Last updated 2026-07-09

TL;DR
The Telephone Consumer Protection Act (47 U.S.C. § 227) limits autodialed calls, prerecorded messages, and marketing texts to cell phones. You need prior express written consent before sending promotional texts or robocalls to wireless numbers. Violations cost $500 to $1,500 per message. The FCC's one-to-one consent rule took effect January 2025, ending the practice of letting one checkbox hand consent to dozens of sellers.
What is the TCPA and who does it actually cover?
The TCPA is a 1991 federal law, codified at 47 U.S.C. § 227 [1], that restricts how you can call and text people. It covers calls made with an automatic telephone dialing system (ATDS), prerecorded or artificial voice messages, and fax advertisements. The law reaches anyone who initiates or causes the initiation of a covered communication. That means sellers, their lead vendors, and their dialing platforms can all end up on the hook.
Residential landlines get some protection, mostly around prerecorded calls and the National Do Not Call Registry. The law bites hardest on cell phones. Autodialed or prerecorded calls to wireless numbers need consent whether or not the number sits on the DNC list.
Small businesses are not exempt. There's no carve-out for companies under a certain size or revenue. If you dial cell phones with an autodialer or blast marketing texts, you're covered.
The FCC writes the rules and enforces the TCPA. The FTC enforces the separate Telemarketing Sales Rule, which overlaps on DNC. Private plaintiffs can also sue you directly, and that's where most of the real exposure lives. TCPA class actions have produced some of the largest consumer settlements in U.S. history. UnitedHealthcare, for instance, agreed to pay $2.5 million to resolve alleged TCPA violations.
What are the core TCPA consent requirements?
Consent under the TCPA is not one-size-fits-all. The law and FCC rules create three tiers, and which tier you need depends on what you're sending and how you're sending it.
Tier 1: No consent required. Calls to residential landlines that are purely informational, made by a live agent, and not for a commercial purpose generally don't trigger TCPA consent rules.
Tier 2: Prior express consent. Autodialed or prerecorded calls to wireless numbers that are purely informational (not marketing) require that the called party gave you their number in a context that reasonably suggested they expected calls. A patient handing their cell number to a hospital fits here.
Tier 3: Prior express written consent (PEWC). Any telemarketing call or text to a wireless number, made with an ATDS or prerecorded voice, requires PEWC. The FCC defines this as a written agreement (electronic form counts) that clearly authorizes the specific seller to contact the consumer at that number using those methods, and that discloses the consumer isn't required to consent as a condition of buying anything [2].
Written consent means a signed opt-in form, a checkbox on a web form, a keyword text reply, or a recorded verbal agreement captured in a compliant script. A business card, a prior purchase, or a pre-checked box does not clear this bar.
The one-to-one consent rule, effective January 27, 2025, added a hard new requirement: each written consent must name a single seller specifically. Bundling consent for a "marketing partner network" of hundreds of companies in fine print is dead [3].
How does the one-to-one consent rule change things in 2025?
For years, lead generation companies ran on a consent daisy-chain. A consumer fills out a mortgage comparison form, checks a box agreeing to hear from "our partners," and suddenly 30 lenders claim TCPA consent. Some courts went along with it. The FCC's 2024 order killed it.
The FCC's December 2023 Report and Order (FCC 23-107) requires that prior express written consent for telemarketing calls and texts identify the specific seller who will be calling. One consent, one seller, full stop [3]. The rule took effect January 27, 2025.
Here's what that means in practice. If you buy leads from a vendor, you cannot assume the consumer agreed to hear from you. The consent form has to name your company. If it doesn't, you need a new consent process or you need to stop calling those leads.
Vendors who never updated their consent flows are handing you toxic leads. Ask every vendor for a copy of the actual consent language before you dial. If they can't produce it, or it doesn't name you, that's a compliance problem you inherit the moment you call.
The order also requires that the consent be logically and topically related to the website where it was collected. A survivalist gear site cannot collect consent for insurance calls. That's the topic-relatedness piece of the same order [3].
What counts as an automatic telephone dialing system (ATDS) after Facebook v. Duguid?
The Supreme Court narrowed the ATDS definition hard in Facebook, Inc. v. Duguid (2021). The Court held that an ATDS must have the capacity to store or produce telephone numbers "using a random or sequential number generator" [4]. A system that just dials from a pre-loaded list, with no random or sequential generation, doesn't meet that definition under the statute.
This was a big win for businesses. A basic dialer working from a curated list of known contacts may not qualify as an ATDS, and may not trigger the consent requirement for informational calls.
The litigation risk didn't vanish, though. Several state laws, California's included, use broader definitions. And if your platform can generate numbers randomly even when you never use that function, plaintiffs will argue the capacity test still catches you. Lower courts are still fighting over this.
One trap for platforms sold as "ringless voicemail" or "ringless drop" tools: the FCC ruled in 2023 that ringless voicemail to wireless phones is a call under the TCPA [5]. You still need consent.
Honest bottom line. If you run any automated or semi-automated dialing platform, talk to a TCPA attorney before you assume Duguid protects you. The safe play is to get consent anyway.
What are the TCPA calling time restrictions and DNC rules?
The TCPA and its FCC rules ban telemarketing calls before 8 a.m. or after 9 p.m. in the called party's local time [1]. Their local time, not your call center's. If you're in New York dialing a 206 area code (Seattle), you can't call before 8 a.m. Pacific.
Separately, callers have to keep an internal Do Not Call list and honor opt-out requests within 30 days. If someone tells you never to call again, you have 30 days to scrub them off your active lists. Good teams do it the same day, and that's the right instinct.
For the National DNC Registry: telemarketers register with the FTC and scrub their lists against it at least every 31 days [6]. Calls to registered numbers without an established business relationship (EBR) or written consent are violations. The EBR exception covers calls for up to 18 months after a transaction or 3 months after an inquiry, but it never overrides a specific DNC request from that consumer.
The FTC charges for DNC access above 5 phone numbers a year. As of the 2024 fee schedule, access runs $18,849 for the full national list, with a per-area-code fee of $76 [6]. If you're skipping scrubs because you think they cost too much, run the math against a single $500-per-call settlement.
State DNC lists add another layer. Florida, Indiana, Texas, and other states run their own registries that need separate registration and scrubbing. See the state section below.
How much do TCPA violations actually cost?
The statute sets damages at $500 per violation for negligent violations and $1,500 per willful or knowing violation [1]. Every call and every text is a separate violation. A single campaign to 10,000 numbers without proper consent can produce $5 million to $15 million in statutory damages before a plaintiff argues a dime of actual harm.
Courts award these damages without the plaintiff proving any injury at all. The call happened, consent was missing, the violation occurred. That's the whole test.
Class actions hold the real exposure. The recent settlements tell the story. Credit One Bank settled a TCPA class action for a reported $14.5 million. Truist Bank reached a TCPA class action settlement. Cash App faced a TCPA class action settlement. Albertsons and Safeway settled TCPA claims over marketing texts. These aren't outliers. They're the price of one bad campaign or one flawed consent process run at scale.
The FCC can also impose forfeitures on its own, separate from any private suit. In 2021 the agency proposed a $225 million forfeiture against health insurance telemarketers for spoofed robocalls, the largest in its history at the time [7].
Nobody has clean data on average settlement amounts, because most resolve confidentially. The best public sources are class action databases and reported decisions. The $500/$1,500 floor is what drives settlement pressure. Defendants settle because the math on even a small class is terrifying, not because they'd necessarily lose at trial.
| Violation type | Statutory damages per occurrence |
|---|---|
| Standard violation (negligent) | $500 |
| Willful or knowing violation | $1,500 |
| Unsolicited fax (separate provision) | $500, trebled to $1,500 if willful |
| FCC administrative forfeiture | Up to $10,000+ per violation |
What TCPA exemptions actually exist?
There are real exemptions, though fewer than most sales teams hope for.
Emergency calls. Calls made for emergency purposes are exempt. Public health alerts, natural disaster notices, hospital outreach about urgent care. This does not cover sales calls dressed up as urgent.
Non-commercial calls to residential lines. Survey calls, political calls, and calls from tax-exempt nonprofits to residential landlines are generally exempt from the autodialer consent requirement. Wireless numbers get complicated fast.
Healthcare calls. HIPAA-covered entities have a narrow FCC exemption for healthcare calls that meet specific conditions: the call has to be free to the called party, limited to one call per day and three per week, informational only (no sales pitch), and the patient must have provided the number [8]. Miss any one condition and the exemption is gone.
Established business relationship (EBR). EBR is not a TCPA exemption for wireless numbers. It applies only to residential landline calls and the DNC rules. Plenty of sales teams get this wrong and dial cell phones thinking EBR covers them. It doesn't, not for ATDS or prerecorded calls.
Debt collection. Government-debt collection got exempted under a 2015 budget amendment, but the Supreme Court struck that exemption down in Barr v. AAPC (2020) [9]. What's left is murky. Debt collectors generally still need TCPA consent for cell phones unless a different legal basis applies.
When in doubt, get consent. The exemptions read wider in a law review than they play out in court.
What do TCPA guidelines say about text message marketing?
Texts are treated as calls under the TCPA [1]. An autodialed or prerecorded text to a wireless number carries the same legal status as an autodialed call. The prior express written consent requirement applies in full.
For SMS and MMS marketing, the practical compliance floor looks like this.
Get written consent before the first message. A keyword opt-in (text YES to 12345), a web form checkbox, or a signed paper form all work. The consent has to be affirmative and unambiguous. Pre-checked boxes don't count.
Identify yourself in every message. FCC rules require the caller or sender to identify themselves at the start of a telemarketing message [2].
Honor opt-outs immediately. Industry standard is to support STOP, QUIT, CANCEL, UNSUBSCRIBE, and END as opt-out keywords. Process them before your next send. Any text after a valid STOP is a separate violation.
Keep records of consent. The statute of limitations for TCPA claims is four years [10]. You need to prove consent existed on the date of every message, for four years after. Screenshots, timestamps, and database records are your evidence.
There's more detail on the mechanics of compliant text programs at text message marketing and text messaging marketing.
One note on lead lists bought for SMS: the one-to-one consent rule applies here too. Purchased lists almost never carry consent that names your specific company. Buy a phone list, text it without verifying consent, and you're building a class action against yourself.
How do state laws interact with TCPA guidelines?
The TCPA is a federal floor, not a ceiling. States can and do go stricter.
California's CCPA and its Rosenthal Fair Debt Collection Practices Act add obligations around disclosure and data use. Florida's Telephone Solicitation Act (FTSA) went through big changes in 2021 and 2023. At its peak the FTSA required written consent for any autodialed call or text to a Florida number and created a private right of action that set off a wave of suits. The 2023 amendment narrowed it, but Florida stays a high-risk state [11].
Texas, Oklahoma, and Indiana run their own state DNC registries. Texas law includes its own consent requirements and can produce liability separate from the TCPA.
New York has aggressive enforcement through the state AG and a plaintiff-friendly court environment.
Practical advice: map your call list by state area code before every campaign. Flag the high-risk states (California, Florida, Texas, New York) and confirm your consent language and process clears those states' standards, which run above the federal baseline. A TCPA lawyer in those states is worth a consult if you're dialing at volume. A TCPA lawyer in Kentucky or nearby states can help if your campaigns touch the Southeast.
Nobody keeps a clean national map of every state telemarketing law in one place. The closest public resource is the National Conference of State Legislatures, and even that lags real developments.
What should a TCPA compliance program actually look like?
Compliance is not a one-time checklist. It's a set of repeating operational processes. Here's what a working program looks like for a small outbound team.
Consent collection. Every lead source needs a documented consent flow. Web forms have to disclose clearly what the consumer is agreeing to, name your company specifically, and keep the consent out of a general terms-of-service link. Store a timestamp and IP address for every digital consent.
List hygiene. Scrub against the National DNC Registry at least every 31 days. Scrub your internal DNC list before every campaign. If you buy leads, require vendors to certify the consent language in writing and keep that certification. Run numbers through the FCC's Reassigned Numbers Database, which launched in 2021 and lets callers check whether a number has been reassigned to someone new [12].
Dialer review. Test your platform against the post-Duguid ATDS definition. If it can generate random or sequential numbers, treat it as an ATDS no matter how you use it.
Training. Agents need to know the time zone rule, how to handle a verbal DNC request (honor it immediately, document it, process within 30 days), and what to do when someone says they never consented.
Recordkeeping. Four-year retention minimum on consent records, call logs, opt-out records, and DNC scrub certifications.
Vendor contracts. Every lead vendor, dialing platform, and marketing partner needs a contract with TCPA representations and indemnification language. It won't transfer all your liability, but it matters in settlement talks.
LeadCompliant's free compliance kit includes consent disclosure templates and a DNC scrub log checklist you can adapt without starting from scratch.
For rule changes as they happen, tcpa news is worth bookmarking. The FCC has been busy.
How do you defend against a TCPA claim if you get sued?
The strongest defense is documented consent. If you can produce a timestamped record showing the plaintiff affirmatively opted in through a compliant disclosure that named your company, you're in good shape. Courts read the consent record closely.
Other workable defenses: the number wasn't assigned to the plaintiff when you called (the reassigned number defense), the communication wasn't made with an ATDS (post-Duguid), the call was exempt (emergency, or healthcare under the proper conditions), or the called party had an EBR on a landline DNC claim.
The EBR defense and the "I got the number from a third party" argument are weak. Courts have generally rejected the idea that buying a list or receiving a lead form satisfies consent. The Ninth and Eleventh Circuits have both issued decisions making that clear.
One practical point that saves people money: respond to a demand letter fast. Many TCPA plaintiffs file strategically and will settle for a few thousand dollars before ever suing. Ignore the letter, or sit on it for weeks, and a $2,000 problem often becomes a $50,000 one. Get a TCPA-specific attorney involved right away.
Want to see what real settlements look like? Joseph Snyder's Credit One TCPA case and the Kaiser TCPA settlement claim process show how these cases resolve and what defendants actually paid.
Also useful: if you get calls you never agreed to, how to stop robocalls walks through the consumer side, which is good background for understanding what your called parties go through.
What are the most common TCPA compliance mistakes outbound teams make?
These are the patterns that show up in complaints, demand letters, and class action filings again and again.
Using a purchased list without verifying consent. The broker says the list is "TCPA compliant." That certification is worth close to nothing without the actual consent language, the specific company named, and the date. Most purchased lists fall apart under the 2025 one-to-one standard.
Ignoring reassigned numbers. A consumer who owned a number three years ago may have consented to your calls. If that number got reassigned to someone else, every call to the new owner is a potential violation. The FCC's Reassigned Numbers Database exists for exactly this, and scrubbing it is now an expected practice [12].
Calling outside the 8 a.m. to 9 p.m. window in the called party's time zone. Dialing 8:15 a.m. Eastern to a 310 area code (Los Angeles) is an illegal call at 5:15 a.m. local time.
Treating a verbal opt-in as written consent. For marketing texts and autodialed sales calls to cell phones, you need written consent. A verbal "sure, you can text me" during a sales call doesn't cut it.
Skipping a company-specific DNC list. Even when a number isn't on the National DNC Registry, you have to honor internal DNC requests. Calling a number 90 days after someone asked you to stop is a violation.
Reviewing consent forms once and never again. FCC rules change. The one-to-one consent rule proves it. A form that was fine in 2023 can be deficient today.
Frequently asked questions
Does the TCPA apply to B2B calls?
Mostly yes, with nuance. The TCPA applies to calls made to wireless numbers regardless of whether the recipient is a consumer or a business employee using a work cell phone. If you're autodialing cell phones to reach business contacts, consent and ATDS rules still apply. Calls to landline business numbers face fewer TCPA restrictions but can still trigger FTC Telemarketing Sales Rule requirements depending on the call content.
What is the statute of limitations for TCPA claims?
Four years. TCPA claims fall under the general federal four-year statute of limitations at 28 U.S.C. § 1658. A plaintiff can sue over a call or text made up to four years before filing. That's why consent records need to survive for at least four years after your last contact with any given number.
Can I call someone who gave me their number on a contact form?
It depends on what the form said. If the form disclosed that submitting it meant agreeing to receive autodialed marketing calls from your company specifically, and they checked an affirmative box, you likely have prior express written consent. If the form just said 'we may contact you' or buried consent in a privacy policy, that's almost certainly not enough under current FCC standards for marketing calls to wireless numbers.
What is the FCC's Reassigned Numbers Database and do I have to use it?
The FCC launched its Reassigned Numbers Database in 2021 so callers can check whether a number has been reassigned to a new subscriber since the last consent was given [12]. The FCC has indicated that callers who query the database before calling get a safe harbor against liability for calling a reassigned number. It's not legally mandatory, but skipping it removes a key defense. Access runs through the FCC's reassigned numbers program.
Does the TCPA apply to ringless voicemail?
Yes. The FCC ruled in 2023 that ringless voicemail drops to wireless phones are calls under the TCPA and require prior express written consent for marketing messages [5]. The fact that the phone never rings doesn't change the legal analysis. Ringless voicemail platforms that claimed an exemption before 2023 were sitting in a gray area that no longer exists.
What does 'prior express written consent' have to include?
Under 47 C.F.R. § 64.1200(f)(9), prior express written consent must be a signed written agreement (electronic signatures count) that clearly authorizes the seller to deliver marketing messages using an ATDS or prerecorded voice, lists the specific telephone number for contact, and states plainly that the consumer isn't required to consent as a condition of any purchase [2]. The 2025 one-to-one rule adds that the named seller has to be the one calling.
How often do I have to scrub my call list against the National DNC Registry?
At minimum every 31 days under FCC rules [6]. The FTC's DNC requirements say you can't call a number more than 31 days after your last scrub. Most compliant teams scrub weekly or before every campaign, which is safer. You also have to honor numbers added to your internal DNC list within 30 days of a consumer's request.
Can a lead generation vendor's consent form cover my company?
Since January 27, 2025, no. The FCC's one-to-one consent rule requires prior express written consent for telemarketing to name the specific seller who will be calling. A generic 'marketing partners' consent form no longer satisfies the TCPA [3]. You need to be named explicitly on the consent form, or you obtain fresh consent yourself before contacting leads bought from a vendor.
Are text message autoresponders subject to TCPA rules?
Yes, with a narrow exception. A single confirmatory text sent right after a consumer texts in to opt out, or a one-time reply to a consumer-initiated text, may qualify for a transactional exception. But automated promotional reply sequences and welcome-series texts sent to new subscribers require prior express written consent and full compliance with opt-out obligations.
What should I do if I receive a TCPA demand letter?
Don't ignore it, and don't respond without legal counsel. TCPA demand letters often come right before a class action filing. Pull your consent records for the claimed call or text immediately. Hire a TCPA-experienced attorney before you respond. Many of these disputes settle for a few thousand dollars when handled promptly; the same dispute handled poorly can climb into six figures. Time matters.
Is the TCPA the same as the Telemarketing Sales Rule?
No, they're separate laws enforced by different agencies. The TCPA (47 U.S.C. § 227) is an FCC statute focused on autodialers, prerecorded messages, and the National DNC Registry. The FTC's Telemarketing Sales Rule covers deceptive telemarketing practices, calling time restrictions, and DNC rules for live calls. Plenty of campaigns trigger both, and complying with one doesn't guarantee compliance with the other.
Do TCPA rules apply to political calls and texts?
Partially. Political calls made by a live human agent to any number are generally not covered by TCPA consent requirements. Autodialed or prerecorded political calls to residential landlines are also exempt. But autodialed or prerecorded political calls and texts to wireless numbers do require prior express consent under the TCPA. The FCC has never created a blanket political exemption for cell phones.
What records do I need to keep for TCPA compliance?
At minimum: timestamped consent records for every contacted wireless number (with IP address for digital consent), DNC scrub certifications showing the date and database used, internal DNC list records with opt-out timestamps, call logs showing time and date of each outbound attempt, and any vendor consent certifications. The four-year statute of limitations means you keep these records for four years after your last contact.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227 (TCPA statute text): TCPA text establishing $500/$1,500 per-violation damages, 8 a.m.–9 p.m. calling window, and autodialer/prerecorded voice restrictions
- FCC, 47 C.F.R. § 64.1200 (TCPA implementing regulations, via eCFR): Definition of prior express written consent and requirement that callers identify themselves in telemarketing messages
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held ATDS must use a random or sequential number generator; systems dialing from a stored list without such generation do not qualify
- FTC, Complying with the Telemarketing Sales Rule (Business Guidance): Telemarketers must scrub lists against the DNC Registry at least every 31 days; FTC charges for registry access above 5 numbers per year
- FCC, 47 C.F.R. § 64.1200 healthcare-related call conditions (via eCFR): Healthcare entities may call patients without prior express written consent only if the call is free to the recipient, limited to one per day and three per week, purely informational, and the patient provided their number
- U.S. Supreme Court, Barr v. American Association of Political Consultants, 591 U.S. 610 (2020): Supreme Court struck down the government-debt exception to the TCPA's automated call restrictions as an unconstitutional content-based speech restriction
- U.S. Government Publishing Office, 28 U.S.C. § 1658 (four-year federal statute of limitations): TCPA claims are subject to the general four-year federal statute of limitations under 28 U.S.C. § 1658
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's FTSA creates state-level requirements for autodialed calls and texts to Florida numbers, with a private right of action