TCPA regulations: what they are and when they apply

TCPA regulations ban unsolicited robocalls and texts and carry fines up to $1,500 per call. Learn what rules apply, who's covered, and what counts as consent.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-10

Compliance officer reviewing phone call logs at desk under afternoon office light
Compliance officer reviewing phone call logs at desk under afternoon office light

TL;DR

The Telephone Consumer Protection Act (47 U.S.C. § 227) restricts robocalls, autodialed calls, prerecorded messages, and commercial texts to cell phones and residential lines. Violations cost $500 to $1,500 per call or text. The FCC writes the rules, but private plaintiffs drive most litigation. Marketing calls and texts to cell phones need written consent first.

What are TCPA regulations?

The Telephone Consumer Protection Act is a federal law passed in 1991 and codified at 47 U.S.C. § 227. [1] It restricts how businesses contact consumers by phone: cell phones, residential landlines, and fax machines. The Federal Communications Commission writes the rules that fill in the statute.

The TCPA does a handful of specific things. It bans calls and texts to cell phones using an automatic telephone dialing system (ATDS) or a prerecorded or artificial voice without prior express consent. It bans prerecorded calls to residential lines without consent. It bans calls to numbers on the National Do Not Call Registry. And it sets quiet hours: no calls before 8 a.m. or after 9 p.m. local time of the person you're calling. [2]

The statute also creates a private right of action. Any individual consumer can sue you in federal or state court instead of waiting for the FCC to act. Statutory damages run from $500 per violation for negligent violations up to $1,500 per violation for willful or knowing violations, with no cap on class size. [1] That math is why one mass-text campaign can turn into a nine-figure lawsuit.

The FCC updates its rules through orders, and those orders carry the force of law alongside the statute. The 2012 FCC order raised the consent standard for marketing calls to written prior express consent. [8] The FCC's 2024 one-to-one consent rule was set to take effect in early 2025, then got vacated by the Eleventh Circuit in January 2025 in Insurance Marketing Coalition v. FCC, so that specific rule is not in force. [3] Reading the statute is not enough. You have to track the orders too. For ongoing updates, tcpa news is worth bookmarking.

What exactly does the TCPA regulate?

The law covers four broad categories of contact.

Autodialed calls and texts to cell phones. The ATDS definition has been fought over for years. The Supreme Court narrowed it in Facebook v. Duguid (2021), holding that an ATDS must have the capacity to produce numbers using a random or sequential number generator, not merely store and dial numbers from a list. [4] So a predictive dialer that works purely off a stored list may not qualify as an ATDS under current case law, though courts still split on edge cases.

Prerecorded or artificial voice calls. These are covered whether or not the equipment is an ATDS. If a call plays a recorded message, it needs consent even when a human dialed it. That distinction matters. You can sometimes sidestep the ATDS problem with a human-initiated dialer, but a prerecorded message still triggers TCPA obligations.

Residential landline calls. The Do Not Call rules and the prerecorded call restrictions apply to residential lines. The FCC's recent robocall rules extended some protections and tightened authentication on voice carriers. [5]

Commercial text messages. The FCC ruled in 2003 that SMS messages to cell phones fall under the TCPA the same way calls do. [2] A mass-marketing text blast without written prior express consent is a violation, full stop. The text message marketing guide walks through how this works in practice.

Fax marketing also sits under the TCPA through the Junk Fax Prevention Act. Almost no outbound sales team uses fax anymore, so this article stays on calls and texts.

When does the TCPA apply to your calls or texts?

The TCPA applies any time you use covered technology to contact a covered number for a covered purpose. Get any one of those wrong and you have exposure.

Covered technology means an ATDS or a prerecorded/artificial voice system. After Facebook v. Duguid, whether your dialer counts as an ATDS depends on its architecture, not on how powerful it is. If your system generates numbers randomly or sequentially, it's an ATDS. If it dials only from a stored list using human-queued logic, courts are split on whether that qualifies. Get a written opinion from your dialer vendor. Do not assume you're safe.

Covered numbers means cell phones (for the ATDS and prerecorded rules) and residential landlines (for the prerecorded and DNC rules). Business lines are generally outside the TCPA's cell-phone provisions. But if a business number is actually a person's cell phone used for work, courts have held the TCPA can still apply.

Covered purpose is where most sales teams get tripped up. Informational or transactional calls, like appointment reminders or fraud alerts, need prior express consent (oral or written is fine). Marketing and promotional calls and texts need prior express written consent. The FCC counts electronic signatures and web form checkboxes as valid written consent, but the disclosure has to be clear and conspicuous and cannot be bundled with a purchase. [2]

Timing matters too. The quiet hours, 8 a.m. to 9 p.m. local time of the recipient, apply to calls made with an ATDS or prerecorded voice and to calls to DNC-listed numbers. Dialing across time zones? You need to schedule on the recipient's clock, not your office's.

TCPA key thresholds and penalties Core numbers every outbound team must know 500 Statutory damages per negli… violation 1,500 Statutory damages per willf… violation 31 DNC grace period after registration (days) 5 Internal DNC list retention minimum (years) Source: 47 U.S.C. § 227; 47 C.F.R. § 64.1200; FTC donotcall.gov

Does the TCPA apply to manually dialed calls?

Mostly no, but with real exceptions. This is probably the question outbound teams ask most, and the honest answer has three caveats attached.

The ATDS and prerecorded call restrictions under the TCPA's core cell-phone provision (47 U.S.C. § 227(b)) require an ATDS or a prerecorded voice. A purely manual call, where a live agent picks up a phone and dials the digits with no automated component, is not covered by the autodialer provisions. After Facebook v. Duguid, that line is cleaner than it was before 2021. [4]

Manual calling is still not a TCPA-free zone. Three things follow you regardless.

First, the Do Not Call rules apply no matter how the call is dialed. If a number is on the National DNC Registry or on your internal DNC list, you cannot call it for solicitation even on a fully manual dial. [2] The DNC rules live in a separate section (47 U.S.C. § 227(c)) and never required an ATDS.

Second, the prerecorded voice restriction is its own thing. Dial a number by hand, then play a recorded message, and the prerecorded rule kicks in. You need consent.

Third, state laws often reach further. Florida's mini-TCPA (the FTSA) covers "automated system" calls under a definition broader than the federal ATDS standard, and several other states have similar provisions. [6] A call that's clean under federal TCPA can still break state law.

So pure manual dialing with a live agent and no recorded message avoids the federal autodialer provisions. You still have to respect the DNC list, state statutes, and basic sense about harassment.

Consent comes in two tiers, and confusing them is one of the most expensive mistakes a sales team makes.

Prior express consent covers informational calls and texts. A bank texting a fraud alert on your account. A clinic leaving a voicemail about tomorrow's appointment. The consumer had to give their number in a context where it was clear they might get contacted. The FCC's 2012 order described valid consent as being "clearly and unmistakably stated." [8]

Prior express written consent is required for any call or text that advertises or promotes a product or service. The FCC regulation at 47 C.F.R. § 64.1200(f)(9) defines it as a signed agreement (electronic signatures count) that clearly authorizes the specific seller and discloses that agreeing is not a condition of any purchase. [2] A checkbox buried in terms of service does not cut it.

Lead generators and list brokers make this messy. If you buy leads, the consent has to name your company or, under older FCC interpretations, at least cover the category of seller and product. The vacated 2024 one-to-one rule would have forced your company to be named explicitly. Since the Eleventh Circuit struck it down in January 2025, the older standard technically applies, but courts don't agree on what "adequate" third-party consent looks like. [3] Buying leads and assuming the consent travels with them is a serious litigation risk. Here's what thin consent costs in practice: unitedhealthcare to pay $2.5m for alleged tcpa violations, credit one tcpa settlement, and albertsons safeway tcpa settlement.

Consent can be revoked at any time by any reasonable means. FCC guidance is clear that a consumer who says "stop texting me" has revoked consent, and you have to honor it promptly. Contacting someone after revocation is a willful violation, which triples your per-message exposure to $1,500.

What are the penalties for violating TCPA regulations?

The statutory damages are set to sting even when nobody proves actual harm. That's the whole design.

Each negligent violation costs $500. Each willful or knowing violation costs $1,500. [1] There's no cap per plaintiff, and class actions stack violations across every member of the class.

The math compounds fast. Send one marketing text to 100,000 people without proper written consent and you're looking at $50 million at $500 per message, or $150 million if the court finds the violation willful. Courts have certified large TCPA classes, and settlements regularly land in seven or eight figures. The cash app tcpa class action settlement and truist bank tcpa class action settlement show what real numbers look like.

The FCC can also impose forfeitures separately from private litigation. Over the past few years the agency has issued multi-million dollar forfeiture orders against robocall campaigns. [5]

State attorneys general can bring their own enforcement actions under 47 U.S.C. § 227(g), and some states run parallel statutes with extra penalties. California's CIPA, Florida's FTSA, and Washington's CEMA each add a layer on top of federal TCPA. [6]

One thing to understand about TCPA litigation: plaintiffs' attorneys take these cases on contingency because the math favors them. There's an entire industry of professional plaintiffs who sign up on websites specifically to build violation records. That isn't paranoia. Courts have acknowledged the practice. Sloppy compliance is a real, funded risk, not a theoretical one.

What exemptions exist under TCPA regulations?

The TCPA has several statutory and regulatory exemptions, and knowing them can save you real compliance cost. All of them are narrow.

Emergency calls. Calls made for emergency purposes are exempt. The FCC reads this narrowly. [2]

Non-commercial calls to residential lines. Calls to residential lines that aren't commercial solicitations face lighter restrictions, though the DNC rules can still reach them.

Established business relationship (EBR). For residential landline calls only, the FCC lets you call people you have an established business relationship with (a purchase, inquiry, or application within set time limits) even if they're on the National DNC Registry, subject to conditions. The EBR exemption does not cover autodialed or prerecorded calls to cell phones.

Government and healthcare exemptions. The FCC has carved out exemptions for certain government calls and healthcare-related calls (prescription reminders, appointment notifications) to cell phones, under strict limits on frequency and content. [5]

Free-to-end-user calls. Autodialed or prerecorded calls to cell phones that cost the recipient nothing and meet other conditions can qualify for reduced restrictions under specific FCC orders.

Exemptions get litigated constantly. If you plan to lean on one, get a compliance review from a TCPA attorney who actually knows the FCC orders, more than the statute. The statute text alone does not tell the whole story.

How do the TCPA regulations apply to text message marketing?

Text messages are treated as calls. The FCC confirmed that in 2003, and courts have upheld it since. [2] Every rule about autodialed calls applies with equal force to mass SMS campaigns.

For marketing texts specifically, you need prior express written consent before the first message goes out. The consent has to identify the sender (your company), describe the type of messages the consumer will get, and disclose any message-and-data rates. The consumer has to affirmatively agree, more than hand over a phone number.

Opt-out handling is non-negotiable. Every marketing text needs a clear way to opt out (usually replying STOP), and you have to honor opt-outs promptly. The FCC's rules require honoring a stop request before you send another marketing message. [2] One more message after a stop request is a willful violation at $1,500.

For a deeper look at building compliant text campaigns, the text messaging marketing guide covers the mechanics. If you're running SMS alongside outbound calls, keep the consent record for each channel separate and tied to a specific timestamp and source.

LeadCompliant's free consent checker can audit whether your current web forms collect consent language that meets the FCC's standard, before your next campaign ships.

What do TCPA regulations say about the Do Not Call list?

The National Do Not Call Registry is run by the FTC under the Telemarketing Sales Rule, but the TCPA independently prohibits calls to registered numbers. Both laws apply, and you can be sued under both. [7]

Registered numbers must not get telemarketing calls. Businesses have 31 days from the date a number is registered to stop calling it. After that window, dialing a registered number is a violation even if you'd had prior contact with that consumer.

You're required to scrub your call lists against the registry before each campaign. The FTC licenses access, and you have to register your organization to download the data. [7] Scrubbing is free for small volumes; larger commercial use requires a paid subscription.

The DNC rules also require an internal Do Not Call list. If a consumer asks not to be called, you add them to your company's internal DNC list and honor it for at least five years, whether or not they're on the national registry. You also have to offer a company-specific opt-out during any telemarketing call.

For a practical walkthrough on stopping unwanted calls and managing DNC compliance, how to stop robocalls covers the consumer side. Reading it tells you exactly what rights you're working around.

One practical note: the national registry is a floor, not a ceiling. State DNC lists (Connecticut, Indiana, Louisiana, Massachusetts, Missouri, Pennsylvania, Tennessee, Texas, and Wyoming all keep their own) add another layer. [6] Scrub both.

How does TCPA enforcement actually work?

Three enforcement channels run in parallel, and any one of them can reach you.

First, the FCC investigates complaints and can issue notices of apparent liability followed by forfeiture orders. The agency proposed a $225 million forfeiture against a single robocall operation in 2021, its largest to date, though collecting from bad actors is a separate fight. [5] For a legitimate business, an FCC investigation moves slower than private litigation but still costs a lot.

Second, state attorneys general can sue under 47 U.S.C. § 227(g) to stop violations and seek damages for residents. Several AGs have brought TCPA actions against companies running national call centers.

Third, and most common for outbound sales teams: private class actions. Any individual consumer has standing to sue in federal or state court. The plaintiff doesn't have to show harm beyond receiving the unwanted call or text. Law firms advertise for TCPA plaintiffs, and professional plaintiffs deliberately fill out lead forms and answer robocalls to document violations. Courts have certified nationwide classes of hundreds of thousands.

Settlement is the usual ending. Very few TCPA class actions reach trial. The kaiser tcpa settlement claim deadline and joseph snyder credit one tcpa cases show how these resolve. Settlement amounts for large companies routinely run from $5 million to over $75 million.

The takeaway is blunt. TCPA enforcement is not theoretical. Roughly 3,000 to 5,000 TCPA cases have been filed in federal court in recent years (PACER-derived counts fluctuate year to year). Compliance is cheaper than litigation. Every time.

What steps should a small outbound team take to comply with TCPA regulations?

Here's what actually works for small teams, based on how the rules read and where plaintiffs tend to find their cases.

Document consent at the point of collection. Every lead that enters your system should carry a timestamp, the source URL, and the exact consent language shown. Keep it for at least four years (the standard TCPA limitations period). No documented consent means you lose in discovery.

Scrub before every campaign. National DNC, state DNC lists, your internal DNC list, and reassigned-number checks. The FCC's Reassigned Numbers Database launched in 2021, and carriers must report reassignments to it. Calling a reassigned number that now belongs to someone who never consented is a violation. [5]

Audit your dialer. After Facebook v. Duguid, you need to know exactly how your system dials. Get written documentation from your vendor. If your dialer has a "random or sequential" mode, find out when it engages.

Train your agents. Call-time restrictions, required disclosures, and how to handle stop requests. A consumer saying "take me off your list" is a DNC request. Document it immediately.

Maintain an internal DNC list and honor it. Five-year minimum retention. Any verbal or written opt-out goes on it that day.

Check state laws. Calling or texting into Florida, California, Washington, or Oklahoma puts obligations on you beyond federal TCPA. [6]

LeadCompliant's free TCPA compliance kit covers the consent language templates, scrubbing workflow, and agent training checklist you need to get this in place without hiring outside counsel for the basics. The free DNC checker verifies numbers before a campaign.

If you're already getting demand letters or have a pending case, stop reading blog articles and hire a tcpa lawyer who knows the current FCC orders.

How have courts and the FCC changed TCPA regulations in recent years?

The TCPA landscape has shifted a lot since 2021. Do not rely on articles written before then.

Facebook, Inc. v. Duguid (2021): The Supreme Court held 9-0 that an ATDS must use a random or sequential number generator, narrowing the definition well below the expansive reading many lower courts had adopted. [4] A real win for businesses running list-based dialers, though litigation didn't stop. Plaintiffs pivoted to prerecorded voice claims and state law theories.

Insurance Marketing Coalition v. FCC (11th Cir., January 2025): The Eleventh Circuit vacated the FCC's 2024 one-to-one consent rule, which would have made lead generators get consent naming each specific seller. [3] The rule never took effect. The practical result is that the older, less specific consent standard stays operative for now, but the FCC has signaled it will keep pursuing stricter consent through rulemaking.

FCC robocall mitigation orders (2021-2024): The FCC has been rolling out STIR/SHAKEN call authentication on voice carriers and targeting gateway providers that carry illegal robocall traffic. [5] For legitimate outbound teams, this mostly means making sure your voice carrier is compliant. Calls from non-authenticated carriers are increasingly likely to get blocked or labeled as spam by carriers and call-screening apps.

State law expansion: Several states have passed their own mini-TCPA statutes since 2021, and plaintiffs' attorneys actively file where the standards or damages favor them. On balance the environment is getting stricter, not looser.

Frequently asked questions

What are TCPA regulations in plain terms?

The TCPA (47 U.S.C. § 227) is a federal law that restricts how businesses call or text consumers. It bans autodialed calls and texts to cell phones without written consent, bans prerecorded calls without consent, bans calls to numbers on the Do Not Call Registry, and limits calling to 8 a.m. to 9 p.m. local time. Violations cost $500 to $1,500 per call or text, and consumers can sue directly.

What is TCPA regulation and who enforces it?

The TCPA is enforced on two fronts. The FCC writes the rules and can issue forfeiture orders against violators. Individual consumers have a private right of action and can sue in federal or state court without proving actual harm beyond receiving the unwanted contact. State attorneys general can also bring TCPA suits for residents under 47 U.S.C. § 227(g). Private class actions drive most enforcement in practice.

When does the TCPA apply to a call or text?

The autodialer rules apply when you use an ATDS or a prerecorded/artificial voice to contact a cell phone or residential line. The Do Not Call rules apply no matter how the call is dialed. Marketing calls and texts need prior express written consent. Informational calls need at least prior express consent. The quiet hours rule (8 a.m. to 9 p.m. local time) applies to autodialed and prerecorded calls.

Does the TCPA apply to manually dialed calls?

Purely manual calls, where a live agent dials each digit by hand with no automated component, are not subject to the TCPA's autodialer restrictions. But manual calls are still covered by the Do Not Call rules. Play a recorded message on a manually dialed call and the prerecorded voice rules kick in. State mini-TCPA laws in Florida, California, and elsewhere may cover manual calls under broader definitions, so check state law too.

Marketing texts require prior express written consent. The consent must clearly identify your company, describe the type of messages the consumer will receive, and state that agreeing is not a condition of purchase. The consumer must affirmatively sign or check a box. A phone number alone, or consent buried in terms of service, does not meet this standard under 47 C.F.R. § 64.1200.

What are the TCPA penalties per text or call?

Statutory damages are $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations. There's no per-case cap. A class action covering 100,000 consumers who each got one unauthorized text could generate $50 million to $150 million in damages exposure. Courts have approved settlements in that range for large companies.

Does the TCPA cover text messages?

Yes. The FCC ruled in 2003 that SMS messages to cell phones are covered by the TCPA the same way calls are. All consent requirements, calling-hour limits (applied to send times), and Do Not Call obligations apply to text campaigns. Every marketing text must include a clear opt-out, and stop requests must be honored promptly or the next message becomes a willful violation.

What is the TCPA statute of limitations?

The statute itself doesn't set a limitations period. Federal courts generally apply the four-year statute of limitations under 28 U.S.C. § 1658 for TCPA claims arising under federal law. Some states use different periods when TCPA claims are brought under state law theories. Four years is the standard safe planning horizon for retaining consent and call records.

Are B2B calls covered by TCPA regulations?

The cell-phone provisions apply to the line called, not the business purpose of the call. If the number you dial is a cell phone, the ATDS and prerecorded voice rules apply even for a business contact. The Do Not Call rules are generally aimed at residential subscribers and don't apply to business lines in most cases. If a businessperson's cell phone gets your autodialed call, they can still sue.

How does the TCPA's ATDS definition work after the Facebook v. Duguid ruling?

The Supreme Court ruled in Facebook v. Duguid (2021) that an ATDS must have the capacity to produce or store numbers using a random or sequential number generator. A system that only dials from a pre-stored contact list may not qualify. This narrowed exposure for list-based dialers but didn't eliminate it, since prerecorded voice claims and state law theories are still available to plaintiffs.

Yes, at any time by any reasonable means. Replying STOP to a text, telling a live agent not to call again, or sending a written request all count as valid revocation. After revocation you must stop marketing contact promptly. Even one more message or call after a clear revocation is treated as a willful violation, which raises the per-violation damages to $1,500.

Do TCPA regulations apply across state lines?

Federal TCPA applies nationwide regardless of where you or the consumer sit. Quiet hours track the recipient's local time zone. State mini-TCPA laws layer on top and apply if the consumer is in that state, no matter where you're calling from. Calling into Florida, California, Washington, or Texas means checking those states' specific telemarketing statutes on top of federal TCPA.

What is the National Do Not Call Registry and how does it relate to the TCPA?

The National DNC Registry is maintained by the FTC under the Telemarketing Sales Rule. The TCPA independently prohibits calls to registered numbers, so both laws apply at once. Businesses must scrub call lists against the registry at least every 31 days. Numbers registered for more than 31 days cannot receive telemarketing calls. You must register your organization with the FTC to access the scrubbing database.

What should I do if my company gets a TCPA demand letter?

Don't ignore it and don't respond without legal counsel. TCPA demand letters are often the first step toward a class action complaint. Preserve every record tied to the calls or texts in question immediately. Retain a TCPA defense attorney who knows the current FCC orders and post-Duguid case law. Demand letters frequently settle below full statutory exposure, but that calculation depends heavily on whether you have documented consent.

Sources

  1. U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act), full statute text via Cornell Legal Information Institute: TCPA statutory damages of $500 per violation for negligent violations and $1,500 for willful violations, and the statute's private right of action
  2. FCC, 47 C.F.R. § 64.1200 (Delivery restrictions on telephone solicitations), via eCFR: Prior express written consent requirements for marketing calls and texts, quiet hours (8 a.m. to 9 p.m. local time), opt-out obligations, and SMS coverage under TCPA
  3. U.S. Court of Appeals for the Eleventh Circuit, Insurance Marketing Coalition Ltd. v. FCC (Jan. 2025), decision available via the Eleventh Circuit court site: The FCC's 2024 one-to-one consent rule was vacated by the Eleventh Circuit in January 2025 and never took effect
  4. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), opinion available via the Supreme Court opinions section: ATDS definition requires capacity to produce numbers using random or sequential number generator; list-based dialers may not qualify
  5. National Conference of State Legislatures, telemarketing and state Do Not Call laws, NCSL.org: State mini-TCPA statutes including Florida FTSA and state DNC lists in Connecticut, Indiana, Louisiana, Massachusetts, Missouri, Pennsylvania, Tennessee, Texas, and Wyoming
  6. FTC, National Do Not Call Registry, donotcall.gov: National DNC Registry operation, 31-day grace period, business registration requirement, and scrubbing obligations
  7. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310, FTC.gov legal library: TSR requirements that apply alongside TCPA for telemarketing calls, including DNC obligations and calling hour rules
  8. FCC, Reassigned Numbers Database, official database portal: FCC's Reassigned Numbers Database launched 2021, carriers required to report number reassignments, calling reassigned numbers without consent is a TCPA violation

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit