Last updated 2026-07-09

TL;DR
There is no single government portal where you 'register' for TCPA compliance. Compliance is a set of required actions: subscribe to the National Do Not Call Registry, complete 10DLC brand and campaign registration for business SMS, collect proper consent, write a Do Not Call policy, and train your team. Skip any step and fines start at $500 per violation.
What does 'registering for TCPA compliance' actually mean?
There is no government portal where you fill out a form and get a TCPA compliance certificate. People search for one all the time. It does not exist. The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, creates legal obligations, not a registration desk. Satisfying those obligations means completing several separate registration and enrollment steps with different agencies and carriers.
Think of it like a building inspection, not a business license. You have to actually do the things, more than sign up for them.
Five concrete actions make up what most people mean by 'TCPA registration.' Register with the National Do Not Call Registry. Complete 10DLC brand and campaign registration if you text customers. Build and document a consent process. Write a Do Not Call policy. Train your staff. Each one has its own cost, timeline, and governing authority. This guide walks through all five, in order.
Do you need to register with the National Do Not Call Registry?
Yes, if you make telemarketing calls to consumers in the United States. The Federal Trade Commission runs the National Do Not Call Registry under the Telemarketing Sales Rule, and scrubbing your lists against it takes a paid subscription through the FTC's telemarketer portal [1].
Here is what it costs as of 2024. Call fewer than 5 numbers on the registry in a 12-month period and access is free. Above that, you pay $76 per area code per year, capped at $21,986 per year for nationwide access [1]. Those figures get adjusted, so check the FTC's fee schedule before you budget.
Register and you get a Subscription Account Number (SAN). You use that SAN to download the registry and scrub your call lists before dialing. The FTC requires you to scrub against a version of the registry no older than 31 days before a call [1]. Call a number that has been on the registry longer than 31 days without written consent, and you have a violation. The FCC can assess penalties up to $51,744 per call as of 2024, adjusted annually for inflation [2].
A few things the registry does not cover: calls to businesses, calls to people who gave you prior express written consent, calls to existing customers inside the applicable safe harbor window, and calls from tax-exempt nonprofits. Do not assume you sit in a safe harbor without documenting why.
What is 10DLC registration and does your business need it?
10DLC stands for 10-Digit Long Code. It is the standard US phone number format (like 555-867-5309) most businesses use for application-to-person (A2P) SMS. Starting in 2021 and fully enforced by 2023, carriers required businesses sending commercial texts on 10DLC numbers to register their brand and each messaging campaign with The Campaign Registry (TCR) [3].
This is the closest thing to a 'TCPA registration' in the SMS world, and it matters. Unregistered traffic gets filtered, throttled, or blocked. And sending marketing texts without proper consent is an independent TCPA violation no matter what your carrier registration says.
Registration has two parts. First, your brand. You submit your legal business name, EIN, address, industry, and a few other fields to TCR through your messaging provider. Brand registration costs around $4 one-time and is nearly instant. Second, each campaign, meaning each type of message you send: marketing, account notifications, alerts, and so on. Campaign registration runs $10 to $25 per campaign per month depending on the use case and your provider's markup [3].
Shared short codes, which many businesses used before 2021, got deprecated because they made it impossible to attribute a message to a specific sender. Unregistered 10DLC traffic faces the same filtering. Send marketing SMS, get registered.
Very high-volume senders (millions of messages per month) can lease a dedicated short code instead. Short codes cost $500 to $1,000 per month and take 8 to 12 weeks to provision. Most small outbound teams do not need one. 10DLC is the right tool.
See the text message marketing guide for a fuller breakdown of SMS campaign setup.
What consent records do you need before calling or texting?
The TCPA sorts consent into three tiers, and which one you need depends on what you send and how [4].
For calls or texts to a mobile number using an autodialer or a prerecorded voice for marketing, you need prior express written consent. The FCC defines this in 47 C.F.R. § 64.1200(f)(9) as a signed written agreement that authorizes contact at that specific number and includes a clear disclosure that consent is not a condition of purchase [4].
For informational, non-marketing calls or texts to a mobile number (appointment reminders, order confirmations), prior express consent without the 'written' part is enough. That can be as simple as someone handing you their number in a context that reasonably implies you will contact them.
For a prerecorded marketing message to a residential landline, you also need prior express written consent.
For live, non-automated marketing calls to a mobile or landline, the TCPA imposes no consent requirement, though the DNC rules still apply.
Here is what trips up small teams. Consent you collected before the FCC's October 2013 written consent rule may not meet today's standard. And consent does not travel. If you bought a lead list and the original opt-in said 'a partner may contact you,' that is not written consent for your company to text. The FCC's 2024 one-to-one consent rule tightened this further, requiring consent to name your specific company rather than a broad category of marketers [5].
Store every consent record with a timestamp, the source URL or form name, the exact disclosure language shown, and the consumer's IP address where you have it. You will need these if you get sued. Courts put the burden of proving consent on the caller, not the consumer.
How do you write a written Do Not Call policy?
FCC rules at 47 C.F.R. § 64.1200(d) require any person or entity making telemarketing calls to keep a written Do Not Call policy and make it available on demand [6]. This is not optional, and registering with the FTC's DNC portal does not cover it. It is a separate TCPA requirement.
Your policy needs four things at minimum. The name of the company it applies to. The process for someone to ask to be added to your internal DNC list. The timeframe for honoring that request (federal law says within 30 days). The training process for staff who make calls.
Publish it somewhere accessible. A dedicated page on your website works. A PDF you email to anyone who asks works too. What does not work is having no document, which is one of the first things a plaintiff's attorney reaches for in early discovery.
You also need a matching internal DNC list. When someone asks not to be called, that number goes on your internal list and stays there. Even if they later show up on a fresh purchased list, you cannot call them. The company-specific DNC is permanent unless the consumer affirmatively re-consents.
What are the actual steps to complete TCPA compliance setup?
Here is the process in order, with rough time and cost estimates for a small outbound team.
Step 1: Audit your current practices (Week 1) Before you register anything, understand what you actually do. Are you calling mobile numbers? Running an autodialer or predictive dialer? Sending marketing texts? Buying lead lists? Each of these triggers specific rules. Document your call and text flows, the consent language on your forms, and any existing DNC lists.
Step 2: Register with the National DNC Registry (Week 1, same day) Go to the FTC's telemarketer portal at donotcall.gov and create an account [1]. Pay the fee for the area codes you need. Download the registry. Most compliance-aware dialers can ingest the file directly or connect via API.
Step 3: Register your brand and campaigns with TCR via your SMS provider (Week 1-2) Sending business SMS? Log into your messaging provider (Twilio, Bandwidth, Sinch, etc.) and complete the 10DLC brand registration. Then register each campaign use case. Approval takes hours to a few days for most brands. High-risk verticals (financial services, insurance, cannabis) can take longer [3].
Step 4: Audit and repair your consent flows (Weeks 2-4) Review every web form, chat widget, and lead source. Each one that feeds your outbound SMS or autodial list needs a compliant opt-in disclosure. The disclosure must name your company, describe the kinds of messages the consumer will get, confirm consent is not required for purchase, and provide an opt-out mechanism [4].
Step 5: Write your written DNC policy and publish it (Week 2) Draft the policy described above. Post it on your website and train every person who dials or texts on its contents.
Step 6: Set up ongoing scrubbing (Week 3-4) Build a workflow so every call or SMS list gets scrubbed against the federal DNC registry, any applicable state DNC lists, and your internal DNC list before a campaign launches. Most dialers do this. If yours does not, that is a red flag. Federal DNC scrubs must be no more than 31 days old. Some state lists run tighter windows.
Step 7: Document everything (Ongoing) TCPA plaintiffs win on documentation failures as often as on actual violations. Keep records of consent, opt-out requests, scrub dates, and policy versions. Three years is a reasonable minimum, though the TCPA's four-year federal statute of limitations argues for keeping them longer.
LeadCompliant's free compliance kit includes a DNC policy template, a consent audit checklist, and a scrub log template if you want a head start on steps 5 and 6.
| Step | Who handles it | Approx. cost | Approx. time |
|---|---|---|---|
| FTC DNC subscription | Business directly | $0 to $21,986/yr | Same day |
| 10DLC brand registration | Via SMS provider | ~$4 one-time | Hours to 1 day |
| 10DLC campaign registration | Via SMS provider | $10-$25/campaign/mo | 1-3 days |
| Consent flow audit/update | Internal or counsel | Varies | 1-3 weeks |
| Written DNC policy | Internal | $0 (use a template) | 1-2 days |
| Staff training | Internal | $0-$500 | Ongoing |
What are the penalties for skipping these steps?
The TCPA gives consumers a private right of action. That means anyone you called or texted in violation can sue you directly, no government agency required. It is why TCPA litigation volume runs so high. Plaintiffs' attorneys run this as a volume business.
The statute sets damages at $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones [7]. Each call or text counts separately. A campaign that fires 10,000 unlawful texts before anyone notices is a $5 million to $15 million exposure on paper. Courts sometimes reduce class settlements to something more proportional. Sometimes they do not.
For context, UnitedHealthcare paid $2.5 million to settle alleged TCPA violations. Credit One Bank faced a significant TCPA suit that drew national attention. Truist Bank settled a TCPA class action too. These are not edge cases. They are companies that miscounted their exposure.
The FCC has its own enforcement authority. As of 2024, it can impose forfeitures up to $51,744 per unlawful call or text [2]. FCC enforcement tends to chase egregious robocall operations rather than single-company outbound teams, but the authority is there.
State laws stack on top. Texas, Florida, Washington, and Oklahoma all have state-level TCPA analogs with their own damages structures. Some allow per-violation damages above the federal amounts. Check your state's rules before you dial.
Does your business need a TCPA compliance officer or legal counsel?
It depends on your call volume and channels. Here is the honest breakdown.
For a team making a few hundred outbound calls a week to numbers from inbound leads with documented consent, a solid internal process plus a one-time legal review of your forms and policy is probably enough. Nothing in this guide requires an attorney to execute. Having one review your consent language is money well spent.
For a team running autodial campaigns, buying lead lists, or texting at volume, a TCPA-knowledgeable attorney earns their fee. Small teams almost always get hurt in two places: consent chain documentation for purchased lists, and autodialer status questions. Courts still wrestle with what counts as an ATDS after the Supreme Court's 2021 ruling in Facebook v. Duguid [8].
High-litigation state or industry (healthcare, debt collection, insurance, financial services)? Budget for an annual compliance review. The TCPA news feed moves fast. Rule interpretations settled in 2022 can be relitigated in 2025.
One thing I would not do: lean entirely on your dialer vendor or SMS platform to keep you compliant. They handle carrier-layer registration and can block calls to DNC numbers if you configure them right. They do not manage your consent records, your written policy, or your internal DNC list. That is your job.
Are there state-specific TCPA registration or compliance requirements?
Yes. Several states go beyond federal law, and a few impose registration-style obligations.
California layers on the Rosenthal Act and the California Invasion of Privacy Act (CIPA), which restrict call recording and certain dialing practices. CIPA section 632.7 bars recording a cellular or cordless call without the consent of all parties, which matters if you record for quality assurance [9].
Florida's Mini-TCPA (the Florida Telephone Solicitation Act, amended in 2021) requires an opt-out mechanism on the first call and restricts autodialed calls and texts without consent. Florida added its own private right of action separate from federal law.
Texas requires telemarketers to register with the Secretary of State and pay a $200 annual fee. That is an actual registration requirement. Firms that skip it face fines.
Washington's Commercial Electronic Mail Act and telephone solicitation laws add state-level requirements for calls and texts.
Operate nationally? The safest play is to comply with the most restrictive applicable state law for each contact, which usually means California or Florida standards across the board. More work, far less exposure.
For businesses asking about TCPA compliance in Kentucky, the state has no analog as aggressive as Florida or California, but federal TCPA rules apply fully.
How do you stay compliant after the initial setup?
Setup is the easy part. Staying compliant is an operational problem.
Four things break compliance over time. New lead sources that skip your consent check. Staff turnover where new dialers never got trained. DNC scrub files that go stale because nobody owns the refresh. And rule changes you missed.
Build a compliance calendar. At minimum: monthly DNC file refresh, quarterly review of consent language on all active lead forms, annual full policy and training review. Give each item an owner with a name, not a department. 'Compliance' as an owner means nobody does it.
Most dialers and SMS platforms offer DNC scrubbing, sometimes included, sometimes at a per-lookup cost. Confirm it is turned on and that it covers state DNC lists as well as the federal registry. Some state lists (Florida's, for one) sit apart from the national registry.
When someone opts out of calls or texts, that opt-out needs to hit your internal DNC list the same day, not at the next batch upload. Real-time opt-out processing is harder to build but legally required. The FCC requires you to honor wireless opt-out requests immediately [6].
Read the FCC's enforcement and rulemaking updates. The agency releases orders, and the significant ones (the 2024 one-to-one consent rule, TRACED Act implementation) change what you have to do. LeadCompliant's TCPA news section tracks the relevant ones if you would rather not monitor FCC dockets yourself.
What records do you need to keep to defend a TCPA lawsuit?
Get a TCPA demand letter or complaint, and the first thing defense counsel asks for is your consent records, your DNC scrub logs, and your written policy. Cannot produce them? You are in a much harder spot even if you did everything right.
Keep the following, with timestamps and ideally in a system with an audit trail: consent records (who, when, what disclosure they saw, from what form), DNC scrub records (when you pulled the registry, what version, which list you screened), opt-out requests and when you honored them, your written DNC policy and each version of it, and training completion records for staff.
The TCPA carries a four-year statute of limitations for federal claims under 28 U.S.C. § 1658, so records need to survive at least four years [10]. Some practitioners keep six to be safe, accounting for tolling arguments plaintiffs raise.
Cloud storage with version control is fine. The point is that you can pull a record for any outbound contact showing three things: the number was not on the DNC registry as of your last scrub date, you had consent (for autodial, prerecorded, or SMS to mobile), and any opt-out from that number got processed before the call.
One note. If you use a third-party data vendor and rely on their consent representations, document that too. Courts have found that good-faith reliance on vendor claims is not an affirmative defense under the TCPA, though it can affect the willfulness analysis. The joseph snyder credit one tcpa case shows how consent chain disputes get litigated.
Frequently asked questions
Is there an official government TCPA registration for businesses?
No. There is no federal portal where a business 'registers' for TCPA compliance. The obligations under 47 U.S.C. § 227 are self-executing: follow the rules or face civil liability. The closest things to registration steps are subscribing to the FTC's National DNC Registry and completing 10DLC brand and campaign registration for SMS, but neither grants you compliance status on its own.
How much does it cost to get set up for TCPA compliance?
For a small team, out-of-pocket costs stay modest. FTC DNC access starts at $76 per area code per year (free under 5 calls). 10DLC brand registration costs about $4 one-time. Campaign registration runs $10 to $25 per campaign per month. Legal review of your consent forms and DNC policy might run $500 to $2,000 depending on counsel. The real cost is internal time to audit and update your processes.
What is prior express written consent and how do I get it?
Prior express written consent is a signed agreement authorizing you to contact a specific number with marketing calls or texts using an autodialer or prerecorded voice. Under 47 C.F.R. § 64.1200(f)(9), it must include a clear disclosure that consent is not a condition of purchase. You collect it via a web form, e-signature, or paper form. The consumer must affirmatively opt in. A pre-checked box does not count.
Can I use purchased lead lists for outbound calls?
You can call purchased lists under some conditions, but the risks are real. For live, non-automated calls to numbers not on the DNC registry, federal TCPA rules allow it. For autodialed or prerecorded calls to mobile numbers, you need prior express written consent, and consent does not transfer from the original lead source to you unless the original disclosure named your company. Buying lists and treating the vendor's consent claims as your own is one of the most common paths into TCPA litigation.
Do I need to scrub against state DNC lists as well as the federal registry?
Yes, in states that maintain their own lists. Florida and Texas, among others, run Do Not Call registries separate from the federal list. Scrubbing only the federal registry is not enough if you call into those states. Your dialer vendor may handle state scrubbing, but confirm it in writing. Do not assume. Check each state's attorney general website for current list access procedures.
What is the TCPA statute of limitations for lawsuits against my company?
Federal TCPA claims carry a four-year statute of limitations under 28 U.S.C. § 1658. A consumer can sue you up to four years after a violating call or text. Some plaintiffs argue for tolling that could stretch this further in certain circumstances. This is why compliance records need to survive at least four years, and many practitioners keep them five or six years to be safe.
Does TCPA apply to B2B calls?
Mostly no, but not entirely. The DNC Registry rules apply to residential numbers, not business lines. But if a business employee's personal cell phone gets used for work and that number is on the DNC registry, the analysis gets messy. The autodialer consent rules under 47 U.S.C. § 227(b) apply to any call to a cellular number regardless of personal or business use. B2B calling to business landlines avoids most TCPA exposure. Mobile numbers used by employees are not automatically exempt.
What happens if someone on my team dials a DNC-listed number by accident?
If you established and maintained a written DNC policy, trained your staff, and scrubbed your list within the required 31-day window, the TCPA provides a safe harbor for isolated mistakes, specifically under 47 C.F.R. § 64.1200(c)(2)(i)(A). That safe harbor is narrow and requires documenting that the error was truly inadvertent. It does not protect you from systematic scrubbing failures or policy gaps. Document the error and how you corrected it.
How do I set up an internal Do Not Call list?
Start with a simple database or spreadsheet recording phone numbers, the date of an opt-out request, and the channel it came through (call, text, email request). Every number requesting no further contact goes on this list permanently. Before any outbound campaign launches, screen your call or text list against it. Most CRMs and dialers support a suppression list feature that automates this. Update it in real time when opt-outs come in, not in batches.
Does the TCPA apply to text messages?
Yes. The FCC has consistently interpreted the TCPA to cover text messages sent to wireless numbers, a position affirmed in multiple enforcement actions. Marketing texts to mobile numbers using an autodialer require prior express written consent under 47 C.F.R. § 64.1200(a)(2). Texts also trigger the 10DLC registration requirement at the carrier level. The penalties for non-compliant mass texting match those for calls: $500 to $1,500 per text.
What changed with the FCC's 2024 one-to-one consent rule?
The FCC issued a rule in December 2023 requiring that prior express written consent name the specific seller contacting the consumer, rather than allowing a broad 'marketing partner' category. A consumer opting in on a lead generation site now must consent to your company by name for that consent to cover your outbound calls and texts. This changes how lead aggregators and resellers operate and what consent language you need on third-party lead forms that feed your lists.
How do I handle TCPA compliance for outbound SMS specifically?
For outbound business SMS, you need three things in place: prior express written consent that names your company and describes the message type, 10DLC brand and campaign registration through your messaging provider, and a working opt-out mechanism (STOP should remove the number from your list immediately). For more detail on building a compliant SMS program, the text messaging marketing guide covers campaign setup end to end.
What is the TRACED Act and does it affect my compliance setup?
The Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, signed in 2019, directed the FCC to implement STIR/SHAKEN caller ID authentication and strengthened penalties for illegal robocallers. For legitimate outbound teams, the main practical effect is that calls without STIR/SHAKEN attestation are more likely to get labeled as spam or blocked by carriers and call-blocking apps. Work with your voice provider to make sure your numbers carry full attestation where possible.
Where can I get a TCPA compliance checklist or policy template?
LeadCompliant offers a free one-time compliance kit with a written DNC policy template, a consent audit checklist, and a scrub log template. Beyond that, the FTC's Business Center publishes guidance on the DNC Registry requirements, and the FCC's consumer and enforcement pages cover the TCPA rules in plain language. For more complex operations, a TCPA-experienced attorney review is worth the cost before you scale.
Sources
- FTC, National Do Not Call Registry for telemarketers (donotcall.gov): DNC Registry access costs $76 per area code per year, capped at $21,986 for nationwide access; scrubbing must use a list no older than 31 days
- Legal Information Institute, 47 C.F.R. § 64.1200, prior express written consent definition (Cornell Law): Prior express written consent requires a signed written agreement authorizing contact at a specific number with disclosure that consent is not a condition of purchase
- Legal Information Institute, 47 C.F.R. § 64.1200(d), written DNC policy requirements (Cornell Law): FCC rules require entities making telemarketing calls to maintain a written Do Not Call policy and honor opt-out requests within 30 days
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act (Cornell Law): TCPA statutory damages are $500 per negligent violation and $1,500 per willful or knowing violation
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the ATDS definition in 2021, holding that a device must have the capacity to use a random or sequential number generator to produce or store numbers
- California Legislative Information, California Invasion of Privacy Act, Penal Code § 632.7: CIPA § 632.7 prohibits recording a cellular or cordless call without consent of all parties
- U.S. Code, 28 U.S.C. § 1658, four-year federal statute of limitations (Cornell Law): Federal civil claims have a four-year statute of limitations, which applies to TCPA federal claims
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310 (ftc.gov): TSR governs DNC Registry subscription requirements and scrubbing obligations for telemarketers