TCPA compliance certification: what it is and do you need it

No single government TCPA certification exists, but courts and the FCC treat documented compliance programs as a key defense. Here's what actually works.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-09

Compliance officer reviewing outbound call compliance documents at a desk
Compliance officer reviewing outbound call compliance documents at a desk

TL;DR

There is no government-issued TCPA compliance certificate. What courts and the FCC actually look for is a documented, running compliance program: written consent records, DNC scrubbing logs, call-time controls, and training records. Building that paper trail is what most people mean by 'getting certified,' and it matters enormously in litigation because it supports the established business relationship and bona fide error defenses.

Does a government-issued TCPA compliance certification exist?

No. There is no certificate the FCC, FTC, or any federal agency issues that lets you say 'we are TCPA certified' and gain legal protection from it. Nobody hands you a seal. This surprises a lot of founders who come from industries like food safety or financial services where third-party certification carries real regulatory weight.

What does exist is a body of statute and FCC rules, principally 47 U.S.C. § 227 [1], that define the conduct you must follow. Compliance with those rules is a legal obligation, not a credentialing program. The TCPA's private right of action means plaintiffs can sue you directly, without going through a regulator first, which is a big part of why the market for private 'TCPA compliance programs' and training certifications has grown.

Third-party organizations, law firms, and SaaS vendors do offer compliance training badges, audit reports, and certification letters. Some are genuinely useful as internal accountability tools. None of them insulate you from a lawsuit. A plaintiff's attorney does not care that an employee passed an online quiz. What matters in court is whether you had a lawful basis to make the call or send the text, and whether you have records proving it.

What does TCPA compliance actually require?

The statute at 47 U.S.C. § 227 [1] and the FCC's implementing regulations at 47 C.F.R. § 64.1200 [2] set out the core requirements. They break into five categories.

First, prior express written consent. For autodialed or prerecorded calls and texts to cell phones, you need written consent that is clear and conspicuous, identifies who you are, and says the person is agreeing to receive calls or texts from you. The FCC's 2012 order tightened this, eliminating the 'established business relationship' exception for calls to cell phones and requiring consent before the call, not after. [2]

Second, Do Not Call compliance. Residential numbers on the National DNC Registry [3] cannot receive telemarketing calls unless the consumer gave prior express written consent, or you have an established business relationship and they have not opted out. You must scrub your calling lists against the federal registry, and you must honor company-specific DNC requests within 30 days. [4]

Third, calling hours. The statute and FCC rules prohibit calls before 8 a.m. or after 9 p.m. local time at the called party's location. [1] Simple on paper. It trips up plenty of teams working across time zones.

Fourth, identification. Every autodialed or prerecorded call must state the name of the business or individual making the call and provide a callback number or address. [2]

Fifth, consent that is specific and revocable. The FCC's one-to-one consent rule, effective January 2025, requires that consent be specific to a single seller, not bundled across a list of companies. [5] Revocation must be honored promptly, and the FCC confirmed in 2024 that consumers can revoke by any reasonable means. [5]

A real compliance program addresses all five in writing, not in someone's head.

What does a TCPA compliance program actually look like in practice?

Think of it as a stack of documents and running processes, not a one-time exercise.

At the top is a written TCPA policy. This document names who owns compliance, defines which channels you use (voice, SMS, ringless voicemail), identifies your dialing technology, and spells out what consent standard applies to each campaign type. It should be short enough that a new sales rep actually reads it.

Below that are consent capture records. Every opt-in needs to be timestamped, tied to a source (web form URL, verbal recording, signed document), and stored somewhere you can retrieve it fast. Courts have awarded plaintiffs $500 to $1,500 per call where the company could not produce consent records during discovery. [6] That is not a theoretical risk.

Next are your DNC scrubbing logs. The National DNC Registry requires you to scrub within 31 days before calling. [3] Your logs should show when you downloaded the list, which numbers were suppressed, and who ran the process. If you use a vendor for this, keep the vendor's confirmation records too.

Training records matter more than most small teams realize. The 'bona fide error' defense under the TCPA requires showing the violation happened despite having maintained reasonable procedures to prevent it. [1] Courts read that narrowly, but documented, regular training is part of what 'maintained procedures' means.

Last, you need a complaint and revocation log. Every DNC request, every opt-out, every complaint should be recorded, actioned within the required window, and auditable. [4]

For SMS-specific operations, LeadCompliant's free compliance kit includes consent capture templates and DNC tracking worksheets that fit this structure without requiring a law firm to build everything from scratch.

How do courts view an existing compliance program when a lawsuit hits?

Documented compliance programs do not make you immune. They do change the economics of litigation, and that change is real.

The TCPA allows statutory damages of $500 per violation, trebled to $1,500 per violation if the court finds the violation was willful or knowing. [1] 'Willful' does not mean malicious. It means you had reason to know you were making calls that might violate the statute. A company with no written consent records, no DNC scrubbing logs, and no training documentation looks willful. A company with all of that, plus a documented process that a vendor error or human mistake disrupted, looks like a bona fide error.

The bona fide error defense at 47 U.S.C. § 227(c)(5) requires showing the violation was not intentional and resulted from a bona fide error notwithstanding the maintenance of procedures reasonably adapted to avoid any such error. [1] 'Maintenance of procedures' is the phrase that decides cases. You cannot assert the defense after the fact by scrambling to write a policy. It has to have existed before the violation.

Look at settlements like the UnitedHealthcare TCPA case, where $2.5 million changed hands partly because of consent record failures. Or the Credit One TCPA settlement, which ran into eight figures. The common thread in large TCPA settlements is almost always inadequate consent documentation or inadequate DNC compliance, not some exotic technical violation.

A compliance program does not stop a plaintiff from suing. It changes how expensive the case is to defend and whether class certification is feasible.

TCPA statutory damages by call volume Standard ($500/call) vs. willful ($1,500/call) exposure at common outbound volumes 100 calls, standard $50k 100 calls, willful $150k 1,000 calls, standard $500k 1,000 calls, willful $1.5M 10,000 calls, standard $5M 10,000 calls, willful $15M Source: 47 U.S.C. § 227 (TCPA statute)

What are the TCPA penalties you're trying to avoid?

The baseline is $500 per violating call or text. [1] Willful violations jump to $1,500 per call or text. There is no cap per plaintiff in a class action, which is how settlements reach seven and eight figures when a company called or texted a large list without proper consent.

The FCC can also issue forfeitures. In 2022 the FCC proposed forfeiture orders totaling roughly $300 million against two robocall operations, though collection on those orders has historically been difficult. [7] Private litigation is where most companies actually feel the pain, because the private right of action requires no FCC involvement.

State laws add another layer. Florida, Washington, and Oklahoma have passed laws that apply TCPA-style restrictions to more calling scenarios than federal law covers. Some states allow per-call damages on top of federal statutory damages. This is not a place to optimize for the floor.

The table below shows how per-violation costs scale with call volume.

Calls made$500/call (standard)$1,500/call (willful)
100$50,000$150,000
1,000$500,000$1,500,000
10,000$5,000,000$15,000,000
100,000$50,000,000$150,000,000

These numbers assume one violation per call, which courts have applied consistently. [6]

In December 2023 the FCC adopted a rule requiring that written consent for marketing calls and texts be specific to a single seller and obtained on a one-to-one basis. [5] The rule took effect January 27, 2025, and it killed the lead generation practice of having a consumer check a box consenting to receive calls from 'partners' or 'marketing networks' without naming each one.

For compliance programs, this means your consent capture process must now name your company specifically. A generic blanket consent to a long list of potential callers no longer satisfies the statute under FCC interpretation. If you buy leads from a third party, you need to verify that the consent specifically named you, not the lead generator's whole network of clients.

The FCC stated in the 2023 Order that consent must be "logically and topically associated" with the website where it is captured. [5] That phrase matters. A consumer on a mortgage comparison site did not consent to calls from an auto dealer even if the fine print listed the dealer.

This one change made many lead-buying compliance programs obsolete. If your program was written before 2024 and relies on aggregated consent, it needs a rewrite. For SMS marketers trying to get this right, the text message marketing guide covers consent language in detail.

What should a TCPA compliance audit cover?

An audit is a point-in-time snapshot of whether your program matches what the law actually requires. You can do a lightweight version yourself, or hire a TCPA attorney for a thorough one. Either version needs to cover the same ground.

Consent chain review. Pick 20 random records you called or texted in the last 90 days. Can you produce the consent record for each one? What does it say? Does it name your company? Was it captured before the first contact? If you cannot do this in under an hour for 20 records, you have a documentation problem.

Dialing technology assessment. The TCPA's original definition of an 'automatic telephone dialing system' (ATDS) was narrowed by the Supreme Court in Facebook v. Duguid (2021) [8], which held that an ATDS must use a random or sequential number generator to produce or store numbers. Plaintiffs still test this, and many state laws use broader definitions. Know what your system does technically, and document it.

DNC scrub frequency. Are you scrubbing against the National DNC Registry at least every 31 days? [3] Are you honoring company-specific DNC requests within 30 days? [4] Who owns this process, and is there a backup if that person leaves?

Calling hours controls. Does your dialer hard-block calls before 8 a.m. or after 9 p.m. local to the recipient? Or are you relying on reps to self-police? Relying on reps is how you get a 9:05 p.m. call to someone in California from a rep in New York who forgot to convert.

Vendor contracts. If a third-party dialer or lead provider causes a TCPA violation, plaintiffs often name both the vendor and you. Your contract should include TCPA compliance reps and warranties and indemnification. Audit whether those clauses exist.

Revocation handling. Do you have a documented process for opt-outs received by any channel: phone, text, email, verbal? The FCC's 2024 order confirmed that 'any reasonable means' of revocation must be honored. [5]

Are third-party TCPA certification programs worth the money?

Some are useful. Most are not worth what they charge if you treat the certificate as the goal.

A reputable compliance training program from a TCPA law firm or established compliance vendor helps your team understand the rules, build a shared vocabulary, and create accountability. The training records also help you document that you 'maintained procedures,' which supports the bona fide error defense. That part has real value.

What these programs do not do: they do not reduce your legal exposure as a matter of law, they do not certify your consent records as valid, and they do not stop a plaintiff from filing a class action. A certificate on the wall does not survive discovery if your consent records are a mess.

The honest cost range for third-party compliance audits from TCPA-specialized law firms runs from roughly $3,000 to $15,000 for a small operation, depending on complexity and firm size. Online training-only programs run $200 to $1,500 per seat. Neither figure has a clean published benchmark because the market is fragmented and most providers do not disclose pricing publicly.

For most small outbound teams, the better investment is building the actual program: consent templates, scrubbing workflows, a written policy, and audit logs. The LeadCompliant compliance kit covers this without the law firm price tag. An attorney review of your consent language before you go live is money well spent. An ongoing retainer for a certification badge often is not.

Consent is an affirmative defense. In litigation, the burden falls on you to prove it. Plaintiffs do not have to prove they did not consent. You have to prove they did. [6]

This flips the usual burden, and that is why consent records matter so much. If you cannot produce a timestamped, source-identified consent record for the number a plaintiff claims you called without permission, you are starting the case without your main defense in hand.

The FCC's rules require that consent be in writing, signed by the consumer, and contain a clear and conspicuous disclosure that the consumer authorizes the caller to contact them at the provided number using an autodialer or prerecorded voice. [2] 'Signed' under the E-SIGN Act includes electronic signatures, including clicking a checkbox on a website. [9]

Best practice is storing consent records with the full name and phone number of the consumer, the timestamp and IP address of the opt-in, the exact URL of the opt-in page, a screenshot or version-controlled copy of the page as it appeared at opt-in, and the opt-in language verbatim. Courts have rejected consent defenses where the company could prove a consumer visited a page but could not prove what the page said at that moment. [6]

If you buy leads, ask for all of the above from your vendor. If they cannot provide it, that is your answer about the quality of their consent.

What does TCPA compliance look like for SMS campaigns specifically?

SMS is where most of the new TCPA litigation is concentrated. Text messages are easy to document from the plaintiff's side (screenshots), and the autodialer question, while narrowed by Facebook v. Duguid [8], still comes up with many mass texting platforms.

For SMS, the consent standard that matters most is prior express written consent for marketing texts. [2] The CTIA (the wireless industry trade association) also publishes Messaging Principles and Best Practices [10] that carriers enforce through their short code and 10DLC registration systems. Fail those CTIA standards and your messages get blocked at the carrier level, which is a business problem before it ever becomes a legal one.

10DLC registration (registration of 10-digit long code numbers for business texting) is now effectively mandatory for US carriers. It is not a TCPA compliance program, but it does require you to document your campaign type and consent method, which creates a record that can matter in litigation.

Opt-out handling for SMS has a specific standard: STOP replies must be honored immediately and automatically. [10] You cannot make someone call a number or visit a website to opt out of texts. If your platform does not handle STOP replies automatically, that is a compliance failure.

The text messaging marketing guide covers the mechanics of SMS opt-in language and campaign structure in more detail, including what double opt-in actually protects you from and when it is overkill.

What records should you keep, and for how long?

There is no single federal law setting a retention period specifically for TCPA consent records. The TCPA's statute of limitations is four years under 28 U.S.C. § 1658 (the general federal four-year limitations period), though some courts have applied a two-year period. [11] The safest practice is keeping all consent records, DNC scrub logs, training records, and call logs for at least four years.

Here is the practical list of what to retain.

Consent records: indefinitely for any customer with an ongoing relationship, minimum four years after the last contact.

DNC scrub confirmations: four years, with enough detail to show which list version you scrubbed against on which date.

Opt-out records: indefinitely, or until the phone number is definitively reassigned. The FCC's Reassigned Numbers Database [12] exists precisely because a number can pass from a consenting customer to a new subscriber who never consented. Calling the new subscriber on old consent is a TCPA violation.

Training completion records: four years from the date of training.

Call logs (dialed numbers, timestamps, campaign identifiers): four years.

Store these in a searchable format. If you get a litigation hold letter and it takes a week to reconstruct which calls you made to a given number in a given month, you have a process problem that costs you in legal fees and possibly in sanctions.

How do you build a TCPA compliance program if you're starting from scratch?

Start with what is most likely to kill you in court: consent records and DNC scrubbing. Everything else matters, but those two gaps drive the bulk of large settlements.

Week one: write a one-page TCPA policy. It does not need to be elaborate. It needs to identify your channels, your consent standard, who owns compliance, and your DNC process. Get sign-off from whoever runs sales and store it somewhere version-controlled.

Week two: audit your consent capture. Pull your opt-in form or lead intake process and ask three questions. Does this consent specifically name my company? Does it say the consumer agrees to autodialed calls or texts? Is the timestamp and source captured automatically? Fix any gaps before you make another call.

Week three: set up DNC scrubbing. Register as a subscriber to the National DNC Registry at donotcall.gov [3] and pull your first scrub. Cost is $75 per area code per year, with a fee cap. Set a calendar reminder to re-scrub at least monthly.

Week four: train your team. Even 30 minutes covering what the TCPA prohibits, how to handle DNC requests, and what to do if someone threatens to sue is enough to start building a training record. Document who attended.

After that, the program is maintenance: quarterly audits, vendor contract reviews, and staying current on FCC rule changes. The FCC's enforcement and rulemaking pages [7] are worth bookmarking. For the consent templates and scrubbing checklists, the LeadCompliant compliance kit has free downloadable versions built for small outbound teams.

Frequently asked questions

Is there an official TCPA certification I can get from the FCC?

No. The FCC does not issue TCPA compliance certificates to businesses or individuals. Compliance is a legal obligation under 47 U.S.C. § 227, not a credentialing program. Third-party organizations offer training badges and audit letters, but none of these carry official regulatory weight. What matters in litigation is whether you actually followed the rules and kept records proving it.

How much does TCPA compliance cost per year for a small team?

National DNC Registry access costs $75 per area code per year, capped at roughly $18,000 for nationwide access. Legal review of consent language runs $500 to $3,000 for most small teams. A third-party compliance audit from a TCPA law firm runs $3,000 to $15,000. The biggest cost is usually staff time building and maintaining the consent documentation process. Most of the work can be done in-house with good templates.

What is the bona fide error defense under the TCPA?

The bona fide error defense at 47 U.S.C. § 227(c)(5) lets a company avoid liability if the violation was unintentional and occurred despite maintaining procedures reasonably adapted to prevent it. Courts read 'maintained procedures' to mean the procedures existed and were actually followed before the violation, not assembled after the fact. Documented training, consent records, and DNC logs are the core evidence for this defense.

Does Facebook v. Duguid mean I don't need to worry about ATDS rules anymore?

Not exactly. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the definition of an automatic telephone dialing system to systems that use a random or sequential number generator to produce or store numbers. Many modern dialers do not meet this definition. But state TCPA analogs often use broader definitions, and plaintiffs still test ATDS status regularly. You still need consent; the ATDS question only affects which calls require prior express written consent versus prior express consent.

What happens if I call a number that was reassigned to a new subscriber?

Calling a reassigned number can be a TCPA violation even if you had valid consent from the previous subscriber. The FCC created the Reassigned Numbers Database (RND) to help callers identify numbers that have been reassigned. Courts have generally held that calling a reassigned number after a single contact with the new subscriber puts you on notice. Scrubbing against the RND before calling is increasingly a standard of care in the industry.

Do I need TCPA compliance documentation for cold email as well?

No. The TCPA covers telephone calls and text messages to phone numbers. Email is governed by the CAN-SPAM Act, which has separate requirements and does not require prior consent for commercial email (though it does require opt-out honoring). Your TCPA compliance program does not need to address email. Keep the two regulatory frameworks separate in your policies to avoid confusion.

Under the FCC's one-to-one consent rule effective January 27, 2025, consent must specifically name your company to be valid for your calls. Blanket consent to a 'marketing network' or list of unnamed partners no longer satisfies the rule. If you buy leads, you need to verify that your company is specifically named in the consent disclosure the consumer saw. If the vendor cannot show you that consent record, you are assuming liability you cannot defend.

How quickly do I have to honor a Do Not Call request?

The FCC's rules require you to honor company-specific DNC requests within 30 days and maintain the request for at least five years. For text message opt-outs via STOP reply, carriers and the CTIA require immediate automated processing. Waiting 30 days for an SMS opt-out is not acceptable in practice, because the carrier-level enforcement of STOP replies is separate from the 30-day statutory window.

What records do plaintiffs actually subpoena in TCPA cases?

In discovery, plaintiffs typically request call logs showing all contacts to the disputed number, the dialing system's configuration and logs, consent records including opt-in timestamps and page screenshots, DNC scrub records, and employee training records. They also often subpoena the dialing vendor directly. Teams that cannot produce these records quickly either settle early or face adverse inference instructions from the court.

Does the TCPA apply to B2B calls?

The TCPA's restrictions on autodialed calls and prerecorded messages apply to any call to a cell phone number, regardless of whether the recipient is a business or consumer. Many B2B salespeople call cell phones, which means the TCPA applies. The National DNC Registry restrictions apply specifically to residential numbers and do not cover business lines, but the cell phone consent requirements do not distinguish between personal and business use of a mobile number.

How often should I re-scrub my calling list against the National DNC Registry?

The FCC requires that you scrub within 31 days before calling a number. That means if you have a list you call continuously, you need to re-scrub at least monthly. Scrubbing once when you buy the list and never again is not compliant. Most compliance programs set a monthly calendar reminder tied to a specific person responsible for running the scrub and documenting the result.

What is the statute of limitations for a TCPA claim?

Most federal courts apply the four-year catch-all limitations period from 28 U.S.C. § 1658, though a minority have applied a two-year period. The practical implication is that you should retain consent records, call logs, and DNC scrub documentation for at least four years from the date of the last call or text in any campaign. Some plaintiff attorneys push for longer windows if the violation was alleged to be ongoing.

Are there state laws that are stricter than the federal TCPA?

Yes, several. Florida's Telephone Solicitation Act (FTSA) covers calls made with any technology that dials automatically, using a broader definition than the federal TCPA post-Facebook v. Duguid. Washington's CEMA and Oklahoma's TCPA analog also have teeth. Some states allow per-call damages on top of federal statutory damages. If you call into Florida, Washington, or other active enforcement states, your compliance program needs a state-law overlay on top of federal TCPA compliance.

The FCC's one-to-one consent rule, adopted in December 2023 and effective January 27, 2025, requires that prior express written consent for marketing calls and texts be given to a single named seller, not bundled across multiple companies. It also requires that the consent topic be logically related to the website where it was collected. The rule changed the lead generation industry's practice of obtaining broad consent covering multiple anonymous buyers.

Sources

  1. U.S. Code, 47 U.S.C. § 227 (Telephone Consumer Protection Act): Statutory basis for TCPA requirements including $500/$1,500 per violation damages, bona fide error defense, calling hour restrictions, and prior express consent requirements.
  2. FCC, 47 C.F.R. § 64.1200 (Implementing Regulations): FCC implementing rules requiring prior express written consent for autodialed/prerecorded calls to cell phones, identification requirements, and 2012 elimination of established business relationship exception.
  3. FTC, National Do Not Call Registry: National DNC Registry registration and scrubbing requirements; $75 per area code per year fee.
  4. FTC, Telemarketing Sales Rule and Do Not Call Enforcement: Consent is an affirmative defense; courts have awarded $500-$1,500 per call where companies could not produce consent records; burden falls on defendant to prove consent.
  5. Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): ATDS definition narrowed to systems using a random or sequential number generator to produce or store numbers; decided April 1, 2021.
  6. U.S. Code, 15 U.S.C. § 7001 (E-SIGN Act): Electronic signatures including checkbox clicks on websites satisfy the 'signed' requirement for TCPA prior express written consent.
  7. U.S. Code, 28 U.S.C. § 1658 (General Federal Limitations Period): Four-year catch-all statute of limitations applied by most federal courts to TCPA claims; basis for four-year record retention standard.
  8. FCC, Reassigned Numbers Database: FCC database for identifying phone numbers reassigned to new subscribers; calling a reassigned number after initial contact with new subscriber creates TCPA exposure.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit