Anti-robocall law: what every outbound team must know

Federal anti-robocall law lets courts award $500, $1,500 per illegal call. Here's what TCPA, TRACED, and FCC rules require before you dial.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-11

Landline telephone off its cradle on a desk, anti-robocall law concept
Landline telephone off its cradle on a desk, anti-robocall law concept

TL;DR

The primary federal anti-robocall law is the Telephone Consumer Protection Act (47 U.S.C. § 227), strengthened in 2019 by the TRACED Act. Together they restrict autodialed and prerecorded calls, require prior express consent, mandate caller ID authentication (STIR/SHAKEN), and expose violators to $500 to $1,500 per call in statutory damages. State laws add further restrictions on top of the federal floor.

What is the main federal anti-robocall law?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, is the backbone of federal anti-robocall law in the United States. Congress passed it in 1991, and it has been amended several times since. The Federal Communications Commission enforces it at the agency level, and private citizens can sue directly in state or federal court. That private right of action is what makes it dangerous for outbound teams. [1]

The statute covers three transmission types: calls and texts to cell phones using an automatic telephone dialing system (ATDS) or a prerecorded voice, calls to residential landlines using a prerecorded voice, and unsolicited fax advertisements. For most sales and marketing teams, the cell phone provision is the one that creates liability. The consent requirements are strict, and the per-violation damages are fixed by statute, not by actual harm.

The private right of action is what funds the plaintiffs' bar. You don't need to prove actual damages to collect. The statute says a recipient may recover "actual monetary loss" or "$500 in damages for each such violation," whichever is greater, and up to $1,500 per violation if the court finds the violation was willful or knowing. [1] At scale, that arithmetic ends companies.

The FCC has issued dozens of orders interpreting the TCPA over the decades. The 2015 Omnibus Ruling expanded the ATDS definition and the revocation rules. The 2023 Lead Generator Order (effective January 2025) tightened consent further, requiring one-to-one consent so a single form can no longer authorize calls from multiple sellers. [2]

What did the TRACED Act add to robocall law?

The Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, known as the TRACED Act, became law on December 30, 2019. [3] It is the biggest federal update to robocall law since the TCPA itself. It targets both the technology side (spoofed caller ID) and the enforcement side (bigger penalties, more agencies in the fight).

Here are the additions TRACED made:

ProvisionWhat it requires
STIR/SHAKEN mandateVoice service providers must implement caller ID authentication standards
Extended penalty windowFCC can pursue TCPA violations up to 4 years after discovery (up from 2 years)
Minimum civil forfeitureAt least $100 per call for intentional violations, no cap stated in the Act
Interagency coordinationFCC, DOJ, FTC, and state AGs required to share enforcement resources
Call blocking safe harborCarriers can block calls that fail authentication without TCPA liability

STIR/SHAKEN is the part that hits outbound sales teams directly. Your voice service provider cryptographically signs outbound calls so the receiving carrier can verify whether your caller ID is legitimate. Calls that fail attestation get labeled "Spam Likely" or blocked outright. [4] If your VoIP provider hasn't implemented STIR/SHAKEN, your answered-call rate suffers long before any legal issue touches you.

The extended statute of limitations matters too. Under the old rules, the FCC had two years to act on a complaint. Four years is a long time. Conduct that felt consequence-free in 2022 can still generate an FCC enforcement action in 2026.

What are the current FCC rules on robocalls?

The FCC's robocall rules layer on top of the TCPA statute and change through formal rulemaking. Three areas need tracking in 2025: consent rules, do-not-call obligations, and call authentication.

On consent, the FCC's January 2025 rule (from its 2023 Lead Generator Order) requires that written express consent for marketing calls to cell phones name the specific seller, more than a generic consent-to-receive-calls from "our partners." [2] The FCC's own language in the 2023 order states that consumers must "consent to receive calls or texts from one seller at a time." That one-to-one requirement broke the lead generation model hundreds of companies relied on, and the litigation fallout is still unfolding.

On do-not-call, the TCPA incorporates the National Do Not Call Registry rules. Telemarketers must scrub against the registry and cannot call registered numbers without prior express written consent or an established business relationship. [5] The FTC runs the registry. The FCC enforces the TCPA angle.

On call authentication, the FCC's 2021 and 2022 orders under TRACED required all voice providers to implement STIR/SHAKEN and file robocall mitigation plans in the FCC's database. [4] Providers who don't file can have their traffic blocked by downstream carriers. If you use an intermediate provider to route calls, that provider needs to be in the FCC's Robocall Mitigation Database or your calls may never reach their destination.

The FCC also caps abandoned calls at 3% of answered calls per campaign per day, requires disclosures at the start of prerecorded messages, and mandates opt-out mechanisms inside prerecorded messages. [6]

Key numbers in federal anti-robocall law Thresholds and penalties every outbound team must know 500 Statutory damages per viola… (standard) 1,500 Statutory damages per viola… (willful) 4 FCC enforcement window under TRACED Act (years) 3 Max abandoned call rate per campaign per day Source: 47 U.S.C. § 227, TRACED Act (P.L. 116-105), FCC 47 C.F.R. § 64.1200

How much does violating anti-robocall law actually cost?

Statutory damages under 47 U.S.C. § 227(b)(3) are $500 per violation for standard violations and $1,500 per violation if the court trebles damages for willful or knowing conduct. [1] Each individual call or text to a number that should not have been contacted is a separate violation. That is the number that ruins people.

Class actions amplify it fast. A campaign that sends 500,000 texts to a list that was not properly scrubbed can expose the sender to $250 million at $500 per text before trebling. Courts sometimes reduce class action TCPA awards on due process grounds. That is not a plan you can count on.

Real enforcement gives a better sense of outcomes. The FCC issued a $225 million forfeiture against health insurance robocallers in 2021 for roughly 1 billion spoofed calls. [7] In 2023, the FCC proposed a $300 million fine against a single robocall operation. Private class action settlements routinely land in the tens of millions, even for smaller defendants. Solo plaintiffs' attorneys regularly collect $5,000 to $25,000 per defendant in individual demand letters before anyone files a lawsuit.

State attorneys general are active too. Texas, Florida, and Indiana have all brought TCPA-parallel state actions in recent years. Call into those states with a non-compliant campaign and you face exposure from both the private plaintiffs' bar and the state AG at the same time. texas-call-recording-laws and do not call list washington give state-specific context on how these rules compound.

What calls and texts does anti-robocall law actually restrict?

The TCPA turns on three variables: who you're calling (cell or landline), what equipment you're using (ATDS or prerecorded voice), and whether you have the right consent. Get all three right and you're fine. Get one wrong and you have a problem.

For cell phones, any call or text made using an ATDS or a prerecorded/artificial voice requires prior express consent for informational messages and prior express written consent for marketing messages. [1] The ATDS definition has been fought over in courts for years. The Supreme Court narrowed it in Facebook v. Duguid (2021), holding that an ATDS must have the capacity to generate random or sequential numbers, more than dial from a stored list. [8] That decision helped defendants. It didn't make the TCPA go away, and many plaintiffs still argue that specific platform features amount to ATDS functionality.

For residential landlines, the restriction is narrower. Prerecorded voice calls for marketing require prior express written consent. A live agent call to a landline is not restricted the same way, though it is still subject to DNC rules.

Texts (SMS and MMS) count as "calls" under the TCPA. [1] That surprises teams who assume texting runs under a different framework. It doesn't. The same consent and opt-out rules apply.

Exemptions exist for emergency calls, calls by or on behalf of tax-exempt nonprofits in certain contexts, and calls to numbers the called party gave for the specific purpose of being called. Healthcare providers have narrow carve-outs under FCC rules for certain appointment reminders and health messages, and those are often misunderstood.

One trap for small teams: calling a cell phone with a live agent from a manual dialer is generally not a TCPA violation on its own (post-Facebook v. Duguid). But if your CRM auto-populates a dial queue and launches calls without human initiation, you may be back in ATDS territory depending on how the system works.

Prior express written consent is the gold standard for marketing calls and texts to cell phones under the TCPA. The FCC's rules at 47 C.F.R. § 64.1200(f)(9) define it as an agreement in writing that bears the signature of the person called and clearly authorizes the seller to send autodialed or prerecorded marketing messages to a specific number. [6] The agreement must also tell the person they are not required to consent as a condition of buying anything.

In practice, that means a web form with a clear disclosure, a checkbox the consumer affirmatively clicks (pre-checked boxes don't count), and language that names your company specifically. After January 2025, naming "our marketing partners" is not enough. The FCC's one-to-one consent rule means the form has to name your company or the specific brand making the calls. [2]

Revocation is the piece teams ignore until it bites. Consumers can revoke consent by any reasonable means: texting "STOP," calling in to request removal, or telling a live agent to stop calling. The FCC requires you to honor revocation within a reasonable time, and courts read that as promptly, generally within a few business days. Ignoring a revocation and continuing to call is essentially a willful violation. That is exactly where the $1,500 per call exposure lives.

To check consent status and scrub lists before campaigns, LeadCompliant's free compliance checkers help you catch gaps without pulling in outside counsel for every campaign.

Recording calls as proof of consent is a separate legal question with its own state-law overlay. If you record consent calls, read is it against the law to record phone calls before you assume one-party consent applies in every state you're calling.

What is the National Do Not Call Registry and how does it relate to anti-robocall law?

The National Do Not Call Registry is run by the Federal Trade Commission under the Telemarketing Sales Rule (16 C.F.R. Part 310) and the Do-Not-Call Implementation Act of 2003. [5] The TCPA incorporates it by requiring telemarketers to scrub their lists against the registry. The FCC enforces the TCPA angle. The FTC enforces the TSR angle. You can be hit by both.

Registration is permanent. Numbers stay on the registry until they are disconnected and reassigned, or the consumer removes them. Telemarketers must access the registry at least every 31 days and cannot call registered numbers without an established business relationship (EBR) or prior express written consent.

The EBR exemption lasts 18 months from the last transaction or 3 months from the last inquiry. Once that window closes, the number is off-limits for marketing calls no matter what other relationship you have with the customer.

State DNC lists are a separate layer. Many states, including Indiana and Tennessee, run their own lists that may cover numbers not on the federal registry and impose stricter rules. Check indiana do not call list and tennessee do not call list for specifics before running campaigns into those states.

Reassigned numbers are a chronic source of TCPA liability. A number that belonged to a consenting customer may now belong to a stranger. The FCC created a Reassigned Numbers Database (RND) in 2021 to help callers check whether a number has been reassigned since consent was obtained. [4] Using the RND is not legally required, but skipping it when you have easy access is exactly the fact pattern plaintiffs use to argue willful disregard.

What are STIR/SHAKEN and robocall mitigation, and do they apply to your business?

STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) is a technical standard that lets phone carriers verify whether an outbound call's caller ID matches the actual originating number. The FCC mandated implementation for large voice providers by June 2021 and extended the deadline for smaller providers to December 2023, with more flexibility for certain rural carriers. [4]

If you're a direct carrier or you own your own SIP trunks, you may have a robocall mitigation obligation. But most outbound sales teams are just customers of a VoIP or CCaaS provider, not voice providers themselves. In that case, your job is to pick a provider that has implemented STIR/SHAKEN and filed a robocall mitigation plan. Check any provider in the FCC's Robocall Mitigation Database at fcc.gov. If your provider isn't listed with a filed plan, downstream carriers can block your traffic legally and without warning.

Each call gets an attestation level: A (full attestation, the originating carrier confirms it knows the caller and the number), B (partial), or C (gateway, meaning the carrier can't vouch for the caller). Calls with C-level attestation are far more likely to be labeled as spam or blocked. If you're seeing high spam-label rates on your outbound, your carrier's attestation setup is the first place to look, ahead of your content or calling patterns.

A bad attestation level means a lower answer rate, which hurts revenue before any legal exposure shows up. That is the STIR/SHAKEN argument that lands with revenue-focused founders more than the regulatory one.

How do state anti-robocall laws differ from federal law?

Federal law sets a floor. States can and do go further. Several have enacted their own robocall and telemarketing statutes that are stricter than the TCPA in ways that matter.

Florida's Telephone Solicitation Act, amended in 2021, added a separate prior express written consent requirement for autodialed and prerecorded calls, with no EBR exemption and a private right of action worth $500 per call. [9] Florida plaintiffs can now stack federal TCPA claims with state TSA claims for the same call.

Maryland's rules cover outbound calling hours more strictly and carry their own DNC provisions. maryland-call-recording-laws covers recording requirements in that state, which often travel alongside the robocall questions.

Call recording laws are distinct from robocall laws but matter to outbound teams because they apply to the same calls. Eleven states require all-party consent to record a conversation. If you record calls for quality assurance or to document consent, you need the recording law for every state you call into. telephone call recording laws and pennsylvania do not call list are good starting points for two of the more active enforcement states.

The practical advice: treat federal law as the baseline, never the ceiling. Build your compliance stack to the strictest state you call into, and you're covered everywhere else by default. That costs more upfront in process design and far less than defending a Florida TSA class action.

What should outbound teams do right now to comply with anti-robocall law?

This is the part most articles wave past. Here is what actually needs to happen, in roughly the order that matters.

First, audit your dialing technology. Know whether your platform can function as an ATDS under any reasonable reading of the definition. Most modern predictive dialers sit in a gray zone post-Facebook v. Duguid, which is not the same as no risk. Get your vendor to give you a written description of how the system works, and have someone who knows the TCPA read it. This is a one-time task, not an ongoing expense.

Second, fix your consent collection. Every web form, landing page, or inbound call script that collects consent for outbound marketing needs to name your company specifically, use an affirmative opt-in (no pre-checked boxes), state that consent is not a condition of purchase, and capture a timestamp and source URL. Store those fields so they're retrievable for at least four years, given the TRACED Act's extended enforcement window.

Third, build a real-time scrubbing process. Before any campaign sends, scrub your list against the federal DNC registry (every 31 days at minimum), any relevant state DNC lists, your internal DNC list, and the FCC's Reassigned Numbers Database. A list that was clean six months ago is not clean today. [5]

Fourth, document your opt-out handling. Every opt-out, whether it arrives by text, call, web form, or verbally, needs to be logged with a timestamp and pulled from active campaigns within a reasonable time. The FCC treats failure to honor opt-outs as some of the most clear-cut willful violations.

Fifth, check your carrier's STIR/SHAKEN status. Log into the FCC's Robocall Mitigation Database and confirm your provider has a current filing. If they don't, that's worth a conversation with your provider or a reason to switch.

LeadCompliant's one-time compliance kit walks through each step with templates for consent language, opt-out logs, and carrier verification. It's built for teams without in-house legal that still need a documented process. None of this is legal advice, and if you're running a high-volume campaign, outside counsel review of your specific setup is money well spent.

For teams calling into specific states, the state details matter. do not call list illinois and do not call list pa cover two of the more actively enforced state regimes.

Are there exemptions to federal robocall law for certain callers?

Yes, but they are narrower than most teams assume. The most misunderstood exemptions are these.

Political calls: Autodialed or prerecorded calls to cell phones for political purposes still require prior express consent under the TCPA. There is no political exemption for cell phone calls. [1] Some political callers got this wrong and faced enforcement.

Nonprofit calls: Tax-exempt nonprofits under 501(c)(3) have some protection for calls made on their own behalf. That does not extend to calls made by commercial vendors on behalf of the nonprofit. The exemption is narrow and limits what can be discussed.

Healthcare: The FCC has issued specific exemptions for certain healthcare calls, including appointment reminders and prescription notifications, subject to HIPAA and other conditions. These must be free to the recipient, non-commercial, and short. They do not cover sales of health insurance or wellness products.

Established business relationship: For landline calls, an EBR exemption exists. For cell phone calls using an ATDS or prerecorded voice, there is no EBR exemption. This one surprises companies who have existing customers on their books and assume they can freely market to those customers by automated text.

Emergency calls: Calls made necessary by an emergency are exempt. This is genuinely narrow and does not cover general business communications.

The safest position for a commercial outbound team is to assume no exemption applies unless you have reviewed the specific statutory language and FCC guidance for your exact use case. The cost of being wrong about an exemption is the same $500 to $1,500 per call as any other TCPA violation.

Frequently asked questions

What is the federal anti-robocall law called?

The primary federal anti-robocall law is the Telephone Consumer Protection Act, or TCPA, codified at 47 U.S.C. § 227. The TRACED Act of 2019 strengthened it by requiring caller ID authentication (STIR/SHAKEN), extending the FCC's enforcement window to four years, and increasing coordination between federal agencies. Both laws are still in effect and are actively enforced.

What is the new federal robocall law passed in 2019?

The TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence Act) was signed into law on December 30, 2019. It required voice carriers to implement STIR/SHAKEN caller ID authentication, extended the FCC's penalty window, and increased coordination among the FCC, DOJ, FTC, and state attorneys general. It built on the existing TCPA framework rather than replacing it.

What are the new FCC robocall rules that took effect in 2025?

The FCC's one-to-one consent rule, finalized in its 2023 Lead Generator Order, took effect in January 2025. It requires that written express consent for marketing calls and texts name a single, specific seller. A consumer's consent on a lead-gen form can no longer authorize calls from multiple companies. This ended the broad consent model that much of the lead generation industry relied on.

How much can a company be fined for illegal robocalls?

Under 47 U.S.C. § 227(b)(3), statutory damages are $500 per illegal call or text and up to $1,500 per violation if the court finds the violation was willful or knowing. The FCC can also issue civil forfeiture orders: recent examples include a $225 million forfeiture in 2021 and a $300 million proposed fine in 2023. Class actions can aggregate per-call damages into the hundreds of millions.

Does the TCPA apply to text messages?

Yes. The FCC has consistently held that SMS and MMS text messages are "calls" under the TCPA. The same prior express written consent requirement applies to marketing texts sent using an ATDS as applies to autodialed voice calls. Opt-out obligations are also identical: honor STOP requests promptly and do not send further messages after a valid opt-out.

Can I call cell phones with a live agent without TCPA consent?

After the Supreme Court's 2021 decision in Facebook v. Duguid, calls made from a system that dials from a stored list without a random or sequential number generator are less likely to be classified as using an ATDS. A truly manual dial-by-hand call to a cell phone is generally not a TCPA violation. But you still cannot call DNC-registered numbers for marketing, and many modern dialer platforms may still qualify as an ATDS depending on their features.

What is STIR/SHAKEN and why does it matter for outbound sales?

STIR/SHAKEN is a caller ID authentication framework the FCC mandated under the TRACED Act. Your voice provider cryptographically signs outbound calls with an attestation level: A (fully verified), B (partial), or C (unverifiable). Calls with C attestation are commonly labeled "Spam Likely" or blocked. For outbound sales, this directly affects answer rates, so using a provider with proper STIR/SHAKEN implementation is both a compliance and a revenue issue.

How do I check if a number is on the Do Not Call list?

The FTC's National Do Not Call Registry is available at donotcall.gov. Telemarketers must access an updated version of the registry at least every 31 days before running campaigns. The FCC's Reassigned Numbers Database (RND) at fcc.gov is a separate tool that helps identify whether a consented number has since been reassigned to a different person, which is a separate source of TCPA liability.

Political calls to landlines using prerecorded messages are allowed under certain conditions. Political autodialed or prerecorded calls to cell phones require prior express consent under the TCPA, just like commercial calls. There is no general political exemption for cell phone robocalls. Several political organizations have faced FCC enforcement and class action suits for ignoring this rule.

What states have their own anti-robocall or telemarketing laws?

Most states have telemarketing statutes that add requirements on top of the TCPA. Florida's Telephone Solicitation Act (amended 2021) is one of the most aggressive, with its own private right of action and consent requirements. Indiana, Texas, Illinois, Pennsylvania, and Washington all have state DNC lists or telemarketing rules that outbound teams must comply with separately from federal law.

The TCPA does not specify a minimum retention period, but the TRACED Act extended the FCC's enforcement window to four years after discovery of a violation. Practically, retain consent records, timestamps, source URLs, and opt-out logs for at least five years to cover the discovery period plus buffer. Paper or screenshot consent records that can't be queried by phone number are nearly useless in litigation.

What is the Reassigned Numbers Database and do I have to use it?

The FCC's Reassigned Numbers Database (RND) lets callers check whether a phone number has been reassigned to a new person since they obtained consent. Using it is not legally mandatory, but if a number was reassigned and you call the new owner without consent, that is a TCPA violation. Courts have found that ignoring the RND when it is readily available can support a finding of willful disregard.

Can someone sue me personally for TCPA violations, or only my company?

The TCPA's private right of action runs against the entity that made or initiated the call, which is usually the company. However, officers and individuals who direct, authorize, or personally participate in illegal calling campaigns have been held personally liable in some cases. This is more likely when the corporate structure is thin or when the individual was the primary decision-maker for the non-compliant campaign.

Does the anti-robocall law apply to B2B calls?

The TCPA applies to calls based on the type of number called, not the purpose of the call. If a business prospect gets your autodialed or prerecorded call on their personal cell phone, the TCPA applies regardless of whether your pitch is B2B. If the number is a direct business landline, the restrictions are lighter. The practical problem is that many business contacts use personal cell phones as their primary number.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: Statutory damages of $500 per violation, up to $1,500 for willful violations; restrictions on autodialed and prerecorded calls to cell phones; private right of action
  2. FCC, Report and Order FCC 23-107, Lead Generator One-to-One Consent Rule: FCC 2023 order requiring one-to-one consent for marketing calls, effective January 2025; consumers must consent to receive calls from one seller at a time
  3. Congress.gov, TRACED Act (Public Law 116-105): TRACED Act signed into law December 30, 2019; requires STIR/SHAKEN, extends FCC enforcement window to 4 years, increases interagency coordination
  4. FTC, National Do Not Call Registry, Business Guidance: Telemarketers must scrub against the registry every 31 days; EBR exemption lasts 18 months from last transaction or 3 months from last inquiry
  5. FCC, 47 C.F.R. § 64.1200, Rules and Regulations Implementing the TCPA: Definition of prior express written consent; abandoned call rule (3% cap); required opt-out mechanisms in prerecorded messages
  6. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an ATDS must have the capacity to generate random or sequential numbers, not merely dial from a stored list; narrowed ATDS definition
  7. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's 2021 TSA amendment created a state-law private right of action of $500 per call for autodialed or prerecorded marketing calls without prior express written consent
  8. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR governs the National Do Not Call Registry and imposes telemarketing restrictions enforceable by the FTC alongside TCPA enforcement by the FCC

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit