Last updated 2026-07-09

TL;DR
No company, lawyer, or software tool can legally guarantee TCPA compliance, because liability turns on facts that change call by call. What you can do is build a consent-capture system, scrub against the National DNC Registry, honor revocations inside the required window, and document everything. Done right, that stack makes a winning TCPA suit against you very hard to bring.
What does 'guaranteed TCPA compliance' actually mean?
Bluntly: nothing. No vendor, law firm, or software platform can promise you will never face a TCPA claim, because TCPA liability turns on facts that change with every call and text. Did you have prior express written consent for that exact number? Was the number reassigned after you captured consent? Did the consumer revoke, and did you honor it in time? Nobody can guarantee those answers in advance.
The Telephone Consumer Protection Act, 47 U.S.C. § 227, was signed in 1991 and has been amended and reinterpreted dozens of times since [1]. Its core rule is simple. You generally cannot use an autodialer or prerecorded voice to call a cell phone, or send a marketing text, without prior express written consent. The word "autodialer" alone has been fought all the way to the Supreme Court. The statute says an ATDS "has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator, and to dial such numbers." [1] Figuring out what that means in practice has cost companies hundreds of millions in legal fees.
When a vendor sells "guaranteed compliance," read the fine print. They usually mean they will indemnify you if their data or dialing platform causes a violation, and only up to a contractual cap. That is useful. It is not a promise you will never get sued.
What are the actual TCPA rules you need to follow?
Four pillars carry most of the weight. Miss any one and you are exposed.
1. Prior express written consent for marketing calls and texts to cell phones. The FCC's 2012 rule change made written consent (electronic or paper) mandatory for autodialed or prerecorded marketing calls to wireless numbers [2]. The consent has to be signed (electronic signatures count), has to clearly authorize calls from your company, has to disclose that consent is not a condition of purchase, and has to specifically reference autodialed or prerecorded calls. Verbal consent does not clear this bar for marketing.
2. National Do Not Call Registry scrubbing. If you make telemarketing calls, you must access the FTC's National DNC Registry, scrub your list within 31 days before dialing, and honor any number that appears on it [3]. The safe harbor asks for a written policy, trained staff, and a company-specific DNC list kept internally alongside the federal registry.
3. Calling time windows. Under 47 C.F.R. § 64.1200, calls may only be placed between 8 a.m. and 9 p.m. local time at the called party's location [2]. That is the federal floor. Plenty of states set tighter windows.
4. Revocation of consent. The FCC's 2024 Order, effective January 27, 2025, requires callers to honor a revocation request within 10 business days [4]. Consumers can revoke by any reasonable means, which the FCC has said includes replying STOP to a text, telling an agent verbally, or sending an email. You cannot dictate how someone revokes.
Those four cover the bulk of TCPA exposure. There are extra rules on abandoned call rates (no more than 3 percent for predictive dialers), caller ID transmission, and prerecorded message identification, but the four above are where most lawsuits start.
What does TCPA compliance actually cost if you get it wrong?
The statute sets damages at $500 per violation, and up to $1,500 per willful violation [1]. Each call or text is its own violation. Run a campaign of 10,000 texts to people who never gave compliant consent and you are staring at exposure up to $5 million before attorneys' fees, which plaintiffs in class actions recover on top of that.
Real settlements show the range. UnitedHealthcare paid $2.5 million to resolve alleged TCPA violations involving automated calls. Credit One Bank faced a major TCPA settlement over autodialed calls to cell phones. Truist Bank settled a TCPA class action over similar allegations. Albertsons and Safeway resolved a TCPA class action tied to text message marketing. One thread runs through every one of these: no consent, or bad consent capture.
The table below shows how damages stack up across common campaign sizes.
| Campaign size (messages) | Statutory damages ($500/violation) | Trebled damages if willful ($1,500) |
|---|---|---|
| 1,000 | $500,000 | $1,500,000 |
| 10,000 | $5,000,000 | $15,000,000 |
| 100,000 | $50,000,000 | $150,000,000 |
| 1,000,000 | $500,000,000 | $1,500,000,000 |
Those numbers explain why plaintiffs' firms hunt these cases. Class certification turns a small compliance gap into an existential threat. The Cash App TCPA class action settlement is a recent example of how fast a single consent failure scales into nine-figure exposure.
Can any vendor or tool actually guarantee TCPA compliance?
No. The promise is structurally impossible, for three reasons.
First, consent is your responsibility. A lead vendor can sell you a list with attestations that each contact consented, but you are the one dialing. Courts have held again and again that the caller, not the data provider, carries primary liability. The FCC's 2024 one-to-one consent rule, effective January 2025, sharpened this by requiring that consent be obtained specifically for your company, not for a vague bucket of "marketing partners" [4].
Second, number reassignment is outside your control. The FCC's Reassigned Numbers Database (RND) exists precisely because numbers get recycled, and the previous owner may have given consent while the new owner never did [5]. Dialing a reassigned number is a TCPA violation even if your original consent record is perfect. The database gives you one free-look safe harbor, but only if you actually run the query.
Third, consent records get challenged. A plaintiff's attorney will subpoena your consent documentation. If your records show a checkbox on a web form but no timestamp, IP address, specific disclosure language, and version of the form the consumer saw, a jury may find the consent insufficient.
What a good compliance vendor can do: scrub lists against the DNC Registry, query the RND, provide audit-ready consent forms, and contractually indemnify you for errors in their data. That is worth paying for. Just do not confuse it with a guarantee.
What is the FCC's one-to-one consent rule and how does it change things?
The FCC adopted new rules in December 2023 requiring that prior express written consent for telemarketing calls and texts come from one specific seller at a time [4]. The rule shut the loophole where a single lead-gen form could list dozens of companies as "marketing partners" and claim consumers consented to all of them at once.
Under the rule, if you buy leads from a third party, the consent form has to name your company specifically, not a category. The consumer has to take an affirmative step, like checking a box, for your company in particular. Bundled or comparison-shopping forms that list 20 companies in a scrollable list no longer clear the standard.
The FCC also said consent must be logically and topically related to the website where it is obtained. A consumer who fills out a form to get a car insurance quote has not consented to calls about home security systems, even if a disclosure buried in the form claims they have [4].
For teams buying aged or shared leads, this rule is a real problem. Many lead vendors still have not updated their capture forms. Request the exact consent language and a screenshot of the form for any leads you purchase, then have counsel review whether the disclosure meets the new standard. If you cannot get that documentation, do not dial those numbers.
How do you actually build a TCPA-compliant outbound process?
This is where most articles go vague. Here is what the process looks like in practice.
Consent capture. Build or buy a consent form that includes a clear description of the calls and texts the consumer is agreeing to receive, your company name specifically, a statement that consent is not required to buy anything, an unchecked checkbox (pre-checked boxes fail most courts' analysis), and a timestamp plus IP address logged at submission. Store that record indefinitely. You will need it in court three years from now.
List scrubbing. Before every dial campaign, scrub against the National DNC Registry [3]. The FTC requires you to access the registry no more than 31 days before calling. Run numbers through the FCC's Reassigned Numbers Database too [5]. Both checks take minutes with API access and cost a sliver of a single lawsuit.
Internal DNC list. Keep your own do-not-call list. Anyone who asks not to be called goes on it right away. Federal rules give you 30 days to honor a request. Many state laws give you fewer. Honor requests within 24 hours if you can. For texts, set your platform to suppress any number that replied STOP, CANCEL, UNSUBSCRIBE, or any other revocation keyword immediately.
Revocation tracking. Under the 2024 FCC Order, you have 10 business days to honor revocation [4]. That sounds like plenty until you remember your CRM, your dialer, and your text platform are three separate systems. The process for syncing an opt-out across all three needs to be documented and tested before you run a campaign, not after a lawsuit lands.
Call recording and documentation. Record outbound calls where state law permits (check two-party consent states first). Keep records of consent, scrub logs, and revocation confirmations. Courts will ask for these.
LeadCompliant's free compliance kit includes a ready-to-use consent form template, a DNC scrub checklist, and a revocation log template. It is a practical starting point if you are building this from scratch.
Caller ID. Transmit your actual number or a number that reaches your company. Spoofing is a separate TCPA and Truth in Caller ID Act violation, but even sloppy caller ID setup creates liability.
Text message marketing overlaps heavily with the above, with extra wrinkles around short codes and carrier requirements. See our text message marketing guide for that detail.
What is the 'safe harbor' and does it actually protect you?
The TCPA includes a safe harbor for companies that keep a written do-not-call policy, train their staff, maintain and honor an internal DNC list, and access the National DNC Registry [3]. Meet all of those, and if a call slips through on an administrative error, the safe harbor can be a defense.
Key word: defense. It does not stop anyone from suing you. It means that if you are sued and the violation came from a genuine error despite reasonable procedures, you may dodge the $500 to $1,500 per-call damages.
The safe harbor does not cover consent failures. Say you called someone on the DNC Registry but had their prior express written consent for telemarketing. You had an argument the Registry listing does not matter. Now flip it. If you had no consent and the number was on the Registry, the safe harbor for scrubbing errors does not save you, because the underlying problem is the missing consent, not a scrubbing slip.
Do not treat the safe harbor as a strategy. Treat it as a backstop for the rare true operational error after you have done everything else right.
What state laws make federal TCPA compliance insufficient?
The TCPA explicitly preserves state laws that offer more protection than the federal statute [1]. Several states have gone further.
California's Auto-Calls statute and the California Consumer Privacy Act interact with the TCPA in ways that need separate analysis. Florida's Telemarketing Act limits calls to residential numbers to between 8 a.m. and 9 p.m., same as federal, but Florida's Mini-TCPA (SB 1120, effective July 1, 2021) created a private right of action for state-law violations with damages up to $500 per call, stacked on top of federal exposure [6]. Florida was briefly the most aggressive state for TCPA-style litigation after that law passed.
Texas, Indiana, and Washington each run telemarketing statutes with their own registration and consent requirements. Maryland requires telemarketers to register with the state. Oklahoma's No-Call Act keeps its own list, separate from the federal DNC Registry.
If you call into multiple states, you need a matrix of state restrictions layered on top of your federal program. Our TCPA news hub tracks state-level developments as they land.
For local counsel in specific jurisdictions, resources like our TCPA lawyer Kentucky page can help you find practitioners who know state-specific exposure.
How do courts decide if an ATDS was used, and why does it matter?
The definition of an automatic telephone dialing system (ATDS) is one of the most litigated questions in TCPA history. In Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), the Supreme Court held that an ATDS has to use a random or sequential number generator to store or produce numbers [7]. A system that just dials from a stored list of specific, targeted numbers is not an ATDS under that reading.
That mattered a lot, because it shrank the universe of systems that trigger the ATDS consent requirement. A predictive dialer working from a curated lead list arguably does not qualify, depending on its architecture. Manual text-to-cell programs may not either.
The relief was partial. Prerecorded voice calls to cell phones still require prior express written consent, ATDS or not [1]. And the FCC has kept pushing interpretations that hold plenty of dialing technology inside the statute's reach. Several circuits are still working through post-Duguid questions.
Practical takeaway: Duguid cut ATDS risk, it did not erase it. If your platform uses automated queuing, preview dialing, or click-to-dial with automation assist, get a written opinion from counsel on whether it counts as an ATDS under current circuit law in the states where you operate. Do not assume Duguid made you safe.
What records should you keep, and for how long?
The TCPA statute of limitations is four years under 28 U.S.C. § 1658 [8]. Keep everything for at least four years from the date of the last call or text to any given contact.
What you keep:
- Signed consent records with timestamp, IP address, form version, and the disclosure language shown at capture
- DNC scrub logs, with the date of each scrub and the version of the registry queried
- Reassigned Numbers Database query logs
- Your internal DNC list, with who requested removal and when
- Revocation records, with the date the request came in and the date you suppressed the number
- Call recordings (where legally permitted)
- Dialer configuration records showing calling-hours settings
- Your written do-not-call policy and training documentation
If you ever get a demand letter or a lawsuit, these records are the difference between a quick dismissal and a six-figure settlement. Plaintiffs' attorneys know exactly what to demand in discovery. If you cannot produce a timestamped consent record for a specific phone number, you are settling.
What do real TCPA lawsuits look like, and who gets sued?
The typical TCPA plaintiff got calls or texts they never consented to, or got called after revoking consent. A big share of TCPA suits come from serial litigants who hunt violations systematically, but the class action mechanism means any single plaintiff can stand in for thousands of people in the same spot.
Look at the cases that settled recently. Kaiser Permanente faced a TCPA settlement involving automated calls. A named plaintiff in a case like Joseph Snyder v. Credit One Bank shows how one individual complaint becomes a class action. In every one, the core question was the same. Did the caller have valid, documented consent at the moment of each call?
Small businesses are not immune. The statute does not scale damages to company size. A startup with 5 employees and a $50,000 texting budget can face the same $500-per-text exposure as a Fortune 500 company. Small companies are often more vulnerable, because they lack dedicated compliance staff, lean on lead vendors without auditing consent quality, and never built the documentation systems needed to defend a suit.
Financial services, healthcare, and insurance face the most TCPA litigation. Solar, home improvement, and political campaigns have all seen case volume jump over the past three years. If you are doing robocalls or text blasts to generate leads at high volume, build this infrastructure before you dial, not after.
How close to 'guaranteed' can you actually get?
Honest answer: very close, but not all the way.
Build a first-party consent process where every contact opts in on a form that names your company, discloses autodialing, and is not a condition of purchase. Store those records with timestamps and IP logs. Scrub against the National DNC Registry within 31 days of every campaign. Query the Reassigned Numbers Database for every number. Honor all revocations within 10 business days or faster. Train your team on calling hours. Keep a written compliance policy. Do all of that, and your actual risk of losing a TCPA lawsuit approaches zero.
Not literally zero. A rogue employee can ignore the rules. A vendor can make a database error. A consumer can lie about their identity when giving consent. The legal standard for an ATDS may shift again. But the practical risk gets small and the safe harbor defenses get strong.
The companies that lose TCPA cases almost always failed at step one. They skipped consent entirely, leaned on vague bundled consent from a lead vendor, or had no documentation to produce in discovery. Those failures are preventable.
LeadCompliant offers free tools, including a DNC checker and a one-time compliance kit with the templates above. Those help you build the paper trail. The underlying legal structure still needs you to execute consistently, and the calls about your specific dialing technology and lead sources still benefit from counsel review.
For updates as the FCC and courts keep reshaping the rules, see our TCPA news coverage and our text messaging marketing compliance guide.
Frequently asked questions
Can a compliance vendor guarantee I will never get a TCPA lawsuit?
No vendor can make that promise. They can indemnify you for errors in their specific data or platform, up to a contractual cap. Liability for whether you had valid consent, whether you honored revocations, and whether your dialer counts as an ATDS rests with you as the caller. A vendor guarantee is a contractual remedy, not a shield against being sued.
How much does a TCPA violation cost per call or text?
The statute sets $500 per violation and up to $1,500 for willful violations. Each call or text is a separate violation. A campaign of 10,000 texts without proper consent could expose you to $5 million in statutory damages before attorneys' fees. Courts have upheld multi-million-dollar class action settlements in cases involving millions of contacts. Source: 47 U.S.C. § 227(b)(3).
What counts as prior express written consent under the TCPA?
The FCC requires a written agreement (electronic signatures count) that clearly authorizes autodialed or prerecorded marketing calls or texts, names the specific seller, states that consent is not required to make a purchase, and is signed by the consumer through an affirmative act like checking an unchecked box. Verbal consent, pre-checked boxes, and consent buried in terms of service do not meet the standard.
Does the Supreme Court's Duguid decision mean I no longer need consent for my dialer?
Not fully. Duguid narrowed the ATDS definition to systems that use a random or sequential number generator. But prerecorded voice calls to cell phones still require prior express written consent regardless of dialer type. And your dialer's architecture may still qualify as an ATDS depending on its design. Duguid cut risk in some scenarios. It did not remove the consent requirement.
How often do I need to scrub my list against the National DNC Registry?
The FTC requires scrubbing no more than 31 days before calling. In practice, most teams scrub before every campaign. The registry is updated monthly and costs roughly $70 per area code per year beyond a free baseline of five area codes. Skipping the scrub is one of the most common causes of TCPA liability.
What is the FCC's one-to-one consent rule and when did it take effect?
The FCC adopted rules in December 2023 requiring that telemarketing consent be obtained for one specific seller at a time. It took effect January 27, 2025. Lead-gen forms that list multiple companies and claim blanket consent for all of them no longer meet the standard. Each company must be named individually and each consumer must take a separate affirmative step for each company.
How quickly do I have to honor a do-not-call or opt-out request?
Under the FCC's 2024 Order, you must honor a revocation request within 10 business days. Federal DNC rules allow up to 30 days for registration on your internal list, but many state laws are shorter. For text messages, STOP replies should suppress future messages immediately through your platform. Documenting the date of the request and the date you suppressed the number is essential.
Are small businesses exempt from TCPA requirements?
No. The TCPA applies regardless of company size. Damages of $500 to $1,500 per call or text apply equally to a two-person startup and a Fortune 500 company. Small businesses are often more vulnerable because they lack compliance infrastructure and rely on lead vendors without auditing consent quality. There is no small-business carve-out anywhere in 47 U.S.C. § 227.
What records do I need to keep to defend a TCPA claim?
Keep consent records with timestamp, IP address, and the exact disclosure language shown at capture. Keep DNC scrub logs, Reassigned Numbers Database query logs, internal opt-out lists with dates, revocation records, and your written compliance policy. The TCPA statute of limitations is four years, so retain everything for at least that long from the date of the last contact with any given number.
Does the TCPA apply to B2B calls and texts?
The TCPA's autodialer and prerecorded-call consent requirements apply to calls to wireless numbers regardless of whether the recipient is a consumer or a business employee. If you are texting or robocalling a cell phone owned by an individual (even a business owner), TCPA applies. Calls to landline business numbers have narrower restrictions, mainly around prerecorded calls and DNC rules.
What is the Reassigned Numbers Database and do I have to use it?
The FCC's Reassigned Numbers Database (RND) tracks numbers that have been disconnected and reassigned to new owners. Using it before dialing gives you a safe harbor if you call a reassigned number: if the database did not flag the number and you called in good faith, you may avoid liability for that call. It is not legally mandatory, but skipping it removes a key defense. Access costs vary but start at a few cents per query.
Can I buy leads and dial them without capturing consent myself?
Technically yes, but it is high risk. You are responsible for the validity of the consent, not the lead vendor. Under the FCC's 2024 one-to-one consent rule, the consent must name your company specifically. If the vendor's form named a different company or used bundled consent, that consent does not cover your calls. Always get the actual consent form language and a screenshot before dialing purchased leads.
What states have stricter TCPA-like laws I need to know about?
Florida's Mini-TCPA (SB 1120, effective July 2021) is among the most aggressive, creating a private right of action under state law with damages up to $500 per call on top of federal exposure. California, Texas, Indiana, Washington, Maryland, and Oklahoma all have telemarketing statutes with requirements that exceed federal minimums. If you call into multiple states, you need a state-by-state compliance matrix.
What is the TCPA safe harbor and when does it protect me?
The safe harbor protects callers who maintain a written DNC policy, train staff, keep an internal DNC list, and access the National DNC Registry, if a violation happens despite those procedures. It is a defense against damages, not a bar to being sued. It covers operational errors in DNC scrubbing, not consent failures. Meeting the safe harbor requirements is a baseline, not a compliance strategy.
Sources
- Cornell Law School LII, 47 U.S.C. § 227 - Telephone Consumer Protection Act: Statutory text of TCPA including ATDS definition, $500/$1,500 per-violation damages, and preservation of state law
- Legal Information Institute, 47 C.F.R. § 64.1200 (FCC rules implementing the TCPA, prior express written consent and 8am-9pm calling hours): FCC requirement for prior express written consent for autodialed/prerecorded marketing calls to wireless numbers; 8am-9pm calling hour restriction
- FTC, National Do Not Call Registry - business information: Requirement to scrub against the National DNC Registry within 31 days before calling; safe harbor conditions
- FCC, Reassigned Numbers Database (official program page): FCC database tracking disconnected and reassigned telephone numbers; one-free-look safe harbor for callers
- Florida Senate, SB 1120 (2021) - Florida Telephone Solicitation Act amendments: Florida Mini-TCPA effective July 1, 2021; state private right of action; damages up to $500 per call
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS must use random or sequential number generator; dialing from a stored list of targeted numbers does not qualify
- Cornell Law School LII, 28 U.S.C. § 1658 - Statute of limitations for federal claims: Four-year statute of limitations applicable to TCPA civil actions
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requirements for DNC scrubbing, internal DNC lists, written policies, and staff training as conditions for safe harbor