Last updated 2026-07-11

TL;DR
The TCPA wrong number safe harbor protects callers who reach a reassigned number in good faith, but only for the first call. After that, every call is a potential $500 to $1,500 violation under 47 U.S.C. § 227(b)(3). The moment you learn a number is wrong, log it, suppress it across every dialing system, and never redial. Here is exactly what that process looks like.
What is the TCPA wrong number safe harbor?
The wrong number safe harbor is a narrow protection built into the FCC's rules under the Telephone Consumer Protection Act, 47 U.S.C. § 227 [1]. It says that if you call or text a number in good faith, believing you have consent, but the number has been reassigned to a new subscriber who never gave you consent, you are not automatically liable for that first contact. One call. That's the limit.
The FCC formalized this in its 2015 Omnibus TCPA Order (FCC 15-72) [2], which introduced a single-call safe harbor for reassigned numbers. The reasoning was simple. Callers cannot always know in real time that a phone number has changed hands. Carriers don't alert marketers. People switch numbers or port them constantly. So the FCC gave callers exactly one contact to discover the error before liability attaches fully.
Here's what the safe harbor does NOT cover. It does not protect you if you had actual knowledge the number was reassigned. It does not protect you on the second call. It does not protect you if you ignored a voicemail, a bounce code, or a live person saying "wrong number." The word "safe" is doing a lot of work here, and courts have held the line tight.
Small teams read "safe harbor" and assume it means a buffer. It does not. Think of it as a single-use card that disappears the moment the call ends.
How does a number get reassigned, and why does that create TCPA liability?
Phone number reassignment happens constantly. The FCC seeded its Reassigned Numbers Database with hundreds of millions of disconnected number records at launch [3]. The CTIA has estimated that tens of millions of numbers are reassigned in the United States each year, though nobody has a precise annual figure that all sources agree on.
When a subscriber gives up a number, the carrier usually holds it for a quarantine period (often around 90 days, sometimes less) before reissuing it. That new subscriber never consented to your calls. But your CRM still shows the old subscriber's opt-in. So you call thinking you have permission, and you reach a stranger.
Under 47 U.S.C. § 227(b)(1), making an autodialed or prerecorded call to a cell number without the current subscriber's prior express consent is a violation [1]. The key word is "current." Consent from the old subscriber does not transfer to whoever holds the number now. Courts have been consistent on this.
The exposure is real. Statutory damages run $500 per call for standard violations and up to $1,500 per call if a court finds a willful or knowing violation [1]. Class actions built on reassigned number fact patterns have settled in the tens of millions of dollars. The Cash App TCPA class action settlement and the Credit One TCPA settlement both involved large calling programs where consent records did not match current subscribers. That is how fast exposure scales.
What exactly triggers the safe harbor, and what kills it?
To qualify for the single-call safe harbor, three things generally need to be true.
1. You had a reasonable basis to believe the number belonged to a consenting party (a prior opt-in, a written consent record, a purchase record). 2. The first contact revealed, or should have revealed, that the number no longer belongs to that party. 3. You stopped all further automated or prerecorded contact to that number after that first call.
The safe harbor dies in any of these situations:
- The called party said they were not your customer, and you called again.
- You got a text reply, bounce code, or voicemail showing the person doesn't know you, and you kept dialing.
- Your system logged a "not in service" message, but a human later overrode the suppression.
- You had prior litigation, complaints, or internal notes flagging problems with the number.
The FCC's 2015 Order stated that a caller "will not be liable for the first call to a wireless number following reassignment," but it also warned that constructive knowledge matters [2]. If reasonable diligence would have caught the reassignment before the call, you cannot claim good faith.
One detail that has caused real confusion in litigation: the safe harbor protects the first call, not the first call per campaign. It is per number. If 555-867-5309 gets flagged as potentially reassigned from any source, the window has opened. Stop, check, and suppress before you touch that number again.
What must you do immediately after a wrong number call?
Speed matters here in a way it does not for most compliance tasks. The steps below are what any reasonable process should run, ideally automatically or inside the same business day.
Step 1: Log the discovery with a timestamp. The moment you get any signal that a number may belong to the wrong person, capture it. A text reply of "who is this," a live caller saying "you have the wrong number," a voicemail from an unknown person, a carrier code showing the subscriber changed. Your CRM entry needs a date-stamped note and the source of the discovery.
Step 2: Suppress the number across every active campaign now. Not tonight. Not at the next data sync. Now. Every dialer, every SMS platform, every outbound queue that touches that number needs a suppression entry before the next dial run. If you use multiple tools or a third-party dialer, each one needs to receive that suppression. One missed integration is how people get sued on call number four.
Step 3: Quarantine the record in your CRM. Do not delete it. You may need the original consent documentation if litigation ever surfaces. Mark the record suppressed, add the wrong-number flag with the timestamp, and block any automated process from re-activating it.
Step 4: Document the chain of events. Write down when you called, what the signal was, who flagged it, and when suppression was applied. One paragraph in a ticket system or compliance log is enough. If a plaintiff's attorney sends a demand letter, this documentation is the difference between a fast dismissal and a long fight.
Step 5: Review adjacent records. If one number in a data batch came back reassigned, check whether other numbers from the same source or lead vendor have the same problem. One bad number is a warning sign about the whole list.
Does the FCC's Reassigned Numbers Database change anything?
Yes, a lot. The FCC launched the Reassigned Numbers Database (RND) in late 2021, with mandatory use phased in for certain callers [3]. The database lets you ask whether a number has been disconnected since a specific date. If you got consent on January 1, 2023, you can query the RND and ask: has this number been reassigned since then? If the answer is yes, you cannot rely on that consent.
The FCC's rules give callers who check the RND before dialing, and get a "no reassignment" result, a safe harbor against liability even if a reassignment actually happened but wasn't yet reflected in the database [3]. This is the stronger safe harbor. It is database-driven, not after-the-fact.
The RND is not free. It is operated by Somos, Inc. under FCC authorization, and callers pay per query or by subscription. Pricing tiers exist for low-volume and high-volume users, and rates are set by Somos and change over time. Check the FCC's RND page or Somos directly for current pricing [3].
Here is the practical read. If you run any meaningful volume of outbound calls or texts to cell phones, query the RND before each dial cycle rather than leaning on the single-call safe harbor after the fact. The single-call harbor is a backstop for when things fall through. The RND is the actual prevention tool.
Teams doing cold calling at scale have built RND queries into their pre-dial scrub alongside do not call list checks. Running both before dialing is the current standard of care for anyone who wants to stay out of court.
How do courts actually interpret the safe harbor in litigation?
The case law is not perfectly uniform, but a few patterns are clear.
In ACA International v. FCC (D.C. Circuit, 2018) [4], the court vacated parts of the FCC's 2015 TCPA Order, including some of the autodialer definition. The reassigned number framework and the single-call safe harbor were not the main targets of that ruling. The safe harbor concept survived, though courts keep arguing about its edges.
In Marks v. Crunch San Diego (9th Cir., 2018) [5], the court reworked the autodialer definition in ways that affected which calls could even trigger TCPA liability. The consent-transfer problem, which is what the wrong number safe harbor addresses, was untouched.
Where courts have been consistent: if a caller got any affirmative notice that the number belonged to a non-consenting person and kept calling, no safe harbor applies. In multiple district court decisions, even a single text reply of "stop" or "wrong number" has been treated as actual knowledge, wiping out the defense [6].
The "willful or knowing" enhancement matters here. If internal records show your team knew the number was flagged and called anyway, a $500 violation becomes $1,500 per call, and plaintiffs' attorneys will point to those records in discovery. A poorly documented suppression process is often more damaging than the original wrong number call.
For a sense of the dollar exposure, see the chart below, which shows how per-call statutory damages compound at scale.
What if the person tells you it's a wrong number during the call itself?
This is the clearest scenario, and the one you most need to handle right.
If a live person picks up and says "you have the wrong number," "I'm not [name]," or any clear variation, that call has consumed your single-call safe harbor. The moment the call ends, you are in the full-liability zone for any future call to that number. There is no grace period. There is no "we need to investigate." The number must be suppressed before your system can dial it again.
The same logic applies to a voicemail that clearly belongs to a different person (different name, different company). Courts have held that a caller who listens to a voicemail and can identify the subscriber has constructive knowledge of the reassignment [6].
If the person on the line asks you to stop calling, that's both a wrong number situation and an opt-out request under the TCPA. Those two things coexist, and honoring both is the only safe path. The opt-out obligation under 47 U.S.C. § 227(b)(2)(B) requires automated systems to honor do-not-call requests [1], so the number should hit both your wrong-number suppression list and your internal DNC list at once.
For teams running text message marketing, the same rule covers inbound "wrong number" replies on SMS. A reply of "I don't know you" or "wrong person" is functionally identical to a verbal wrong number disclosure. Suppress and document.
What records do you need to keep, and for how long?
The TCPA sets no single explicit record-retention period. The standard of practice, driven by the four-year federal statute of limitations for TCPA claims under 28 U.S.C. § 1658 [7], is to keep consent records and suppression records for at least four years from the date of the last call to that number.
Here is what your records should contain at minimum:
| Record Type | What to Capture | Retention |
|---|---|---|
| Original consent record | Timestamp, source, method (web form, verbal, etc.) | 4+ years |
| Call log | Date, time, number dialed, system used | 4+ years |
| Wrong number discovery | Date, signal type, who logged it | 4+ years |
| Suppression entry | Date applied, which systems received it | 4+ years |
| Internal DNC addition | Date, reason code | 4+ years |
Keep these in a format you can export. If you get a demand letter or a subpoena, you need to produce this fast. A compliance log buried in a dead CRM that nobody can export is nearly as bad as no log at all.
LeadCompliant's free compliance kit includes a suppression log template and a wrong number incident report form you can adapt without starting from scratch. The core requirement is simple: documentation that is timestamped, complete, and searchable.
Can a wrong number call create class action exposure, more than individual claims?
Yes, and this is where the numbers get alarming.
Reassigned number fact patterns attract class action plaintiffs' attorneys because they usually come from systematic failures. If your dialer called 50,000 numbers from a purchased list and 3,000 had been reassigned, that is a potential class of 3,000 people, each with a $500 minimum claim. That is $1.5 million before any willfulness enhancement, and before attorney fees.
Class certification in TCPA cases has historically been relatively accessible for plaintiffs because the violations are uniform: same calling system, same lack of valid consent, same statutory damages formula. Courts in the 9th and 11th Circuits have certified TCPA classes repeatedly. Post-2021 Supreme Court precedent on standing (TransUnion LLC v. Ramirez, 2021 [8]) has made it somewhat harder for plaintiffs to certify classes where members cannot show concrete harm beyond the bare statutory violation.
The practical implication is stark. A single wrong number call to one person is a small claim. A systematic pattern of calling reassigned numbers is an existential threat to a small business. The difference usually comes down to whether you had a documented, working suppression process. Running regular scrubs against the mobile phone do not call list and the RND, and keeping records of those scrubs, is what separates a defensible mistake from a class action target.
For teams building a compliance process before they scale outbound, reviewing the do not call telemarketer list requirements alongside reassigned number checks gives a clearer picture of the full pre-dial scrub stack.
What is a reasonable wrong number response process for a small team?
Most small outbound teams have no dedicated compliance officer. The founder or sales manager owns this. Here is a process that is realistic for a team under 20 people.
Before dialing (prevention): Query the FCC's Reassigned Numbers Database for any number you haven't called in more than 30 days, or any number from a purchased list. Layer a standard National DNC scrub on top. This is the highest-ROI compliance action you can take, because it catches most wrong numbers before any call goes out.
During the campaign: Train every rep, and build it into every script, that a "wrong number" response (live or voicemail) gets logged in the CRM with a timestamp before the rep moves to the next call. Not at end of day. Before the next dial.
Within one hour of discovery: The number is suppressed across all dialing systems and SMS platforms. If your team uses a CRM with dialer integration, test that suppression path monthly. Integration failures are common and invisible until you need them.
Weekly audit: Pull any numbers flagged as wrong number in the past seven days and confirm each has a suppression record in every active system. A five-minute check that could save you from a $1,500-per-call exposure.
Quarterly review of data sources: If more than 2 percent of your wrong number flags come from one data vendor, that vendor's list quality is probably poor. Drop them or demand fresher data. The how do I get the do not call list process is one part of data hygiene; RND checking is another.
This is not a perfect system. No system is. But documented effort at each step is what defense attorneys use to argue against willfulness, and what judges look at when deciding whether to grant summary judgment.
Are there state laws that add requirements beyond the TCPA safe harbor?
Several states have their own telephone solicitation laws, and some are less forgiving than the TCPA's federal safe harbor framework.
Florida's Telephone Solicitation Act (FTSA), amended in 2021 [9], allows a private right of action for unsolicited calls and texts and does not copy the federal single-call safe harbor. Florida plaintiffs can sue under the FTSA on what would be the first call under federal law, if that call lacks consent under the state standard, which is stricter about prior express written consent for auto-dialed calls.
California's Automatic Dialing-Announcing Device rules under California Public Utilities Code § 2871 [10] add another layer, especially for robocalls. The California rules predate the TCPA in some respects and have been read strictly by state courts.
Washington, Texas, and Maryland each have state DNC or telemarketing statutes with per-violation penalties that can stack on top of TCPA exposure. Calling a reassigned number in one of those states can trigger federal and state liability at once, with no single-call state-level safe harbor available in most cases.
The takeaway is blunt. The federal wrong number safe harbor is a federal protection only. It does not shield you from state claims, and it does not give you one free call in every jurisdiction. Multi-state calling programs should have counsel review the applicable state statutes, because a "safe" first call under federal law can still be an actionable call under Florida or Washington law.
How does this apply to text messages, more than phone calls?
The TCPA covers "calls," and the FCC has read text messages as calls under 47 U.S.C. § 227(b)(1)(A) [1]. Every rule above applies to SMS and MMS sent by an autodialer or automated system.
The wrong number safe harbor works the same way: one text to a reassigned number without knowledge of the reassignment, then stop. The FCC's 2015 Order [2] addressed this for text messages specifically, noting the single-call safe harbor covers texts sent to reassigned numbers.
For texts, the wrong number signals look a little different. You might get an inbound reply of "who is this" or "wrong number." You might get an opt-out from a name that does not match your contact record. You might see a delivery error code from your SMS provider showing the number is no longer active.
All of those signals trigger the same obligation: log the discovery, suppress the number, document everything. The fact that it's a text and not a voice call buys you no extra flexibility. If anything, SMS compliance draws more scrutiny in current litigation, partly because text records are easier to preserve and produce in discovery than call recordings.
For a broader view of how SMS fits into your outbound picture, the cold call rules and SMS rules overlap more than most teams realize, especially for campaigns that pair voice and text touches on the same leads.
Frequently asked questions
How many calls can I make before the TCPA wrong number safe harbor disappears?
One. The FCC's 2015 Omnibus Order (FCC 15-72) limits the wrong number safe harbor to a single call to a reassigned number. From the second call onward, if you know or should know the number belongs to a non-consenting subscriber, you are fully liable under 47 U.S.C. § 227(b)(1). There is no second chance built into the rule.
Does the wrong number safe harbor apply to texts too?
Yes. The FCC treats text messages as calls under the TCPA, so the single-call wrong number safe harbor covers both voice calls and automated texts. If you get any signal that a text reached the wrong person, you must suppress the number before sending another message. A reply of 'who is this' counts as that signal.
What is the FCC Reassigned Numbers Database and does it replace the safe harbor?
The FCC's Reassigned Numbers Database (RND), operated by Somos Inc. since 2021, lets callers check whether a number has been disconnected since a specific consent date. Callers who query the RND before dialing and get a 'no reassignment' result have a separate safe harbor under FCC rules, even if the database was not yet updated. The RND is a prevention tool; the single-call safe harbor is a backstop.
What counts as 'notice' that I reached the wrong person?
Courts and the FCC have treated several signals as notice: a live person saying they are not your contact, a voicemail with a different name, a text reply of 'wrong number' or 'who is this,' and carrier codes showing the subscriber changed. Constructive knowledge, meaning signals you should have caught even if you didn't, also counts. Ignoring an obvious signal is not a defense.
How long do I have to suppress a number after I discover it's a wrong number?
The TCPA and FCC rules set no explicit clock, but the standard of care is immediate suppression, before the number can be dialed or texted again. If your dialer runs batches overnight, the suppression must hit every system before that batch runs. Same-business-day is the outer edge of reasonable; same-hour is the real target for any team that wants to defend against a willfulness claim.
Can a wrong number recipient sue me even if I only called once?
Yes. The safe harbor is a defense, not a bar to suit. A plaintiff can still file, arguing you lacked a good-faith basis to believe you had consent, or that you should have known the number was reassigned before you called. You would need to prove the elements of the safe harbor in litigation. That is why pre-call RND scrubbing and solid consent documentation matter so much.
Does the safe harbor apply if I bought a list and the number was already reassigned when I got it?
Probably not, unless you can show a reasonable basis for believing the current subscriber consented. The safe harbor requires good-faith reliance on a consent record you actually hold. A purchased list alone, with no underlying consent chain, does not establish that good faith. Courts and the FCC both look at whether the original consent was valid and attributable to the current subscriber.
What statutory damages apply if the safe harbor does not protect me?
Under 47 U.S.C. § 227(b)(3), statutory damages are $500 per call for standard violations and up to $1,500 per call if the court finds the violation was willful or knowing. There is no per-defendant cap in individual suits; in class actions, total exposure is the per-call amount times the number of class members. Documented disregard of known wrong number flags is the clearest path to the $1,500 enhancement.
Does the wrong number safe harbor protect me from state law claims too?
No. The federal single-call safe harbor is a federal TCPA defense only. States like Florida, California, Washington, and Texas have their own telephone solicitation statutes, and most do not copy the federal safe harbor. A call protected under federal law can still create state liability, especially in Florida under the FTSA, which has been actively litigated since its 2021 amendment.
What records should I keep after a wrong number discovery?
Keep a timestamped log of the original consent record, the call or text log showing when contact occurred, the specific signal that indicated a wrong number, when suppression was applied, and which systems received the suppression entry. Retain all of it for at least four years from the last contact, matching the federal TCPA statute of limitations under 28 U.S.C. § 1658.
How do wrong number issues fit into a broader TCPA compliance program?
Wrong number suppression is one layer of a pre-dial scrub stack that should also include National DNC checks, internal DNC checks, and consent verification. Teams doing outbound calls should scrub each number against the FCC Reassigned Numbers Database before dialing, add wrong-number flags to their internal suppression list in real time, and audit those lists regularly. The single-call safe harbor is a last line, not a program.
Can class actions really be built on reassigned number calls?
Yes. Reassigned number fact patterns are common class action vehicles because the violations are often systemic: same calling program, same data vendor, same lack of valid consent across thousands of numbers. TCPA classes have been certified in the 9th and 11th Circuits on these grounds. The 2021 TransUnion v. Ramirez decision raised the standing bar slightly, but cases with concrete harm to identifiable class members still proceed regularly.
Sources
- U.S. Congress, 47 U.S.C. § 227 (Telephone Consumer Protection Act), via Cornell Law School Legal Information Institute: Statutory text establishing $500-$1,500 per-call damages, prohibiting autodialed calls to cellular numbers without prior express consent, and requiring opt-out honoring under 47 U.S.C. § 227(b)
- D.C. Circuit Court of Appeals, ACA International v. FCC, No. 15-1211 (2018): Court vacated portions of the FCC's 2015 TCPA Order on autodialer definition; the reassigned number single-call safe harbor framework was not the primary subject of the ruling
- 9th Circuit Court of Appeals, Marks v. Crunch San Diego, LLC, No. 17-56581 (2018): 9th Circuit addressed the TCPA autodialer definition; consent-transfer and reassigned number liability rules remained unaffected by this decision
- Federal Trade Commission, Telemarketing and consumer protection overview: Agency guidance and case patterns confirming that affirmative notice of a wrong number, including text replies and voicemails from non-matching subscribers, constitutes actual or constructive knowledge
- U.S. Congress, 28 U.S.C. § 1658 (federal statute of limitations), via Cornell Law School Legal Information Institute: Four-year federal statute of limitations for TCPA claims, establishing the minimum record retention period for consent and suppression records
- U.S. Supreme Court, TransUnion LLC v. Ramirez, 594 U.S. 413 (2021): Supreme Court raised the Article III standing bar for class plaintiffs who cannot show concrete harm; relevant to TCPA class certification on reassigned number claims
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida's FTSA, amended in 2021, provides a private right of action for unsolicited calls and texts and does not replicate the federal single-call safe harbor
- California Public Utilities Code § 2871, Automatic Dialing-Announcing Devices: California state-level restrictions on automatic dialing devices; predate the TCPA in some respects and interpreted strictly by California courts, adding state exposure beyond the federal safe harbor