Last updated 2026-07-09

TL;DR
TCPA stands for Telephone Consumer Protection Act, a 1991 federal law (47 U.S.C. § 227) that restricts unsolicited robocalls, autodialed texts, and fax advertisements. Violators owe $500 per violation, or $1,500 if the violation is willful. Being TCPA compliant means you have prior express consent from every contact before using automated calling or texting technology to reach them.
What does TCPA stand for and where did it come from?
TCPA stands for Telephone Consumer Protection Act. Congress passed it in 1991 and President George H.W. Bush signed it into law on December 20 of that year [1]. The Federal Communications Commission writes and enforces the implementing regulations.
The law is codified at 47 U.S.C. § 227. That citation matters. Courts, class-action complaints, and FCC orders all use it, and knowing it lets you read the primary source instead of trusting a summary that got the details wrong.
Here is why the law exists. By the late 1980s, autodialing machines could blast thousands of calls an hour with almost no human labor. Congress heard from enough angry constituents that pre-recorded sales pitches were tying up their home phones and jamming their business fax lines. It decided the burden was landing on the wrong party. The TCPA flipped that. It put the legal and financial risk on the caller.
The FCC has amended its rules many times since 1991. The changes that matter most came in 2003 (the national Do Not Call registry, built with the FTC), 2012 (the prior express written consent requirement for telemarketing), and 2024 (one-to-one consent rules aimed at lead generators) [2]. The statute itself has barely moved. The regulatory teeth got sharper with each rulemaking cycle.
What does the TCPA actually prohibit?
The statute bans four kinds of conduct. Treat them separately, because the consent standard and the penalty math differ across all four.
1. Autodialed or prerecorded calls to cell phones. The TCPA makes it unlawful to call any cell phone using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice without prior express consent [1]. This category drives most class-action litigation. "Call" in the FCC's reading includes text messages, which is why your SMS campaigns land here.
2. Prerecorded calls to residential landlines for telemarketing. A live agent can call a landline without consent (subject to Do Not Call rules). A prerecorded sales pitch to a home landline needs prior express written consent.
3. National Do Not Call Registry violations. Calling a number that has sat on the federal DNC registry for more than 31 days is a separate TCPA violation. The FTC runs the registry. The TCPA gives individuals the right to sue over it [2].
4. Unsolicited fax advertisements. Faxing an ad to someone who never gave prior express invitation or permission violates the TCPA. Fax cases are rarer now but still get filed, often against healthcare marketers.
The core prohibition reads, in the statute's own words: "It shall be unlawful for any person within the United States... to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice" [1]. That phrase "prior express consent" is where compliance programs live or die.
Two categories sit outside most restrictions: calls for emergency purposes, and calls by or on behalf of tax-exempt nonprofits in certain situations. Debt collection calls to cell phones have long occupied a gray zone. The Supreme Court's 2021 Facebook v. Duguid decision narrowed what counts as an ATDS and shifted the litigation landscape, though collectors still face exposure under other theories [3].
What does TCPA compliant mean in practice?
TCPA compliant means your outbound calling and texting program satisfies every applicable requirement of 47 U.S.C. § 227 and the FCC's rules at 47 C.F.R. Part 64. In practice, that breaks into four operational pillars.
Consent is valid and documented. For autodialed or prerecorded marketing calls and texts to cell phones, you need prior express written consent. That means a signed agreement (electronic signatures count under the E-SIGN Act) where the consumer clearly authorizes calls or texts from your company, to a specific number, using an ATDS or prerecorded voice. The disclosure has to be clear and conspicuous. It cannot hide inside general terms and conditions. The FCC's 2024 one-to-one consent rule pushed this further, requiring consent be specific to your company by name rather than a catch-all grant to a lead generator's whole client list [2].
Your calling lists are scrubbed. You keep an internal DNC list and suppress against it. You scrub against the national DNC registry at least every 31 days if you make telemarketing calls. You honor opt-out requests promptly, and "promptly" in most readings means 10 business days at the outside.
Your technology qualifies. After Facebook v. Duguid, an ATDS is a system that uses a random or sequential number generator to store or produce numbers to be dialed [3]. If your system only dials from a pre-loaded list without that generation function, it may fall outside the statutory ATDS definition. But your dialer still has to satisfy state law, which often reaches further, so do not treat the Supreme Court decision as a clean pass.
Time-of-day rules are followed. The FCC restricts calls to the hours of 8 a.m. to 9 p.m. in the called party's local time [4]. Automated texts sent outside that window carry the same exposure.
TCPA compliance is not a checkbox you tick once. Consent ages out when your relationship with a consumer changes, when a carrier reassigns a number to a new subscriber, or when the consumer revokes it. Keeping a clean, current, consented list is ongoing work, not a setup task.
What are the TCPA penalties per violation?
The TCPA sets statutory damages at $500 per violation [1]. If a court finds the violation willful or knowing, that trebles to $1,500 per violation. There is no cap on aggregate damages in a class action, which is how one bad campaign becomes a nine-figure lawsuit.
The per-call number looks small. It is not. An autodialer can place 10,000 calls in a day. At $500 each, that is $5,000,000 in potential statutory exposure from a single day of dialing. Class actions routinely cover months of calling, and class sizes can run into the millions of numbers.
A few real settlements show the scale. UnitedHealthcare agreed to pay $2.5 million to resolve TCPA allegations about automated calls [see /articles/tcpa-basics/unitedhealthcare-to-pay-2-5m-for-alleged-tcpa-violations]. Truist Bank faced a class action over similar allegations [see /articles/tcpa-basics/truist-bank-tcpa-class-action-settlement]. Albertsons/Safeway settled a TCPA case over text messages [see /articles/tcpa-basics/albertsons-safeway-tcpa-settlement]. These are not outliers. TCPA class actions rank among the most-filed consumer protection cases in federal court every year.
The private right of action is the real enforcement engine. The FTC and FCC can levy fines, but individual consumers and class-action plaintiffs sue directly in federal or state court with no agency involvement at all. That is what sets TCPA exposure apart from most regulatory compliance. You do not need a government investigation to end up in court.
The statute of limitations for a TCPA claim is four years under the federal catch-all statute (28 U.S.C. § 1658), though this has been litigated. Some courts apply a shorter period. If you are defending a suit, ask counsel about the rules in your jurisdiction [5].
What is an automatic telephone dialing system (ATDS) under the TCPA?
An ATDS, or autodialer, is the technology trigger for the TCPA's cell phone restrictions. The statute defines it as equipment that has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator, and to dial those numbers [1].
The Supreme Court in Facebook, Inc. v. Duguid (2021) held that this definition requires random or sequential number generation as part of the storing or producing function [3]. A system that just dials numbers off a pre-uploaded list, with no random or sequential generation, does not meet the statutory ATDS definition under that ruling.
This matters for predictive dialers and CRM-integrated click-to-dial systems. Plenty of lawyers expected Duguid to close off a big chunk of TCPA cell phone cases. It did cut some exposure. Two things kept the litigation alive. First, many state TCPA analogs define autodialers more broadly. California's Automatic Telephone Dialing Systems statute (Cal. Bus. & Prof. Code § 17538.41) and Washington's law both use different definitions. Second, plaintiffs pivoted to prerecorded voice claims and DNC claims, neither of which turns on the ATDS definition.
Here is the practical read. If your dialing system has any capacity to generate numbers randomly or sequentially, even if you never use that feature, talk to counsel before you assume Duguid protects you. Courts have split on the "capacity" language.
What consent do you need to comply with the TCPA?
The TCPA has two tiers of consent. Which one you need depends on what you are doing.
Prior express consent covers non-telemarketing contact, like informational calls or texts. It can be oral or written. A consumer who hands you their cell number inside an existing business relationship has generally given prior express consent for that kind of contact. The FCC confirmed this in its 2012 order [4].
Prior express written consent is the standard for telemarketing calls and texts made with an ATDS or prerecorded voice. The FCC's rules require the consent be in writing (electronic is fine), clearly authorize your specific company to contact the consumer at a specific number, and avoid burying the disclosure in fine print.
The FCC's 2024 one-to-one consent order, effective January 2025, held that consent captured through a lead generator or comparison site could not be a blanket grant covering dozens of companies. Every company named on the disclosure had to be identified specifically [2]. That rule reshaped lead-gen business models almost overnight, though an appeals court later vacated it (more on that below).
Consent can be revoked. The FCC's rules require callers to honor revocation requests "through any reasonable means," which includes texting "STOP," telling a live agent to stop calling, or using any other channel to say so. Once consent is revoked, you cannot lawfully keep up the autodialed contact.
For teams running text message marketing campaigns, the written consent requirement is non-negotiable. A verbal opt-in a sales rep jotted down does not meet the standard for telemarketing texts.
How does the national Do Not Call registry relate to the TCPA?
The national Do Not Call (DNC) registry runs under the FTC's Telemarketing Sales Rule, but the TCPA gives consumers a private right to sue over DNC violations [2]. That overlap matters. A single DNC violation can be enforced by the FTC, the FCC, a state attorney general, or the consumer who took the call.
A number becomes protected 31 days after registration. After that, a telemarketing call to that number, absent a prior business relationship or written permission, is a violation. The safe harbor for numbers registered fewer than 31 days is narrow and demands documented procedures.
The FTC charges data access fees to companies pulling DNC lists for scrubbing. There is a small business exception for anyone making fewer than 5 calls per year to DNC-listed numbers, but that threshold is so low it is meaningless for any real sales operation.
Want to know how to keep unwanted calls off your own phone? The practical consumer steps are in our guide to how to stop robocalls.
Many states run their own DNC lists on top of the federal one. Some charge for access. Some are free. Texas, Indiana, Wyoming, and a handful of others keep separate lists that operate independently of the federal registry. A number missing from the federal DNC may still sit on a state list.
What is the difference between the TCPA and the Telemarketing Sales Rule?
These two laws cover overlapping ground but come from different agencies and target different things. The TCPA (FCC) governs the technology used to make calls. The Telemarketing Sales Rule (FTC) governs deceptive and abusive telemarketing practices.
The TCPA primarily regulates autodialers and prerecorded voices, and it applies whether or not the call is a sales call. An autodialed appointment reminder from your dentist is covered by the TCPA even though it sells nothing.
The Telemarketing Sales Rule (TSR) covers the national DNC registry, mandates certain disclosures, and restricts calling hours. It applies to the content and manner of telemarketing regardless of whether a dialer was used.
Run a telemarketing program on a predictive dialer and you can trip both if something goes wrong. You can hold valid TCPA consent and still violate the TSR by calling numbers on the national DNC registry without an exception. The rules stack. They are cumulative, not alternative.
| Feature | TCPA (FCC) | Telemarketing Sales Rule (FTC) |
|---|---|---|
| Enforcing agency | FCC | FTC |
| Private right of action | Yes, individuals can sue | No direct private right; state AGs can act |
| Primary focus | Dialing technology and consent | Deception, DNC, calling practices |
| Damages | $500, $1,500 per call | FTC civil penalties up to $51,744 per violation [6] |
| Applies to texts | Yes (FCC treats as calls) | Limited; primarily phone calls |
| Time-of-day rules | 8 a.m., 9 p.m. recipient's local time | 8 a.m., 9 p.m. recipient's local time |
Which calls and texts are exempt from the TCPA?
The TCPA carries several statutory and regulatory exemptions. None of them run as wide as marketers hope.
Emergency calls. Calls for emergency purposes are exempt. This is narrow. A bank's autodialed fraud alert generally qualifies. A lender's collection call does not.
Calls to landlines with a live agent. The autodialer restrictions apply to cell phones and prerecorded calls to residential lines. A live agent dialing a residential landline is not subject to the TCPA's consent requirement, though DNC and TSR rules still apply.
Healthcare calls with a HIPAA nexus. The FCC created a limited exemption for certain healthcare messages: appointment reminders, wellness checkups, prescription notifications, and the like. The call must be free to the recipient (no charge if it hits a cell phone), brief, and free of any marketing content [4].
Prior business relationship. This is where compliance programs go wrong. A prior business relationship (EBR) is a valid defense for some DNC violations. It is not a free pass for autodialed cell phone calls. The TCPA's cell phone consent requirement has no EBR exemption the way the TSR does. Your existing customer still has to have consented before you autodial their cell.
Nonprofits. Tax-exempt nonprofits get some exemptions for autodialed calls placed by volunteers. Commercial fundraising firms calling on their behalf generally do not share that protection.
If your team runs text messaging marketing campaigns and someone tells you EBR covers your texting, that is wrong for cell phones. Push back. Ask them to show you the specific FCC ruling.
How has TCPA litigation changed in recent years?
TCPA class actions stay near the top of the volume charts for consumer protection cases in federal court. The landscape has shifted in a few clear ways since 2021.
Facebook v. Duguid narrowed the ATDS definition and shut off some cell phone autodialer claims [3]. Plaintiffs responded by leaning on prerecorded voice claims (no ATDS finding required) and DNC violations. Lead generators became a bigger target.
The FCC's 2024 one-to-one consent order drew a court challenge fast. The Eleventh Circuit vacated the rule in January 2025, finding the FCC had exceeded its statutory authority on that specific provision [7]. That is exactly the kind of fast-moving change that makes TCPA compliance hard to manage without current sources. The underlying consent requirement still stands under earlier FCC rules. Only the one-to-one enhancement got voided.
State laws are filling the space. Washington's CEMA (Commercial Electronic Mail Act) and Florida's 2021 Mini-TCPA (the Florida Telephone Solicitation Act, or FTSA) have produced heavy litigation. The FTSA's autodialer definition runs broader than the post-Duguid federal one, which is why Florida shows up in so many recent TCPA-adjacent class actions [11].
For ongoing coverage of settlements and rulemaking, TCPA news tracks the cases worth watching. Real outcomes, like the Cash App TCPA class action settlement and the Credit One TCPA settlement, show how courts value these claims in practice.
Here is the honest answer for teams building compliance programs. The rules change faster than most compliance checklists get updated. A point-in-time tool is a start. Pairing it with a compliance kit that gets revised as the regulations move, like the one LeadCompliant offers at no cost, is a workable middle ground before you can justify outside counsel on retainer.
What steps does a small outbound team need to take to be TCPA compliant?
Small teams get no exemption. The TCPA applies the same way to a five-person SDR team and a 500-seat call center. Here is how a small operation builds a defensible program without a full legal department.
Audit your technology first. Find out whether your dialing system is an ATDS under the post-Duguid definition. Ask your vendor. Get the answer in writing. If they cannot tell you, treat it as an ATDS and require consent accordingly.
Map your consent collection. For every channel where you collect leads, trace how the consent language reads. Is it specific to your company? Is it clear and conspicuous? Does it mention autodialed calls and texts? If you buy leads from a third party, get the consent language they used and hold it against what the FCC requires.
Build a suppression list. Keep an internal DNC list. Every opt-out goes on it immediately. If you make telemarketing calls, scrub against the national DNC registry. The FTC's registry access system is at donotcall.gov, with costs starting at $75 for the first area code and scaling from there [8].
Set time-of-day controls. Your dialer should enforce 8 a.m. to 9 p.m. in the recipient's local time zone. Basic, and small teams miss it constantly by setting the window in their own time zone.
Train your team on opt-outs. A consumer who tells a live agent "stop calling me" has revoked consent. Your agent needs to know how to log that and where it goes, so the number drops out before the next dial list gets built.
Document everything. In a TCPA dispute, the burden of proving consent sits on the caller. Courts have held this consistently [5]. If you cannot produce a timestamped record of how, when, and to what a consumer consented, you are litigating with no evidence.
LeadCompliant has a free TCPA compliance kit that walks these steps with checklists and sample consent language. It is a starting point, not a replacement for legal advice tailored to your program.
Is the TCPA the same as CAN-SPAM?
No. Different channels, different agencies.
CAN-SPAM (the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003) governs commercial email and is enforced by the FTC. Its requirements: a working opt-out mechanism, honest subject lines, a physical address in the message, and a clear disclosure that the email is an advertisement [9]. Violations carry FTC civil penalties, but consumers have no private right of action under CAN-SPAM.
The TCPA covers phone calls, text messages, and faxes, and the FCC enforces it. Consumers can sue directly with no FTC involvement.
Run a multi-channel outbound program and you need both. An email with compliant CAN-SPAM headers is still a TCPA problem the moment it triggers an autodialed follow-up call to unconsented cell numbers. Compliance in one channel does not carry into another.
What should you do if you receive a TCPA demand letter or lawsuit?
Do not panic, and do not answer the plaintiff's attorney directly before you have your own counsel. TCPA demand letters are common. Many go out speculatively to companies that may or may not have called the plaintiff.
Preserve everything. Call logs, dialing records, consent records, opt-out logs, CRM data. All of it becomes relevant. Deleting records after a demand letter arrives creates spoliation problems worse than the underlying TCPA claim.
Verify the facts. Pull your records for the number in the letter. Did you call it? When? On what consent basis? Was it on your DNC suppression list? Those answers tell you whether you have a defense or whether early settlement makes more sense.
TCPA class actions often settle before certification. Amounts swing hard depending on the size of the alleged class, the quality of your consent records, and the jurisdiction. Individual statutory damages cases sometimes settle for a few thousand dollars. Class cases with weak documentation can run into millions.
If you are in Kentucky and hunting for regional counsel who knows TCPA defense, our resource on TCPA lawyers in Kentucky covers what to look for. The Joseph Snyder Credit One TCPA case is a useful example of how an individual plaintiff case plays out at the district court level.
This article is general information, not legal advice. If you have a TCPA lawsuit or demand letter in hand, consult a licensed attorney.
Frequently asked questions
What does TCPA mean?
TCPA stands for Telephone Consumer Protection Act, a federal law passed in 1991 and codified at 47 U.S.C. § 227. It restricts unsolicited robocalls, autodialed texts, and junk faxes. The FCC enforces it, but individual consumers can also sue directly without involving any government agency, which is what makes it a major source of class-action litigation.
What does TCPA compliant mean?
TCPA compliant means your calling and texting program meets all requirements of 47 U.S.C. § 227 and FCC implementing rules. At minimum: you have valid documented consent from every contact before using automated or prerecorded contact, you scrub against the national DNC registry, you honor opt-outs promptly, and you only call between 8 a.m. and 9 p.m. in the recipient's local time.
Does the TCPA apply to text messages?
Yes. The FCC ruled that text messages are calls for TCPA purposes. Autodialed marketing texts to cell phones require prior express written consent, the same standard as autodialed voice calls. This means your SMS opt-in flow must include clear disclosure that the consumer is authorizing automated texts from your specific company.
What is the TCPA penalty per violation?
The statute sets $500 per violation. Courts can treble that to $1,500 per violation if the violation was willful or knowing. There is no cap on aggregate class action damages, so a campaign that placed 100,000 unconsented autodialed calls carries up to $50 million in potential statutory exposure before any negotiation.
Who enforces the TCPA?
The FCC writes and enforces the TCPA's implementing rules. But the statute gives individual consumers a private right of action, meaning anyone who received an unlawful call can sue directly in federal or state court. Class-action attorneys are the practical enforcement mechanism. The FTC handles related violations under the Telemarketing Sales Rule and DNC registry.
Does the TCPA apply to B2B calls?
Partly. The TCPA's cell phone autodialer restrictions apply regardless of whether the number is used for business or personal purposes. If you are autodialing a business owner's cell phone, you need consent. Calls to business landlines have more latitude, though state laws and the TSR still apply. The national DNC registry covers personal numbers but not business-only numbers.
What is prior express written consent under the TCPA?
Prior express written consent is a signed agreement (physical or electronic) where the consumer authorizes your specific company to contact them at a specific phone number using an autodialer or prerecorded voice. The consent disclosure must be clear and conspicuous, cannot be buried in general terms and conditions, and cannot be a blanket grant covering an unspecified list of companies.
Can I call someone back who called me first under the TCPA?
Providing a number to a business for a transaction generally counts as prior express consent for that business to call back about the same transaction. It does not automatically authorize autodialed marketing calls on unrelated topics, and it does not override a DNC registration. The scope of consent is tied to the context in which the number was given.
Does buying a lead list mean I have TCPA consent to call those leads?
No. Buying a list does not transfer consent. You need to verify that each contact on the list actually consented to be contacted by your company, using language specific enough to meet FCC standards. After the FCC's 2024 one-to-one consent rulemaking (even with its partial vacatur), blanket consent granted to a lead generator's entire client network does not satisfy the requirement.
How long do I have to honor a TCPA opt-out request?
The FTC's TSR requires DNC opt-outs be honored within 30 days; FCC guidance generally expects faster action. Most compliance programs treat 10 business days as the practical maximum, with best practice being suppression before the next campaign runs. Real-time suppression is the standard for text message opt-outs, where sending even one more message after a STOP request is a separate violation.
What changed after the Supreme Court's Facebook v. Duguid ruling on the TCPA?
The Supreme Court held in 2021 that an ATDS must use a random or sequential number generator to store or produce numbers dialed. Systems that only dial pre-loaded lists without that generation function may not meet the statutory ATDS definition. This reduced some autodialer claims, but prerecorded voice claims and DNC violations are unaffected by the ruling, and many state laws define autodialers more broadly.
Is there a TCPA exemption for existing customers?
There is no existing business relationship exemption from the TCPA's requirement to have consent before autodialing a customer's cell phone for marketing. An EBR helps with some DNC claims under the TSR but does not substitute for TCPA consent. Many companies discover this gap when they face suit over automated win-back campaigns sent to customers who never explicitly consented to autodialed contact.
What hours can I legally call under the TCPA?
FCC rules restrict calls to between 8 a.m. and 9 p.m. in the called party's local time zone. Calls outside those windows are a separate TCPA violation even if you otherwise have valid consent. This applies to both voice calls and autodialed text messages. Time-zone detection needs to be based on the area code and exchange of the recipient's number, not your own location.
Does the TCPA apply to calls made to numbers that were reassigned to a new subscriber?
Yes, and this is a real risk. If the person who consented to be called no longer owns a number because it was reassigned by the carrier, calling that number reaches an unconsented party. The FCC created the Reassigned Numbers Database (RND) to help callers check for reassignments before dialing. Using it does not guarantee immunity but demonstrates reasonable precautions.
Sources
- U.S. Congress, Telephone Consumer Protection Act, 47 U.S.C. § 227 (via Legal Information Institute, Cornell Law School): TCPA enacted 1991; prohibits ATDS or prerecorded calls to cell phones without prior express consent; $500 per violation, $1,500 if willful
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), opinion available via Supreme Court opinions section: ATDS definition requires random or sequential number generation; narrowed scope of autodialer claims under TCPA
- Federal Judicial Center, TCPA litigation overview: Burden of proving consent falls on caller; four-year federal statute of limitations under 28 U.S.C. § 1658 commonly applied
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR civil penalties up to $51,744 per violation; FTC enforcement of national DNC registry
- U.S. Court of Appeals, Eleventh Circuit, Insurance Marketing Coalition v. FCC (2025): Eleventh Circuit vacated FCC's 2024 one-to-one consent rule in January 2025, finding FCC exceeded statutory authority
- FTC, National Do Not Call Registry, donotcall.gov: Telemarketers must register and pay fees to access DNC data; starts at $75 per area code; 31-day grace period after registration
- FTC, CAN-SPAM Act compliance guide for business: CAN-SPAM governs commercial email; enforced by FTC; no private right of action; separate from TCPA
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida's 2021 Mini-TCPA defines autodialers more broadly than post-Duguid federal definition; significant source of state-level TCPA-analog litigation