Robocalling laws: what every outbound team must know

TCPA fines start at $500 per call and hit $1,500 for willful violations. Here's every robocalling law your team must follow before dialing.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-09

Landline telephone on a wooden desk with afternoon sunlight, representing robocalling laws
Landline telephone on a wooden desk with afternoon sunlight, representing robocalling laws

TL;DR

Federal robocalling law lives in 47 U.S.C. § 227 (the TCPA), enforced by the FCC and FTC. Violations cost $500 to $1,500 per call, per recipient, with no cap on class actions. You need prior express written consent before auto-dialing cell phones for marketing. Dozens of states add their own rules on top. This guide covers every major requirement.

What law actually governs robocalls in the United States?

The Telephone Consumer Protection Act, passed in 1991 and codified at 47 U.S.C. § 227, is the primary federal law on robocalls. [1] It restricts autodialed calls, prerecorded voice messages, and artificial voice calls to cell phones, residential lines, and fax machines. The FCC writes the implementing regulations under 47 C.F.R. Part 64. The FTC enforces the Telemarketing Sales Rule (TSR) under 16 C.F.R. Part 310, which overlaps with the TCPA for telemarketing specifically. [2]

Those two agencies have different enforcement angles. The FCC looks at the technology: did you use an autodialer or a prerecorded message? The FTC looks at the transaction: were you selling something? Most outbound sales teams trigger both.

State attorneys general can sue under the TCPA directly (47 U.S.C. § 227(g)), and private citizens can file their own lawsuits. That private right of action is what makes TCPA litigation so common. You don't need a regulator to move against you. Any individual you called can sue you in small claims or federal court.

The TSR layers on more: specific disclosures at the start of a call, calling-hour limits, and its own Do Not Call registry rules. [2] The TCPA and TSR usually demand the same things. Where they conflict, you follow whichever is stricter.

What counts as a robocall under the TCPA?

A "robocall" in legal terms is a call made with an automatic telephone dialing system (ATDS), or a call using a prerecorded or artificial voice. [1] The statute defines an ATDS as equipment with the capacity to store or produce telephone numbers using a random or sequential number generator and dial them without human intervention.

The Supreme Court narrowed that definition in Facebook v. Duguid (2021). A system only qualifies as an ATDS if it uses a random or sequential number generator to store or produce numbers. [3] A system that dials from a static stored list of specific numbers, with no random or sequential generation, is arguably not an ATDS under the federal definition. That ruling gave some relief to outbound teams running predictive dialers off pre-loaded contact lists.

Here's the catch. Prerecorded and artificial voice calls are regulated separately, whether or not an ATDS is involved. [1] If you drop a ringless voicemail, play a recorded message, or use AI-generated speech, that call is covered even when your dialing equipment is not technically an ATDS. The FCC has treated ringless voicemails as covered calls under the TCPA. [4]

Most predictive dialers still carry legal risk. Courts and the FCC have not settled every edge case after Facebook v. Duguid, and state laws often use broader definitions than the federal ATDS standard. My rule of thumb: if your system dials faster than a human punching numbers, treat it as regulated.

What are the penalties for illegal robocalls?

The TCPA sets statutory damages at $500 per violation. [1] A court that finds you willfully or knowingly broke the statute can triple that to $1,500 per call. There is no cap. A class action covering a million consumers is a $1.5 billion exposure on paper.

Real settlements confirm this is not hypothetical. Dish Network settled an FTC/DOJ telemarketing case in 2009 for $5.99 million, then lost a separate civil case that produced a $280 million judgment in 2017. [5] Smaller companies routinely settle TCPA class actions for $2 million to $10 million once class certification lands.

FCC forfeitures are separate from civil litigation. Under 47 U.S.C. § 503(b), the FCC can issue forfeiture orders up to $10,000 per violation and up to $1,000,000 for a continuing violation. In practice the agency has aimed at gateway carriers and lead generators more than small businesses, but enforcement against individual companies does happen.

State attorneys general add exposure. Texas, for one, can seek civil penalties under its Business & Commerce Code Chapter 305 on top of federal TCPA damages. [7] The math turns brutal fast. One bad campaign to 10,000 people without proper consent is a $5 million to $15 million problem before you negotiate a single settlement dollar.

TCPA and state robocalling: statutory damages per violation Per-call penalties under federal and key state laws, before multipliers for class size TCPA (standard) $500 TCPA (willful) $1,500 Florida FTSA (standard) $500 Florida FTSA (willful) $1,500 Texas B&C Ch. 305 (max) $5,000 FCC forfeiture (per violation max) $10k Source: 47 U.S.C. § 227 [1]; Fla. Stat. § 501.059 [6]; Tex. B&C Code Ch. 305 [7]; DOJ v. Dish Network [5]

Yes. The type of consent you need depends on what you're calling about and where.

Marketing calls to cell phones using an ATDS or prerecorded voice need prior express written consent. [1] That means a signed agreement (electronic signatures count under the E-SIGN Act) where the person clearly authorizes autodialed or prerecorded marketing calls from your specific company, to a specific number. A checkbox burying consent in your terms of service does not clear the bar. The FCC's 2012 rule changes tightened this hard.

Informational or transactional calls to cell phones (appointment reminders, order confirmations, bank alerts) need only prior express consent, which can be oral or shown through the context of your relationship. [1]

Calls to residential landlines with a prerecorded marketing message still need prior express written consent. For non-marketing prerecorded calls to landlines, oral consent or a pre-existing relationship once sufficed, but that exception is narrow.

Live-agent calls to cell phones, using no ATDS and no prerecorded voice, do not require consent under the TCPA itself. The National Do Not Call Registry still applies. [2] You cannot call a number on the DNC list even with a live agent, unless you have an established business relationship or the person's prior express invitation.

The FCC issued a rule in January 2024 requiring that consent be obtained for each seller who will contact the consumer, not bundled across a group of marketers. [4] The 11th Circuit vacated that one-to-one consent rule in January 2025 (Insurance Marketing Coalition Ltd. v. FCC). [9] Check current FCC guidance before you assume bundled consent is permanently cleared.

What are the time-of-day rules for robocalls?

The TCPA and the FTC's Telemarketing Sales Rule both limit calling hours. Under the TSR, telemarketers cannot call before 8 a.m. or after 9 p.m. local time at the called party's location. [2] The TCPA regulations at 47 C.F.R. § 64.1200 apply the same 8 a.m. to 9 p.m. window.

Local time means the consumer's time zone, not yours. Call a Florida resident from California and you calculate on Eastern time. Most dialers can apply time-zone scrubbing automatically, and you should turn that on. Calling at 7:59 a.m. Eastern while your system thinks it's on Pacific is still a violation.

Some states are stricter. Florida's Telephone Solicitation Act limits calls to 8 a.m. to 8 p.m. [6] Apply whichever window is narrower.

These windows cover telemarketing calls. Strictly transactional or emergency calls get more room under the TSR, but stretching that exception to cover any hint of a sales pitch is a bad bet. Courts look at the purpose of the call, not the label you slap on it.

How does the National Do Not Call Registry affect robocalling?

The National Do Not Call Registry, run by the FTC, lets consumers opt out of telemarketing calls. [11] Telemarketers must scrub their call lists against the registry no more than 31 days before using a list. Numbers registered more than 31 days are off-limits for marketing calls unless you have written permission from the consumer, or an established business relationship (EBR) that ended no more than 18 months ago.

The EBR exception does not override a direct do-not-call request. If someone tells you "don't call me again," you honor that within 30 days, full stop, no matter your prior relationship. You also have to keep your own internal do-not-call list and honor it. [2]

Registry access costs money. Telemarketers pay the FTC annual fees to reach area codes beyond the free annual allotment. As of 2024, the fee runs roughly $75 per area code per year (check the FTC's official fee schedule for the current number). [11]

Robocalls for political campaigns, charities, and purely informational purposes (no sale) are generally exempt from the DNC registry under the TSR. But prerecorded political calls to cell phones still face TCPA restrictions. The exemptions are narrower than most people assume.

For a broader look at the underlying statute, see our guide on tcpa law.

What state robocalling laws do I need to worry about?

Plenty of them. The TCPA is a floor, not a ceiling. States can pass stricter laws, and many have.

Florida's Telephone Solicitation Act (FTSA) is arguably the most aggressive state robocalling law in the country. Since July 2021 it requires prior express written consent for any autodialed call or text to a Florida consumer, mirroring the TCPA standard, and it creates a private right of action under state law with damages of $500 per call and $1,500 for willful violations. [6] Florida amended the statute in 2023 to shorten the limitations period and add procedural changes, but the law is still a serious trap for outbound teams.

Texas Business & Commerce Code Chapter 305 restricts automated calls and requires certain solicitors to register with the state. [7] Texas keeps its own do-not-call list too. Violations can bring civil penalties up to $5,000 per violation.

California's Invasion of Privacy Act covers call-recording consent (all-party in most situations), and the California Consumer Privacy Act (CCPA) shapes how you store and use phone numbers for calling campaigns. [8]

Oklahoma, Washington, and Indiana all have their own robocall or telemarketing statutes. Indiana's Automated Dialing Machine law restricts autodialed calls independent of the federal TCPA framework.

The table below sums up the key state differences.

StateKey restriction beyond TCPAPrivate right of action?Notable penalty
FloridaPEWC for all autodialed calls/texts; 8am-8pm windowYes$500-$1,500/call
TexasState DNC list; solicitor registration requiredLimited (AG primary)Up to $5,000/violation
CaliforniaCCPA data requirements for contact listsYes (CCPA)$100-$750/consumer/incident
OklahomaBroader ATDS definition than post-Facebook federal standardYes$500/violation
IndianaSeparate automated dialing restrictionsYesVaries

State laws also govern call recording, which touches every robocall campaign. For multi-party recording consent, see telephone call recording laws and is it against the law to record phone calls.

Are there exemptions to robocalling rules?

Yes, but fewer than most sales teams hope.

The TCPA exempts calls made for emergency purposes, calls made with the prior express consent of the called party, and calls made by or on behalf of tax-exempt nonprofit organizations. [1] The statute at 47 U.S.C. § 227(b)(1)(B) also carves out calls to residential lines that do not use a prerecorded voice and are not for commercial purposes.

The FCC has created exemptions by order for certain prerecorded calls to residential lines: healthcare providers calling about treatment, package delivery notices, bank and financial account alerts, and school notifications. [4] These are not unlimited. They come with conditions. The calls must be free to the consumer, must relate to the specific transaction or relationship, and must include opt-out mechanisms.

The TSR exempts calls from sellers with an established business relationship, but a specific do-not-call request from that consumer beats the EBR.

Political robocalls to landlines fall outside the TSR, which covers commercial telemarketing. Political prerecorded calls to cell phones still need TCPA consent. That catches a lot of campaigns off guard.

The exemption people misuse most is the "informational call" carve-out. A prerecorded message that opens with "Hi, just checking in" but is built to generate a sale gets treated as a marketing call. Content and purpose decide the classification, not what you call it internally.

What did the FCC's 2024 and 2025 rule changes do to robocalling law?

The FCC has been busy. The most talked-about change was the January 2024 order on "one-to-one consent" for lead generators and comparison shopping sites. [4] Under that rule, a consumer filling out a form on a comparison site could not have their information shared with dozens of marketers under a single consent. Each seller would need individual, specific consent before calling.

The 11th Circuit vacated that rule in January 2025 in Insurance Marketing Coalition Ltd. v. FCC, finding the agency exceeded its statutory authority. [9] So one-to-one consent is not in effect at the federal level right now. The FCC may try a revised rule, and some state laws (Florida in particular) impose similar standards on their own.

The FCC also finalized rules requiring "do not originate" lists to block illegal robocall traffic at the gateway, and mandated STIR/SHAKEN caller ID authentication. [4] STIR/SHAKEN doesn't limit what you say. It affects whether your calls reach anyone. A voice carrier without proper STIR/SHAKEN attestation can have its traffic blocked wholesale. If your call completion rates have dropped, this is often the reason.

The FTC has moved on AI voice too. Using a cloned or AI-synthesized human voice in a robocall triggers the same rules as any other prerecorded call, and the FTC has said deceptive AI voice cloning in robocalls violates the FTC Act independent of the TSR. [10]

For teams building compliance workflows around these changes, a structured tcpa law reference is a good starting point.

How do you build a compliant robocalling operation?

Start with consent documentation. Before you dial a single number with an autodialer or drop a prerecorded message, you need documented proof of prior express written consent from each recipient. That means a timestamped record showing the phone number, the disclosure language, and the consumer's affirmative agreement. Store it so you can produce it in court within 24 hours. Consent records get subpoenaed in almost every TCPA lawsuit.

Scrub your lists. Run your contact list against the National Do Not Call Registry within 31 days of any campaign. [11] Keep your own internal DNC list and merge it before every run. If you operate in Texas, scrub against the Texas DNC list too. [7] Add Florida to your scrub process for any Florida residents, given the FTSA's strength.

Apply time-zone restrictions at the dialer level. Don't rely on reps to time calls by hand. Your platform should block outbound attempts outside the 8 a.m. to 9 p.m. local window, and tighten automatically for states like Florida.

Audit your technology. After Facebook v. Duguid, check whether your dialing system meets the ATDS definition. Don't stop there. Confirm whether you play prerecorded messages, use AI voice, or drop ringless voicemails, because those are covered regardless of ATDS status.

Train your team. Reps need to know how to handle real-time do-not-call requests, what they can and cannot say about your company, and how to log oral consent if live agents confirm consent on the phone.

LeadCompliant offers a free TCPA compliance kit with consent language templates, DNC scrubbing tools, and a call-before-you-dial checklist covering the federal and major state requirements in one place.

For call recording, which affects every recorded sales call your team makes, see recorded phone call laws and state guides like pa call recording laws and maryland call recording laws.

What does the TCPA say about text messages?

Text messages sent using an ATDS or prerecorded message count as "calls" under the TCPA. [1] The FCC has confirmed this repeatedly, and courts have consistently held that marketing texts need the same prior express written consent as autodialed voice calls to cell phones.

The practical fallout is large. Send promotional texts through any platform that automates delivery (which is nearly every SMS marketing tool on the market) and you need documented written consent from each recipient. That consent has to authorize text messages specifically. Consent to call and consent to text are not interchangeable.

The DNC registry covers texts too. The FCC held in 2012 that marketing text messages to numbers on the DNC registry violate the TCPA unless consent or an EBR exception applies. [4]

Peer-to-peer (P2P) texting platforms, where a human sends each individual message by hand, are generally not treated as an ATDS under the post-Facebook v. Duguid standard. But if your P2P platform has any automated queuing or delivery function, the analysis shifts. This is genuinely contested territory right now.

How does STIR/SHAKEN affect robocall compliance?

STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) is a caller ID authentication framework the FCC mandated under the TRACED Act. [12] It assigns an attestation level to outbound calls: A (full, the carrier knows the subscriber and that they have the right to use the number), B (partial), or C (gateway attestation for calls of uncertain origin).

A-level attestation means your calls are less likely to get labeled "Spam Risk" or blocked by carrier analytics platforms like Hiya, First Orion, or TNS. C-level calls often get blocked entirely, especially on AT&T, Verizon, and T-Mobile networks.

This matters practically for legitimate teams. If you call from a VoIP platform and your carrier has no direct relationship with your actual business, your calls may draw B or C attestation even when you're fully compliant with TCPA consent rules. The fix is to work with a voice carrier that can give you A-level attestation for your registered numbers, and to register those numbers within the STIR/SHAKEN framework where applicable.

The FCC can block entire voice service providers for non-compliance. That has happened to several gateway carriers. If your outbound volume routes through an affected provider, your legitimate calls get caught in the same block.

STIR/SHAKEN does not replace TCPA compliance. It's a separate technical requirement that affects deliverability. You need both.

Frequently asked questions

Is it illegal to receive a robocall?

Receiving a robocall is not illegal for the recipient. The law restricts the caller, not the person answering. If you got an illegal robocall, you can file a complaint with the FCC at fcc.gov or with the FTC at donotcall.gov. You may also have the right to sue the caller directly under 47 U.S.C. § 227 for $500 to $1,500 per call.

Do robocalling laws apply to B2B calls?

The TCPA's ATDS and prerecorded voice restrictions apply to calls to cell phones whether the recipient is a business or a consumer. Most courts have found that calls to business landlines fall outside the TCPA's residential protections. The National Do Not Call Registry and the TSR also apply more narrowly to B2B telemarketing. State laws vary. Always check whether the number is a cell phone, because that's where federal exposure is highest.

Can I robocall someone who gave me their phone number?

Handing you a phone number does not equal consent to receive autodialed marketing calls. The TCPA requires prior express written consent for marketing robocalls to cell phones, meaning a clear, affirmative written agreement that specifically authorizes automated or prerecorded contact for marketing. A number entered on a web form meets that standard only if the form included explicit consent language and the person actively agreed to it.

What is the do-not-call list and who has to follow it?

The National Do Not Call Registry is a database run by the FTC where consumers register numbers they don't want telemarketing calls on. Any company doing telephone solicitation must scrub its call lists against the registry within 31 days of each campaign. Charities, political callers, and survey-only callers are generally exempt under the TSR, but TCPA cell-phone rules still apply to those groups for prerecorded calls.

How long does it take for a number to be protected after DNC registration?

A number on the National Do Not Call Registry becomes protected 31 days after registration. Telemarketers must honor the registry within that window. After 31 days, the number must be excluded from any telemarketing list. Registration does not expire. Numbers stay on the registry permanently unless the consumer removes them or the number is reassigned.

Political robocalls to residential landlines fall outside the FTC's Telemarketing Sales Rule, which covers commercial solicitation, so the DNC registry does not block them under the TSR. But the TCPA still requires prior express consent for autodialed or prerecorded calls to cell phones, political or not. Campaigns calling cell phones without consent face the same $500 to $1,500 per call TCPA exposure as commercial callers.

Under the TCPA, prior express written consent requires a signed agreement (paper or electronic) in which the consumer clearly authorizes autodialed or prerecorded marketing calls to a specific number. The agreement must include the phone number, the name of the company authorized to call, and language showing the consumer understands they are agreeing to automated calls. The FCC's 2012 rules made oral consent insufficient for marketing autodialed calls to cell phones.

The FCC issued a one-to-one consent rule in January 2024 requiring each seller to get individual consent rather than bundling consent across many marketers on a lead generation form. The 11th Circuit vacated the rule in January 2025, finding the FCC exceeded its statutory authority. As of mid-2025 the bundled consent approach is no longer federally prohibited, but the FCC could try a revised rule, and Florida's law imposes similar restrictions on its own.

Can I text someone who is on the do-not-call list?

No. The FCC confirmed that marketing text messages sent via an autodialer face the same TCPA restrictions as voice calls, including the DNC registry. Sending a marketing text to a number on the DNC list without consent violates the TCPA just as an autodialed voice call would. Scrub your SMS marketing lists against the DNC registry the same way you scrub call lists.

What is the TRACED Act and how does it affect robocall compliance?

The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, signed into law in December 2019, directed the FCC to mandate STIR/SHAKEN caller ID authentication, raised penalties for intentional TCPA violations, and pushed federal agencies to coordinate robocall enforcement. It let the FCC impose penalties up to $10,000 per call for illegal robocalls without the prior warning requirement that used to apply. Carriers must now implement STIR/SHAKEN or face FCC enforcement.

Do robocall laws apply to ringless voicemails?

Yes. The FCC has treated ringless voicemails dropped straight to a consumer's voicemail server as covered calls under the TCPA. They need the same prior express written consent as a prerecorded voice call to a cell phone for marketing. The argument that ringless voicemails escape TCPA coverage because they don't make the phone ring has been rejected by the FCC.

What states have their own robocall laws stricter than the TCPA?

Florida, Texas, California, Oklahoma, and Indiana all have state telemarketing or automated-calling statutes that go beyond the federal TCPA minimum. Florida's Telephone Solicitation Act is the most litigated, requiring prior express written consent for all autodialed calls and texts and allowing a private right of action with $500 to $1,500 per violation. Texas requires certain telephone solicitors to register with the state and keeps its own DNC list.

How long do I have to honor a do-not-call request from someone I called?

Under the TCPA and TSR, you must honor a consumer's do-not-call request within 30 days of receiving it. The number goes on your internal suppression list and comes off all future marketing calls. There is no exception for existing customers or established business relationships once a specific do-not-call request is made. Calling the number again after the 30-day window is a clear TCPA violation.

Can a robocall lawsuit be filed as a class action?

Yes, and that's why TCPA exposure is so severe for outbound teams. The private right of action ($500 to $1,500 per call) plus the class action mechanism means one bad campaign can become a nine-figure lawsuit. Courts have certified TCPA class actions over campaigns involving tens of thousands to millions of recipients. There is no TCPA damages cap. Dish Network faced a $280 million judgment in 2017 from a TCPA/TSR enforcement action.

Sources

  1. U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act), via Cornell Legal Information Institute: The TCPA restricts autodialed calls, prerecorded voice messages, and artificial voice calls; sets damages at $500 per violation and $1,500 for willful violations; and gives state AGs and private citizens the right to sue.
  2. Federal Trade Commission, Telemarketing Sales Rule (16 C.F.R. Part 310): The TSR prohibits telemarketing calls before 8 a.m. or after 9 p.m. local time, requires DNC list compliance, and mandates specific call disclosures.
  3. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), opinion via Cornell Legal Information Institute: The Supreme Court held that an ATDS must use a random or sequential number generator to store or produce numbers; dialing from a static pre-loaded list does not qualify.
  4. U.S. Department of Justice, United States v. Dish Network LLC, No. 3:09-cv-03073 (C.D. Ill. 2017): A federal court ordered Dish Network to pay $280 million in civil penalties for TCPA and TSR violations, the largest telemarketing civil penalty at that time.
  5. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's FTSA requires prior express written consent for autodialed calls and texts to Florida consumers, restricts calling to 8 a.m. to 8 p.m., and allows a private right of action for $500 to $1,500 per violation.
  6. Texas Legislature, Business & Commerce Code Chapter 305 (Telephone Solicitation): Texas Business & Commerce Code Chapter 305 restricts automated calls and requires registration with the state for certain solicitors, with penalties up to $5,000 per violation.
  7. California Attorney General, California Consumer Privacy Act: The CCPA imposes requirements on how businesses store and use personal information including phone numbers, with statutory damages of $100 to $750 per consumer per incident.
  8. U.S. Court of Appeals for the 11th Circuit, Insurance Marketing Coalition Ltd. v. FCC (2025): The 11th Circuit vacated the FCC's January 2024 one-to-one consent rule in January 2025, finding the FCC exceeded its statutory authority under the TCPA.
  9. Federal Trade Commission, legal library and enforcement guidance: The FTC has stated that using cloned or AI-synthesized human voices in robocalls triggers the same TSR rules as prerecorded calls and may independently violate the FTC Act as a deceptive practice.
  10. FTC, National Do Not Call Registry for telemarketers: Telemarketers must scrub call lists against the DNC Registry within 31 days of each campaign use; area code access fees apply beyond the free annual allotment.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

LeadCompliant
Build My Kit