Last updated 2026-07-09

TL;DR
Auto dialing compliance under the TCPA requires written prior express consent before calling or texting cell phones with an automatic telephone dialing system or prerecorded voice. Violations cost $500 to $1,500 per call or text. The FCC's 2024 one-to-one consent rule, effective January 2025, changed how lead generators must collect and document that consent.
What is auto dialing compliance, and why does it matter right now?
Auto dialing compliance means following the rules that govern when and how you can use automated or semi-automated technology to call or text people. The federal baseline is the Telephone Consumer Protection Act, 47 U.S.C. § 227, passed in 1991 and amended repeatedly since [1]. The FCC implements it. Private plaintiffs enforce it, and they do so aggressively because the statute lets individuals sue for $500 per violation and $1,500 per willful violation with no cap on class size [2].
The stakes are real. A single text blast to 100,000 opted-out numbers could generate nine figures of exposure before you ever see a courtroom. Why does this matter now specifically? The FCC's November 2023 Report and Order on one-to-one consent took effect January 27, 2025 [3]. That order rewrote the lead generation consent model most outbound teams had relied on for a decade. If your consent flows predate early 2025 and you haven't audited them, you're probably out of compliance today.
For more on the broader TCPA framework, the tcpa overview covers the statute's full structure. This article focuses on the auto dialer piece: what counts as an ATDS, what consent you need, what exemptions exist, and how to build a defensible process.
What counts as an automatic telephone dialing system (ATDS) under the TCPA?
This is the most litigated question in TCPA history, and the honest answer is that it's still contested, though it got cleaner after the Supreme Court's 2021 Facebook v. Duguid decision [4].
The statute defines an ATDS as equipment with the capacity "to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers" [1]. Facebook v. Duguid held that the random-or-sequential-number-generator clause modifies both storing and producing. So a system that dials only from a stored list of specific numbers (without generating numbers randomly or sequentially) is not an ATDS under the statute's text.
This matters a lot in practice. A true predictive dialer that generates numbers or pulls from a random-number pool is almost certainly an ATDS. A power dialer that clicks through a pre-uploaded list of known contacts is arguably not, after Facebook. But courts in the Ninth and Eleventh Circuits have applied the ruling differently on edge cases, and the FCC has signaled it may define ATDS more broadly in future rulemaking.
Here's what I'd do. Don't bet your compliance program on the "it's just a list dialer" argument unless you have a lawyer who knows your specific system's architecture and the circuit you operate in. The safer posture is to get consent as if everything you use is an ATDS, because prerecorded voice calls carry their own separate prohibition that has no ATDS requirement at all [1]. Use any kind of recorded message or artificial voice, and you need consent regardless of the dialer type.
Also worth knowing: the FCC's 2015 Omnibus Order defined ATDS very broadly, but the D.C. Circuit largely vacated that order in 2018 in ACA International v. FCC [5]. So there's a gap between 2018 and 2021 where nobody agreed on what an ATDS was. Some carriers and plaintiffs' lawyers are still litigating calls made during that window.
What consent do you need before using an auto dialer?
The TCPA creates different consent tiers depending on the type of call and the purpose. The table below lays them out.
| Call/Text Type | Number Type | Required Consent |
|---|---|---|
| Telemarketing/solicitation call or text | Cell phone | Prior express written consent |
| Telemarketing/solicitation call | Residential landline | Prior express consent (can be oral) |
| Informational/non-commercial call or text | Cell phone | Prior express consent (written not required) |
| Prerecorded voice, any purpose | Cell phone | Prior express written consent |
| Prerecorded voice, informational only | Residential landline | Prior express consent (can be oral) |
For almost every outbound sales or marketing use case, you're in the top row: prior express written consent. The FCC defines this as "an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice" [2].
Electronic signatures count. A checkbox on a web form counts, as long as it meets the requirements: the disclosure must be clear, the consumer must not be required to consent as a condition of purchase, and the consent must go to a specifically identified seller (this is the part that changed in 2025, covered below).
Oral consent for non-commercial informational calls is real, but it's almost impossible to document reliably at scale. For transactional texts like appointment reminders or fraud alerts, oral or implied consent is generally enough. For anything that promotes a product or service, get it in writing.
For a deeper look at how to structure the actual opt-in form, the sms opt in guide walks through the required language and disclosure format. The sms opt-in form article covers the technical implementation.
How did the FCC's 2025 one-to-one consent rule change things?
The old model let a consumer check one box on a lead generation form, and that consent could be shared or sold to dozens of sellers at once. A mortgage lead form might say "I agree to be contacted by our partners" and then distribute that lead to 50 lenders. Each lender could claim TCPA consent based on that single click.
The FCC's November 2023 Report and Order killed that model. The rule, which took effect January 27, 2025, requires that prior express written consent "be obtained on a per-seller basis" and that the consent form "contain a clear and conspicuous disclosure" identifying the specific seller who will be contacting the consumer [3]. Each seller must be named. A consumer must separately agree to hear from each one.
The FCC's order states that consent is valid only where "a consumer has signed an agreement with a single seller at a time" [3]. Blanket multi-seller consent forms no longer satisfy the statute.
Here's what it means operationally. If you buy leads from a third party, you can't rely on the lead vendor's consent form unless it specifically names your company and obtains consent solely for you. You need to either generate your own leads with compliant forms, or get the vendor to show you the exact consent language the consumer saw and confirm it named you. Most lead vendors aren't doing this correctly yet. Verify before you dial.
The rule also requires that the consent be "logically and topically related" to the website where it was collected. A consumer who signs up for a home insurance quote can't then be contacted about solar panels on that same consent. This is a meaningful change for aggregator sites that cover multiple verticals.
For ongoing news on how this rule is being enforced, the tcpa news today and lead generation compliance news sections track FCC orders and cases as they happen.
What are the TCPA's calling time restrictions and do they apply to texts?
The TCPA and its implementing regulations in 47 C.F.R. § 64.1200 prohibit telephone solicitations to residential numbers before 8 a.m. or after 9 p.m., local time at the called party's location [2]. The FCC has applied this same window to text messages used for marketing, treating texts as calls under the statute.
Local time means the recipient's time zone, not yours. If you're in Los Angeles and your list has numbers in New York, your cutoff is 6 p.m. Pacific for the east coast contacts. This trips up a lot of small teams who run one send time across a national list.
Some states are stricter. Florida's Mini-TCPA (Florida Statutes § 501.059) restricts calls to 8 a.m. to 8 p.m. local time for solicitations and adds restrictions on texting [6]. Oklahoma, Washington, and several others have their own time windows or registration requirements.
For B2B calls, the time restrictions are less clear. The TCPA's residential calling restrictions technically apply to "residential telephone subscribers," and most courts have held that cell phones belonging to business owners can qualify. I wouldn't assume B2B gives you a pass on time windows. It just means your exposure is lower if you use a person's business phone number for a business purpose.
State laws layer on top of the TCPA. Compliance with federal rules is a floor, not a ceiling.
Which TCPA exemptions actually apply to auto dialers?
The TCPA has exemptions, but they're narrower than most sales teams hope.
The most commonly cited is the established business relationship (EBR) exemption for residential landline solicitations. If a consumer has done business with you in the past 18 months or made an inquiry in the past 3 months, you can call their residential landline even if they're on the national DNC list. But this exemption does not extend to cell phones and does not help with ATDS calls [2]. A lot of teams think their existing customer base is fully covered by EBR. For cell phones, it isn't.
The emergency purposes exemption covers calls made to protect the health or safety of the recipient or a third party. It's a narrow carve-out for genuine emergencies, not upsells framed as urgent.
Healthcare-related calls have a complicated set of exemptions under HIPAA-adjacent guidance, but the FCC's healthcare exemption rules are specific and conditional. Don't assume "we're in healthcare" means ATDS rules don't apply.
The most practical exemption for outbound teams is the transactional and relationship message exemption for cell phones. If you're sending a text that is purely informational (confirming an appointment, notifying someone their order shipped, sending a fraud alert), you need only prior express consent, not written consent. The moment you add a promotional element, you need written consent and the whole framework snaps back into place.
One more worth knowing: calls to numbers the consumer gave you for the purpose of being contacted qualify for an implied consent argument. If someone gives you their cell number on a contact form asking for a callback, calling them back on that number is generally safe even without a formal TCPA disclosure, as long as the subject of the call matches what they asked about.
How does the national Do Not Call list interact with ATDS rules?
The National Do Not Call Registry and the TCPA's ATDS restrictions are separate but overlapping systems. You can violate one without violating the other, and often you violate both at once.
The DNC Registry, maintained by the FTC under the Telemarketing Sales Rule (16 C.F.R. § 310), prohibits telephone solicitations to registered numbers regardless of whether you use an auto dialer [7]. You must scrub your call list against the registry before each campaign. The FTC charges $17,868 per area code per year for full access (as of 2024; this figure changes annually), and you need to check within 31 days before contacting a number [7].
The TCPA's ATDS rules are separate: they require consent for auto-dialed or prerecorded calls to cell phones regardless of DNC registration. A consumer can be on the DNC list and have given you written TCPA consent, in which case you can call them. A consumer can be off the DNC list but not have given you TCPA consent, in which case you still can't use an auto dialer on their cell.
The practical takeaway: run both checks before any outbound campaign. Scrub against the national DNC and your internal DNC list (which you're required to maintain), and separately verify that you have documented TCPA consent for any cell numbers you plan to auto-dial or text. These are two separate records with different retention needs.
For tcpa sms compliance, the intersection of DNC rules and texting is covered in more detail, including how SMS unsubscribe requests feed into your internal DNC obligations.
What do TCPA violations from auto dialers actually cost?
The statute sets $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations [1]. Each call or text is a separate violation. There's no cap.
Most individual cases settle for far less than the statutory maximum, because defendants can argue good-faith compliance efforts. Class actions are different. The class action mechanism is what makes TCPA litigation expensive enough to threaten small businesses.
Some real numbers from settled or decided cases. In 2019, Capital One agreed to pay $75.5 million to settle a TCPA class action over automated calls to cell phones [8]. In 2017, Dish Network faced a $280 million judgment from the FTC for DNC and TCPA violations, though that figure was later modified on appeal. Papa John's settled a TCPA text message class for $16.5 million in 2013.
For small outbound teams, the more common threat is individual demand letters. A plaintiff's attorney sends a letter claiming 20 calls at $1,500 each, demanding a $28,000 settlement. Most small teams pay because litigation costs more than the demand. This is the business model of the TCPA plaintiffs' bar, and it works.
The best defense is documentation: consent records with timestamps and IP addresses, call logs showing you checked DNC, and opt-out records showing you honored revocations promptly. Show a good-faith compliance program and you have more room in settlement talks and more protection at trial.
LeadCompliant's free compliance kit includes consent log templates and a DNC scrub checklist built for small teams who don't have in-house legal. That kind of documentation is exactly what shifts a settlement conversation in your favor.
How do you handle revocation of consent for auto-dialed calls and texts?
The FCC clarified revocation rules in its 2024 Report and Order on the subject: consumers can revoke consent "at any time through any reasonable means" [9]. The order gives examples: texting STOP, asking verbally during a call, sending an email. You don't get to dictate the only acceptable method.
Once a consumer revokes, you must honor it within a reasonable time. The FCC's 2024 order created a safe harbor: honor revocations within 10 business days and you're protected from liability for calls made before the revocation was processed [9]. This is the number to build your process around.
For texting specifically, STOP (and STOP ALL, UNSUBSCRIBE, CANCEL, END, QUIT) must be recognized as opt-out keywords. You can't require consumers to use a specific format. If someone texts "please take me off your list," that's a valid revocation. Your text message marketing software or SMS platform needs to handle these in real time and sync them to your CRM before the next send.
One thing teams get wrong: revocation from one channel doesn't automatically mean revocation from all channels. If someone opts out of texts, that doesn't necessarily mean they've revoked consent for phone calls, unless they said so clearly. The safer approach is to honor a revocation across all channels unless you have a clear business reason to treat them separately and your original consent captured channel-specific permissions.
For sms double opt-in, the confirmation message is also your first chance to set expectations about how to opt out, which reduces the ambiguous revocation problem later.
What specific records do you need to keep to prove ATDS compliance?
If you can't prove it, you didn't do it. That's the practical reality of TCPA defense.
These are the records you need for every auto-dialed or automated text campaign.
Consent records: the exact opt-in language the consumer saw, the date and time of opt-in, the IP address, and the specific seller or brand they consented to hear from. These need to tie to the specific phone number you contacted. Retention period: at minimum 4 years, because the TCPA's statute of limitations is 4 years under 28 U.S.C. § 1658, and some courts have allowed equitable tolling arguments that stretch it further.
DNC scrub records: documentation that you queried the national registry within 31 days before each campaign, including the date of the query and the list you checked against. The FTC's rules require this, and it's your paper trail that you ran a compliant process.
Call and text logs: outbound records showing the number called, the time, and the campaign it belonged to. Most dialers and SMS platforms log this automatically, but you need to export and store it somewhere you control, more than in the vendor's dashboard.
Revocation records: date and method of every opt-out, with confirmation that the number was suppressed before the next outreach cycle. This is what shows the 10-business-day safe harbor was honored.
Internal DNC list: a running list of all numbers that have requested no further contact, separate from the national registry. You're required to maintain this indefinitely.
For marketing text message service platforms, ask vendors exactly what they log, what format it's exported in, and how long they retain it before deleting. Don't assume your vendor stores everything you'd need in litigation.
Do ATDS rules apply differently for B2B calls?
Partially. The TCPA's restrictions on auto-dialed calls to cell phones apply based on the number type, not the purpose of the call. The statute protects "cellular telephone services" without distinguishing personal from business use [1]. So if a business owner uses a personal cell for business, calling them on that cell with an ATDS requires TCPA consent even if the call is B2B.
The FCC has acknowledged that consent can be implied in certain B2B contexts. If a contact lists their cell number on a business card, a website, or a company directory as their primary contact number, there's a reasonable implied consent argument for calls related to their business role. This is not a safe harbor. It's a defense that has worked in some cases and failed in others.
The cleaner B2B approach is to get express consent during the lead generation process. If you use a web form, a trade show scan, or a content download gate, put a TCPA disclosure in the consent language. It costs you almost nothing to add the disclosure, and it removes a big chunk of litigation risk.
For b2b lead generation platforms gdpr compliance, the overlap of TCPA consent and GDPR lawful basis gets complicated for any operation that contacts EU-based contacts, but the TCPA piece for US B2B is cleaner if you build consent into your lead capture flow.
The practical guidance: treat every cell phone as requiring TCPA consent regardless of whether the contact is a business professional. The cost of the disclosure is zero. The cost of being wrong is not.
How do you build an auto dialing compliance program that holds up?
You don't need a $400/hour lawyer on retainer to run a defensible program. You need documented processes, the right technology configuration, and a consistent audit habit.
Start with your consent flow. Go back to every web form, landing page, chatbot, and offline intake process that captures phone numbers. For each one, ask: does the disclosure name your company specifically, does it clearly state that auto-dialed calls or texts may be sent, and does it avoid making consent a condition of purchase? If any of those are missing, fix the form before your next campaign.
Next, configure your dialer and SMS platform to enforce suppression. Your internal DNC list should load automatically before any campaign launches. Build it so a human override requires a documented reason. Most compliance failures in case filings aren't intentional. They're process gaps where someone manually re-added a suppressed number or launched a campaign before the DNC scrub finished.
Get a process for handling revocations in real time. Text STOP replies should auto-suppress in your platform and sync to your CRM within the same business day. Verbal opt-outs during calls need a clear workflow: the agent marks it, it flows to the suppression list, and it's confirmed in the call log. The 10-business-day FCC safe harbor is your legal target, not your operational goal. Faster is always better.
Run a quarterly internal audit. Pull a random sample of 50 contacts you called or texted in the past 90 days, and for each one verify: consent record exists and is dated before first contact, number was scrubbed against DNC within 31 days of contact, call fell within the 8 a.m. to 9 p.m. window in the recipient's time zone, and any revocation was honored within 10 business days. This takes half a day. Do it every quarter.
LeadCompliant's free compliance kit has the consent form language, audit checklist, and suppression log template laid out in a format small teams can actually use without a dedicated compliance officer. Use it as a starting point, then adapt it for your specific channels and states.
For industry-specific contexts like real estate text message marketing, the consent and disclosure requirements are the same, but the "condition of purchase" prohibition matters even more because many real estate lead forms bundle consent with a request for a property valuation.
Frequently asked questions
Does the TCPA apply to text messages sent by an auto dialer?
Yes. The FCC has consistently held that SMS and MMS messages sent using an ATDS are subject to the same TCPA rules as voice calls. Each text to a cell phone without prior express written consent for marketing purposes is a separate violation carrying a $500 to $1,500 statutory penalty. The FCC's 2015 Omnibus Order, while partly vacated, confirmed this interpretation, and no later ruling has undone it.
Can I use a ringless voicemail drop without triggering TCPA?
Probably not. The FCC declined in 2018 to classify ringless voicemail as outside the TCPA, and most legal practitioners treat ringless voicemail drops to cell phones as calls under the statute. You still need prior express consent, especially if the message is promotional. This is an area where the law isn't fully settled, but assuming you need consent is the only defensible posture.
What happens if I buy leads and the consent form didn't name my company?
Under the FCC's January 2025 one-to-one consent rule, consent that doesn't name your specific company is invalid for TCPA purposes. Calling or texting those numbers with an auto dialer exposes you to liability even if the lead vendor claims consent was obtained. You need to either verify the exact consent language before using purchased leads or collect your own consent naming your company directly.
Is a power dialer or click-to-dial system an ATDS under the TCPA?
After Facebook v. Duguid (2021), systems that dial only from a pre-loaded list without random or sequential number generation are stronger candidates for the "not an ATDS" argument. But this depends on the system's technical architecture and your circuit. Prerecorded voice restrictions apply separately and require no ATDS finding. Get a lawyer to review your specific dialer's mechanics before relying on the non-ATDS argument.
How long do I have to honor a text opt-out request?
The FCC's 2024 revocation order created a 10-business-day safe harbor: honor a revocation within 10 business days and you're protected from liability for any contacts made before the revocation was processed. In practice, your SMS platform should suppress the number automatically the moment a STOP message arrives, making this effectively instant. The 10-day period is a legal floor, not an operational target.
Do I need to scrub cell phones against the national DNC registry?
Yes, for telemarketing calls and texts. The national DNC Registry covers residential telephone numbers, and the FTC applies it to cell phones used for personal purposes. You must scrub within 31 days before contacting any number on a telemarketing campaign. DNC compliance is separate from TCPA consent compliance; you need both, not one or the other.
What's the statute of limitations for a TCPA lawsuit?
Four years under 28 U.S.C. § 1658, the federal catch-all limitations period. Some courts have allowed equitable tolling arguments that extend this in class actions where plaintiffs argue they couldn't have discovered the violation sooner. Retain your consent records, call logs, and DNC scrub documentation for at least five years to be safe.
Are there state laws that are stricter than the TCPA on auto dialing?
Several. Florida's Mini-TCPA (Fla. Stat. § 501.059) restricts calls to 8 a.m. to 8 p.m. and has broader ATDS definitions that don't require the random-or-sequential-generator element the Supreme Court imposed in Facebook v. Duguid. Washington, Oklahoma, and Maryland also have state-level calling restrictions. California's CCPA adds consent and data handling obligations on top of TCPA. State laws apply concurrently with federal rules; the stricter standard governs.
Can a consumer sue me directly, or does the FCC handle TCPA enforcement?
Both, independently. The FCC and FTC can bring enforcement actions and impose substantial fines. But the TCPA also creates a private right of action: any individual can sue you in federal or state court for $500 to $1,500 per call without filing a complaint with any agency first. This private right of action is why TCPA class actions are common; plaintiffs' attorneys aggregate large numbers of small statutory damages into nine-figure cases.
Does the TCPA apply to calls made by a live agent without any auto dialer?
Live manual calls using no ATDS or prerecorded voice aren't covered by the TCPA's auto dialer or artificial voice restrictions. They're still covered by the national DNC Registry rules and the FTC's Telemarketing Sales Rule. You can't call numbers on the DNC list with a live agent for solicitation purposes, and time-of-day restrictions still apply. TCPA consent requirements kick back in the moment you use any automated technology.
What's the difference between prior express consent and prior express written consent?
Prior express written consent is the higher standard, required for telemarketing calls or texts to cell phones using an ATDS or prerecorded voice. It must be in writing (electronic signatures count), must clearly authorize the specific type of contact, and must not be bundled as a purchase condition. Prior express consent (without "written") is the lower standard, sufficient for informational calls to cell phones and for telemarketing calls to residential landlines.
How do I handle an employee's personal cell phone used for outbound sales calls?
The TCPA applies to the calling party's use of an ATDS, not to the individual making the call. If your sales team uses a predictive dialer or auto-dialing software, even calls made through their cell phones are subject to TCPA rules. Manual dialing by a live agent from a personal cell without any automated system is not an ATDS call, but the DNC and TSR rules still govern solicitations.
Is there an exemption for non-profit organizations using auto dialers?
Partially. The TCPA's prohibition on auto-dialed calls covers calls made for telemarketing and solicitation purposes. Purely informational calls by non-profits may not count as telemarketing, lowering the required consent level. But non-profits that make fundraising calls are generally treated as solicitations, and most courts have held that TCPA protections apply regardless of the caller's tax status. Non-profits still need consent for ATDS calls to cell phones.
What should I look for in a dialer or SMS platform to stay TCPA compliant?
Look for platforms that automatically enforce suppression lists before each campaign launch, recognize STOP keywords and sync opt-outs to your CRM in real time, maintain exportable logs of every outbound contact with timestamps, and store consent records tied to individual phone numbers. Ask vendors specifically what happens when a number appears on your DNC list after a campaign is queued; the answer tells you a lot about how seriously they treat compliance.
Sources
- U.S. House of Representatives, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA statutory text defining ATDS, $500/$1,500 penalties, and prerecorded voice restrictions
- FCC, 47 C.F.R. § 64.1200, Rules and Regulations Implementing the Telephone Consumer Protection Act: FCC implementing regulations on prior express written consent definition, time-of-day restrictions, and EBR exemption
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court ruling that ATDS definition requires random or sequential number generation, limiting TCPA ATDS scope
- U.S. Court of Appeals for the D.C. Circuit, ACA International v. FCC, 885 F.3d 687 (D.C. Cir. 2018): D.C. Circuit vacated the FCC's 2015 Omnibus Order's broad ATDS definition
- Florida Legislature, Florida Statutes § 501.059, Telephone solicitation: Florida Mini-TCPA restricts calling hours to 8 a.m. to 8 p.m. and has ATDS definition broader than federal statute
- FTC, Complying with the Telemarketing Sales Rule, business guidance: FTC requires DNC registry scrub within 31 days before each telemarketing campaign; registry access fees updated annually
- U.S. District Court for the Southern District of Florida, Bridging Communities et al. v. Capital One, TCPA class settlement, $75.5 million, 2019: Capital One's $75.5 million TCPA class action settlement in 2019 for automated calls to cell phones without consent
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR governs DNC registry requirements, calling time windows, and telemarketing solicitation rules independent of TCPA
- U.S. Code, 28 U.S.C. § 1658, Statute of limitations for federal civil actions: Four-year federal catch-all statute of limitations applies to TCPA private lawsuits