Last updated 2026-07-11

TL;DR
A TCPA compliance officer at a small company owns consent records, DNC scrubbing, call-time rules, employee training, and incident response. You don't need a dedicated hire. One organized person with real processes and the authority to stop a campaign covers it. Getting it wrong costs $500 per violation, or $1,500 for willful violations, under 47 U.S.C. § 227.
What is a TCPA compliance officer and does a small company actually need one?
A TCPA compliance officer is whoever owns the job of keeping your outbound calling and texting inside the rules of the Telephone Consumer Protection Act. At a Fortune 500 company that's a full-time role with a team. At a 10-person sales shop, it's the sales manager, the founder, or a part-time ops person who already juggles 15 other things.
You probably don't need a dedicated hire. You need someone who has clearly accepted the responsibility and has the authority to say "stop" when the team is about to do something that creates liability. That distinction matters. TCPA lawsuits don't care whether you had a compliance department. They care whether you made the calls.
The statute, 47 U.S.C. § 227, puts liability on the "person" or "entity" that initiates or causes the initiation of a prohibited call or text. [1] The FCC has stretched that to reach companies that are "so involved in the placing of a specific telephone call" that they should be deemed to have made it, even when a third-party dialer technically pressed the button. [2] That standard is why your compliance owner has to watch vendor behavior as closely as your own reps.
Small companies get sued under the TCPA constantly. The cash app tcpa class action settlement and the credit one tcpa settlement both involved large organizations, but plaintiff attorneys file against small businesses every week. Statutory damages are fixed and predictable regardless of company size. One bad calling list can spawn hundreds of individual $1,500 claims fast.
What are the core responsibilities of a TCPA compliance officer at a small company?
Seven things actually matter. Miss any one and you have a gap a plaintiff attorney will find.
1. Consent documentation You need written consent records for every number you call or text with an autodialer or prerecorded voice for marketing. The FCC's 2012 rules require "prior express written consent" for telemarketing calls to cell phones, and that consent must be signed (electronic signature counts), clearly name the company calling, and state that agreeing is not a condition of purchase. [3] The compliance officer makes sure that record exists and that you can produce it on demand.
2. Do-not-call list scrubbing Before any outbound campaign, your list gets scrubbed against the National DNC Registry. The FCC rules require scrubbing at least every 31 days. [4] The compliance officer sets the schedule, confirms it ran, and keeps records of when each scrub happened. See the do not call list for the full mechanics.
3. Internal DNC list maintenance Anyone who asks you directly not to call again goes on your internal company-specific DNC list within 30 days, honored for at least five years. [4] This is separate from the national registry. Your officer owns the list, the opt-out process, and training reps to pass those requests up the chain instead of ignoring them.
4. Call-time and caller-ID rules Outbound calls can only go out between 8 a.m. and 9 p.m. in the called party's local time zone. [4] Your caller ID has to transmit an accurate name and number. The compliance officer checks that the dialer is configured right and that time-zone logic runs off the recipient's area code, not your office clock.
5. Autodialer and prerecorded-voice audits The TCPA restricts equipment with the capacity to produce or store random or sequential numbers and dial them. [1] After the Supreme Court's 2021 ruling in Facebook v. Duguid, the definition narrowed, but lower courts still fight over it. [5] Your officer needs to know exactly what your dialer does, get written confirmation from the vendor, and document that assessment.
6. Employee training People make mistakes. Reps add leads without checking consent. Someone forgets to enter a DNC request. Your officer runs training at onboarding and at least once a year after that, and keeps attendance records. No training records means no defense.
7. Incident response When something breaks, a bad list gets loaded or a rep dials outside the window, your officer investigates, documents the facts, corrects the error, and decides whether to self-report or call counsel. A written incident log is itself a defense, because it shows the violation wasn't willful.
What does TCPA consent documentation actually look like for a small team?
Consent documentation is the piece small companies handle worst. Here's what it has to contain.
For marketing calls and texts to cell phones using an autodialer: a written record (paper or electronic) that shows (a) the consumer's signature or electronic equivalent, (b) the specific phone number they're consenting for, (c) the name of the company that will call, (d) a statement that consent is not required to make a purchase, and (e) a description of the type of calls or texts they'll get. [3]
For B2B calls to business lines, the bar is lower. Prior express consent, not written consent, is generally enough for calls that aren't purely telemarketing. The officer should still document how and when that consent came in, because the burden of proof lands on you.
In practice this means your web form has a clear, unchecked checkbox with compliant disclosure language, and your CRM records the timestamp, IP address, and form version at submission. That data has to live somewhere you can pull it in a day if a demand letter shows up. Most small companies keep it in their CRM or a linked spreadsheet. Either works, as long as it's complete and backed up.
One trap: consent captured by a third-party lead vendor does not automatically transfer to you. The FCC's 2023 one-to-one consent rule requires the consumer to specifically consent to hear from your company by name, not from "marketing partners." [6] If you buy leads, your officer needs to audit the exact disclosure language the vendor's form used before you call anyone.
How should a small company handle DNC scrubbing without a big compliance budget?
The National Do Not Call Registry is run by the FTC and requires a paid subscription to pull numbers for scrubbing. The fee is $75 per area code per year (as of 2024), capped at $19,335 for access to every area code. [7] Most small outbound teams buy a handful of area codes and pay a few hundred dollars a year.
You can scrub directly through the FTC's portal or through a third-party service that handles the API calls. Third-party vendors often run a few cents per number and keep the integration clean so you're not babysitting the FTC portal yourself. Either approach is fine. What's not fine is skipping the scrub, or scrubbing once and assuming it lasts forever.
The 31-day window means a number that wasn't on the registry when you pulled your list might be on it 32 days later. Your officer should set a calendar reminder and treat scrubbing as a recurring task, not a one-time setup. See how do i get the do not call list for a step-by-step walk through the FTC process.
For your internal DNC list, a simple spreadsheet with the phone number, the opt-out date, and who took the request is enough to start. As you grow, move it into your CRM so opt-outs suppress automatically on future campaigns. The officer's job is making sure suppression fires before the list hits the dialer, not after the calls go out.
What TCPA fines and lawsuit exposure should a small company plan around?
Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per violation for negligent or unknowing violations and $1,500 per violation for willful or knowing ones. [1] Each call or text is a separate violation. Fire 500 unsolicited texts in one campaign and you're looking at up to $750,000 in statutory damages before attorney fees.
TCPA cases come as class actions constantly, which is what makes them so dangerous for small companies. The class mechanism lets plaintiff attorneys stack thousands of $500 claims into one suit worth millions, so settling gets rational even when the underlying conduct was minor. Nobody has clean data on the average settlement at the small-company level. Public TCPA class action settlements have run from roughly $1 million to $76 million for large defendants. [8] Small defendants often settle individual claims for $500 to $5,000 per plaintiff just to dodge litigation costs.
| Violation type | Statutory damages per call/text | Notes |
|---|---|---|
| Standard (unknowing) | $500 | Single violation |
| Willful or knowing | $1,500 | Court multiplies up to 3x |
| Class action (1,000 class members, standard) | $500,000 | Before attorney fees |
| Class action (1,000 class members, willful) | $1,500,000 | Before attorney fees |
The "willful" standard doesn't require you to have known the specific call was illegal. Courts have found willfulness where a company ignored a prior complaint, failed to train staff, or kept calling after an opt-out. [9] Your officer's training records and incident logs are your best argument that a violation wasn't willful.
For a closer look at how exposure compounds, the credit one tcpa settlement is a useful case study.
Who should be the TCPA compliance officer at a small company?
Pick whoever has the most process discipline on your team and give them the authority to halt a campaign. That's the real job description.
On a 5-person team, the founder owns this until you have a dedicated ops or legal hire. At 20 people with a head of sales, that person fits best because they control the dialing. The mistake small companies make is handing compliance to someone with no authority over sales behavior. If the compliance owner can't stop a campaign, they're not really the compliance officer.
The role does not need a law degree. It needs organizational skill, the ability to read a statute and an FCC order without panicking, and the willingness to push back when someone says "just add these numbers to the campaign." Legal counsel, outside or in-house, should review your program design and consent language. Day-to-day compliance is an operational job, not a legal one.
If you're doing any volume of cold calling or text marketing, write a job description that spells out these duties. It does two things. The person knows what's expected, and you build a paper trail that the company took compliance seriously, which matters in litigation.
What written policies does a small company's TCPA compliance program actually need?
You need four written documents at minimum. Not a 100-page manual. Four.
1. TCPA calling policy. Who you call, what technology you use, how consent is obtained and documented, call-time rules, and prohibited conduct. One to three pages.
2. Internal DNC procedure. How an opt-out gets recorded, who records it, and how it lands in the suppression list before the next campaign runs. One page.
3. Consent record retention policy. How long you keep consent records (at least four years past the last contact, longer if you're in a state with a longer statute of limitations), where they're stored, and who can access them.
4. Incident response procedure. What to do when a potential violation surfaces. Who gets notified, who investigates, when to call outside counsel, and how to document the outcome.
These documents do two jobs. They guide your team when nobody is watching. And in litigation, they help show that any violations were isolated mistakes by someone who ignored policy, which is a real difference from a company that had no policy at all. Courts have treated the existence of a compliance program as evidence against willfulness.
LeadCompliant has a free compliance kit with starter templates for exactly these documents, which saves you the drafting from scratch.
How does a small company handle TCPA compliance for SMS and text campaigns?
Text compliance under the TCPA is stricter than voice in one way: texts sent via autodialer to a cell phone require prior express written consent no matter whether the content is marketing or informational. [3] That's a higher bar than many teams realize.
For text message marketing, the consent capture has to name the texting program, describe the message types, carry the message-and-data-rates disclosure, and include opt-out instructions. The CTIA, the wireless industry trade group, publishes messaging best practices that carriers use to judge sender compliance. Break those principles and your short code or toll-free number gets deactivated, which is a business problem stacked on top of the legal exposure. [10]
Your officer runs the same DNC scrubbing for texts as for calls. A mobile phone do not call list lookup is part of that. Beyond the national registry, your text platform should suppress anyone who replied STOP, the standard opt-out keyword. Most compliant platforms handle STOP suppression automatically, but your officer should confirm the feature is on and test it now and then.
The FCC's 2023 rules also require that consent from a lead-gen form apply only to the company named on that form. If you share or buy leads, each company that wants to text a consumer needs its own separately obtained consent. [6]
What should a small company's TCPA compliance officer do when a lawsuit or demand letter arrives?
Stop. Don't respond yourself. Get outside counsel with TCPA experience on the phone that day.
Speed matters because of the litigation hold. The moment a lawsuit or pre-suit demand letter lands, a duty to preserve records attaches. You cannot delete anything that might be relevant: call logs, dialer data, consent records, employee emails, CRM notes. If records get destroyed after a hold should have been in place, courts can tell the jury to assume the destroyed evidence was harmful to you. That inference alone turns a defensible case into a settlement you didn't need.
Your officer's immediate job: (1) preserve all records, (2) do not talk to the plaintiff directly, (3) pull the consent record and call logs for the specific number involved, and (4) brief outside counsel.
With good records, many individual TCPA claims resolve without litigation. Plaintiffs filing individual cases, not class actions, are often testing whether you have documentation before deciding whether to push. Show a valid, properly documented consent and the claim frequently evaporates. Can't show it, and you're negotiating from weakness.
After any claim, the officer should run an internal review, logged in the incident record, to see whether the same gap touches other numbers in the database. Fixing it before it becomes a class is far cheaper than fixing it after.
How does a small company stay current on TCPA rule changes?
The TCPA is not a static law. The FCC has issued major updates in 2012, 2015, 2020, 2023, and 2024, and courts read the statute differently across circuits. If your officer set up a program three years ago and hasn't looked since, there's a real chance it's stale.
The FCC publishes its rulemaking orders and consumer guidance on robocalls and texts at fcc.gov. [4] Your officer should check the consumer guidance quarterly or subscribe to the FCC's rulemaking feed. For the operational DNC pieces, the FTC keeps its Do Not Call guidance at ftc.gov. [7]
The 2023 one-to-one consent rule is the biggest recent change for teams using lead generation. It targets bundling consent to many companies in a single checkbox. [6] If your lead-gen vendor hasn't updated their forms, you're exposed even when your own practices are clean.
For case law, a plain-text Google Alert for "TCPA" filtered to the past month is free and works well enough. Your outside counsel should flag anything circuit-relevant to your geography at least once a year. That's cheap if you already have a relationship with a firm that handles TCPA matters.
LeadCompliant publishes plain-English breakdowns of major TCPA changes at leadcompliant.com, worth bookmarking as a second monitoring source.
What records does a small company need to keep for TCPA compliance, and for how long?
The TCPA statute of limitations is four years under the federal catch-all, 28 U.S.C. § 1658. Some state claims run shorter, but planning around four years is the safe assumption. [11]
Your officer should keep the following for at least four years from the date of the relevant call or text:
- Consent records for each number contacted (form, timestamp, IP, disclosure language shown at capture)
- Dialer logs showing which numbers were called, when, from what caller ID
- DNC scrub logs showing when each scrub ran and against which list
- Internal DNC list with opt-out dates
- Training attendance records
- Incident reports
- Lead vendor contracts and their representations about consent practices
For lead-gen consent specifically, keep the form version or a screenshot of the disclosure language in effect when the lead came in. Disclosure language changes. If a suit arrives three years later and you can't show what the form said when the consumer signed up, you can't prove valid consent.
Where to store it? A dedicated shared folder (Google Drive, SharePoint, whatever you use) with access controls and a clear file-naming convention is fine for a small company. You don't need enterprise software. You need consistency and backup.
Frequently asked questions
Does a small company with fewer than 10 employees need a formal TCPA compliance officer?
No TCPA rule requires a formal title. But someone has to own the duties: consent documentation, DNC scrubbing, call-time rules, employee training, and incident response. At a team of 10 or fewer, that's usually the founder or head of sales. The danger is leaving it ambiguous, because then nobody does it and you get caught with no records when a lawsuit arrives.
What is the TCPA penalty for a small business that makes calls without consent?
The statutory penalty is $500 per call or text for unknowing violations and $1,500 per call or text for willful ones under 47 U.S.C. § 227(b)(3). There's no size exemption. A campaign of 200 unconsented calls generates up to $300,000 in statutory damages before attorney fees. Class actions can aggregate thousands of violations into a single suit, making the math much worse very quickly.
Can a TCPA compliance officer role be handled part-time or outsourced?
Yes. Many small companies outsource program design to a TCPA-specialized attorney or consultant who drafts the policies and consent language, then hands day-to-day execution back to an internal person. What can't be fully outsourced is the operational part: scrubbing lists, maintaining the internal DNC list, training reps, and reviewing incidents. Those need someone inside the company with access to your systems and authority over your sales team.
How often does a small company need to scrub its calling list against the DNC registry?
FCC rules require scrubbing at least once every 31 days before you call any number on the National Do Not Call Registry. A list you scrubbed on June 1 is stale after July 2. Many officers set a calendar reminder and scrub weekly or before each new campaign to build in a buffer. Scrubbing through the FTC portal or a third-party vendor both satisfy the requirement.
What is prior express written consent under the TCPA and how does a small company obtain it?
Prior express written consent is a signed (electronic counts) agreement by a consumer to receive autodialed or prerecorded marketing calls or texts. The FCC's 2012 rules require the agreement to name the calling company, state that consent is not a purchase condition, and describe the call types. In practice, that's a compliant checkbox on a web form with a disclosure statement. The signature can be a form submission; it doesn't need to be handwritten.
Does the TCPA apply to B2B calling or only consumer calls?
The TCPA applies to calls made to phone numbers, not to categories of callers. Calls to a consumer's personal cell phone are covered regardless of business context. Calls to a direct business line that isn't also a personal cell get less scrutiny, and the FCC has said business-to-business calls are less likely to fall under the residential DNC rules. But autodialed or prerecorded calls to a business employee's cell phone still carry TCPA exposure.
What should a small company's TCPA compliance officer do when a lead is purchased from a third party?
Get the lead vendor's consent documentation before you call. You need to know what disclosure language the consumer saw, that your company's name appeared in that disclosure, and that consent wasn't bundled with dozens of other companies. The FCC's one-to-one consent rule requires consent granted specifically to you by name. If the vendor can't produce that documentation, don't call the list.
How does the FCC's 2023 one-to-one consent rule change TCPA compliance for small companies?
The FCC's 2023 rule bans the common practice of capturing a single consent that covers multiple marketing companies. Each company that wants to call or text a consumer must have been specifically named in the consent disclosure, and the consent must be logically and topically related to the website where it was captured. This mainly hits companies that buy leads from aggregators, who must update their vendors' lead-gen forms to comply.
What training does a TCPA compliance officer need to give sales reps?
At minimum: what the TCPA is and why violations are expensive, how to recognize and record opt-out requests immediately, call-time rules in local time zones, what reps can't do with an autodialer without written consent, and how to escalate a potential violation. Training should happen at onboarding and at least annually. Keep attendance records. A signed acknowledgment from each employee is worth the five minutes it takes.
Is there a safe harbor for small companies that make TCPA violations by mistake?
There's a limited safe harbor for DNC violations: a company can avoid liability if it shows it has an established written do-not-call policy, trained staff, a procedure to honor requests, and that the call was made by mistake despite those safeguards. This safe harbor covers DNC violations, not all TCPA violations. It does not protect against calling without required consent or using an autodialer illegally.
Do state laws add compliance responsibilities beyond the federal TCPA?
Yes. Florida, Washington, and Oklahoma have passed their own telemarketing laws that are stricter than the TCPA in places, including lower thresholds for what counts as an autodialer or broader definitions of who can opt out. Your officer needs to know which states your called parties live in and whether any have mini-TCPA laws with extra requirements. Florida's FTSA, for example, allows $500-per-call damages for violations of its own rules.
What does a TCPA compliance officer do after a violation is discovered internally?
Document it immediately: what happened, when, how many numbers were affected, and why. Stop any ongoing violation. Assess whether affected numbers need to go on the internal DNC list. Decide with outside counsel whether to self-report and whether affected consumers should be notified. Fix the process gap and record the fix. A written incident log showing the violation was caught and corrected is evidence that the conduct wasn't willful.
What technology does a small company need to run a TCPA-compliant outbound program?
You need a dialer or texting platform that logs call records, enforces time-zone-based call windows, and handles STOP replies for texts automatically. You need access to the National DNC Registry or a third-party scrubbing service. And you need a CRM or database that stores consent records tied to each phone number. None of this requires enterprise software. Many compliant small teams run on a mid-market CRM and a straightforward VoIP or SMS platform.
Sources
- Cornell Law School Legal Information Institute, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA imposes $500 per violation (unknowing) and up to $1,500 per violation (willful) statutory damages and applies to persons who initiate or cause initiation of prohibited calls
- FCC, In the Matter of the Joint Petition Filed by DISH Network, LLC, Declaratory Ruling, FCC 13-54 (May 2013): FCC extended TCPA vicarious liability to entities so involved in placing a specific call that they should be deemed to have made it
- FCC, Report and Order Implementing the Telephone Consumer Protection Act of 1991, FCC 12-21 (February 2012), codified at 47 CFR 64.1200: FCC 2012 rules require prior express written consent for autodialed or prerecorded marketing calls and texts to cell phones, including a signed agreement naming the company and stating consent is not a purchase condition
- 47 CFR 64.1200 (FCC rules restricting telephone solicitation), Electronic Code of Federal Regulations: FCC rules require DNC scrubbing at least every 31 days, internal DNC list opt-outs honored within 30 days and for at least 5 years, and outbound calls only between 8 a.m. and 9 p.m. local time
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court ruled in 2021 that the ATDS definition requires the capacity to store or produce numbers using a random or sequential number generator, narrowing the definition of autodialer under the TCPA
- FCC, Report and Order FCC 23-107, closing the lead generator loophole (2023 one-to-one consent rule), codified at 47 CFR 64.1200: FCC 2023 rule requires consumer consent to be specific to each company by name and topically related to the website where it was captured, prohibiting bundled multi-company consent
- FTC, National Do Not Call Registry for telemarketers (fees and registration): FTC charges $75 per area code annually to access the DNC Registry for scrubbing, capped at approximately $19,335 for all area codes as of 2024
- WebRecon LLC, TCPA and consumer litigation statistics (annual tracker): Public TCPA class action settlements have ranged from approximately $1 million to $76 million for large defendants in documented cases
- Soppet v. Enhanced Recovery Co., 679 F.3d 637 (7th Cir. 2012): Courts have found willfulness under the TCPA when a company ignored prior complaints or continued calling after receiving opt-out requests
- CTIA, Messaging Principles and Best Practices: CTIA messaging principles are used by wireless carriers to evaluate sender compliance; violations can result in short code or toll-free number deactivation
- Cornell Law School Legal Information Institute, 28 U.S.C. § 1658 (statute of limitations for federal civil actions): The general federal statute of limitations is four years, which courts apply to TCPA claims