How do you comply with TCPA: a plain-language how-to guide

TCPA violations cost $500, $1,500 per call or text. Here's exactly how outbound teams stay compliant: consent, DNC scrubbing, call hours, and more.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-09

Compliance officer reviewing TCPA policy documents at a desk with a phone
Compliance officer reviewing TCPA policy documents at a desk with a phone

TL;DR

To comply with the TCPA (47 U.S.C. § 227), you need written prior express consent before calling or texting with an autodialer or prerecorded voice, a signed DNC policy, national and internal DNC list scrubbing every 31 days, call hours restricted to 8 a.m., 9 p.m. local time, and a working opt-out process. Violations can cost $500, $1,500 per individual call or text.

What does the TCPA actually require?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, sets the floor for every outbound call, text, and fax your business sends to a consumer. Congress passed it in 1991. The FCC has been amending the rules ever since, most recently with its one-to-one consent order that took effect January 27, 2025. [1]

At its core the law does three things. It restricts calls and texts made with an automatic telephone dialing system (autodialer) or a prerecorded voice. It creates the National Do Not Call Registry and gives consumers the right to stop calls. And it sets up a private right of action, meaning any person you called can sue you directly without waiting for a regulator to act.

The statute text reads: "It shall be unlawful for any person within the United States... to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice." [11] That one sentence is the source of most TCPA litigation.

Four requirements flow from the statute and FCC rules. You need the right kind of consent. You need to honor opt-outs. You need to scrub DNC lists before every dial. And you need to call during legal hours. Everything else in a compliance program is just the machinery that makes those four things repeatable.

The TCPA draws a sharp line between two consent tiers, and picking the wrong one is how companies end up in class actions.

Prior express consent covers informational, non-marketing calls and texts to a wireless number using an autodialer. The caller just needs to show the consumer gave their number in a context that made calls expected. Signing up for an account and providing a cell number counts.

Prior express written consent is required for any telemarketing or advertising call or text to a wireless number using an autodialer or prerecorded voice. The FCC's 2012 TCPA order tightened this rule. Written consent must be a signed agreement (electronic signature is fine under E-SIGN) that names the seller, discloses that automated calls or texts may come, and is not a condition of buying anything. [2]

The FCC's one-to-one consent rule added another layer starting January 27, 2025. Written consent must be obtained by the specific seller who will contact the consumer. The old lead-gen practice of getting a single consent that covers dozens of partners is gone. [1]

What "written" actually means: a web form with a clearly labeled checkbox (pre-checked boxes don't count), a text-to-join flow, or a signed paper form. Keep the record of consent, including the timestamp, IP address, the exact disclosure language the consumer saw, and what they submitted. Store those records for at least four years, because that's the outer edge of TCPA's statute of limitations under most courts' reading.

For landline telemarketing calls using a live agent, you only need prior express consent, not written consent. Most modern outbound teams use some form of dialing software, so assume written consent applies unless your legal counsel says otherwise.

How do you handle the National Do Not Call Registry?

The FTC runs the National Do Not Call Registry. Any residential consumer, including wireless numbers, can register. If a number has been on the registry for more than 31 days, you cannot call it for telemarketing purposes without written consent or an established business relationship. [3]

The 31-day scrub rule means you must pull a current version of the registry and compare your call list against it before each campaign. The FTC requires companies to scrub at least once every 31 days. [3] In practice, most compliant teams scrub weekly or at campaign launch because lists go stale fast.

Accessing the registry costs money. The FTC charges per area code per year. As of 2024, the fee is $75 per area code, with the first five area codes free. A subscription covering all U.S. area codes runs around $19,600 per year. [4] Yes, that's real. Budget for it.

Beyond the national registry you must maintain your own internal DNC list. Any consumer who asks not to be called must go on your internal DNC list within a reasonable time, and the FCC has said that means no later than 30 days. You cannot call them again, even if they are not on the national registry. [5]

Established business relationship (EBR) is a partial exemption. If a consumer made a purchase or inquiry within the past 18 months, or made an inquiry within the past 3 months, you may call despite their national DNC registration. But if they told you specifically to stop calling, EBR does not override that. [12]

TCPA by the numbers Key thresholds every outbound team must know 500 Statutory damages per negli… violation 1,500 Statutory damages per willf… violation 31 DNC scrub required every (days) 75 FTC DNC Registry fee per area code (USD/yr) Source: 47 U.S.C. § 227; FTC DNC Registry fee schedule; 47 CFR § 64.1200

The FCC restricts all telephone solicitations to between 8 a.m. and 9 p.m. local time at the called party's location. [5] That is the consumer's time zone, not yours.

This matters a lot for east-coast teams calling west-coast numbers, or for any national campaign. A call placed at 6 p.m. EST hits a California consumer at 3 p.m., fine. A call placed at 11 p.m. EST hits that same California consumer at 8 p.m., also fine. The trouble runs the other direction: a 7 a.m. EST call hits California at 4 a.m., which is a clear violation.

Some states go further. Florida's Mini-TCPA (FTSA) restricts calls to 8 a.m., 8 p.m. [6] Washington state and Oklahoma have similar restrictions. Your software should block calls outside legal windows by the consumer's time zone, not the dialer's.

Sunday and holiday restrictions are a separate state-law issue. Several states restrict or prohibit telemarketing on Sundays. Check the laws of every state where you have contacts on your list. The safest operating window for a national campaign is Monday through Saturday, 9 a.m., 8 p.m. in the consumer's local time.

How do you comply with TCPA for text messages specifically?

Text messages sent via an autodialer or in bulk are covered by the TCPA the same as voice calls. The FCC confirmed this in 2003 and courts have consistently upheld it. Every rule above, consent, DNC scrubbing, calling hours, applies to SMS and MMS.

For text marketing, you need prior express written consent. The clearest way to get it is a text-to-join flow: the consumer texts a keyword to a short code, receives a confirmation message that explains what they signed up for, and replies with another confirmation. Keep that exchange. [2]

Every marketing text must identify the sender clearly, give a way to opt out (STOP is the industry standard keyword), and carry no deceptive content. When someone replies STOP, UNSUBSCRIBE, CANCEL, END, or QUIT, you must honor it immediately and send one final confirmation message. After that, no more texts. [5]

Message frequency matters too. If your opt-in says "up to 4 messages per month" and you send 12, that is a problem on multiple fronts: it may exceed what the consumer consented to and could affect your carrier relationships.

For a deeper look at building a compliant texting program, see our guide on text message marketing and text messaging marketing.

One practical note: peer-to-peer (P2P) texting where a live agent manually sends each message from a true 10-digit number generally falls outside the autodialer definition and avoids the consent requirement for the autodialer restriction specifically. You still cannot text someone on your internal DNC list, and you still cannot send deceptive content. But P2P is a real tool for small outbound teams that want to reduce TCPA exposure.

What written policies and records does your company need?

The FCC requires any company engaged in telephone solicitation to have a written policy available on demand for maintaining an internal DNC list. [5] This is not optional and it is not long, but it must exist in writing.

At minimum your written DNC policy should state who is responsible for maintaining the list, how opt-out requests are recorded and within what timeframe, how long numbers stay on the list (the FCC says permanently unless the consumer requests removal), and how the list is cross-referenced before each campaign.

Beyond the DNC policy, build a records system that captures:

  • Consent records (timestamp, IP, disclosure language, consumer response)
  • Call logs (number dialed, time, date, agent ID, call result)
  • DNC scrub logs (date scrubbed, registry version used, campaign name)
  • Opt-out requests and the date they were processed
  • Training records for anyone who places calls

Retain these records for at least four years. TCPA plaintiffs regularly go back three or four years when filing class actions, and if you cannot produce your consent records, you lose the affirmative defense. Courts have made clear that the burden of proving consent is on the caller, not the plaintiff.

LeadCompliant's compliance kit includes templates for the DNC policy, consent disclosure language, and a call log structure that holds up to discovery. Use a template that has already been reviewed against current FCC rules rather than writing yours from scratch.

How do you train your team to stay compliant?

Written policies mean nothing if the agents making calls do not know them. Training is where most small teams cut corners, and it shows up in litigation.

Every person who places outbound calls should be trained on what an opt-out request sounds like and exactly how to process it, what to do if a consumer says "take me off your list" mid-call (process the request immediately, end the call politely, do not ask why), legal calling hours in their target states, what identifying information they must give at the start of each call (the company's name, the company's phone number or address), and what they can and cannot say under Do Not Call rules.

Document the training. Have each agent sign a record of what they were trained on and when. Refresh training when FCC rules change. The one-to-one consent rule is a good trigger for a refresh if you rely on purchased or shared leads.

For managers, real-time monitoring matters. Listen to call recordings regularly. Look for agents who fail to honor opt-outs, fail to identify the company, or call outside permitted hours. One rogue agent placing hundreds of calls per day can generate exposure that runs into seven figures fast. The Credit One TCPA settlement and the UnitedHealthcare $2.5M alleged TCPA violation both show how quickly systemic calling problems become company-level liability.

What does TCPA compliance cost in practice?

Let's be honest about the numbers so you can budget realistically.

National DNC Registry access: $75 per area code per year, first five area codes free. Full U.S. access runs roughly $19,600 per year. [4] If you only call in five or six states, you can cover just those area codes for a few hundred dollars annually.

Consent management software: varies widely. Simple web form plugins are free. Purpose-built consent and lead management platforms run $200, $2,000 per month depending on volume.

DNC scrubbing services: third-party scrubbing vendors typically charge $0.001, $0.005 per record scrubbed. For a list of 100,000 contacts scrubbed monthly, expect $1,200, $6,000 per year.

Call recording and compliance monitoring: built into most modern dialers, but dedicated compliance monitoring tools add $500, $3,000 per month for mid-size teams.

Legal review: a one-time review of your consent language and DNC policy by a TCPA-focused attorney runs $1,500, $5,000. Worth doing before you scale. Much cheaper than the alternative.

The alternative is ugly. Statutory damages under TCPA run $500 per violation for negligent violations and $1,500 per violation for willful violations. [7] A class action covering 100,000 calls can produce a demand of $150 million. Actual class settlements are smaller, but look at cases like the Cash App TCPA class action settlement and the Truist Bank TCPA class action settlement to see what real resolution costs.

Which state laws add requirements on top of TCPA?

Federal TCPA is a floor, not a ceiling. States can and do pass stricter laws.

Florida's Telephone Solicitation Act (FTSA), often called the Mini-TCPA, is the most aggressive right now. It requires written consent for automated calls and texts, limits calling hours to 8 a.m., 8 p.m., and gives consumers a private right of action with $500, $1,500 per violation, same as federal TCPA. [6] Florida has generated enormous litigation volume since the FTSA was amended in 2021.

California's Consumer Privacy Rights Act (CPRA) is not a direct TCPA analog but affects how you collect and store consent data. If you have California contacts, CPRA compliance is intertwined with your consent records.

Washington State has its own Commercial Electronic Mail Act and restricts automated calls in ways that mirror federal rules but with some different definitions.

Oklahoma, Texas, and Indiana all have state DNC or telemarketing laws that layer on top of the national registry.

The safest approach: treat the strictest applicable state law as your baseline for any campaign, then make sure you also satisfy federal TCPA. If your list includes Florida consumers, apply FTSA written consent requirements to the whole campaign rather than trying to run different consent standards state by state.

Check the TCPA news section regularly because state legislatures keep moving. Five states introduced Mini-TCPA-style bills in 2023 alone.

What are the biggest TCPA compliance mistakes small teams make?

After looking at dozens of TCPA class actions, the same failure patterns keep showing up.

Relying on verbal consent for autodialed marketing calls. Verbal consent satisfies the prior express consent tier for informational calls, but if you are marketing, you need it in writing. Teams that skip the written step because it feels like friction generate exactly the exposure that plaintiffs' attorneys look for.

Buying leads without verifying consent language. A lead vendor tells you their list is "TCPA compliant." That is not enough. You need to see the actual disclosure language the consumer agreed to, when they agreed, and that the consent names your company specifically under the one-to-one rule. [1] If the consent names a different company, it does not cover you.

Skipping port-to-mobile identification. When a landline number gets ported to a wireless number, calls that were once legal under the residential exemption suddenly require written consent. Real-time wireless identification lookup (sometimes called wireless scrubbing or reassigned number checks) catches this. The FCC's Reassigned Numbers Database also helps. [8]

Not processing opt-outs immediately. If a consumer says "don't call me again" at 2 p.m. and your agent calls them again at 4 p.m. the same day because the DNC list hasn't updated yet, that is a willful violation. The process has to run faster than your calling cycle.

Assuming your software vendor handles compliance. Dialers and CRMs are tools. They do not make compliance decisions. They cannot verify consent on your behalf. Compliance is your responsibility as the caller.

For anyone who has received unwanted calls and wants the consumer's perspective, our how to stop robocalls guide explains the process from the other side.

How do you build a TCPA compliance checklist you'll actually use?

A compliance checklist only works if it is short enough to run before every campaign and specific enough to catch real problems. Here is a practical version.

Before launching any call or text campaign:

1. Confirm consent type. Is this marketing or informational? Do you have written consent for every contact on your list if marketing? Are the consent records stored and retrievable?

2. Verify consent recency and specificity. Is the consent dated within a reasonable window? Does it name your company specifically (required under the FCC's one-to-one rule)? [1]

3. Scrub against the National DNC Registry. When was the registry last pulled? Is it within 31 days? [3]

4. Scrub against your internal DNC list. Is your internal list current as of today?

5. Run reassigned number or wireless identification check on any landline-sourced numbers.

6. Confirm calling hours configuration in your dialer. Is it set to the consumer's local time zone, not yours? Does it block calls outside 8 a.m., 9 p.m. (or earlier if your states require it)?

7. Verify caller ID. Is it accurate and callable back? Spoofed or inaccurate caller ID is a separate TCPA violation and a Truth in Caller ID Act violation. [9]

8. Confirm opt-out mechanism is live. For texts, is the STOP keyword active and routing to your DNC list in real time?

9. Check agent training records. Has everyone on the campaign completed TCPA training?

10. Save the checklist completion record. Date it, name the campaign, and store it with your compliance records.

LeadCompliant offers a free TCPA compliance checklist and DNC scrubber tool at leadcompliant.com. The one-time compliance kit includes the consent templates and DNC policy language referenced throughout this guide.

What happens if you get a TCPA complaint or demand letter?

Do not ignore a TCPA demand letter. That is the single most important thing to say here.

TCPA plaintiffs' attorneys often send pre-litigation demand letters. The letter will claim a certain number of unauthorized calls or texts and demand a settlement. Some are legitimate. Some come from serial filers who test whether companies will pay rather than fight. Either way, ignoring the letter does not make it go away, and it can be used as evidence of willfulness if the case proceeds.

Your first move is to pull every record you have on the complaining consumer: consent records, call logs, DNC scrub logs, opt-out processing records. If you have clean records showing valid consent and proper process, you have a strong defense. If you find gaps, that changes the risk calculus.

Contact a TCPA attorney quickly. TCPA defense is a specialist area. A generalist business attorney may not know the current state of autodialer case law or the one-to-one consent developments. TCPA lawyers in your region (see TCPA lawyer Kentucky as one example of jurisdiction-specific resources) can assess whether a demand is realistic.

Small teams sometimes try to negotiate directly. That can work for isolated one-off complaints. It is risky if the plaintiff's attorney is building a class action, because your response can become part of their evidence.

For how a large company handled its exposure, the Albertsons Safeway TCPA settlement is instructive on how these cases resolve at scale.

Frequently asked questions

How do you comply with TCPA if you're a small business making fewer than 100 calls a day?

The TCPA applies regardless of call volume. There is no small-business exemption. You still need written consent for autodialed marketing calls, a written DNC policy, national and internal DNC scrubbing, and calls only between 8 a.m. and 9 p.m. local time. The cost to comply at low volume is modest, maybe a few hundred dollars per year for DNC access and basic record-keeping, but the exposure for a violation is the same $500, $1,500 per call.

Does TCPA apply to B2B calls?

Partly. The TCPA's residential DNC rules and the prior express consent requirements for autodialed calls apply to wireless numbers regardless of whether the number is used for business. If you are calling someone's cell phone for B2B purposes, you still need prior express consent to use an autodialer. The national DNC registry protects residential subscribers, so a cell used purely for business and registered by an individual could still be covered. Do not assume B2B is a free pass.

Can you call or text someone who gave you their number on a web form?

It depends on what the form said. If the form included a clear disclosure that the consumer agrees to receive automated marketing calls or texts from your company specifically, and the consumer affirmatively checked an unchecked box or clicked to agree, that is valid written consent. If the form just collected a phone number with no disclosure, you have no TCPA consent. The FCC's one-to-one consent rule also requires the consent to name your company, not a category of marketers.

The TCPA does not set a fixed expiration date for consent. Courts have generally accepted that consent remains valid until the consumer revokes it. Practically, old consent raises credibility questions and some courts look skeptically at consent obtained years before a call campaign. Most compliance attorneys recommend refreshing consent after 18 to 24 months for active marketing programs. If a consumer opts out, that revokes all prior consent permanently.

What is an autodialer under TCPA?

The Supreme Court addressed this in Facebook v. Duguid (2021), ruling that an autodialer is a system with the capacity to store or produce telephone numbers using a random or sequential number generator, and to dial those numbers. [10] That narrowed the definition from some lower court readings. But many dialers used in outbound sales, including predictive dialers and power dialers, may still qualify depending on their technical architecture. Get a technical assessment of your specific software.

Do you have to honor a STOP text from someone who consented to receive texts?

Yes, immediately and without exception. Under FCC rules and CTIA guidelines, any opt-out keyword (STOP, QUIT, CANCEL, UNSUBSCRIBE, END) must be processed and honored. You may send one final confirmation message acknowledging the opt-out. After that, no more messages. Sending even one additional marketing text after a STOP response is a clear TCPA violation and courts treat it as willful, making the $1,500 per-violation penalty the applicable figure.

What is the statute of limitations for a TCPA claim?

Most federal courts apply a four-year statute of limitations to TCPA claims under the general federal four-year catch-all statute (28 U.S.C. § 1658). Some state courts apply their state's general limitations period. This means plaintiffs can sue over calls made up to four years ago, which is why you need to retain consent records, call logs, and DNC scrub records for at least four full years.

Are prerecorded voice messages treated differently than live calls under TCPA?

Prerecorded voice messages to wireless numbers require the same prior express written consent as autodialed calls used for marketing. For calls to residential landlines, prerecorded telemarketing messages require prior express written consent and can only reach subscribers who have consented. The FCC prohibited prerecorded telemarketing to residential lines without consent starting in 2013. Informational prerecorded calls to landlines may qualify for an exemption under FCC rules if they are not telemarketing.

Does the TCPA apply to ringless voicemail drops?

The FCC has not issued a definitive final rule, but the agency's 2018 declaratory ruling treated ringless voicemails as calls subject to TCPA. Multiple lawsuits have proceeded on that basis and resulted in settlements. The safe assumption is that ringless voicemail drops require prior express written consent for marketing messages. Treating them as unregulated is a litigation risk.

What records do you need to show TCPA compliance?

At minimum: consent records showing the exact disclosure language seen by the consumer, timestamp, IP address, and their affirmative response; call logs with number, date, time, and agent; DNC scrub logs showing date, registry version, and campaign name; opt-out request logs with processing date; and a signed written DNC policy. Retain all of these for four years. In a lawsuit, the burden of proving consent is on you, not the plaintiff.

Can you buy a lead list and call it without getting new consent?

Not safely under current FCC rules. The one-to-one consent rule requires that consent name the specific seller who will make the contact. A consent obtained by a lead generator that names a generic category of marketers does not transfer to your company as valid TCPA consent. You either need to verify that the consent specifically names you, or get fresh consent before calling. This effectively ended the old practice of calling purchased cold lists with borrowed consent.

How do you scrub a call list against the Do Not Call Registry?

Register at the FTC's registry portal (donotcall.gov), pay the area code fees, and download the registry data for your target area codes. Most teams use a third-party DNC scrubbing service that automates the comparison: you upload your list, they match against the registry and return a scrubbed version. Re-scrub at least every 31 days. Log the scrub date and registry version used for each campaign. Some dialers have built-in DNC scrubbing, but verify that it actually pulls current registry data.

The FCC's December 2023 order amended the TCPA's consent rules to require that written consent for marketing calls and texts be obtained by, and only apply to, the specific company that will contact the consumer. It took effect January 27, 2025. This ended the lead-gen practice of collecting a single consent that covers dozens of downstream buyers. If you use purchased or aggregated leads, your legal team needs to audit your consent chain.

Sources

  1. FTC, National Do Not Call Registry (donotcall.gov): Companies must scrub call lists against the National Do Not Call Registry at least every 31 days.
  2. FTC, National Do Not Call Registry Data and Fees: Registry access costs $75 per area code per year; first five area codes are free; full U.S. access is approximately $19,600 per year.
  3. FCC, 47 CFR § 64.1200, Telephone Consumer Protection Act Rules: Telephone solicitations restricted to 8 a.m.–9 p.m. local time; internal DNC list required; opt-outs must be honored within 30 days.
  4. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida FTSA restricts calling hours to 8 a.m.–8 p.m. and provides a private right of action at $500–$1,500 per violation.
  5. U.S. Code, 47 U.S.C. § 227(b)(3), TCPA Statutory Text: TCPA allows private plaintiffs to recover $500 per violation or actual damages, whichever is greater; willful violations allow up to $1,500 per violation.
  6. FCC, Reassigned Numbers Database: The Reassigned Numbers Database lets callers query whether a number has been reassigned to avoid contacting the wrong consumer.
  7. FCC, Truth in Caller ID Act and Rules, 47 U.S.C. § 227(e): Transmitting misleading or inaccurate caller ID information with intent to defraud or cause harm is prohibited under the Truth in Caller ID Act.
  8. U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an autodialer must use a random or sequential number generator to store or produce numbers; narrowed the TCPA's autodialer definition.
  9. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act (full statute): Statute text: 'It shall be unlawful for any person within the United States... to make any call using any automatic telephone dialing system or an artificial or prerecorded voice' without consent or emergency purpose.
  10. FTC, Telemarketing Sales Rule, 16 CFR Part 310: FTC's Telemarketing Sales Rule establishes established business relationship exemptions: purchase within 18 months or inquiry within 3 months permits calls to DNC-registered numbers.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit