Last updated 2026-07-10

TL;DR
The biggest TCPA update in years is the FCC's January 2025 one-to-one consent rule, which kills lead-gen comparison-shopping loopholes and requires each seller to get its own written consent before sending robocalls or robotexts. Statutory damages still run $500 to $1,500 per call. The FCC has also tightened revocation rules and is pushing toward stricter caller-ID authentication requirements.
What is the TCPA and why do rule changes matter so much?
The Telephone Consumer Protection Act, 47 U.S.C. § 227, was signed in 1991 to stop predatory telemarketing. It restricts autodialed calls, prerecorded voice messages, and text messages to cell phones without prior express consent [1]. Congress hasn't rewritten the statute in any real way since then. But the FCC rewrites its implementing rules regularly, and those rules carry the same legal weight as the statute itself.
Why does any of this matter for a small outbound team? The penalty structure is brutal. Each individual call or text that violates the TCPA exposes you to $500 in statutory damages, bumped to $1,500 if the violation is willful [1]. There's no cap per lawsuit. A single bad calling campaign can generate a class of thousands of plaintiffs, which is exactly why TCPA lawsuits and settlements make news constantly.
The FCC is not the only enforcement body. State attorneys general can sue. Private plaintiffs can sue on their own with no administrative exhaustion requirement. That combination of easy private right of action plus per-call damages is what makes TCPA exposure so different from most other marketing regulations.
What is the FCC's 2024 one-to-one consent rule and when did it take effect?
This is the update most teams are scrambling to understand. On December 13, 2023, the FCC released its Report and Order (FCC 23-107) tightening the "prior express written consent" standard for robocalls and robotexts [2]. The rule became effective January 27, 2025 [2].
The core change is simple to state and painful to implement. A single blanket consent form that lists dozens of sellers no longer satisfies the TCPA. Each seller must obtain its own individual written consent from the consumer before sending autodialed or prerecorded messages. The FCC's own summary of the order says consent must be given "on a one-to-one basis" and must be "logically and topically associated" with the website where it was obtained [2].
That second piece, the logical-and-topical requirement, is the killer for lead-gen aggregators. Someone fills out a form on a mortgage comparison site. A payday lender buys that lead and claims TCPA consent. Under the new rule, that argument fails. The consent has to be tied to the subject matter of the specific site where the consumer typed their number. A general "I agree to be contacted by our partners" checkbox is dead.
For outbound teams that buy leads, this forces a real audit of every lead source. You need a paper trail showing the vendor got lawful, seller-specific consent before you ever dial. If your vendor can't produce that documentation, you're exposed no matter what their contract says about indemnification.
Small teams that generate their own leads through web forms have the easier path. Update the consent language on your form to name your company, describe the kinds of messages you'll send, and make the consumer's affirmative action (a standalone checkbox, never a pre-checked one) unambiguous.
What changed about consent revocation under the TCPA?
The same FCC 2024 rulemaking tightened revocation. Before this order, there was real ambiguity about what counted as a valid opt-out and how fast a business had to honor it [2]. The new rule says consumers can revoke consent through any reasonable means, oral or written, and sets a 10-business-day outer limit for honoring that revocation [2].
That 10-day window is not a grace period to keep texting. It's the maximum time you have to update your systems before the first message after revocation becomes a TCPA violation. If someone texts STOP and your platform takes two weeks to process it, every message in between is potentially a $500 to $1,500 claim.
The rule also says businesses cannot contractually limit the channels through which a consumer can revoke. A clause that says "you may only revoke by certified mail" is now unenforceable under the TCPA. If a consumer calls your sales line and says "stop texting me," that's legally valid revocation even if they never replied STOP to a text.
So your CRM, your SMS platform, and your calling platform all need to talk to each other. A revocation captured in one channel has to propagate everywhere within hours, not days. This is an integration problem as much as a legal one.
How does the TRACED Act fit into the current TCPA landscape?
The Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act) was signed December 30, 2019 [3]. It's separate from the TCPA but layered on top of it, and it created some of the most operationally significant changes of the last five years.
TRACED required carriers to implement STIR/SHAKEN, the call authentication framework that assigns a "confidence" level to whether a caller's displayed number is real [3]. By June 30, 2021, large carriers had to have it running. By June 30, 2023, the FCC extended the mandate to smaller carriers with limited waivers [4]. Here's what that means in practice. Calls placed with spoofed or unverified caller IDs increasingly get flagged as "Spam Likely" or dropped entirely before they reach the recipient.
For legitimate outbound teams, STIR/SHAKEN is mostly a nuisance that rewards good actors over time, because verified numbers display better to recipients. But if your outbound numbers aren't registered through your carrier's attestation process, you may be getting flagged even on legal calls. That's a deliverability problem more than a compliance problem.
TRACED also increased FCC civil penalties for intentional violations and gave the agency broader authority to act on illegal robocall investigations, freed from the prior statute-of-limitations constraints that had hampered enforcement [3].
What did the Supreme Court say in Facebook v. Duguid about autodialers?
Facebook, Inc. v. Duguid, decided April 1, 2021, was the most significant judicial TCPA development in a decade [5]. The question was what counts as an "automatic telephone dialing system" (ATDS) under 47 U.S.C. § 227(a)(1). The statute defines an ATDS as equipment with the capacity to "store or produce telephone numbers to be called, using a random or sequential number generator" [1].
The Court held 9-0 that a dialing system must use a random or sequential number generator to qualify as an ATDS. A system that simply dials from a stored list of specific numbers, without generating those numbers randomly or sequentially, is not an ATDS under the TCPA [5].
For practical outbound dialing, this was welcome news. Most modern predictive and power dialers work from uploaded contact lists, not from randomly generated number sequences. Under Duguid, those systems generally don't meet the ATDS definition, which strips away one layer of TCPA exposure.
Don't get too comfortable. The decision didn't immunize all outbound calling. Prerecorded messages to cell phones require prior express consent regardless of whether the equipment qualifies as an ATDS [1]. And the one-to-one consent rule applies to any "robocall" or "robotext," a category the FCC defines more broadly than the ATDS question alone. Some circuits are still working through what Duguid means for their existing case law, so the landscape isn't fully settled in every jurisdiction.
How much do TCPA violations actually cost companies?
Statutory damages are $500 per violation, trebled to $1,500 for willful violations [1]. Those numbers are per call or per text. The math turns terrifying fast at scale.
Real settlements give the clearest picture. UnitedHealthcare paid $2.5 million to resolve TCPA allegations. Credit One Bank faced a major settlement over autodialed calls to wrong-number recipients. Truist Bank and Albertsons/Safeway have both worked through TCPA class actions. Cash App settled a class action tied to text message practices. None of these companies set out to break the law. Most violations come from bad data, inherited consent problems, or opt-out processing that lags.
For small teams, the bigger financial risk isn't a $50 million settlement. It's a nuisance class action that costs $200,000 to $500,000 to settle because litigation defense alone runs past that figure. Plaintiffs' attorneys file these on contingency, and they know even weak cases often settle.
The FCC can also impose separate administrative penalties. Under TRACED, those reach $10,000 per illegal call for intentional violations [3]. State attorneys general add another layer, and some states have their own per-call statutes that stack on top of federal claims.
| Violation Type | Statutory Damages | Source |
|---|---|---|
| Standard TCPA violation | $500 per call/text | 47 U.S.C. § 227(b)(3) |
| Willful TCPA violation | $1,500 per call/text | 47 U.S.C. § 227(b)(3) |
| TRACED Act (intentional illegal robocall) | Up to $10,000 per call | TRACED Act, Pub. L. 116-105 |
| State laws (e.g., Florida FTSA) | Varies; FL is $500/call | Fla. Stat. § 501.059 |
What state TCPA-equivalent laws should outbound teams worry about most?
Federal TCPA is the floor, not the ceiling. Several states have passed their own laws that add requirements or increase exposure.
Florida's Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059, is the one that surprises teams most. As amended in 2021, it created a private right of action for unsolicited texts sent using an auto-dialer, with damages of $500 per text [6]. Florida's definition of "auto-dialer" is broader than the post-Duguid federal standard, which means systems that escape ATDS scrutiny federally can still trigger FTSA liability. Florida amended the law again in 2023 to require a "double opt-in" for texts, though litigation over that provision is ongoing.
California has its own Invasion of Privacy Act and various consumer protection statutes that plaintiffs layer with TCPA claims. Washington, Oklahoma, and Texas also have state telemarketing rules that create independent exposure.
The practical implication is blunt. "We're TCPA-compliant" doesn't mean you're state-law-compliant. If you're calling Florida cell phones, you need to know the FTSA. If you're running a national campaign, a quick state-by-state review is worth the time.
For any team managing outbound SMS, the text message marketing compliance guide covers how these state layers interact with federal consent rules.
What do the FCC's 2024 lead generation rules mean for companies that buy leads?
Lead buyers carry more risk under the 2025 rules than they did before. Under the old "established business relationship" and blanket-consent interpretations, it was easy to argue that a consumer who filled out any online form had consented to be contacted by downstream buyers.
That argument is dead now. The FCC's 2023 Report and Order explicitly targets "comparison shopping websites and lead generators" and says consent obtained through those channels must be seller-specific and topically connected to what the consumer was actually shopping for [2]. A consumer researching solar panels has not consented to hear from a home security company just because both were listed as "partners" on the same form.
If you buy leads, you need contracts with your vendors that specifically represent three things: that consent was obtained for your company by name, that consent was tied to the product or service you sell, and that the vendor will produce documentary evidence of consent for any lead you request. Vendor indemnification clauses help but don't erase your exposure, because the FCC and private plaintiffs chase the caller more than the data seller.
The safest move is to shift toward first-party lead generation where you control the consent flow. That's not always commercially realistic. But every lead you generate yourself is a lead you don't have to audit for chain-of-custody consent problems.
How has FCC enforcement changed and what companies are getting targeted?
FCC enforcement has historically been uneven. The agency has brought relatively few administrative actions compared to the volume of private TCPA litigation. TRACED shifted that somewhat by increasing FCC resources for robocall enforcement and loosening procedural constraints [3].
The FCC's Enforcement Bureau has focused heavily on illegal spoofed robocall campaigns, gateway providers that pass illegal traffic, and large-scale prerecorded message operations. In 2023 and 2024, the Bureau issued several large Notices of Apparent Liability running into the tens of millions of dollars against robocall operators.
For legitimate outbound sales teams, the more immediate enforcement risk isn't the FCC. It's private class action litigation. Cases like Joseph Snyder v. Credit One show how individual plaintiffs bring claims that balloon into class actions. The TCPA's private right of action, with no minimum injury requirement beyond the call itself, means any consumer who received an unwanted call has standing.
The FCC is also pushing carriers to block calls that fail STIR/SHAKEN authentication or that appear on the Robocall Mitigation Database's non-compliant list [4]. If your outbound calls are getting blocked at the carrier level before they ever reach prospects, you have a STIR/SHAKEN or number registration problem. Fixing that isn't a compliance issue. It's a basic operational one.
What steps should a small outbound team take right now to stay compliant?
Start with your consent documentation. For every channel you use, text or call, you need written records showing that each contact consented to be reached by your specific company for your specific product. If you're buying leads, get the consent records from your vendor for a random sample. If they can't produce them, that vendor relationship needs to change.
Audit your opt-out processing. Map exactly how a consumer can revoke consent on each channel and how that revocation propagates to every platform in your stack. The FCC's 10-business-day maximum is the outer bound, not the target. Same-day or next-business-day is where you want to be.
Verify your STIR/SHAKEN attestation status with your carrier or VoIP provider. If your outbound numbers aren't registered and attested, fix that before you worry about anything else. Calls that don't reach prospects can't convert, and they can still generate complaints.
Review your lead vendor contracts and add TCPA reps and warranties if they aren't there. Demand that vendors can produce individual consent records for leads they sell you.
Check your calling scripts for any prerecorded or AI-generated messages. Those require prior express written consent to cell phones no matter how you dial [1].
For teams that want a structured starting point, LeadCompliant's free compliance kit walks through consent language templates, opt-out workflow checklists, and a vendor audit questionnaire. That kind of operational scaffolding makes the steps above manageable without calling outside counsel for every question.
Document everything you do. A compliance program that lives only in someone's head offers no protection in litigation. Written policies, dated records of consent, logs of opt-out processing: all of that becomes your defense if you ever get sued.
What TCPA changes are still pending or likely to come?
The FCC's 2024 rulemaking was significant, but it wasn't the end of the regulatory cycle. A few items are still working through the process.
AI-generated voice calls are an active target. The FCC issued a declaratory ruling in February 2024 clarifying that AI-generated voices in robocalls count as "artificial or prerecorded" voices under the TCPA, which means they require prior express consent to cell phones and are subject to the same rules as any other prerecorded call [7]. That ruling handled the immediate concern, but rules on disclosure and labeling of AI voice calls are still being developed.
The FCC has also signaled interest in tightening how the National Do Not Call Registry interacts with the consent framework. Right now, written consent overrides the DNC for the consenting company. But questions about how long consent lasts, whether it survives a company acquisition, and how to handle consent obtained before the one-to-one rules took effect are still being litigated and interpreted.
Congress has periodic TCPA reform discussions. The most consistent ask from the business community is a private right of action fix that would require some actual injury beyond receiving a call. That reform hasn't moved seriously in recent sessions, so don't build your compliance strategy on the assumption it's coming.
State activity will keep filling gaps. When federal rules lag, states act. The Florida and California models keep spreading. Watching TCPA news is genuinely useful for catching state-level changes before they take effect.
One more thing worth tracking. The FCC's Robocall Mitigation Database requires all voice service providers to file robocall mitigation certifications [4]. If a provider you use isn't in that database, carriers are allowed to block their traffic entirely. Check your VoIP or outbound calling vendor's compliance status there directly.
Frequently asked questions
When did the FCC's one-to-one consent rule take effect?
The FCC's one-to-one consent rule, established in FCC Report and Order 23-107 released December 2023, became effective January 27, 2025. It requires each seller to obtain separate prior express written consent from a consumer before sending autodialed or prerecorded calls or texts. Blanket consent forms covering multiple sellers no longer satisfy the TCPA's written consent standard.
What counts as prior express written consent under the TCPA?
Prior express written consent means a written agreement, signed by the consumer, authorizing the specific seller to send autodialed or prerecorded calls or texts to a specific number. As of January 2025, that consent must name the seller, must be logically related to the website where it was collected, and must come from a clear affirmative action by the consumer. Pre-checked boxes don't qualify.
Does Facebook v. Duguid mean I don't need to worry about the ATDS definition anymore?
Not entirely. Duguid narrowed the ATDS definition so that dialers working from pre-set contact lists generally don't qualify. But prerecorded and AI-generated voice messages to cell phones require prior express consent regardless of ATDS status. And the FCC's consent rules apply to 'robocalls' broadly. Duguid removed one risk layer. It didn't eliminate TCPA exposure.
How quickly do I have to honor a consumer's opt-out request?
The FCC's 2024 rules set a 10-business-day maximum to honor revocation of consent, but that's a ceiling, not a target. Honor opt-outs as fast as your systems allow. Any message sent after a valid revocation, even within the 10-day window, carries legal risk depending on the circumstances. Oral and written revocations through any reasonable channel must both be honored.
Can I still use a lead vendor after the 2025 TCPA consent changes?
Yes, but with much stricter documentation requirements. Your vendor must be able to show that the consumer consented to contact by your company specifically, for your product category, through a clear affirmative action. Get that in your vendor contract as a rep and warranty. Demand sample consent records before you buy. If a vendor can't produce them, that lead carries real TCPA exposure for your company.
What is the TRACED Act and how does it affect outbound calling?
The TRACED Act, signed December 2019, mandated STIR/SHAKEN caller-ID authentication across carriers, increased FCC penalties for intentional illegal robocalls up to $10,000 per call, and expanded the FCC's enforcement authority. For outbound teams, the practical impact is that unverified or spoofed caller IDs increasingly get flagged as spam or blocked by carriers before reaching the called party.
What are the TCPA penalties per text message?
Each text message that violates the TCPA carries $500 in statutory damages, increased to $1,500 per text for willful violations. There's no cap on the number of violations in a single case. A mass-text campaign to a list with improper consent can generate thousands of individual $500 claims, which is why TCPA class actions over text programs regularly settle in the millions.
Does the TCPA apply to B2B calls?
The TCPA's autodialer and prerecorded-call restrictions apply to calls made to cell phones regardless of whether the recipient is a business or consumer. Calling a business owner's personal cell number without consent is the same exposure as calling a consumer. The National DNC Registry exemptions for established business relationships are narrower than many teams assume, and they don't apply to autodialed cell calls without consent.
Are AI-generated voices covered by the TCPA?
Yes. In February 2024, the FCC issued a declaratory ruling confirming that AI-generated voices in calls qualify as 'artificial or prerecorded' voices under 47 U.S.C. § 227. That means calls using AI voice technology to cell phones require prior express consent just like traditional prerecorded messages. This ruling came after political robocalls using cloned celebrity voices sparked public attention.
What is Florida's Telephone Solicitation Act and why does it matter?
Florida's FTSA, Fla. Stat. § 501.059, creates a private right of action for unsolicited texts or calls made with an auto-dialer to Florida consumers, with $500 per-call damages. Florida's auto-dialer definition is broader than the post-Duguid federal standard, so systems that escape TCPA ATDS liability can still trigger FTSA claims. Florida is one of the highest-risk states for outbound text and call campaigns.
How do I check if my lead vendor is TCPA-compliant?
Ask for a sample of consent records for leads they've sold you. Each record should show the consumer's name, the specific language they agreed to, your company named explicitly, the timestamp, and the IP address of the device used. If they can't produce this on request, that's your answer. Also verify they're generating leads on topically-relevant pages, not generic comparison portals that bundle unrelated sellers.
What happened with TCPA enforcement cases in 2023 and 2024?
Private class action filings stayed high throughout 2023 and 2024. Major settlements included healthcare, financial services, and retail companies. The FCC focused enforcement on illegal spoofed robocall operations and gateway carriers passing illegal traffic. The most significant regulatory action was the December 2023 Report and Order on one-to-one consent, which went into effect January 2025 and reshaped how consent must be documented.
Does TCPA consent expire?
The TCPA statute doesn't set an explicit expiration on consent, but courts and the FCC have signaled that consent can go stale if significant time passes or if the relationship changes. The cleaner interpretation is that consent stays valid until revoked, but 'prior express written consent' obtained years ago for a different product may not cover your current campaign. When in doubt, refresh consent rather than rely on old records.
If I get sued for TCPA violations, what should I do first?
Stop the conduct that's alleged immediately, even before legal evaluation is complete. Preserve all records: consent documentation, call logs, opt-out logs, vendor contracts, platform exports. Get a TCPA-experienced attorney fast, because early TCPA cases often settle and the window to negotiate before class certification moves quickly. Don't contact the plaintiff directly. Your defense lives in your documentation, so having none is the worst starting position.
Sources
- U.S. Government, 47 U.S.C. § 227, Telephone Consumer Protection Act (full statute text via Cornell Legal Information Institute): TCPA prohibits autodialed calls and prerecorded messages to cell phones without prior express consent; statutory damages are $500 per violation, trebled to $1,500 for willful violations
- FCC, Report and Order FCC 23-107, In the Matter of Rules and Regulations Implementing the TCPA (adopted December 2023, effective January 27 2025): One-to-one consent rule requiring seller-specific written consent logically and topically associated with the website where it was obtained; 10-business-day revocation window; effective January 27 2025
- U.S. Congress, Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), Pub. L. 116-105, signed December 30 2019: TRACED Act required STIR/SHAKEN caller-ID authentication, increased FCC civil penalties up to $10,000 per illegal call for intentional violations, and expanded FCC enforcement authority
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), decided April 1 2021: 9-0 ruling that an ATDS requires use of a random or sequential number generator; dialers that call from stored lists without generating numbers randomly are not ATDs under 47 U.S.C. § 227(a)(1)
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA creates private right of action with $500 per-call/text damages for unsolicited autodialed solicitations; Florida's auto-dialer definition is broader than the post-Duguid federal standard
- FCC, Declaratory Ruling on AI-Generated Voice Robocalls (adopted February 2024): FCC ruled February 2024 that AI-generated voices qualify as 'artificial or prerecorded' voices under 47 U.S.C. § 227, requiring prior express consent for calls to cell phones
- FTC, National Do Not Call Registry information for businesses: National DNC Registry maintained by FTC; telemarketers required to scrub against registry; exemptions include established business relationships and express written consent
- U.S. Congress, Congressional Research Service, TCPA Overview and Selected Issues (CRS report R46780): CRS analysis of TCPA enforcement history, private right of action structure, and relationship between FCC rulemaking and statutory text