Laws about robocalls: what every caller must know in 2025

TCPA fines run $500, $1,500 per call. This guide covers every major robocall law, recent FCC rules, and what your team must do to stay legal.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-11

Old office landline phone on a desk beside compliance paperwork in afternoon light
Old office landline phone on a desk beside compliance paperwork in afternoon light

TL;DR

The Telephone Consumer Protection Act (47 U.S.C. § 227) is the main federal law governing robocalls. It bans autodialed or prerecorded calls to cell phones without prior express consent, caps damages at $500 to $1,500 per violation, and the FCC keeps adding rules, including a February 2024 AI-voice ruling. State laws can be stricter. There is no safe harbor for guessing.

What is the main federal law about robocalls?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, is the federal law that governs robocalls, autodialed calls, and prerecorded voice messages. Congress passed it in 1991, back when home phone lines were drowning in automated calls. The FCC enforces it and writes the implementing rules under 47 C.F.R. Part 64. [1]

The statute makes it unlawful "to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice" to any emergency line, hospital line, cellular telephone, or any service where the called party pays for the call. [1] That one sentence is the foundation under thousands of class action lawsuits.

The FTC runs a parallel track over telemarketing under the Telemarketing Sales Rule (16 C.F.R. Part 310). It overlaps with the TCPA but stays a separate rule. The TSR covers deceptive practices and the National Do Not Call Registry. The TCPA covers the dialing technology and the consent to be called. [7]

Read those two rules before anything else. State laws, FCC orders, and private litigation all stack on top of them.

What counts as a robocall under the law?

A robocall, in legal terms, is any call placed with an Automatic Telephone Dialing System (ATDS) or any call that plays a prerecorded or artificial voice. The TCPA treats those as two separate triggers. You can face liability for a prerecorded message even if a human dialed the number by hand. [1]

The ATDS definition has been fought over for years. In Facebook v. Duguid (2021), the Supreme Court narrowed it, holding that an ATDS must use a random or sequential number generator to store or produce numbers, more than dial from a stored list. [3] That helped a lot of companies. It did not clear the field, because the prerecorded-voice prong still bites no matter what dialed the call.

So if your platform plays a recorded message, or uses text-to-speech to deliver a personalized line, you are almost certainly inside the statute. The clean zone is a live agent calling from a manually operated phone with no prerecorded component. Even then, a cell number still means you honor the National DNC Registry.

One more piece. The FCC has confirmed that AI-generated voices are artificial voices under the TCPA. A February 2024 Declaratory Ruling put it plainly: calls using AI-generated voices need the same prior express written consent as any other prerecorded call. [4] That closed a door some vendors had been slipping through.

The consent standard turns on what you are calling about. Marketing gets the strict rule. Informational calls get a softer one.

For telemarketing calls to cell phones using an ATDS or prerecorded voice, the TCPA requires prior express written consent. The FCC defines that as a signed agreement (paper or electronic) that names the specific seller, authorizes autodialed or prerecorded marketing calls, and lists the number the consumer is authorizing. The agreement has to say that consent is not a condition of purchase. [5]

For non-telemarketing informational calls (appointment reminders, delivery notices, fraud alerts), the standard is prior express consent, a lower bar. The consumer just needs to have handed you their number in a context where calls are expected.

Prerecorded telemarketing calls to residential landlines also require prior express written consent under FCC rules updated in 2012. People forget landlines are covered. They are.

Consent is call-specific. A consumer who gave you a number to finish a purchase did not sign up for autodialed marketing from your partners. This is where the FCC's one-to-one consent rule lands. Adopted in December 2023 and effective in 2025, it requires consent to name one seller at a time. [5] Lead generators who relied on broad language covering hundreds of partners lost that model overnight.

The short version: if you cannot point to a signed, specific, dated consent record for a number, do not autodial it with a marketing message.

What are the TCPA penalties per robocall violation?

The TCPA sets statutory damages at $500 per violation for negligent violations. If a court finds the violation was willful or knowing, damages climb to $1,500 per call. [1] There is no cap per lawsuit, only per call. A class action covering 100,000 calls can carry $50 million to $150 million in exposure before attorneys' fees.

The FCC can also assess forfeitures on its own, separate from private suits. In 2021 the FCC proposed a $225 million forfeiture against a health insurance robocall operation, the largest robocall fine it had ever proposed at the time. [6]

Private plaintiffs do not need to prove a dollar of actual harm. Getting the illegal call is enough to sue. Per-call damages plus a zero actual-harm standing bar is exactly why TCPA class actions are a favorite of the plaintiff's bar.

State attorneys general bring their own actions, and some states pile on multipliers. Texas allows up to $10,000 per knowing violation under its Business and Commerce Code. Florida's Mini-TCPA, passed in 2021, carries its own definitions and its own private right of action.

The table below lays out the core federal penalty structure next to a few notable state laws.

JurisdictionStatutePer-Violation Fine (Civil)Notes
Federal (TCPA)47 U.S.C. § 227$500 (negligent) / $1,500 (willful)Private right of action, class actions common
Federal (TSR)16 C.F.R. § 310Up to $51,744 per day per violation (FTC)Government enforcement only
FloridaFla. Stat. § 501.059$500 / $1,500 (willful)Covers calls with an "automated system"
TexasTex. Bus. & Com. Code § 305.053Up to $10,000 per knowing violationAG enforcement
CaliforniaCal. Pub. Util. Code § 2874Varies; CIPA suits common at $5,000/callOften combined with TCPA claims[1][6]
TCPA and related robocall violation penalties Civil penalty per violation by law or enforcement action TCPA (negligent) $500 TCPA (willful/knowing) $1,500 Texas state law (knowing violatio… $10k FTC TSR (per day, per violation) $52k Source: 47 U.S.C. § 227 [1]; FTC TSR 16 C.F.R. § 310 [7]; FCC 2021 enforcement action [6]

What new laws about robocalls have passed recently?

Several new laws and rules have taken effect since 2019, and a couple more are worth watching. Here is what changed.

TRACED Act (2019): The Pallone-Thune TRACED Act (Pub. L. 116-105) required voice providers to implement STIR/SHAKEN call authentication by June 2021. STIR/SHAKEN cryptographically signs caller ID so the receiving carrier can check whether the displayed number matches the originating carrier's records. The point was to cut down on spoofed caller ID. By mid-2022, major carriers had it running for most IP-based calls. [10]

FCC one-to-one consent rule (effective 2025): The FCC's December 2023 order requires written consent for automated marketing calls to name a single seller and to be logically and topically related to the site or interaction where consent was captured. A consent form on a home insurance comparison page can no longer bundle consent for a hundred unrelated lenders. [5]

FCC AI voice ruling (February 2024): The FCC declared that calls using AI-generated voices carry the same prior express written consent requirement as any other prerecorded call. [4] It came right after the January 2024 New Hampshire primary, where an AI-generated voice mimicking a political figure went out in robocalls.

Origination liability proposals: As of mid-2025, the FCC has open proceedings on extending STIR/SHAKEN to smaller voice providers and tightening rules on carriers that originate illegal traffic. Nothing is final. But originating carriers that knowingly pass illegal robocall traffic face growing scrutiny.

The TRACED Act also told the FCC to report on STIR/SHAKEN's effectiveness. Those reports are public and show real drops in spoofed calls reaching consumers, though total illegal robocall volume is still high.

How does the National Do Not Call Registry apply to robocalls?

The National Do Not Call Registry, run by the FTC at donotcall.gov, lets consumers register residential and cell numbers. Once a number has been listed for 31 days, telemarketers cannot call it. [2]

The registry covers telemarketing calls whether they are automated or not. A live agent making a manual outbound call to a cell number still cannot call a registered number without an established business relationship or an express invitation. The TCPA and the TSR work together here: the registry is the TSR mechanism, and violating it can also create TCPA exposure.

Exemptions cover political organizations, charities soliciting donations, survey calls (gray areas exist), and numbers where you have an established business relationship (EBR). The EBR exemption expires: 18 months from the last purchase or financial transaction, or 3 months from an inquiry. After that, the registration controls.

Businesses have to scrub call lists against the registry at least every 31 days. The FTC gives registered organizations API access to check numbers. Failing to scrub is a violation on its own, whether or not you actually dial a registered number.

State DNC rules can be stricter. Indiana runs its own state list with extra restrictions. You can read more at Indiana do not call list. Tennessee has similar state-level rules covered at Tennessee do not call list.

Do robocall laws apply differently to cell phones versus landlines?

Yes, and the gap is wide. Cell phones get stronger protection under the TCPA than residential landlines do.

For cell phones, the TCPA requires prior express consent for any autodialed call or text, and prior express written consent for any telemarketing call made with an ATDS or prerecorded voice. That holds whether or not the number sits on the DNC registry. Courts have argued over the exact scope, but the consent requirement reaches even purely informational calls under many readings. [1]

For residential landlines, the bar is lower for purely informational (non-telemarketing) autodialed calls. Prerecorded telemarketing calls to landlines still require prior express written consent under the FCC's 2012 rules. The old established business relationship exemption for prerecorded landline calls died in 2012.

Here is the practical trap. Numbers port between landline and cell service all the time. A number you scrubbed as a landline three months ago may be a cell today. The FCC has said callers carry that risk.

The Reassigned Numbers Database (RND), launched by the FCC in 2021, is a subscription database tracking numbers that moved from one subscriber to another. It offers a safe harbor: check the RND, call a number the database says was not reassigned after you got consent, and you have protection against a claim from a new subscriber who never consented. [8]

What are the rules for political and nonprofit robocalls?

Political robocalls sit in an odd spot. The TCPA exempts political calls from the DNC Registry, so campaigns and advocacy groups can call registered numbers. The cell phone consent requirement does not budge, though. It still applies to autodialed calls no matter the content. [1]

So an autodialed political call to a cell phone without consent still violates the TCPA, even though it is exempt from DNC rules. Courts have held this over and over, and campaigns have been sued for blast-texting and robocalling cell numbers without consent.

Nonprofit charitable solicitations are also exempt from the DNC Registry under the TSR. Same catch: autodialing cell phones without consent is a separate TCPA problem the exemption does not fix.

The February 2024 FCC AI voice ruling cited the New Hampshire primary incident directly, a signal that the FCC plans to apply TCPA rules to political robocalls using AI voices. [4]

Bottom line for political and nonprofit callers: you can call DNC-registered numbers, but you cannot autodial or send prerecorded calls to cell phones without consent, and AI voice calls need written consent like any other prerecorded call.

What do state robocall laws add on top of federal rules?

Federal law sets a floor, not a ceiling. Plenty of states have passed their own robocall and autodialed call rules that reach further.

Florida's Telephone Solicitation Act, amended in 2021 and known as the Florida Mini-TCPA, defines "automated system" more broadly than the federal ATDS standard and applies to calls and texts to Florida numbers regardless of where the caller sits. It has its own private right of action. Florida courts have handled heavy TCPA-style litigation under this state law since 2021.

California's Invasion of Privacy Act (CIPA) governs call recording and shows up alongside autodialer claims. California call recording laws covers the recording side in depth.

Washington state runs both a DNC list and call recording rules. The Do not call list Washington page covers what callers need there.

Pennsylvania has its own Telemarketer Registration Act on top of federal rules. See Pennsylvania do not call list for specifics.

Illinois maintains a state DNC list run by the AG's office, with its own telemarketer registration. Do not call list Illinois has the details.

Many states also have call recording laws that apply on their own. A robocall carrying a recorded message can trip recording consent laws in two-party consent states. See is it against the law to record phone calls for a state-by-state breakdown.

The practical point: if you call into multiple states, comply with the strictest applicable law for each recipient's state, more than federal law.

What must a compliant robocall or prerecorded message include?

Even with proper consent, the TCPA and FCC rules require specific disclosures in every prerecorded telemarketing message. None of them are optional. [1]

At the start of the message, it has to state the name of the business, person, or entity the call is made on behalf of. During or after the message, it has to give a phone number where the business can be reached, and that number must work during regular business hours.

Telemarketing calls need one more thing: an automated opt-out mechanism. The called party has to be able to opt out of future calls right during the call, usually by pressing a key. Use it, and you cannot call that person again. The opt-out has to cost the consumer nothing.

Time-of-day limits apply too. Telemarketing calls, robocall or live, cannot go out before 8 a.m. or after 9 p.m. in the called party's local time. That is the federal floor. Some states are tighter.

Keeping consent records is not a nicety. It is your defense. The FCC's rules and plaintiff discovery both demand you produce them. If you cannot show the signed consent form, the capture date, and the signature or IP address, court gets brutal fast.

LeadCompliant's compliance kit includes a consent record template and a prerecorded message checklist built to match these FCC requirements, if you want a structured starting point.

STIR/SHAKEN is a technical framework mandated by the TRACED Act (2019) to attack caller ID spoofing, the trick robocallers use to hide where a call really comes from. STIR stands for Secure Telephone Identity Revisited. SHAKEN stands for Signature-based Handling of Asserted information using toKENs. [10]

Under the framework, the originating carrier cryptographically signs the caller ID it passes with a call. The terminating carrier (the one delivering it to your phone) checks that signature. Each call gets an attestation level: A (full, the carrier knows the customer and that the number is authorized), B (partial), or C (gateway, limited info). Calls with no attestation or C-level attestation can get flagged as "Spam Likely."

STIR/SHAKEN does not hand consumers a private right of action. It is a carrier-level obligation. Failing to implement it can bring FCC enforcement against the carrier, and the FCC runs a Robocall Mitigation Database where carriers file their mitigation plans. Carriers that fail to file can be cut off from the US phone network. [10]

For outbound sales teams, the effect is direct. Calls from numbers with poor attestation, or from providers missing from the database, get filtered or blocked by major carriers before they ever reach a consumer. That is a revenue problem as much as a legal one. A reputable originating carrier with proper STIR/SHAKEN implementation is both a compliance requirement and a deliverability one.

What should you actually do to comply with robocall laws right now?

Here is the practical part. You do not need a law firm on retainer for basic compliance. You do need documented processes.

Start with consent. Every number you plan to autodial or hit with a prerecorded call needs a written consent record. If you bought a list, that list almost certainly does not carry consent records that meet the TCPA, let alone the 2025 one-to-one rule. Treat purchased lists as undialable until you verify consent or move to manual, non-prerecorded outreach.

Scrub against the National DNC Registry every 31 days at a minimum. If you work states with their own lists (Indiana, Tennessee, Washington, Pennsylvania, Illinois), scrub those separately on the same schedule.

Check the FCC's Reassigned Numbers Database before calling any number whose consent record is more than a few months old. For real call volume, the safe harbor is worth the subscription. [8]

Set time-of-day controls in your dialer so nothing goes out before 8 a.m. or after 9 p.m. in the recipient's time zone. Make it automatic, not a thing someone remembers to do.

Every prerecorded message has to name your company, give a callback number, and carry a working opt-out. Save the script you used and keep a copy.

If your team is unsure where to start, LeadCompliant's free compliance kit has a DNC scrub checklist, a consent capture template, and a message disclosure audit form. Free tools, not a replacement for counsel on the hard cases.

Document everything. The first thing a plaintiff's attorney asks for in discovery is your consent records and your DNC scrub logs. If those do not exist, the case gets a lot harder to win.

Frequently asked questions

Is there a new law against robocalls in 2024 or 2025?

Yes. Two big changes hit recently. In February 2024, the FCC issued a Declaratory Ruling that AI-generated voice calls fall under the TCPA's prior express written consent requirement, effectively banning AI robocalls without consent. In 2025, the FCC's one-to-one consent rule took effect, requiring each consent to name a single specific seller. Neither is a brand-new statute, but both are binding new rules.

Can I legally robocall someone who gave me their number?

It depends on how they gave it and what you're calling about. Giving a number to complete a transaction is prior express consent for informational calls but not for autodialed telemarketing. For marketing calls to cell phones, you need prior express written consent: a signed agreement specifically authorizing autodialed or prerecorded marketing calls from your company. A phone number on a web form without that language is not enough.

What is the TRACED Act and does it still matter?

The TRACED Act (Pub. L. 116-105), signed in December 2019, required carriers to implement STIR/SHAKEN caller ID authentication and gave the FCC stronger enforcement power over illegal robocallers. It still matters because it created ongoing carrier obligations and the Robocall Mitigation Database, which the FCC uses to block non-compliant carriers. For callers, it means spoofed caller ID is increasingly detectable and risky.

Political robocalls are exempt from the National DNC Registry, so campaigns can call registered numbers. But the TCPA's cell phone consent requirement still applies. Autodialing cell phones without prior express consent is illegal regardless of the political content. The FCC's 2024 AI voice ruling also covers political calls using AI-generated voices, which need prior express written consent just like any other prerecorded call.

What is the fine for making an illegal robocall?

Under the TCPA, $500 per call for negligent violations and up to $1,500 per call for willful or knowing violations. There is no lawsuit cap, only a per-call cap, so class actions over millions of calls can reach nine-figure liability. The FTC can separately assess civil penalties under the Telemarketing Sales Rule of up to $51,744 per day per violation. State laws like Texas add up to $10,000 per knowing violation on top.

Do robocall laws apply to text messages?

Yes. The TCPA applies to text messages sent using an automatic telephone dialing system. The FCC confirmed this in 2003 and courts have upheld it since. An autodialed marketing text to a cell phone without prior express written consent violates the TCPA the same way an autodialed voice call does. The consent requirements, DNC scrubbing obligations, and opt-out rules all apply to texts.

What is STIR/SHAKEN and do I need to worry about it?

STIR/SHAKEN is a caller ID authentication framework required by the TRACED Act. Carriers cryptographically sign outbound calls so receiving carriers can verify the number is legitimate. For callers, the effect is that calls from unattested numbers or from providers missing from the FCC's Robocall Mitigation Database get filtered as spam more often. A compliant originating carrier matters for both legal compliance and answer rates.

How does the National Do Not Call Registry work for robocalls?

The FTC's National DNC Registry lets consumers register numbers to block telemarketing calls. After 31 days on the registry, telemarketers cannot call that number. Businesses must scrub call lists against the registry at least every 31 days. Exemptions exist for political calls, charities, and existing business relationships (up to 18 months post-transaction). Failure to scrub is a violation on its own, separate from whether you reach a registered number.

What did Facebook v. Duguid change about robocall law?

In 2021, the Supreme Court narrowed the TCPA's ATDS definition, holding it covers only systems that use a random or sequential number generator to store or produce numbers. Systems that dial from a pre-loaded list without random generation may not qualify as an ATDS. But the prerecorded-voice prong of the TCPA still applies on its own, so many robocall scenarios stay illegal even when the ATDS definition is not met.

Can my business use ringless voicemail without violating the TCPA?

This is contested. Ringless voicemail (RVM) drops a message straight into a voicemail server without the phone ringing. Some argue it is not a 'call' under the TCPA. Others argue it is. The FCC has not issued a definitive ruling, and courts have split. Several states have moved to treat RVM as a call under their own laws. Treating RVM as requiring the same consent as a prerecorded call is the conservative, defensible position until the FCC rules.

Do robocall laws apply if I'm calling businesses (B2B)?

The TCPA is read broadly to cover calls to any cellular number, including numbers used for business. If the number is a cell phone, consent requirements apply. Calls to business landlines face fewer TCPA restrictions, but state laws and the FTC's TSR may still apply. The safe approach is to treat any cell number as subject to full TCPA requirements, whether it belongs to an individual or a business contact.

What records do I need to keep to defend a TCPA lawsuit?

At minimum: the signed consent record for each called number (date, time, IP address, exact consent language), your DNC scrub logs showing when you scrubbed lists and which database version you used, your call logs, any opt-out records, and copies of your prerecorded message scripts. Courts expect you to produce these in discovery. If you cannot, summary judgment gets very hard. Keep these records for at least four years, which covers the TCPA's statute of limitations.

The FCC's one-to-one consent rule requires that written consent for autodialed or prerecorded telemarketing calls name one specific seller, not a group of unaffiliated companies. Consent also has to be logically and topically related to the site or interaction where it was captured. Lead generation sites that bundled consent for hundreds of partners in a single checkbox now operate outside the rule. Each seller needs its own separate, individually named consent.

Sources

  1. U.S. Congress / FCC, Telephone Consumer Protection Act, 47 U.S.C. § 227: TCPA bans autodialed and prerecorded calls to cell phones without prior express consent; sets $500/$1,500 per-violation damages
  2. FTC, National Do Not Call Registry information for businesses: National DNC Registry requires telemarketers to scrub lists every 31 days; exemptions for political, charitable, and EBR calls
  3. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems using random or sequential number generation
  4. FCC, Declaratory Ruling on AI-Generated Voice Calls (February 2024): FCC declared AI-generated voice calls are artificial or prerecorded voices under TCPA, requiring prior express written consent
  5. FCC, Report and Order on One-to-One Consent (FCC 23-107, December 2023, effective 2025): FCC's one-to-one consent rule requires written consent to name a single seller
  6. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR governs deceptive telemarketing practices; FTC civil penalties up to $51,744 per day per violation
  7. FCC, Reassigned Numbers Database (official portal): FCC launched Reassigned Numbers Database in 2021; checking it provides safe harbor against claims from new subscribers
  8. eCFR, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR governs deceptive telemarketing practices and the National Do Not Call Registry; FTC civil penalties up to $51,744 per day per violation
  9. U.S. Congress, TRACED Act (Pub. L. 116-105), December 2019: TRACED Act mandated STIR/SHAKEN and gave FCC stronger enforcement authority over illegal robocallers

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

LeadCompliant
Build My Kit