TCPA rules: what every outbound team must know in 2025

TCPA violations cost $500 to $1,500 per call or text. Learn the 2025 rules on consent, robocalls, texting, and DNC compliance before your next campaign.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-10

Empty outbound call center office at dusk with dark monitors and city view
Empty outbound call center office at dusk with dark monitors and city view

TL;DR

The Telephone Consumer Protection Act (47 U.S.C. § 227) restricts autodialed calls, prerecorded messages, and texts to cell phones without prior express consent. Violations cost $500 to $1,500 per call or text, with no cap per lawsuit. The FCC's one-to-one consent rule took effect January 27, 2025. If you run outbound sales or SMS, these rules apply to you right now.

What is the TCPA and who does it cover?

The Telephone Consumer Protection Act became law in 1991 and lives at 47 U.S.C. § 227 [1]. Congress passed it because consumers were drowning in telemarketing calls and had no real way to make them stop. The law gives the FCC authority to write the implementing rules, and those rules have changed many times since, most recently with a consent overhaul that took effect January 27, 2025 [2].

The TCPA covers anyone who makes calls or sends texts using an automatic telephone dialing system (ATDS), plays a prerecorded or artificial voice message, or sends unsolicited fax ads. That last category rarely touches a modern sales team. The first two touch almost every outbound dialing operation in the country.

Who is covered? If your company calls or texts consumers, you are. That includes insurance agencies, mortgage lenders, debt collectors, retailers, SaaS companies, nonprofits raising money, and political campaigns. The law carves out no exception for small businesses. A three-person startup running a power dialer has the same obligations as a Fortune 500 contact center.

The statute applies to calls and texts sent to any number assigned to a cellular service, and to residential landlines for prerecorded messages. The FCC has held for two decades that text messages count as "calls" under the TCPA, which is the foundation for every SMS compliance rule that follows [10].

What counts as an automatic telephone dialing system under the TCPA?

An ATDS is equipment that can store or produce phone numbers using a random or sequential number generator and dial them. That definition has been the most fought-over question in TCPA history, and it decides how you set up your dialing technology.

The statute defines an ATDS as equipment that "has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator, and to dial such numbers" [1]. That reads narrow. Courts read it broadly for years anyway. Then the Supreme Court stepped in. In Facebook, Inc. v. Duguid (2021), the Court ruled 9-0 that an ATDS must actually use a random or sequential number generator to store or produce numbers [4]. That narrowed the definition a lot.

After Duguid, the real question is simple: does your dialer pull from a pre-loaded list, or does it generate numbers on the fly? Most predictive dialers, CRM-integrated dialers, and click-to-call tools work from a pre-loaded list. Under Duguid, those are less likely to qualify as an ATDS. Circuits still split on the edges, and plaintiffs' lawyers keep arguing that certain dialer designs meet the test. The risk did not vanish.

Here is the honest answer. If your system has any automated element, ask a TCPA attorney before you assume Duguid protects you. The safer play is to operate as if your system is an ATDS and get proper consent anyway. That protects you no matter how a court later labels your tech.

Prerecorded and artificial voice messages sit in their own bucket, separate from the ATDS definition. Drop a voicemail through a ringless voicemail service and it almost certainly counts as a prerecorded message. The FCC treats ringless voicemails as covered calls under the TCPA [10].

Consent is the whole game. The type you need turns on two things: who you're calling (cell or residential landline) and what kind of call it is (informational or telemarketing). Get one wrong and your consent record protects nothing.

Here is how the tiers break down:

Call/Text TypeNumber TypeConsent Required
Autodialed or prerecorded, non-telemarketingCell phonePrior express consent
Autodialed or prerecorded, telemarketingCell phonePrior express written consent
Prerecorded telemarketingResidential landlinePrior express written consent
Live agent, telemarketingResidential landlineNo consent required (but DNC rules apply)

Prior express consent means the consumer gave you permission before you called or texted. It can be oral. Prior express written consent is stricter. The consumer must sign (electronic signatures count) an agreement that clearly authorizes autodialed or prerecorded telemarketing calls or texts, and that signature cannot be a condition of buying anything [2].

The written consent has to include a clear disclosure that the person is authorizing contact by automatic dialing system or prerecorded message. Buried fine print fails. The FCC requires consent to be unambiguous.

For SMS, the standard practice is a double opt-in. The consumer texts a keyword to your short code, then confirms by replying YES to a follow-up message. That builds a clean paper trail. If you're running text campaigns, here is how SMS consent documentation works in practice: text message marketing.

One trap catches a lot of sales teams. An established business relationship does not create consent for autodialed calls to cell phones. EBR gives some cover for calls to residential landlines under the FCC's rules. For cell phones, you need actual consent. A past sale is not a permission slip.

The one-to-one rule ended shared-consent lead selling. As of January 27, 2025, a consumer's written telemarketing consent has to name the single seller who will contact them. One box checked once no longer covers a room full of buyers.

The FCC issued the Report and Order in December 2023 requiring that prior express written consent for telemarketing calls and texts be obtained on a one-to-one basis [2]. The rule took effect January 27, 2025.

Before this, a consumer could tick one box on a lead form and that consent could ship to dozens of sellers at once. Lead aggregators built whole businesses on it. Now a consumer's consent must identify the specific seller who will contact them, and that seller's name has to appear on the consent form.

The FCC's order states that consent must be given to "a single seller" and cannot extend to a "list or group of sellers" [2]. That single line broke the traditional shared-consent model.

What does it mean at your desk? If you buy leads, you have to verify that each lead's consent form named your company by name. A blanket line that says "you may be contacted by our marketing partners" does not satisfy the rule anymore. Get a copy of the exact consent language, the timestamp, and the IP address for every lead you buy.

The FCC also tightened the requirement that consent be logically and topically associated with the interaction. Consent to hear about one topic (say, home insurance) cannot stretch to an unrelated one (say, auto loans), even in a one-to-one format.

For tcpa news on how enforcement plays out, watch the FCC's Enforcement Bureau through 2025 and 2026. Early cases will set the tone.

What are the TCPA rules for calling times and the Do Not Call registry?

Two separate rule sets govern when and whether you can call. Teams mix them up constantly. Calling hours come from the TCPA. The Do Not Call registry comes mostly from the FTC. You have to follow both.

FCC regulations at 47 C.F.R. § 64.1200 restrict autodialed or prerecorded calls to between 8 a.m. and 9 p.m. local time at the called party's location [9]. You use the recipient's time zone, not yours. Call a Florida consumer from a California office at 7:30 p.m. Pacific and you just violated the rule, because it's 10:30 p.m. Eastern where the phone is.

The National Do Not Call Registry runs under the FTC's Telemarketing Sales Rule (16 C.F.R. Part 310), not the TCPA itself, but the FCC's TCPA rules fold DNC duties into telephone solicitation compliance [10]. Sellers have to scrub their call lists against the registry before calling. You must access the registry at least every 31 days and cannot call anyone who has been registered for more than 31 days without their consent.

Internal DNC lists are their own obligation. If a consumer tells you to stop calling, you add them to your company's internal DNC list within 30 days and you stop. This duty exists whether or not the number is on the national registry.

For the consumer side, and what rights callers can invoke against you, see how to stop robocalls. For your program, the takeaway is short. Scrub the national registry, keep your own list, honor opt-outs fast.

What are the TCPA penalties per violation?

TCPA damages run $500 per call or text, and up to $1,500 for a willful or knowing violation. There is no cap on total damages per lawsuit. That math is why plaintiffs' lawyers love this statute.

Violation TypeStatutory Damages
Standard violation$500 per call or text
Willful or knowing violationUp to $1,500 per call or text
State attorneys general can also seek$500 per violation on behalf of residents

The statute at 47 U.S.C. § 227(b)(3) creates a private right of action, so any consumer can sue you without a class action attorney [1]. The real exposure comes from class actions, where every person who got an unauthorized call or text is a potential class member.

The numbers get real fast. UnitedHealthcare paid $2.5 million to resolve TCPA claims. Credit One Bank faced a major TCPA settlement over autodialed calls to cell phones. The Cash App TCPA class action settlement and the Truist Bank TCPA settlement are more recent proof that an ordinary outbound program can turn into eight-figure liability.

There is no federal TCPA deductible. If a jury finds willfulness, the $1,500 per-contact number applies. A campaign that sent 50,000 unauthorized texts faces $75 million in statutory damages before anyone argues willfulness at all.

That is also why the Albertsons/Safeway TCPA settlement drew notice. A retail loyalty program's texting practices generated serious class exposure, which almost nobody expects from a grocery store.

TCPA statutory damages by violation type Per-call or per-text exposure under 47 U.S.C. § 227(b)(3) Standard violation $500 Willful or knowing violation $1,500 State AG action (per violation) $500 Source: Cornell Law School LII, 47 U.S.C. § 227 (Citation 1)

Do TCPA rules apply to text messages the same way they apply to calls?

Yes. The FCC held in 2003, and courts have held ever since, that SMS text messages are "calls" under the TCPA [10]. The same consent rules, opt-out duties, and time-of-day limits apply to texts as to voice calls.

Texting adds a few layers. The Cellular Telecommunications Industry Association (CTIA) publishes carrier-level requirements for short code and long code campaigns, covering opt-out handling, message frequency disclosures, and prohibited content. Carriers enforce these on their own, apart from the FCC, and can block or filter traffic that breaks them.

For telemarketing texts, you need prior express written consent. No exceptions. For transactional texts like an order confirmation, prior express consent (which can be oral or implied from the transaction) may be enough. The line between transactional and marketing is often blurry, and courts do not always draw it the same way.

SMS opt-outs get honored immediately. If a consumer replies STOP, you stop texting them promptly, and the FCC treats prompt as the standard. One more marketing text after a STOP reply is a standalone violation worth its own $500 to $1,500.

For a fuller look at running compliant campaigns, see text messaging marketing.

LeadCompliant's free consent checker audits whether your opt-in flow captures the elements the FCC actually requires, before you send your next SMS blast.

Are there exemptions to the TCPA rules?

There are exemptions, and they matter. Most are narrower than the people relying on them believe. None of them cover cold outreach to consumer cell phones.

Emergency calls. The TCPA does not restrict calls made for emergency purposes. This is genuinely narrow. Think hospital systems reaching patients about critical health information, not a sales team that really wants to close a deal this quarter.

Calls to non-cellular numbers with no charge to the called party. Call a traditional landline with a live agent (no ATDS, no prerecorded message) and the TCPA's wireless restrictions don't apply. DNC rules still do.

Government debt collection. Congress added an exemption in 2015 for calls made solely to collect debts owed to or guaranteed by the federal government. It covers some student loan and federally-backed mortgage servicing calls. The Supreme Court upheld the exemption in Barr v. American Association of Political Consultants (2020) but struck down its extension to political speech [4].

Informational calls from healthcare providers. The FCC has exempted certain healthcare calls and texts, including appointment reminders and prescription notifications, under strict conditions that include an easy way to opt out.

Political calls. Autodialed calls to cell phones for political purposes still need consent. There is no political exemption from the wireless consent requirement. Campaigns get caught on this over and over.

None of these help an outbound sales team cold-dialing consumer cell phones. If you're buying lead lists and dialing them, you need consent. Full stop.

What do state TCPA-equivalent laws add on top of the federal rules?

The federal TCPA sets a floor, not a ceiling. Several states go further, and a few have private rights of action that generate more lawsuits than the federal statute does.

California's Consumer Privacy Act (CCPA) touches TCPA work by adding data rights and opt-out mechanics that shape how you collect and store consent records. Florida rewrote its telemarketing law (the Florida Telephone Solicitation Act, or FTSA) in 2021 to create a private right of action that, for a stretch, ran broader than the federal TCPA in some respects. Florida amended the FTSA again in 2023 to narrow the autodialer definition and add a 15-day cure period for first-time violations, something the federal TCPA has never offered [6].

Washington state has its own Commercial Electronic Mail Act and separate telephone solicitation rules. Oklahoma, Texas, and other states run their own DNC registries with separate registration steps.

Kentucky has seen active TCPA litigation. If you operate there or get sued there, the local landscape matters. See tcpa lawyer kentucky for context.

The practical advice is blunt. Do not assume federal compliance covers every state you call into. If you're running high volume into Florida, California, or Washington, get state-specific counsel before the campaign, not after the demand letter.

For ongoing state developments, the National Conference of State Legislatures tracks telemarketing legislation across all 50 states [7].

How should a small outbound team build a basic TCPA compliance program?

You don't need a legal department. You need a process that runs the same way every week. Five parts: document consent, scrub lists, enforce calling hours, honor opt-outs, and audit your dialer.

Start with consent documentation. For every lead source, keep a written record of the exact consent language the consumer saw, the date and time, the IP address, and how you know the number matches the person who consented. If a lead vendor won't hand this over, stop buying from them. The 2025 one-to-one rule means a vendor's blanket assurance protects you from nothing.

Scrub your lists. Before any campaign touches a phone, run the numbers against the National DNC Registry (register at donotcall.gov [8]) and your internal DNC list. Do it at least every 31 days. Log the scrub dates.

Train the team on calling hours. Post the rule where people can see it: 8 a.m. to 9 p.m. local time for the consumer. If you call across time zones from one office, set your platform to use the recipient's local time, not yours.

Build an opt-out workflow that actually fires. Every inbound STOP text, every verbal do-not-call request on a live call, every email opt-out has to trigger an immediate update to your internal DNC list. Test it quarterly. Pretend to be a consumer and see if the STOP actually lands.

Audit your dialing technology. Ask your vendor to document how their system selects or generates numbers. Keep that document. If you land in litigation, proving your system is not an ATDS takes technical evidence, and you want it on file before you need it.

LeadCompliant's one-time compliance kit includes a consent audit template, an internal DNC log format, and a vendor due diligence checklist that covers exactly this ground, at no cost.

Look at the joseph snyder credit one tcpa case and others like it. The fact pattern is almost always the same. A company had a compliance process on paper and never ran it. Paper policies protect nobody. Running the process does.

Document everything. In a TCPA suit, the burden of proving consent falls on you, the defendant.

What should you do if you get a TCPA demand letter or lawsuit?

Do not ignore it. The TCPA's private right of action lets individual plaintiffs file in small claims or federal court, and default judgments are common when defendants sit on their hands. Move fast, preserve records, and get specialized counsel.

Preserve everything. A litigation hold means you stop deleting call logs, consent records, dialing system data, and internal messages about the campaigns at issue. Destroying evidence after a claim lands creates sanctions risk stacked on top of your TCPA exposure.

Pull your records fast. You want to know whether you hold a consent record for the person claiming you called without consent. If you do, your defense is straightforward. If you don't, size up your real exposure quickly.

Check your insurance. Some general liability policies cover TCPA claims. Many carry specific TCPA exclusions. Read the policy before you're in a fight, not during one.

Most TCPA demand letters come from serial plaintiffs or their attorneys fishing for a fast settlement. That doesn't make them wrong. It does mean the opening number (often $500 to $1,500 per contact claimed) is sometimes negotiable before a complaint gets filed.

Get a TCPA attorney, more than any litigator. This is a specialized field. The kaiser tcpa settlement claim deadline case and similar class actions show that even large organizations with legal teams underestimated their TCPA class exposure.

What not to do: don't call the plaintiff back without counsel, don't offer a settlement before you understand your full exposure, and don't assume the claim goes away on its own. It won't.

Frequently asked questions

Does the TCPA apply to B2B calls and texts?

Mostly, yes. The TCPA applies to calls and texts to cell phones no matter whether the recipient is a business or a consumer. If you autodial or text a person's cell phone, even for B2B, the TCPA applies. Calls to business landlines using a live agent are generally outside the wireless restrictions. But if you're dialing cell phones to reach business contacts, you need the same consent you'd need in B2C.

Can I call someone back who called me first without getting written consent?

Possibly, for informational calls. A consumer who gives you their number and calls you first has arguably given prior express consent for a callback. But if that callback is a telemarketing call using an autodialer or prerecorded message, you likely need prior express written consent under FCC rules. A live-agent informational callback to someone who contacted you first sits in a much safer zone. Don't stretch this to justify cold outreach.

What is the statute of limitations for TCPA claims?

Four years. TCPA claims fall under the federal catch-all limitations period at 28 U.S.C. § 1658, which courts have applied consistently to TCPA private actions. Some states apply different periods to their own state-law analogues. In practice, a campaign you ran four years ago can still generate a valid claim today, as long as the plaintiff files before that window closes.

Almost certainly yes. The FCC treats ringless voicemails deposited straight into a consumer's voicemail box as "calls" under the TCPA. The issue is not fully settled in every circuit, but the FCC's position strongly suggests that ringless voicemail to cell phones needs the same prior express written consent as any other autodialed telemarketing call. Running ringless drops without consent is a real risk, not a clever workaround.

How often do I need to scrub my call list against the national DNC registry?

Every 31 days. FCC rules require sellers to access the National Do Not Call Registry at least once every 31 days and not call numbers registered for more than 31 days. You also register your organization with the FTC's system and pay an annual fee based on how many area codes you access. As of 2024, fees run roughly $75 per area code per year, with a free tier for up to five area codes. Confirm current fees at donotcall.gov.

The FCC defines it as an agreement, signed by the consumer (electronic signatures count), that clearly authorizes the seller to deliver telemarketing calls or texts using an ATDS or prerecorded voice. The agreement must disclose that consent is not a condition of purchase. It can be a web form checkbox with a compliant disclosure, a signed paper form, or a typed agreement submitted online. Oral consent does not meet this standard for telemarketing.

What is the safe harbor for TCPA violations?

The TCPA offers a limited safe harbor if you can show the violation was an error and you had written DNC procedures in place, trained your staff, kept an internal DNC list, honored the national registry, and used a process to prevent calls to registered numbers. The safe harbor is narrow. Every one of those procedures has to be real and actually followed. It reduces exposure. It does not erase a claim.

No, not for autodialed or prerecorded calls to cell phones. There is no blanket political or nonprofit exemption from the TCPA's wireless consent requirements. A political campaign that autodials or sends prerecorded messages to cell phones without consent violates the TCPA just like a commercial seller. The political-speech holding in Barr v. American Association of Political Consultants applied to a different provision and created no consent exemption.

What records do I need to keep to defend a TCPA claim?

Keep the exact consent language the consumer saw, the timestamp and IP address of consent, the phone number it covered, the lead source, DNC scrub logs with dates, dialing system configuration docs, and every opt-out request with the date received and action taken. Retain all of it for at least four years given the limitations period. If you buy leads, keep the vendor's consent documentation too. A missing consent record in litigation is almost always treated as no consent.

Does the TCPA apply to calls made outside the United States?

The TCPA applies based on where the call is received, not where it starts. If your call center sits in another country but you're dialing U.S. phone numbers, the TCPA applies. Courts have held that the location of the called party's number sets jurisdiction. Offshore dialing operations are not a TCPA workaround, and treating them as one just adds distance between you and the evidence you'll need.

Starting January 27, 2025, prior express written consent for telemarketing must go to one specific seller at a time. The consumer's consent form has to name your company. A form granting consent to a list of marketing partners or an entire lead aggregator network no longer satisfies the rule. If you buy leads, verify that the consent form the lead source used named your business specifically, not a category of sellers or a partner network.

Yes, at any time and by any reasonable means. The FCC confirmed in a 2015 ruling that consumers can revoke TCPA consent through any reasonable method, including orally on a call, by text, by email, or through a web form. You cannot contractually limit how a consumer revokes (you can't require certified mail, for example). Once revocation reaches you, you stop contacting that person promptly.

How do class action TCPA lawsuits get certified?

Class certification under Rule 23 of the Federal Rules of Civil Procedure requires that the class be numerous, that common questions predominate, that the named plaintiff's claims are typical, and that the class is adequately represented. TCPA class actions often clear these bars because the common question (did the defendant make unauthorized automated calls?) is the same for everyone. The defendant's problem is scale. Even at $500 per call, multiply by millions of calls and the exposure turns catastrophic.

Sources

  1. Cornell Law School Legal Information Institute, 47 U.S.C. § 227 (Telephone Consumer Protection Act): Statute text defining ATDS, consent requirements, and $500/$1,500 per-violation damages
  2. Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): 9-0 ruling that an ATDS must use a random or sequential number generator to store or produce numbers
  3. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida's 2023 FTSA amendment narrowing autodialer definition and adding a 15-day cure period for first violations
  4. National Conference of State Legislatures, Telephone Consumer Protection Act and State Telemarketing Laws: State-level telemarketing and TCPA-equivalent legislation tracker across all 50 states
  5. FTC, National Do Not Call Registry (donotcall.gov): Official registration and access portal for the National Do Not Call Registry; organizations must scrub lists every 31 days
  6. FCC regulation, 47 C.F.R. § 64.1200 (eCFR): FCC regulation restricting autodialed/prerecorded calls to 8 a.m.-9 p.m. local time at the called party's location
  7. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC rules governing DNC registry obligations and telemarketing conduct, complementary to TCPA; SMS treated as calls
  8. United States Courts, Federal Rules of Civil Procedure Rule 23 (Class Actions): Rule 23 requirements for class certification applicable to TCPA class action lawsuits

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit