Last updated 2026-07-09

TL;DR
The TCPA (47 U.S.C. § 227) limits when and how you can call or text consumers. Each violation costs $500 to $1,500 per message or call. Your reps don't need the statute. They need five rules: get written consent before texting, scrub the DNC list before calling, never autodial a cell without consent, honor opt-outs the second they happen, and document everything.
What is the TCPA and why should a sales rep care?
The Telephone Consumer Protection Act, passed in 1991 and codified at 47 U.S.C. § 227, is the federal law that controls how businesses call and text consumers [1]. The FCC writes the rules. Courts enforce them. Private citizens sue you directly, and that last part is what most reps miss until a demand letter shows up.
Small doesn't mean safe. A single rep who fires off 500 unconsented texts has created $250,000 in exposure at the $500 baseline, or up to $750,000 if a court calls it willful. One rep. One bad afternoon.
The TCPA covers four activities: (1) calls to cell phones using an automatic telephone dialing system (ATDS) or prerecorded voice, (2) calls to residential landlines using a prerecorded or artificial voice, (3) texts to cell phones, treated legally the same as calls, and (4) calls to numbers on the National Do Not Call Registry [2]. Each category carries its own consent rules, and we'll walk through them in plain language.
Here's the honest framing for your team. The law isn't trying to stop them from selling. It's trying to stop spam. Follow three or four basic habits and they'll never be the person who triggers a lawsuit.
What does the TCPA actually prohibit in plain English?
The statute bars automated and recorded outreach to cell phones without consent, bans prerecorded telemarketing to landlines, and treats texts exactly like calls. Section 227(b)(1)(A) prohibits any call "using any automatic telephone dialing system or an artificial or prerecorded voice" to a cell phone without prior express consent [1]. That one sentence drives most TCPA litigation.
Break it down for your reps this way:
"Automatic telephone dialing system" (ATDS): software that dials numbers automatically instead of by hand. If the system generates the dial, it likely qualifies. The Supreme Court narrowed this definition in Facebook v. Duguid (2021), but predictive dialers and power dialers still get contested constantly [3].
"Prerecorded voice": any recorded message, voicemail drop, or ringless voicemail. The rep doesn't have to be on the line. If a recorded voice plays, TCPA coverage kicks in on a cell phone.
"Prior express consent": for general calls to a cell, the consumer must have agreed to be contacted. For telemarketing calls and texts, the bar is higher: prior express written consent, with a clear disclosure that they agree to receive autodialed or prerecorded messages [4].
On landlines: unsolicited prerecorded telemarketing calls are banned whether or not you use an autodialer. A rep reading a live script is generally fine. A recorded message with no consent is not.
Do Not Call is a separate bucket. The National DNC Registry, run by the FTC, restricts telemarketing calls to any registered number, landline or cell, no matter what technology you use [2]. Your reps need to see these as two different tests. You can fail one and pass the other, or fail both at once.
What are the penalties per violation, and how do real cases play out?
Statutory damages run $500 per violation, and a treble provision pushes that to $1,500 per willful or knowing violation [1]. There's no per-plaintiff cap in an individual case, and TCPA claims get filed as class actions all the time.
Put real numbers on it. The Cash App TCPA class action settlement reached $6.7 million, covering consumers who alleged they got texts without proper consent see [cash app tcpa class action settlement]. Credit One Bank settled a TCPA case for $12.5 million see [credit one tcpa settlement]. These aren't freak outcomes. TCPA class actions rank among the most commonly filed consumer suits in federal court.
The pattern repeats in nearly every case. A company had a list. The list lacked consent documentation. A consumer sued. Discovery showed they couldn't prove consent. That gap is exactly what your training needs to close.
Small teams face lower class action risk than big operations, purely because of scale. But individual suits and TCPA demand letters (where an attorney sends a settlement demand before ever filing) hit teams of any size. A single professional TCPA plaintiff can cost $5,000 to $35,000 to make go away, because fighting costs more than paying early. Training is cheap next to that.
What consent do reps need before calling or texting someone?
It depends on two things: the technology you're using and whether the call is a sale. Live manual calls need no TCPA consent (though DNC still applies). Anything autodialed, prerecorded, or texted for marketing needs prior express written consent. That's the whole map, and the table below fills it in.
| Scenario | Consent Required |
|---|---|
| Live manual call to cell, no pitch | None under TCPA (DNC rules may still apply) |
| Live manual call to cell, telemarketing | No TCPA written consent required, but DNC applies |
| Autodialed or prerecorded call to cell | Prior express consent at minimum |
| Autodialed or prerecorded telemarketing call/text to cell | Prior express written consent |
| Prerecorded call to residential landline, telemarketing | Prior express written consent |
| Text message for marketing purposes | Prior express written consent |
Prior express written consent for telemarketing means the consumer signed something, clicked a checkbox, or gave some affirmative agreement that specifically says they'll accept autodialed or prerecorded calls or texts from your company (or a company named by category) for marketing [4]. A generic "I agree to the terms" doesn't cut it. The FCC is explicit: the agreement has to clearly authorize the type of message you're sending.
For teams buying leads, the consent must name your company, or the lead form must clearly say the consumer agrees to hear from companies in a named category that matches your business. Third-party lead consent is a huge gray area and a litigation magnet. If a vendor says "fully consented," get the actual consent language and confirm it covers you by name or category before you dial [4].
Give reps this rule: if you can't show a record of consent, treat the number as unconsented until proven otherwise.
How do you explain the Do Not Call list to reps who have never heard of it?
The National Do Not Call Registry is a list of consumer phone numbers kept by the FTC [2]. People register their numbers to stop telemarketing calls. Telemarketers have to check the list before calling and can't call registered numbers, with narrow exceptions.
Reps need three facts about DNC:
First, the list covers landlines and cell phones both. There's no separate cell phone DNC list, despite the myth. The mobile phone do not call list article breaks down how cell numbers work in the registry. Short version: cell numbers can sit on the national list, and you have to respect it.
Second, a company that subscribes to the registry has to pull fresh data at least every 31 days before calling [10]. You access the registry before you dial, not after.
Third, there's an established business relationship (EBR) exception. If a consumer bought from you or asked about your product in the last 18 months, you can call them even if they're on the DNC list, as long as they haven't asked you directly to stop [10]. A direct request to stop overrides the EBR on the spot.
For most small teams the process is simple: subscribe to the national registry through the FTC, run your list against it before each campaign, and log that you did. That step is called "scrubbing." For the technical side of how to get the do not call list as a data file, the FTC provides access to organizations that register as telemarketing companies.
State DNC lists sit on top of this and run stricter in some places. Florida, Texas, and Indiana keep their own registries with their own rules. Calling into those states means checking both.
What should a rep do when someone asks to be removed or says stop texting?
Honor it right then. Opt-outs aren't optional, and there's no grace period you should rely on. Under the TCPA and FCC rules, when a consumer asks off your call list or replies STOP to a text, you stop [4]. The FCC's 2024 texting updates tightened this further: opt-out requests must be honored within a reasonable time, and any contact after a clear opt-out is almost certainly willful, which means $1,500 per message instead of $500.
Train your reps on this above everything else. The moment someone says "don't call me again," "take me off your list," "stop," or anything close, the call or message ends and the number goes into your internal DNC list. Not at the end of the shift. Not after the campaign. Right then.
For texts, your platform should process STOP replies automatically and pull the number before another message goes out. Handle opt-outs by hand and you're one busy afternoon away from texting someone who already said stop.
For live calls, the rep can say: "I've noted your request and I'm removing your number from our calling list right now. You won't hear from us again." Then they log it and remove it. Simple.
Timestamp every opt-out. The first thing discovery asks for is your opt-out records.
How should managers structure a TCPA training session for a sales team?
One 30-minute session for every new hire, scenario-based, backed by a signed acknowledgment and a 15-minute annual refresher. That's the whole program. Most reps won't survive a 90-minute compliance lecture, and they don't need one.
Here's the format that works.
One 30-minute session, once, for all new hires. Cover what the TCPA is (two minutes), the five rules they must follow (fifteen minutes), what to do when someone says stop (five minutes), and how to log calls and opt-outs (eight minutes). Keep it in real situations. Scenarios stick where statute text slides off.
The five rules, in plain language: 1. If you're using dialer software to blast calls or texts, get written consent first. 2. Check every number against the DNC list before it goes into a campaign. 3. The second anyone says stop, remove them and log it. 4. Never drop a prerecorded voicemail on a cell without prior consent. 5. Keep records of consent: where it came from, when, and what the consumer agreed to.
A short written acknowledgment. After training, each rep signs a one-page document confirming they got the training and understand the five rules. This protects the company if a rep goes rogue, and it signals you mean it.
Annual refreshers. TCPA rules move. The FCC issued new rules effective January 2025 around lead generation consent [5]. A 15-minute yearly refresher keeps the team current and documents your ongoing effort, which matters if you're ever audited or sued.
LeadCompliant's compliance kit includes a ready-made rep training checklist and consent documentation templates you can hand straight to your team, so you're not building from scratch.
For teams doing heavy cold calling, spend the most time on consent and DNC. That's where violations actually happen.
What records do reps need to keep, and for how long?
Keep consent records, DNC scrub logs, opt-out logs, and call and text logs for at least four years, because that's the TCPA statute of limitations. Records are the difference between winning and losing a TCPA suit. Have them and you can defend. Miss them and you're guessing, and juries don't reward guessing.
Here's the full list.
Consent records. Every lead gets a consent record: the date the consumer opted in, the exact language they agreed to, and the source (web form URL, call recording, signed document). Using a third-party lead vendor? You need their consent records, not their assurances.
DNC scrub logs. Before each campaign, scrub your list against the national registry. Log when you scrubbed, which version of the registry you used (the FTC updates it monthly), and which numbers came out.
Opt-out logs. Every opt-out request, timestamped, with the number, the date, and how it arrived (verbal on a call, text reply, web form).
Call and text logs. Your dialer and texting platform almost certainly log these already. Make sure you're keeping them and can pull them. Some platforms delete logs after 90 days by default.
How long? The TCPA carries a four-year statute of limitations [6]. Keep everything at least four years from the last contact with that consumer. Some practitioners hold records five years as a buffer.
For teams doing text message marketing, each subscriber's consent record should include the opt-in timestamp and the exact message they responded to. Screenshots of the opt-in flow make good supporting documentation.
What common mistakes do sales reps make that trigger TCPA violations?
The violations that show up in litigation and FCC enforcement are almost always process failures, not bad intent. Here they are, stripped of legalese.
Using a dialer without checking consent status. The rep loads a list into the softphone or power dialer and starts calling. Nobody verified whether those numbers had ATDS-compatible consent. This is the most common mistake, and it happens to reps who are otherwise careful.
Importing a purchased list and assuming consent is handled. Lead vendors love to call their leads "TCPA compliant," but that phrase has no legal meaning. After the 2024 FCC ruling that took effect in January 2025, one-to-many consent (a consumer agreeing to be contacted by a broad category of companies through one form) got heavily restricted [5]. A single consent for a single named company is now the cleaner standard.
Letting opt-outs sit in a spreadsheet. If the rep logs an opt-out but never pushes it to the platform, the platform may dial that number tomorrow. The opt-out process has to connect directly to the dialing list.
Leaving ringless voicemails without consent. Plenty of reps think ringless voicemail or "drop" services are legally different from calls. They aren't, for TCPA purposes. The FCC treats them as calls under the statute [8].
Calling back a number that already said stop. A lead gets recycled, or a manager pushes an old list back into the queue. If a number carries a prior opt-out in your system and shows up again, that call is a knowing violation.
Honestly, most violations aren't intentional. They're broken processes. The fix is less about policing reps and more about making the right thing the automatic thing: consent verified before the dial, scrubbing before the send, opt-outs that flow straight to the dialer's suppression list.
How do state laws layer on top of the TCPA for outbound teams?
The TCPA is a federal floor, not a ceiling. States can and do go stricter, and several have. Your reps can follow the federal rules perfectly and still break state law.
Florida's Telephone Solicitation Act (FTSA) requires prior express written consent before autodialed or prerecorded calls or texts to Florida numbers, close to the TCPA but paired with a private right of action that has driven a wave of Florida-specific litigation [7]. Florida also keeps its own do not call list.
California layers the California Consumer Privacy Act (CCPA) onto contact data, adding data-rights duties on top of calling restrictions [9]. If a California consumer asks you to delete their data, that's a CCPA obligation, separate from any TCPA opt-out.
Texas, Oklahoma, and Indiana all run state DNC registries. Calling into those states means scrubbing against the state list along with the national one.
For training, the rule is short: reps need to know which states they're calling into. If your campaigns hit specific states hard, build those rules into the training directly. A two-page state addendum, reviewed once a year, handles it without swamping anyone.
The do not call list overview lays out how state registries relate to the national one. For teams targeting Florida, the FTSA exposure is real and the plaintiffs' bar is busy. Know before you dial.
What tools help teams stay compliant without slowing down the sales process?
You need three pieces: a DNC scrubbing tool, a dialer or texting platform with automatic opt-out suppression, and a searchable consent tracking system. Good compliance infrastructure doesn't have to cost much. It has to be automatic.
A DNC scrubbing tool or service. Subscribe to the national registry directly through the FTC for $75 per area code per year (current FTC fee schedule), or use a third-party service that handles the subscription and matching [2]. Third-party scrubbing usually runs $0.01 to $0.05 per number, depending on volume. For small teams, the direct FTC subscription is often plenty. LeadCompliant's free do not call telemarketer list checker lets you verify numbers against the national registry before you build the campaign.
A dialer or texting platform with opt-out suppression built in. When someone texts STOP, the platform should add that number to a suppression list and block future messages with zero human steps. Most modern SMS platforms (Twilio, Bandwidth, and similar) do this natively. If yours doesn't, that's a platform problem worth fixing.
A consent tracking system. Nothing fancy required. A CRM field logging consent source and date, backed by the actual records (form screenshot, call recording URL, vendor consent documentation), is enough for most small teams. The one requirement is that it's searchable. When a plaintiff's attorney sends a demand letter about a specific number, you need that consent record in hours, not days.
For teams doing cold calls, a pre-campaign checklist (DNC scrub done, consent verified for any autodialed numbers, opt-out list updated) takes about ten minutes and closes most of the common violation paths.
How do you test whether your reps actually understand the TCPA rules after training?
Give them a five-question scenario quiz. Training you don't test doesn't stick. A signed acknowledgment is the floor. A short quiz built on real situations separates the reps who understood from the reps who nodded along, and it takes under ten minutes.
Scenario 1: A lead from last week gave their email on a web form, but the form never mentioned phone calls. Can you autodial them? (Answer: No. Consent has to specifically authorize autodialed calls.)
Scenario 2: A prospect says "I'm not interested, please don't call again" and hangs up. What do you do? (Answer: Log the opt-out immediately, pull the number from all active campaigns, add it to internal DNC.)
Scenario 3: A manager hands you 200 numbers from a purchased lead database. What do you check before dialing? (Answer: DNC scrub first, then confirm the consent records actually cover autodialed telemarketing calls if you're on a power dialer.)
Scenario 4: You want to send a voicemail drop to 500 cell numbers to save time. Okay? (Answer: Only with prior express consent from each of those cell numbers for prerecorded messages.)
Scenario 5: How long do you keep opt-out records? (Answer: At least four years.)
Reps who miss scenario 2 or 3 need a follow-up conversation. Those are the highest-risk mistakes in practice. Reps who nail all five don't need more basics, so move them to state-specific rules or advanced consent documentation.
Frequently asked questions
Does the TCPA apply to B2B sales calls?
The TCPA still applies to B2B calls if you're dialing a cell phone. The autodialer and prerecorded message rules cover cell numbers whether the person is a business owner or a consumer. The Do Not Call Registry is mainly a consumer tool, so registered residential numbers are covered and dedicated business lines generally aren't. But a business owner's personal cell is still protected under the TCPA's cell phone rules.
Can I call a cell phone manually without TCPA issues?
A truly manual call, where a human dials each digit with no automated equipment, generally falls outside the ATDS definition under the Supreme Court's 2021 Facebook v. Duguid ruling. But if the number sits on the national DNC list, you still can't make a telemarketing call to it, no matter how you dialed. Most modern sales dialers automate something, so "manual" is harder to prove than reps assume.
What counts as prior express written consent for texting?
The consumer must affirmatively agree, in writing (including electronic), to receive autodialed or prerecorded calls or texts from your company for marketing. The agreement must name or clearly identify who's sending the messages. A generic terms-of-service checkbox isn't enough. The FCC requires a clear and conspicuous disclosure of what the consumer is authorizing, and it can't be a condition of purchase.
What is the national Do Not Call Registry and how do I access it?
The National Do Not Call Registry is maintained by the FTC at donotcall.gov. Telemarketers register as a telemarketing organization and pay a fee (currently $75 per area code per year) to access the data. You download it, compare it against your calling list, and remove matches before dialing. The registry updates monthly. You must access it at least every 31 days while actively calling.
How quickly do you have to honor a do not call request?
You must honor a do not call request within a reasonable time, which the FTC and FCC treat as no more than 30 days. But a call made after a clear request, even inside that window, is still a violation if a court views it as willful. The practical standard for most teams should be immediate: log it the moment the rep hears it, and suppress the number before any further outreach.
Can a business get sued by one person for a TCPA violation, or is it always a class action?
Both. Individual TCPA suits are common, especially from professional plaintiffs who register on the DNC list and document calls carefully. Individual suits still produce $500 to $1,500 per violation in statutory damages, and many plaintiffs settle for a few thousand dollars rather than litigate, which makes demand letters a viable income stream for attorneys. Class actions happen when one violation hits many people from the same campaign or list.
What is the statute of limitations for TCPA claims?
Four years, under the general federal question statute of limitations at 28 U.S.C. § 1658. A consumer can file a TCPA claim up to four years after the offending call or text. That's why four-year record retention matters: if a lawsuit arrives in year three, you need consent and opt-out documentation from year one to defend it.
Do ringless voicemails require TCPA consent?
Yes. The FCC's position, reinforced in its 2018 declaratory ruling, is that ringless voicemails delivered straight to a consumer's voicemail without the phone ringing are still calls under the TCPA. They use a telephone network to deliver a prerecorded message to a cell phone, which requires prior express consent. Reps using voicemail drop services without verified consent carry the same liability as any other prerecorded call.
What happened to one-to-many lead consent after the 2024 FCC ruling?
The FCC issued a rule in December 2023, effective January 2025, requiring that TCPA consent in lead generation contexts be limited to a single, specifically named seller instead of a broad category of companies. A consumer opting in on a mortgage comparison site no longer grants consent to every lender who buys that lead. Each seller must be identified by name, or the consent flow must let the consumer choose specific companies. This changes how third-party leads should be evaluated.
What should I do if a lead vendor says their leads are TCPA compliant?
Ask for the actual consent language and the source URL where consent was collected. Verify that your company is named in that consent, or that the described category clearly covers your business. After the FCC's January 2025 rule change on one-to-many consent, blanket vendor claims of TCPA compliance aren't enough. If they can't produce the specific consent records, treat the list as unconsented for autodialing and texting.
Is there a difference between the TCPA rules for texts and calls?
The TCPA treats text messages the same as calls for the core autodialer and prerecorded voice rules. Both require prior express written consent for telemarketing. The practical difference is opt-outs: texts have a cleaner automated STOP mechanism, and text platforms are generally better at enforcing suppression lists automatically. Voice calls rely on human or system-level logging and suppression, which is harder to automate perfectly.
How often should sales reps be retrained on TCPA rules?
At least once a year, plus any time a significant rule change takes effect. The FCC issued major new rules in 2023 and 2024, and state laws like Florida's FTSA generate fresh case law every year. A 15-minute annual refresher paired with a written acknowledgment is enough for most teams. New hires should be trained before their first dial, not after their first week.
Does the TCPA apply to text messages sent through a CRM or email service provider?
Yes, if the CRM or platform sends texts using an ATDS, the TCPA applies. The platform's name doesn't matter; what matters is whether the system can autodial or send in bulk automatically. Most modern CRM texting tools qualify. Even one-off texts sent through a platform with bulk-sending capacity can draw scrutiny. Consent documentation is required no matter which tool you use.
Sources
- U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA statutory damages are $500 per violation, up to $1,500 for willful violations; core prohibition covers autodialed and prerecorded calls to cell phones without prior express consent
- Federal Trade Commission, National Do Not Call Registry: The National DNC Registry is maintained by the FTC; telemarketers must pay $75 per area code per year to access it; the registry covers both landlines and cell phones
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the ATDS definition in 2021, requiring that an autodialer store or produce numbers using a random or sequential number generator
- Federal Communications Commission, 47 CFR § 64.1200 (TCPA implementing rules): Prior express written consent for telemarketing requires a clear and conspicuous disclosure and an affirmative agreement; cannot be a condition of purchase; must specifically authorize autodialed or prerecorded calls/texts
- U.S. Code, 28 U.S.C. § 1658 (federal statute of limitations): The four-year federal statute of limitations applies to TCPA claims
- Florida Statutes § 501.059 (Florida Telephone Solicitation Act): Florida FTSA requires prior express written consent before autodialed or prerecorded calls or texts to Florida numbers and provides a private right of action
- California Attorney General, California Consumer Privacy Act (CCPA): CCPA imposes data rights obligations on California consumer contact data, including deletion rights, separate from TCPA opt-out requirements
- Federal Trade Commission, Complying with the Telemarketing Sales Rule: Telemarketers must access the DNC registry within 31 days before calling; the established business relationship exception lasts 18 months from last purchase or inquiry