Last updated 2026-07-10

TL;DR
TCPA compliance means following the Telephone Consumer Protection Act (47 U.S.C. 227) every time you call or text a consumer. At minimum, that means getting prior express written consent before using an autodialer or sending marketing texts, honoring do-not-call requests within 30 days, and keeping records that prove you did both. Violations start at $500 per call or text and reach $1,500 for willful ones.
What does TCPA compliance actually mean?
TCPA compliance means your outbound calling and texting practices satisfy every requirement in the Telephone Consumer Protection Act, codified at 47 U.S.C. 227, plus the FCC rules that put it into effect. [1] There is no certificate. There is no one-time audit that clears you forever. It is an ongoing set of operational choices: who you call, how you reach them, what technology you dial with, and whether you have documented proof of permission.
Congress passed the law in 1991, long before smartphones and text marketing existed. Since then the FCC has issued order after order stretching its reach to cover SMS, ringless voicemail, and AI-generated voice calls. The framework rests on three pillars: consent before you contact someone, do-not-call obligations once they tell you to stop, and calling-hours limits that cap when you can legally dial.
Every campaign comes down to three questions. Do I have the right kind of consent for this contact method? Have I scrubbed against the National Do Not Call Registry and my own suppression list? Is the technology I am using classified as an autodialer under current FCC guidance? Miss any one, and each individual call or text becomes its own statutory violation.
See TCPA guidelines: what every outbound team must know in 2025 for a full breakdown of the current rule set.
What law is TCPA compliance based on, and what does the statute actually say?
The statute is 47 U.S.C. 227, the Telephone Consumer Protection Act. Congress passed it to deal with the flood of unsolicited telemarketing calls in the late 1980s. The FCC administers it. Enforcement also runs through private lawsuits, because the statute hands individuals a private right of action.
Section 227(b)(1)(A) prohibits using an automatic telephone dialing system or a prerecorded voice to call any number assigned to a cellular telephone service without the prior express consent of the called party. [1] That single sentence drives most TCPA litigation today. "Prior express consent" sounds simple. What qualifies has been fought over for three decades.
Section 227(c) covers the National Do Not Call Registry. A person who gets more than one call within 12 months from the same entity, on a number registered on the do-not-call list, can sue. [1] That is a different basis for liability than the autodialer provisions. A company can face TCPA exposure from two directions at once, even when it thinks it has one of them handled.
The FCC's authority to write the implementing rules comes from Section 227(b)(2). Those rules live at 47 C.F.R. Part 64 and hold the specifics: the 30-day limit for honoring opt-out requests, the written consent requirements for marketing messages, and more. [2]
For a plain-English walk through what the acronym means at each layer, see What does TCPA mean? The plain-English breakdown.
Who has to comply with the TCPA?
Any person or entity that makes telephone solicitations or uses automated technology to contact consumers in the United States has to comply. That covers a solo insurance agent texting leads from a CRM, a 500-seat call center running a predictive dialer, and everyone in between.
The FCC's rules hold the initiating party liable, which in practice is the seller or marketer whose goods or services get promoted, even when a third-party vendor places the actual calls. [2] Lead generators and aggregators can also catch exposure when they send leads to buyers who call with autodialers and the consent chain is broken.
Some exemptions are real. Purely informational calls with no commercial pitch, emergency calls, calls to businesses (with important caveats), and calls made by or on behalf of tax-exempt nonprofits carry different or reduced requirements. [1] The B2B space is tangled enough to need its own analysis; see TCPA b2b exemption for AI calls: what businesses actually get.
Healthcare organizations often think HIPAA shields them from TCPA. It does not. HIPAA and TCPA are separate statutes with separate rules. A hospital that autodials patients about appointment reminders without consent can still face TCPA liability.
What is prior express written consent and why does it matter so much?
Prior express written consent is the strictest consent standard under the TCPA. The FCC's 2012 rules require it for telemarketing calls and texts that use an autodialer or a prerecorded voice. Market anything to a cell phone with automated technology, and a spoken yes or a checkbox buried in terms of service is not enough. [2]
The rule spells out the standard. The consumer has to sign an agreement (wet or electronic signature both qualify) that clearly and conspicuously authorizes the seller to contact them with an autodialer or prerecorded voice, and the authorization has to include the phone number to be called. The agreement cannot be a condition of buying anything. [2]
That last part trips up a lot of teams. If your checkout says "by purchasing you agree to receive marketing texts," that consent is legally void, because you tied the purchase to it.
For texts, consent has to run to that specific seller for that specific purpose. A December 2023 FCC order tightened the "one-to-one" consent rule so a consumer's yes to one company could not be sold or handed to a list of unrelated marketers. [3] The Eleventh Circuit vacated that rule in January 2025, so it is not in effect today, but the FCC's direction is plain. [4]
Oral consent works for non-commercial informational calls to cell phones, and calls to residential landlines sit at a lower bar still. Knowing which standard maps to which contact method is the first competence your team needs. See TCPA existing business relationship: what actually protects you for how a prior relationship factors in.
What are the TCPA's do-not-call rules and how do they differ from consent rules?
The do-not-call (DNC) rules are a separate track of liability that runs independent of the autodialer consent rules. A fully consented call can still violate the DNC provisions if you dialed someone on the National Do Not Call Registry without a valid exemption.
The FTC maintains the National DNC Registry, not the FCC, and telemarketers have to access and scrub against it before they call. [5] You register your organization, pay an annual fee for the data (free for the first five area codes as of 2024), and re-scrub your lists at least every 31 days. Numbers stay on the registry permanently unless the consumer removes them.
The TCPA also requires companies to keep their own internal do-not-call lists. Any consumer who asks not to be called goes on your internal list within 30 days, and you honor that request for at least five years. [2] A request made to one division of your company applies across your whole organization, more than that product line.
Here is the rule that surprises small teams most. Call a number on the DNC registry more than once in 12 months and that consumer can sue, with the burden of proving an established business relationship or express invitation shifting to you. [1]
| DNC Scrub Requirement | Frequency | Authority |
|---|---|---|
| National DNC Registry | Every 31 days minimum | FTC / 16 C.F.R. 310 |
| Internal DNC list updates | Within 30 days of request | FCC / 47 C.F.R. 64.1200 |
| Internal DNC list retention | Minimum 5 years | FCC / 47 C.F.R. 64.1200 |
| National DNC registration renewal | Annual | FTC |
For practical steps on blocking unwanted calls from the consumer side, see how to stop robocalls.
What calling hours does the TCPA allow?
Federal TCPA rules limit telephone solicitations to 8 a.m. through 9 p.m. local time at the called party's location. [1] That is the consumer's time zone, not yours. A 9 p.m. call from a Chicago office is legal if the consumer sits in Denver (8 p.m. there) but breaks the rule if the consumer is in New York (10 p.m. there).
Many states run tighter windows. Florida's Mini-TCPA (the Florida Telephone Solicitation Act, amended in 2021) caps calls at 8 a.m. to 8 p.m. [6] Some states add a Sunday restriction or ban calls on federal holidays entirely. Run a national campaign and your time-of-day logic has to apply the most restrictive rule for each consumer's state.
Time-of-day violations are not a footnote. Each call outside the window is a separate violation at $500 to $1,500, same as any other TCPA breach. A batch job that autodials 10,000 numbers at 9:05 p.m. Eastern to consumers in that zone is $5 million to $15 million in exposure before a plaintiff's attorney has even sized the class.
What does TCPA compliance cost when you get it wrong?
Statutory damages run $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones. [1] Every individual call or text is a separate violation, and TCPA cases almost always proceed as class actions, so the numbers climb fast.
The average TCPA settlement is hard to pin down, because most settle confidentially. Public settlements show the range. UnitedHealthcare paid $2.5 million for alleged TCPA violations in one matter. Credit One faced a multi-million dollar settlement over autodialed calls. Truist Bank settled a class action on similar allegations. Albertsons and Safeway settled a TCPA suit tied to text marketing. These are not outliers. They are the standard exposure profile for a mid-size company that cuts corners.
Small companies are not off the hook. A one-person shop that texts 1,000 unconsented numbers with an autodialer carries, on paper, $500,000 to $1.5 million in statutory exposure. Plaintiff's attorneys take these on contingency because the damages are calculable and the statute does not make the plaintiff prove actual harm.
The FCC can also bring its own enforcement actions, with civil penalties reaching $23,727 per violation under the current inflation-adjusted forfeiture schedule, though FCC action against small businesses is far rarer than private litigation. [7]
For how 2025 rule changes shift your cost exposure, see TCPA 2025: what changed, what it costs, and how to stay compliant.
What technology triggers TCPA's autodialer rules?
The definition of an automatic telephone dialing system (ATDS), or autodialer, has been the most contested question in TCPA law for years. The Supreme Court settled part of it in Facebook, Inc. v. Duguid (2021), holding that an ATDS must have the capacity to produce telephone numbers using a random or sequential number generator, not merely store and dial numbers from a list. The opinion states the equipment must "use a random or sequential number generator." [8]
That ruling narrowed the definition a lot. A predictive dialer that pulls from a preloaded list of your own leads may not qualify as an ATDS under the federal standard after Duguid. But it is not that clean in practice, for two reasons.
First, some state laws define autodialer more broadly than the federal standard. A system that is not an ATDS under federal law can still trigger state-level liability. California's Invasion of Privacy Act and the Florida Telephone Solicitation Act both carry their own definitions that do not map onto Duguid. [6]
Second, prerecorded voice calls sit on their own liability track that does not care whether the equipment is an ATDS. If your system plays a recorded message when a call connects, even after manual dialing, you may still need prior express consent depending on the purpose of the call. [1]
If you are running AI voice agents, the analysis gets even less settled. See TCPA b2b exemption for AI calls: what businesses actually get for where that stands.
How does TCPA compliance work for text message marketing?
SMS gets treated the same as a call to a cell phone under the TCPA. Send a marketing text via an autodialer to a cell number and you need prior express written consent. [2] The fact that it is just a text does not lower the liability. If anything, texting is where most TCPA class actions start today, because it is easy to automate at scale and the consent records tend to be weak.
Text marketing compliance means a short list you have to hit every time. Collect written consent at a specific opt-in point that names your brand and describes the message types you will send. Keep a timestamped record of it. Honor opt-out keywords (STOP is the standard). Process opt-outs inside the required window. Never send to a number that has opted out.
The CTIA, the wireless industry's trade association, publishes messaging best practices that carriers use to police their networks. [9] Break them and your short code or toll-free number can get flagged or suspended by the carrier, which is an operational problem before any lawsuit lands. FCC rules and CTIA carrier guidelines are separate requirements. You satisfy both.
For deeper coverage of building a compliant text program, see text message marketing.
LeadCompliant's free phone number checker tells you whether a number is a cell or landline before you send, which is a basic first step in any scrubbing workflow.
What records do you need to prove TCPA compliance?
Consent records are your main defense in a TCPA lawsuit. The burden of proving consent sits on the caller, not the consumer. [2] If you cannot produce a timestamped, auditable record showing that a specific person consented to be contacted at a specific number by your specific company, you are fighting the case without your best weapon.
At minimum you need the date and time consent was given, the exact mechanism it came through (a copy of the web form, the call recording, the text opt-in), the IP address or other identifier tying the consent to that consumer, and the specific phone number consented to.
For do-not-call compliance you need records showing when each number went on your internal suppression list, the date of your most recent DNC scrub, and the version of the DNC data you used. The FTC recommends keeping these scrub records indefinitely, or at least through any possible litigation hold.
Your consent records have to survive employee turnover, CRM migrations, and platform shutdowns. Storing consent only inside a vendor's platform you later drop is a real and common trap. Export and archive your consent data to storage you control.
LeadCompliant's compliance kit includes consent log templates and a pre-campaign checklist mapped to these record-keeping requirements.
How do state laws add requirements on top of federal TCPA compliance?
Federal TCPA compliance is the floor, not the ceiling. States pass their own laws that go further, and those stack on top of the federal rules. A campaign that is fully compliant at the federal level can still expose you to state-law liability.
Florida's Telephone Solicitation Act (amended 2021) added restrictions on calls and texts made with autodialing technology to Florida numbers and narrowed calling hours to 8 a.m. to 8 p.m. [6] California's Consumer Privacy Act adds data-handling duties for consumer information, and the California Invasion of Privacy Act (CIPA) governs recording consent in a way that intersects with telemarketing workflows.
Texas, Oklahoma, and several other states run their own do-not-call lists on top of the National DNC Registry. Call into those states and you have to scrub against the state list too, which means separate registrations and separate access fees.
The practical answer for multi-state campaigns is straightforward. Identify the most restrictive applicable rule for each state you call into, and build your controls around it. Time-of-day logic, consent language, and opt-out processing all get calibrated by state.
For current state-level developments see Telemarketing rules news: what changed and what's coming in 2025-2026.
What are the most common TCPA compliance mistakes small teams make?
The most common mistake is treating consent as a one-time event instead of a documented, auditable record. Teams have some consent, somewhere, in some form, but they cannot produce it when challenged. In a lawsuit that is the same as having no consent at all.
Second most common: not scrubbing the National DNC Registry often enough. Teams scrub at the start of a campaign, then keep dialing for 90 days without a refresh. Numbers get added to the DNC every day. Your 31-day scrub window is a legal requirement, not a suggestion.
Third: buying leads where the consent chain is fuzzy. A vendor writing "all leads are TCPA compliant" into a contract is not proof of consent. You need to know the exact opt-in language the consumer saw, whether it named your company, and whether it described the communications they would get. The FCC's one-to-one consent rule, even in its vacated form, reflects years of enforcement pressure on vague, aggregated lead consent.
Fourth: letting your opt-out process lag. Get an opt-out by text and keep calling that number because your systems are not synced, and once you are on notice, that is a willful violation. The $1,500 per-call rate applies to those calls.
Fifth: assuming your dialer is not an autodialer because a vendor said so. Get a legal opinion on whether your specific configuration triggers ATDS treatment, especially if you dial from lists in any automated way. Vendor assurances are not a defense.
For recent examples of what these cost, the Cash App TCPA class action settlement and Kaiser TCPA settlement show the pattern.
Frequently asked questions
What is the simplest definition of TCPA compliance?
TCPA compliance means following 47 U.S.C. 227 and the FCC's implementing rules before every marketing call or text you send. At its core that requires documented prior express written consent before using automated technology or sending marketing texts, active do-not-call scrubbing, and honoring opt-out requests within 30 days. Every violation risks $500 to $1,500 in statutory damages per individual contact.
Does TCPA apply to B2B calls?
TCPA applies to calls made to cell phones whether the recipient is a business or a consumer. Calls to business landlines carry reduced requirements, but most professionals use cell phones as their primary work number, so the full framework applies to those calls. The B2B exemption is narrower than most teams assume and turns heavily on whether you are dialing a cell phone or a business landline.
How long do I have to honor a do-not-call request?
FCC rules require you to honor an internal do-not-call request for at least five years, and you must implement it within 30 days of when the consumer made it. You also have to apply that request across your entire organization, more than one product line or department. Calling the same person after they asked you to stop, even once, is a separate TCPA violation.
Can a consumer sue me directly under the TCPA?
Yes. The TCPA gives individual consumers a private right of action to sue in federal or state court without showing actual damages. They can recover $500 per violation or actual damages, whichever is greater. Courts can award $1,500 per violation for willful ones. Because each call or text is its own violation, cases often become class actions with aggregate damages in the millions.
Does TCPA compliance apply to emails?
No. The TCPA governs telephone calls and text messages. Email marketing falls under the CAN-SPAM Act, which has a different and generally lighter framework. But if you use a text-to-email gateway that delivers a message to a phone number as a text, the TCPA may apply to that delivery path. Analyze the delivery mechanism, not the message format.
What counts as prior express written consent for a text message?
The FCC requires a signed agreement (digital signatures qualify) that clearly authorizes your specific company to send marketing texts using an autodialer or prerecorded voice to a specific phone number. The consent cannot hide in general terms of service, has to describe the kind of messages the consumer will receive, and cannot be required as a condition of purchase. The signature and date must be retrievable as evidence.
Is an existing business relationship enough to call someone without consent?
An established business relationship (EBR) exempts you from the National DNC Registry for up to 18 months after a transaction and up to 3 months after an inquiry. It does not exempt you from getting prior express written consent before using an autodialer or sending marketing texts to a cell phone. The EBR is a narrower defense than most teams believe.
How often do I need to scrub against the National Do Not Call Registry?
The FTC's Telemarketing Sales Rule and the FCC's rules require you to scrub your call lists against the National DNC Registry at least every 31 days. You also have to register your organization with the FTC to access the full data. The first five area codes are free; more access costs money. Calling a registered number more than once in 12 months triggers the consumer's right to sue.
What is the difference between the FCC and FTC in TCPA enforcement?
The FCC administers the TCPA (47 U.S.C. 227) and issues the implementing rules for calls and texts. The FTC administers the Telemarketing Sales Rule (16 C.F.R. 310), which covers the National Do Not Call Registry and telemarketing fraud. Both agencies have enforcement power, and both rule sets apply to most outbound campaigns. Private lawsuits are the most common enforcement path regardless of which agency's rules are at issue.
Do TCPA rules apply to ringless voicemail drops?
This is still unsettled. The FCC issued a declaratory ruling in 2022 stating that ringless voicemail delivered to a consumer's voicemail box, without ringing their phone, is still a "call" under the TCPA. That position faces ongoing legal challenges, but the safest bet is to treat ringless voicemail like a standard call to a cell phone and get prior express consent before using it for marketing.
What records do I need to keep to defend a TCPA claim?
You need timestamped consent records tied to specific phone numbers, records of every DNC scrub showing the date and registry version used, copies of opt-out requests and when you processed them, and documentation of your policies and training. The burden of proving consent sits on the caller. If you cannot produce these records for a specific disputed call or text, you are effectively fighting without a defense.
How does the 2024 FCC one-to-one consent rule affect lead generation?
The FCC adopted a rule in December 2023 requiring consumer consent for marketing calls to name one specific seller rather than authorizing a broad list of unaffiliated partners. The Eleventh Circuit vacated the rule in January 2025, so it is not currently in effect. The FCC's intent is still clear, and lead buyers should audit the consent language in their lead contracts regardless of the ruling's status.
Sources
- U.S. Congress, 47 U.S.C. 227 (Telephone Consumer Protection Act): Statute text: prohibits ATDS calls to cell phones without prior express consent; DNC private right of action; $500-$1,500 per-violation damages; 8am-9pm calling hours
- FCC, 47 C.F.R. Part 64 (Subpart L, Restrictions on Telemarketing and Telephone Solicitation): FCC implementing rules: prior express written consent definition, 30-day opt-out implementation window, 5-year internal DNC list retention, written consent cannot be conditioned on purchase
- FCC, Report and Order FCC 24-13, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act (2024 one-to-one consent rule): 2024 FCC ruling requiring one-to-one consent for marketing contacts, prohibiting consent to unaffiliated lists of sellers
- U.S. Court of Appeals, Eleventh Circuit, Insurance Marketing Coalition Ltd. v. FCC (2025 ruling vacating one-to-one consent rule): Eleventh Circuit vacated the FCC's one-to-one consent rule in January 2025
- FTC, National Do Not Call Registry: National DNC Registry administered by FTC; telemarketers required to access and scrub against it; first five area codes free
- Florida Legislature, Florida Telephone Solicitation Act (Fla. Stat. 501.059, as amended 2021): Florida's amended TCPA-analog restricts calls and texts using autodialing technology and limits calling hours to 8am-8pm
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held an ATDS must produce numbers using a random or sequential number generator; narrowed autodialer definition
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC TSR requires 31-day DNC scrub cycle and governs telemarketing fraud in parallel with TCPA