How to document that your dialer requires human intervention

Documenting human intervention in your dialer is your TCPA ATDS defense. Learn exactly what records to keep, which FCC orders matter, and a free checklist.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-09

Compliance manager reviewing call logs and audit records at a standing desk
Compliance manager reviewing call logs and audit records at a standing desk

TL;DR

To beat a TCPA claim that your dialer is an ATDS, you need contemporaneous written records showing a human must actively start each call. That means system architecture docs, call initiation audit trails, agent action timestamps, a signed vendor attestation, and a dated internal policy. Courts and the FCC want evidence created at the time of calling, not after a lawsuit lands.

What does 'human intervention' actually mean under the TCPA?

Human intervention means a live person takes a specific action, like clicking a button or pressing a key, that directly causes your system to dial one number at that moment. The Telephone Consumer Protection Act, 47 U.S.C. § 227, restricts an automatic telephone dialing system, which the statute defines as equipment with the capacity to store or produce telephone numbers to be called using a random or sequential number generator, and to dial those numbers. [1] Whether your dialer qualifies as an ATDS is the most litigated question in TCPA history. The answer almost always comes down to whether a human must do something before each call goes out.

The Supreme Court set the outer boundary in Facebook, Inc. v. Duguid (2021), holding that a system must use a random or sequential number generator to qualify. [2] That narrowed the definition a lot. It did not end the fights. Plaintiffs now argue that many predictive and power dialers still qualify, and circuits disagree on the edge cases.

A dialer that marches through a queue without waiting for any agent input is the textbook ATDS problem. A dialer that sits idle until a human says go on each individual call is the textbook safe side.

The line is not always obvious in modern software. Preview dialers, where an agent reviews a contact record and then clicks to dial, generally fall on the safe side. Predictive dialers, which call ahead of agent availability, generally fall on the dangerous side. Power dialers sit somewhere between, depending on the exact configuration. Documentation is how you prove which side of the line your system is on.

Why does documentation matter if your dialer is already configured correctly?

Because a perfect configuration you cannot prove is worth nothing in court. You cannot walk into a TCPA case and say "trust me, our system requires human intervention." You need evidence created contemporaneously, meaning at or near the time the calls happened, not reconstructed years later when a plaintiff's attorney sends a demand letter.

TCPA cases settle for large sums even when the defendant ran a legitimate system, purely because the defendant could not produce records proving it. The Cash App TCPA class action settlement reached $8.5 million, and documentation gaps are a recurring reason defendants pay rather than litigate to judgment. [3] See the Credit One TCPA settlement for another case where record failures compounded the exposure.

The FCC's 2023 one-to-one consent order added pressure on the documentation side. That order focused on consent, but the agency's enforcement posture makes one thing clear: companies carry the burden of showing compliance. [4] You cannot hand that burden to a plaintiff. You carry it, with records.

There is a second reason that has nothing to do with lawsuits. If your vendor changes a setting, updates an algorithm, or quietly switches your dialing mode, your system might stop requiring human intervention and nobody on your team notices. Regular audit logs catch that. Without them, you could be exposed for months before anyone finds out.

What are the specific records you need to keep?

No single FCC checklist spells out exactly what proves human intervention. What courts have accepted, and what defense counsel keep recommending, falls into five buckets.

System architecture documentation. A written description of how your dialer works at the technical level: what triggers a call, what user action is required, and what the system cannot do on its own. Reference your vendor's published technical specs. Update it every time the vendor pushes a material change.

Vendor attestation. A signed letter from your dialer vendor stating, in plain language, that the system requires affirmative human action to start each individual call and that it does not use a random or sequential number generator to produce or store numbers. Some vendors hand this over as a standard document. Others draft one on request. If your vendor refuses, take that seriously.

Call initiation audit logs. Most modern dialers log, for each outbound call, which agent started it, at what timestamp, and what action triggered the dial. Export these weekly or monthly. Store them somewhere you control, not only in the vendor's cloud. Vendors get acquired, shut down, or change retention policies.

Agent action timestamps. Distinct from the raw call log, this shows the sequence: agent opens the record, agent takes an action, system dials. If your logs show the agent action and the dial event stamped identically to the millisecond with no human trigger, that reads as automated. You want a clear causal chain.

Written internal policy. A one-to-three page document defining how your team uses the dialer, which modes are allowed, who can change settings, and how you audit. Date it, version it, and make everyone who touches the dialer sign it every year.

Keep all of it for at least four years. The TCPA's statute of limitations is four years under 28 U.S.C. § 1658. [10] Records older than that window cannot help you. Records inside it can absolutely hurt you if they are missing.

TCPA ATDS defense: key numbers Core thresholds and damage figures every outbound team needs to know 500 Statutory damages per negli… violation 1,500 Max damages per willful violation 4 Years of records to retain (TCPA statute of 31 Days between required DNC Registry scrubs (max) Source: 47 U.S.C. § 227; 28 U.S.C. § 1658; FTC Telemarketing Sales Rule, 16 C.F.R. Part 310

How should you format and store these records?

Format matters more than most people expect. A spreadsheet you built last Tuesday looks nothing like a log your system generated in real time, and opposing counsel knows the difference.

For call initiation logs, export directly from your dialer in its native format (CSV, JSON, whatever the system produces) rather than hand-compiling a spreadsheet. The embedded metadata, including the file creation date and the field structure, is harder to attack than a document you clearly assembled yourself.

For policy documents and vendor attestations, use a document system that records creation date, version history, and who signed or reviewed. Google Workspace, Microsoft SharePoint, and most legal document platforms do this automatically. Do not park compliance documents in a personal inbox or a shared folder with no version control.

Store records in at least two places: your own secure storage plus a backup that does not depend on your dialer vendor. If the platform goes down or your contract ends, you still need the historical logs.

For high-volume operations, use a compliance log that is write-once, or at least append-only with version tracking. Courts are skeptical of records that could have been edited after a dispute started. The more your logging looks like it was built for running the business rather than defending a lawsuit, the more credible it is.

LeadCompliant's free TCPA compliance kit includes a template policy document and a vendor attestation request letter you can send straight to your dialer provider. It is a reasonable starting point if you are building this from scratch.

Which FCC orders and court decisions define the standard you are documenting against?

You are documenting against a standard that keeps moving, so you need to know where it stands. The FCC's 2003 order defined ATDS broadly and set off two decades of confusion. [5] The Ninth Circuit in Marks v. Crunch San Diego (2018) read the definition to cover any system with the present or future capacity to automate dialing, which created enormous exposure. [6] Facebook v. Duguid (2021) rejected that reading at the Supreme Court, holding that a system must use a random or sequential number generator to store or produce numbers. [2]

Duguid quoted the point plainly: to qualify as an ATDS, a device "must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator."

After Duguid, courts wrestle with one hard question. What if a system dials from a pre-existing list without generating numbers randomly or sequentially, but does so automatically with no human involved? Some courts say that is not an ATDS. Others have found certain list-based autodialers still qualify. Circuits have split on similar facts.

The practical takeaway: document both that your system does not use a random or sequential number generator AND that it requires human intervention. The first protects you under Duguid. The second protects you in circuits that read Duguid narrowly, or when a plaintiff argues your list-based dialing still counts.

The FCC's 2024 rulemaking on AI-generated calls addressed robocalls and robotexts but did not redefine ATDS for live-agent dialing. [7] Watch for more rulemaking. The agency has signaled interest in revisiting the ATDS definition for modern dialing tech.

For anyone doing cold calling or running cold call campaigns at scale, human intervention documentation is your primary defense layer right now. It needs to be airtight.

What does the documentation process look like week by week?

A documentation process that only runs after a complaint lands is not a process. It is reconstruction, and courts treat it that way. Here is a real cadence for a small outbound team.

Weekly. Export call initiation logs from your dialer. Save them to your storage location with a filename that includes the date range. Spend five minutes spot-checking that the agent action field and dial event field look right and that no call shows a system trigger with no matching agent action.

Monthly. Review your dialer settings to confirm no vendor update changed your dialing mode. Check that only authorized users can touch dialing configuration. Log the review: who, when, what they found. A simple Google Form that writes a timestamped row works fine.

Quarterly. Revisit your system architecture document and update it if the vendor shipped a major change. Send a note to your vendor contact asking whether the dialing engine changed. Keep the thread.

Annually. Have everyone who touches the dialer re-sign the policy. Refresh the vendor attestation if the original is more than 12 months old. Do a full review of your log storage to confirm the past year is intact and accessible.

This sounds like a lot. It is not. The weekly export takes about 10 minutes, the monthly review about 20. The annual review takes a half-day. Set calendar reminders, name an owner, and treat it like payroll. It does not get skipped.

How do you get a vendor attestation letter and what should it say?

A vendor attestation is a written statement from the company whose software you use to make calls, confirming the system requires human intervention to dial. You do not file it anywhere. You produce it in discovery to show you did your homework.

Many major dialer vendors, including Five9, NICE CXone, and Genesys, keep form letters they hand out on request for exactly this. Ask your account manager or support team for a "TCPA human intervention attestation" or an "ATDS non-qualification letter." Use that exact language.

No standard form? Send a written request asking them to confirm three things: (1) the system requires an affirmative human action to start each individual outbound call; (2) the system does not use a random or sequential number generator to produce or store telephone numbers; and (3) the current software version and configuration on your account. Ask for company letterhead and a signature from someone with authority.

If the vendor declines or cannot confirm those three things, you have a problem no paper trail fixes. Either the system really is an ATDS, or the vendor will not stand behind its own design. Either way, deal with the root issue, more than the documentation.

Store the attestation with a note of when you got it and which software version it covers. When the vendor ships a major update, request a fresh letter.

What should your internal dialer policy document cover?

The internal policy is your strongest proof that you thought about this systematically before any lawsuit arrived. Here is what it needs.

Scope. Which systems and phone numbers does the policy cover? Which employees and contractors?

Permitted dialing modes. State which modes are authorized (preview only, for example) and which are banned (predictive, progressive, or any mode where the system dials before an agent is free). Name the software and version.

Required human action. Describe exactly what an agent must do before each call. "Agent must click the Call button on the contact record" beats "agent must initiate the call."

Configuration controls. Name the specific people allowed to change dialing settings. Require written approval and a log entry for any change.

Audit and review schedule. Reference the weekly, monthly, and quarterly cadence above. Name the person responsible for each.

Training. State that all users get trained on the policy before touching the dialer, and describe how completion is recorded.

Incident response. What happens when a misconfiguration turns up? Who gets notified? How fast must it be fixed?

Keep it short. One to three pages is plenty. Long compliance documents nobody reads are worse than short ones people follow. Date every version and keep the old ones.

How does this documentation interact with your DNC compliance records?

Human intervention records and do-not-call records are separate obligations, but they show up together in litigation. A plaintiff who proves you called them on the do not call list will also argue you used an ATDS to do it. Combining both defenses means combining both sets of records.

Your DNC records should show you scrubbed your call lists against the National Do Not Call Registry before calling and that you keep an internal DNC list. [8] The Telemarketing Sales Rule requires access to the Registry at least every 31 days for numbers you intend to call. [9] Store those scrub logs next to your call initiation logs. If one call ever comes into question, you can pull both the human intervention evidence AND proof the number was scrubbed first.

If you are not sure whether the numbers you are calling are properly registered, or whether your list carries mobile phone do not call list entries, a real-time checker helps, but the scrub records are what matter in court. Document when you scrubbed, which version of the Registry you scrubbed against, and how many numbers you suppressed.

If you are building the full stack, the do not call telemarketer list obligations layer on top of the TCPA's ATDS restrictions, not instead of them. You need both.

What are the biggest documentation mistakes outbound teams make?

Most small outbound teams make the same handful of mistakes. Learning them here is cheaper than learning them in discovery.

Relying entirely on vendor storage. If your only copy of call logs lives in a SaaS vendor's cloud, you are one contract termination or retention change away from losing your evidence. Export and save your own copy.

Creating records only after a complaint. A system architecture document dated three days after a demand letter is close to useless. Courts and opposing counsel notice. Build the records before you need them.

Not versioning the policy. If your policy has been updated five times but you only kept the current version, you cannot prove what it said during the calls at issue. Keep every version with its date.

Getting an attestation once and forgetting it. A 2021 letter covering software version 4.2 does nothing when you are running version 6.1 in 2025 after three major updates. Refresh it.

Confusing "preview dialer" with "human intervention" without checking. Not every product marketed as a preview dialer actually requires human action for each call. Verify the mechanics. Ignore the marketing label.

Failing to document who has configuration access. If anyone on the team can flip dialing modes without authorization, your careful setup can change with no record. Lock it down and document the access controls.

What does a documentation package look like in actual litigation?

In a TCPA case alleging ATDS use, a typical discovery request asks for everything that describes how the dialing system works, all call logs for the plaintiff's number, all records of human action before calls, all vendor communications about system capabilities, all written policies, and all training records for employees who used the dialer.

A company with good documentation produces a clean package: the system architecture document (updated and versioned); the vendor attestation letter; 12-plus months of call initiation logs in native export format; the internal policy (all versions); agent training acknowledgments; and the configuration change log showing who had access and what changed.

A company without good documentation hands over whatever it can find. Usually that is incomplete vendor call logs, a policy written last week, and employees testifying from memory about how they think they used the system. Much weaker.

The gap shows up in outcomes. Cases with strong documentation more often end in early dismissal or defendant-favorable summary judgment. Cases without it more often settle. The cash app tcpa class action settlement pattern, where a well-resourced defendant still pays millions because the defense is hard to prove without records, is the realistic benchmark for what thin documentation costs you.

Building from scratch? LeadCompliant's free kit includes templates for the vendor attestation request, the internal policy, and the audit log checklist. It cuts setup time a lot.

Is there a documentation standard for text message campaigns too?

Yes, and it is the same ATDS analysis. Outbound SMS to cell phones runs through the identical test. [1] You need records showing either that your texting platform does not use a random or sequential number generator, or that a human takes an affirmative action before each message sends, or both.

For text message marketing and tcpa SMS compliance, consent documentation matters even more than for voice, because the TCPA requires prior express written consent for marketing texts to cell phones. But the ATDS question still shows up when plaintiffs claim the texting platform is automated.

The package for text campaigns should include the platform vendor's attestation covering message delivery, records showing each recipient gave prior express written consent (with the date, the consent language they saw, and the IP address or submission timestamp), and send logs showing agent-initiated sends rather than system-triggered ones.

One practical difference from voice. Many texting platforms run on APIs that are plainly automated. If you are blasting mass texts through an API with no human intervention per message, you almost certainly have an ATDS issue no matter what your contract calls the product. Document accordingly, or restructure the program.

Frequently asked questions

Does every dialer need human intervention documentation, or only certain types?

Any dialer used to call cell phones should have this documentation. Telemarketing calls to landlines carry separate consent rules but benefit from the same records. Risk runs highest for predictive and power dialers making high volumes of cell calls. Even preview dialers can face ATDS allegations if the records do not clearly show agent-initiated dialing.

How long do I need to keep call initiation logs?

The TCPA's statute of limitations is four years under 28 U.S.C. § 1658. Keep call logs, policy documents, vendor attestations, and audit records for at least four years from the date of the calls they cover. Some attorneys recommend five years as a buffer. Store them in a format you can actually access and produce, not a backup archive nobody has ever tested.

What if my dialer vendor says their system doesn't qualify as an ATDS but won't give me anything in writing?

A verbal assurance is worth nothing in litigation. Push for written confirmation. If the vendor declines, treat it as a serious red flag. It may mean they are not confident in their legal position, the architecture is ambiguous, or their counsel told them not to commit in writing. Any of those means you carry risk you cannot document away.

Can I use a screenshot of the dialer interface as documentation of human intervention?

Screenshots help illustrate that the interface requires agent action, but they are weak on their own. A screenshot shows what the interface looks like. It does not prove what happened during specific calls. Pair interface screenshots with actual call initiation logs showing agent action timestamps per call, plus a written description of the action the agent must take.

What happens if a software update changes my dialer's behavior and I didn't notice?

That is exactly what monthly audits catch. If an update shifted your dialer from preview to a partially automated mode and you kept calling, you face exposure for every call made in that window. The audit log showing you checked, spotted the change, and corrected it is your best evidence that the problem was brief and unintentional rather than systematic.

Is a vendor's marketing material (like a brochure saying 'human-initiated') good enough?

No. Marketing material is written by salespeople, not engineers or attorneys, and it is not a binding statement about system architecture. Courts give it little weight. You need a document from someone at the vendor with authority, ideally on letterhead, addressed to your company specifically, describing the technical mechanism by which human intervention is required.

Do I need an attorney to set up this documentation system?

Not for the basic infrastructure. A template policy, a vendor attestation request, and a log export process are things most compliance managers can implement without outside counsel. Have an attorney review the full package at least once, and bring in TCPA counsel immediately if you get a demand letter or complaint. Build the records now so counsel has something solid to work with later.

What is the difference between a preview dialer and a predictive dialer for TCPA purposes?

A preview dialer shows an agent the contact record and waits for a click before dialing. That is the human intervention model. A predictive dialer calls numbers automatically, ahead of agent availability, using an algorithm to guess when agents will be free. Predictive dialers are the classic ATDS risk case. The configuration, not the product name, determines your exposure.

Can I document human intervention after a lawsuit is filed if I didn't keep records before?

You can try to reconstruct what exists, but it is a weak spot. Post-suit documentation looks built for litigation, not for running the business. Vendor logs may still be available if you move fast. Employee declarations about standard practice have some value but are easy to attack. The honest answer: retroactive documentation helps less than you hope and costs more in fees than building it prospectively would have.

Does the FCC require any specific documentation format for human intervention?

No. The FCC has not published a required format. The standard comes from what courts have found persuasive in actual TCPA cases. Contemporaneous call logs, written policies, and vendor attestations are the most frequently cited evidence in successful ATDS defenses. The FCC's 2023 and 2024 rulemakings focused on consent and AI-generated calls, not on any documentation format mandate.

If I only make a few hundred calls a month, do I really need all this?

Yes, because TCPA liability is per call, not per campaign. Statutory damages run from $500 to $1,500 per violation, with no cap. A plaintiff who got 10 unauthorized calls can sue for $5,000 to $15,000. At that scale, documentation costs a few hours of setup. Losing the lawsuit costs multiples of what the documentation would have.

How do I handle documentation for a third-party agency making calls on my behalf?

You can be liable for calls made on your behalf if you directed, approved, or ratified the campaign under FCC and court interpretations. So you need the same documentation from the agency: their system architecture, their attestation, their call logs. Write it into the contract. Require them to produce logs on request. Do not assume their compliance shields you without verifiable records.

What is the statutory damages range for a TCPA ATDS violation?

The TCPA provides $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing ones, under 47 U.S.C. § 227(b)(3). There is no per-campaign cap. Class actions aggregate per-call damages across every affected recipient, which is why even mid-size campaigns can produce eight-figure settlement demands.

Should I document human intervention differently for calls to a purchased list versus an opt-in list?

The human intervention documentation stays the same regardless of list source. What changes is your consent documentation, a separate record set. For purchased lists, expect extra scrutiny about whether the numbers were ever properly consented to. Document the list source, the consent representations the seller made, and the date you acquired the list, alongside your standard human intervention records.

Sources

  1. U.S. Congress, 47 U.S.C. § 227 (TCPA statute text): The TCPA defines ATDS as equipment with the capacity to store or produce telephone numbers using a random or sequential number generator and to dial those numbers
  2. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held in 2021 that an ATDS must use a random or sequential number generator to store or produce numbers, narrowing the ATDS definition
  3. Consumer Financial Protection Bureau: Cash App TCPA class action settlement reached $8.5 million, illustrating the scale of settlements in automated dialing cases
  4. U.S. Court of Appeals, Ninth Circuit, Marks v. Crunch San Diego, 904 F.3d 1041 (9th Cir. 2018): The Ninth Circuit in Marks v. Crunch San Diego (2018) held that ATDS included any system with the present or future capacity to automate dialing, a reading later rejected by the Supreme Court
  5. FTC, National Do Not Call Registry: The FTC requires companies to scrub call lists against the National Do Not Call Registry and to maintain an internal DNC list
  6. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: The Telemarketing Sales Rule requires companies to access the National Do Not Call Registry at least every 31 days for numbers they intend to call
  7. U.S. Congress, 28 U.S.C. § 1658 (statute of limitations): The TCPA's statute of limitations is four years under 28 U.S.C. § 1658, setting the minimum record retention window
  8. U.S. Congress, 47 U.S.C. § 227(b)(3), TCPA damages provisions: The TCPA provides $500 per negligent violation and up to $1,500 per willful violation, with no per-campaign cap on aggregate damages

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit