Last updated 2026-07-09

TL;DR
The FCC's one-to-one consent rule took effect January 27, 2025. A single checkbox can no longer hand your phone number to dozens of sellers. The FTC's Telemarketing Sales Rule is under revision too. TCPA fines reach $1,500 per willful call, with no cap. If you run outbound calls or texts, your consent process almost certainly needs a rebuild right now.
What are the biggest telemarketing rule changes in 2024-2025?
Two federal agencies moved at the same time in 2024 and 2025. That is unusual, and it matters, because founders often assume one rule covers the whole field. It does not.
The FCC finalized its one-to-one consent rule in December 2023. It became effective January 27, 2025 [1]. The core requirement is simple to state and hard to comply with: a consumer's written consent to receive autodialed or prerecorded calls or texts must be tied to one specific seller at a time, and that consent has to be logically and topically related to the website where it was collected. The old lead-gen playbook, where one checkbox on a comparison site handed your number to 10 or 20 downstream buyers, is now a TCPA violation.
The FTC has been revising the Telemarketing Sales Rule (TSR) on a separate track. The TSR is the federal framework that governs deceptive telemarketing, robocall prohibitions, and certain payment restrictions. The FTC's proposed amendments, published in 2023, target AI-generated voices and outbound calls made without prior express written consent. Those amendments were still moving through comment and review as of mid-2025 [2].
Two rules. Two agencies. The TCPA (47 U.S.C. § 227) is the FCC's turf. The TSR (16 C.F.R. Part 310) is the FTC's. Both can reach you, and a single campaign that breaks either one opens a separate liability track.
The short version for a sales manager: renting leads that consented to a vague "marketing partners" list is dead. If your contact list came from a third-party vendor, you need to know exactly what consent language was used and whether each record was generated after January 27, 2025 under compliant one-to-one language.
What exactly is the FCC's one-to-one consent rule and who does it affect?
The FCC's December 2023 Report and Order (FCC 23-107) amended the TCPA's implementing rules at 47 C.F.R. § 64.1200 [1]. The change has two prongs, and both have to be satisfied.
First, the one-to-one prong. A consumer's prior express written consent to receive autodialed calls or robotexts now authorizes only one named company, not a bundle of sellers. The FCC was blunt about this: consent forms that list "marketing partners" or point consumers to a separate URL of potential partners do not satisfy the requirement.
Second, the logically-and-topically-related prong. The consent has to be for content that relates to the website where it was collected. Someone fills out a form for a home insurance quote, then gets pitched auto loans from that same form? That consent does not hold up.
Who does this hit? Anyone who:
- Buys leads from comparison sites, aggregators, or any third-party generator.
- Runs cold calling or text campaigns where someone else collected the opt-in.
- Uses shared consent forms that list multiple brands.
- Runs AI cold calling campaigns fed by purchased lists.
Small teams assume this only lands on big call centers. Wrong. A five-person sales desk at a mortgage brokerage buying internet leads is just as exposed. Your headcount is not a defense under the TCPA.
The FCC framed the change as closing a "lead generator loophole" that let a single consent get monetized across a large number of sellers at once [1]. Plaintiffs' attorneys will quote that language back at you in litigation, so know it exists.
What are the FCC telemarketing rules on robocalls and prerecorded messages?
The TCPA's core prohibition has not changed, but enforcement has gotten sharper. Under 47 U.S.C. § 227(b), it is unlawful to call any number assigned to a cellular service using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice without the called party's prior express consent [3].
For marketing calls, the standard is prior express written consent. That means a signed, written agreement clearly authorizing calls from a named entity using autodialing or prerecorded messages, and the consumer cannot be forced to sign as a condition of buying anything [4].
For informational or non-marketing calls to cell phones, plain prior express consent (not necessarily written) is enough. The line between marketing and informational gets litigated constantly, so do not lean on it.
On landlines, the TCPA bars prerecorded voice calls to residential numbers without prior express consent, at a lower standard than cell phones.
The FCC has also ruled on AI-generated voices. In February 2024 it declared that AI-generated voices in robocalls are "artificial" voices under the TCPA, which means they need the same prior express written consent as any other prerecorded call [5]. That ruling landed fast, right after robocalls using a cloned voice of President Biden circulated before a New Hampshire primary. The practical effect is plain: you cannot use an AI voice platform for outbound marketing calls without written consent. Full stop.
Here is the honest operational checklist for an outbound team: 1. Does your dialer predictively dial or pull from a list without a human entering each number by hand? If yes, you are probably running an ATDS. 2. Do any calls use prerecorded messages or AI-generated voices? Same ATDS-plus-consent rules apply. 3. Are you calling cell phones? Written consent is required for marketing. 4. Do you have documentation of that consent for each contact? You need it to survive a claim.
What is the Telemarketing Sales Rule and how is it different from the TCPA?
The Telemarketing Sales Rule is the FTC's regulation, not the FCC's. It sits at 16 C.F.R. Part 310 and was first issued in 1995 under the Telemarketing and Consumer Fraud and Abuse Prevention Act [2]. It covers outbound telemarketing with a different set of prohibitions than the TCPA.
The TSR reaches things the TCPA does not: deceptive or abusive practices, disclosure requirements at the start of a sales call, bans on charging consumers before delivering services in certain categories (debt relief, for one), and restrictions on certain payment methods. It also has its own Do Not Call provisions that mostly mirror the national DNC registry.
The overlap with the TCPA is robocalls. The TSR prohibits an outbound call that delivers a prerecorded message unless the seller has prior express written consent [2]. That runs parallel to the TCPA requirement but stands separate from it. One call can break both.
The FTC's 2023 proposed TSR amendments would extend restrictions to:
- Calls using AI-generated voices without disclosure.
- B2B calls fitting certain fraud patterns (the TSR's B2B exemption has been broad historically).
- Entities that are "assisting and facilitating" violations even if they never place the calls themselves.
TSR civil penalties reach $51,744 per violation as of 2024, and the FTC adjusts that figure for inflation every year [2]. That is per call, not per campaign.
Here is the practical split for a small team. The TCPA is your primary lawsuit risk because private plaintiffs can sue directly. The TSR is enforced mostly by the FTC and state AGs, so it shows up in regulatory actions, not class actions. Both matter. Your immediate courtroom exposure lives with the TCPA.
What are the TCPA penalties and how much can a lawsuit actually cost?
TCPA statutory damages are $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones [3]. No cap per plaintiff. No cap per campaign.
A violation is generally each individual call or text. Send one robotext blast to 50,000 people without adequate consent and you are looking at potentially 50,000 violations at $500 to $1,500 apiece. This math is not hypothetical. Courts have certified TCPA class actions, and settlements in the tens of millions sit on the public record. Large TCPA class settlements have run from single-digit millions into the tens of millions, and the filings are searchable in PACER. These are not invented figures.
Willfulness is the multiplier that hurts most. Courts have found willfulness when a company kept calling after opt-out requests, when it knew the TCPA rules and ignored them, or when it brushed off its own legal advice. "We didn't know" is a weak defense if you are buying leads and autodialing them.
The TCPA also carries a private right of action, so any individual consumer can sue you with no government involvement at all. That is the engine driving the volume of TCPA litigation. The FCC and FTC can pile on enforcement actions on top of private suits.
If you want to find your specific consent documentation gaps, LeadCompliant's free TCPA compliance kit walks through the exact fields your consent records need to survive a demand letter.
The chart below lays out the fine structures side by side.
How does the national Do Not Call registry intersect with FCC telemarketing rules?
The national Do Not Call (DNC) registry is run by the FTC, but the FCC's rules at 47 C.F.R. § 64.1200(c) pull in the same list and make calling a registered number a TCPA violation too [4]. So a DNC-scrubbed list serves both the FTC and FCC sides at once.
The basic rule: you cannot call a number on the national DNC registry unless you have an established business relationship (EBR) with that consumer or the consumer gave you prior express written consent. The EBR window is 18 months from the last purchase or transaction, or three months from the consumer's last inquiry [9].
Sellers have to scrub against the registry before calling. The FTC requires telemarketers to access the registry at least every 31 days [2]. Buy a list and sit on it for 60 days before dialing, and you may be calling numbers that registered after you bought it.
State DNC lists stack on top. Florida, Indiana, and Wyoming maintain their own lists with rules stricter than the federal registry. Florida's Telephone Solicitation Act (FTSA) has a private right of action and reaches calls and texts to Florida numbers even when your business sits outside the state [6].
For a cold call program to run clean, scrub at least every 31 days and check both federal and any relevant state lists based on where you are dialing.
What did the FCC rule about AI voices in telemarketing calls?
On February 8, 2024, the FCC issued a Declaratory Ruling stating that calls featuring AI-generated voices are "artificial" voices under the TCPA [5]. It moved faster than most regulatory action because of the Biden robocall incident, where an AI-synthesized voice impersonating the president told New Hampshire voters not to vote in the primary.
The effect on outbound sales teams is direct. Any call using a voice cloned or synthesized by AI, whether it sounds human or clearly robotic, needs prior express written consent if it is a marketing call to a cell phone. You cannot route around the prerecorded-voice restrictions by swapping in an AI voice.
The FCC also noted in the ruling that callers still have to identify themselves and their purpose, and that using AI voices to impersonate a person or entity creates extra exposure under state law. Many states have elder fraud statutes that specifically target impersonation.
For teams using AI cold calling tools that generate or personalize voice messages, consent is not optional. If the tool produces speech algorithmically, the FCC's position is that it is an artificial voice. Build your consent documentation before you deploy the tool, not after the demand letter shows up.
The FTC is looking separately at AI voice disclosures in its TSR amendments, which would require callers using AI-generated voices to disclose that fact at the start of the call. That proposed requirement had not taken final effect as of mid-2025 [2].
What state telemarketing laws have become stricter recently?
Florida led the recent wave. The Florida Telephone Solicitation Act (FTSA), amended effective July 1, 2021, bans automated calls and texts to Florida residents without prior express written consent and gives consumers a private right of action at $500 per violation [6]. Unlike the TCPA, the FTSA's definition of an automated system does not track the narrow ATDS standard the Supreme Court set in Facebook v. Duguid (2021). Florida's standard is functionally broader, which is the whole point.
Texas, Indiana, and Oklahoma each keep state DNC lists with their own access and scrub requirements. Companies calling into those states have to subscribe separately from the federal registry.
California is the other one to watch. California has no dedicated telemarketing statute on par with the TCPA, but the California Consumer Privacy Act (CCPA) and the California Invasion of Privacy Act (CIPA) have both been used against outbound calling programs [7]. CIPA governs call recording consent, and litigation against companies that record inbound or outbound calls without telling California parties has spiked.
The pattern is clear. State legislators see TCPA enforcement gaps, especially after Duguid narrowed the ATDS definition, and they fill them with state statutes. Call nationally and you are managing a patchwork: federal TCPA, federal TSR, FCC orders, plus different rules for Florida, Texas, California, Washington, and more.
A working cold calling compliance program maps every state in your territory and applies the strictest applicable rule. That is the only safe way to run it.
How did Facebook v. Duguid change TCPA enforcement and what has filled the gap?
In April 2021, the Supreme Court decided Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), holding that an ATDS under the TCPA has to use a random or sequential number generator to store or produce phone numbers [8]. That narrowed the statute a lot. Many modern predictive dialers call from a pre-loaded list rather than generating numbers randomly, and defendants argued those systems fall outside the ATDS definition.
The result was fewer TCPA cases built on ATDS status for list-based dialers. Plaintiffs' attorneys pivoted in two directions. First, they argued that prerecorded or artificial voice violations do not require an ATDS finding, so they pursued those claims on their own. Second, they filed in states with broader automated dialing statutes, Florida above all.
The FCC answered in part with the one-to-one consent rule, which does not hinge on ATDS classification at all. Even if your dialer is not an ATDS under Duguid, prerecorded voice calls or robotexts still need consent. And consent collected under an old shared-consent model is invalid after January 27, 2025.
For teams running power dialers or click-to-dial systems with no random number generation, Duguid may have narrowed your ATDS exposure, but it did nothing to your consent obligations for prerecorded messages or AI voices. Understanding what is cold calling in sales from a legal angle now means knowing which dialing technology you use and which legal regime applies to it.
What does a compliant consent form actually need to include?
Under the FCC's post-2025 framework, a prior express written consent form for autodialed marketing calls or texts has to contain [1][4]:
1. A clear, unambiguous disclosure that the consumer is authorizing calls or texts. 2. The name of the specific seller. If more than one, each named individually, with separate checkboxes. 3. The phone number the consumer is authorizing to be called. 4. A statement that consent is not required as a condition of purchase. 5. A statement that calls or texts may use an autodialer or prerecorded messages. 6. For texts, an approximate message frequency (required under CTIA guidelines, though the TCPA does not specify it directly).
What no longer works: a single checkbox reading "I agree to be contacted by our marketing partners" with a link to a partner list. That was standard lead-gen practice for years. It fails the one-to-one requirement as of January 27, 2025.
You also have to retain evidence of consent. Sued? You will need to produce the timestamp, the IP address, the form version, and the exact consent language the consumer saw at the moment they opted in. Courts have thrown out consent defenses where companies could not produce this documentation.
To build compliant consent records, the free tools at LeadCompliant.com include a consent form checker and a TCPA compliance kit that maps the FCC's current requirements to the specific form fields you need.
One practical move: if you use a third-party lead vendor, put it in the contract that they hand over the consent timestamp, IP address, form URL, and exact consent language for every lead. If they will not provide that, the lead is not safe to call under the post-2025 rules.
What should outbound teams actually change in their process right now?
Here is what the current rules require in practice, minus the legal hedging.
Audit your lead sources first. Every source you buy from needs a check against the one-to-one standard. Ask the vendor for sample consent language. If it reads "by clicking you agree to be contacted by our partners" without naming you specifically, those leads are non-compliant for TCPA purposes as of January 27, 2025.
Scrub before every dial session. Use the national DNC registry (at least every 31 days) plus any state lists that apply to your territory. Bake it into the workflow so nobody forgets it.
Document everything. Consent records, scrub logs, call recordings where legally required, opt-out requests and how fast you honored them. The TSR sets a 10-business-day window to honor opt-outs [2][11]. The TCPA does not set an exact window, but courts have treated slow honoring as evidence of willfulness.
Review your dialing technology. If you run a predictive or power dialer, know whether it meets the post-Duguid ATDS definition in the states you call into. If you use prerecorded messages or AI voices, written consent is required no matter the dialer type.
Train your reps on the basics. They need to know the call time window (8 a.m. to 9 p.m. local time at the called party's location under the TCPA [4]), how to handle an opt-out in real time, and what they can and cannot say under TSR disclosure rules.
Review your cold calling scripts and cold call scripts against current TSR disclosure requirements. The TSR requires disclosures at the outset of a sales call: the seller's name, that the call is a sales call, and the nature of the goods or services [11]. A script that jumps straight into the pitch without them is a TSR violation.
It is a lot. The structure is not complicated once you map it. The cost of skipping it is measured in per-call statutory damages.
Frequently asked questions
When did the FCC's one-to-one consent rule take effect?
The FCC's one-to-one consent rule, adopted in its December 2023 Report and Order (FCC 23-107), took effect January 27, 2025. Any lead contacted or generated after that date must have been consented under the new individual-seller requirement. Leads carrying older shared-consent forms are risky to call even if the form predates the effective date, because courts examine the form language itself.
Does the TCPA apply to text messages, or just phone calls?
Yes, the TCPA covers text messages. The FCC has consistently treated automated texts as calls under 47 U.S.C. § 227(b). Prior express written consent is required for autodialed or prerecorded marketing texts to cell phones. The one-to-one consent rule applies to texts too. A robotext blast to a purchased list without proper consent carries the same $500 to $1,500 per-message exposure as a voice call.
What is the difference between the FCC and FTC telemarketing rules?
The FCC enforces the TCPA (47 U.S.C. § 227), covering autodialed calls, prerecorded messages, and texts. The FTC enforces the Telemarketing Sales Rule (16 C.F.R. Part 310), covering deceptive practices, certain payment restrictions, and its own robocall prohibitions. Both can apply to the same call. Private plaintiffs can sue under the TCPA. TSR violations are pursued mainly by the FTC and state attorneys general.
Are B2B cold calls covered by the TCPA and TSR?
The TCPA's autodialed-call restrictions apply whether the number belongs to a business or a consumer, because the cell phone owner's consent is what matters, not the business context. The TSR historically exempted most B2B calls, but the FTC's 2023 proposed amendments would narrow that exemption for calls fitting certain fraud patterns. Check the number type: a business owner's personal cell is still a personal cell.
How often do I need to scrub my calling list against the Do Not Call registry?
The FTC's Telemarketing Sales Rule requires sellers and telemarketers to access and scrub against the national DNC registry at least every 31 days. Sit on a list for 60 or 90 days before running a campaign and numbers that registered since your last scrub are now protected. Build scrubbing into your workflow before each campaign run, not on a fixed monthly calendar.
What did the Supreme Court's Facebook v. Duguid decision mean for telemarketers?
The April 2021 Supreme Court ruling in Facebook v. Duguid narrowed the TCPA's ATDS definition to systems using random or sequential number generators. List-based dialers that do not generate numbers randomly may fall outside it. But prerecorded voice and AI voice violations do not require ATDS status, and Florida's FTSA uses a broader standard. Duguid reduced some exposure. It did not eliminate the need for consent.
Can I use a lead list I bought before January 27, 2025 for outbound calls?
Only if the consent behind each lead was one-to-one, named your company specifically, and met all other TCPA requirements when it was collected. Leads gathered under old shared-consent "marketing partners" language do not become compliant retroactively. If you cannot verify the consent language, calling that list with an autodialer or prerecorded message is risky. Manually dialed live-agent calls to non-DNC numbers carry a different, though not zero, risk profile.
What disclosures does the Telemarketing Sales Rule require at the start of a call?
The TSR requires that within the first 30 seconds of an outbound telemarketing call, the caller identify the seller's name, state that the purpose is a sales call, and identify the product or service. These disclosures must be truthful and made before any pitch begins. Failing to make them is a deceptive practice under the TSR, subject to FTC civil penalties up to $51,744 per violation.
What are the call time restrictions under the TCPA?
Under FCC rules at 47 C.F.R. § 64.1200(c)(1), telemarketers may not call residential numbers before 8 a.m. or after 9 p.m., measured at the called party's local time. The TSR contains the same restriction. Some states go further, and a few prohibit calls after 8 p.m. Always apply the stricter of the federal or applicable state rule for the number's area code.
How does Florida's FTSA differ from the federal TCPA?
Florida's Telephone Solicitation Act (amended effective July 1, 2021) uses a broader definition of automated calling systems than the TCPA's post-Duguid ATDS standard, does not require random or sequential number generation, and gives consumers a private right of action at $500 per violation. It applies to calls and texts to Florida numbers from any seller, regardless of the seller's location. It fills the gap Duguid left, at least in Florida.
What records do I need to keep to defend a TCPA lawsuit?
At minimum: the consent timestamp and date, the exact consent language the consumer saw, the URL of the consent form, the consumer's IP address at opt-in, the phone number consented, and your company name as it appeared on the form. You also need call logs showing when you called and from what number, DNC scrub records, and opt-out logs showing when requests came in and were honored. Courts have dismissed consent defenses where companies could not produce these records.
Does the FCC's AI voice ruling affect live sales agents using AI-assisted tools?
The February 2024 FCC ruling addresses AI-generated voices in calls, meaning calls where the voice itself is synthesized by AI. A live human agent using an AI tool for real-time talking points or transcription is not an AI-generated voice call. But if your tool auto-generates or delivers prerecorded AI-synthesized voice messages in the call flow, even as a greeting or voicemail, that portion is covered by the ruling.
What is the established business relationship (EBR) exception to the Do Not Call rules?
An EBR lets you call someone on the DNC registry if they made a purchase or transaction with you within the past 18 months, or made an inquiry or application within the past 3 months. The EBR applies only to calls from your company specifically. If you acquire a company or buy customer records, those customers' EBRs with the former company do not transfer to you. The EBR also does not override an explicit do-not-call request from that person.
What happens if a consumer tells my rep they want to be removed from our call list?
You honor it. Under the TCPA, once a consumer asks to be placed on your company-specific do-not-call list, you have to record the request and stop calling them. The TSR requires companies to honor opt-out requests within 10 business days. Calling after an opt-out is strong evidence of willfulness, which triggers the $1,500-per-violation tier instead of $500.
Sources
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires scrubbing against DNC registry every 31 days; civil penalties up to $51,744 per violation; 2023 proposed amendments cover AI voice disclosures
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA statutory damages are $500 per violation and $1,500 for willful or knowing violations; prohibits ATDS calls to cell phones without consent
- FCC, 47 C.F.R. § 64.1200, Delivery restrictions: Prior express written consent requirements for autodialed marketing calls; call time restriction 8 a.m. to 9 p.m. local time
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: FTSA amended effective July 1, 2021; broader ATDS definition than TCPA; private right of action at $500 per violation
- California Legislature, California Invasion of Privacy Act, Cal. Penal Code § 630 et seq.: CIPA governs call recording consent in California; used in litigation against outbound calling programs
- U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): ATDS under TCPA requires use of random or sequential number generator; issued April 2021
- FTC, National Do Not Call Registry, Information for Businesses: Sellers must access DNC registry before calling; established business relationship window is 18 months from purchase or 3 months from inquiry
- FTC, Complying with the Telemarketing Sales Rule guidance document: TSR requires within 30 seconds: identification of seller name, purpose as a sales call, and product or service; opt-outs must be honored within 10 business days