Last updated 2026-07-09

TL;DR
The TCPA lets you call and text for marketing, but only with the right level of consent, only to numbers off the National DNC Registry (unless you have a relationship), and only with compliant technology. Get prior express written consent before marketing texts or autodialed calls. Break those rules and exposure starts at $500 per violation, tripling to $1,500 if a court finds willfulness.
What does the TCPA actually allow marketers to do?
The TCPA is not a ban on outbound marketing. It is a rule about how you do it. You can call people. You can text them. You can use automated systems. What the law does is attach conditions to each activity depending on the technology you use and the number you dial. The Telephone Consumer Protection Act, 47 U.S.C. § 227, sets those conditions. [1]
Here is the core structure. Call a landline for commercial purposes and you need prior express consent. Call or text a mobile number using an autodialer or a prerecorded voice and you need prior express written consent for marketing. Dial manually and the restrictions get lighter, though the National DNC Registry rules still apply. [1][2]
The FCC layered on more: time-of-day limits (8 a.m. to 9 p.m. local time at the called party's location), mandatory opt-out mechanisms, and a requirement to keep your own internal do-not-call list that you honor within 30 days of a request. [2]
So the honest answer to 'what can I do' is: quite a lot, as long as you match the right consent type to the right channel and scrub your lists. Most teams that get sued did not lack a compliance program entirely. They had gaps, usually around consent documentation or list hygiene, and a plaintiff's attorney found one.
What is prior express written consent and why does it matter so much?
Prior express written consent is the highest consent standard under the TCPA. You need it before sending any marketing text or making any marketing robocall to a cell phone. The FCC defines it as a written agreement that clearly authorizes the seller to deliver messages using an automatic telephone dialing system or a prerecorded voice, to a specific phone number. The agreement must also disclose that consent is not a condition of purchase. [2]
That last part trips up a lot of teams. If your checkout flow says 'by completing your purchase you agree to receive marketing texts,' that is almost certainly invalid, because it conditions the sale on the consent. The consent has to be genuinely voluntary. [2]
Writing, for TCPA purposes, includes electronic signatures. A checked box on a web form works, as long as the disclosure language is there, the box is not pre-checked, and you can prove what the person saw when they checked it. That means storing a timestamp, the IP address, the version of the form, and the exact disclosure language at that moment. Without that record, your consent is worthless in litigation.
The FCC's 2024 one-to-one consent rule, which took effect in January 2025, added another layer. A single blanket consent cannot cover multiple sellers. If you are a lead generator passing consent to dozens of buyers, each buyer now needs to be specifically named, or the consent does not cover them. [3] This broke a lot of the lead-gen industry's standard practice, and litigation around it is active.
For a look at what happens when consent practices fail at scale, the Credit One TCPA settlement is instructive. So is the UnitedHealthcare $2.5M settlement, which involved calls to numbers where consent was disputed.
Do you need consent for every type of marketing contact?
No, and this is where a lot of teams overcorrect and make compliance more painful than it needs to be. The consent tier you need depends on three things: the technology you use, the type of phone you are calling, and whether the call is marketing or informational.
Here is the plain breakdown:
| Contact Type | Technology | Consent Required |
|---|---|---|
| Marketing call to cell | Autodialer or prerecorded | Prior express written consent |
| Marketing call to cell | Live agent, manual dial | Prior express consent (written not required) |
| Marketing call to landline | Prerecorded | Prior express written consent |
| Marketing call to landline | Live agent | No TCPA consent required (DNC rules still apply) |
| Informational/transactional text | Autodialer | Prior express consent |
| Marketing text | Autodialer | Prior express written consent |
The 'informational' carve-out is narrower than most teams assume. A text that confirms a shipment is informational. A text that says 'your shipment is on the way, and here is a 20% off coupon for your next order' has crossed into marketing and needs written consent. Courts have not drawn a perfectly bright line, but any message designed to generate a sale is treated as marketing. [1][2]
Manual dialing to cell phones is a real strategy some teams use to sidestep the autodialer rules. It works. It also has limits. The autodialer section below covers how courts define autodialing, which matters a lot after the Supreme Court's 2021 decision in Facebook v. Duguid. [4]
What counts as an autodialer under the TCPA today?
This question got a lot cleaner after the Supreme Court decided Facebook, Inc. v. Duguid in April 2021. The Court held that an autodialer must have the capacity to produce phone numbers using a random or sequential number generator, more than the ability to store and dial a list. [4]
That ruling wiped out a wave of claims against companies using list-based dialers, because dialing from a stored list alone does not make a system an autodialer under the federal definition. If your platform dials numbers from a CRM list without any random or sequential generation step, you are probably outside the federal ATDS definition.
Probably, not definitely. Several states have their own definitions that run broader than the federal one. Florida passed its own law in 2021, the Florida Telephone Solicitation Act, with a different and broader autodialer definition. [5] If you are dialing into Florida, treat your technology as an autodialer for state-law purposes regardless of what Duguid says about federal law.
The takeaway is simple. Know what your dialing technology does at a technical level. Get a written statement from your vendor about whether the system uses random or sequential number generation. That documentation matters if you ever have to defend a claim.
How do you stay compliant with the National DNC Registry?
The National Do Not Call Registry is run by the FTC and covers residential landlines and cell phones. Call a listed number for marketing without an established business relationship or written permission, and you have a separate violation stacked on top of any TCPA issue. [6]
The rules are concrete. You must scrub your call lists against the registry at least every 31 days. You have to register with the FTC's Telemarketing Sales Rule database to access the registry, which costs around $79 per area code per year (the first five area codes are free; a national file runs about $22,038 for the 2024 fee year, though FTC pricing changes annually so check their site before you budget). [6]
The established business relationship (EBR) exemption lets you call someone on the DNC list if they purchased from you, inquired about your services, or had a financial transaction with you within the past 18 months. But the moment they ask you to stop calling, the EBR ends and you must add them to your internal DNC list. [6]
Your internal DNC list is not optional. The TCPA requires you to maintain one and honor suppression requests within 30 days. Most companies doing this right suppress within 24 to 48 hours, because the 30-day window is not a grace period to keep calling. It is a compliance deadline.
For a sense of what DNC and consent failures look like in real outcomes, the Truist Bank TCPA class action and the Albertsons/Safeway TCPA settlement are both worth reading.
What are the rules specific to text message marketing?
Text message marketing under the TCPA works like this. Sending marketing texts through any automated platform (which covers virtually every SMS tool on the market) means you need prior express written consent before the first message goes out. Every message must identify who sent it. Every message must include a clear opt-out. And you must honor opt-outs immediately. [1][2]
The FCC's guidance treats 'STOP' as the standard opt-out keyword, and most platforms are built around it. But the FCC has said you cannot require a specific format for opt-out requests. If someone replies 'remove me' or 'unsubscribe,' that has to work too, and your system needs to catch it.
Time-of-day rules apply to texts exactly as they apply to calls: 8 a.m. to 9 p.m. in the recipient's local time zone. Schedule a campaign for 9 a.m. Eastern to a national list and you are texting people on the West Coast at 6 a.m. That is a violation.
The Cash App TCPA class action settlement is a good example of SMS marketing gone wrong at scale. The core issue in most of these cases is the same. Consent records that could not survive scrutiny, or opt-outs that were not processed fast enough.
For a deeper look at building a compliant text program, the guide on text message marketing covers the channel-specific mechanics.
What penalties are you actually exposed to if you get it wrong?
The TCPA's statutory damages are $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations. [1] A violation is generally each individual call or text. This is why class actions under the TCPA are so common and so expensive. Send 100,000 texts without proper consent and your exposure before any settlement talk is $50 million to $150 million.
There is no cap in the statute. Courts have discretion to reduce awards that seem disproportionate, and some have done so, but no guaranteed ceiling exists.
Beyond the statutory exposure, state attorneys general can bring enforcement actions, and the FCC can levy fines separately from private suits. Several states (Texas, Florida, California, Indiana) have their own telemarketing laws running alongside the TCPA that add exposure. [5]
The plaintiff's bar is very active here. TCPA cases make up a large share of federal class action filings, and professional plaintiffs who put their number on marketing lists specifically to generate claims are a real phenomenon. Your best defense is a consent record and a scrubbed list that make the math unfavorable for a plaintiff's attorney.
LeadCompliant's free DNC checker and consent audit tools can help you spot gaps before someone else does. If you want a structured starting point, the compliance kit walks through every checklist item in order.
For context on recent settlement amounts, the Kaiser TCPA settlement shows how large healthcare-sector exposure can get. The TCPA news section tracks ongoing enforcement for teams that want to stay current.
How do you build a consent capture process that actually holds up?
Consent you cannot prove might as well not exist. Courts treat consent as an affirmative defense. If a plaintiff says they never consented, you bear the burden of proving they did. You cannot meet that burden with a general statement like 'we get consent from all our leads.' You need a record. [7]
A defensible consent record looks like this:
- The exact phone number the person entered
- The timestamp (ideally in UTC)
- The IP address of the session
- The URL of the page where consent was given
- The exact text of the disclosure language the person saw
- The version of the form (in case your form changes over time)
- A record that the consent box was not pre-checked
Store this data for at least four years. The TCPA's statute of limitations is four years under 28 U.S.C. § 1658, the general federal four-year statute, though some case law suggests it could be shorter in certain circuits. Four years is the safe standard. [9]
Buying leads from a third party? You need to confirm the lead source captured consent that covers you specifically, post-January 2025, per the FCC's one-to-one consent rule. A contract clause saying 'seller warrants consent was obtained' is not enough on its own. You need to know what disclosure language the consumer actually saw, and whether your company was named. [3]
Audit your consent flows at least quarterly. Forms get changed by developers who do not know the compliance requirements, and a single template update can silently break your consent capture for months before anyone notices.
What should your internal do-not-call process look like?
The mechanics are straightforward. The execution failures are common. You need a single suppression list that every campaign, every channel, and every agent pulls from before dialing or sending. If your sales team runs a CRM, an SMS platform, and a dialer as separate systems, you need an integration or a daily export/import process to keep them in sync. Gaps between systems are where violations happen.
When someone asks to stop receiving calls or texts, that request must be honored across all your marketing. A request to stop texts does not technically require you to stop calls under the TCPA, but most plaintiffs' attorneys will argue otherwise if you keep calling someone who said 'stop contacting me.' Treat any opt-out as a full suppression unless the person specifically says they only want to stop one channel.
For calls, agents need to be trained to say 'I will add you to our do-not-call list' and then actually do it, with a timestamp. Verbal opt-outs over the phone carry the same weight as written ones.
Scrub against the National DNC Registry at least every 31 days. Some teams scrub more often, especially on high-volume campaigns. There is no rule against scrubbing more, and it is a cheap step compared to the exposure.
If you have a small team building this from scratch, the how to stop robocalls guide has useful background on what the registry covers from the consumer side, which helps you understand exactly what you are suppressing against.
Are there any safe harbors or exemptions that might apply to your marketing?
A few exemptions matter in practice.
The established business relationship exemption for DNC calls came up above. It gives you an 18-month window after a transaction and a 3-month window after an inquiry. These are not unlimited. The consumer can revoke them by asking to go on your internal DNC list, and they do not override the TCPA's consent requirements for autodialed or prerecorded calls to cell phones.
Nonprofit organizations have a partial exemption from the DNC rules, though they still must follow the TCPA's consent rules for autodialed and prerecorded calls. [6]
The emergency purpose exemption covers calls made necessary by an emergency affecting the health or safety of consumers. Healthcare and public safety organizations have used it, but courts read it narrowly. Pandemic-era attempts to stretch it into broad outreach got mixed results.
Calls or texts from a business-owned phone to reach consumers are still subject to TCPA rules. The 'business-to-business' exemption some teams try to claim is narrower than most assume. The TCPA has no blanket B2B exemption, though the practical enforcement risk for B2B calls is lower, especially for live-agent calls to business phone numbers.
One exemption worth knowing: the TCPA does not apply to calls or texts to numbers the called party provided specifically for the purpose of being called. If a customer gives you their cell number on a purchase form, that is generally treated as prior express consent for informational calls related to that purchase, though not for unrelated marketing. [1]
What does a compliant marketing workflow look like end to end?
Here is the sequence a team doing this right actually follows:
1. Consent capture. Every lead source is audited. Web forms have proper disclosure language, unchecked opt-in boxes, and logged consent records. Third-party leads come with documentation of what the consumer saw.
2. List building. Numbers run through the National DNC Registry and your internal suppression list before any campaign. This happens before every send, more than when the list is first acquired.
3. Technology check. If the campaign uses an autodialer or prerecorded message, only numbers with prior express written consent go in. If it uses live agents dialing manually, prior express consent (written not required) is enough, though you still cannot call DNC numbers without an EBR or written permission.
4. Message compliance. Every marketing text identifies the sender. Every message has a clear opt-out. Calls use required identification scripts. Time-of-day rules are enforced at the platform level, more than in policy.
5. Opt-out processing. Opt-out requests hit the suppression list within 24 hours. The suppression list syncs to every active campaign and every future list build.
6. Record keeping. Consent records, suppression logs, and campaign records are kept for four years minimum.
7. Quarterly audit. Someone reviews the consent capture forms, the suppression integration, and a sample of recent campaigns against the compliance checklist.
This is not glamorous work. It is operational hygiene. But it is exactly what separates the teams that market for years without incident from the ones that end up as named defendants. The Joseph Snyder Credit One TCPA case is a useful example of how individual fact patterns get scrutinized in litigation.
Frequently asked questions
How are you supposed to market with the TCPA?
Market using the right consent for the right channel. Manual calls to cell phones for marketing need prior express consent. Autodialed or prerecorded marketing calls and texts to cell phones need prior express written consent. All marketing calls have to respect the National DNC Registry and your internal suppression list. Time-of-day rules (8 a.m. to 9 p.m. local time) apply to both calls and texts. Document everything.
Can I send cold marketing texts to people who have not opted in?
No. Marketing texts sent via an automated platform to cell phones require prior express written consent before the first message. Cold texting without consent is a direct TCPA violation. The penalty starts at $500 per text and rises to $1,500 per text for willful violations. There is no safe harbor for texting someone who simply gave you their number at some point without a specific marketing disclosure.
Does the TCPA apply to business-to-business calls?
The TCPA has no blanket B2B exemption. Calls to a person's cell phone can trigger TCPA liability even in a business context. The practical enforcement risk for B2B live-agent calls to office numbers is lower, and the FCC has indicated B2B prerecorded calls fall outside some exemptions. If you are calling mobile numbers, assume TCPA rules apply regardless of the business purpose.
What time of day can I legally call or text someone for marketing?
The TCPA and FCC rules permit marketing calls and texts only between 8 a.m. and 9 p.m. in the called party's local time zone. Not yours. Schedule a campaign for 9 a.m. Eastern and your list includes West Coast numbers, and you are calling those people at 6 a.m., which is a violation. Platform-level time zone enforcement is the only reliable way to handle a national list.
How long do I have to honor a do-not-call request?
You must add the number to your internal DNC list within 30 days of the request and honor it for at least five years. Practically, most compliant teams process suppression within 24 to 48 hours, because the 30-day window is a deadline, not a grace period that allows continued calling. If you call someone back inside the 30 days and they bring a claim, 'we were within the 30-day window' is not a defense courts have reliably accepted.
Does a checked box on a web form count as TCPA consent?
It can, if the box is not pre-checked, the disclosure language near the box clearly states the consumer is agreeing to receive autodialed marketing calls or texts, the disclosure says consent is not required for purchase, and you log the timestamp, IP address, and exact form text. Without that logged record, you cannot prove in litigation that the person actually checked the box and saw the correct disclosure.
What is the FCC's one-to-one consent rule and does it affect me?
The FCC's January 2025 one-to-one consent rule says a single consent cannot authorize marketing contacts from multiple unrelated sellers. If you buy leads from a generator whose form listed dozens of potential buyers, that consent probably does not cover you. You need consent that specifically names your company. This rule directly affects lead buyers and any business using third-party lead sources for autodialed or prerecorded marketing.
How often do I need to scrub my list against the National DNC Registry?
At minimum every 31 days. The FTC's rules require call lists to be checked against the registry no more than 31 days before a call is made. Running high-volume campaigns? Scrub more often. The cost of over-scrubbing is zero. The cost of a DNC violation starts at $500 per call under the TCPA and can reach $51,744 per violation under FTC enforcement as of 2024.
Can I still call someone on the DNC list if we have an existing business relationship?
Yes, under the established business relationship exemption, for up to 18 months after a transaction or 3 months after an inquiry. But if they ask you to stop calling, the EBR ends immediately and you must suppress the number. The EBR exemption applies to the DNC Registry rules. It does not override the TCPA's requirement for prior express written consent if you are using an autodialer or prerecorded voice to reach their cell phone.
What records should I keep to defend a TCPA claim?
Keep for at least four years: consent records (timestamp, IP, form URL, exact disclosure text), your suppression list and opt-out logs, DNC scrub reports with dates, campaign records showing which numbers were contacted and when, and any revocation or opt-out requests with the date received and the date suppressed. Courts have dismissed TCPA claims when defendants produced clean, complete consent records that the plaintiff could not rebut.
What is the difference between prior express consent and prior express written consent?
Prior express consent means the person gave you permission to contact them, usually orally or through an action like entering their number on a form. Prior express written consent is the higher standard required for marketing messages using an autodialer. It requires a signed agreement (including electronic) with a clear disclosure that the person is agreeing to receive autodialed marketing calls or texts, and that consent is not a purchase condition.
How does the Facebook v. Duguid decision change what counts as an autodialer?
The Supreme Court's 2021 Facebook v. Duguid decision held that an ATDS under the TCPA must produce numbers using a random or sequential number generator. A system that merely dials from a stored list does not qualify as an ATDS under the federal definition. This narrowed federal TCPA exposure sharply for list-based dialers, but several states have broader definitions, so check state law in any high-volume market.
Do small businesses really get sued under the TCPA?
Yes. The TCPA's private right of action means any individual or class can sue without waiting for a government agency to act first. Small businesses are attractive targets for exactly this reason. They often lack formal compliance programs, their consent records are poor, and settling is cheaper than litigating. A single marketing campaign with a few thousand texts and no written consent could generate a six-figure demand. Size does not protect you.
What state laws do I need to worry about on top of the TCPA?
Florida's FTSA has a broader autodialer definition and a $500 per-call damages floor. California's CCPA adds data and consent obligations for California residents. Texas, Indiana, and several other states have their own telemarketing laws with separate penalty structures. If you run national campaigns, Florida and California deserve specific attention, because the plaintiff's bar is active in both and the laws amplify your exposure beyond federal minimums.
Sources
- Cornell Law School Legal Information Institute, 47 U.S.C. § 227 (TCPA statute text): TCPA statutory text including $500/$1,500 per-violation damages, consent requirements for autodialed and prerecorded calls, and informational vs. marketing call distinctions
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 651 (2021): Supreme Court held that an ATDS under the TCPA must use a random or sequential number generator; dialing from a stored list alone does not qualify
- Florida Legislature, Florida Telephone Solicitation Act, § 501.059 Fla. Stat.: Florida's FTSA uses a broader autodialer definition than the federal TCPA and creates independent state-law exposure for callers in Florida
- FTC, National Do Not Call Registry (business information): DNC Registry scrubbing requirement (every 31 days), established business relationship exemption (18 months post-transaction, 3 months post-inquiry), and registry access pricing for telemarketers
- Electronic Code of Federal Regulations, 47 CFR Part 64 (FCC rules implementing the TCPA): FCC regulations implementing TCPA consent requirements, internal DNC list obligations, and identification requirements for marketing callers
- FTC, Telemarketing Sales Rule, 16 CFR Part 310: TSR civil penalty authority and telemarketing rules that run alongside the TCPA including the FTC's separate enforcement authority
- Cornell Law School Legal Information Institute, 28 U.S.C. § 1658 (federal statute of limitations): Four-year statute of limitations for federal civil actions under statutes enacted after December 1, 1990, applicable to TCPA claims
- Electronic Code of Federal Regulations, 47 CFR 64.1200 (TCPA telephone solicitation rules): FCC rules on prior express written consent, revocation rights, internal do-not-call list requirements, and treatment of reassigned numbers under the TCPA