TCPA compliance trends: what's actually changing and why it matters

TCPA fines reach $500, $1,500 per call or text. Here's what's changed, what's coming in 2025 to 2026, and how to stay ahead of enforcement trends.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-11

Compliance manager reviewing call logs at a sunlit office desk for TCPA compliance
Compliance manager reviewing call logs at a sunlit office desk for TCPA compliance

TL;DR

TCPA enforcement has intensified since 2021. The FCC tightened consent to one seller at a time, courts fought over what counts as an autodialer, and class settlements ran into the tens of millions. The statute still caps damages at $500 per violation and $1,500 for willful violations. Knowing where the law is heading is how you avoid being the next named defendant.

What is the TCPA and why does enforcement keep escalating?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, was signed in 1991 to stop automated calls to residential lines [1]. For its era, it was a blunt but reasonable tool. Then smartphones arrived, SMS marketing exploded, and plaintiff attorneys realized the statute's per-call damages structure ($500 per violation, $1,500 if willful) made class actions extraordinarily profitable even when individual harm was trivial [1].

That math has not changed. Volume and ambition have. TCPA litigation is now one of the most filed categories of federal class actions in the country. WebRecon, which tracks consumer law filings, has ranked TCPA suits among the top two or three most-filed federal consumer protection claims for years running [2]. Settlements you can point to by name, like the cash app tcpa class action settlement and the truist bank tcpa class action settlement, show that no industry is immune. Healthcare gets caught too, as the unitedhealthcare to pay $2.5m for alleged tcpa violations case makes clear.

For a full grounding in the statute itself, tcpa law and what does TCPA mean? The plain-English breakdown are worth reading before you go deeper here. This article covers the direction of travel: what shifted since 2021, what the FCC is doing now, and where the risk sits highest in 2025 and 2026.

Four shifts happened since 2021, and they stack on top of each other in ways that make outbound programs riskier than they were even three years ago.

The one-to-one consent rule. The biggest regulatory move of recent years is the FCC's December 2023 order requiring what it calls "one-to-one consent" for marketing calls and texts [3]. Before this order, a consumer could click a single checkbox on a lead-gen website and unknowingly consent to calls from dozens of unrelated advertisers. The FCC closed that loophole. Starting January 27, 2025, sellers must obtain consent that is logically and topically associated with the website where it was given, and that consent can cover only one seller at a time [3]. If you have been buying leads and assuming the upstream consent language covers you, it likely does not anymore.

Autodialer definition battles. The Supreme Court's 2021 Facebook v. Duguid decision narrowed the definition of an automatic telephone dialing system (ATDS), holding that a system must use a random or sequential number generator to store or produce numbers to qualify [4]. That sounds like good news for callers. In practice it has been mixed. Some courts apply the narrower definition strictly and let defendants off the hook. Others find ways to reach liability through other statutory provisions or state law analogues. Duguid reduced risk for some platforms but did not end TCPA exposure, especially for systems that generate or select numbers algorithmically.

State law expansion. As federal enforcement got less predictable, states moved. Florida's FTSA, effective July 2021, created a private right of action modeled on the TCPA but with a broader ATDS definition that effectively reversed Duguid at the state level [5]. Florida plaintiffs do not need to prove federal-standard autodialer use. Oklahoma, Washington, and others have enacted or strengthened similar statutes. This is a trend, not an anomaly.

AI and prerecorded voice. The FCC's February 2024 declaratory ruling confirmed that AI-generated voices in calls are "artificial or prerecorded voices" under the TCPA, triggering the same prior express written consent requirements [6]. This matters enormously for teams adopting AI sales dialers. The tool does not change the consent obligation.

Put those four together and the compliance surface is materially larger in 2025 than it was in 2021.

The FCC's December 2023 order, effective January 27, 2025, amended its TCPA rules to require that prior express written consent be obtained in a manner that is "logically and topically related" to the website where consent is captured [3]. Consent now has to identify the specific seller rather than a broad category of lead buyers.

In practice, a single opt-in form that reads "I agree to receive calls from our partners" no longer covers a list of third-party advertisers [3]. Each seller must be individually named, and the consumer must affirmatively select them. This is a structural change to the lead generation ecosystem, not a procedural tweak.

The order also addressed comparison shopping websites, which the FCC found were often built specifically to launder bulk consent. Those sites now face heightened scrutiny if their consent language tries to cover unrelated product categories or unnamed buyers.

If you buy leads at any volume, verify that every lead source has updated its consent flow to comply. If a lead vendor cannot show you a dated compliance audit or updated consent disclosures reflecting the January 2025 requirements, that is a problem you now own. Liability can flow to sellers, more than the lead generators, under an agency or ratification theory that courts have applied in past cases.

For how the existing business relationship concept fits into all of this, see TCPA existing business relationship: what actually protects you.

Key TCPA numbers every outbound team must know Statutory thresholds, enforcement dates, and compliance windows 500 $500 per violation (neglige… 1,500 $1,500 per violation (willf… 31 31-day DNC scrub window (days) 2,025 One-to-one consent rule eff… (Jan 2025) Source: 47 U.S.C. § 227 [1]; FCC Orders [3][6][7]; FTC TSR [8][11]

How have TCPA class action settlements trended in size and frequency?

The settlement data tells a clear story. High-profile TCPA settlements have ranged from low six figures for small defendants to well over $100 million for large ones, and the average appears to be climbing.

Company / CaseSettlement AmountYear ResolvedCore Allegation
Wells Fargo (TCPA)$32 million2021Autodialed calls to wrong numbers
Navient (TCPA)$67.5 million2021Autodialed calls to student loan borrowers
Carnival Corp$9 million2020Marketing texts without consent
UnitedHealthcare$2.5 million2023Autodialed calls to revoked consent numbers
Albertsons/SafewaySee coverage2023SMS marketing without consent

Note: These figures come from public case records and press reports. Individual case details vary. See albertsons safeway tcpa settlement for a detailed breakdown of that case.

Few things about this data are certain. Settlement amounts track class size, call volume, and the defendant's appetite for litigation risk rather than any formula. What the data does suggest: defendants settle rather than fight, which signals strong plaintiff positioning.

Why are plaintiffs so well-positioned? Three reasons. Call and text logs are highly discoverable and hard to contest. Per-violation damages aggregate fast: 100,000 unconsented texts at $500 each is $50 million in exposure before any willfulness multiplier. And courts have generally allowed class certification in TCPA cases where the alleged conduct was uniform across the class, which is exactly what automated calling and texting produces [10].

The kaiser tcpa settlement claim deadline is another useful data point showing how even well-resourced health systems get caught.

What does the Facebook v. Duguid Supreme Court ruling mean for compliance in 2025?

Facebook v. Duguid (2021) is the most discussed TCPA case of the decade [4]. The Court held, 9-0, that the statutory definition of ATDS requires equipment that uses a random or sequential number generator to store or produce numbers. Systems that dial from a fixed list do not meet that definition, even if they dial automatically.

This was genuinely significant. Many cloud-based predictive dialers that work from uploaded lists fell outside the ATDS definition after Duguid. Plaintiff attorneys lost a category of cases they had been winning.

But the ruling has limits that matter for 2025. It did not help defendants on prerecorded voice claims, which are a separate prong of 47 U.S.C. § 227(b)(1)(A) and do not require ATDS use [1]. Several state statutes, Florida's FTSA being the most prominent, use definitions broader than the federal ATDS standard, so a system that passes the federal test can still create state-law liability [5]. And the FCC's February 2024 AI voice ruling is entirely independent of the ATDS question [6].

For teams using modern sales engagement platforms, the takeaway is plain: do not assume Duguid means you are safe. Run the analysis on whether your platform could still qualify as an ATDS under any interpretation, whether your calls or texts involve prerecorded or AI-generated content, and which states your contacts sit in.

How is AI changing TCPA compliance obligations for outbound teams?

The FCC's February 2024 declaratory ruling on AI-generated voice calls drew a bright line [6]. Calls that use "artificial or prerecorded voices" require prior express written consent before being placed to wireless numbers or residential landlines used for telemarketing. The FCC ruled that AI-generated voices meet that definition regardless of how they are produced.

The agency stated flatly that "AI-generated voices in robocalls are 'artificial' voices under the TCPA." That language appeared in the FCC's announcement of the ruling [6]. The agency was responding in part to voice-cloned robocalls, including a high-profile incident involving a cloned political voice ahead of the 2024 primary season.

For outbound sales teams, this means any platform that delivers a synthesized or AI-generated voice message, even a short "press 1 to speak with an agent" prompt, falls under the prerecorded voice rules. You need prior express written consent for each wireless number you call. Verbal consent does not satisfy the written consent requirement.

The TCPA b2b exemption for AI calls: what businesses actually get article covers the narrower question of whether B2B calls get any relief. The short answer: sometimes, but less than most teams assume.

The trend only intensifies from here. As AI voice tools get cheaper and more accessible, the FCC and state regulators have strong political and practical reasons to enforce hard. Budget for consent infrastructure, more than for AI tools.

What TCPA changes are expected in 2025 and 2026?

Three areas are most likely to produce new rules or enforcement actions in the next 18 months.

Reassigned numbers. The FCC has run a reassigned numbers database since 2021 [7]. Carriers report numbers that have been disconnected and reassigned to new subscribers. Callers are expected to check the database before dialing so they do not call a new subscriber without consent. Enforcement attention on reassigned number liability is rising, and the FCC has made clear it expects callers to use the database. The database is not free: commercial access requires a subscription through the FCC's administrator.

Do-Not-Call list compliance. The National DNC Registry is run by the FTC, and complaints to the registry remain a primary trigger for both FTC and state AG enforcement actions [8]. State-level DNC enforcement, separate from the federal registry, is picking up. Florida, Indiana, and other states maintain their own lists with their own penalty structures.

Text message marketing regulation. The FCC and FTC have both signaled interest in tightening rules around SMS marketing, especially in lead generation and affiliate channels. If you run text message marketing or text messaging marketing campaigns, the one-to-one consent rule already applies, and more guidance on what counts as adequate disclosure is likely.

For a forward-looking summary, TCPA 2025: what changed, what it costs, and how to stay compliant and Telemarketing rules news: what changed and what's coming in 2025-2026 both cover the regulatory calendar in more detail.

What does TCPA compliance actually cost a small outbound team?

The honest answer: a lot less than a class action, but more than most small teams budget for.

On the compliance side, expect to spend on consent management infrastructure, DNC scrubbing (typically $0.001 to $0.01 per number scrubbed depending on volume and vendor), reassigned number database access (the FCC's administrator charges fees that scale with query volume [7]), call recording and documentation systems, and periodic legal review of consent language.

A team making 50,000 calls per month might spend $2,000 to $5,000 a year on tooling, depending on how they stack their solutions. That sounds like a lot until you set it against the exposure: 50,000 calls with a 1% non-consent rate is 500 violations at $500 each, or $250,000 in statutory damages. Willful violations triple that.

Legal review is the cost most teams skip and later regret. Having a TCPA-familiar attorney review your consent language, opt-out workflow, and calling practices once a year is worth far more than discovering the gap during discovery. For teams in specific states like Kentucky, tcpa lawyer kentucky is a useful resource for finding qualified counsel.

LeadCompliant's free compliance kit includes consent language templates and a calling practice checklist that can cut the cost of that legal review by giving your attorney something to react to rather than draft from scratch.

The TCPA guidelines: what every outbound team must know in 2025 piece walks through the operational requirements in detail.

What are the most common TCPA violations that lead to lawsuits?

After reviewing the pattern of cases that reach settlement or judgment, a few violations show up again and again.

Calling numbers on the National DNC Registry without a prior business relationship or written consent is the single most common basis for consumer TCPA claims [8]. The registry is free to check for consumers but requires a paid subscription for commercial access above a small threshold [8].

Sending marketing texts to wireless numbers without prior express written consent is second. This is not a gray area: the FTC's rules and the FCC's orders both require affirmative written consent, more than the absence of an opt-out [1][3].

Calling after a consumer has asked to go on your internal DNC list is a frequent and easily proven violation. If your CRM does not suppress contacts who said "don't call me," you create liability every time you dial them again. The joseph snyder credit one tcpa case is a clean example of internal DNC failures turning into lawsuit fodder.

Calling outside permitted hours (before 8 a.m. or after 9 p.m. in the called party's local time) is a straightforward violation that still happens constantly because of time zone misconfiguration in dialer software [1].

Using a prerecorded or AI-generated voice without prior express written consent, as covered above, is increasingly the basis for new filings after 2024.

The common thread: these are process failures, not edge-case ambiguities. Most TCPA lawsuits could have been avoided with adequate documentation and suppression hygiene.

How should a small outbound team structure its TCPA compliance program?

Start with consent documentation. Every contact record in your CRM should carry a documented consent source, the date consent was obtained, the method (web form, verbal recorded, paper), and what the person consented to. If you cannot answer those four questions for a number, do not call or text it.

Second, build suppression into your dialing workflow, not as an afterthought. Your DNC scrub against the federal registry should happen within 31 days of any call, which is the FTC's safe harbor window [8]. Internal DNC entries from opt-outs must suppress forever, more than for one campaign cycle.

Third, audit your lead vendors at least once a year. Ask them to produce the consent language used at the time each lead was generated, and compare it against both the FCC's one-to-one consent rule and any state-specific requirements for the states you call into. If they cannot produce that documentation, stop buying from them.

Fourth, document your calling hours enforcement. Your dialer should enforce time zone restrictions automatically, and you should log that the enforcement is working. Screenshots and configuration records are useful if you ever need to demonstrate reasonable procedures.

Fifth, train your agents on TCPA basics, specifically on what to do when a consumer says "don't call me again." That phrase (or any reasonable equivalent) is a revocation of consent and an oral DNC request. It must be honored within 30 days under FCC rules, though honoring it immediately is obviously safer [9].

LeadCompliant's compliance kit covers all five areas with templates and checklists, and the free number checker lets you verify DNC status before you build out a full scrubbing workflow.

For the foundational overview all of this is built on, tcpa and how to stop robocalls (which covers consumer rights that affect your calling program) are both worth bookmarking.

What should you watch for in TCPA enforcement in the next 12 months?

The FCC's enforcement posture shifts with each administration, but private litigation is the dominant enforcement mechanism for the TCPA, and it is largely immune to political change. Plaintiff firms will keep filing class actions as long as the damages structure makes them economically attractive. Nothing on the horizon suggests Congress will touch the $500 per-violation floor.

Enforcement attention seems most concentrated in three places right now. Lead generation and affiliate marketing, because the one-to-one consent rule created a large pool of non-compliant campaigns overnight. AI voice calling, because the FCC made its position explicit in 2024 and enforcement actions tend to follow declaratory rulings within 12 to 18 months. And multi-state class actions that layer federal TCPA claims with Florida FTSA or other state analog claims to increase damages exposure.

Nobody has good data on exactly which sectors get targeted first in 2025 to 2026. The closest proxy is the historical pattern: financial services, healthcare, and home services have consistently attracted the most TCPA suits, probably because those industries make high volumes of outbound calls and have deep pockets that make class certification worthwhile for plaintiff counsel. But grocery chains (see Albertsons), ride-sharing platforms, and software companies have all been hit, so no sector is actually low-risk.

The trend from 2021 onward has been consistent: more rules, more state-level amplification, no sign that plaintiff attorneys are running out of cases to file. The practical response is to treat TCPA compliance as a standing operational function, not a one-time project.

Frequently asked questions

What is the current TCPA penalty per violation in 2025?

The statute, 47 U.S.C. § 227, sets damages at $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations. Those amounts have not changed since 1991. In a class action involving tens of thousands of unconsented calls or texts, aggregate exposure can reach tens of millions of dollars, which is why settlements are often very large even when per-contact harm is small.

Does the Facebook v. Duguid ruling mean I no longer need to worry about TCPA?

No. Duguid narrowed the ATDS definition under federal law, but it did not eliminate TCPA liability. Prerecorded and AI-generated voice calls are still regulated separately, regardless of how numbers are dialed. State laws like Florida's FTSA use broader ATDS definitions than the federal standard post-Duguid. And consent requirements for all automated marketing calls remain fully in effect.

Effective January 27, 2025, prior express written consent for marketing calls and texts must be specific to a single, named seller and logically related to the website where it was gathered. Lead generators can no longer collect a single checkbox consent and share it across dozens of buyers. Lead buyers who cannot verify that their leads meet this standard face direct exposure, since liability can extend to the seller, more than the lead source.

Are AI-generated voice calls covered by the TCPA?

Yes. The FCC issued a declaratory ruling in February 2024 confirming that AI-generated voices qualify as "artificial or prerecorded voices" under 47 U.S.C. § 227. Any outbound call using an AI-synthesized voice for marketing or informational purposes requires prior express written consent when placed to wireless numbers or residential landlines, exactly as a traditional prerecorded message would.

How often do I need to scrub my list against the National DNC Registry?

The FTC's Telemarketing Sales Rule requires that you scrub contact lists against the National Do Not Call Registry no more than 31 days before making a call. In practice, most compliance teams scrub within 24 to 72 hours of each campaign launch. Older scrub data, anything beyond 31 days, does not qualify for the safe harbor, meaning a contact added to the registry after your scrub but within that window is technically at risk.

What is Florida's FTSA and how does it differ from federal TCPA?

Florida's Telephone Solicitation Act, effective July 1, 2021, creates a state private right of action for automated calls and texts that mirrors the TCPA in many respects but defines the automated dialing system more broadly than the Supreme Court's Duguid standard. A system can qualify as an ATDS under the FTSA without using a random or sequential number generator, making the law more plaintiff-friendly. Penalties are $500 per call or text, identical to federal TCPA.

Does TCPA apply to business-to-business calls?

The TCPA's wireless number protections apply regardless of whether the called number belongs to a consumer or a business. Some exemptions run broader in B2B contexts: calls to business landlines are generally not covered by the ATDS restrictions for telemarketing, and courts have found that some consent can be implied from a business relationship. But AI voice calls, prerecorded messages, and calls to business employees' cell phones still carry risk, especially without documented consent.

How do I handle a consumer who verbally tells me not to call them again?

Under FCC rules, any verbal request to stop calling is a valid DNC request. Your internal do-not-call list must honor it within 30 days, though immediate suppression is best practice and easiest to defend. A CRM workflow that flags the call recording, suppresses the contact immediately, and logs the date and time of the request is the minimum standard. Failing to honor opt-out requests is one of the most common triggers for TCPA litigation.

What is the reassigned numbers database and do I have to use it?

The FCC's Reassigned Numbers Database launched in 2021. It tracks numbers that have been disconnected and reassigned to new subscribers. Callers who reach a new subscriber without consent can face TCPA liability. The FCC has not issued a hard mandate that callers must check the database, but it has made clear that checking it is part of reasonable practice, and ignorance of reassignment is not a full defense. Commercial access requires a fee-based subscription.

The 2021 Facebook v. Duguid ruling and the launch of Florida's FTSA both still shape the compliance landscape. Duguid changed federal ATDS analysis but pushed litigation toward state law, while the FTSA created a wave of Florida-based class actions that continue. The FCC's reassigned numbers database also launched in 2021 and is increasingly referenced in enforcement discussions. Teams that adjusted only to federal rules in 2021 and ignored state law changes are consistently the ones getting sued.

Yes, but only under strict conditions after January 2025. The consent must name your company specifically, be logically related to the website's topic, and be affirmatively given by the consumer. Generic "partner" language that does not name you is not valid consent for your calls or texts. You must be able to produce the consent record, including the exact disclosure language the consumer saw and the timestamp, if challenged in litigation.

The statute does not set a specific retention period. The FTC's Telemarketing Sales Rule requires records supporting compliance to be kept for 24 months, and TCPA litigation timelines suggest retaining consent records for at least four years, which covers most states' statutes of limitations for TCPA claims. Some plaintiff attorneys argue for longer lookback periods, so when in doubt, keep the records indefinitely if storage cost allows.

What should I look for in a TCPA compliance vendor or tool?

Look for real-time or same-day DNC scrubbing against both the federal registry and the key state lists, reassigned number database integration, audit logs that timestamp every suppression decision, and consent record storage that produces a downloadable paper trail. Be skeptical of vendors who cannot explain exactly which databases they check and how often they update. Price matters less than documentation quality, because documentation is what saves you in litigation.

Is TCPA enforcement likely to get more or less aggressive in 2026?

Private litigation, which is the majority of TCPA enforcement, is structurally independent of which administration controls federal agencies. As long as the $500 per-violation damages floor exists and class certification remains available in TCPA cases, plaintiff attorneys have strong incentives to file. State-level enforcement, including through state attorneys general and private plaintiffs under state analogs like Florida's FTSA, is expanding and unlikely to reverse.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA damages are $500 per violation, $1,500 for willful violations; prerecorded voice and ATDS calls to wireless numbers require prior express consent; calling hours restricted to 8 a.m. to 9 p.m. local time
  2. WebRecon LLC, Consumer Law Tracker: TCPA suits consistently rank among the top two or three most-filed federal consumer protection claims
  3. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS under TCPA requires use of a random or sequential number generator to store or produce numbers; systems dialing from fixed lists do not qualify
  4. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's FTSA, effective July 1, 2021, creates a private right of action for automated calls and texts under a broader ATDS definition than the post-Duguid federal standard
  5. FCC, Reassigned Numbers Database (administered by Somos): The FCC's Reassigned Numbers Database launched in 2021; commercial access requires a fee-based subscription; callers are expected to check it to avoid calling new subscribers without consent
  6. FTC, National Do Not Call Registry: Callers must scrub against the National DNC Registry within 31 days of any call; registry complaints are a primary trigger for FTC and state AG enforcement actions
  7. U.S. Courts, PACER Case Locator (TCPA class action filings): TCPA class actions are regularly filed in federal district courts; class certification is commonly granted where automated calling or texting conduct is uniform across the proposed class
  8. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires records supporting compliance to be retained for 24 months; scrubbing must occur within 31 days of any call

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit