Last updated 2026-07-09

TL;DR
The TCPA's do-not-call rules bar telemarketing calls and texts to numbers on the National DNC Registry or a company's internal DNC list without prior express written consent. Each violating call or text costs $500, rising to $1,500 if willful. The rules cover telemarketing calls, robocalls, and most marketing texts to cell phones and landlines alike.
What is the TCPA and how does its do-not-call rule work?
The Telephone Consumer Protection Act is the federal law, codified at 47 U.S.C. § 227, that sets the floor for outbound calling and texting in the United States. Congress passed it in 1991. The FCC has issued dozens of orders interpreting it since. The do-not-call (DNC) provision at 47 U.S.C. § 227(c) gives consumers the right to opt out of telemarketing calls and tells the FCC to write rules protecting that right.[1]
The DNC regime runs on two tracks. Track one is the National Do Not Call Registry, run by the FTC. Track two is the internal, company-specific DNC list that every telemarketer keeps on its own. Both carry liability. You break the law by calling a number on the national registry, and you break it again by calling someone who already told your company to stop, even if that person never registered anywhere.
Here is the sentence that keeps TCPA lawyers in business. Section 227(c)(5) gives any person who receives more than one telephone solicitation in a 12-month period, in violation of the FCC's DNC rules, a private right of action. Plaintiffs don't have to prove actual damages. They collect $500 per violation as a baseline, and courts can award up to $1,500 per call when the violation was willful or knowing.[1]
The FCC's implementing rules live at 47 C.F.R. § 64.1200. That's the rule set your compliance process actually tracks, because the FCC updates it through orders while the statute text changes rarely.[2]
What does the National Do Not Call Registry actually cover?
The National Do Not Call Registry covers residential telephone numbers, including cell phones, used for personal, family, or household purposes.[3] It sits under the FTC's Telemarketing Sales Rule and gets enforced through the TCPA too. It does not cover business-to-business calls, so a direct-dial office line used only for business generally falls outside a national registry claim for that specific call.
Consumers register for free at donotcall.gov or by calling 1-888-382-1222. Registrations don't expire. The FTC dropped the old five-year expiration in 2008, so a number registered in 2004 is still protected today.[3]
You have to pull the registry before you dial. The FTC charges callers above a small volume an annual fee to download the data, roughly $75 per area code up to a federal cap that adjusts periodically. Check ftc.gov for current pricing.[7] Organizations placing fewer than 9,999 calls a year can access a limited slice of data for free.
The safe harbor at 47 U.S.C. § 227(c)(5) requires you to scrub your list against a version of the registry downloaded no more than 31 days before the call.[1] Older scrubs don't protect you. That 31-day window is a hard rule, and it burns teams that download once and forget to refresh.
Three groups sit outside the national registry: political organizations, charities soliciting donations, and survey companies (as long as the survey has no sales component). Tax-exempt nonprofits follow separate rules. Debt collectors have a messier story, because the TCPA's reach over debt collection calls keeps shifting through FCC interpretations and ongoing litigation.
What is the internal do-not-call list, and who has to keep one?
Any company placing telephone solicitations has to keep its own internal DNC list. The requirement comes from 47 C.F.R. § 64.1200(d), which sets the procedural minimums.[2] You can't hand this obligation entirely to a third-party dialing vendor. The responsibility stays with the seller whose goods or services get promoted.
When a consumer asks you to stop during a call, you add them to your internal list within a reasonable time, which the FCC reads as no more than 30 days. Then you don't call that person again for at least five years. That five-year window is separate from the national registry, which never expires. Your internal list basically grows forever unless a consumer affirmatively signs back up.
The rules also require a written policy for maintaining the internal list, training for anyone who makes solicitation calls, and honoring requests from people calling on someone's behalf. So if a spouse calls in and says stop, you honor it.[2]
Teams underestimate one thing. The internal DNC obligation applies even when you have prior express consent. Consent lets you make the call. Once someone says stop, consent is revoked and the internal DNC obligation kicks in. A consumer who opted in to your texts can still reply STOP, and from that second forward you treat them as an internal DNC number.
The FCC made this plain in its 2023 and 2024 orders on consent revocation. Consumers can revoke through any reasonable means, and revocation takes effect within a reasonable time. The FCC pointed to 10 business days as a benchmark in its 2024 order.[4]
How much does a TCPA do-not-call violation actually cost?
The statutory range is $500 to $1,500 per call or text.[1] Courts have generally treated each individual call or text as its own violation, so the math scales fast. A campaign that sent 50,000 texts to registered numbers without proper consent could expose a company to $75 million in statutory damages at the $1,500 rate.
That's not hypothetical. UnitedHealthcare paid $2.5 million to settle TCPA claims over alleged calling violations. Credit One Bank faced a major TCPA settlement on similar allegations. Truist Bank's TCPA class action settlement and the Albertsons/Safeway TCPA settlement show the exposure cuts across industries.
Class actions are the real financial threat. The TCPA is unusually class-friendly because damages are fixed by statute and plaintiffs don't have to prove individual harm. A class of 100,000 consumers, each getting two violating calls, represents $300 million in exposure at the willful rate. Companies settle these cases anywhere from a few hundred thousand dollars to tens of millions, with plaintiff attorneys taking 25 to 33 percent of the fund.
The FCC can also assess its own forfeiture penalties, separate from private suits. The base figure in the Communications Act is $10,000 per violation, and the FCC adjusts it for inflation each year to a cap above $20,000 per violation.[7] State attorneys general bring their own TCPA actions too, and some states stack extra penalties on top.
One honest note on the numbers. Nobody has clean aggregate data on total TCPA verdicts versus settlements across all courts. The closest tracking comes from WebRecon, a private firm that counts consumer finance litigation, including TCPA cases filed in federal court. Their data shows thousands of TCPA cases filed a year, with a spike after the Supreme Court's 2021 decision in Facebook v. Duguid narrowed the autodialer definition but left the DNC provisions untouched.[6]
What counts as a telephone solicitation under the TCPA?
The TCPA defines a telephone solicitation at 47 U.S.C. § 227(a)(4) as "the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person."[1] That definition reaches further than most people assume.
You don't have to be directly selling. An informational call that nudges someone toward a purchase, a call inviting someone to a sales webinar, a call about a "free" product funded by a cross-sell: courts have treated all of these as solicitations. The FCC reads "encouraging" a purchase broadly.
Some calls are carved out of the definition. Calls answering a consumer's own request. Calls to a person with whom the caller has an established business relationship (though that exemption has limits and is not a blanket pass on DNC rules). Calls with no commercial purpose at all. Political calls, charitable solicitations, and purely informational calls generally fall outside the definition.
Text messages count. The FCC confirmed decades ago that a text to a cell phone is a call under the TCPA. If the text promotes goods or services, it's a solicitation. Send it to a number on the national registry or your internal list, and you have a potential violation. Text message marketing runs on the same DNC framework, and the per-message penalty is identical.
Does the TCPA do-not-call rule apply to cell phones and text messages?
Yes. The TCPA restricts cell phone contact from two directions. The autodialer provisions at 47 U.S.C. § 227(b) restrict calls to cell phones made with an automatic telephone dialing system or a prerecorded voice, and those rules require prior express written consent for telemarketing. Separately, the DNC provisions at 47 U.S.C. § 227(c) reach telephone solicitations to any subscriber registered on the national list, cell phones included.
Consumers began registering cell numbers on the national registry around 2003, and the FTC and FCC confirmed cell coverage shortly after. Today most registered numbers are cell phones, not landlines.
Text messaging marketing works a little differently in practice. Texts to cell phones almost always trigger the § 227(b) autodialer rules, which demand prior express written consent whether or not the number sits on the DNC registry. So for outbound marketing texts, you need consent regardless, which makes the DNC question secondary. But a consumer can revoke consent (becoming an internal DNC) while staying off the national registry, so you still manage both lists.
The takeaway is simple. Send marketing texts or make marketing calls to cell phones without confirmed prior express written consent, and you carry two liability vectors, not one: autodialer rules and DNC rules. The per-message penalty is the same either way.
What consent do you need to call or text a number on the DNC registry?
The TCPA carves out an exception to the national DNC rule for calls made with the prior express invitation or permission of the called party.[1] For telemarketing calls and texts, the FCC's 2012 rules (updated in later orders) demand prior express written consent, a higher bar than any casual permission.
The FCC defines prior express written consent as a written agreement that clearly authorizes the seller to deliver telemarketing calls or texts using an automatic telephone dialing system or prerecorded message. The agreement has to disclose that consent is not a condition of purchase, and it has to carry the consumer's signature. An electronic signature counts under the E-Sign Act.[2]
The key word is written. A verbal opt-in on a prior call generally does not satisfy the written requirement for future marketing calls. You need a record: a signed form, a checked box tied to a specific disclosure, or a text opt-in that meets the FCC's terms.
Consent also has to be specific to your company. After the FCC's one-to-one consent rule took effect January 27, 2025 (from the agency's 2023 lead generation order), a blanket form authorizing calls from "our partners" or a broad list of sellers no longer satisfies consent for each individual seller. Every company that wants to call or text the consumer needs its own consent, captured separately.[4]
Bought leads from a third-party generator whose form named multiple sellers? That consent may not hold up under the new standard. This is one of the highest-risk areas in outbound sales right now, and LeadCompliant's free TCPA tools include a consent language checker that flags broad-consent problems before you burn through a list.
What is the established business relationship exemption, and does it still apply?
The established business relationship (EBR) exemption lets a company call a consumer who appears on the national DNC registry, if the consumer has an EBR with that company. The FCC defines an EBR at 47 C.F.R. § 64.1200(f)(5) as a prior or existing relationship formed by a voluntary two-way communication, on the basis of an inquiry, application, purchase, or transaction regarding the company's products or services.[2]
For purchase-based EBRs, the exemption runs 18 months from the most recent transaction. For inquiry-based EBRs (someone who asked for information or applied but didn't buy), the window is only three months from the inquiry. Once those windows close, the EBR no longer shields you from a DNC claim on registered numbers.
Here's the catch teams miss. The EBR exemption applies to the national registry. It does not override your internal DNC list. If a customer bought from you, forming an EBR, but then called and said "stop calling me," you honor that no matter what the EBR says. The internal DNC obligation is absolute once the consumer asks.
The EBR also does nothing against the § 227(b) autodialer rules for cell phones. Calling a prior customer's cell with an autodialer, without written consent, still violates the law even where the EBR would defeat the DNC claim. These two tracks get conflated constantly, and that's where teams get surprised in litigation.
What are the procedural rules every telemarketer must follow?
Beyond scrubbing your list, the FCC's rules at 47 C.F.R. § 64.1200(d) set a checklist of procedural requirements for any company placing telephone solicitations.[2] Miss any one of them and you can create liability whether or not you actually dialed a DNC number.
Here's how the requirements stack up:
| Requirement | Standard |
|---|---|
| Written internal DNC policy | Must exist and be available to any caller on request |
| Personnel training | All staff making solicitation calls must be trained on the DNC policy |
| Internal DNC list maintenance | Must honor requests within 30 days and keep for 5 years minimum |
| National registry scrub | Must scrub no more than 31 days before the call |
| Caller ID | Must transmit Caller ID; cannot block it |
| Identify caller | Must state name of individual caller and company at start of call |
| Telephone number disclosure | Must provide a number the consumer can call to make a DNC request |
| Time-of-day restrictions | Calls only between 8 a.m. and 9 p.m. local time of called party |
The time-of-day rule is simple and gets broken all the time by teams dialing across time zones without geo-lookup. Calling someone in Los Angeles at 7:45 a.m. Pacific from an East Coast room that opened at 10:45 a.m. Eastern is a violation. Every dialer should place calls by the recipient's local time. If yours doesn't, fix that today.
Caller ID spoofing is a separate violation under the Truth in Caller ID Act, which the FCC enforces on its own penalty schedule. Intentional Caller ID blocking or spoofing on a telemarketing call also wrecks any affirmative defense you'd otherwise raise in TCPA litigation.
How do state do-not-call laws interact with the TCPA?
The TCPA expressly lets states adopt tougher rules. About a dozen states run their own DNC registries or calling restrictions that go past the federal floor. Florida is the example everyone watches: the Florida Telephone Solicitation Act, amended heavily in 2021, reaches calls made with an automated system of any kind, a broader standard than the federal autodialer definition the Supreme Court narrowed in Facebook v. Duguid.[10]
California applies its own consumer protection statutes (including the California Consumer Privacy Act) to outbound calling data, and its Automatic Dialing-Announcing Device statute adds another layer. Texas runs a state DNC registry and requires registration with the state. Indiana, Michigan, Wyoming, and others keep their own registries you scrub separately from the federal list.
The rule of thumb is short. Before you call consumers in a given state, spend 30 minutes reading that state's telemarketing statutes. The federal TCPA is the floor, not the ceiling. State attorneys general can pursue violations, and in some states private plaintiffs can sue under unfair business practices statutes carrying different, sometimes higher, per-violation penalties.
For teams dialing nationally, the practical move is a compliance calendar that tracks state changes, a telemarketing law alert service, and state-specific scrubbing built into your list hygiene where required. Tedious work. But a state law violation stacked onto a federal TCPA claim raises settlement exposure fast.
What defenses actually work in a TCPA do-not-call lawsuit?
The statute hands you a safe harbor at 47 U.S.C. § 227(c)(5): a caller is not liable for a DNC violation if it shows the violation came from an error and that it followed established procedures to comply.[1] Meeting that safe harbor takes evidence, not assertions.
Courts look for specific things. Documented scrubbing procedures with timestamps showing you pulled registry data within 31 days of the campaign. A written internal DNC policy that predates the alleged violation. Training records showing staff knew the policy. And proof the error was genuinely unintentional (a database sync failure, a technical glitch, a newly registered number that surfaced after your last scrub).
Prior express written consent is the other big defense. If the consumer signed a compliant consent form before the call and you can produce it, the DNC claim fails. The trouble is that consent records have to survive the statute of limitations. Keep them at least four years. Some compliance attorneys keep them longer, and the consent has to be specific to your company under the post-2025 one-to-one rule.
What doesn't work: blaming your third-party vendor. The TCPA holds the seller (the company whose goods or services get promoted) responsible even when an outside dialing company placed the calls. You can add the vendor as a defendant and file cross-claims, but the seller rarely walks away by pointing a finger.
The FCC's 2023 and 2024 guidance also makes it harder to argue that a lead-generator consent form covers your company, if that form named multiple sellers or used vague language. Read the latest TCPA news to follow how courts apply the new one-to-one standard, because the case law is still moving fast.
Facing an actual lawsuit or demand letter? Hire a TCPA defense attorney right away. This article is general legal information, not legal advice, and a real case needs counsel who knows the current circuit-specific case law.
How should a small outbound team build a practical DNC compliance process?
Start with the basics any team can stand up before spending a dollar on software. Write a one-page internal DNC policy. Name one person who owns the internal DNC list. Set a calendar reminder to pull fresh national registry data every 30 days. Train anyone who dials on what to do when someone says stop. None of this needs a vendor, and all of it starts the documented record that safe-harbor defenses run on.
For the national scrub, register your organization with the FTC's National Do Not Call Registry (registration at ftc.gov) and subscribe for the area codes you call. Download a fresh copy before every new campaign and log the download date.[3]
For internal DNC management, a spreadsheet works for a tiny team, but it breaks fast once you're running multiple campaigns, multiple data sources, and staff turnover. Most modern dialers (Five9, Convoso, NOLA, PhoneBurner, and others) build internal DNC management in as a native feature. Make sure yours suppresses DNC numbers before the call goes out, not after.
Lead list hygiene is the step most teams skip. Before importing any new list, run it against both the national registry and your internal list. If you bought the leads, verify what consent language the form used and whether it's specific enough to cover your company after the 2025 one-to-one rule.
LeadCompliant's compliance kit includes a pre-campaign DNC checklist and a consent language review template, both free, at leadcompliant.com. Use them as a starting point, then have a TCPA attorney review your whole process once a year. A one-hour attorney review costs a few hundred dollars. The alternative is a class action where settlements start in the six figures and climb.
For teams studying high-profile cases and what went wrong, the how to stop robocalls guide covers the consumer side of enforcement, which is exactly the lens plaintiffs' attorneys use when they build a case.
Frequently asked questions
Can I call a cell phone number that's on the Do Not Call Registry if I have the person's consent?
Yes. Prior express written consent overrides the national DNC restriction for telemarketing calls. The consent must be in writing, signed by the consumer, and must clearly authorize calls from your specific company (not a broad list of sellers). After the FCC's 2025 one-to-one consent rule, a form naming multiple companies won't cover you individually. Keep the consent record for at least four years.
How long does a number stay on the National Do Not Call Registry?
Registrations don't expire. The FTC dropped the five-year expiration in 2008, so a number registered in 2003 is still protected today. You must check the registry no more than 31 days before each campaign. Recently registered numbers can take up to 31 days to appear in the database, so there's a brief window where a new registration might not show up in your scrub.
Does the TCPA do-not-call rule apply to B2B calls?
The national registry mostly covers residential numbers and numbers used for personal, family, or household purposes. Pure B2B calls to business lines used only for business generally fall outside the national DNC scope. But cell phones carried by businesspeople can be personal numbers, and the internal DNC obligation applies to anyone who asks your company to stop calling, business context or not.
What happens if a consumer registers their number on the DNC list after I already got their consent?
If you got valid prior express written consent before they registered, that consent still applies. Their remedy is to revoke consent directly with you, which triggers your internal DNC obligation. Simply registering on the national list after giving consent does not automatically void that consent for a company holding the documented record. But if the consumer contacts you to revoke, you must stop calling within 30 days.
How much does it cost to access the National Do Not Call Registry?
The FTC charges roughly $75 per area code per year for access, with the total fee capped at a federal maximum (check ftc.gov for current pricing, since it adjusts periodically). Organizations placing fewer than 9,999 calls a year can access a limited slice of data for free. Consumers pay nothing to register their own numbers.
Can a text message violate the TCPA do-not-call rules?
Yes. The FCC confirmed years ago that a text to a cell phone is a call under the TCPA. A marketing text sent to a number on the national registry, or on your internal list, is a potential DNC violation at $500 to $1,500 per message. Marketing texts also separately require prior express written consent under the autodialer provisions, giving you two liability vectors for non-compliant texting.
What is the difference between the TCPA and the FTC's Telemarketing Sales Rule?
The TCPA is a federal statute (47 U.S.C. § 227) enforced by the FCC, and it creates a private right of action letting consumers sue directly. The FTC's Telemarketing Sales Rule governs many of the same practices but is enforced by the FTC, not private parties. The national DNC Registry operates under both. Most outbound teams need to comply with both, and TSR violations can bring FTC enforcement actions with significant civil penalties.
Does the established business relationship exemption let me ignore an internal DNC request?
No. The EBR exemption applies to the national registry only, letting you call a registered number during the active EBR window (18 months for purchases, three months for inquiries). Once a consumer asks your company directly to stop calling, that triggers your internal DNC obligation regardless of any active EBR. Honor the request within 30 days and don't call that person for at least five years.
What must I say at the start of a telemarketing call to comply with TCPA rules?
FCC rules require you to identify the individual caller's name and the company on whose behalf the call is made, at the start of the call. You also have to provide a phone number or address where the consumer can make a do-not-call request. You cannot block Caller ID. These disclosures are procedural requirements separate from the scrubbing obligations, and failing them creates independent liability.
Can I be sued personally as a salesperson for TCPA violations, or only the company?
TCPA lawsuits usually target the company, not individual employees making calls. But corporate officers and principals who direct violating campaigns have faced personal liability in some cases, especially where a company was structured to limit assets and the individual made the decisions. Sellers who outsource to dialing vendors keep liability for the vendor's calls. Personal liability for an individual salesperson is rare, but not impossible where conduct is egregious or intentional.
How far back can a plaintiff sue for TCPA violations?
The TCPA's statute of limitations is four years under 28 U.S.C. § 1658, the general federal four-year period. Some courts have applied different analyses depending on the specific claim, but four years is the standard window plaintiffs rely on. So keep consent records, DNC scrub logs, and campaign records at least four years. Many compliance attorneys keep them five years for margin.
What should I do if a consumer on a call says 'don't call me again'?
Add the number to your internal DNC list immediately (the FCC allows up to 30 days, but same-day is best practice). Document the date, time, caller, and the request. Don't call that number again for at least five years. Train your team to catch DNC requests even when phrased loosely. A caller saying 'take me off your list' or 'I'm not interested, stop calling' counts as an opt-out.
Does the TCPA do-not-call rule apply to ringless voicemails?
This is unsettled. The FCC issued a notice of proposed rulemaking in 2017 on whether ringless voicemails (direct-to-voicemail drops that bypass the ringer) are calls under the TCPA, but never issued a final order. Several courts have found ringless voicemails are covered calls. The safer position for any team using ringless voicemail for marketing is to treat them as TCPA calls requiring consent and DNC scrubbing, because the litigation risk is real without a definitive ruling.
What is the FCC's one-to-one consent rule and when did it take effect?
The FCC's one-to-one consent rule, part of its 2023 lead generation order, requires that consent for telemarketing calls and texts be specific to a single seller, not a broad list of companies. It took effect January 27, 2025. A form saying 'I agree to receive calls from our marketing partners' no longer covers each individual partner. Every company needs its own specific consent captured directly from the consumer.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA private right of action for DNC violations: $500 per violation, up to $1,500 for willful violations; definition of telephone solicitation; prior express consent exception
- FCC, 47 C.F.R. § 64.1200 (Delivery restrictions): FCC procedural requirements for internal DNC lists, caller ID disclosure, time-of-day restrictions, EBR definition, and written consent standards
- FTC, National Do Not Call Registry: Consumers register at donotcall.gov; registrations do not expire; cell phones covered; 31-day scrub requirement; FTC eliminated five-year expiration in 2008
- U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the TCPA autodialer definition in 2021; DNC provisions left intact by the ruling
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC Telemarketing Sales Rule governs national DNC Registry access fees and telemarketing conduct separately from TCPA; registry fee roughly $75 per area code
- U.S. House of Representatives, Telephone Consumer Protection Act (Pub. L. 102-243, 1991): TCPA enacted in 1991; Congressional intent to protect consumers from unwanted telemarketing
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059 (2021 amendments): Florida's 2021 FTSA amendments apply to any automated calling system, broader than the federal TCPA autodialer definition after Facebook v. Duguid
- 28 U.S.C. § 1658 (federal four-year statute of limitations): Four-year federal statute of limitations applicable to TCPA claims