Last updated 2026-07-10

TL;DR
A TCPA compliance policy is a written internal document that tells your team who they can call or text, what consent they need first, how to handle opt-outs, and what records to keep. Without one, every outbound call or text is a potential $500 to $1,500 violation. Regulators and plaintiff attorneys both read a missing policy as evidence of willfulness.
What is a TCPA compliance policy and why does your team need one?
A TCPA compliance policy is the written document that turns federal calling law into daily rules your reps can actually follow. The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, restricts autodialed calls, prerecorded messages, and texts sent to consumers without the right consent [1]. Your policy is what stands between that statute and a rep dialing on autopilot.
Here is why you cannot skip it. The statute sets a baseline penalty of $500 per violation, and courts can triple it to $1,500 per call or text when the violation is willful or knowing [1]. One SMS blast to 10,000 people who never consented is not one mistake. It is 10,000 violations, each worth up to $1,500. Do that math once and the policy pays for itself.
A written policy also proves something a jury cares about. It shows you took the rules seriously before the lawsuit landed. In UnitedHealthcare's $2.5 million TCPA settlement, the absence of consistent consent-verification processes sat at the center of the exposure. In the Credit One TCPA settlement, the volume of calls to wrong-number recipients suggested nobody was scrubbing systematically.
A policy does not make you sue-proof. TCPA litigation is a cottage industry, and some plaintiffs file no matter what you do. What a policy buys you is a defense, longer odds against class certification, and usually a faster, cheaper exit.
What does the TCPA actually prohibit? The statutory rules your policy must reflect
The TCPA has four restrictions that matter for outbound sales, all set out in 47 U.S.C. § 227 [1]. Before you write one line of policy, get a plain-English read of each.
First, you cannot use an automatic telephone dialing system (ATDS) or a prerecorded voice to call a residential line without prior express consent. Second, you cannot use an ATDS, prerecorded voice, or artificial voice to call a cell phone without prior express consent. Third, telemarketing calls to cell phones need prior express written consent, a stricter tier. Fourth, you have to honor the National Do Not Call Registry and keep your own internal DNC list.
The FCC read the ATDS definition broadly in its 2015 Omnibus Order [2]. The Supreme Court narrowed it in 2021. In Facebook v. Duguid, the Court held that an autodialer must have the capacity to "store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator" [3]. That matters for your policy because it decides which dialing technology triggers the strictest consent rules. If your dialer pulls from a defined list of opted-in contacts and does not generate numbers randomly, the toughest ATDS rules may not apply. You still need consent for prerecorded messages. You still have to honor DNC registrations.
The residential landline carve-out for an established business relationship (EBR) is narrower than most people think. An EBR lets you call a residential number within 18 months of a transaction or 3 months of an inquiry. It does not reach wireless numbers for telemarketing, and it does not override a written DNC request [4].
Your policy has to carry all of this. A policy that says "get consent" without specifying written versus oral, prior versus retroactive, and cell versus landline is not a policy. It is a placeholder, and it will not protect you.
What are the different types of TCPA consent and which does your program need?
Consent under the TCPA is not one thing. There are three tiers, and the right one depends on what you send and where.
Prior express consent covers informational calls and texts to wireless numbers. The consumer gave you their number as part of the transaction or relationship, and they can reasonably expect to hear from you. Appointment reminders. Package delivery alerts.
Prior express written consent is required for any telemarketing call or text to a wireless number. The FCC's 2012 rules define this as a written agreement, electronic signatures included, that clearly authorizes the seller to send autodialed or prerecorded telemarketing messages to a specific number [10]. The agreement has to disclose that consent is not a condition of purchase. This is the tier most outbound sales teams need and most often get wrong.
Oral consent can work for non-telemarketing informational calls to landlines. It is hard to document and almost impossible to produce in discovery. If your team leans on verbal consent, you need a system that records exactly when it was given, by whom, and to which number.
One table to keep close:
| Call/Text Type | Line Type | Required Consent Level |
|---|---|---|
| Telemarketing (ATDS or prerecorded) | Cell phone | Prior express written |
| Telemarketing (ATDS or prerecorded) | Residential landline | Prior express (oral OK) |
| Informational/transactional (ATDS) | Cell phone | Prior express |
| Informational/transactional (ATDS) | Residential landline | Prior express |
| Live agent, manual dial, telemarketing | Cell phone | No TCPA consent required (DNC rules still apply) |
| Prerecorded, any purpose | Cell phone | Prior express written |
Note: "live agent, manual dial" means genuinely human-initiated, no autodialer involved. If your system still runs predictive or power dialing features, the ATDS analysis gets harder after Facebook v. Duguid, and you should have counsel look at your specific technology.
Your policy needs to name the consent tier for each campaign type and channel. Naming the tier beats a vague "written consent required." See more on consent mechanics in text message marketing.
What records does a TCPA compliance policy require you to keep?
Records are where most small teams lose. The FTC's Telemarketing Sales Rule requires you to keep a name or number on your internal DNC list, and honor the request, for at least 5 years [4]. Litigation asks for far more.
In a TCPA class action, the plaintiff's attorney issues discovery for consent records, call logs, dialer settings, scrub logs, and training materials. If you cannot produce documented consent for every number in the putative class, you are defending against an inference of liability instead of disproving it. The Truist Bank TCPA class action and the Albertsons/Safeway TCPA settlement both show how thin consent records push settlement value up.
At a minimum, your policy should require you to retain:
- Signed or electronically captured consent forms, with the timestamp, IP address, and the exact disclosure language shown at the moment of consent
- Call detail records: number called, time of call, campaign ID, agent ID, dialer used
- Inbound opt-out requests and the date your team honored each
- DNC scrub logs showing which lists were checked before each campaign and when
- Employee training completion records
- Third-party lead vendor contracts specifying what consent the vendor obtained on your behalf
Four years is the floor for most of these, because TCPA private actions run on the 4-year federal catch-all statute of limitations under 28 U.S.C. § 1658 [5]. Five years is safer and matches what the TSR demands for your internal DNC list.
Store records so you can pull them by phone number. If a demand letter arrives and you cannot surface consent documentation for a specific number within a day, you have a documentation problem, even when the consent was captured correctly the first time.
How do you handle opt-outs and do-not-call requests under a TCPA policy?
Opt-out mechanics are one of the easiest ways to create liability, because the rules are exact and courts have no patience for delays. Honor a stop request fast. Sync it everywhere.
For phone calls, the FCC requires prerecorded telemarketing messages to include an automated opt-out mechanism the consumer can use during the call, and the number has to go on your internal DNC list right away [4]. "Right away" is the target. Some guidance references a 30-day outer window, but class actions have hit companies that waited when a consumer called back the following week.
For texts, the standard practice is to honor STOP, UNSUBSCRIBE, CANCEL, END, and QUIT as opt-out keywords, then send a single confirmation text. After that, silence. No more marketing to that number. Courts have found that a single follow-up marketing text after a STOP request is a violation [6].
Your policy should spell out:
1. Which keywords trigger an opt-out in your SMS platform (and confirm the platform suppresses automatically) 2. The maximum time between opt-out request and suppression (24 hours is a reasonable hard ceiling; real-time is the goal) 3. How opt-outs sync across campaigns, so a STOP to one campaign suppresses the number everywhere 4. How telephone DNC requests are captured, timestamped, and loaded into your dialer's suppression list 5. Who owns the monthly (or more frequent) rescrub of active call lists against the National DNC Registry [4]
Here is what surprises teams: consumers can revoke consent at any time, by any reasonable means, even if the original form said "call me." The D.C. Circuit left that principle standing in ACA International v. FCC, and the FCC has said it repeatedly [12]. Your policy has to treat any clear "stop calling me" as a binding opt-out, whatever channel carries it.
How do you vet third-party lead vendors in your TCPA policy?
Buying leads from a third party does not move the risk to the vendor. Courts have held again and again that the company placing the call, not the lead generator, is liable under the TCPA when consent is missing or defective.
The FCC's one-to-one consent rule tightened this. Before it took effect, a consumer who opted in on a lead aggregator's website could arguably consent to calls from many buyers at once. Under the new rule, consent has to run to a specific seller and be logically and topically related to the site where it was given [7]. Generic "our marketing partners" language is dead.
Your policy should require every lead vendor to provide:
- A copy of the consent disclosure language used on the site or form where data was captured
- Confirmation that the disclosure named your company specifically
- The source URL and date of the consent
- A contractual representation and warranty that all data was collected in TCPA compliance
- Indemnification for TCPA violations traced to their leads
None of this saves you if the vendor fabricated consent. It does establish reasonable due diligence, which matters for damages and for shifting liability by contract. Spot-audit your vendors. A lead file with an unusually high opt-out rate or DNC-hit rate on first scrub is a signal the consent chain is weak.
What should your TCPA compliance policy document actually contain?
A real policy is a document people can open and follow, not a legal memo. Here are the sections it needs.
Scope and applicability. Who the policy covers (employees, contractors, lead vendors, agency partners) and which channels it governs (outbound calls, SMS, prerecorded messages, ringless voicemail).
Consent requirements by channel and campaign type. A lookup table or decision tree. For each type of outbound contact you make, the policy states exactly what consent is required and how to verify it before dialing or sending.
Prohibited practices list. A short, explicit list of things that are never allowed: calling before 8 a.m. or after 9 p.m. local time of the called party [1], texting numbers on your suppression list, using a prerecorded message without the required opt-out mechanism, calling a number that has been on your internal DNC list for less than 5 years.
DNC scrub procedure. Step by step: how often you scrub (at least every 31 days for the National Registry [4]), which lists you check (National DNC, state-specific DNC lists, your internal DNC list), who runs the scrub, and where the log is saved.
Opt-out handling. Exactly as described above.
Record retention. Record types, retention periods, storage location, and the person responsible.
Training requirements. Who must complete TCPA training, how often, and how completion is documented.
Incident response. What to do when a potential violation surfaces: who is notified, whether to preserve records, when to loop in counsel.
Vendor due diligence. The checklist from the vendor section, folded into procurement.
Policy owner and review cadence. TCPA rules change. The FCC issues new orders. Courts publish decisions that move the line. Your policy needs an owner who reviews it at least once a year and after any major FCC rulemaking.
LeadCompliant's compliance kit includes template policy language and a pre-built scrub checklist you can adapt instead of starting from a blank page. Useful if you are building this for the first time and want a structural head start.
What do real TCPA lawsuits look like and what policy gaps caused them?
Actual settlements tell you more than any checklist. Each one traces back to a specific gap.
The Kaiser TCPA settlement involved prerecorded calls to cell phone numbers without adequate prior express written consent. The gap: the consent taken at enrollment did not clearly authorize autodialed calls, and nobody had checked the language against FCC requirements after the 2012 update.
In the Cash App TCPA class action, texts kept coming after users submitted opt-out requests. The gap: opt-out suppression was not applied consistently across message types, so transactional templates slipped past the suppression list.
The Joseph Snyder / Credit One TCPA case involved calls to a wrong number, where the original account holder had consented but the number had been reassigned. The gap: no wireless reassignment scrubbing before calling.
These patterns repeat across hundreds of cases. The top five policy gaps that drive TCPA litigation:
1. Consent language that is vague, buried, or does not name the seller 2. Opt-out requests not honored fast or not synced across all campaigns 3. Calls to reassigned wireless numbers 4. DNC lists not scrubbed on schedule 5. Third-party lead data used without verifying the consent chain
All five are fixable with a written policy and the discipline to enforce it. None need sophisticated technology. They need someone to own the process.
How do state TCPA-equivalent laws affect your compliance policy?
The federal TCPA sets a floor, not a ceiling. Several states go further, and your policy has to account for where your contacts live, not where your company sits.
Florida's Telephone Solicitation Act, revised in 2021, bans autodialed commercial calls and texts without prior express written consent and drops the common carrier exemption that gave some companies cover under federal law [8]. Florida is also one of the busiest states for TCPA-adjacent private litigation.
California layers its own consumer protection framework on top of the TCPA, which compounds exposure. California runs its own DNC list and adds disclosure requirements for automated calls.
Washington, Oklahoma, and several other states keep separate DNC registries that need their own registration and scrubbing beyond the federal list [4].
Your policy should include a geographic review step: before launching any campaign, check whether the target states have laws stricter than federal TCPA. If you call nationwide, the practical move is to default to the strictest requirements everywhere (prior express written consent for all ATDS contacts, independent state DNC scrubs) rather than segmenting by state. The admin cost of segmentation usually beats the cost of just meeting the highest standard everywhere.
For regional teams, including those working with TCPA lawyers in Kentucky or other state markets, local enforcement patterns matter as much as the statute text.
How often should you review and update your TCPA compliance policy?
The honest answer: more often than most teams manage. Review it once a year at a minimum, and right after any major rule change.
The FCC issues orders and declaratory rulings on a regular basis. The one-to-one consent rule is the obvious example. Companies that last reviewed their policy in 2022 were suddenly running consent frameworks that no longer held up [7]. Courts move the rules too. The TCPA landscape after Facebook v. Duguid looks different enough from 2019 that a policy written back then may be outdated on the ATDS analysis even if everything else is fine.
A workable review schedule:
- Full policy review once per year, minimum
- Immediate review triggered by any significant FCC order, a Supreme Court or circuit decision in your region affecting the ATDS definition or consent rules, a lawsuit or demand letter you receive, or a material change in your dialing technology or lead sources
- Quarterly spot-check of operational compliance: are scrubs running on schedule, are opt-outs honored, are training records current?
Assign the review to a named person or role. "The legal team handles it" with no owner means it does not happen. If you have no in-house counsel, a compliance consultant reviewing it once a year for a few hundred dollars costs far less than a demand letter.
How do you train your team on TCPA compliance?
A policy that lives in a shared folder and nobody reads is liability documentation, not compliance. Training turns the policy into behavior.
For outbound sales teams, the minimum program covers four things: what the TCPA is and why it matters (framed in dollars per violation, not legal theory), how to verify consent status before a call or send, what to do when someone says stop calling, and how to escalate a problem.
Train every new hire who will make outbound calls or send texts at onboarding, then annually. Document it. A sign-off form or a completion record in your LMS is fine. What matters is that you can produce evidence of training in discovery.
Scripts and call flows are part of training, not a separate thing. If your script implies the call is not a sales call when it is, or if your opt-out step is buried where consumers cannot reach it, those are compliance problems baked into your operational materials.
One exercise works well: role-play an opt-out during onboarding. Have the trainer play an angry consumer who says "take me off your list." The rep should know exactly what to say, how to document it, and who to notify. If they fumble it in training, they will fumble it on a live call with a plaintiff attorney's investigator on the other end.
Keep an eye on TCPA news so your training materials stay current with recent enforcement trends.
What tools help implement a TCPA compliance policy operationally?
The policy is the what. Tools are the how. A few categories matter for small outbound teams.
DNC scrubbing tools. You need to scrub call lists against the National DNC Registry at least every 31 days [4]. The FTC licenses access; you can use its API directly or use a compliance service that queries it for you. Some services also aggregate state DNC lists. Prices vary widely. The FTC's direct data licensing starts at a few hundred dollars per area code per year and scales from there.
Wireless number identification and reassignment checks. If you call cell phones, you need to know the number still belongs to the person you believe consented. The FCC's Reassigned Numbers Database, launched in 2021, lets callers check whether a number has been reassigned since consent was given [9]. Querying it before each call is the safest practice.
Consent management and capture. Web forms that collect phone numbers for marketing have to capture and store the consent record: timestamp, IP, form version, disclosure text. Off-the-shelf CRM tools often do not do this natively. Purpose-built consent management platforms do.
Call recording and logging. Your dialer should produce call detail records that are retained and searchable. Cloud dialers usually log this automatically, but confirm the logs get exported and stored outside the dialer in case you change vendors.
SMS platform compliance features. Any outbound SMS platform should handle keyword opt-outs automatically (STOP, UNSUBSCRIBE), timestamp suppression records, and sync suppression at the campaign level.
LeadCompliant offers free number checker tools and a one-time compliance kit covering the core documents and process templates. Useful if you are building this out without a dedicated compliance team.
For more on text-based outreach, see text messaging marketing for a channel-specific breakdown.
What does a TCPA compliance policy not protect you from?
This part matters. A policy is not a force field.
If a consumer never consented and you have no record that they did, a policy does not manufacture consent after the fact. If your dialer falls within the ATDS definition and you called cell phones without prior express written consent, a policy that required written consent goes to damages, not to liability.
A policy also does not shield you from vicarious liability for a vendor's actions if you had reason to know they were cutting corners. Courts have found sellers liable for lead generators' TCPA violations when the seller saw the warning signs and ignored them [6].
And a policy does nothing if your team ignores it. If an employee skips the opt-out procedure and the consumer gets three more texts, you have the policy and you still have the violation. Policy, training, auditing, accountability. That is the full package. The policy alone is step one.
To see TCPA exposure from the other side, how to stop robocalls from the consumer's view shows you what prompts complaints and class action targeting in the first place.
Frequently asked questions
Do small businesses need a written TCPA compliance policy?
Yes. The TCPA applies to any business that makes telemarketing calls or sends marketing texts, whatever its size. The $500 per-violation baseline and $1,500 willfulness multiplier have no small-business exemption. A written policy costs very little to create and gives you real evidence of good faith if you get sued or draw an FCC inquiry.
How much does a TCPA violation actually cost?
The statute sets $500 per call or text for standard violations and up to $1,500 per call or text when a court finds the violation willful or knowing. Because TCPA claims often come as class actions, aggregate exposure scales with the number of contacts. Real settlements have run from tens of thousands of dollars for small cases to multi-million-dollar deals for companies with large contact lists.
What is prior express written consent under the TCPA?
Prior express written consent is a signed agreement, paper or electronic, that clearly authorizes a specific seller to send autodialed or prerecorded telemarketing messages to a specific phone number. The FCC's 2012 rule requires the agreement to disclose that consent is not required to make a purchase, and the consumer must take an affirmative action to give it. Pre-checked boxes do not satisfy this standard.
How long do you have to honor a do-not-call request?
Right away in practice. Some guidance references a 30-day outer window. Your internal DNC list has to keep the opt-out on file for at least 5 years under the FTC's Telemarketing Sales Rule. Courts have found liability where companies honored the request but called again weeks later because the suppression did not sync across all campaigns or lists.
Does TCPA apply to B2B calls?
The TCPA's restrictions on ATDS calls and prerecorded messages technically apply to any telephone number. The FTC's Telemarketing Sales Rule DNC provisions generally protect residential subscribers. Courts have sometimes found narrower TCPA exposure for purely B2B calling to business landlines, but calls to individual employees' cell phones stay covered. Do not assume B2B calling is exempt without a specific legal analysis of your dialing setup.
Can I use a purchased contact list for outbound calls?
You can call purchased lists with a live agent and no autodialer for non-telemarketing purposes, subject to DNC scrubbing. For telemarketing using an ATDS or prerecorded message, the contacts must have given prior express written consent to hear from your company specifically. Under the FCC's one-to-one consent rule, generic third-party consent covering many sellers is no longer valid.
What is the TCPA statute of limitations?
TCPA private actions run on the 4-year federal catch-all statute of limitations under 28 U.S.C. § 1658. A plaintiff can sue for calls or texts made up to 4 years before filing. That is why your records retention policy should cover at least 4 to 5 years of consent documentation, call logs, and scrub records.
Does the TCPA apply to text messages?
Yes. The FCC has consistently held that text messages are calls under the TCPA. The ATDS restrictions, the prior express written consent requirements for telemarketing, and the opt-out obligations all apply equally to SMS and MMS marketing messages. Ringless voicemail's status has been more contested, but the FCC has indicated it falls under the prerecorded voice provisions.
What happened with the FCC's one-to-one consent rule?
The FCC issued a rule in December 2023 requiring that TCPA consent for telemarketing calls be obtained on a one-to-one basis: one consumer, one seller, per consent event. Lead generator websites that bundled consent to dozens of marketing partners at once no longer meet the standard. Companies using aggregated leads need to verify that consent records name them specifically. Check current FCC guidance for the operative effective date.
What calling hours are allowed under the TCPA?
Federal law prohibits telemarketing calls before 8 a.m. or after 9 p.m. local time at the called party's location. That means the time zone of the consumer's phone number, not your office. Some states set stricter windows. Your policy should hardcode these limits into your dialer configuration so agents cannot accidentally call outside permitted hours, and should document state-specific overrides where they apply.
How often must you scrub against the National DNC Registry?
The FTC's Telemarketing Sales Rule requires you to scrub call lists against the National DNC Registry no more than 31 days before making a call. In practice, most compliance teams run scrubs weekly or at campaign launch. You also have to register your organization to access the registry and pay the applicable subscription fees based on the area codes you cover.
What is the FCC's Reassigned Numbers Database and do you need to use it?
The FCC's Reassigned Numbers Database launched in 2021 and lets callers check whether a phone number has been reassigned to a new subscriber since they obtained consent. The FCC built it to address TCPA liability from calls to reassigned wireless numbers. Checking it before each outbound call is not legally required, but it provides a safe harbor defense if the number was in fact reassigned and you called without knowing.
Can consent be revoked under the TCPA?
Yes. Courts and the FCC have established that consumers can revoke TCPA consent at any time through any reasonable means. A consumer who originally opted in on a web form can later revoke by calling, texting STOP, sending an email, or telling an agent verbally. Once revoked, any later autodialed or prerecorded marketing contact violates the TCPA. Your policy must treat any clear revocation as binding no matter how it arrives.
What should a TCPA incident response process look like?
When a potential violation surfaces, through a consumer complaint, a demand letter, or an internal audit finding, preserve all relevant records immediately and do not delete call logs or consent records. Notify your compliance owner and, if a demand letter has arrived, outside counsel. Run a root cause review to find the policy or operational gap. Document your response. In most cases, a credible remediation plan carries a lot of weight in later settlement discussions.
Sources
- U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibitions on autodialed calls, prerecorded messages, and penalties of $500 to $1,500 per violation
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems using random or sequential number generators to store or produce telephone numbers
- FTC, Telemarketing Sales Rule (TSR), 16 C.F.R. Part 310: National DNC Registry scrub requirement (31-day window), 5-year internal DNC list retention, established business relationship provisions
- U.S. Code, 28 U.S.C. § 1658 (Federal catch-all statute of limitations): Four-year statute of limitations applicable to TCPA private actions
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida's 2021 amendments banning autodialed commercial calls and texts without prior express written consent
- FCC, Reassigned Numbers Database: FCC's Reassigned Numbers Database launched 2021 for callers to check number reassignment; provides safe harbor defense
- FTC, National Do Not Call Registry: National DNC Registry access and registration requirements for telemarketers
- U.S. Court of Appeals, D.C. Circuit, ACA International v. FCC, 885 F.3d 687 (D.C. Cir. 2018): Court decision leaving intact the principle that consumers may revoke consent by any reasonable means