TCPA compliance in 2021: what changed and what still applies

The Supreme Court narrowed ATDS in April 2021. Here's what TCPA compliance meant that year, what fines look like, and what rules still govern your calls today.

LeadCompliant Team
22 min read
In This Article

Last updated 2026-07-09

Compliance professional reviewing outbound call documents at desk with telephone
Compliance professional reviewing outbound call documents at desk with telephone

TL;DR

In April 2021, the Supreme Court's Facebook v. Duguid decision narrowed what counts as an automatic telephone dialing system, which helped many callers. Per-violation fines of $500 to $1,500 stayed intact. Prior express written consent still governs most marketing calls. State mini-TCPA laws filled the gaps the ruling left open. The framework from 2021 still runs outbound teams today.

What is TCPA compliance and why did 2021 matter so much?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, was signed in 1991. But the rules that actually bite businesses got layered on through FCC rulemaking in 2003, 2012, and 2015 [1]. Compliance means getting the right consent before calling or texting a cell phone with an autodialer or an artificial or prerecorded voice, honoring Do Not Call requests, and keeping records that prove you did both.

2021 mattered because one Supreme Court case rewrote the most litigated definition in the statute. A separate FCC order that year reshaped robocall blocking. The Facebook v. Duguid ruling in April 2021 was the first time the Court directly addressed what qualifies as an automatic telephone dialing system (ATDS) under the law. That one clarification changed the risk math for every company running a modern CRM dialer.

For outbound sales teams, 2021 was the year the question "does our dialer trigger TCPA?" finally had a federal ceiling. State floors kept rising anyway. Anyone who told you compliance got easy after April 2021 was half right at best.

What did the Supreme Court decide in Facebook v. Duguid in 2021?

Facebook v. Duguid, 592 U.S. ___ (2021), decided April 1, 2021, was a unanimous 9-0 ruling [2]. The question was whether a system that dials from a stored list, without randomly or sequentially generating numbers, counts as an ATDS under 47 U.S.C. § 227(a)(1).

The Court said no, with a caveat. To qualify as an ATDS, a system must have the capacity to store or produce numbers using a random or sequential number generator. Dialing from a fixed stored list, without that generator capacity, does not meet the federal definition. Justice Sotomayor wrote for the Court: "To qualify as an 'automatic telephone dialing system,' a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator." [2]

Most cloud CRM dialers, predictive dialers working off contact lists, and SMS platforms that send to uploaded lists do not generate numbers randomly or sequentially. They work from lists. After Duguid, those systems have a stronger argument that the federal ATDS definition does not reach them on cell phone calls.

Three things did not change:

1. Calls and texts using an artificial or prerecorded voice still require prior express consent regardless of ATDS status [1]. 2. National Do Not Call Registry rules at 47 C.F.R. § 64.1200 still apply to residential numbers no matter how the call gets placed [3]. 3. Several states (Florida, Oklahoma, Washington) had or passed mini-TCPA laws with ATDS definitions broader than the federal one. Duguid did not touch those.

What are the TCPA fine amounts per violation in 2021?

Fines live in the statute itself at 47 U.S.C. § 227(b)(3) and have not changed since 1991 [1]. Each violation carries a fixed dollar figure, and willful conduct triples it.

Violation typeStatutory damages per call/text
Standard TCPA violation$500
Willful or knowing violation$1,500 (trebled by court)
State AG enforcement (varies)Up to $25,000 per violation in some states

TCPA is strict liability for most purposes, so class actions can pile thousands or millions of individual calls into one number. A company that sent 1 million texts without proper consent faces up to $500 million at the statutory minimum, before any trebling. That is the whole reason plaintiff firms chase these cases.

Real settlements from around that period show the range. UnitedHealthcare paid $2.5 million for alleged TCPA violations, and cases like the Credit One TCPA settlement and Truist Bank TCPA class action settlement landed at figures that track how fast per-call exposure compounds. The $500 floor stops being small the moment you multiply it across a campaign.

Key TCPA numbers every outbound team should know Statutory thresholds and timelines set by 47 U.S.C. § 227 and FCC rules 500 Standard fine per violation 1,500 Fine per willful violation (trebled) 31 Days before DNC registration must be honored 4 Years to retain consent records (federal SOL) Source: Cornell LII (47 U.S.C. § 227) and FCC TCPA rules, 2021

The FCC's 2012 amendment to its TCPA rules, effective October 16, 2013, set the consent tiers that still applied in 2021 [4]. There are three, and they map to what you are calling and why.

For marketing calls and texts to cell phones using an ATDS or prerecorded voice, you need prior express written consent. The FCC defines this as a signed written agreement (electronic signature counts) that clearly authorizes you to call or text that specific number for marketing, that includes the number to be called, and that is not a condition of purchase.

For informational or non-marketing calls to cell phones (appointment reminders, fraud alerts, delivery notices), prior express consent without the written element is enough. Consent still has to be documented.

For calls to residential landlines using a prerecorded voice, prior express written consent is required if the call carries a marketing component.

Consent must come before the first contact. You cannot send a text asking someone to consent and then count that text as compliant. That is a common and expensive mistake.

Your consent record needs to capture who gave it, when, what disclosures they saw, and which phone number they consented to. If you cannot produce that record in litigation, you do not have proof of consent. Courts have held again and again that the burden falls on the caller, not the consumer.

How does the National Do Not Call Registry apply in 2021?

The National DNC Registry runs under the FTC's Telemarketing Sales Rule at 16 C.F.R. Part 310, and the FCC enforces parallel telemarketing rules under 47 C.F.R. § 64.1200 [3][10]. Businesses making telemarketing calls have to scrub their lists against the registry every 31 days at minimum. A number added to the registry takes effect within 31 days, and you must honor it by day 31.

The registry covers residential phones, including cell phones that consumers register. It does not cover calls to businesses. It also does not apply to calls where the consumer has an established business relationship, though that exemption has limits and does not override TCPA's separate ATDS rules for cell phones.

Access to the DNC registry takes a subscription. For 2021, the FTC charged area-code-based access fees. A small business calling into only a few area codes can pull up to five area codes free per year through the FTC's system [5]. The fee schedule for broader access is published on donotcall.gov.

Not scrubbing is one of the easiest violations for a plaintiff to prove. Register a number, wait for the calls, document them. The FTC and state AGs also bring enforcement straight off the registry data.

What changed with robocall rules in 2021 beyond the Duguid decision?

On June 17, 2021, the FCC released a Report and Order (FCC 21-62) that expanded safe harbors letting voice service providers block calls showing signs of illegal robocalling [6]. This was part of the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence Act) rollout. Carriers could now block calls that failed STIR/SHAKEN authentication or matched known robocall patterns, without liability for doing so.

For businesses making legitimate outbound calls, that created a practical problem separate from TCPA itself. A call can be perfectly legal and still get blocked at the network level if the calling number is not registered or if it fires at volume patterns flagged as robocall-like. The fix is registering your outbound numbers with carriers and enrolling in STIR/SHAKEN as an originating service provider, or using a calling platform that handles it for you.

The FCC also tightened caller ID spoofing rules under the TRACED Act in 2021. Calls showing false or misleading caller ID face separate penalties under the Truth in Caller ID Act, stacked on top of TCPA exposure [7].

So a business in 2021 had to track five things at once: the ATDS definition, consent tiers, DNC scrubbing, STIR/SHAKEN enrollment, and state law variation. That is a heavy load for a small sales team.

Which state laws created additional TCPA-like obligations in 2021?

Florida's amendment to the Florida Telephone Solicitation Act (FTSA), effective July 1, 2021, was the most aggressive state move of the year [8]. It reshaped the risk map for anyone texting Florida numbers.

Florida's law:

  • Created its own definition of an "automated system for the selection or dialing of telephone numbers" that reads broader than even the pre-Duguid federal ATDS definition
  • Applied to texts explicitly, not only calls
  • Allowed a private right of action at $500 per call or text, matching federal TCPA
  • Did not require a federally-defined ATDS; using any system that automatically selects or dials can trigger it

After Duguid, a Florida resident getting texts from a list-dialing system could still sue under the FTSA even when the federal TCPA claim looked weak. That is the whole point of a mini-TCPA law.

Oklahoma's Commercial Telephone Solicitation Act carried similar teeth. Washington's Commercial Electronic Mail Act reached texts in certain fact patterns.

Here is the rule to live by. If any recipient sits in a state with a mini-TCPA, that state's law shapes that recipient's claim. You cannot design a compliance program around federal law alone and ignore where your contacts actually live.

See current TCPA news for ongoing state developments.

What records do you need to keep to prove TCPA compliance?

The FCC's rules do not name a single retention period for TCPA consent records. Litigation practice pushes toward keeping consent documentation for at least four years, matching the federal civil statute of limitations under 28 U.S.C. § 1658 that courts commonly apply to TCPA claims [9]. Keep it four years. It costs almost nothing and it saves you in discovery.

At minimum, your records should capture:

  • The consent language the consumer saw when they opted in
  • The date, time, and source of the consent (web form URL, paper form ID, call recording reference)
  • The specific phone number consented
  • The identity of the person consenting (name, email, or other identifier)
  • Any revocation records: date, method, and how you pulled the number from your calling list

Revocation matters as much as the original consent. The FCC has said consumers can revoke at any time, in any reasonable manner. Once a consumer says "stop calling me" on a call, you honor it. There is no requirement that they use a magic keyword or a specific portal. If your system cannot capture and act on a verbal revocation, that is a gap a plaintiff will find.

For DNC compliance, keep your scrub logs: the date you pulled the registry data, which version or file you used, and confirmation that your dialing list got filtered against it.

LeadCompliant's free compliance tools include a consent record template and a DNC scrub log structure you can adapt to your own database. Paper records are legal. Digital records with timestamps are far easier to produce when a lawyer asks for them.

How do you build a TCPA-compliant opt-in process for SMS marketing?

An SMS opt-in that survives TCPA scrutiny needs four things on the page or form where the consumer types their number: a clear disclosure that they will get automated marketing texts, the name of the company that will text them, a statement that consent is not a condition of purchase, and instructions for how to opt out (usually "reply STOP").

Those disclosures have to be present before the consumer submits the number, not in a confirmation message afterward. If they hide behind a link or sit inside a general terms-of-service document a reasonable person would never notice, courts and the FTC have found that insufficient.

For text message marketing, the carrier compliance layer adds one more requirement. Your short code or 10-digit long code (10DLC) has to be registered with The Campaign Registry, a process mobile carriers introduced in 2021 to cut spam. Skip registration and carriers can filter or block your texts even when your consent is valid under TCPA.

Double opt-in (sending a confirmation text the consumer must reply to before they get marketing messages) is not required by TCPA. But it builds a strong consent record, because the reply timestamp and number sit in your own system. It also cuts complaints and improves deliverability. Do it.

For more on running a lawful SMS program, see text messaging marketing best practices.

What does a TCPA lawsuit actually look like in practice?

Most TCPA suits follow one script. A plaintiff receives calls or texts they say they never consented to, or to a number they say sits on the DNC list. Their attorney files a class action in federal court, alleging violations on behalf of everyone who got similar calls in the past four years.

The defendant then picks a lane. Fight on the merits (consent existed, the dialer was not an ATDS, the calls were informational and not marketing) or negotiate a class settlement. Discovery leans hard on the defendant's calling records, dialer technology, and consent documentation. When records are thin or consent language was fuzzy, settlement becomes the rational move fast.

Settlements swing widely. The Albertsons/Safeway TCPA settlement and the Cash App TCPA class action settlement show how large consumer brands resolve these claims. Both paid millions to class members.

For a small business without that kind of reserve, one TCPA class action can end the company. The plaintiff does not need to show real harm beyond receiving the call. Statutory damages start at $500 per call with no proof of injury required [1]. That asymmetry is exactly why plaintiff attorneys file these constantly.

If you are defending or trying to understand a specific case, finding a TCPA lawyer in your region is a reasonable place to start.

What compliance steps should outbound teams actually take based on 2021 rules?

Here is what the 2021 rules require of a normal outbound sales or marketing team, in plain operational terms. Work it in four phases.

Before your first campaign: Check your dialing technology against the Duguid definition (random or sequential number generation means ATDS; list dialing probably is not a federal ATDS, but check your state). Get legal review of your consent forms. Register your 10DLC or short code with The Campaign Registry if you text. Enroll your outbound calling numbers in STIR/SHAKEN through your carrier or platform.

Before each campaign run: Scrub your list against the National DNC Registry (every 31 days at minimum). Check your internal do-not-contact list for prior opt-outs. Confirm you hold consent records for every contact you plan to reach.

During campaigns: Log call dispositions, including any verbal revocation request. Keep timestamps. For texts, process STOP replies immediately. Most platforms do this automatically. Verify yours actually does.

After campaigns: Retain consent records and scrub logs. Archive the exact version of your consent language that was live during each campaign, more than the current version.

Nobody runs all of this perfectly on day one. The realistic goal is closing the biggest gaps first: consent documentation, DNC scrubbing, and revocation handling. Those are the three things plaintiffs and regulators probe before anything else.

LeadCompliant's one-time compliance kit covers each step with templates and a checklist you can walk through with your team.

This tripped up plenty of companies before and after 2021, and it still does. "Written" under the FCC's rules means a signed agreement, and an electronic signature counts: a check-box agreeing to terms, a typed name in a form field, a click [4]. So the "written" part is usually easy.

The "prior express" part is where teams get burned. "Prior" means before the first call or text, full stop. "Express" means the consumer specifically agreed to marketing calls or texts, more than agreed to general terms of service. Courts have held that burying a consent clause in a multi-page terms document does not satisfy the "express" requirement if a reasonable person would never notice it.

The FCC's 2012 order said the consent must "clearly and conspicuously" disclose that the consumer agrees to receive automated calls or texts from the specific seller. If you aggregate leads from a third-party generator, the consent form the consumer saw must have named your company specifically, more than a vague "partners" or "affiliates" bucket. The FCC issued guidance reinforcing this in 2023, after 2021 but building on the same doctrine, which made lead-gen consent one of the riskiest areas for anyone buying lists [4].

So, if you use a lead vendor, get a copy of the actual consent form the lead saw. Do not trust the vendor's word that consent happened. If you cannot produce the form in court, the consent did not happen as far as a jury is concerned.

Frequently asked questions

Did the Supreme Court eliminate TCPA liability in 2021?

No. Facebook v. Duguid narrowed the definition of an automatic telephone dialing system, which reduced liability for callers using list-based dialers. It did not touch prerecorded voice rules, DNC requirements, or state mini-TCPA laws. Companies can still face $500 to $1,500 per violation for calls and texts that break other TCPA provisions or state analogs like Florida's FTSA.

What counts as an ATDS after the 2021 Duguid ruling?

After Duguid, a system must have the capacity to generate phone numbers using a random or sequential number generator to qualify as an ATDS under federal TCPA. Dialers that call from a stored list without that generator function are not ATDS under the federal definition. Florida and some other states use broader definitions that can still cover list-based systems.

Not necessarily. Giving you a number for one purpose (completing a purchase, filling out a form) does not automatically create prior express written consent for marketing calls using an ATDS or prerecorded voice. The FCC requires the consent disclosure be clear, conspicuous, and specific to marketing calls or texts. Consent tied to a transaction alone is usually not enough.

How often do you need to scrub your list against the DNC registry?

At least every 31 days under FTC and FCC rules. You cannot use a scrub from 60 or 90 days ago and claim compliance. Numbers added to the registry take effect within 31 days of registration. Dated scrub logs matter because the burden falls on you to prove you checked before each campaign run.

Do TCPA rules apply to B2B calls?

TCPA's ATDS and prerecorded voice rules apply to calls to cell phones whether the recipient is a consumer or a business person. The DNC registry mainly covers residential numbers, and businesses generally do not register there. But if a business contact uses a personal cell phone, TCPA applies to calls and texts to that number.

What is the statute of limitations for a TCPA claim?

Federal courts generally apply the four-year catchall limitations period under 28 U.S.C. § 1658. Some circuits have used a two-year period based on analogous state law. The practical result: plaintiffs have four years in most jurisdictions from the date of the violating call or text, and they can aggregate calls across that entire window in a class action.

Does a consumer have to say a specific phrase to revoke TCPA consent?

No. The FCC has ruled that consumers can revoke consent through any reasonable means. A verbal "stop calling me" on a call, a STOP reply to a text, or an email request all qualify. You cannot contractually force consumers to use only one revocation method. Once revocation is received, honor it promptly. Continued calls after a revocation are willful violations subject to $1,500 per call.

What did Florida's 2021 FTSA amendment change for text message senders?

Florida's FTSA amendment, effective July 1, 2021, created a private right of action for texts sent with any automated system that selects or dials numbers, broader than the federal ATDS definition post-Duguid. It covers texts explicitly and allows $500 per text. Companies texting Florida numbers faced more exposure even after the Supreme Court narrowed the federal ATDS definition.

What is STIR/SHAKEN and why does it matter for TCPA compliance?

STIR/SHAKEN is a caller ID authentication framework the FCC required under TRACED Act implementation. Carriers must sign and verify caller ID information. If your outbound calls are not authenticated, carriers can legally block them. STIR/SHAKEN is not a TCPA requirement itself, but failing it means calls may never reach the consumer, so your dialing spend goes nowhere regardless of legal compliance.

Only if your company is specifically identified in the consent form the consumer saw. The FCC has held that generic "partners and affiliates" language is not enough for prior express written consent. If you buy leads, see the actual consent form, confirm your name appeared on it, and keep a copy. Relying on the vendor's assurance without documentation leaves you exposed if the consent is ever challenged.

What records should I keep to defend a TCPA claim?

Keep the consent form exactly as the consumer saw it, with a timestamp. Keep the scrub log showing you ran the contact against the DNC registry before calling. Keep call records showing who was called, when, and the result. Keep opt-out records showing revocations were acted on. Retain all of these for at least four years. Courts put the burden of proving consent on the caller.

How can someone stop receiving robocalls that violate TCPA?

Consumers can register their number on the National DNC Registry at donotcall.gov. They can also revoke consent directly with any company by saying so on a call or replying STOP to a text. For persistent illegal robocalls, filing a complaint with the FCC or FTC creates an enforcement record. For more on blocking options, see our guide on how to stop robocalls.

Sources

  1. Cornell Legal Information Institute, 47 U.S.C. § 227 (TCPA statute text): Statutory damages of $500 per violation, trebled to $1,500 for willful or knowing violations, and the definition of automatic telephone dialing system
  2. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. (2021): Unanimous 9-0 ruling holding that an ATDS must have the capacity to generate numbers using a random or sequential number generator; Justice Sotomayor's majority opinion definition
  3. Cornell Legal Information Institute, 47 C.F.R. § 64.1200 (FCC telemarketing rules): DNC registry scrubbing requirement every 31 days and Do Not Call rules for residential numbers
  4. Cornell Legal Information Institute, 47 C.F.R. § 64.1200 (prior express written consent definition from the FCC's 2012 order): FCC's 2012 rule requiring prior express written consent for autodialed or prerecorded marketing calls to cell phones, with electronic signature qualifying as written
  5. FTC, National Do Not Call Registry (business access and fee information): Businesses can access up to five area codes free per year for DNC registry access; fee structure for broader access
  6. Florida Legislature, Florida Telephone Solicitation Act, Section 501.059, F.S. (2021 amendment): Florida FTSA amendment effective July 1, 2021 creating broader automated system definition and private right of action at $500 per text or call
  7. Cornell Legal Information Institute, 28 U.S.C. § 1658 (general federal four-year statute of limitations): Four-year catchall federal civil statute of limitations commonly applied by courts to TCPA claims
  8. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Telemarketing Sales Rule requirements including DNC list scrubbing obligations and established business relationship exemption limits

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit