Sales manager guide to preventing TCPA violations by reps

TCPA fines run $500 to $1,500 per call or text. This sales manager guide shows you exactly how to stop reps from triggering violations before they happen.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-11

Sales manager reviewing call records at a desk to check for TCPA compliance issues
Sales manager reviewing call records at a desk to check for TCPA compliance issues

TL;DR

Under 47 U.S.C. § 227, each illegal call or text to a cell phone costs $500 to $1,500. Courts hold sales organizations liable for rep conduct under agency theories, and managers own the controls that defend those cases. This guide covers consent rules, DNC scrubbing, rep training, call monitoring, and the policies that stop violations before a plaintiff's attorney finds them.

Why should a sales manager care about TCPA personally?

Most managers assume TCPA liability lands on the company, never on them. That assumption is expensive. Courts have held sales organizations vicariously liable for rep conduct under both ratification and apparent authority theories. If you knew a rep was calling without consent and you let it continue, the company's liability becomes yours to explain to a jury.

The statute, 47 U.S.C. § 227, sets no cap on aggregate damages [1]. One rep who dials 500 cell phones off a bad list without prior express written consent can generate $250,000 at the $500-per-call floor, or $750,000 at the treble level if a court finds the conduct willful [1]. Class actions multiply that math by thousands of consumers. The Cash App TCPA class action resolved for $7.5 million (see the cash app tcpa class action settlement). The credit one tcpa settlement reached $12.5 million. Neither is an outlier.

Here's the blunt version. One untrained rep, one bad list, one auto-dialer, and a small company is done. Your job is to close that gap before it opens.

What does the TCPA actually prohibit in an outbound sales context?

The tcpa (Telephone Consumer Protection Act, 47 U.S.C. § 227) bars using an automatic telephone dialing system (ATDS) or a prerecorded voice to call or text a cell phone without the called party's prior express consent [1]. Telemarketing raises the bar to prior express written consent: a signed agreement, wet or electronic, that clearly authorizes the specific type of contact [2].

For residential landlines, the prohibition covers prerecorded messages without consent and any call to a number on the National Do Not Call Registry [3]. The FCC's rules at 47 C.F.R. § 64.1200 fill in the details, including the duty to keep an internal DNC list and honor opt-outs within a set timeframe [2].

What matters most on a sales floor:

  • Calling or texting a cell with an ATDS-type tool and no written consent: $500 to $1,500 per contact [1]
  • Calling a number on the National DNC list: $500 to $1,500 per call [3]
  • Failing to identify your company and give a callback number: violation of the Telemarketing Sales Rule at 16 C.F.R. Part 310 [4]
  • Calling outside 8 a.m. to 9 p.m. at the called party's local time: violation of 47 C.F.R. § 64.1200(c)(1) [2]

The FCC's one-to-one consent rule, effective January 27, 2025, tightened this further. Written consent has to name one seller at a time, not a broad network of marketing partners [5]. If your leads come from shared lead generators, that rule almost certainly changed your exposure.

What is vicarious liability and how does it expose your company for rep mistakes?

The FCC addressed this head-on in its 2013 Declaratory Ruling (FCC 13-54), holding that sellers can be liable under federal common law agency principles for TCPA violations by telemarketers acting on their behalf [6]. Three theories apply: actual authority, apparent authority, and ratification.

Ratification is the one that bites managers hardest. A rep violates the TCPA, you learn about it, you do nothing, and a court can find the company ratified the conduct. That turns an employee's mistake into company policy. The burden shifts to you to prove you had controls and enforced them.

Apparent authority applies when a consumer reasonably believes a vendor or lead generator acts for your company, even if your contract says otherwise. Courts have held sellers liable for vendor conduct under this theory when the seller supplied the scripts, directed the dialing, or took the leads.

So here is the takeaway. Documented training, written policies, call monitoring, and fast corrective action are evidence, not busywork. They are the exhibits you hand a court to beat a ratification or apparent authority claim. Without that paper trail, you argue on the raw facts alone, and plaintiffs' attorneys know exactly which facts to hunt for.

TCPA violation cost thresholds at a glance Statutory damages per call or text under 47 U.S.C. § 227 $500 Standard violation (per cal… $1,500 Willful/knowing violation (… $12.5M Credit One TCPA class settlement (millions) $7.5M Cash App TCPA class settlement (millions) Source: 47 U.S.C. § 227(b)(3), Cornell Law School LII

How should you scrub your lists before reps ever dial?

List hygiene is the highest-leverage move you make before a rep touches a phone. Two separate scrubs are non-negotiable: the National DNC registry scrub and your internal DNC scrub.

The National Do Not Call Registry is run by the FTC and covers residential and cell numbers consumers have registered [3]. You access it through the FTC's subscription system (free for organizations pulling fewer than five area codes, up to a few hundred dollars a year for national access) and you re-scrub against a download no older than 31 days before any call [2]. The FCC's rule is explicit on that 31-day window.

Your internal DNC list is a different animal. Any consumer who says don't call has to go on that list within a reasonable time, and you honor it for at least five years [2]. The FCC's rules require you to process opt-outs "as soon as possible" and treat them as effective immediately, so a rep who dials back the next day is already in violation.

Cell phones need one more check: reassigned numbers. The FCC's Reassigned Numbers Database launched in 2021 so callers can verify whether a number moved to a new subscriber after consent was captured [7]. Consent follows the person, not the number. Your customer gave consent, then ported away, and a new subscriber took that number? Your consent is gone.

A scrub sequence that works:

StepToolFrequencyRisk if skipped
National DNC scrubFTC registry subscriptionEvery 31 days max$500-$1,500 per call to registered number
Internal DNC scrubYour CRM opt-out listBefore every campaignSame statutory exposure
Reassigned number checkFCC Reassigned Numbers DatabaseBefore each dial cycleCalled-party mismatch, consent void
Cell vs. landline identificationThird-party data appendOn list acquisitionATDS rules apply to cell, not landline

Buying leads from a third party? Get a written representation that the list was scrubbed and ask for the scrub date. That does not fully protect you in court, but it is evidence of reasonable diligence. Read the do not call list rules before you set a schedule, and check how do i get the do not call list for access details.

The FCC defines prior express written consent at 47 C.F.R. § 64.1200(f)(9) as "an agreement, in writing, bearing the signature of the person called, that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice" [2]. That is the regulatory text, word for word. The term "written" covers electronic records that meet the E-SIGN Act.

Four things valid consent must contain:

1. The consumer's telephone number 2. The name of the specific seller being authorized (post-2025, one seller at a time, not a generic partner network) 3. A clear and conspicuous disclosure that calls or texts may go out via ATDS or prerecorded voice 4. An acknowledgment that consent is not a condition of purchase

That last point trips up a lot of teams. If a rep says "I need your phone number before I can give you a quote," and the quote is the thing the consumer wants, you may have conditioned consent on a purchase. That voids the consent even when everything else is right.

For SMS, put the consent language on the same page as the disclosure, not three clicks deep in a privacy policy. Use a standalone checkbox, not pre-checked, with the disclosure sitting right next to it.

Keep consent records indefinitely, or at least four years past the last contact. The federal TCPA statute of limitations is four years under 28 U.S.C. § 1658. If you can't prove consent, you don't have it. Not in court, anyway.

How do you train reps to avoid TCPA violations without killing their productivity?

Training has to be specific. Generic "follow the law" sessions do nothing. Reps need to know which exact actions trigger a violation and what to do instead.

Cover these in every new-hire compliance session, with a signed acknowledgment after:

  • What an ATDS is and whether their tools qualify (if your dialer previews numbers and auto-places calls, assume it qualifies until counsel says otherwise)
  • The 8 a.m. to 9 p.m. local time rule, including how to read the consumer's local time across zones
  • How to handle a verbal opt-out: stop the call, log it immediately, add to internal DNC before end of shift
  • What counts as a DNC request. "Take me off your list," "don't call me again," "I'm not interested, stop calling" all qualify. Reps don't get to decide whether a request was formal enough.
  • The consent-is-not-a-condition-of-purchase rule
  • What to do on a "wrong number": stop, document, no re-dial until the number is verified

Run refreshers quarterly, not annually. Laws move. The one-to-one consent rule is a clean example; plenty of reps at lead-gen-heavy teams never heard of it.

For cold calling, role-play the opt-out scenarios. Reps freeze when a prospect turns hostile, and they keep talking instead of documenting. A ten-second uncomfortable silence costs nothing. Ignoring an opt-out costs $500 minimum.

Document every session: date, attendees, topics, the rep's signature. That record is your best defense if a rep goes rogue and you need to show the court your program was real.

What call monitoring and QA controls actually catch violations before they become lawsuits?

Monitoring is where small teams are weakest. They run a training, feel good, and never listen to the calls. A plaintiff's attorney finds the recordings faster than you do.

A working QA program for TCPA risk has four parts:

1. Call recording with searchable storage. Record 100% of outbound calls, not a sample. Storage is cheap. Discovery is not. Keep recordings at least four years.

2. Structured scoring for compliance markers. Every evaluation checks: Did the rep identify the company and give a callback number? Did the call fall inside allowed hours? Did the rep honor any opt-out immediately? Did the rep use script language that implies consent is required to buy? Score these apart from sales quality.

3. Triggered reviews for flagged events. Wrong-number complaints, consumer hang-ups under 30 seconds, and short calls to numbers dialed more than once in the same week all get a human review. Set your CRM or dialer to flag these automatically.

4. Opt-out reconciliation. Every week, match logged opt-out requests against internal DNC additions. If reps logged 12 verbal opt-outs but only 3 hit the DNC list, you have a process failure. Catch it weekly, not when a demand letter shows up.

LeadCompliant's free TCPA compliance checkers help you spot gaps in your scrubbing and consent workflows before you build a full QA program.

Text campaigns get the same rigor. The TCPA covers SMS the same as voice. More on the specifics is at text message marketing.

How should you handle leads from third-party vendors and lead generators?

Third-party leads carry the most TCPA exposure for outbound teams. The consumer gave consent on someone else's website, under terms you never controlled, and now your rep is calling.

The one-to-one consent rule (effective January 27, 2025) makes this harder [5]. Consent has to name your company. A lead form that reads "I agree to be contacted by our network of marketing partners" no longer satisfies the rule. The consumer had to check a box that named you.

Before you dial any third-party lead, verify:

  • The date and time consent was obtained
  • The exact disclosure language the consumer saw
  • Whether your company's name appeared on the consent form
  • Whether consent was tied to getting something (a free quote, say), which voids it
  • Whether the number was reassigned after consent was captured

Get that documentation contractually. Your vendor agreement should require the lead generator to hand over, on request, a copy of the consent record for any number you dial. If they won't agree to that, don't buy their leads.

Some teams try to cure bad consent by calling once, getting a verbal yes to more calls, and treating that as fresh consent. Courts split on this and the FCC has never blessed it. It is not a safe harbor. Better to skip any number you can't back with documented written consent from the start.

Check the do not call telemarketer list requirements too. They apply whether or not the consumer consented to marketing calls.

What written policies does a sales team actually need in place?

Policy documents do two jobs. They tell reps what to do, and they prove you had a compliance program when someone claims you had none. Both count.

At minimum, an outbound team needs these:

TCPA compliance policy. Defines permitted dialing systems, consent standards by campaign type, opt-out handling, call hours, and the internal DNC process. One to three pages. Not 30 pages of boilerplate nobody reads.

Internal DNC list management procedure. Who enters opt-outs, in which system, within what timeframe, and who audits the list. Name the person. If it's "someone in ops," it won't get done.

Third-party vendor due diligence checklist. The questions you ask before buying leads and the documentation you demand. Update it whenever a law changes.

Rep acknowledgment form. One page each rep signs confirming they read the TCPA policy, attended training, and understand that violations can lead to termination and personal liability referrals. Keep the personal liability line in. It changes behavior.

Incident response procedure. What happens when a consumer complains, sends a demand letter, or files suit. Who gets notified, who preserves records, who calls counsel. Write it before you need it, or you'll make pressure decisions that make things worse.

Store all of it with version control and dates. Courts care about when you had the policy, more than the fact that you have one now.

How do you respond when a rep causes a potential TCPA violation?

Speed and documentation decide this stage. The moment you learn of a potential violation, the clock starts on your ratification exposure.

First, preserve the record. Pull the call recording, the CRM entry, the dialer log, and any consent documentation right away. Don't let routine purges overwrite them. Litigation holds exist for exactly this.

Second, stop the harmful practice. If the rep was working a list that now looks problematic, pause those calls until you review the consent documentation. One more call after you knew there was a problem turns a mistake into ratification.

Third, document the corrective action. If the rep broke policy, put it in writing: what they did, which policy it violated, what consequence followed. This isn't about punishing the rep. It's about showing a future fact-finder you took it seriously.

Fourth, if a demand letter or class action notice lands, call litigation counsel that day, not next week. TCPA class actions move fast, and courts have certified classes on dialer logs that show a systematic pattern. Early legal advice is far cheaper than late.

On scale, the cash app tcpa class action settlement ($7.5 million) and the credit one tcpa settlement ($12.5 million) show what "just a few bad calls" reaches at class scale. Both involved systematic practices, not one rogue rep. But certification turns on pattern evidence, and your dialer logs are pattern evidence.

What are the state-level rules that layer on top of federal TCPA requirements?

Federal TCPA is the floor, never the ceiling. Several states go stricter, and a call that clears federal rules can still trigger state liability.

Florida's Telephone Solicitation Act, after its 2023 amendment, requires prior express written consent before you use any automated system to call or text Florida consumers, including systems that don't qualify as an ATDS under federal readings [8]. Florida residents drive a disproportionate share of TCPA and FTSA litigation. Calling Florida numbers? Apply the strictest consent standard you have.

California's rules interact with the CCPA and CPRA in ways that touch consent records. California consumers can opt out of the sale of their personal information, which affects how lead data flows between a generator and your company [9].

Washington, Texas, and Oklahoma each run their own telemarketing statutes with DNC rules and time-of-day limits. Some define "solicitation" more broadly than federal law, sweeping in calls that wouldn't count as telemarketing under the TSR.

For small teams, the practical answer is simple. Build your program to the strictest requirement across every state you call. One extra consent field on a form costs nothing. State-by-state process variations cost little. A state enforcement action costs plenty.

Cell numbers already carry stricter federal rules than landlines. See mobile phone do not call list for how cell numbers get handled.

What tools and processes should a small outbound team actually have in place?

You don't need enterprise compliance software to run a clean outbound team. You need a short list of tools used the same way every time.

A dialer with ATDS clarity. Know whether your dialer qualifies as an ATDS under current FCC readings. After the Supreme Court's 2021 decision in Facebook v. Duguid, the definition narrowed to systems that use a random or sequential number generator [10]. State courts and evolving FCC rules mean the question isn't settled. If your dialer auto-places calls from a stored list with no human click per call, talk to counsel before you assume you're safe.

A CRM with opt-out fields and audit trails. Every opt-out is a dated, timestamped record tied to a phone number and the rep who logged it. Spreadsheets fall apart at litigation scale.

A DNC scrubbing integration. Several third-party services connect straight to the FTC's registry and automate the 31-day cycle. Automate it. Manual scrubs get skipped.

A consent documentation system. If you generate leads through your own web forms, capture the IP address, timestamp, and form content at submission. That's your consent record. Store it in a format you can export.

Call recording storage. Four years minimum, indexed by date, phone number, and rep.

LeadCompliant's free compliance kit includes a consent record template and an internal DNC process checklist you can drop into your CRM workflow.

For cold call operations, process discipline beats tooling. A perfect tech stack with undertrained reps still fails.

Frequently asked questions

Can a sales manager be personally sued for a rep's TCPA violation?

Managers are rarely named personally, but it happens when they are also owners or when plaintiffs pursue individual corporate officers. The bigger risk is company liability that the manager owns. If you knew a rep was violating the TCPA and took no corrective action, a court can find the company ratified the conduct, which strips your best defenses. Document corrective action every time.

How much does a TCPA violation actually cost per call or text?

Under 47 U.S.C. § 227(b)(3), statutory damages are $500 per violation. If a court finds the violation was willful or knowing, damages can be trebled to $1,500 per call or text. There's no cap on aggregate damages, so class actions reach into the millions. The Cash App TCPA class action settled for $7.5 million and the Credit One settlement for $12.5 million.

Does the TCPA apply to text messages the same way it applies to calls?

Yes. The FCC has long held that text messages are "calls" under the TCPA. Sending a marketing text to a cell phone with an ATDS and no prior express written consent carries the same $500 to $1,500 per-message exposure as a voice call. Opt-out replies (STOP) must be honored immediately. Every text campaign needs the same consent documentation as a voice campaign.

What counts as a valid opt-out from a consumer?

Any clear indication that the consumer doesn't want more calls or texts. The FCC has not required magic words. "Take me off your list," "don't call me again," and "stop texting me" all qualify. For texts, a reply of STOP is industry standard and legally recognized. Once a consumer opts out, honor it immediately and add the number to your internal DNC list before the next dial cycle.

How often do you need to scrub lists against the National DNC registry?

Under 47 C.F.R. § 64.1200(c)(2), you must have accessed a version of the registry no more than 31 days before each call. If a campaign runs over several weeks, you re-scrub at least every 31 days. Downloading the registry once at the start of the year and running it all year is a violation.

Can you call a cell phone number without an ATDS and avoid TCPA restrictions?

If a human rep manually dials each call with no automated component, the ATDS restrictions under 47 U.S.C. § 227(b) don't apply to that call. You still comply with DNC rules, calling hours, and the Telemarketing Sales Rule. Manually dialed calls to cell phones without consent aren't subject to the same per-call statutory damages as ATDS calls, unless they involve prerecorded messages.

The rule, effective January 27, 2025, requires consent for marketing calls and texts to name one specific seller, not a broad list of partners. A lead form saying the consumer agrees to contact from "our network of partners" no longer satisfies it. Each seller must be named individually with affirmative consent. Lead generators selling to multiple buyers must obtain separate consent for each buyer.

Do established business relationship exemptions let you skip written consent for existing customers?

For the National DNC registry, an established business relationship created within the last 18 months by a prior transaction allows calls even to DNC-registered numbers, unless the consumer has asked not to be called. But the EBR exemption doesn't eliminate the written consent requirement for ATDS calls to cell phones under 47 U.S.C. § 227(b). Two different rules. Don't conflate them.

What time zone applies to the 8 a.m. to 9 p.m. calling hours rule?

The FCC's rule uses the called party's local time. A rep in Chicago calling a California number at 7:30 p.m. Central is dialing 5:30 p.m. Pacific and is fine. Calling a New York number at 8:30 p.m. Central is 9:30 p.m. Eastern and is a violation. Your dialer should set time zone from the area code, or better, from a database that accounts for number portability.

The TCPA statute of limitations for federal claims is four years under 28 U.S.C. § 1658. Some state TCPA-equivalent claims run longer. A reasonable policy keeps records four years from the last contact tied to a consent record. Call recordings, four years minimum. For consent records, many compliance counsel recommend indefinite retention given the cost of defending a claim without documentation.

Are ringless voicemails subject to TCPA restrictions?

The FCC ruled in 2022 that ringless voicemails (direct-to-voicemail technology) fall under TCPA restrictions because they are a form of "call" under the statute. Consent requirements apply the same as for live calls. Some platforms marketed ringless voicemail as a TCPA workaround before that ruling. If your team uses it, verify the consent documentation meets the same standard as for ATDS calls.

What's the difference between the federal DNC registry and a company's internal DNC list?

The National DNC Registry is maintained by the FTC and covers consumers who opted out of telemarketing from all companies. Your internal DNC list covers consumers who told your company specifically not to call. Both are legally required. You scrub against the national registry before campaigns and keep your own internal list permanently. A number can be on one, both, or neither.

Can an employee's verbal opt-out log count as proof of an internal DNC entry?

Only if it's documented in a system with a timestamp and the number is actually blocked from further dialing. A rep saying "I told my manager" is not a record. The record has to live in your CRM or DNC system with the date, the phone number, and who logged it. Audit this weekly to confirm opt-outs reach the system instead of stalling at the rep level.

Do TCPA rules apply to B2B outbound sales calls?

Partly. The DNC registry protections apply to residential numbers, not business numbers. But if a rep calls a cell phone that a business contact uses personally, the ATDS and consent rules still apply because it's a personal cell. Many B2B reps dial mobile numbers without realizing the cell phone rules attach. If you call mobiles in a B2B context, the same written consent standard applies for ATDS use.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: Statutory damages of $500 per violation, trebled to $1,500 for willful violations; no aggregate cap
  2. FCC, 47 C.F.R. § 64.1200, Subpart L, Restrictions on Telemarketing: Prior express written consent definition; 31-day DNC scrub window; internal DNC list requirements; 8am-9pm calling hours
  3. FTC, National Do Not Call Registry, donotcall.gov: National DNC Registry operated by FTC; $500-$1,500 per call to registered number
  4. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Requirement to identify the company and provide callback number during telemarketing calls
  5. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA 2023 amendment requires prior express written consent before using automated systems for calls or texts to Florida consumers
  6. California Attorney General, California Consumer Privacy Act (CCPA/CPRA) overview: California consumers' right to opt out of sale of personal information affects how lead data can flow between lead generators and buyers
  7. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS narrowed to systems using a random or sequential number generator; stored-list auto-dialers may not qualify under this interpretation
  8. FTC, Complying with the Telemarketing Sales Rule: Caller ID requirements and Do Not Call compliance obligations for telemarketers

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit