Last updated 2026-07-10

TL;DR
The FCC issued no new TCPA rule in December 2025. The pressure came from earlier 2025 moves. The one-to-one consent rule (effective January 27, 2025) rewrote lead generation. The Supreme Court's Loper Bright decision kept shaking loose old FCC interpretations. Private TCPA litigation ran at full speed, with settlements still landing in the millions.
What was the biggest FCC TCPA development heading into December 2025?
The one-to-one consent requirement was the year's biggest shift, effective January 27, 2025. It came out of the FCC's December 2023 Report and Order (FCC 23-107), and it rewrote how lead generators and their buyers handle prior express written consent [1]. Under the old rule, a consumer could check one box on a comparison website and consent to calls from dozens of companies at once. The FCC killed that. After January 27, 2025, each seller has to get consent individually, and that consent must name the specific company doing the calling.
By December 2025 the rule had been live for nearly a year. Problems that were theoretical in late 2024 were producing real litigation exposure. Any team still pulling leads off multi-seller opt-in forms without auditing them was carrying documented liability into 2026.
The FCC also demanded that calls or texts based on that consent stay "logically and topically" related to what the consumer asked about [1]. That phrase sounds soft. It isn't. A consumer who asked about auto insurance quotes does not, under this standard, consent to debt consolidation calls from a partner company buried in the terms.
December 2025 itself was quiet at the agency. For ongoing TCPA news and how it lands on sales teams, the story was the rule's first full year, not a fresh rulemaking. Enforcement ripples and litigation filings citing the new standard, not new law.
Did the FCC issue any new TCPA orders or rules in December 2025?
No. No major new TCPA rulemaking came out of the FCC in December 2025. The Commission had a busy year, but December was not a period of new TCPA rule adoption.
What the FCC kept doing was processing robocall enforcement under the TRACED Act. The TRACED Act (enacted December 2019) gave the FCC more time to act on robocall violations, up to four years in some cases, and widened the range of entities it can fine [2]. The pipeline of TRACED Act enforcement referrals to the DOJ stayed active through late 2025.
The FCC's Robocall Response Team kept pushing gateway providers to block or reject unsigned traffic under the STIR/SHAKEN framework. If you run outbound calls, your terminating carrier's authentication status matters more now than it did two years ago. Calls that fail STIR/SHAKEN attestation get blocked or labeled as spam before they ever reach a consumer.
One thing to watch going into 2026: AI-generated voice calls. In February 2024 the FCC ruled that AI-generated voices in robocalls count as "artificial or prerecorded" voices under 47 U.S.C. § 227(b)(1)(A), which means they need the same consent as any other autodialed or prerecorded call [3]. Enforcement actions citing that ruling in late 2025 set the precedents that will shape 2026.
How did the Supreme Court's Loper Bright decision affect TCPA enforcement in 2025?
This is where it gets genuinely messy. In June 2024 the Supreme Court overturned Chevron deference in Loper Bright Enterprises v. Raimondo (144 S. Ct. 2244, 2024) [4]. Chevron had told courts to defer to a federal agency's reasonable reading of an ambiguous statute. Loper Bright ended that. Courts now make their own call about what a statute means.
For the TCPA, this matters because the FCC has spent decades issuing orders that interpret "automatic telephone dialing system," "prior express consent," and related terms. Some of those readings are contested. After Loper Bright, defendants have a stronger argument that courts owe the FCC's definitions no special weight.
By December 2025, several district courts had cited Loper Bright in TCPA cases, mostly while fighting over what qualifies as an ATDS after the Supreme Court's own Facebook v. Duguid decision (592 U.S. 395, 2021) [5]. Duguid had already narrowed the ATDS definition, requiring that a dialer use a random or sequential number generator to produce or store numbers. Loper Bright handed defendants another tool to push back on FCC readings that stretch past that.
Here's the honest takeaway. The law is uncertain in spots, and courts are not consistent. What flies in the Ninth Circuit may not fly in the Eleventh. That uncertainty is no excuse to skip consent practices. It does mean your legal bill runs higher if you get sued, because you're litigating questions the courts haven't settled.
What TCPA settlements and enforcement actions were notable in late 2025?
TCPA private litigation never slowed down. The per-violation damages (up to $500 per negligent violation, up to $1,500 per willful violation under 47 U.S.C. § 227(b)(3)) [6] make class actions attractive for plaintiffs' attorneys, and no FCC rulemaking changes that math.
Several of the year's big settlements came from financial services and healthcare companies, continuing a years-long pattern. UnitedHealthcare settled a TCPA case for $2.5 million over alleged autodialed calls. Truist Bank faced a class action settlement tied to similar call practices. Albertsons and Safeway settled a TCPA class action over text message marketing to customers.
These cases share a thread. The conduct usually involved one of three things: calling numbers on the Do Not Call Registry with no established business relationship, using an ATDS without proper written consent, or sending marketing texts to people who never opted in through a compliant mechanism.
The Credit One TCPA settlement and related actions like Joseph Snyder's case against Credit One show how repeat violations pile up damages. The Cash App TCPA class action settlement shows that well-funded tech companies aren't immune either.
December 2025 had a calendar effect. Many cases filed in mid-2025 were entering discovery or settlement talks, and those phases tend to produce public filings and settlement announcements in the December to January window as companies close their books.
What does the one-to-one consent rule actually require in practice?
The FCC's one-to-one consent rule under 47 C.F.R. § 64.1200 (as amended by FCC 23-107) comes down to a few concrete requirements [1].
Written consent has to come from a single seller at a time. A consumer on a mortgage comparison site must see a separate, unambiguous consent request for each lender that wants to contact them by autodialer or prerecorded voice. Bundled consents that list ten companies are gone.
The contact has to be "logically and topically related" to the interaction that generated the consent. If someone fills out a form about homeowner's insurance, a call about life insurance from a different product line at the same company is at least arguably outside the consent scope.
The disclosure must be "clear and conspicuous" under the FCC's standard. It cannot hide in a paragraph of fine print. The consent language needs a font size and placement that a reasonable person would notice before clicking submit.
Buying leads from a third party? You need written documentation that the lead generator got consent meeting this standard for your company specifically. "They told us the leads were compliant" is not a defense. Courts increasingly hold companies responsible for consent quality when they should have known the process was broken.
For teams running their own text message marketing or text messaging marketing, the one-to-one rule covers texts sent via ATDS the same way it covers calls. A web form collecting phone numbers for SMS campaigns has to clearly identify that the consumer is consenting to texts from your specific company.
How does the STIR/SHAKEN framework affect outbound call compliance in December 2025?
STIR/SHAKEN is not a TCPA rule, but it touches TCPA compliance in a practical way teams miss. STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) is an industry standard, mandated by the FCC under the TRACED Act, that authenticates caller ID information [2].
Every call gets an attestation level. A means full attestation (the originating provider certifies the caller is authorized to use that number). B means partial attestation. C means gateway attestation (the provider can only confirm it received the call, not who originated it). Carriers and analytics platforms use these levels, plus other signals, to decide whether to block a call or slap a "Spam Likely" label on it.
By late 2025, most major carriers ran robocall mitigation programs that filtered C-attestation traffic hard. If your outbound team uses a voice over IP provider or a contact center platform, ask them straight out what attestation level your calls get and whether your numbers are registered in the FCC's Robocall Mitigation Database.
Failing STIR/SHAKEN doesn't by itself create TCPA liability. It creates a different problem. Your calls don't reach people, or they reach people who see a spam label and are already hostile when they pick up. That's a business problem stacked on top of any legal risk.
For teams thinking about how to stop robocalls from wrecking their own customers' experience, STIR/SHAKEN is part of the answer the FCC points to.
What are the current TCPA penalties and how are they calculated?
The base TCPA statutory damages are set by 47 U.S.C. § 227(b)(3): $500 per violation for standard violations, $1,500 per violation when a court finds the violation was willful or knowing [6]. Each call or text counts as a separate violation.
The FCC can also impose forfeiture penalties in its own enforcement actions. Under 47 U.S.C. § 503(b), the FCC can assess up to $23,727 per violation (this figure adjusts for inflation and was updated in 2024; confirm the current number at fcc.gov for any enforcement context) [7]. These administrative fines are separate from private litigation damages, and they can stack.
The table below shows the math at different call volumes in a private class action.
| Calls Made | Class Size (Est.) | Damages at $500/call | Damages at $1,500/call |
|---|---|---|---|
| 10,000 | 10,000 | $5,000,000 | $15,000,000 |
| 50,000 | 50,000 | $25,000,000 | $75,000,000 |
| 100,000 | 100,000 | $50,000,000 | $150,000,000 |
Courts do have discretion to cut damages that are wildly disproportionate, but that isn't guaranteed. Many cases settle for amounts between the $500 floor and the $1,500 ceiling per class member, adjusted by how much litigation risk each side is carrying.
For healthcare teams, the Kaiser TCPA settlement is a useful reference for what large-scale exposure looks like in that sector.
What should outbound sales teams actually do right now to stay compliant?
Concrete steps beat general advice here. This is what a small outbound team should have in place as of December 2025.
Document your consent chain. For every phone number in your dialing list, keep a record of when consent was obtained, how, the exact consent language the consumer saw, and the IP address or other identifier tying that person to that consent event. If you bought the lead, get the vendor's written confirmation that this information exists and is accurate for your company specifically.
Audit your ATDS use. After Facebook v. Duguid, the ATDS definition is narrower [5]. The test is what your system does, not what you call it. If your dialer runs a predictive or power mode that generates or sequences numbers automatically, get a written technical opinion from your vendor on how they characterize the system's functions.
Check the National DNC Registry before every campaign. Scrubbing is required within 31 days for numbers on your active calling list under 16 C.F.R. § 310.4(b)(3)(iv) [8]. The FTC's DNC Registry is separate from the TCPA's private right of action, but the violations overlap and compound.
Keep a written internal DNC list. Under 47 C.F.R. § 64.1200(d), companies that make telemarketing calls must maintain their own DNC list and honor opt-out requests within 30 days [9]. A consumer who asks you to stop calling goes on that list, and you check the list before you dial.
Train your team. This sounds basic. Most TCPA violations that end in litigation involve someone on the sales floor who didn't know the rules, or knew and ignored them under pressure to hit a number. A one-hour documented training session per quarter beats a thick compliance manual nobody reads.
LeadCompliant's free compliance kit and number-checker tools are a reasonable starting point for small teams without a compliance attorney on retainer.
How does the TCPA treat text messages differently from phone calls?
Short answer: not very differently. The TCPA's autodialer prohibition at 47 U.S.C. § 227(b)(1) applies to calls "to any telephone number assigned to a... cellular telephone service" [6]. The FCC and courts have held for years that a text message is a "call" under the TCPA. So the ATDS restrictions, the prior express written consent requirements for marketing messages, and the per-violation damages all apply to SMS and MMS.
The one practical difference is that the FCC has separate rules under 47 C.F.R. § 64.1200(a)(2) requiring prior express written consent specifically for autodialed marketing texts to cell phones [9]. That written consent has to clear the same bar as it does for calls: clear, conspicuous, specific to the company, and not a condition of purchase.
One place texts differ slightly. The "established business relationship" exception that covers some DNC Registry restrictions does not give a blanket pass for autodialed marketing texts. You still need prior express written consent for those texts even if the person is a current customer, unless the text is purely informational (like a transaction confirmation) and not promotional.
For teams building SMS campaigns, the legal framework around text messaging marketing is close enough to call compliance that the same documentation practices carry over. Collect written consent. Keep the records. Honor opt-outs right away. Don't run your SMS platform in a mode that qualifies as an ATDS without consent in place.
What are TCPA lawyers watching in December 2025 and into 2026?
Plaintiffs' attorneys who work TCPA cases are watching a few specific areas as 2025 closes.
The one-to-one consent rule is generating its first wave of litigation over violations that happened after January 27, 2025. Cases filed now cite the new rule directly, which can make willfulness easier to argue, because the requirements were well-publicized across the industry all year.
AI-generated voice content is a growing frontier. The FCC's February 2024 declaratory ruling on AI voices [3] set a framework, but courts haven't worked through many cases applying it yet. Any company using AI voice synthesis in outbound calls, for interactive voice response, sales scripting, or anything else, should treat those calls as triggering the full TCPA written consent requirement.
Web-to-phone flows are another live area. A consumer fills out a web form, and that triggers an automated call or text within seconds. Courts have split on whether that immediate response counts as an ATDS-generated call. The risk is real enough that you should have written consent in the web form no matter how the call gets classified.
For teams in states with extra laws, watch closely. Florida's mini-TCPA (FL Stat. § 501.059) is stricter than the federal statute in several ways and has driven a lot of state-level litigation. TCPA lawyers in Kentucky and other states are stacking state-level claims on top of federal TCPA claims in the same lawsuit.
What state laws layered on top of the TCPA matter most in 2025 and 2026?
Several states have their own calling and texting restrictions that go past federal TCPA requirements. Compliance teams have to apply the stricter of federal or state law, and in a lot of states, state law now wins that comparison.
Florida's Telephone Solicitation Act (FTSA, FL Stat. § 501.059) is the most aggressive. It bans autodialed calls and texts to Florida area code numbers without prior express written consent, no matter where the consumer actually is. It carries a private right of action with $500 per violation minimums. It was amended in 2023 to slow a flood of litigation, but the core restrictions stayed tough [10].
California runs multiple overlapping frameworks. The TCPA applies, and so do CCPA data rights that affect how you keep consent records and answer deletion requests. A consumer exercising a CCPA deletion right for their phone number effectively revokes consent for calls.
Oklahoma, Washington, and several other states have updated their telemarketing statutes in the past two or three years with provisions that parallel TCPA requirements but carry different definitions or exceptions. The National Conference of State Legislatures tracks these [11].
The safest posture for a small team is to apply the most restrictive standard across your whole list rather than juggle different rules by area code. The operational headache of running two consent standards isn't worth the thin coverage you gain from the looser federal rule in non-FTSA states.
Where can I find the actual FCC TCPA rules and orders?
The FCC publishes its rules in Title 47 of the Code of Federal Regulations. The TCPA implementing rules sit mostly at 47 C.F.R. § 64.1200 [9]. The FCC's website at fcc.gov has a Consumer and Governmental Affairs Bureau section with guidance documents, declaratory rulings, and enforcement actions [7].
The enabling statute is 47 U.S.C. § 227, which you can read directly on congress.gov [6]. The statute text controls when it conflicts with an FCC rule, and post-Loper Bright, courts are reading that text more independently.
For recent orders, the FCC's Electronic Comment Filing System (ECFS) lets you search by docket number. The one-to-one consent rule sat in docket CG 02-278 [1]. The AI voice ruling was a separate declaratory ruling in early 2024.
The FTC's DNC Registry rules live at 16 C.F.R. Part 310 (the Telemarketing Sales Rule) [8]. The FTC and FCC have overlapping jurisdiction over telemarketing, and both can bring enforcement actions. They coordinate but operate independently.
Frequently asked questions
When did the FCC's one-to-one consent rule take effect?
The FCC's one-to-one consent rule, adopted in FCC 23-107, took effect January 27, 2025. It requires each seller to get consent individually and bars the bundled opt-in forms that let multiple companies share a single consumer consent. Any lead generation campaign that started after that date without individual consents is potentially non-compliant.
What is the TCPA penalty per illegal call or text in 2025?
The TCPA sets statutory damages at $500 per violation for standard violations and $1,500 per violation for willful or knowing violations, under 47 U.S.C. § 227(b)(3). Each individual call or text counts as a separate violation. In a class action, these amounts multiply by the number of class members, which is why even modest-volume campaigns can generate multi-million dollar exposure.
Does the FCC's AI voice ruling from 2024 still apply in December 2025?
Yes. The FCC's February 2024 declaratory ruling held that AI-generated voices in robocalls are "artificial or prerecorded" voices under 47 U.S.C. § 227(b)(1)(A). That ruling was not overturned in 2025. Any outbound call using AI voice synthesis for marketing purposes requires the same prior express written consent as a traditional prerecorded robocall.
How does Loper Bright affect TCPA cases in 2025?
The Supreme Court's June 2024 Loper Bright decision ended Chevron deference, meaning courts no longer automatically defer to FCC interpretations of ambiguous TCPA terms. Defendants are using Loper Bright to challenge FCC definitions of ATDS and consent. The practical effect is more litigation uncertainty, not less compliance obligation. Courts still enforce the statute; they just interpret it independently.
What is the difference between the FCC's DNC rules and the FTC's DNC Registry?
The FTC administers the National Do Not Call Registry under the Telemarketing Sales Rule (16 C.F.R. Part 310). Companies must scrub their lists against the registry every 31 days. The FCC's TCPA rules at 47 C.F.R. § 64.1200(d) separately require companies to maintain their own internal DNC list and honor opt-out requests within 30 days. Both apply simultaneously; violating either one creates separate liability.
Are text messages covered by the TCPA the same way as phone calls?
Yes. The FCC and courts have consistently held that a text message is a "call" under 47 U.S.C. § 227(b)(1). Marketing texts sent via autodialer to cell phones require prior express written consent. The one-to-one consent rule applies to texts. Opt-out requests from texting campaigns must be honored immediately, and senders must maintain internal DNC records.
How often do I need to scrub my call list against the National DNC Registry?
Under 16 C.F.R. § 310.4(b)(3)(iv), you must scrub your calling list against the National Do Not Call Registry no more than 31 days before making a call. If a number appears on the registry and you don't have an established business relationship or prior express written consent, you cannot call it. Annual registry access fees apply to most commercial callers.
What is STIR/SHAKEN and why does it matter for outbound call compliance?
STIR/SHAKEN is a call authentication framework mandated by the FCC under the TRACED Act. It assigns attestation levels (A, B, or C) to calls based on whether the originating carrier can verify the caller ID. Calls with low attestation are more likely to be blocked or labeled spam by terminating carriers. It doesn't create TCPA liability directly, but calls that can't reach consumers create both business and compliance tracking problems.
What is the 'logically and topically related' requirement under the FCC's consent rule?
Under the FCC's one-to-one consent rule (FCC 23-107), any call or text made on the basis of prior express written consent must be logically and topically related to the interaction through which consent was obtained. If a consumer consented while asking about auto insurance, calls about debt consolidation or unrelated products fall outside the consent scope, even from the same company.
Can I rely on a lead vendor's assurance that their leads are TCPA-compliant?
No. Courts have held that companies bear responsibility for verifying the consent quality of leads they purchase when they had reason to know the consent process was deficient. Verbal assurances from lead vendors aren't enough. You need written documentation showing the specific consent language the consumer saw, when they saw it, and that it named your company specifically under the one-to-one consent rule.
What states have their own TCPA-style laws that go beyond federal requirements?
Florida's Telephone Solicitation Act (FL Stat. § 501.059) is the most aggressive, banning autodialed calls and texts to Florida area code numbers without prior express written consent and providing a private right of action. Oklahoma, Washington, and several other states have also updated telemarketing statutes in recent years. California's CCPA creates additional consent record obligations that interact with calling compliance.
How long does a consumer have to file a TCPA lawsuit?
The TCPA's statute of limitations is four years under 28 U.S.C. § 1658, which provides the general federal four-year limitations period for federal statutory claims. Some courts have applied a two-year period based on state law analogies, but four years is the dominant rule. This means violations from early 2022 could still be the basis of litigation filed in late 2025.
What happened with FCC enforcement actions in late 2025?
The FCC continued processing TRACED Act enforcement referrals in late 2025. The TRACED Act extended the FCC's enforcement window and expanded the entities it can fine for robocall violations. Gateway providers carrying high volumes of unauthenticated calls were a primary focus. Specific December 2025 enforcement actions had not been publicly confirmed at time of publication; check fcc.gov for current enforcement releases.
Does the established business relationship exception still protect marketers from DNC rules?
The established business relationship (EBR) exception still allows calls to customers who have transacted with you within 18 months, or inquired within 3 months, even if their number is on the National DNC Registry. But the EBR does not override the TCPA's prior express written consent requirement for autodialed or prerecorded calls to cell phones, and it does not satisfy the FCC's one-to-one consent rule for those call types.
Sources
- FCC, Report and Order FCC 23-107 (Docket CG 02-278), One-to-One Consent Rule: The FCC's one-to-one consent rule (FCC 23-107) required individual seller consent and 'logically and topically related' contact, effective January 27, 2025
- U.S. Congress, TRACED Act (Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act), Public Law 116-105: The TRACED Act extended FCC enforcement timeframes and mandated STIR/SHAKEN call authentication by carriers
- FCC, Declaratory Ruling on AI-Generated Voices in Robocalls (February 2024): The FCC ruled in February 2024 that AI-generated voices in robocalls qualify as 'artificial or prerecorded' voices under 47 U.S.C. § 227(b)(1)(A)
- Supreme Court of the United States, Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244 (2024): The Supreme Court's June 2024 Loper Bright decision overturned Chevron deference, requiring courts to independently interpret ambiguous federal statutes rather than defer to agency interpretations
- Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Facebook v. Duguid held that an ATDS must use a random or sequential number generator to produce or store numbers, narrowing the ATDS definition under the TCPA
- U.S. Congress, 47 U.S.C. § 227, Telephone Consumer Protection Act: 47 U.S.C. § 227(b)(3) sets TCPA statutory damages at $500 per violation and $1,500 per willful or knowing violation; § 227(b)(1) applies the autodialer prohibition to calls to cellular telephone service numbers
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: 16 C.F.R. § 310.4(b)(3)(iv) requires companies to scrub calling lists against the National DNC Registry no more than 31 days before making a call
- Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200, TCPA implementing rules: 47 C.F.R. § 64.1200(a)(2) requires prior express written consent for autodialed marketing texts to cell phones; § 64.1200(d) requires maintenance of an internal DNC list with opt-outs honored within 30 days
- Florida Legislature, FL Stat. § 501.059, Florida Telephone Solicitation Act: Florida's FTSA bans autodialed calls and texts to Florida area code numbers without prior express written consent and provides a private right of action at $500 per violation minimums
- National Conference of State Legislatures, Telemarketing and Robocall State Legislation: Multiple states including Oklahoma and Washington have updated their telemarketing statutes in recent years with provisions that parallel or exceed federal TCPA requirements