Last updated 2026-07-09

TL;DR
In 2025 the TCPA got its biggest rewrite in a decade. The FCC's one-to-one consent rule requires each seller to collect its own written consent before automated calls or texts. Robocall violations still cost $500 to $1,500 per message. Opt-outs must be honored within 10 business days. Buying shared lead lists without individual consent is the fastest route to a class action.
What is the TCPA and why does 2025 matter so much?
The Telephone Consumer Protection Act (47 U.S.C. § 227) passed in 1991, and it has never sat still. It restricts automated calls, prerecorded messages, and texts sent to cell phones without the recipient's prior express written consent. Damages start at $500 per call or text and triple to $1,500 when a court finds the violation was willful. No actual harm required. That math turns brutal in a class action.
Here's what makes 2025 different. The FCC's December 2023 order, which adopted the one-to-one consent framework, was set to take effect on January 27, 2025. Lead generators challenged it in court, and a federal appeals court stayed that specific provision in late 2024, which pushed the timeline back. As of mid-2025 the legal fight is still live, but the FCC has been clear this rule is coming. Companies that built their programs around the old bundled-consent model are already exposed. Waiting for the stay to lift is not a strategy. It's a bet.
The rest of the 2025 picture, including the texting revocation rules and Do Not Call enforcement, is not stayed and is fully in effect. If your team still buys shared lead lists and blasts them without per-seller consent records, you are operating in the riskiest zone the law has ever had. [1][2]
What does the FCC's one-to-one consent rule actually require?
The FCC's one-to-one rule requires each seller to get its own prior express written consent before making an automated call or sending a marketing text to a wireless number. One buried checkbox can no longer authorize 30 companies at once. The consent also has to relate to the website or context where it was collected.
The old framework let a single disclosure cover dozens of sellers. A consumer filled out a form, a line of fine print said something like "I agree to be contacted by our partners," and that one consent got sold to 20 or 30 companies. Whole businesses ran on that model.
The new rule kills it. If a consumer fills out a form about home insurance, that consent cannot be handed to a solar company. The topic has to match. [2]
The FCC's Second Report and Order stated the goal plainly: to ensure "that consumers who want to hear from one company are not inundated with calls and texts from dozens of strangers as a result of a single consent." That line is from the order itself, and it tells you exactly where enforcement will aim.
For outbound sales teams, the consequence is blunt. Third-party lead lists are now high-risk unless the vendor can prove every record carries consent obtained specifically for your product category. Most vendors cannot prove that. Collecting your own first-party consent through your own web forms, with a disclosure that names your company and describes what you'll send, is the safer road. [1][2]
What are the new TCPA revocation rules for 2025?
The FCC's revocation rules require companies to honor an opt-out request within 10 business days. That deadline covers texts, prerecorded calls, and automated calls. The rules took effect in April 2024 and rolled into full enforcement through 2025. [3]
Before this, the statute said "reasonable" time, and courts read that all over the map. Now there's a hard ceiling. If a consumer texts STOP and you send another marketing message 12 business days later, that's a clean violation at $500 to $1,500.
The rules also say consumers can revoke consent in any reasonable way, not only through a keyword like STOP. If someone says "take me off your list" on a recorded call, that counts. Your team needs a process that captures verbal revocations, tickets them, and suppresses that number across every calling system before the 10-day window closes. Relying on one CRM field that only your texting platform reads is a common way to lose.
One nuance worth knowing. A company can send a single confirmatory text after a revocation request, as long as it carries no marketing content and goes out only once. A confirmation followed by a "we'll miss you, here's a discount" message is still a violation. [3]
How much does a TCPA violation actually cost in 2025?
The statute sets $500 per violation as the floor and $1,500 per willful violation as the ceiling. Every call or text counts separately. That's been true since 1991. What recent settlements show is how ugly it gets at scale.
UnitedHealthcare paid $2.5 million to resolve alleged TCPA violations. You can read more at UnitedHealthcare's TCPA settlement. Credit One Bank has faced multiple suits; one major case involving Joseph Snyder is covered at Joseph Snyder v. Credit One TCPA, with more background on the broader Credit One TCPA settlement. Cash App faced a class action too. These are not fringe plaintiffs. They're mainstream companies that misjudged their consent records.
Class actions are what turn $500 per text into a threat to the whole business. Take a list of 50,000 people, each getting 3 texts without proper consent. That's 150,000 violations. At the statutory floor, $75 million. At the treble ceiling, $225 million. Courts rarely award full damages in class cases, but settlements in the $5 million to $30 million range show up often enough that TCPA defense is its own practice area. [4][5]
Small companies face a different kind of pain. Say you have 10 reps making 100 calls a day, and 5% of those calls hit numbers where consent is shaky. A single plaintiff's attorney can demand a settlement in the $50,000 to $200,000 range just to make the litigation go away. Plenty of small teams pay it rather than fight, even when they think they were compliant. [4]
What counts as an ATDS in 2025 after the Facebook v. Duguid decision?
After Facebook, Inc. v. Duguid (2021), an automatic telephone dialing system (ATDS) must use a random or sequential number generator to produce or store numbers. A system that dials from a stored list of specific numbers, without generating them randomly, does not meet the federal definition. The Supreme Court narrowed the term sharply. [6]
In practice, a lot of predictive dialers and CRM-integrated calling tools no longer count as ATDSs under the federal TCPA. Good news for high-volume call centers. Two catches sink most of the relief.
First, prerecorded voice calls don't need an ATDS to trigger liability. If your dialer drops a prerecorded voicemail or plays a recorded message, the ATDS question is beside the point. You still need prior express written consent no matter how the call started. [7]
Second, state laws fill the gap. California's Automatic Dialer Law uses a broader definition than the post-Duguid federal standard. Florida, Oklahoma, and others have their own mini-TCPA laws with different thresholds. Cross state lines and you can't lean on the narrow federal ATDS definition alone. You need to know which states your contacts live in. [8]
What state TCPA laws changed in 2024 and 2025?
State legislatures are adding private rights of action and damage floors of their own, which hands plaintiff attorneys more tools. A call that survives federal TCPA scrutiny can still generate liability under state law. For teams calling nationally, mapping exposure state by state is not optional.
Florida's FTSA (Florida Telephone Solicitation Act) has been the outlier since 2021 because it reaches any call made with an autodialer as Florida defines it, which is broader than post-Duguid federal law. Florida amended the FTSA in 2023 to require an actual human initiating each call before autodialing begins, among other limits. Enforcement carried into 2025, and Florida stays one of the top states for TCPA-style litigation. [8]
Texas passed its own Business and Commerce Code restrictions on robocalls and texts. Oklahoma enacted a mini-TCPA in 2022 with a private right of action. Washington's Commercial Electronic Mail Act adds limits on commercial texts that run past the federal standard.
Say your business is in Kentucky and you're making outbound calls. Knowing your state-specific exposure matters, and resources like TCPA lawyers in Kentucky cover the local litigation landscape. [8][9]
How do you build a TCPA-compliant consent flow in 2025?
The consent flow is where most outbound teams lose, not on intent but on documentation. A defensible one in 2025 names your company, captures proof, and stores it where you can find it years later. Here's what that looks like piece by piece.
Your web form has to name your company specifically. "You may be contacted by us and our partners" is now the exact language regulators and plaintiffs will attack. The disclosure should read something like: "By submitting this form, you agree that [Company Name] may contact you at the number provided using automated dialing technology and prerecorded messages about [specific product or service]. Consent is not a condition of purchase. Message and data rates may apply."
For every consent record, capture and store the exact disclosure language shown at the time, the IP address of the submission, a timestamp, the form URL, the phone number, and the person's name. Keep it in a system you can pull from three years out. Plaintiffs' attorneys will ask for all of it.
For SMS programs, the CTIA guidelines and the TCPA both call for a double opt-in or a clear single opt-in with full disclosure. You cannot infer consent from someone texting your main business number for a service question and then drop them onto a marketing list. [10]
LeadCompliant's free consent-checker and compliance kit can help you audit existing forms and find gaps before a plaintiff's attorney does. It's a starting point, not a replacement for a lawyer.
For a wider look at running compliant text programs, the text message marketing guide and the text messaging marketing overview cover the mechanics.
What's the Do Not Call Registry overlap with TCPA in 2025?
The National Do Not Call Registry is a separate system from the TCPA, run by the FTC under 16 C.F.R. Part 310. DNC violations can still feed TCPA liability when calls go out on an ATDS or with prerecorded voice. Companies must scrub their call lists against the registry at least every 31 days. [11]
You can call a number on the DNC list only if you have an established business relationship (within 18 months of the last purchase or 3 months of the last inquiry) or the person gave express written consent to be called.
Through 2025 the FTC has kept pressing DNC enforcement alongside FCC TCPA cases. The agencies share complaint data, and a spike in DNC complaints against a company is often what triggers a formal investigation. If consumers are calling the FTC about your unwanted calls, your TCPA exposure is real whether or not you think your consent records hold up.
Consumers who want off call lists can read the how to stop robocalls guide for the practical steps. For your team, the takeaway is simple: DNC scrubbing is not a one-time setup. It's a recurring job that needs a named owner. [11][12]
What does TCPA enforcement look like in 2025: FCC, FTC, or private suits?
Enforcement comes from three directions, and they run independently. The FCC issues forfeitures, the FTC enforces the DNC and telemarketing rules, and private plaintiffs file the overwhelming majority of cases.
The FCC can impose forfeiture orders directly. Its Enforcement Bureau issues citations and refers egregious cases to the Department of Justice. In recent years it has focused hard on robocall scam networks and gateway providers carrying illegal traffic, but legitimate businesses are not off the hook. [13]
The FTC enforces the Telemarketing Sales Rule and DNC rules. Its penalties sit apart from TCPA statutory damages and run up to $51,744 per violation under current inflation adjustments. [11]
Private suits are where the volume lives. The TCPA carries a private right of action, so any individual can sue with no government involvement at all. Plaintiffs' attorneys file thousands of TCPA cases a year, and class actions drive the big settlements. Most land in federal district court, with heavy concentrations in California, Florida, Illinois, and New York.
Recent settlements give a sense of the range. Truist Bank's TCPA class action settlement, the Albertsons and Safeway TCPA settlement, and the Kaiser TCPA settlement all ended in multi-million-dollar resolutions. None of these were fly-by-night shops. They were large, well-funded companies with compliance teams that still paid.
For ongoing updates, the TCPA news tracker covers recent FCC orders and major case outcomes as they land.
What are the biggest TCPA compliance mistakes outbound teams make in 2025?
The patterns are consistent, and they repeat across almost every team that gets sued. Five mistakes cause most of the damage.
The biggest one is buying third-party leads and assuming the vendor's consent language covers you. It almost never does under the one-to-one framework, and even under the old rules, lead vendors leaned on broad or vague language that courts found too thin.
Second is failing to suppress revocations across every channel. A consumer texts STOP to your SMS platform. Your dialer never syncs that list. Three days later a rep dials the number. Most courts treat that as a knowing violation, because you had the information and didn't use it.
Third is treating compliance as a setup task instead of an ongoing process. Consent records age. Established business relationships expire at 18 months. Staff turns over, and new hires don't always follow the consent flow. Compliance needs regular audits, not a one-time configuration.
Fourth is ignoring the cell-phone versus landline split in your data. The TCPA's automated-call and text restrictions apply specifically to wireless numbers. If your list mixes landlines and cell phones, you need a wireless number identification service to sort them before you can treat them differently.
Fifth is running prerecorded messages or ringless voicemail while assuming the Duguid ATDS narrowing saves you. It doesn't. Prerecorded voice content triggers TCPA consent requirements no matter how the call was technically launched. [6][7]
How should a small outbound team build a practical TCPA compliance program in 2025?
You don't need a legal department to run a defensible program. You need five things working together, and every one of them is boring on purpose.
First, a consent collection process that names your company, describes what you'll send, and captures the timestamp, IP, and form text for every record. Build it into your lead forms as a standard, not a patch you add later.
Second, a suppression list that runs before every dial session. It should include your internal opt-outs, DNC scrub results (refreshed every 31 days), and any litigant or known-plaintiff numbers from commercial databases. Yes, companies sell lists of known TCPA plaintiffs. However you feel about that, it lowers your exposure.
Third, a revocation process with a named owner. Every inbound opt-out, by text, call, email, or letter, gets logged, timestamped, and pushed to all active calling and texting platforms within 24 hours. That keeps you well inside the 10-business-day window.
Fourth, a records retention policy that keeps consent documentation for at least four years. The TCPA statute of limitations is four years under 28 U.S.C. § 1658. If a suit lands in year three, you need records from year zero.
Fifth, regular training for anyone who touches calling or texting. This is not a law school course. A 30-minute annual session on what consent means, how to handle a consumer who says "stop calling me," and what to do when something breaks is enough to show a good-faith compliance effort, which matters in court.
LeadCompliant's compliance kit covers each step with templates and checklists you can adapt without starting from scratch.
What should you watch for in TCPA compliance changes through the rest of 2025?
Track the one-to-one consent litigation first. It's the single most important thread. The lead generation industry petitioned the courts to strike the rule, won a stay, and the FCC is defending its authority. The outcome decides whether the biggest structural change to TCPA compliance in a generation actually holds. Even if the rule is vacated, the FCC has signaled it will chase the same policy through other routes. Plan for it to take effect at some point.
AI in calling and texting is drawing fresh scrutiny. In February 2024 the FCC ruled that AI-generated voices in robocalls are covered by the TCPA, closing the argument that an AI voice was not a "prerecorded" message. That ruling is in effect. [3]
STIR/SHAKEN call authentication keeps affecting legitimate callers too. Calls that fail attestation are more likely to get labeled spam by carriers and call-display apps. If your outbound numbers are getting flagged, that's a business problem and a warning sign that your dialing patterns look like spam traffic to carrier algorithms.
Watch the states. Several introduced bills in the 2024 and 2025 sessions that would add or expand private rights of action for robocall violations. State-level risk is climbing faster than the federal picture is getting resolved. [8][9]
Frequently asked questions
Did the TCPA one-to-one consent rule take effect in January 2025?
The FCC adopted the one-to-one consent rule in December 2023 with a January 27, 2025 effective date, but a federal court stayed that specific provision in late 2024 after lead generator challenges. As of mid-2025, the stay is in place and litigation continues. The rest of the 2025 TCPA rules, including the 10-business-day revocation deadline, are fully in effect. Build toward the one-to-one standard regardless of when the stay lifts.
What is prior express written consent under the TCPA?
Prior express written consent means a signed, written agreement (electronic signatures count) where the consumer clearly authorizes a specific company to contact them using automated dialing equipment or prerecorded messages. The disclosure must state that consent is not required to make a purchase. Verbal consent alone is not enough for marketing calls or texts to wireless numbers under 47 C.F.R. § 64.1200.
How much is a TCPA violation worth per text message in 2025?
Each unsolicited automated text carries statutory damages of $500. If a court finds the violation was willful or knowing, damages triple to $1,500 per message. No actual harm is required to collect. In a class action, even a small campaign can generate tens of millions of dollars in aggregate exposure, which is why TCPA defense settlements routinely run into seven figures.
Does ringless voicemail require TCPA consent?
Yes. The FCC has consistently treated ringless voicemail as a "call" under the TCPA, so it requires prior express written consent when delivered to a wireless number using an autodialer or prerecorded content. The argument that a message dropped straight into voicemail without causing a ring is not a "call" has failed in regulatory and most court proceedings. Treat ringless voicemail like any other automated call.
Can I still buy leads and call them in 2025?
You can buy leads, but you cannot safely call or text them with automated technology unless the vendor can document that consent was collected specifically for your company and product category. Under the one-to-one framework, broad bundled consent forms listing dozens of sellers don't cut it. Verify your vendor's consent language and documentation before you dial. If they can't produce it, the risk is yours.
What is the TCPA statute of limitations?
Federal courts apply the general four-year federal statute of limitations under 28 U.S.C. § 1658 to TCPA claims. Some state courts have applied shorter periods when hearing state-law analogues. In practice, retain consent documentation, call records, and opt-out logs for at least four years from the date of each communication, not from the end of your campaign.
Are B2B calls covered by the TCPA?
The TCPA applies to calls made to wireless numbers whether the recipient is a business or a consumer. If you call a salesperson's cell phone for a B2B pitch, TCPA consent requirements apply to that number. Calls to business landlines using prerecorded messages get somewhat different treatment under FCC rules, but for any call to a mobile number, apply full TCPA standards.
How often do I need to scrub against the Do Not Call Registry?
The FTC's Telemarketing Sales Rule requires companies to scrub call lists against the National Do Not Call Registry at least every 31 days. A newly registered number takes up to 31 days to appear, and you have 31 days after it appears to stop calling it. Scrubbing monthly keeps you within the safe harbor. The DNC subscription for commercial callers is available through the FTC's website.
What did the FCC rule about AI-generated voices and the TCPA?
In February 2024 the FCC ruled that AI-generated voices used in robocalls are covered by the TCPA as "artificial or prerecorded" voices. The ruling closed the argument that a synthetically generated voice is neither artificial in a legal sense nor prerecorded. Any automated call using an AI voice to reach a wireless number requires prior express written consent, the same as a traditional prerecorded message.
What is the 10-business-day revocation rule and when did it start?
The FCC's rules, effective in 2024, require companies to honor consumer opt-out requests within 10 business days. Before this, the standard was a vague "reasonable time." Now, if a consumer texts STOP or verbally asks to be removed and you contact them again after 10 business days, that's a clean violation. Companies may send one non-marketing confirmatory text after a revocation, but nothing else during the window.
Does STIR/SHAKEN affect my outbound calling compliance?
STIR/SHAKEN is a call authentication framework mandated by the FCC that assigns attestation levels based on whether the carrier can verify the calling number. Full attestation (A-level) means the carrier confirmed the call came from the displayed number. Calls without it are more likely to get labeled spam by downstream carriers and apps. It's not a TCPA consent issue directly, but a high spam-label rate signals problematic dialing patterns and can precede enforcement attention.
How is TCPA enforcement different from FTC enforcement?
The FCC enforces the TCPA itself and can issue forfeiture orders and refer cases to the DOJ. The FTC enforces the Telemarketing Sales Rule and Do Not Call rules under separate authority, with civil penalties up to $51,744 per violation (inflation-adjusted). Both agencies share complaint data. But the vast majority of TCPA cases, and all class actions, are private suits filed directly in federal court under the statute's private right of action, with no agency involved.
What records do I need to keep to defend a TCPA lawsuit?
At minimum: the exact consent disclosure text shown at collection, the timestamp of consent, the IP address, the phone number, and the consumer's name. You also need records of every opt-out request and suppression list update with timestamps, call records showing which numbers were dialed when, and any third-party consent documentation from lead vendors. Retain all of it for four years. If you can't produce consent records, you will almost certainly settle.
Sources
- U.S. Courts, Federal Judiciary case statistics: TCPA class actions are routinely filed in federal district courts; mid-sized class settlements commonly fall in the $5 million to $30 million range.
- 47 U.S.C. § 227, Telephone Consumer Protection Act (statute text): TCPA statutory damages are $500 per violation, trebled to $1,500 for willful violations; each call or text is a separate violation.
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): An ATDS must use a random or sequential number generator to produce or store numbers; a system dialing from a stored list of specific numbers does not qualify.
- FCC, 47 C.F.R. § 64.1200 (TCPA implementing regulations): Prerecorded voice messages require prior express written consent for wireless numbers regardless of how the call is technically initiated.
- Florida Legislature, Florida Telephone Solicitation Act (Fla. Stat. § 501.059): Florida's FTSA uses a broader autodialer definition than post-Duguid federal law and was amended in 2023 to require human initiation before autodialing; it carries a private right of action.
- National Conference of State Legislatures, telemarketing and robocall laws: Multiple states including Texas, Oklahoma, and Washington have enacted mini-TCPA laws or DNC statutes with private rights of action that exceed federal protections.
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Companies must scrub call lists against the National DNC Registry at least every 31 days; civil penalties run up to $51,744 per violation under current inflation adjustments.
- FTC, National Do Not Call Registry: The DNC Registry is administered by the FTC; commercial callers must register and pay access fees to scrub lists.