Last updated 2026-07-10

TL;DR
The federal robocall law is the Telephone Consumer Protection Act (TCPA), codified at 47 U.S.C. 227. It restricts autodialed calls and prerecorded messages to cell phones without prior express consent. Violations cost $500 to $1,500 per call, and private citizens can sue directly. The FCC enforces it, but plaintiffs' attorneys drive most litigation.
What is the federal robocall law?
The federal robocall law is the Telephone Consumer Protection Act, passed by Congress in 1991 and signed as Public Law 102-243. It lives at 47 U.S.C. § 227. The FCC writes rules under it, and those rules sit at 47 C.F.R. Part 64. [1][10]
Congress wrote the statute before smartphones existed. The FCC and the courts have stretched it well past rotary-dial landlines. Here is the core prohibition: you cannot use an automatic telephone dialing system (ATDS) or a prerecorded or artificial voice to call a cellphone without the called party's prior express consent. That single sentence has been litigated to death. The exact meaning of each word decides whether your dialer is legal.
The TCPA also governs fax advertising, calls to residential lines before 8 a.m. or after 9 p.m. local time, and the National Do Not Call Registry. Outbound sales teams get into TCPA trouble three ways: dialing cell numbers with an ATDS and no consent, dropping prerecorded voicemails without consent (ringless or otherwise), or calling numbers on the National DNC Registry. [2]
For a broader look at how the statute is structured and interpreted, see our full overview of tcpa law.
What exactly does 47 USC 227 prohibit?
Section 227(b)(1)(A) makes it unlawful "to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice" to any cellular telephone number. [1] That is the verbatim text courts work from.
Here is what it means in practice.
Automatic telephone dialing system. After the Supreme Court's 2021 Facebook v. Duguid decision, an ATDS is equipment that has the capacity to store or produce numbers using a random or sequential number generator and dial them. A predictive dialer that only dials from a manually uploaded list may or may not qualify, depending on how it works. Courts still disagree. [3]
Artificial or prerecorded voice. A prerecorded message dropped to a voicemail or played when a person answers is covered whether or not an ATDS was involved. This matters for teams that drop ringless voicemails. The FCC treats ringless voicemail delivery as a "call" under the statute, though litigation on this point continues. [4]
Prior express consent. For most marketing calls and texts, you need prior express written consent. That means a signed written agreement (electronic signatures count) that clearly authorizes calls using an ATDS or prerecorded message to a specific number. The FCC's 2012 amended rules raised the bar from oral consent to written consent for telemarketing. [2]
The statute also holds the residential do-not-call rules at § 227(c), which is the legal hook for the National DNC Registry. Those rules reach live calls too, not only robocalls.
What are the penalties for violating federal robocall law?
The penalty math is what makes TCPA so dangerous for small teams. Section 227(b)(3) gives every individual who receives a prohibited call a private right of action. They can sue for $500 per violation. If the court finds the violation was willful or knowing, that triples to $1,500 per call. [1]
The statute sets no cap. A campaign that sent 10,000 illegal texts could face $15 million in statutory damages at the trebled rate, before any class certification. Class actions are the real threat. One named plaintiff can represent thousands of recipients, and settlements routinely run into the millions.
The FCC issues its own forfeiture orders under the Communications Act. In 2021 the agency imposed a $225 million penalty against a Texas-based health insurance robocall scheme, its largest ever for robocall violations. [5] That number puts the private-suit math in perspective.
State attorneys general have parallel enforcement authority under § 227(f). States can sue on behalf of their residents, and many have done so hard. That layer sits on top of the private right of action, so a bad campaign can draw a government action and a plaintiff's class action at the same time.
The chart below shows the TCPA damage tiers next to the FCC's record forfeiture, so you can see the scale.
How did the Facebook v. Duguid Supreme Court decision change things?
Facebook v. Duguid (2021) was the biggest TCPA ruling in years. Noah Duguid sued Facebook over automated login-notification texts sent to his cell number, a number he says he never gave the company. The whole case turned on one question: what counts as an ATDS. [3]
The Court ruled 9-0 that an ATDS must use a random or sequential number generator to store or produce telephone numbers. A system that dials from a stored list of specific, individually chosen numbers is not an ATDS under that reading. Companies running predictive dialers off curated contact lists got real relief.
The relief was narrower than many hoped. The ruling left the prerecorded voice prohibition untouched. It stands on its own. And it did not settle whether a dialer with the theoretical capacity to generate random numbers qualifies even when it never uses that function. Some courts still find ATDS status based on system architecture, not actual use.
Here is the practical read. If your team dials from a CRM export of named contacts, your ATDS exposure dropped after Duguid. If your platform has any random or sequential generation built in, you still have risk. Get a technical spec sheet from your vendor and keep it in your compliance file.
What consent is required before making robocalls or sending autodialed texts?
Consent requirements split two ways: the type of call (telemarketing vs. informational) and the line being called (cell vs. residential landline). [2]
For telemarketing calls or texts to a cell phone using an ATDS or prerecorded voice, you need prior express written consent. The FCC's rules (47 C.F.R. § 64.1200(f)(9)) define this as a written agreement that clearly authorizes the seller to deliver messages to a specific number using an ATDS or prerecorded voice, that the person signed, and that is not a condition of buying anything.
For non-telemarketing informational calls to a cell phone (account alerts, appointment reminders, service notifications), prior express consent is enough. Oral consent, or consent implied from someone giving you their number in a relevant context, can work. Document it anyway.
For prerecorded telemarketing calls to residential landlines, you also need prior express written consent under the 2012 amendments. Live-agent calls to residential numbers have more room but still cannot reach DNC-registered numbers without an established business relationship.
The FCC issued one-to-one consent rules in late 2023, set to take effect January 2025. They would have required consent specific to one seller at a time, which would have killed the lead-generation trick of a single checkbox authorizing calls from dozens of companies. A federal court vacated those rules in January 2025, but the FCC has signaled it may try again through another route. Watch this space. [6]
Does the federal robocall law cover text messages?
Yes. The FCC has long held that text messages are "calls" under the TCPA for the autodialer restrictions. The Commission first confirmed this in a 2003 declaratory ruling and has reaffirmed it since. [4]
Every TCPA consent and autodialer requirement that applies to voice calls applies to SMS and MMS sent through an ATDS. Run automated text campaigns, and you need the same written consent you would need for a prerecorded voice call.
A few nuances. P2P texting platforms, where a human agent manually clicks to send each text one at a time, may not count as ATDS use. The keyword is "manual." If the system queues messages and fires them without individual human action per message, it probably qualifies. Platforms increasingly market themselves as "manual" to dodge ATDS classification, but courts look at the actual technical function, not the label.
For any serious SMS campaign, you also have to meet the CTIA's Messaging Principles and Best Practices, which carriers enforce through deregistration and filtering. TCPA compliance and carrier compliance overlap but are not the same thing. Getting sued under TCPA and having your shortcode deregistered by carriers are two separate bad outcomes. You prevent them separately.
What is the National Do Not Call Registry and how does it connect to TCPA?
The National Do Not Call Registry is run by the FTC under the Telemarketing Sales Rule (16 C.F.R. Part 310), not directly under the TCPA. But the TCPA at § 227(c) authorizes the FCC to write its own residential DNC rules, and those rules incorporate the FTC's registry. The upshot: calling a number on the National DNC Registry can create liability under both the Telemarketing Sales Rule and the TCPA. [7][8]
Registrations are permanent. Consumers no longer re-register every five years. FTC data puts more than 245 million telephone numbers on the list. [7]
The TCPA safe harbor for DNC violations asks a lot of you: written procedures, trained personnel, your own internal DNC list, honoring DNC requests within 30 days (the statute says "a reasonable time" but the FCC rule says 30 days), scrubbing against the national registry at least every 31 days, and documenting all of it. [2] Miss any one step and you lose the safe harbor.
Established business relationship (EBR) is the main exception. If a consumer bought from you or made an inquiry within the prior 18 months, you can call them even if they are on the National DNC, unless they have told you specifically not to call. The EBR exception does not override a company-specific do-not-call request.
Who enforces federal robocall law and how are cases actually filed?
Enforcement comes from three directions: the FCC, the FTC (for the DNC and TSR side), and private plaintiffs. Private lawsuits are by far the most common. [5]
The private right of action in § 227(b)(3) and § 227(c)(5) lets anyone who receives a prohibited call sue without showing actual damages. The $500 and $1,500 per-call statutory damages are the whole ballgame, so there is no barrier to suit. Plaintiffs' firms have built entire practices around TCPA class actions. Many named plaintiffs are what the industry calls "professional plaintiffs," people who register multiple numbers and document calls carefully for later litigation.
Class certification is common in TCPA cases because the core question (did you send this message to thousands of people using an ATDS without consent?) is shared across the class. That makes TCPA a natural fit for class treatment under Rule 23(b)(3). Settlements of $10 million to $75 million are not unusual for large-scale violations. [11]
FCC enforcement usually targets big bad actors: telemarketers making billions of illegal calls, political robocall scammers, health insurance fraud rings. Small outbound sales teams rarely draw FCC forfeiture proceedings. They are squarely in scope for private class actions.
State AGs have gotten aggressive. The Washington, Indiana, and Florida attorneys general have all filed major TCPA and state-law robocall suits in recent years. If your state layers its own robocall statute on top of the TCPA (many do), your per-call exposure can run higher than under the federal law alone.
Are there exemptions from federal robocall law?
There are several. Each one is narrower than it sounds.
Emergency calls. Calls made for emergency purposes are exempt from the ATDS restrictions. This is genuinely narrow: utility outage alerts, hospital emergency notifications, not marketing dressed up as an emergency.
Healthcare. The FCC created HIPAA-adjacent exemptions for certain healthcare calls, including prescription reminders and appointment confirmations, but only when specific conditions are met: no charge to the patient, no marketing content, limited call duration and frequency. FCC healthcare exemption rules tightened some of these conditions. [4]
Government and government-contracted calls. Calls made by or on behalf of the federal government are exempt. That is why the IRS can robocall you (in theory) without TCPA liability.
Established business relationship for certain residential calls. As noted above, EBR gives some protection for DNC-list calls, but not for the ATDS and prerecorded voice restrictions on cell phones.
Live calls to landlines. Live-agent calls to residential landlines that do not use a prerecorded voice have more room under the statute, though state laws may add restrictions. See our guide to telephone call recording laws for the state-level layer.
None of these covers standard B2C or B2B sales dialing to cell phones without consent. If your pitch is "we're not marketing, we're just reaching out," that argument has failed over and over in federal court.
What is the "federal law to cash in on robocalls" that people mention?
This phrase comes from a common search, and it points to the TCPA's private right of action. Because the statute gives every individual the right to sue for $500 per call without proving harm, some people actively try to get illegal robocalls placed to their numbers so they can sue.
It is legal. Nothing requires a TCPA plaintiff to be an innocent bystander. Courts have allowed suits from people who registered multiple cell numbers, logged calls in careful detail, and filed hundreds of TCPA cases. The Supreme Court has not ruled that such plaintiffs lack standing, though some district courts have tried to limit their recovery on equitable grounds, with mixed results.
For outbound teams, the takeaway is that list quality matters enormously. A number that looks consented in your system may belong to someone who collects DNC-registered and ATDS-targeted numbers for litigation. Scrubbing against the National DNC Registry, checking cell vs. landline status, and keeping signed consent records are more than paperwork. They are your defense in court.
LeadCompliant's free phone number checker flags cell numbers and DNC-registered lines before you dial. It is the cheapest insurance against a professional plaintiff targeting your campaign.
The FCC estimated in 2019 that Americans receive roughly 4 billion robocalls per month. [5] Even a sliver of those being actionable generates enormous litigation volume.
How do state laws layer on top of federal robocall law?
The TCPA is a floor, not a ceiling. States can and do pass stricter laws. Florida's Telephone Solicitation Act (effective July 2021) added its own consent requirements and set per-call fines of $500 for a first violation and $1,500 for later ones, running parallel to TCPA damages. [9] Washington, Texas, and Indiana have similar state DNC and robocall statutes.
In some states, TCPA liability plus state-law liability roughly doubles your per-call exposure. A call that violates both the TCPA and Florida's law could generate $3,000 in combined per-call damages at the trebled rate.
State laws also reach areas the TCPA does not. Call recording consent is a big one. If your agent records a call in a two-party-consent state like California, Pennsylvania, or Maryland without disclosing it, you face separate criminal and civil exposure under state law, entirely apart from TCPA. See our guides on California call recording laws, pa call recording laws, and maryland call recording laws.
For do-not-call obligations, Pennsylvania and Illinois both keep state registries that require separate scrubbing beyond the National DNC list. Our guides on the Pennsylvania do not call list and do not call list Illinois cover those.
Here is the short version. Federal TCPA compliance is necessary but not enough. Build a state-law compliance layer for every state where you have real call volume.
What does a basic TCPA compliance program look like for a small outbound team?
You do not need a big compliance department to get this right. You need documented processes and the discipline to follow them.
Start with your list. Every cell number you plan to dial or text with an automated system needs documented prior express written consent tied to that specific number. Record when consent was obtained, through what form or flow, what the consent language said, and who opted in. You cannot rely on verbal consent for ATDS calls to cell phones under the 2012 FCC rules. [2]
Scrub against the National DNC Registry every 31 days at minimum. Keep the scrub logs. Access the registry through the FTC's subscription portal at donotcall.gov. [7] Scrub your own internal DNC list at the same time, and honor any opt-out from a prior call within 30 days.
Know your dialer. Get documentation from your vendor on how the platform works technically. If it can generate random or sequential numbers, that matters. If it is a true click-to-dial system, document that. Keep version records, because platforms update.
Honor time-of-day rules. No autodialed or prerecorded calls before 8 a.m. or after 9 p.m. local time for the called party. That means using time-zone data, more than call-center local time.
Train your team. The TCPA safe harbor for DNC violations requires actual training. Write it down. Keep attendance records.
LeadCompliant's TCPA compliance kit has template consent language, scrub log formats, and a time-zone verification checklist if you want a starting structure instead of building from scratch.
For the recording side of your calls, check the rules in each state where you operate. Our guide on is it against the law to record phone calls is a good starting point.
Frequently asked questions
What is the federal robocall law called?
The primary federal robocall law is the Telephone Consumer Protection Act (TCPA), enacted in 1991 and codified at 47 U.S.C. § 227. The FCC's implementing rules sit at 47 C.F.R. Part 64. The FTC's Telemarketing Sales Rule (16 C.F.R. Part 310) covers the National Do Not Call Registry side and often applies in tandem with the TCPA.
How much can someone sue you for under the TCPA?
Each violation carries $500 in statutory damages. If a court finds the violation was willful or knowing, that triples to $1,500 per call or text. There is no cap. A class action covering 10,000 recipients at the trebled rate could reach $15 million before legal fees. Most class actions settle, but settlements in the millions are common for mid-size violations.
Does the TCPA apply to text messages?
Yes. The FCC confirmed in a 2003 declaratory ruling that SMS text messages are "calls" under the TCPA for the autodialer restrictions. The same prior express written consent requirement that applies to autodialed voice calls to cell phones applies to automated text campaigns. This covers both SMS and MMS sent through an ATDS.
What counts as an automatic telephone dialing system (ATDS) after Facebook v. Duguid?
After the Supreme Court's 2021 ruling in Facebook v. Duguid, an ATDS is equipment that uses a random or sequential number generator to store or produce telephone numbers to dial. A predictive dialer working from a manually uploaded list of specific named contacts may not qualify. But if your platform has capacity to generate random or sequential numbers built into its architecture, ATDS classification is still possible even if you never use that function.
Can I call someone on the National Do Not Call Registry if we have an existing business relationship?
Yes, under the established business relationship (EBR) exception. If a consumer made a purchase or inquiry with your company in the prior 18 months, you can call them even if they are on the National DNC Registry, unless they have specifically asked you not to call. The EBR exception does not apply to the ATDS and prerecorded voice restrictions on cell phones. Those require separate prior express written consent.
Is it legal to sue a company for illegal robocalls to make money?
Legally, yes. The TCPA's private right of action has no good-faith victim requirement. Courts have allowed suits from so-called professional plaintiffs who register multiple numbers and document calls for litigation purposes. This is a real risk for outbound teams: a consented-looking number in your list may be held by someone actively building a TCPA case. List scrubbing and solid consent documentation are your main defenses.
What is the time-of-day rule for robocalls under federal law?
The TCPA and FCC rules prohibit autodialed, prerecorded, or artificial voice calls to residential lines before 8 a.m. or after 9 p.m. local time for the called party. "Local time" means the time zone where the called number is located, not where your call center sits. Many states have stricter windows, so check state law for every market where you call regularly.
Does the TCPA apply to B2B calls?
Partially. The TCPA's cell phone ATDS restrictions apply whether the number belongs to a consumer or a business. If you dial a person's cell phone using an autodialer without their consent, it does not matter that you are selling a business product. The National DNC Registry rules technically apply to residential lines, but many business professionals register personal cell phones. State laws may add B2B restrictions.
How often do I need to scrub my call list against the National DNC Registry?
FCC rules require scrubbing at least every 31 days to keep the safe harbor defense against DNC violations. You access the registry through the FTC's subscription portal at donotcall.gov. Keep logs of each scrub with dates, list version, and record counts. A missed scrub cycle does not automatically mean liability, but it costs you the safe harbor, so you have to fight the merits of any DNC claim without that shield.
What changed with the FCC's 2023 one-to-one consent rules?
The FCC adopted rules in late 2023 that would have required consumers to give consent to one specific company at a time, banning the lead generation practice of a single checkbox authorizing calls from dozens of sellers. A federal court vacated those rules in January 2025, finding they exceeded FCC authority. The rules are not in effect, but the FCC has indicated it may pursue similar limits through a different regulatory path.
Can states enforce their own robocall laws on top of the TCPA?
Yes. The TCPA explicitly preserves state law at § 227(f). States can and do pass stricter standards, and their attorneys general can sue robocallers on behalf of state residents. Some states like Florida have per-call fines that stack on top of TCPA damages. Several states also keep their own do-not-call registries requiring separate scrubbing beyond the National DNC list.
What records do I need to keep for TCPA compliance?
Keep signed consent records tied to specific phone numbers, including the date, consent form language, IP address or signature method, and source. Keep DNC scrub logs with dates and list versions. Keep internal do-not-call requests with the date received and the date honored. Keep dialer technical documentation. There is no TCPA-specified retention period, but four years is the standard recommendation given the four-year civil statute of limitations for TCPA claims.
Are ringless voicemails covered by the TCPA?
The FCC's position is that ringless voicemail delivery is a "call" under the TCPA because it is a transmission to the called party's voicemail system. That means the prerecorded voice restrictions apply, and you need prior express written consent for marketing ringless voicemails to cell phones. Litigation on this point is ongoing, but treating ringless voicemails as TCPA-covered is the safer operating assumption.
What is the statute of limitations for TCPA lawsuits?
TCPA claims are generally subject to a four-year federal statute of limitations under 28 U.S.C. § 1658, which courts apply because the TCPA does not specify its own limitations period. Some courts have applied state-specific limitations periods instead, and outcomes vary by circuit. The practical answer: assume someone can sue you four years after a call, and keep consent and scrub records at least that long.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227 (Telephone Consumer Protection Act): Statutory text of TCPA prohibitions, private right of action at § 227(b)(3), and $500/$1,500 per-violation damages
- Code of Federal Regulations, 47 C.F.R. Part 64 (FCC TCPA rules): FCC implementing rules requiring prior express written consent for telemarketing robocalls, 30-day DNC honor period, and 31-day scrub requirement
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Unanimous ruling that an ATDS must use a random or sequential number generator; dialing from a stored list of specific numbers may not qualify
- FTC, National Do Not Call Registry: More than 245 million telephone numbers registered; registrations are now permanent; telemarketers must access registry and scrub lists
- Federal Trade Commission, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC authority over National DNC Registry and TSR requirements that layer with TCPA obligations
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida state robocall law effective July 2021 creating per-call fines of $500 (first violation) and $1,500 (subsequent) running parallel to TCPA
- Public Law 102-243, 105 Stat. 2394 (1991), TCPA enactment: Original enactment of the Telephone Consumer Protection Act in 1991
- U.S. Court of Appeals, Eleventh Circuit: TCPA class action settlements commonly range from $10 million to $75 million for large-scale violations