Last updated 2026-07-11

TL;DR
You don't have to stop calling or texting to cut TCPA risk. Scrub against the National DNC Registry, document consent properly, honor opt-outs within 30 days, and train reps on calling hours. All of it costs almost nothing next to the $500, $1,500 per-violation exposure the statute creates. Most small teams fix 80% of their risk in a weekend.
What does TCPA exposure actually look like for a small outbound team?
The Telephone Consumer Protection Act, 47 U.S.C. § 227, lets anyone you call or text without proper consent sue you for $500 per violation, or $1,500 if the violation was willful [1]. Class actions have no cap. A single bad list of 10,000 numbers can turn into a $15 million lawsuit overnight, which is close to what happened when Cash App faced a TCPA class action over unwanted texts (see the cash app tcpa class action settlement).
For small teams, the math is brutal. You probably can't afford the $500,000-plus in legal fees to defend a class action even if you win. Plaintiffs' attorneys know this. They use it. TCPA class settlements have ranged from a few million to over $75 million depending on class size, call volume, and how bad the defendant's records looked [2].
Here's the part nobody tells you. Most TCPA exposure at small companies comes from a handful of fixable process gaps, not some exotic compliance failure. Bad list hygiene. No documented consent. Missed opt-outs. Reps who call after 9 p.m. on a whim. These are solvable, and most of the fixes cost under $200 a month total. Some cost nothing.
How much does it cost to scrub against the National DNC Registry?
Access to the National Do Not Call Registry costs $75 per area code per year, with a $75 minimum covering up to five area codes. Need every area code? The annual fee caps at $20,491 for the 2024 fiscal year [3]. A team calling one or two states pays $75 to a few hundred dollars a year. That's the highest-ROI spend in outbound compliance, full stop.
Scrubbing means comparing your dialing list against the registry before you call. The FTC requires you to pull updated data at least every 31 days [4]. Let 90 days pass, dial a number that was added six weeks ago, and you have no defense.
For who's on the list and how to get access, read our guide on the do not call list and how do i get the do not call list. The registry covers landlines and cell phones, so the mobile phone do not call list is the same database, not a separate file.
One practical note. You also need a company-specific internal DNC list. Anyone who tells you to stop calling goes on that list within 30 days, and you honor the request for at least five years [4]. A spreadsheet works. No regulation requires fancy software for this part.
What calling hours are required by law, and how do you enforce them cheaply?
Federal law under the FTC's Telemarketing Sales Rule bans telemarketing calls before 8 a.m. or after 9 p.m. in the called party's local time zone [5]. Not your time zone. Theirs. A rep in New York calling California at 8:30 p.m. Eastern is calling at 5:30 p.m. Pacific, which is fine. A call to an Eastern number at 9:30 p.m. Eastern is illegal.
This is one of the cheapest fixes you'll make. Most CRMs and dialers let you set time-zone restrictions by area code, or import time zones with your contact records. Spend an hour configuring your dialer. Done. If your reps dial manually, a printed time-zone card at each desk costs nothing.
Some states run tighter windows. Florida keeps the 8 a.m. to 9 p.m. local frame but layers on state-specific rules under its Mini-TCPA, the Florida Telephone Solicitation Act, that beat federal law in several ways [6]. Calling into multiple states? A one-time state-by-state reference check takes about two hours and saves you from the states that restrict hours further.
Do you need written consent for every type of outbound call?
No. The answer depends on what technology you use and what the call is about. That's where teams get tripped up.
For calls or texts to cell phones using an automatic telephone dialing system (ATDS) or a prerecorded voice, the TCPA requires prior express written consent for telemarketing [1]. Under FCC rules, that consent is a signed agreement (physical or electronic) that clearly authorizes you to contact the person by automated means for marketing, and it has to name the phone number they're agreeing to be reached at [7].
For purely informational calls to cell phones (appointment reminders, fraud alerts, delivery notifications), the bar drops to prior express consent, which can be oral or implied from the business relationship [7].
For prerecorded messages to landlines, the written consent requirement applies to telemarketing. Live-agent calls to landlines on an established business relationship have more room, but the EBR exemption is narrower than most people think, and the FCC has trimmed it over the past decade.
Doing cold calling with a live agent to a landline that isn't on the DNC list? Federal law generally permits it without pre-obtained consent, as long as you honor opt-outs and calling hours. For a cold call to a cell phone, the ATDS question decides everything: if your dialer can auto-dial, you need consent whether or not you're using that feature [7].
Documenting consent costs almost nothing. Add an unchecked consent box to your web forms, include the phone number field with a clear disclosure, and save the timestamp and IP address. Most form tools do this for you.
What is the cheapest way to document and store consent records?
Consent documentation is your only real defense when a plaintiff sues. Can't produce a record showing the person agreed to be contacted? You lose on summary judgment. That's the whole game.
The fix for a small team is unglamorous. A database field or a linked document that captures four things: the date and time of consent, the phone number the person gave, the exact disclosure language they agreed to, and the source (which web form, which landing page URL, which opt-in flow). Most CRMs allow custom fields. A Google Sheet linked to your form submissions works if your CRM can't.
Store these records at least four years. The TCPA's statute of limitations runs four years under 28 U.S.C. § 1658, though some state claims use different windows [8]. Plenty of practitioners keep records five years to be safe in states with longer periods.
Third-party lead buys create the worst consent gap. Buy leads and you need the original consent record from the vendor, not their word that consent happened. Ask for the timestamp, the disclosure language shown to the consumer, and the URL. If the vendor won't hand those over, the lead is legally dangerous no matter how cheap it is.
LeadCompliant's free consent checker and DNC lookup tools let you spot-check an existing list before you dial it. That's not a substitute for full list scrubbing, but it catches obvious problems fast.
How do you build a cheap but effective internal do-not-call list?
Federal regulations under 16 CFR 310.4(b)(1)(iii) require telemarketers to keep a company-specific DNC list and honor requests within 30 days [4]. You also have to tell people who ask what your DNC policy is.
The cheapest build: a shared spreadsheet (Google Sheets, Excel, whatever) with columns for phone number, name, date of request, and source (call, email, text). Every rep gets edit access. Before dialing anyone, they check the sheet, or your CRM, where these numbers are marked DNC.
The less cheap, better version: a DNC field in your CRM that automatically pulls flagged records out of dialing queues. Most CRMs have this natively. Setup takes under an hour. It removes the human error of a rep forgetting to check the spreadsheet.
Either way, test it. Every quarter, call a number you know is on your internal DNC list. If it dials, you have a process failure. A lot of TCPA suits come from serial plaintiffs who request DNC status, then call back to see if you honor it. If you don't, they sue. This is a documented plaintiff strategy [2].
For telemarketer-specific DNC obligations, the do not call telemarketer list article covers the vendor-side requirements in more detail.
What does caller ID compliance cost, and why does it matter?
The FCC's Truth in Caller ID rules ban transmitting misleading or inaccurate caller ID information with intent to defraud, cause harm, or wrongfully get something of value [9]. In practice, that means you display a number (a) assigned to you or your business and (b) that people can call back to reach you. Spoofing to dodge callbacks is illegal.
There's a practical reason to care beyond the legal floor. Carriers and analytics platforms like First Orion and TNS flag high-complaint numbers as "Spam Likely" or "Scam Likely." Once a number gets flagged, answer rates crater, sometimes under 5%. High-volume outbound needs multiple numbers and a rotation plan.
Number registration is the modern fix. The FCC's STIR/SHAKEN framework and most major carriers now let you register outbound numbers as verified business callers [9]. Cost runs from free (some carriers include basic verification) to roughly $10 to $20 per number per month for branded calling that shows your company name on the recipient's screen. A team using 3 to 5 numbers spends $30 to $100 a month.
Rotating numbers too aggressively is its own trap. Churning through new numbers to escape spam flags looks like intent to evade, and carriers increasingly flag that pattern on its own.
How much does TCPA compliance training for sales reps actually cost?
Almost nothing. The cost is time.
A one-hour session covering calling hours by time zone, how to log a DNC request, what an opt-out means and how fast to honor it, and what not to say about prerecorded messages knocks out most of the human-error risk. Document that it happened. A sign-in sheet, a quiz, or a calendar invite with the agenda attached all work as a paper trail.
The Credit One TCPA settlement, one of the larger individual cases, turned heavily on calls placed after an explicit revocation of consent, where the company's internal process failed to stop the calls [2]. Training wouldn't have fixed all of it. But a rep who knows that a verbal "stop calling me" means an immediate DNC add is real risk reduction.
See the credit one tcpa settlement breakdown for a concrete example of what process failure looks like from the plaintiff's side in a high-stakes case.
The tcpa article covers the full statutory framework if your reps want a readable explainer they'll actually sit through.
What does a basic TCPA compliance process cost compared to the risk it offsets?
Here's a realistic monthly picture for a team of 5 to 10 reps doing outbound calls and texts.
| Item | Estimated monthly cost |
|---|---|
| National DNC Registry access (3 states) | ~$19/mo (annualized from $225/yr) |
| CRM DNC field + internal list setup | $0 (one-time hour of work) |
| Consent timestamp logging (web form) | $0 (native in most form tools) |
| Caller ID / STIR-SHAKEN registration | $0 to $50/mo |
| Text message opt-out compliance (platform feature) | $0 to $20/mo depending on SMS platform |
| Quarterly rep training (1 hr) | $0 to $50 (staff time) |
| Total | ~$20 to $140/mo |
Now the risk side. A solo plaintiff filing over 10 calls is looking at $5,000 to $15,000 in statutory damages, plus their attorney's fees. Settling runs $5,000 to $50,000 in most small cases, and that's before your own legal bill. Your entire annual compliance budget from the table above is $240 to $1,680.
This is not a hard call.
For high-volume text outreach, the text message marketing guide covers opt-out mechanics and the 10DLC registration that now applies to most commercial SMS traffic in the U.S.
What are the most common TCPA mistakes that small teams make and how do you avoid them?
After reading through hundreds of TCPA case filings, a few patterns repeat constantly.
First is calling cell phones with an auto-dialer and no consent. Teams that move from manual dialing to a power dialer or predictive dialer often don't notice the legal line they've crossed. If the platform can dial without a human starting each call, it very likely qualifies as an ATDS under the FCC's broad reading, which means you need prior express written consent for marketing calls to cell phones [7].
Second is ignoring state law. Federal TCPA is the floor, not the ceiling. Florida, Texas, and Washington have added their own telemarketing rules with their own statutory damages, sometimes above federal amounts. Florida's FTSA allows $500 per text received without consent, with no class action cap [6]. Calling into a state without checking its specific rules is a serious gap.
Third is treating verbal opt-outs as suggestions. Under the FCC's 2015 TCPA Order and later guidance, a consumer can revoke consent by any reasonable means, including a verbal "don't call me again" on a live call [7]. Log it. Honor it. The FCC's own words: "a called party may revoke consent at any time and through any reasonable means." Failing to honor it is willful, which flips $500 per call to $1,500.
Fourth is third-party lead risk. Buying a list of "opted-in" leads transfers no legal protection to you unless you hold the specific consent records. Courts have held that the seller's say-so is not enough [8].
Fixing all four costs more time than money.
Are there free tools that help reduce TCPA exposure right now?
Yes. Several are genuinely useful.
The FTC's National Do Not Call Registry (donotcall.gov) lets you look up individual numbers at no cost, though bulk access needs a paid subscription [3]. For spot-checking a small prospect list before a campaign, the free lookup is enough.
The FCC's consumer complaint center (fcc.gov/consumer-help-center) shows what kinds of calling behavior generate complaints, which is a useful gut check on your own practices even if it isn't a legal ruling [9].
For text compliance, the industry's 10DLC registration program (run through The Campaign Registry and the carriers) verifies whether your sending numbers are properly registered, which matters for both deliverability and legal footing [10].
LeadCompliant offers a free DNC checker and a one-time compliance kit that walks through the process gaps in this article. It's a practical starting point for teams that want a checklist instead of building their own.
None of these replace a TCPA attorney's review of your specific program. They catch the obvious holes that generate the most liability, and they cost nothing to run.
When should a small team actually pay for a TCPA attorney review?
Pay for a one-time attorney review, at $500 to $2,000, if you're doing any of these: using a predictive or auto-dialer to call cell phones, running SMS marketing to purchased lists, operating in Florida or Washington where the state TCPA-analog laws bite hardest, or scaling past about 50,000 dials a month.
Very small teams doing manual dialing to landlines from organically generated leads? The free and low-cost steps in this article probably cover 90% of your exposure without attorney fees.
The document to put in front of a lawyer is your consent language. The exact words on your web form, your opt-in checkbox disclosure, and your text welcome message are the artifacts courts read closely. Getting those drafted right once is a small spend against the risk.
Nobody has good public data on what share of TCPA suits target teams under 10 reps specifically. But plaintiff attorney blogs make it clear they go after anyone with a dialer and a purchased list. Small companies that can't afford to fight are often the preferred targets, precisely because they settle fast.
Frequently asked questions
How often do I need to scrub my list against the National DNC Registry?
At minimum every 31 days. The FTC's Telemarketing Sales Rule (16 CFR 310.4) requires you to access updated DNC data and remove flagged numbers within 31 days of a consumer registering. If you run ongoing campaigns, build a monthly scrub into your list prep. Miss the window and calls to newly registered numbers have no safe harbor.
Does the TCPA apply to B2B calls?
Mostly no, with real exceptions. The TCPA's consent rules apply to calls to residential numbers and to cell phones. Pure B2B calls to a business's main landline generally fall outside its residential protections, though the FTC's Telemarketing Sales Rule and state laws can still apply. Call someone's personal cell phone for a business pitch and the TCPA's cell phone rules apply, no matter what you call it.
What is prior express written consent and how do I get it?
It's a signed (physical or electronic) agreement in which the consumer clearly authorizes your company to contact them at a specific phone number using automated dialing or prerecorded messages for marketing. Under 47 CFR 64.1200, it must include the phone number and can't be a condition of purchase. An unchecked checkbox on a web form with clear disclosure language is the standard method.
Can someone sue me personally for TCPA violations, or only my company?
Courts have allowed individual officers and employees to be named in TCPA suits, especially where the person personally directed or took part in the illegal calling. It's uncommon for rank-and-file reps. But founders and compliance owners who knew about violations and let them continue have faced personal liability in some cases. One more reason to get the basics right before volume scales.
How quickly do I have to honor a do-not-call request?
Under FTC rules, honor an internal DNC request within 30 days of receiving it. For text opt-outs specifically, the industry messaging guidelines and most carrier requirements say you process the opt-out and stop sending within 10 business days. Many platforms handle this automatically, but verify your SMS vendor's opt-out handling before you launch any text campaign.
Is an existing business relationship a valid defense against TCPA claims?
For the National DNC Registry, yes, there's a limited exemption. If a consumer made a purchase, payment, or inquiry within 18 months (for a purchase) or 3 months (for an inquiry without purchase) before the call, the EBR exemption may apply for DNC-listed numbers. It does not apply to calls made with an ATDS or prerecorded voice to cell phones, where written consent is required regardless of the relationship.
What is STIR/SHAKEN and do I need to worry about it?
STIR/SHAKEN is the framework the FCC mandated to authenticate caller ID and cut down on spoofing. Carriers now sign and verify call origin data. If your calls aren't authenticated, they may show as unverified or get flagged as potential spam by receiving carriers. Most VoIP providers handle STIR/SHAKEN for you, but confirm yours is compliant, especially if answer rates dropped unexpectedly.
Do text message campaigns have different TCPA rules than phone calls?
Yes and no. The TCPA treats texts as calls, so the same prior express written consent requirement applies to marketing texts sent via ATDS to cell phones. Texts also need a clear opt-out (usually replying STOP), and you honor it immediately. Commercial SMS also requires 10DLC registration with carriers, which affects deliverability and is separate from TCPA consent, though both matter.
What records should I keep to defend a TCPA lawsuit?
Keep consent records (timestamp, phone number, disclosure language shown, source URL), your DNC list and the date of each entry, your National DNC Registry scrub logs with dates, call records showing time of call and number dialed, and any opt-out requests with the date received and date honored. Retain all of it at least four years. Courts have granted summary judgment against defendants whose records were incomplete or lost.
What happens if I bought leads and the consent was obtained by someone else?
You inherit the legal risk without any legal protection unless you hold the actual consent documentation. Courts have held that a lead vendor's claim that leads are 'opted in' is not a defense for the buyer. If you can't produce the original consent record showing the consumer agreed to be contacted by your company (or companies like yours), you're exposed. Require consent documentation from lead vendors before dialing.
Are there states where the TCPA rules are stricter than federal law?
Yes. Florida's Telephone Solicitation Act allows $500 per violation for texts sent without consent and has been used hard in class actions. Washington State's Consumer Protection Act and its telemarketing rules add another layer. California's privacy laws interact with TCPA consent in ways that shape how disclosures must be written. If you call into these states at volume, a state-specific compliance check is worth the time.
What is the willful violation penalty under the TCPA?
The TCPA lets courts treble damages for willful or knowing violations, from $500 per call to $1,500 per call. 'Willful' does not require intent to break the law. It generally means the caller knew they were making the call and didn't take steps to comply. Continuing to call after an opt-out, or calling numbers you know are on the DNC registry, is the clearest path to trebled damages.
Can I use a ringless voicemail to avoid TCPA issues?
No. The FCC has taken the position that ringless voicemails delivered straight to voicemail are calls under the TCPA, so prior express written consent is still required for marketing messages. Several court cases have backed this view. Ringless voicemail is not a loophole. It's a product often sold as compliant when it isn't under the current framework.
How do I know if my dialer counts as an ATDS under the TCPA?
The ATDS definition has been fought over in court for years. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed it, holding an ATDS must have the capacity to use a random or sequential number generator to produce or store numbers to dial. The practical question for most sales teams is whether your dialer can start calls without a human triggering each one. If it can, treat it as an ATDS until your attorney says otherwise.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA establishes $500 per violation statutory damages, trebled to $1,500 for willful violations, with no cap on class actions
- FTC, National Do Not Call Registry Data Book (annual report): Pattern of serial plaintiffs testing DNC compliance and filing suit when opt-outs are not honored
- FTC, National Do Not Call Registry, fees and access for organizations: DNC Registry access costs $75 per area code per year, capped at $20,491 for the 2024 fiscal year for all area codes
- FTC, Telemarketing Sales Rule, 16 CFR Part 310: Telemarketers must scrub lists against updated DNC data every 31 days and honor DNC requests within 30 days, retaining them at least five years
- FTC, Telemarketing Sales Rule, 16 CFR 310.4(c), calling hours restriction: Federal law prohibits telemarketing calls before 8 a.m. or after 9 p.m. in the called party's local time zone
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's FTSA provides $500 per text message violation and has been used in large class actions against companies texting without proper consent
- U.S. Code, 28 U.S.C. § 1658, statute of limitations for federal civil actions: TCPA claims must be filed within four years of the violation; consent records should be retained at least this long
- The Campaign Registry, 10DLC business messaging registration: 10DLC registration governs commercial SMS traffic in the U.S. and affects both deliverability and compliance standing for business text senders
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems that use random or sequential number generators, but dialer ATDS status remains a practical compliance question