecorded calls to any wireless number. You need prior express consent (written or oral) before placing a prerecorded call to a residential landline. You must honor the National Do Not Call Registry and any company-specific DNC list. And you can only call between 8 a.m. and 9 p.m. local time at the called party's location [1].

The statute's private right of action is what makes the TCPA dangerous. Any individual can sue without proving actual damages. Statutory damages run $500 per negligent violation and $1,500 per willful violation, and class actions under the TCPA regularly settle in the millions. The cash app tcpa class action settlement and the credit one tcpa settlement show how fast exposure scales when you have a large call list.

For California teams, the TCPA is the floor, not the ceiling. California adds a second statutory layer that most outbound teams underestimate.

What is the CCPA and how does it apply to outbound sales data?

The California Consumer Privacy Act (CCPA), enacted in 2018 and amended by the California Privacy Rights Act (CPRA) in 2020, gives California residents rights over personal information that businesses collect, use, or share [2]. It took effect January 1, 2020. The CPRA amendments became enforceable July 1, 2023.

The CCPA applies to for-profit businesses doing business in California that meet at least one of three thresholds: annual gross revenues over $25 million, annual buying or selling of personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenues from selling or sharing personal information [2]. If your outbound team buys lead lists, receives data from a marketing partner, or builds its own prospect database from web scraping or form fills, you are almost certainly handling personal information under the CCPA definition.

A phone number is personal information under the CCPA. So is an email, a name, a job title, and any inference you draw from those data points. Build a lead record and every field in it is likely covered [2].

The CCPA gives consumers four core rights that hit outbound calling directly: the right to know what data you hold, the right to delete it, the right to correct it, and the right to opt out of the sale or sharing of their data. The California Privacy Protection Agency (CPPA) enforces these rights and can assess fines up to $7,500 per intentional violation [2].

Many outbound teams treat CCPA as a website privacy policy problem. It isn't. Every prospect record in your CRM is a potential enforcement point.

Where do the CCPA and TCPA actually overlap?

The overlap is bigger than most compliance guides admit. Here are the four pressure points where both laws can bite you on the same fact pattern.

1. Consent is required by both laws, but they define it differently.

The TCPA requires prior express written consent for autodialed calls to cell phones. That consent has to be a signed written agreement, clearly authorizing calls to a specific number, from a specific company or companies, using an autodialer or prerecorded voice [1]. The CCPA does not require consent to call, but it does require that you disclose your data practices and, in some cases, get opt-in consent before processing sensitive personal information [2]. If your consent capture form does both jobs at once (TCPA authorization plus CCPA disclosure), a flaw in that form creates exposure under both statutes.

2. Opt-out requests touch both laws.

A consumer who texts STOP to your SMS campaign has exercised a TCPA opt-out. That same person may also have a CCPA right to opt out of the sale of their phone number to third parties. If your systems process the STOP but keep selling the contact to your affiliate network, you've honored the TCPA opt-out and violated the CCPA opt-out right. These two systems rarely talk to each other inside a small outbound operation [3].

3. Purchased lead lists create liability under both laws at once.

Buy a list and call numbers on it without verifying consent, and you face TCPA exposure because you have no proof of prior express written consent. You also face CCPA exposure, because you may have received personal information from a third party without adequate contractual controls (a data processing agreement or similar) and without giving the consumer the required notice [2]. The FTC has flagged this exact combination, lead lists used without verified consent, as an enforcement concern [4].

4. Data retention overlaps with TCPA record-keeping.

Most compliance counsel keep TCPA consent records for four to five years, roughly as long as the statute of limitations for TCPA claims. The CCPA pulls the other way: it requires you to delete personal information when a consumer requests it, and you generally cannot retain data beyond the purpose for which it was collected [2]. Holding consent records as evidence is smart. Holding personal data longer than you need it creates CCPA exposure. The fix is to keep consent proof while purging or anonymizing the underlying contact record once it serves no active business purpose. That is harder to build than it sounds.

Maximum per-violation penalties for California outbound calling Willful or intentional violations, each statute applied independently TCPA (willful violation) $1,500 CCPA/CPRA (intentional violation) $7,500 CIPA (per violation) $5,000 FTC TSR (per call, 2024) $52k Source: FCC (47 U.S.C. § 227), CPPA (CCPA/CPRA), Cal. Penal Code § 637.2, FTC (16 C.F.R. § 310), 2024

Do California state laws add any extra calling rules beyond the TCPA?

Yes. California has its own version of the TCPA in the California Invasion of Privacy Act (CIPA), codified at Cal. Penal Code § 637.2 [5]. CIPA predates the TCPA and covers conduct the federal law does not, including recording calls without all-party consent. California is an all-party consent state, so you must tell every person on a call that it is being recorded before the recording begins. Violating CIPA carries statutory damages of $5,000 per violation, and CIPA has its own private right of action, so plaintiffs stack CIPA and TCPA claims in the same lawsuit [5].

The California Do Not Call law (Business and Professions Code § 17592) runs parallel to the federal DNC rules [6]. It applies to telephone solicitations to California residents and requires compliance with the National DNC Registry. If you want to know how to get access, the FTC's guidance on how do i get the do not call list covers the subscription process.

So a California outbound team operates under at least four overlapping legal frameworks: the federal TCPA, the federal DNC rules, CIPA, and the CCPA/CPRA. That is not an exaggeration. It is the actual legal environment.

What are the real penalties when both laws apply to the same violation?

Penalties are additive, not capped at one statute. That is the short answer.

Under the TCPA, a single call or text to a cell phone without consent carries $500 in statutory damages. A willful violation is $1,500 [1]. Multiply that by 10,000 calls and you're looking at $5 million to $15 million in exposure before legal fees. That math is why TCPA class actions settle so readily.

Under the CCPA, the California Privacy Protection Agency can fine up to $2,500 per unintentional violation and $7,500 per intentional violation [2]. Attorney General enforcement under the CCPA also allows injunctive relief. The CCPA's private right of action is narrower than the TCPA's: consumers can sue individually only for data breaches, not for every disclosure violation. But the CPPA's administrative enforcement has no such limit.

When both statutes apply to the same conduct, a plaintiff's attorney can file a TCPA class action while the CPPA separately investigates the same company for CCPA violations. No double-jeopardy protection stops this. The FTC can layer on Section 5 unfair practices claims if the conduct is egregious enough [4].

Nobody has good public data on how often joint TCPA/CCPA enforcement happens, because most CCPA enforcement actions settle without a public court docket. What the CPPA's public enforcement activity does make clear is that consumer-facing data practices in marketing are a priority [7].

StatutePer-violation fine (max)Private right of actionWho enforces
TCPA (47 U.S.C. § 227)$1,500 (willful)Yes, any individualFCC; private plaintiffs
CCPA/CPRA$7,500 (intentional)Limited (data breach only)CPPA; CA Attorney General
CIPA (Cal. Penal Code § 637.2)$5,000Yes, any individualPrivate plaintiffs; CA AG
National DNC (16 C.F.R. § 310)$51,744 per call (2024 FTC rate)LimitedFTC; state AGs

You need a consent workflow that does three things at once: captures TCPA-compliant prior express written consent, provides CCPA-required disclosure of data collection and use, and logs both in a way you can produce in litigation or an agency investigation. That is the honest answer.

Here is what it looks like in practice for a lead generation or outbound sales flow.

At the point of lead capture, your form or landing page needs a checkbox (unchecked by default) with language that covers who is calling (the specific company, or the specific companies if you share leads), the fact that an autodialer or prerecorded message may be used, the phone number being consented to, and the fact that consent is not a condition of purchase [1]. That checkbox is your TCPA consent.

On the same page, your privacy notice or a clearly linked privacy policy needs to disclose what categories of personal information you collect, why you collect them, whether you share or sell that data, and how consumers can exercise their CCPA rights including the right to opt out of sale [2]. California requires this notice at or before the point of collection.

The two disclosures serve different masters. The TCPA checkbox authorizes a specific type of communication. The CCPA notice informs someone of their data rights. Put both on the same page if you like, but keep them visually separate so neither disclosure gets buried.

For purchased leads, you need a data processing agreement or data service agreement with the vendor confirming the data was collected with TCPA-compliant consent and in compliance with the CCPA [3]. Get that contract in writing and keep it. If a vendor cannot produce consent records on demand, stop using them.

Store consent records separately from your contact records if you can. Then, if someone exercises a CCPA deletion right, you can wipe their contact data from your CRM while keeping an anonymized token or hash that proves consent existed. Run this architecture by your legal counsel before you rely on it.

How does the CCPA right to delete affect your calling and texting lists?

This is one of the most underappreciated operational problems for outbound teams. A verified CCPA deletion request means you must delete the consumer's personal information from your records within 45 days of receiving the request (with a possible 45-day extension if you notify the consumer) [2]. That includes their phone number, name, email, and any other field in your CRM.

Once you delete, you cannot call or text that person again, because you have no record they exist. But if they show up on a purchased list you receive later, you could end up calling them again without knowing they previously opted out. This is why a suppression list is not optional. A suppression list stores a hashed or tokenized version of the phone number or email (not the raw personal data) and blocks future imports from matching records. It lets you honor the deletion while preventing re-contact.

Building a suppression list is good TCPA hygiene too. The FTC's Telemarketing Sales Rule requires you to maintain an internal do-not-call list and honor it for five years [8]. The do not call list article covers the federal DNC side of this in more detail.

Some teams use their CRM's built-in opt-out fields for this. That works if your import process reliably checks those fields before dialing. It breaks the moment you import a new list that includes a phone number you previously deleted. The cleaner solution is a dedicated suppression database that sits between your lead source and your dialer.

It stays with your team. This is one of the most common misconceptions in outbound sales.

Under the TCPA, the calling party is liable for calls made without consent. If you bought a lead list and the consent on it was defective or fabricated, you are the one who made the call. Courts have been consistent: you cannot outsource your TCPA compliance to a lead vendor [1]. The vendor may be jointly liable, and you can sue them for indemnification, but that is a separate fight after you've already been sued.

Under the CCPA, if you receive personal information from a third party, you must make sure the collection and transfer were lawful. If the vendor gave no proper notice at collection or ignored prior opt-outs, your receipt and use of that data may itself violate the CCPA [2].

Do two things before you use any purchased list. Scrub it against the National DNC Registry, your internal DNC list, and any known litigant databases. Then get a written representation from the vendor that the data was collected with TCPA-compliant consent and in compliance with applicable state privacy laws. Neither step guarantees safety. Both reduce your exposure and improve your position if a claim gets filed.

For more on the mechanics of list scrubbing, the do not call telemarketer list article is a practical starting point.

What records does a California outbound team need to keep for both laws?

Record-keeping is where most small teams fall short. Both statutes require documentation, and both enforcement actions begin with a document request.

For TCPA compliance, you need the original consent record for each phone number you call or text (form submission timestamp, IP address, the exact consent language the consumer agreed to, and the phone number), your DNC scrub logs (date of scrub, registry version used), your internal DNC list, and call logs showing time and date of each contact [1]. Keep these for at least four years, which covers the TCPA's four-year statute of limitations under 28 U.S.C. § 1658.

For CCPA compliance, you need your privacy notice as it appeared at each point of collection (archive prior versions, more than the current one), records of consumer rights requests received and how you responded, records of data processing agreements with vendors, and a data map showing what personal information you hold, where it came from, and who you share it with [2]. Companies without a current data map face longer investigations and worse outcomes.

These two record sets overlap a lot. A well-organized CRM or consent management platform can store both, but someone has to own the maintenance. If your team has no designated compliance owner, pick one. Even a part-time owner beats none.

LeadCompliant's free compliance kit includes template consent language, a record-keeping checklist, and a DNC scrub log template that covers both TCPA and CCPA requirements. Useful if you want to build this without starting at a blank page.

How do mobile numbers complicate CCPA and TCPA compliance at the same time?

Mobile numbers sit at the intersection of both laws in the sharpest way. Under the TCPA, calling or texting a cell phone with an autodialer without prior express written consent is a strict-liability violation. There is no knowledge defense: no consent plus a call to a cell phone equals exposure [1].

Under the CCPA, a mobile phone number is personal information and is sometimes treated as sensitive personal information depending on context (for example, precise geolocation data tied to a mobile device). The CCPA's opt-out-of-sale right applies to mobile numbers the same way it applies to any other personal information [2].

The practical complication is number porting. A landline number can become a cell number. Scrub a list six months ago and mark a number as a landline, and it may be a cell phone by now. The FCC has made clear that you need consent based on the number's current status, not its status when you first collected it [9]. Services like Neustar or Twilio's Lookup API can check current line type before a call. For a high-volume outbound operation, that check is worth the cost.

For more detail on the specific rules around mobile phone do not call list compliance, that article covers how cell numbers interact with DNC requirements.

What should a small California outbound team do right now to reduce exposure?

Start with the things that carry the highest legal risk and the lowest cost to fix.

Audit your consent records this week. Pull 50 random records from your active call list and check whether each one has documented prior express written consent that names your company, the phone number, and the autodialer disclosure. If more than a handful are missing, stop your outbound calling until you fix the consent flow. No revenue opportunity is worth a seven-figure class action.

Post a compliant CCPA privacy notice if you don't have one. The California AG's office publishes guidance and model concepts [6]. It takes a few hours to adapt for your business. If you collect data from California residents and your revenue is above $25 million, you should have this already.

Build or buy a suppression list tool. At minimum, this is a spreadsheet of opted-out phone numbers and emails that your import process checks before loading a new list. A proper suppression database is better. Either way, hashed identifiers are safer than raw contact data for CCPA compliance.

Scrub your current list against the National DNC Registry. The FTC requires a subscription for commercial telemarketers, and access is organized by area code [8]. If you haven't scrubbed in the last 31 days, your list is stale by FTC standards.

Review your lead vendor contracts. If they don't include a written representation that data was collected lawfully and a TCPA-consent warranty, add one or switch vendors.

The LeadCompliant free TCPA consent checker and compliance kit can handle the consent audit step if you want a structured starting point rather than building it from scratch.

For the broader picture of what a compliant cold calling program looks like, that article covers the federal and state requirements in one place.

How do text message campaigns fit into the CCPA and TCPA overlap?

SMS campaigns follow the same TCPA consent rules as autodialed calls: prior express written consent before you send a marketing text to a cell phone [1]. The FCC's December 2023 order, effective in early 2025, tightened the one-to-one consent requirement, meaning a single consent obtained through a lead aggregator cannot be shared among multiple companies without disclosure of each company by name [9].

On the CCPA side, a phone number used for texting is personal information, and the messages themselves may generate more data (click behavior, response patterns) that is also personal information subject to CCPA rights [2].

The text message opt-out creates the clearest overlap scenario. When someone texts STOP, your system must stop texting them immediately (TCPA requirement). Your system must also be able to honor a CCPA deletion request for that same number within 45 days. And your suppression list must prevent that number from being re-imported off a new list.

For a full treatment of SMS compliance mechanics, the text message marketing article covers opt-in mechanics, message content rules, and short-code versus long-code compliance in more detail.

Frequently asked questions

Does the CCPA apply to B2B outbound calling in California?

Mostly yes. The CCPA covers personal information of California residents, and employees and sole proprietors count as consumers under the law. B2B contacts who are California residents have CCPA rights. The CPRA removed a former exemption for employee and business-contact data, so a rep calling a business list that includes California employees has to meet CCPA disclosure and rights requirements, on top of the TCPA.

Can a TCPA opt-out and a CCPA opt-out come from the same consumer request?

Yes, and you should treat them as separate obligations even when they arrive together. A STOP text honors the TCPA opt-out for that messaging channel. A CCPA opt-out-of-sale request requires you to stop sharing that consumer's personal information, which may touch multiple systems and third-party relationships. One request does not automatically satisfy both laws unless your workflow is built to handle both.

What happens if a California resident asks me to delete their phone number under CCPA but I still have TCPA consent on file?

You must delete the personal information from your active records, but you can keep an anonymized token or consent log as evidence that consent existed, if your counsel agrees this meets CCPA's data minimization standard. You also need to add the number to your suppression list to prevent re-contact. Once the contact record is gone, you can no longer call or text that person without fresh consent.

Do I need a data processing agreement with every lead vendor to satisfy the CCPA?

If the vendor is a service provider (processes data on your behalf) you need a written contract with CCPA-required terms. If the vendor is a third party selling you data outright, you need at least a written representation that the data was collected lawfully and that prior CCPA opt-outs were honored. The CPPA's regulations specify the required contract terms for service providers; your legal counsel should confirm which category your vendor falls into.

How often do I need to re-scrub my call list against the National DNC Registry?

The FTC's Telemarketing Sales Rule requires you to scrub no more than 31 days before a call [8]. For a California outbound team, monthly scrubbing is the minimum. Some compliance teams scrub weekly to catch new registrations faster. The FTC's DNC subscription provides access by area code, and the cost scales to how many area codes you need.

Is a web form checkbox enough to satisfy TCPA written consent under California law?

Yes. An electronic signature on a web form satisfies the TCPA's written consent requirement under the E-SIGN Act, as long as the checkbox is unchecked by default, the consent language names the caller, references autodialed calls, and states that consent is not required for purchase [1]. Log the timestamp, IP address, and exact consent language. A pre-checked box does not satisfy the requirement.

Can a California consumer sue me under both the TCPA and the CCPA for the same call?

For a single call, a TCPA private lawsuit is straightforward. The CCPA's private right of action is narrower: it applies to data breaches, not general disclosure violations. But a California consumer can file a TCPA suit while the CPPA separately investigates for CCPA violations. California's Unfair Competition Law can also create a private cause of action based on a CCPA violation, which widens the private enforcement picture.

The FCC's December 2023 order, effective in early 2025, requires TCPA consent for telemarketing calls to be obtained one-to-one: one consumer, one company [9]. A consent form that lists or implies dozens of companies cannot serve as valid consent for all of them. For California lead generation, your consent forms have to name your company specifically. Aggregators who share a single consent among multiple buyers now operate outside the rule.

Does the CCPA cover automated text messages, or just voice calls?

The CCPA covers all personal information, including a phone number used for texting. The law does not distinguish by communication channel. If you collect a phone number, send texts to it, and process data generated by those texts (such as whether the person clicked a link), all of it falls under CCPA. Your privacy notice must disclose the texting use case if it isn't already covered.

What is CIPA and how does it add to CCPA and TCPA compliance for California callers?

The California Invasion of Privacy Act (Cal. Penal Code § 637.2) requires all-party consent before recording a call in California [5]. It carries $5,000 per violation and has its own private right of action. Plaintiffs regularly stack CIPA claims with TCPA claims in the same lawsuit. If you record sales calls and any party is in California, you must disclose the recording at the start of every call and get consent before recording begins.

The TCPA's statute of limitations is four years under 28 U.S.C. § 1658, so most compliance counsel keep consent records at least four to five years. CCPA's data minimization principle says you should not retain personal information beyond the purpose for which it was collected. The practical resolution is to keep an anonymized consent log (timestamp, hashed identifier, consent language version) after deleting the raw personal data, but run this approach by your legal counsel.

Are there any safe harbors under the TCPA or CCPA that protect California outbound teams?

The TCPA has a limited established business relationship exemption for certain residential landline calls, but it does not apply to cell phones or autodialed calls. The CCPA has no general safe harbor for marketing. Both laws require affirmative compliance steps. The closest thing to a safe harbor under either law is documented, specific, properly stored consent, which reduces but does not eliminate litigation risk.

Sources

  1. California Privacy Protection Agency, CCPA regulations: CCPA/CPRA covers personal information of California residents; fines up to $7,500 per intentional violation; covers phone numbers as personal information; deletion requests must be honored within 45 days
  2. California Attorney General, CCPA overview: Consumers have the right to opt out of sale or sharing of personal information including phone numbers; businesses must honor opt-outs and include required contract terms with third parties
  3. FTC, reports on lead generation and telemarketing enforcement: FTC has flagged purchased lead lists used without verified consent as an enforcement concern combining telemarketing and data privacy violations
  4. California Legislative Information, Penal Code § 637.2 (CIPA): CIPA requires all-party consent for recorded calls in California; statutory damages $5,000 per violation; private right of action exists
  5. California Attorney General, privacy and Do Not Call guidance: California Business and Professions Code § 17592 requires compliance with the National DNC Registry for telephone solicitations to California residents
  6. California Privacy Protection Agency, enforcement information: CPPA enforcement activity has identified consumer-facing marketing data practices as a priority area
  7. FTC, Telemarketing Sales Rule (16 C.F.R. Part 310): TSR requires scrubbing the National DNC Registry no more than 31 days before a call; internal DNC lists must be maintained for five years; per-call civil penalties up to $51,744 (2024 rate)
  8. Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the definition of an autodialer under the TCPA in 2021, requiring the system to have the capacity to produce numbers using a random or sequential number generator
  9. FTC, National Do Not Call Registry Data Book: The National DNC Registry contains hundreds of millions of active registrations as reported in the FTC's annual Data Book

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit