Last updated 2026-07-10

TL;DR
A 'compliance point' in TCPA context is the moment a caller or texter can prove consent was lawfully obtained, documented, and preserved for a specific number. Without a defensible compliance point for every contact, each call or text to a cell phone risks a $500 to $1,500 per-violation penalty under 47 U.S.C. § 227. Get the documentation right before you dial.
What does 'compliance point' actually mean under TCPA?
A compliance point is the go/no-go gate before a call or text leaves your system. The phrase is not in the statute. It names the moment in your workflow where you can prove, with a real paper trail, that every legal requirement under the Telephone Consumer Protection Act is met for a given number, on a given date, for a given message type.
Under 47 U.S.C. § 227, three core requirements drive most outbound programs: prior express consent for informational autodialed or prerecorded calls to cell phones, prior express written consent for any telemarketing call or text to a cell phone, and a number that is not on the National Do Not Call Registry (unless an exemption applies) for most outbound sales calls [1]. Your compliance point is where you confirm all three, together, before contact goes out.
The compliance point has four parts: the consent record itself, the scrub against DNC lists, the timestamp and source metadata, and an audit trail someone could hand a plaintiff's attorney tomorrow. Miss any one and the whole thing falls apart in discovery.
See also: TCPA guidelines: what every outbound team must know in 2025 and What does TCPA mean? The plain-English breakdown.
What does the TCPA actually require before you call or text?
The statute bars using an automatic telephone dialing system or a prerecorded voice to call a cell phone without 'prior express consent of the called party.' That is the language of 47 U.S.C. § 227(b)(1)(A) [1]. Marketing raises the bar higher.
The FCC's 2012 rule update (effective October 16, 2013) required 'prior express written consent' for telemarketing robocalls and texts. That means a signed written agreement with a clear disclosure that the consumer agrees to receive such calls and texts, and that consent is not a condition of buying anything [2].
The FCC's 2024 one-to-one consent rule took effect January 27, 2025. Consent now goes to one specific seller at a time. Lead generators can no longer collect a single blanket opt-in and share it across dozens of buyers [3]. That one change wiped out enormous consent databases built on multi-party checkbox language.
For DNC purposes, 47 C.F.R. § 64.1200(c) requires telemarketers to honor the National DNC Registry and keep their own internal DNC list [4]. You scrub against the federal registry before every campaign and honor opt-out requests within 30 days.
See also: TCPA 2025: what changed, what it costs, and how to stay compliant and Telemarketing rules news: what changed and what's coming in 2025-2026.
What does a defensible consent record look like?
A defensible consent record holds six things: the exact language the consumer saw, proof the consumer affirmatively agreed (a checkbox check, a signature, a recorded verbal confirmation), the date and time in UTC, the IP address or session identifier for web opt-ins, the URL of the page where consent was collected, and the specific seller or brand named. The FCC's 2024 one-to-one consent order requires that the seller be 'logically and topically associated' with the website where consent was obtained [3].
This is not paperwork for its own sake. When a TCPA suit lands, the first thing plaintiff's counsel demands in discovery is the consent record for each number on the call list. If you cannot produce a complete record, courts often treat that gap as evidence consent did not exist. In Baisden v. Credit Adjustments, Inc., the court confirmed the burden to prove prior express consent falls on the defendant, not the plaintiff [5].
Some things do not count as prior express written consent. A phone number typed into a general contact form that says nothing about marketing calls. A LinkedIn connection. A business card exchange. A generic privacy policy. People make these mistakes every week.
For a deeper look at what an existing relationship actually protects (and what it does not), see TCPA existing business relationship: what actually protects you.
How much does a TCPA violation actually cost per call?
Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations [1]. Courts have generally treated each individual call or text as one violation. There is no annual cap.
The math gets ugly fast. A campaign that fires 10,000 texts to numbers without proper written consent is a potential $5 million to $15 million exposure before you count attorneys' fees. Class certification turns individual $500 claims into nine-figure liabilities overnight.
Real settlements bear this out. UnitedHealthcare paid $2.5 million to resolve alleged TCPA violations see [UnitedHealthcare settlement]. Credit One Bank has faced multiple TCPA actions see [Credit One TCPA settlement]. Cash App settled a TCPA class action see [Cash App TCPA class action settlement]. Truist Bank, Albertsons, Safeway, and Kaiser all landed on the same list see [Truist Bank TCPA settlement, Albertsons/Safeway TCPA settlement, Kaiser TCPA settlement]. The common thread across every one of those cases is missing or defective consent documentation.
Here is the honest part. For a small outbound team, the bigger near-term risk is not the headline class action. It is a serial plaintiff filing individual suits over a few dozen calls. Those settle for $2,000 to $10,000 each, and the legal fees to respond often cost more than the settlement.
What is the compliance point for SMS and text message marketing?
Text messages sent for marketing need prior express written consent. No exceptions. The FCC treats an SMS the same as a call to a cell phone under 47 U.S.C. § 227(b)(1)(A)(iii) [1]. Written consent for texts means an agreement, including an electronic one, that the consumer signed (clicked, typed, or otherwise affirmatively submitted) after seeing a clear disclosure of who is texting them, that they may receive autodialed marketing texts, and that consent is not required to buy anything [2].
The compliance point for SMS happens before the first message goes out, not at opt-in time. At send, verify four things. The consent record exists and is complete. The number has not been reassigned to a new subscriber since consent was collected (the FCC's Reassigned Numbers Database is the tool for this) [6]. The number is not on your internal suppression list. And the message content matches the category of consent you collected. Consent for 'appointment reminders' does not cover promotional discount texts.
For more on running a compliant text program, see text message marketing and text messaging marketing.
How does the FCC's 2024 one-to-one consent rule change where the compliance point sits?
The compliance point moved upstream. Before January 27, 2025, a lead generation company could drop a single checkbox on a web form and sell that opt-in to dozens of marketers. The FCC's Report and Order in FCC 23-107 ended that practice [3]. Written consent must now come from a single seller at a time, and the website where consent is collected must be 'logically and topically associated' with that seller.
You can no longer accept a shared lead and assume the consent that came with it covers your product. If you buy leads, you now need contractual representations from the seller that the consent was one-to-one, plus your own spot-check process to confirm the consent language named your brand specifically.
The FCC's stated goal was to stop 'consent farms' that tricked consumers into agreeing to calls from 'marketing partners' they never heard of. Courts had already grown skeptical of multi-seller consent forms before the rule change. The rule formalized what aggressive defense attorneys had argued for years.
If your campaigns run on purchased leads, this is the single biggest gap to audit right now. Pull ten random records. Check the consent page each one came from. Ask whether your brand name appears. If it does not, you have a problem.
What is the DNC scrub requirement and when must it happen?
Scrub your call list against the National Do Not Call Registry no more than 31 days before any telemarketing call [4]. This is the FTC and FCC joint requirement under 47 C.F.R. § 64.1200(c)(2) and 16 C.F.R. § 310.4(b)(3)(iv) [4][7]. Scrubbing once at list purchase and then calling that list for six months is not compliant.
You also keep your own internal DNC list. If a consumer tells your agent they do not want to be called, record that request and honor it within 30 days. The internal DNC requirement applies even to calls that have prior express consent, because a consumer can revoke consent at any time.
The reassigned numbers problem deserves its own line. You may hold valid consent from Person A, but if that number was reassigned to Person B, calling Person B is a TCPA violation no matter what your record for Person A says. The FCC launched the Reassigned Numbers Database in 2021 to let callers check for reassignment before dialing [6]. For any list older than a few months, running it through the RND is worth the small per-query cost.
For B2B teams wondering whether these rules touch business lines, the short answer is: sometimes. See TCPA b2b exemption for AI calls: what businesses actually get.
How do you build a compliance point into your outbound workflow?
Build a pre-send checklist that runs automatically before any contact leaves your system, or a manual gate for smaller teams. Here is what that checklist covers.
First, consent verification. Does a valid consent record exist for this number, for this message type, from this specific sender, dated within a reasonable window? For some categories (transactional SMS, appointment reminders) the window may be open-ended. For marketing, fresher is safer.
Second, DNC scrub. Has this number been run against the federal DNC registry within 31 days? Is it on your internal suppression list? Is the consumer in a state with a stricter state DNC law? Florida, Oklahoma, Washington, and Wyoming all carry extra rules.
Third, reassignment check. Is this number still held by the person who gave consent? Run it through the FCC's Reassigned Numbers Database if the consent is more than 90 days old.
Fourth, time-of-day compliance. Under 47 C.F.R. § 64.1200(c)(1), calls may only go out between 8 a.m. and 9 p.m. local time of the called party [4]. Set your dialer to respect time zones.
Fifth, record the check itself. Log the date, the scrub result, the consent record ID, and who or what system approved the contact. That log is your evidence if a lawsuit comes.
LeadCompliant's free checkers and compliance kit cover several of these steps with downloadable templates you can drop into your existing workflow.
To help contacts shut down inbound robocalls, see how to stop robocalls.
What records do you need to keep and for how long?
The TCPA does not spell out a retention period, but the statute of limitations for private TCPA actions is four years under 28 U.S.C. § 1658, the general federal statute of limitations for statutory claims [8]. State attorney general actions may run on different clocks. The working standard across the industry is to keep consent records, DNC scrub logs, and call records for at least four years from the last contact with a given number.
What to store: the original consent record with full metadata, every DNC scrub log with the list version and date, call disposition records (answered, voicemail, hung up, opt-out requested), opt-out requests with the date received and date honored, and any complaints or disputes. If you use a third-party lead vendor, keep the contract and any representations they made about consent quality.
Cloud storage is fine. Format matters less than completeness and fast retrieval. In litigation, if your attorney says 'pull the consent record for 555-867-5309, first contact April 3, 2024,' you need to produce it in under an hour.
Nobody has good industry-wide data on how often incomplete records cause settlements versus how often bad consent is the underlying problem. The two usually travel together. When the consent was actually good, companies tend to have kept better records of it.
What are the biggest compliance point mistakes outbound teams make?
The patterns in TCPA litigation repeat with grim consistency. Five mistakes account for most of it.
The biggest one is assuming a phone number on a purchased list arrives with compliant consent. It usually does not. The consent language on the original form may name a completely different industry or company. Post-2025, that is now a regulatory violation under the one-to-one rule, on top of the litigation risk.
Second is scrubbing too rarely. A list scrubbed in January is not compliant for April calls. Set a calendar reminder or automate it. This is a 31-day rule, not a once-per-campaign rule.
Third is capturing the wrong consent for the channel. Someone who opts in to email marketing has not consented to autodialed texts. Different channels, different consent categories, different requirements.
Fourth is honoring revocations too slowly. The FCC has stated consumers can revoke consent through any reasonable means. If a consumer replies STOP, tells your agent, or emails support, the clock starts. You get a reasonable window to suppress that number, not an unlimited one.
Fifth, and maybe the most avoidable, is no audit trail on the compliance check itself. You may have done everything right. But if you cannot prove it, you cannot defend it. Log the checks.
For recent enforcement context and case developments, see TCPA news. If you are in Kentucky and need local counsel, see TCPA lawyer Kentucky.
Does the TCPA apply differently to AI-generated calls and texts?
Yes, and the rules tightened sharply in 2024. The FCC issued a Declaratory Ruling in February 2024 finding that AI-generated voices in robocalls are 'artificial' voices under 47 U.S.C. § 227(b)(1)(A)(iii) [9]. Any call using an AI voice to a cell phone without prior express consent is a per-call TCPA violation, the same as a traditional prerecorded robocall.
This hits teams using AI sales dialers, voice cloning tools, and conversational AI agents. The technology is newer. The legal treatment is not. If the output is a prerecorded or synthesized voice delivered to a cell phone, the TCPA applies in full.
For text-based AI (chatbots sending SMS), the analysis matches any other autodialed text. If the system sends messages without human intervention to a list of numbers, it almost certainly qualifies as an automatic telephone dialing system under the FCC's reading, and written consent is required for marketing messages.
See also: TCPA b2b exemption for AI calls: what businesses actually get.
What compliance point documentation should you have before a lawsuit arrives?
Litigation readiness is the real test of whether your compliance point program works. Before any suit arrives, you want a consent record management system (even a well-organized spreadsheet beats nothing), a DNC scrub log with dated exports, a suppression list with opt-out timestamps, call recordings or disposition logs for the relevant period, your lead vendor contracts, and any internal compliance policies you have written down.
Get a demand letter and delete nothing. Litigation hold obligations attach the moment you have notice of a potential claim. Deleting records after receiving a complaint is spoliation, and it creates its own legal problem on top of the underlying TCPA issue.
Getting ready before a lawsuit is cheap. A compliance audit, some documentation templates, and a scrub subscription run a few hundred to a few thousand dollars a year for a small team. Compare that to a $50,000 defense and settlement over three bad calls.
LeadCompliant's one-time compliance kit has the core documentation templates and a pre-send checklist you can adapt to your dialer or CRM.
For detailed case examples showing what happens when documentation fails, see the Joseph Snyder Credit One TCPA matter.
Frequently asked questions
What is a compliance point in a TCPA context?
It is the moment in your outbound workflow where you can prove, with documented evidence, that prior express consent exists, the number has been scrubbed against the Do Not Call Registry, and all other TCPA requirements are met for that contact. Without a verifiable compliance point for each call or text, every outbound contact to a cell phone carries statutory risk of $500 to $1,500 per violation under 47 U.S.C. § 227.
Does every outbound call to a cell phone require written consent?
No. Calls made by a human without an autodialer and without a prerecorded message to a cell phone do not require prior express written consent under TCPA. The written consent requirement applies to autodialed or prerecorded calls and to any marketing text to a cell phone. Manual calls still have to respect the National DNC Registry and cannot go out before 8 a.m. or after 9 p.m. local time.
How often do I need to scrub my call list against the DNC registry?
Federal rules require a scrub no more than 31 days before any telemarketing call. A list purchased or scrubbed in January is not compliant for March calls without a fresh scrub. You also check your own internal suppression list before each campaign. The 31-day window is a ceiling, not a suggestion. Tighter is always safer.
What changed with the FCC's one-to-one consent rule in 2025?
Effective January 27, 2025, the FCC's 2024 order in FCC 23-107 requires that written consent be given to one specific seller at a time. The website where consent is collected must be logically and topically related to that seller's business. Shared or pooled consent that covered multiple unnamed 'marketing partners' is no longer valid. Any consent records built on multi-party checkboxes need to be re-evaluated.
Can a consumer revoke TCPA consent, and how fast must you honor it?
Yes. The FCC has made clear consumers can revoke consent through any reasonable channel: a text reply, a verbal request to an agent, an email, or a web form. You must honor revocation within a reasonable time. Industry practice, and FCC guidance, points to within 30 days. Continuing to contact someone after they revoke consent turns a possible mistake into a willful violation at $1,500 per contact.
Does TCPA apply to B2B calls and texts?
TCPA applies to calls made to cell phones regardless of whether the recipient is a consumer or a business professional. The relevant question is whether the number is a cell phone, not whether the person is a consumer. There are some narrower FCC exemptions for calls to business lines (non-cell), but most business professionals use personal cell phones for work, meaning full TCPA requirements apply.
What is the statute of limitations for a TCPA claim?
Four years under 28 U.S.C. § 1658, the general federal statute of limitations for statutory claims. Some state law claims filed alongside TCPA claims may run on different clocks. As a practical matter, keep consent records, DNC scrub logs, and call disposition records for at least four years from the date of last contact with any given number.
Are AI-generated voice calls covered by TCPA?
Yes. The FCC ruled in February 2024 that AI-generated voices qualify as artificial voices under 47 U.S.C. § 227(b)(1)(A), meaning calls using AI voice synthesis to a cell phone without prior express consent are TCPA violations on a per-call basis. The technology is new. The legal treatment is the same as a traditional prerecorded robocall. Prior express consent is required before the call goes out.
What happens if a phone number has been reassigned since consent was collected?
Calling a reassigned number is a TCPA violation even if you have valid consent from the prior subscriber. The FCC's Reassigned Numbers Database lets callers check whether a number has been reassigned before dialing. For any list older than 90 days, running numbers through the RND is a worthwhile step. Courts have generally not accepted 'I didn't know it was reassigned' as a full defense.
Do I need separate consent for calls versus texts?
In practice, yes. While the statute treats both as the same category, consent forms should specifically reference both calls and texts if you intend to use both channels. Consent collected only for 'phone calls' may not clearly cover texts, and a court or regulator could treat them as separate. Be explicit in your opt-in language: name both channels and your brand.
What is the difference between prior express consent and prior express written consent?
Prior express consent applies to informational or transactional autodialed calls to cell phones. It can be verbal or implied (giving your number in the context of an existing transaction). Prior express written consent is the higher bar required for telemarketing, meaning a signed or electronically submitted agreement with specific disclosure language about who will contact you and for what purpose. Marketing calls and texts always need the higher standard.
What records do I need to prove TCPA compliance in a lawsuit?
At minimum: the original consent record with the exact opt-in language, date, time, IP address, and URL; your DNC scrub log dated within 31 days of the call; your internal suppression list; call disposition logs; and any opt-out requests with the date honored. If you bought leads, keep the vendor contract and any consent representations they made. Being able to retrieve a specific number's full history within an hour is the practical test.
How much does a TCPA class action settlement typically cost?
It varies enormously by class size and violation type. Recent notable settlements include UnitedHealthcare at $2.5 million, Cash App's class action settlement, and multiple bank settlements in the eight-figure range. For a small team, individual serial-plaintiff suits settle in the $2,000 to $10,000 range per case, but defense legal fees often exceed the settlement itself. The per-violation statutory damages of $500 to $1,500 multiply by class size to produce the headline numbers.
Is an existing business relationship enough to skip getting written consent?
No, not for autodialed or prerecorded marketing calls to cell phones. An established business relationship was once a partial defense under older FCC rules, but the FCC eliminated it as a substitute for written consent for telemarketing purposes effective October 2013. An existing relationship may support a claim of prior express consent for informational calls, but it does not satisfy the written consent requirement for marketing. Do not rely on it alone.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act (Cornell LII): Statutory damages of $500 per violation ($1,500 for willful violations); prohibition on autodialed or prerecorded calls to cell phones without prior express consent
- FCC, 2012 TCPA Order (FCC 12-21), prior express written consent requirement for telemarketing robocalls effective October 16, 2013: Prior express written consent required for autodialed or prerecorded telemarketing calls and texts to cell phones; consent not a condition of purchase
- FCC, Report and Order FCC 23-107, one-to-one consent rule effective January 27, 2025: Consent must be given to one specific seller at a time; website must be logically and topically associated with that seller
- FCC, 47 C.F.R. § 64.1200, Delivery restrictions on telephone solicitations and telemarketing (Cornell LII): Calls permitted only 8 a.m. to 9 p.m. local time; DNC scrub required within 31 days of call; internal DNC list must be maintained; opt-outs honored within 30 days
- Baisden v. Credit Adjustments, Inc., S.D. Ohio, burden of proof on defendant to establish prior express consent: Burden to prove prior express consent falls on the defendant caller, not the plaintiff
- FCC, Reassigned Numbers Database (official portal): FCC launched the Reassigned Numbers Database in 2021 to allow callers to verify whether a number has been reassigned before dialing
- FTC, 16 C.F.R. § 310.4, Telemarketing Sales Rule, DNC scrub requirements: Telemarketers must scrub against the National Do Not Call Registry no more than 31 days before each call under 16 C.F.R. § 310.4(b)(3)(iv)
- U.S. Code, 28 U.S.C. § 1658, general federal statute of limitations for statutory claims (four years) (Cornell LII): Four-year statute of limitations for private TCPA actions under the general federal statute of limitations for statutory claims
- FCC, Declaratory Ruling, February 2024, AI-generated voices as artificial voices under TCPA: FCC ruled in February 2024 that AI-generated voices constitute artificial voices under 47 U.S.C. § 227(b)(1)(A), making such calls subject to full TCPA consent requirements
- FTC, National Do Not Call Registry, business guidance: National Do Not Call Registry operated by FTC; telemarketers must access and honor registry before making outbound sales calls
- FTC, Consumer guidance on unwanted calls and revoking consent: Consumers can revoke consent through any reasonable means; consumer rights guidance under federal telemarketing and TCPA rules