Ringless voicemail drops compliance checklist for outbound teams

RVMs can trigger TCPA liability up to $1,500 per drop. Use this checklist to verify consent, scrub DNC lists, and avoid class-action exposure before you send.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-10

Compliance officer reviewing ringless voicemail campaign call logs at a wooden desk
Compliance officer reviewing ringless voicemail campaign call logs at a wooden desk

TL;DR

Ringless voicemail drops almost certainly count as "calls" under the TCPA. That means you need prior express written consent before dropping one to a cell phone. Without it, each drop can cost $500 to $1,500 in statutory damages. This checklist walks small outbound teams through consent verification, DNC scrubbing, state-law overlays, and the records you keep before every campaign.

Are ringless voicemail drops covered by the TCPA?

Yes, almost certainly. The TCPA, codified at 47 U.S.C. § 227, prohibits making any "call" to a cell phone using an automatic telephone dialing system or an artificial or prerecorded voice without the called party's prior express consent [1]. Ringless voicemail, sometimes called RVM or direct-to-voicemail, skips the ring and drops audio straight into a carrier's voicemail server. The fight has been over whether that delivery method is a "call."

The FCC took the question head-on in 2017. All About the Message LLC petitioned for a declaratory ruling that RVMs are not calls under the TCPA. The FCC never granted it. The petition was withdrawn, and the agency let the open question stand while courts moved ahead and held that RVMs do count as calls [2]. No court has ruled that ringless voicemail falls entirely outside the TCPA. Every compliance attorney I know treats RVMs as covered. You should too.

The FCC's one-to-one consent rule adds another layer. Under that rule, a consumer's prior express written consent has to name one identified seller at a time. It cannot be bundled across a lead-gen form that lists dozens of companies [3]. If your RVM campaign runs on leads bought from a third-party aggregator, that consent probably does not survive scrutiny under the newer standard.

For marketing content dropped to a cell phone, you need prior express written consent. That is the highest tier the TCPA and FCC rules recognize. The FCC's regulations define it as "an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice" [4].

A digital signature counts. A pre-checked opt-in box does not. The form has to disclose plainly that the person will get autodialed or prerecorded calls or voicemails, and it has to name your company. You cannot hide it in fine print or slip it in after a submit button.

For purely informational, non-marketing RVMs to existing customers, prior express consent (the lower tier) may be enough. But the line between informational and promotional is thin, and plaintiffs litigate it constantly. A voicemail that mentions a product, a deal, or an upsell has crossed into telemarketing. When you're not sure, get written consent.

Here's what valid written consent for an RVM campaign needs to include:

ElementWhat it must say
Your company nameNamed specifically, not "our partners"
Communication methodExplicitly mentions prerecorded voice or voicemail drops
PurposeAdvertising or telemarketing
Phone numberConsumer provides the number to be called
Voluntary agreementNo purchase required to withhold consent
Opt-out disclosureHow to stop future messages

Keep the signed record. You'll need it the day a recipient files a complaint or a plaintiff's attorney sends a preservation letter.

Which numbers do you need to scrub before sending an RVM?

Three lists, every time.

First, the National Do Not Call Registry. The FTC runs it, and telemarketers must scrub against it no more than 31 days before calling [5]. Residential numbers on the registry cannot get telemarketing calls or voicemails without prior express written consent. This is not a one-time job. You need a current pull, no older than 31 days, for every campaign. The FTC charges for commercial access, and the price scales with how many area codes you pull.

Second, your own internal do-not-call list. TCPA and FCC rules require every telemarketer to keep a company-specific DNC list and honor opt-outs within 30 days [4]. Someone tells you to stop calling in March, you drop an RVM in April, and now you're looking at individual liability plus a possible class claim. Your CRM needs a DNC flag that suppresses those records automatically.

Third, litigator lists. Not legally required. Still worth it. Certain numbers belong to known serial TCPA plaintiffs and attorneys who take calls on purpose to build a case. Data vendors sell litigator suppression lists, and the cost is small next to a single demand letter.

Our do not call list overview explains how the National Registry works and who has to follow it. For how these rules land on cell numbers specifically, see the mobile phone do not call list guide.

TCPA damages at a glance: RVM campaign exposure Per-drop statutory damages and FCC penalty ceiling under 47 U.S.C. § 227 and FCC enforcement guidelines $500 Per-violation damages (negl… $1,500 Per-violation damages (will… $24k FCC forfeiture max per violation Source: 47 U.S.C. § 227 [1]; FCC Enforcement [7]

What state laws add requirements on top of the federal TCPA?

Several, and they bite. Florida, Oklahoma, and Washington passed mini-TCPA statutes in recent years that go past federal law on certain points [6].

Florida's Mini-TCPA (Florida Statute § 501.059, amended in 2021) covers calls and texts made with an "automated system." It lets individuals sue for $500 per violation without proving any harm beyond getting the contact. Florida turned into one of the busiest states for TCPA-style litigation, largely because the statute reaches so broadly.

Oklahoma's Telephone Solicitation Act restricts automated telemarketing contacts too, and it creates a private right of action.

California has no separate mini-TCPA, but the California Consumer Privacy Act (CCPA) touches consent practices. If you collected a lead's personal data through a web form and now target them with it, CCPA opt-out rights can limit what you do with that data.

Washington State's Commercial Electronic Mail Act and its broader consumer protection statutes have been used against RVM-style campaigns.

The practical rule is simple. Scrub the state DNC lists for states that keep them (Texas and Indiana run their own, for example), and apply the strictest law that fits the recipient's location. Calling into Florida? Assume every contact needs prior express written consent and every opt-out gets honored within 30 days.

Our full state laws breakdown has the state-by-state comparison.

What should the RVM message itself include to stay compliant?

The FCC's rules on prerecorded message content hit RVMs the same way they hit live or robocall campaigns. Every RVM message has to do three things:

1. Identify the business, individual, or entity behind the call at the start of the message. 2. State the telephone number of that business during or after the message. It has to be a number people can call back to make a do-not-call request. 3. Include a toll-free interactive opt-out mechanism when the message goes to a residential line using an ATDS or prerecorded voice [4].

For cell phones, the opt-out requirement holds. In practice, your RVM script needs a callback number or, on some systems, a keypress option that logs the opt-out. If your platform can't do keypress, add a callback number the recipient can use.

Don't disguise the commercial nature of the message. Some teams try to make an RVM sound like a buddy left a casual voicemail. That almost certainly violates the FTC Act's ban on deceptive practices, and it can trip state consumer protection statutes separately from the TCPA.

Keep the audio file. If you get sued, the actual recording is your evidence of what you said.

Documentation is where small teams lose. Getting consent is step one. Proving you had it when a plaintiff's attorney demands records is step two, and it carries just as much weight.

For every contact who gets an RVM, you should be able to produce:

  • The consent record itself (the web form submission, signed agreement, or call recording where verbal consent was captured for an informational message)
  • The timestamp of consent
  • The IP address tied to digital consent
  • The exact disclosure language the person saw or heard
  • The date of the RVM drop
  • The phone number called
  • The DNC scrub date (within 31 days of the drop)
  • Any opt-out requests from that number and the date you honored them

Store these records for at least four years. The TCPA's statute of limitations runs four years under 28 U.S.C. § 1658, though some state claims run on different clocks [11].

LeadCompliant's free compliance kit includes a consent documentation template and a scrub log format built around this standard, so a team doesn't have to build them from scratch.

Your CRM should carry fields for consent date, consent source, and DNC status. If it doesn't, your operations team needs a parallel tracking sheet that links to each lead record. Sloppy records do more than raise legal risk. They make it impossible to audit your own data quality.

What does a TCPA violation from an RVM campaign actually cost?

The TCPA sets statutory damages at $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones [1]. Each RVM drop to a non-consenting number is a separate violation. Send 10,000 drops with 5 percent lacking valid consent, and that's 500 violations at $500 to $1,500 each. Call it $250,000 to $750,000 before attorney fees.

Class actions multiply that fast. In a certified class, the math does not stop at a number that feels survivable. Courts have entered judgments and approved settlements in the tens of millions for automated call campaigns. The cash app tcpa class action settlement and the credit one tcpa settlement both show how big these numbers get once a campaign reaches millions of consumers.

The FCC can also hand out civil penalties on its own, separate from private suits. It can assess forfeiture penalties up to $23,727 per violation, the inflation-adjusted cap in recent years [7].

Small teams tend to assume they're too small to target. They're wrong. Plaintiff's attorneys hunt for companies running automated drops without consent, because the per-violation damages make even a small campaign worth suing over. A batch of 500 non-consented RVMs can generate a demand letter seeking six figures.

Does the TCPA's established business relationship exemption apply to RVMs?

Partly, and the limits matter. The established business relationship (EBR) exemption exists under the TCPA for residential landline telemarketing. If a consumer made a purchase, transaction, or inquiry with your company in the past 18 months, or submitted an inquiry in the past three months, you may call their residential number for telemarketing without separate prior express consent [1].

Here's the problem for RVM teams. The EBR exemption does not reach cell phones. For wireless numbers, the TCPA requires prior express consent no matter what prior relationship exists. Since most RVM campaigns target cell phones (that's the entire point of the technology, reaching people on mobile), the EBR exemption almost never rescues you.

Even on residential lines, the exemption disappears the moment the consumer registers the number on the National Do Not Call Registry and sends you a company-specific do-not-call request. An explicit opt-out kills it too.

Bottom line: don't lean on EBR as your consent basis for an RVM campaign to cell phones. It won't hold.

What is the step-by-step compliance checklist before launching an RVM campaign?

Work through this in order. Skipping steps is how teams end up in court.

Before you build the list:

  • [ ] Confirm every number was collected with prior express written consent that names your company, discloses prerecorded voice or voicemail drops, and meets the FCC's one-to-one consent standard.
  • [ ] Verify the consent records are stored and retrievable (timestamp, IP, disclosure language).
  • [ ] Flag and exclude every number that opted out of any prior campaign.

Before you send:

  • [ ] Scrub the full list against a National Do Not Call Registry pull dated within the last 31 days [5].
  • [ ] Scrub against your internal DNC list.
  • [ ] Scrub against state DNC lists for applicable states (Texas, Indiana, and others that run their own).
  • [ ] Optionally scrub against a commercial litigator list.
  • [ ] Remove disconnected or reassigned numbers. Reassignment creates liability when a consenting party's old number now belongs to someone who never consented. The FCC's Reassigned Numbers Database helps here [8].
  • [ ] Confirm the campaign only hits 8 a.m. to 9 p.m. local time at the recipient's location (the federal calling window under 47 C.F.R. § 64.1200).

The message itself:

  • [ ] Script names your company at the start.
  • [ ] Script includes a callback number for opt-out requests.
  • [ ] The opt-out mechanism works and gets logged in your system.
  • [ ] The message does not misrepresent the caller's identity or commercial purpose.
  • [ ] You have an audio archive of the exact message delivered.

After the campaign:

  • [ ] Log the drop date, list version, and scrub date for each batch.
  • [ ] Process opt-outs within 30 days (aim for 24 hours operationally).
  • [ ] Add opt-outs to your internal DNC list immediately.
  • [ ] Retain all records for at least four years.

If you also run live outbound dialing, the same consent and DNC framework applies. Our cold calling rules guide covers how the requirements shift between live agents and automated drops.

How do you handle opt-outs from ringless voicemail campaigns?

Every RVM has to give recipients a way to opt out, and your system has to honor it. The FCC requires telemarketers to keep and honor company-specific DNC lists, and an opt-out from an RVM campaign triggers that duty [4].

Here's how it works in practice.

If your RVM platform supports keypress, put the opt-out in the message. The recipient presses a digit, and their number gets flagged automatically. That's the cleanest workflow.

If your platform can't do keypress, put a callback number in the script. When someone calls to opt out, your team or an IVR has to capture the request and route it to your DNC list within 30 days. Thirty days is the legal ceiling. Process opt-outs within 24 hours so you don't re-contact someone before the cycle closes.

Don't rely on text or email opt-outs unless you explicitly offer and monitor those channels. The mechanism you advertise in the message is the one you have to honor.

An opt-out should suppress the number across every outbound channel, not only future RVM drops. Someone opts out of voicemail drops, you call them live next week, and that's still a violation of your company-specific DNC duty.

For how the do not call telemarketer list rules interact with your internal DNC obligations, that article covers the dual-registry framework in detail.

Are there any safe harbors or exemptions worth knowing about?

A few. None of them remove the need for consent on cell phones.

The one people cite most is the emergency exemption. The TCPA exempts calls "made for emergency purposes" from its consent requirements [1]. It's narrow. A real public safety emergency qualifies. A sales deadline or a limited-time offer does not. Don't try to cram a marketing campaign into it.

Non-profit organizations calling their own members get some extra room, but commercial businesses using an RVM vendor don't share that benefit.

Calls made by live human agents to manually dialed numbers fall outside the ATDS definition, and so outside the main TCPA consent requirement for the dial itself. The moment your system automates the dialing, that protection evaporates. In Facebook v. Duguid (2021), the Supreme Court narrowed the ATDS definition to systems that use a random or sequential number generator, which may pull some predictive dialers out of the strictest ATDS rules [9]. RVM platforms usually deliver to a server-side voicemail system in an automated batch, and most attorneys treat them as using a prerecorded voice even when the ATDS question stays murky. That matters, because the prerecorded voice prong doesn't require an ATDS at all. It applies to any call using a prerecorded message, full stop.

Bankruptcy notifications, healthcare appointment reminders, and certain financial account alerts qualify for specific FCC exemptions from the written consent requirement. These are narrow and carry their own content and timing limits [4]. If your RVM campaign is genuinely non-commercial and fits one of these buckets, talk to a lawyer before you rely on it.

How should you vet an RVM vendor for compliance?

Your vendor creates legal exposure for you. Under the TCPA, liability attaches to the party that initiates the call, and that includes you, the seller who hired the vendor. The FCC has held repeatedly that companies can't outsource their way out of TCPA liability by blaming the vendor.

Ask every RVM vendor these questions before you sign.

Do they scrub against the National DNC Registry themselves, or is that on you? If it's on you, make the contract spell out who owns the scrub step and how fresh the data has to be.

Can they handle opt-outs natively (keypress, callback logging)? If not, you build that process yourself and confirm the vendor can flag opt-outs in real time.

What do their delivery confirmation and logging look like? You need per-drop logs showing which numbers were called, at what time, from what originating number, and whether the drop landed. That's your audit trail.

Do they carry errors-and-omissions or TCPA-specific liability insurance? Some do. It doesn't move liability off you legally, but it signals they take compliance seriously.

What's their consent validation practice? A reputable vendor won't drop to numbers you can't prove consented. A vendor that offers to blast any list you upload without asking about consent is a red flag.

Get indemnification language in the contract. If the vendor's system delivers to a wrong number because of their technical error, you want contractual protection. Have your attorney review it before you sign.

Our tcpa overview covers how vendor relationships get treated under federal enforcement and where shared liability tends to fall.

Frequently asked questions

For telemarketing RVMs to residential landlines, you need at least prior express consent (oral or written). Written is safer. The established business relationship exemption can apply to landline telemarketing, but it disappears if the number is on the National DNC Registry and the consumer hasn't given you written permission. For any cell phone, prior express written consent is required regardless of line type.

Can I send an RVM to a number I already have a business relationship with?

Only if that number is a residential landline and the relationship is under 18 months old for a purchase or 3 months for an inquiry. The established business relationship exemption does not reach cell phones. Most RVM campaigns target mobile numbers, so EBR won't help. You need prior express written consent for every cell phone you drop to, regardless of prior dealings.

What time of day can I send ringless voicemail drops?

Federal TCPA rules limit telemarketing calls to 8 a.m. through 9 p.m. local time at the recipient's location, and that applies to RVMs. Use the recipient's area code to set local time, and when the location is ambiguous, use the more restrictive window. Some states are tighter. Florida limits calls to 8 a.m. through 8 p.m. Check the recipient's state law before you set the schedule.

How often do I need to re-scrub my list against the DNC registry?

At minimum, every 31 days before any campaign touches those numbers. The FCC's rules require a scrub no older than 31 days for each calling date. If you run rolling campaigns, build a calendar that pulls a fresh registry export monthly. Numbers get added continuously, so a 60-day-old scrub can expose you to liability for numbers added after your last pull.

What happens if a phone number was reassigned after I collected consent?

Reassignment is a real liability. If the original subscriber consented, then gave up the number, and a new person now holds it, your consent does not transfer to the new holder. The FCC's Reassigned Numbers Database helps you check whether a number changed hands since you collected consent. Scrubbing against it before each campaign isn't legally required today, but it's good practice and blocks a category of liability courts have found actionable.

Can a recipient sue me for a single ringless voicemail drop?

Yes. The TCPA gives a private right of action to any person who gets a call in violation of the statute. Each drop is a separate violation. A single non-consented RVM carries $500 in statutory damages, or up to $1,500 for a willful violation. Small claims filings for single TCPA violations are common, and plaintiff attorneys often bundle multiple claimants into class actions.

Do ringless voicemails require an opt-out mechanism in the message?

Yes. FCC rules require prerecorded telemarketing messages to include an automated, interactive opt-out that's announced at the start or end and stays active throughout the day the message is delivered. For RVMs, that usually means a callback number in your script. Some platforms support keypress opt-outs that feed straight into a suppression list, which is cleaner than relying on callbacks.

A lot. Under the rule, a consumer's written consent has to clearly and conspicuously authorize one specific seller to contact them, not a broad list of companies. Consent collected through lead aggregator forms that list dozens of "partner" companies doesn't satisfy the standard. If your lead source relies on that kind of bundled consent, verify the consent language before you use those lists for RVM drops.

Are B2B ringless voicemail drops covered by the TCPA?

The TCPA's cell phone restrictions attach to the called number, not the person's business or personal status. Drop an RVM to an employee's cell phone, even for a B2B pitch, and the TCPA applies because it's a wireless number. Calling a business landline with a prerecorded message falls under separate FCC rules and still requires prior express consent for telemarketing content. B2B does not mean exempt.

What records should I keep after an RVM campaign to defend against TCPA claims?

Keep the consent record for every number called (timestamp, IP, disclosure text), the DNC scrub date and registry version used, the exact audio file, drop logs showing which numbers got the message and when, any opt-out requests and the dates you honored them, and your internal DNC list as it stood during the campaign. Retain all of it for at least four years, matching the federal TCPA statute of limitations.

How do I get access to the National Do Not Call Registry for scrubbing?

Telemarketers register at donotcall.gov and pay FTC-set fees based on how many area codes they access. In recent years, the first five area codes are free per organization per year; additional area codes cost $72 each, up to a national file around $18,000 annually. The FTC updates the registry daily, but you only need a scrub within 31 days of each campaign. Our how do i get the do not call list article has a step-by-step walkthrough.

Can my RVM vendor be held liable instead of me if something goes wrong?

Not instead of you. The FCC reads the TCPA to hold the entity that initiates or causes the call liable. That's you, the seller, even when a vendor physically delivers the drops. You can seek indemnification through contract language, but that doesn't transfer your TCPA exposure to the vendor in a consumer suit. Vet the vendor and get indemnification language in writing.

Does calling cell phones with a ringless voicemail require a different type of consent than calling landlines?

Yes, stricter for cells. Cell phones require prior express written consent for any telemarketing call using an ATDS or prerecorded voice. Residential landlines require prior express consent for telemarketing, which can be oral, with an established business relationship as a partial alternative. Written consent is the gold standard for both, but it's legally required for mobile numbers under FCC rules.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits calls to cell phones using ATDS or prerecorded voice without prior express consent; statutory damages are $500 to $1,500 per violation; EBR exemption applies to residential landline telemarketing
  2. FCC, 47 C.F.R. § 64.1200, Delivery Restrictions on Telephone Solicitations: FCC rules define prior express written consent requirements, mandate opt-out mechanisms in prerecorded messages, require company-specific DNC lists, and set 30-day opt-out processing window
  3. FTC, National Do Not Call Registry, Telemarketers: Telemarketers must scrub lists against the National DNC Registry no more than 31 days before calling; registry access fees apply by area code
  4. Florida Legislature, Florida Statute § 501.059 (Florida Telephone Solicitation Act, 2021 amendments): Florida's 2021 mini-TCPA amendments apply to automated system contacts, provide $500 per violation private right of action, and restrict contacts to 8 a.m. to 8 p.m.
  5. FCC, Reassigned Numbers Database: The Reassigned Numbers Database helps callers check whether a number has been reassigned to a new subscriber since consent was collected
  6. U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an ATDS under the TCPA is limited to systems that use a random or sequential number generator, narrowing the definition from broader lower-court interpretations
  7. FTC, National Do Not Call Registry, fees for access: First five area codes are free per organization per year; additional area codes cost $72 each; national file costs approximately $18,000 annually
  8. U.S. Code, 28 U.S.C. § 1658, Statute of Limitations for Federal Civil Claims: Four-year federal statute of limitations applies to TCPA private suits, establishing the minimum records retention window for compliance documentation

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit