Last updated 2026-07-10

TL;DR
The TCPA applies to SaaS companies the same way it applies to any business making outbound calls or texts. You need prior express written consent before sending marketing texts or calling cell phones with an autodialer. Violations cost $500 to $1,500 per message. Class actions are the real threat. This guide covers what the law requires, where SaaS teams get it wrong, and what a workable process looks like.
Does the TCPA actually apply to SaaS companies?
Yes, fully. The Telephone Consumer Protection Act (47 U.S.C. § 227) does not carve out software companies, B2B sellers, or anyone who thinks they are "just doing product-led growth." If your team sends automated texts or calls cell phones using equipment that qualifies as an autodialer, the TCPA governs that activity. [1]
SaaS companies tend to assume the law only covers spammy consumer lenders or debt collectors. That is wrong, and believing it is expensive. The FCC has held that B2B calls to a cell phone require the same consent analysis as B2C calls. The phone number is what matters, not the relationship.
The statute defines an automatic telephone dialing system (ATDS) as equipment that has "the capacity to store or produce telephone numbers to be called, using a random or sequential number generator" and to dial those numbers. [1] After the Supreme Court's 2021 ruling in Facebook v. Duguid, courts apply a narrower definition that turns on whether the system uses a random or sequential number generator. But platforms that send bulk texts or use queued dialing can still qualify. [2] The line is blurry enough that relying on "we're not an ATDS" as your only defense is a bad bet.
For a broader overview of what the law covers, see our article on TCPA.
What consent do SaaS outbound teams actually need?
It depends on what you are sending and how. Three tiers, and the gap between them decides your risk.
Marketing texts or prerecorded voice calls to a cell phone need prior express written consent. That means a signed agreement (electronic signatures count under the E-SIGN Act) where the person clearly authorizes you to contact them using an ATDS or prerecorded message, for marketing purposes, at a specific number. The FCC's 2012 rule codified this at 47 C.F.R. § 64.1200(a)(2). [3]
Non-marketing, purely informational calls or texts to a cell phone drop to prior express consent, which can be oral or written. A SaaS company sending a transactional text like a password reset or a billing alert can arguably meet this with implied consent from the account sign-up. The safer move is a checkbox at sign-up that names text messages directly.
Live, non-automated calls sit outside the ATDS restrictions, though the Do Not Call rules still apply. If a rep manually dials every number with no predictive or progressive dialer involved, TCPA autodialer liability is largely off the table. Many small SaaS teams operate this way and never realize it is their cleanest path.
A change landed from the FCC's one-to-one consent rule, which took effect in January 2025. Under that order, a single consent cannot cover multiple sellers. If a lead fills out a form on a partner site and the fine print tries to consent them to contact from dozens of companies, that consent is invalid for you. [4] SaaS companies that buy leads from aggregators or run co-registration campaigns are directly in the crosshairs.
The table below shows how consent requirements stack up across contact types.
What is the one-to-one consent rule and why does it matter for SaaS?
The FCC's December 2023 order, effective January 27, 2025, requires that consent be given to one seller at a time, for a logically and topically related message. [4] The FCC adopted it specifically to shut down the lead generation practice of getting blanket consent for hundreds of companies through a single checkbox buried in a website's terms.
For SaaS companies, the impact shows up in a few places. If you generate inbound leads through content partnerships, affiliate referral programs, or any arrangement where a third-party site collects contact info and passes it to you, you now need to verify that the consent obtained at that site named you specifically. Generic "partner companies" language is not enough.
It also hits SaaS companies that resell or white-label other software and generate leads through shared landing pages. If the page lists multiple brands or product lines, the consent has to clearly identify which entity will be calling or texting.
Audit every lead source. Ask your vendors to show you exactly what consent language appears on the page where a lead fills out a form. If they cannot or will not, stop using that source until they can. The one-to-one rule makes vendor consent documentation a first-party problem, not a vendor problem.
How does the Do Not Call registry affect SaaS outbound calling?
The National Do Not Call Registry, maintained by the FTC under 16 C.F.R. Part 310, applies to telemarketing calls to residential numbers. [5] For SaaS companies calling cell phones, which are treated as residential lines for DNC purposes, this matters every time you dial a prospect who has registered their number.
The rule is plain. If a number is on the National DNC registry, you cannot call it for marketing purposes unless you have an established business relationship (EBR) with that person, or they gave you express written permission to call. An EBR is created when someone makes a purchase, inquiry, or application with your company. It lasts 18 months from the last transaction or 3 months from an inquiry. [5]
SaaS teams running outbound to cold lists should scrub against the DNC registry before every campaign. You can access the registry through the FTC's telemarketer access portal. For practical guidance on accessing and using the list, see how do i get the do not call list.
State DNC lists add another layer. Several states, including Texas, Indiana, and Wyoming, maintain their own registries that require separate scrubbing. [6] If your outbound covers multiple states, check each one. No single aggregator covers all state lists reliably, so this is manual work or a vendor problem you have to solve on purpose.
Cell phones are a common point of confusion. Mobile numbers can appear on the National DNC registry, and the TCPA independently restricts calls to cell phones via autodialer regardless of DNC status. The two regimes overlap, but neither one fully replaces the other. See our breakdown of the mobile phone do not call list for more on that distinction.
What TCPA penalties could a SaaS company face?
The TCPA provides a private right of action with statutory damages of $500 per violation for negligent violations and $1,500 per violation for knowing or willful violations. [1] There is no cap per plaintiff, and class actions are allowed.
That $500/$1,500 structure makes class actions dangerous in a way few founders price in. A campaign of 50,000 texts sent without proper consent is not a $1,500 problem. It is a $25 million to $75 million problem, before attorney fees. Plaintiffs' firms file TCPA class actions routinely because the math works in their favor even with a steep discount at settlement.
Real settlements give you a sense of scale. Capital One paid $75.5 million to settle a TCPA class action related to debt collection calls. [7] For a look at how large a single company's exposure can get, see our breakdown of the credit one tcpa settlement. Cash App settled a TCPA class action as well; the cash app tcpa class action settlement shows the pattern holds across industries.
For SaaS companies, the risk is rarely a single regulatory fine from the FCC. The risk is a plaintiff's attorney who signs up a few people who received your outbound texts without consent and files in federal court. TCPA suits are filed in the thousands every year, and a large share settle in the low-to-mid six figures because defendants calculate that fighting costs more.
The FCC also has authority to impose forfeitures. In 2024, the FCC proposed a $6 million forfeiture against a single entity for spoofed robocall violations. [8] FCC enforcement tends to target high-volume bad actors, but the agency has pursued smaller businesses too.
What makes a TCPA-compliant consent form for SaaS sign-ups?
A compliant consent form for marketing calls and texts has to do four things clearly. Identify who is doing the contacting. Identify the number that will be contacted. Describe what kind of messages the person is consenting to receive. State that consent is not a condition of purchase.
That last requirement is statutory. 47 C.F.R. § 64.1200(a)(2) prohibits making any good or service purchase contingent on agreeing to receive autodialed or prerecorded calls. [3] A checkbox that says "check here to receive texts about our product, consent not required to use our service" is the standard formulation.
Here is what a consent disclosure should include:
- The full legal name of the company that will send messages
- A plain description of message types (e.g., "marketing messages about [Product Name], pricing updates, and product announcements")
- That an ATDS or automated system may be used
- That message and data rates may apply
- How to opt out (e.g., reply STOP to stop)
- The statement that consent is not required to make a purchase
What it should not do is bury the consent inside a long terms of service document. Courts have rejected consent hidden in fine print or on a separate page linked from a checkbox. The consent has to be clear and conspicuous. [9]
For SaaS free trial sign-ups specifically, many teams try to treat the email address collection as implicit consent for all future outreach. Email follow-up is governed by CAN-SPAM, not the TCPA, so that is a separate question. But if you plan to follow up by text or outbound call using any automated system, you need explicit TCPA consent at sign-up, separate from the email marketing opt-in.
How should a SaaS company handle opt-outs?
Opt-out handling is where a lot of otherwise-careful teams create liability. The TCPA and FCC rules require that opt-out requests be honored promptly. The FCC's 2003 order established that businesses must honor a do-not-call request within 30 days, but the practical standard is faster, because sending one more message after a clear opt-out is a standalone violation. [10]
For SMS, industry practice (and increasingly FCC expectation) is that a reply of STOP immediately removes the number from all future campaigns. Your platform should handle this automatically. If you use a third-party SMS provider, confirm that STOP handling is in place and that the suppression carries across every campaign, more than the message thread that got the reply.
For voice outbound, opt-outs need to go into a company-specific do-not-call list and be suppressed before the next dialing session. The regulations require companies to maintain an internal do-not-call list and honor it. [10] If you use a CRM or dialing platform, your suppression list needs to sync before every campaign, not once at setup.
A few failure points to avoid. Acquired leads often come with no suppression data, so run every imported list against your internal suppression list before first contact. If you have multiple products or sub-brands under one company, a do-not-call request for one generally covers the whole enterprise, more than the brand the person contacted. And test your opt-out mechanism regularly. Send a test STOP reply and confirm it works end to end.
Do TCPA rules apply differently for B2B outbound?
Every SaaS founder asks this, and the honest answer is: B2B outbound is partially, not fully, exempt.
The DNC rules under the FCC's implementing regulations technically apply to "residential" telephone subscribers. A call to a business landline is generally outside the DNC rule. But most business calls today go to cell phones, and cell phones are treated as residential lines for DNC purposes. So if you call a prospect's mobile number because that is the number on LinkedIn, the residential rules apply even if you are pitching enterprise software.
The ATDS restrictions in 47 U.S.C. § 227(b) apply to any call to a cell phone using an autodialer or prerecorded voice, with no residential-versus-business distinction in the statute. [1] A call to a CFO's personal cell phone promoting your accounting SaaS is subject to the ATDS rules.
What B2B does change: the FTC's Telemarketing Sales Rule has a business-to-business exemption for calls where the recipient is a business entity, not an individual. [5] But that exemption has limits and does not override the TCPA's cell phone restrictions.
The practical upshot. If your reps manually dial the cell phones of individual decision-makers with no autodialer involvement, your TCPA ATDS exposure is low. If your team uses a power dialer, a parallel dialer, or any platform that queues and auto-initiates calls, get a legal opinion on whether that platform qualifies as an ATDS before you scale.
For a deeper look at how cold calling rules apply in practice, including the equipment questions, that article covers the mechanics.
What internal processes should a SaaS team build to stay compliant?
Compliance is not a document you file once. It is a set of operational habits. Here is what a workable TCPA process looks like for a team of 5 to 50 SDRs.
Start with consent capture at every lead entry point. Whether a lead comes from a demo request form, a content download, a trade show badge scan, or a purchased list, document what consent was captured, when, and how. A simple field in your CRM that records consent source and timestamp is the minimum. If you cannot answer "where did this person consent to receive calls or texts from us" for any given record, you should not be calling or texting them with automated tools.
Next, list scrubbing before every campaign. Scrub against the National DNC registry, your internal suppression list, and any applicable state DNC lists. This is not a quarterly task. It is a pre-campaign task, every time. The FTC requires that you subscribe to the registry and access it regularly if you make telemarketing calls. [5]
Then vendor documentation. For any third party that generates leads for you, collect and store a copy of the consent language that appeared on the page where the lead opted in. With the FCC's one-to-one consent rule in effect, you need this to defend yourself if a lead claims they never consented to contact from your company. [4]
Training matters too. Your SDRs need to understand what they can and cannot say about consent, what to do when someone says they never signed up, and how to log do-not-call requests. TCPA liability can follow a company for individual rep actions if the company ratified the conduct.
Finally, audit. Quarterly, pull a random sample of records that received outbound messages and trace the consent chain back to source. If that chain has gaps, tighten the process before the next campaign.
LeadCompliant offers a free TCPA compliance kit that includes a consent language template, a pre-campaign scrubbing checklist, and an opt-out process audit. It is a decent starting point for teams without a dedicated compliance function.
The do not call list article covers the DNC scrubbing mechanics in more detail.
How do state laws add to the TCPA burden for SaaS teams?
Federal TCPA compliance is the floor, not the ceiling. Several states have enacted laws that go further.
Florida's Telephone Solicitation Act (FTSA), amended in 2023, extended TCPA-style protections to intrastate calls and texts and added a private right of action. [6] Florida matters because it has a large population of mobile users and a well-organized plaintiffs' bar. SaaS companies with any prospect base in Florida should treat FTSA compliance as a near-equal concern to federal TCPA.
California's CCPA and related regulations do not directly replicate TCPA consent requirements, but they add data handling obligations around the personal information you collect during consent. If you store consent records that include name, number, and IP address, that is personal information under the CCPA and subject to its access and deletion rights. [11]
Washington, Oklahoma, and a growing list of states have strengthened their telemarketing laws in recent years. The trend runs toward more state-level private rights of action, which multiplies litigation risk.
The practical answer for a SaaS company with national outbound: default to the strictest requirements in your contact geography. If you cannot segment by state, apply the most restrictive consent standard everywhere. It is a higher operational bar, but the alternative is running 50 different rule sets.
For more detail on how state rules layer onto federal law, our article on text message marketing covers SMS-specific state requirements.
What tools and platforms help with TCPA compliance for outbound?
Tools solve some problems and create others. Here is an honest breakdown.
DNC scrubbing services like DNC.com, Gryphon Networks, and several others offer API-based scrubbing against the National DNC registry and state lists. These cost roughly $15 to $100 per month for small-to-mid volume teams, depending on lookup volume. The registry itself is accessible for free via the FTC's telemarketer portal if you want to handle it in-house. [5] The catch with in-house scrubbing is discipline: it only works if you run it before every campaign, not once at setup.
Consent management is thinner than people expect. Most CRMs (Salesforce, HubSpot) can store consent fields, but they do not validate consent language or enforce pre-campaign checks. You build that workflow yourself or buy an add-on. Some compliance platforms layer on top of your CRM and flag records with missing or expired consent before they enter a sequence.
SMS platforms like Twilio and Bandwidth handle STOP processing automatically at the network level, which is a baseline expectation. What they do not do is confirm that you had consent before the first message went out. That is your responsibility.
Dialers are where ATDS classification gets platform-specific. If you use a parallel dialer that initiates calls without a rep clicking "dial" for each number, get a written legal opinion on whether it constitutes an ATDS under post-Facebook v. Duguid analysis before you scale. A vendor saying "we're compliant" is not a legal opinion.
LeadCompliant's free phone number checker can tell you whether a number is on the National DNC registry before you dial, a useful sanity check for small teams that do not want to pay for a full scrubbing subscription.
For a closer look at how to handle individual cold call compliance decisions in real time, that article goes into rep-level protocol.
What does TCPA litigation actually look like for a SaaS company?
Most TCPA suits against SaaS companies start the same way. A prospect who never consented, or who opted out and kept receiving messages, contacts a plaintiffs' attorney. Sometimes the attorney's own phone received your text. Plaintiffs' firms monitor for TCPA violations as a business model.
The complaint alleges violations of 47 U.S.C. § 227(b) (ATDS calls to cell phones without consent) or § 227(c) (DNC violations), often both. It seeks class certification, which is the real threat, because certification turns a single plaintiff's $500 claim into a multi-million-dollar exposure.
At the class certification stage, courts look at whether common questions predominate. In TCPA cases that often hinges on whether the consent question is individualized (different for each class member) or common (none of them consented). If your campaign ran off a single list with no individual consent, courts often certify the class. That is when settlement pressure becomes enormous.
Most TCPA class actions settle in the range of $2 million to $76 million, with small-company settlements typically in the $500,000 to $3 million range. [7] Defendants pay settlement funds plus their own legal fees, which easily reach six figures in a contested case.
The defense that works best is documented, individualized consent. If you can show, for each class member, a record of when and how they consented, with the exact disclosure language they saw, class certification gets much harder because the consent question is no longer common across the class. That is why consent documentation is the compliance investment with the highest return.
To be clear: this is general information about how TCPA litigation typically works, not legal advice. If you receive a TCPA complaint or demand letter, get an attorney who handles telecommunications defense immediately.
Frequently asked questions
Is a SaaS company's outbound sales process subject to the TCPA even if it targets businesses?
Yes, when you call or text individual decision-makers on their cell phones. The TCPA's autodialer restrictions apply to calls to cell phones regardless of whether the call is B2B or B2C. Business landlines have more protection from DNC rules, but most B2B outbound today goes to mobile numbers, which the statute fully covers.
Does using a CRM sequence tool like Outreach or Salesloft create TCPA liability?
For emails, no, CAN-SPAM governs those. For automated texts sent through those platforms, yes. If the platform sends SMS messages automatically without a rep manually initiating each one, the ATDS analysis applies. Check whether your sequence tool integrates SMS, and if so, confirm you have proper written consent before enrolling anyone in an SMS step.
How long do we need to keep consent records?
No federal statute specifies an exact retention period, but the FTC recommends keeping records long enough to defend a complaint. Given that TCPA claims can be filed within the statute of limitations (generally 4 years under 28 U.S.C. § 1658 for federal claims), retaining consent records for at least 4 years from the last contact with that person is a reasonable standard.
Can we call or text someone who gave us their number on a demo request form without separate TCPA consent?
For a live, non-automated follow-up call, probably yes, since filling out a demo form implies consent to be contacted about the demo. For automated texts or prerecorded calls about marketing, you need explicit written consent. The safest approach is adding a clear TCPA consent checkbox to your demo request form at sign-up.
What happens if a lead vendor gave us bad consent and we called someone who never agreed?
You bear the liability. The TCPA does not let you pass blame to a vendor whose consent language was deficient. You can pursue the vendor for indemnification if your contract requires it, but the plaintiff sues you. This is why the FCC's one-to-one consent rule places the burden on the calling party to verify vendor consent documentation before using the list.
What is the FCC's one-to-one consent rule and when did it take effect?
The FCC's December 2023 order, effective January 27, 2025, requires that written consent for marketing calls and texts identify a single seller. Blanket consent forms covering multiple companies are no longer valid. SaaS companies using shared lead generation landing pages or purchased lead lists must verify that the consent specifically named their company before contacting anyone on that list.
Do we need to scrub against the Do Not Call list if we only text, not call?
Technically, the National DNC registry covers telemarketing calls, and the FTC's Telemarketing Sales Rule defines calls to include texts in some contexts. The safer position is to scrub texts against the DNC registry as well, and many compliance attorneys recommend it. The TCPA's SMS consent requirements are a separate and often stricter requirement that runs alongside DNC scrubbing.
How does Facebook v. Duguid change TCPA risk for SaaS outbound?
The 2021 Supreme Court ruling narrowed the ATDS definition, requiring that the system use a random or sequential number generator to qualify. This reduced liability for platforms that dial from a specific list without random number generation. But courts are still split on edge cases, and bulk SMS platforms and parallel dialers can still qualify. It lowered the risk for manual dialing; it did not eliminate it for automated tools.
Are international calls or texts to U.S. numbers covered by the TCPA?
Yes. The TCPA applies based on the U.S. phone number receiving the call or text, not where the call originates. A SaaS company based in another country that texts or calls U.S. cell phone numbers is subject to the TCPA. U.S. courts have jurisdiction, and plaintiffs can file suit regardless of where the sending company is located.
What should we do if we receive a TCPA demand letter?
Do not ignore it, and do not respond without an attorney. Demand letters are often the opening of a negotiation, not a final lawsuit, but the deadline matters. Preserve all records related to the contacts mentioned, including consent documentation, call logs, and campaign records. Engage a TCPA defense attorney before any communication with the sender. Early engagement typically reduces exposure.
Does the TCPA apply to voicemail drops (ringless voicemail)?
This is unsettled law. The FCC has not issued a definitive ruling that ringless voicemail is a call under the TCPA, but several federal courts have held it is. The FCC received a petition in 2017 to classify ringless voicemail as a call and has not resolved it. Given the litigation risk, treating ringless voicemail the same as an autodialed call for consent purposes is the prudent approach.
How often should we scrub our contact lists against the DNC registry?
The FTC's TSR requires that telemarketers access the registry data no more than 31 days before calling a number. In practice, scrub before every campaign, especially if you run outbound continuously. For evergreen SDR sequences, set up a recurring scrub every 30 days or build an API integration so every number is checked at the time of dialing.
Can we rely on a partner's or reseller's existing consent to contact their customers?
Generally no, unless the original consent disclosure explicitly named your company and the type of messages you will send. The FCC's one-to-one consent rule makes third-party consent transfers unreliable. If a partner collected consent for their own communications, that consent does not transfer to you by default. You need your own consent from that individual.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227 (TCPA statute text): The TCPA provides statutory damages of $500 per violation and $1,500 for willful violations, and defines ATDS as equipment with capacity to store or produce telephone numbers using a random or sequential number generator.
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court narrowed the ATDS definition in 2021, requiring that the system use a random or sequential number generator to qualify under the TCPA.
- Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200: Prior express written consent is required for marketing calls or texts to cell phones using an ATDS, and consent cannot be a condition of purchase.
- Federal Trade Commission, Telemarketing Sales Rule (16 C.F.R. Part 310): The TSR requires telemarketers to access the National DNC Registry no more than 31 days before calling a number, and provides an established business relationship exception lasting 18 months from last transaction.
- Florida Legislature, Florida Telephone Solicitation Act, § 501.059, F.S.: Florida's FTSA, amended in 2023, extends TCPA-style protections to intrastate calls and texts and provides a private right of action for violations.
- Federal Trade Commission, news and press releases: Capital One paid $75.5 million to settle a TCPA class action related to automated debt collection calls.
- Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200: Consent for marketing calls and texts must be clear and conspicuous; courts have rejected consent buried in fine print or on a separate linked page.
- FCC, Rules and Regulations Implementing the TCPA, 47 C.F.R. § 64.1200(d): Companies must honor do-not-call requests within 30 days and maintain an internal do-not-call list; a request to one entity generally covers the enterprise.
- California Attorney General, California Consumer Privacy Act (CCPA) guidance: Under the CCPA, consent records containing name, phone number, and IP address constitute personal information subject to access and deletion rights.
- FTC, National Do Not Call Registry, telemarketer access information: Telemarketers must subscribe to and scrub against the National DNC Registry before making marketing calls to registered numbers.