Last updated 2026-07-10

TL;DR
The biggest TCPA shifts for 2026 are the FCC's one-to-one consent rule (effective January 27, 2025, and now the spine of every lead workflow), AI-voice calls treated as illegal artificial-voice robocalls without consent, class settlements running into eight figures, and states like Florida stacking their own consent laws on top. Haven't audited your lead sources yet? You're already exposed.
What is the single biggest TCPA change affecting outbound teams in 2026?
The one-to-one consent rule. That's it. Everything else in 2026 is noise next to it.
The FCC adopted this rule in December 2023 in its Report and Order in CG Docket No. 21-402 [1]. It took effect January 27, 2025. So if you're reading this mid-2026 and your consent flow still looks like it did in 2024, you've been carrying risk for more than a year.
Here's what the rule actually requires. Before the change, one consent checkbox on a comparison shopping site could legally cover dozens of sellers. A consumer clicked once and authorized calls from every company in the network. The FCC called that the "lead generator loophole" and shut it. Under the amended rule, prior express written consent has to go to each seller individually and by name [1]. One box, one seller. The consumer has to see your company's name and agree to hear from you specifically.
For teams buying leads from aggregators, this breaks the old model. The blanket consent forms don't cover you anymore. You need one of two things: a consent form that names your company, or a real-time consent setup where the opt-in is captured on a page that lists you as the recipient before the lead lands in your dialer.
The FCC also added a "logically and topically related" requirement [1]. Even with clean one-to-one consent, your calls and texts have to relate to what the consumer originally engaged with. Someone asked about car insurance quotes? You can't turn that consent into a home warranty pitch.
What happened with the FCC's AI call and text rules in 2025 and 2026?
AI voices are already illegal for cold outreach without consent. In February 2024, the FCC issued a Declaratory Ruling saying AI-generated voices in calls count as "artificial" voices under 47 U.S.C. § 227(b)(1)(B) [2]. No new statute needed. AI-voiced robocalls to cell phones without prior express consent are banned under the TCPA text that already exists.
By 2025 and into 2026, the enforcement picture sharpened. Carriers now flag AI-voiced calls through STIR/SHAKEN attestation gaps, and state attorneys general file actions alongside the FCC. The Commission proposed a $6 million forfeiture over AI-voice scam calls in late 2024, which tells you where its attention sits [3].
The practical question for legit teams: does a voice AI tool that pre-records your sales script count? Yes, if the system generates the voice artificially instead of playing back a real human recording. Two safe paths exist. Get prior express written consent before any AI-voiced call, or use live agents for cold outreach.
AI texting is a separate lane. An AI-drafted SMS sent through an ATDS, or a platform with ATDS characteristics, sits under the same consent rules as any other text. The fact that a model wrote the words changes nothing about the channel's consent requirements.
What major TCPA settlements and verdicts happened in 2025 and 2026?
Settlements stayed large and steady. A handful are worth knowing because they show exactly where plaintiffs' firms are hunting.
UnitedHealthcare agreed to pay $2.5 million over TCPA allegations tied to healthcare-related calls learn more about that case. Albertsons and Safeway faced a class action over SMS marketing sent to customers who disputed ever giving proper consent see the Albertsons/Safeway settlement breakdown. Credit One Bank has been a repeat defendant, including the Joseph Snyder matter details on Credit One's TCPA history and the Snyder-specific filing.
Cash App settled a class action with heavy class member participation read the Cash App TCPA class action breakdown. Truist Bank settled too see the Truist settlement details. Kaiser's settlement had a claim deadline that tripped up a lot of eligible consumers Kaiser TCPA settlement claim deadline explained.
The pattern is consistent. The alleged violations are calls or texts to cell phones without valid prior express consent, often after the consumer revoked consent or was already on the DNC registry. Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per violation and up to $1,500 for willful ones [4]. Multiply that across a class of tens of thousands and eight-figure exposure is routine.
The lesson isn't about which industries get hit. It's all of them. The lesson is the consent documentation gap. Nearly every case turns on whether the defendant can prove valid consent existed at the time of each call or text. Most can't.
How does the one-to-one consent rule change lead buying in practice?
Buying leads from aggregators is still legal. The one-to-one rule didn't ban lead gen. It shifted who carries the consent risk and how you have to prove it.
Before January 2025, a compliant lead purchase came with a certificate from the aggregator saying the consumer consented to calls from "insurance providers" or "financial services companies." That's dead. Now you need documentation showing the consumer saw your company name and agreed to hear from you specifically.
Three implementations are showing up in 2026. First, real-time lead pings: the consumer's session is still active, the form dynamically inserts the buyer's name before submission, and a timestamped consent record travels with the lead. That's the cleanest setup, but it needs aggregators who actually built for it. Second, a pre-call consent verification step, where you send an SMS or email asking the consumer to confirm they want your company to contact them before your agent dials. It adds friction and creates a fresh, unambiguous consent record. Third, some teams are walking away from third-party lead buying for outbound calls entirely and moving budget to inbound or owned-list marketing where the consent trail is theirs.
Still buying under old blanket-consent terms? The aggregator's indemnification clause matters but won't save you. The TCPA lets plaintiffs sue the caller directly [4]. An indemnity promise only helps if the vendor has the money and the appetite to honor it.
For how consent documentation works in SMS, the text message marketing guide and text messaging marketing overview on this site walk through the mechanics.
What are the state-level TCPA-adjacent laws adding new requirements in 2026?
The federal TCPA is a floor, not a ceiling. Several states go further, and they enforce.
Florida's Telephone Solicitation Act (FTSA) is the most aggressive state analog. It requires written consent before any telephonic sales call, carries a private right of action, and sets $500 per violation [5]. The law explicitly covers texts. The litigation wave started in 2021 and ran straight through 2025 with no sign of slowing.
California layers on more. The CCPA and California's own robocall rules add requirements around data disclosure and honoring opt-outs. Put a California resident on your list and you're juggling federal TCPA plus state privacy law at the same time.
Texas, Oklahoma, and several others have tightened telemarketing registration. Texas makes telemarketers register with the Secretary of State and post a bond. Skip the registration and you've created a separate liability exposure sitting on top of any TCPA claim.
The development that matters most in 2026 is state attorneys general bringing TCPA-style enforcement, sometimes shoulder to shoulder with the FCC. Double-track enforcement means settling with the FCC doesn't close the book. The state can still come after you under its own law.
Operate in a high-exposure state? A few hours with regional TCPA counsel is money well spent. The TCPA lawyer Kentucky page shows how regional counsel gets pulled into these matters.
What is the FCC's current position on ATDS definition after Facebook v. Duguid?
This is where the law got cleaner but not simple. The Supreme Court's 2021 ruling in Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), narrowed the ATDS definition a lot [6]. The Court held an ATDS must have the capacity to store or produce phone numbers using a random or sequential number generator. Dial from a stored list without that generation and you're not using an ATDS.
For most modern dialers, that was good news. A CRM-integrated dialer that calls down a prospect list isn't an ATDS under Duguid. But consent requirements for calls to cell phones using prerecorded or artificial voices stay in place no matter the ATDS status [4]. And the one-to-one consent rule reaches any call made for commercial purposes, well beyond ATDS calls.
In 2025 and 2026, plaintiffs' lawyers adapted. They lean less on ATDS claims when the technology is clearly list-based, and more on prerecorded voice claims, revocation claims, and DNC violations. The Duguid win didn't end TCPA litigation. It redirected it.
The FCC hasn't issued new rules redefining ATDS after Duguid. Its posture is to let the statutory text, as the Court read it, control, while spending its rulemaking energy on the consent side.
How does call time window and DNC compliance work in 2026?
Federal calling hours run 8 a.m. to 9 p.m. local time at the called party's location. Not your office's time zone. Under 47 U.S.C. § 227 and the FTC's Telemarketing Sales Rule, calls outside that window are prohibited [7]. A team in Arizona calling East Coast consumers has to stop at 9 p.m. Eastern, which might be 6 p.m. locally. The rule hasn't changed. Enforcement patterns have.
The National DNC Registry, run by the FTC, requires telemarketers to register and scrub their lists against it at least every 31 days [7]. Registry access ran $79 per area code per year in 2025, up to a capped total for large subscribers [7]. You also have to keep your own internal DNC list and honor company-specific opt-outs within 30 days.
One 2026 wrinkle: the FCC keeps pushing carriers toward more aggressive analytics-based call blocking. Legitimate high-volume callers are getting flagged even when they're technically clean. The fix is to register your numbers through the Robocall Mitigation Database, use STIR/SHAKEN attestation correctly, and avoid dialing patterns that look like robocall traffic no matter how compliant you actually are.
For the consumer side of unwanted calls, the how to stop robocalls guide covers what recipients can do.
What do the 2026 TCPA changes mean for SMS marketing specifically?
SMS is the highest-risk channel right now. TCPA violations count per message, so one bad campaign to 50,000 people is 50,000 potential $500 violations. That's $25 million in statutory exposure before a court even considers trebling for willfulness.
The one-to-one consent rule applies to commercial SMS. Text people to promote your services and you need prior express written consent from each recipient, and that consent has to specifically authorize texts from your company [1].
The CTIA's guidelines aren't law, but carriers enforce them and can cut off your messaging traffic if you break them [8]. Through 2025 and 2026, carriers got more aggressive about suspending short codes and 10DLC numbers from senders with high opt-out or spam-complaint rates. The practical floor looks like a 0.3% opt-out rate before carriers start reviewing your traffic.
For 10DLC, all commercial campaigns must be registered with The Campaign Registry (TCR). Unregistered 10DLC traffic gets filtered by every major carrier. Campaign registration runs $10 to $25 per campaign, plus carrier-specific fees that typically add $0.003 to $0.01 per message above the standard rate [8].
Revocation by text takes effect immediately. If a consumer texts STOP, you honor it fast, not on your next batch scrub cycle. The FCC's 2024 guidance made clear that "reasonable time" means quickly.
The TCPA news hub tracks SMS-relevant developments as new FCC orders land.
What should outbound teams actually do right now to reduce TCPA exposure in 2026?
Here's what I'd actually do, in rough priority order, if I ran an outbound team today.
First, audit every lead source and pull the consent records. For each source, answer four questions: when did this consumer consent, what exact language did they see, did that language name our company, and do we have a timestamp and IP address proving it? Can't answer all four for a given lead? Stop calling it until you can or until you get fresh consent.
Second, build an internal DNC list and a process that honors revocations within 24 hours, not 30 days. Thirty days is the legal maximum [7]. Twenty-four hours is what saves you from the plaintiff who got called three weeks after saying stop.
Third, if you use a third-party dialing platform, get it in writing that the vendor complies with the Robocall Mitigation Database requirements and that their system isn't an ATDS under Duguid. Get the attestation language. If they won't provide it, that tells you plenty.
Fourth, for SMS, register your 10DLC campaigns through TCR before sending, keep opt-out rates under 0.3%, and audit your consent capture forms every quarter.
Fifth, if you buy leads, write consent documentation into the vendor contract. Require each lead to arrive with a certificate that includes the consumer's IP address, the timestamp, the exact form URL, and the specific consent language that named your company.
LeadCompliant's free compliance kit and consent audit checklist give you a documented starting point for the lead source audit and the internal DNC process, which is where most teams have their widest gaps.
None of this replaces a lawyer. This is operational guidance, not legal advice. Already named in a TCPA complaint? Stop reading listicles and call counsel.
How are courts handling TCPA class certification in 2025 and 2026?
Class certification decides the economics of a TCPA case. Certify the class and the exposure math turns existential. Deny it and most individual plaintiffs don't have enough at stake to keep fighting.
Through 2025 and 2026, courts kept certifying classes in TCPA cases, especially where the core question is whether the defendant had valid consent. That question tends to be common to every class member when one flawed consent form or one lead aggregator sat at the center [9].
Defendants win against certification by showing individualized consent questions, meaning each class member's consent story is different enough that a single trial can't resolve them. That works when a company can show multiple lead sources with different consent forms. It fails when the company bought from one aggregator using one defective blanket form.
The other defense trend is standing, post-TransUnion LLC v. Ramirez, 594 U.S. 413 (2021) [10]. Courts have split on whether receiving an unwanted call or text is a concrete enough injury for Article III standing in federal court. Some dismiss TCPA cases for lack of standing. Others find the intangible harm sufficient. It's unsettled, and it drives venue strategy.
For small outbound teams, the takeaway is blunt. Class exposure is real even if you make a limited number of calls. One bad lead source used across a three-month campaign can build a class big enough to draw plaintiffs' firms.
What FCC proceedings should outbound teams watch in the second half of 2026?
A few open dockets matter. The FCC's proceeding on advanced methods to target and eliminate unlawful robocalls (CG Docket No. 17-59) has ongoing activity around carrier-level call blocking and the obligations of gateway providers who bring international robocall traffic onto US networks [11]. It aims at scam callers, but legitimate high-volume callers who don't authenticate through STIR/SHAKEN become collateral damage when carrier filtering gets aggressive.
The Commission has also been weighing how fast companies must honor opt-outs. The current revocation rules, clarified in the FCC's 2024 Report and Order, say companies can set reasonable methods for revocation but can't force consumers into a single method [12]. Text STOP, call in, or email a clear opt-out request, and that's effective revocation no matter what your terms of service claim about which channel to use.
There's an open question about whether the FCC will address predictive dialer regulation more directly, since Duguid left ambiguity around systems that use algorithmic list ordering. No rule has been proposed as of mid-2026, but the consumer bureau has flagged it as an area of interest.
The most reliable way to track FCC proceedings is the Commission's Electronic Comment Filing System (ECFS) at fcc.gov [11]. For TCPA rulemaking, CG Docket No. 02-278 is the core docket where most substantive changes show up.
Frequently asked questions
When did the FCC's one-to-one consent rule take effect?
January 27, 2025. The FCC adopted it in December 2023 as part of its Report and Order in CG Docket No. 21-402. Any call or text made after that date under a blanket consent form that doesn't name your company is potentially non-compliant. If your lead vendors haven't updated their forms since early 2025, treat those leads as risk.
What is the TCPA penalty per violation in 2026?
Statutory damages under 47 U.S.C. § 227(b)(3) are $500 per violation. For willful or knowing violations, courts can treble that to $1,500 per call or text. There's no cap on total damages in a class action, which is why a campaign that sends 50,000 texts without proper consent can theoretically generate $25 million to $75 million in exposure.
Does the one-to-one consent rule apply to text messages?
Yes. The FCC's rule reaches any telemarketing call or text made using an ATDS or prerecorded voice, and the consent has to name the specific seller. Commercial SMS marketing to cell phones requires prior express written consent under 47 U.S.C. § 227(b)(1)(A)(iii), and the one-to-one requirement means each message sender must be individually authorized in that consent.
Can I still use a predictive dialer after Facebook v. Duguid?
Probably yes, if your dialer calls from a stored list without using a random or sequential number generator to produce the numbers. The 2021 Duguid ruling narrowed the ATDS definition to systems that generate numbers randomly or sequentially. List-based dialers generally fall outside it. But if your dialer plays prerecorded voice messages, consent is still required for cell phone calls regardless of ATDS status.
How often do I need to scrub my list against the National DNC Registry?
At minimum every 31 days. The FTC's Telemarketing Sales Rule requires scrubbing against the National DNC Registry at least that often. You also have to keep your own internal DNC list and honor company-specific opt-out requests within 30 days. Tighter cycles, weekly if your list is large, shrink the window of liability when someone registers mid-cycle.
What calling hours are legal under federal TCPA rules in 2026?
Between 8 a.m. and 9 p.m. local time at the called party's location, not your office's time zone. The rules haven't changed. States can be stricter: Florida and several others apply the same or tighter windows. Calling across time zones, use the area code to estimate local time and build in a buffer, because getting this wrong is an easy-to-prove violation.
Do I need to register my 10DLC number before sending commercial texts in 2026?
Yes. All commercial 10DLC (10-digit long code) messaging must be registered through The Campaign Registry before you send. Unregistered traffic gets filtered by every major US carrier. Brand registration costs roughly $4 to $10, campaign registration runs $10 to $25 per campaign, and carriers add per-message surcharges. Skip registration and your messages likely won't deliver, and any that do drop you into carrier dispute territory.
Are AI-generated voices treated differently under the TCPA?
No, they're treated the same or worse. The FCC's February 2024 Declaratory Ruling said AI-generated voices qualify as artificial voices under 47 U.S.C. § 227(b)(1)(B). AI-voiced calls to cell phones without prior express consent are illegal under the existing statute. The AI authorship doesn't create a new category. It fits inside the existing prerecorded/artificial voice prohibition.
What happens if a lead vendor sold me a lead with invalid consent?
You're still the defendant. The TCPA puts liability on the party that initiates the call or text. Your contract with the vendor may include indemnification, and you can pursue the vendor separately, but plaintiffs sue you, not your vendor. The indemnity clause is only as good as the vendor's solvency and willingness to pay. Requiring valid consent documentation upfront is far better insurance.
How does a consumer revoke TCPA consent in 2026?
Through any reasonable means. The FCC's 2024 Report and Order on revocation made clear companies can't restrict consumers to a single channel. If someone texts STOP, calls your customer service line, or emails a clear opt-out request, that's legally effective revocation, and you have to honor it promptly. The FCC didn't set an exact time limit but signaled that delays of weeks aren't acceptable.
What states have the most aggressive TCPA-equivalent laws in 2026?
Florida is the most active. Its Telephone Solicitation Act has a private right of action and $500-per-violation damages for texts and calls made without written consent. California, Washington, Oklahoma, and Texas also have telemarketing laws that add registration, bonding, or stricter consent on top of federal rules. State attorneys general in multiple states have been coordinating with the FCC on enforcement.
Does the TCPA apply to B2B calls?
Partially. The TCPA's residential Do Not Call provisions apply to calls to residential lines and cell phones of individuals, including sole proprietors. Pure business-to-business calls to a company's landline usually aren't covered by the cell phone consent rules. But call a person's cell phone, even for a business purpose, and the TCPA applies. The line blurs fast with mobile-first workforces.
What is the Robocall Mitigation Database and do I need to register?
The Robocall Mitigation Database is maintained by the FCC and requires voice service providers to register and certify their robocall mitigation practices. If you're a business using a third-party carrier for outbound calling, your carrier handles the registration, not you. But confirm your provider is registered, because gateway providers must block traffic from unregistered originators, which means your calls could be blocked if your carrier hasn't complied.
Can TCPA violations be criminal?
The TCPA itself is a civil statute with civil penalties. The FCC can refer matters to the DOJ, and related conduct such as spoofing caller IDs is a criminal offense under the Truth in Caller ID Act. State fraud and deceptive practices statutes can carry criminal exposure for egregious telemarketing too. For a typical outbound team with sloppy consent practices, the realistic risk is civil class action and FCC forfeiture, not prison.
Sources
- FCC, Report and Order, CG Docket No. 21-402 (December 2023), on the Telephone Consumer Protection Act: FCC adopted one-to-one consent rule requiring prior express written consent to be given to each seller individually and by name; logically and topically related requirement also adopted
- FCC, Declaratory Ruling, February 2024, on AI-generated voices under the TCPA: FCC ruled that AI-generated voices qualify as artificial voices under 47 U.S.C. § 227(b)(1)(B), making AI-voiced robocalls to cell phones without consent illegal under existing TCPA
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: Per-violation statutory damages are $500 per call or text, trebled to $1,500 for willful violations; TCPA imposes liability on the party that initiates the call
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's FTSA requires written consent before telephonic sales calls and texts, with $500 per violation and a private right of action
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held ATDS must have capacity to store or produce numbers using random or sequential number generator; list-based dialers generally excluded from ATDS definition
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Calls prohibited before 8 a.m. or after 9 p.m. local time at called party's location; DNC scrub required every 31 days; National DNC Registry access costs $79 per area code per year
- U.S. Courts, Federal Rules of Civil Procedure, Rule 23, Class Actions: TCPA class certification often granted when core question of valid consent is common to all class members due to a single defective consent form
- Supreme Court of the United States, TransUnion LLC v. Ramirez, 594 U.S. 413 (2021): Courts have split on whether receiving an unwanted call is a concrete enough injury for Article III standing post-TransUnion; affects TCPA case venue strategy
- FCC, Report and Order on revocation of consent, 2024, CG Docket No. 02-278: FCC 2024 order clarified companies cannot restrict consumers to a single opt-out channel; revocation through any reasonable means is legally effective