Last updated 2026-07-09

TL;DR
The Telephone Consumer Protection Act (47 U.S.C. § 227) restricts autodialed calls, prerecorded messages, and texts to cell phones. Each unauthorized contact costs $500, or $1,500 if the violation was willful. The core rules: written consent before marketing texts and autodialed cell calls, no calls before 8 a.m. or after 9 p.m. local time, and a DNC re-scrub at least every 31 days.
What is the TCPA and who does it apply to?
The Telephone Consumer Protection Act became law in 1991 and lives at 47 U.S.C. § 227 [1]. It sets the rules for how businesses can phone or text people. The Federal Communications Commission (FCC) writes the regulations that fill in the details, published at 47 C.F.R. Part 64, Subpart L [2].
The law reaches any person or company that makes telephone solicitations, uses an automatic telephone dialing system (ATDS), plays a prerecorded or artificial voice, or sends commercial texts. That means B2C sales teams, marketing agencies, debt collectors, political campaigns, and charities. B2B calls get no blanket pass. Dial a cell phone that a businessperson also uses personally, and the TCPA still applies.
A lot of small teams assume TCPA is a big-call-center problem. It isn't. A five-person sales team blasting SMS through Twilio or Salesforce Marketing Cloud carries the same exposure as a 500-seat dialer shop. Private plaintiffs can sue over every single contact, and class actions have settled for tens of millions. UnitedHealthcare paid $2.5 million to resolve alleged TCPA violations, and that number is ordinary for a mid-size defendant.
The FCC gets its authority from Congress. But state attorneys general and private citizens can enforce the statute directly, and there's no arbitration clause the agency can force onto plaintiffs. That private right of action is the engine behind the whole TCPA litigation industry.
What calls and texts does the TCPA actually cover?
The statute covers three kinds of communication, and each one carries its own consent standard.
Autodialed calls and texts to cell phones. An ATDS, defined at 47 U.S.C. § 227(a)(1), is equipment with the capacity to store or produce phone numbers using a random or sequential number generator and to dial them. The Supreme Court tightened this in Facebook, Inc. v. Duguid (2021), ruling that a system qualifies only if it uses a random or sequential number generator, not any system that dials automatically [3]. The decision helped some defendants. Plenty of modern dialers still qualify, and the litigation risk never went away.
Prerecorded or artificial voice calls. Any call that plays a recorded message the second someone picks up falls under TCPA restrictions, no matter what equipment placed it. That sweeps in voicemail drops and ringless voicemail, which the FCC treats as covered [2].
Calls to landlines for telemarketing. Prerecorded telemarketing calls to residential landlines need prior express written consent. Live-agent landline calls follow slightly different rules under the FTC's Telemarketing Sales Rule, but the TCPA's calling-hour and DNC provisions still bite.
Text messages count as calls under the TCPA. A text to a cell phone using an ATDS needs the same consent as an autodialed call. Short-code campaigns, 10DLC campaigns, and even some one-to-one CRM messages can qualify if the platform underneath has ATDS traits.
Fax solicitations are covered too, under 47 U.S.C. § 227(b)(1)(C), though that corner sees far less litigation now.
What consent is required before calling or texting someone?
Consent is the fight in almost every TCPA case. The FCC recognizes three tiers, and the tier you need depends entirely on what you're sending and where [2].
| Communication type | Required consent tier | Form required |
|---|---|---|
| Autodialed or prerecorded call/text to cell phone for marketing | Prior express written consent | Written signature (electronic OK) |
| Autodialed or prerecorded call/text to cell phone, informational only | Prior express consent | Oral or written |
| Live-agent telemarketing call to residential landline | Prior express invitation or permission | Oral or written |
| Prerecorded telemarketing call to residential landline | Prior express written consent | Written signature (electronic OK) |
Prior express written consent for marketing means a written agreement that clearly authorizes the seller to send autodialed or prerecorded messages, discloses that consent is not a condition of purchase, and names the specific phone number. The FCC locked in that standard in its 2012 Report and Order (FCC 12-21) [2].
In 2024 the FCC added a new twist: written consent has to name the specific seller, not a lead-generation aggregator that then hands the consent to dozens of downstream callers [4]. That rule took effect in January 2025. So if you buy leads from a third party, the consent that vendor collected almost certainly does not cover your calls unless your company is named by name.
Consent dies the moment someone revokes it, by any reasonable means. The FCC confirmed back in 2015 that a consumer saying "stop calling me" or texting "STOP" pulls consent, and you have to honor it fast. Ignore a revocation and each later contact is a separate willful violation.
For the mechanics of a clean opt-in, see text message marketing and text messaging marketing.
What are the TCPA calling hour restrictions?
The TCPA bans telephone solicitations to residences before 8 a.m. or after 9 p.m. in the called party's local time [1]. Read that again: the recipient's time zone, not yours. A New York team calling California at 9:30 p.m. Eastern is reaching them at 6:30 p.m. local, which is fine. A California team calling New York at 9:00 p.m. Pacific is ringing a phone at midnight. That's a violation.
The window applies to telephone solicitations, meaning calls that push a purchase. Purely informational calls or account calls to existing customers may have more room under some readings. The safe move is to run every outbound campaign inside the 8 a.m. to 9 p.m. window and stop guessing.
Some states go tighter. Florida's Mini-TCPA (the FTSA) once capped calls at 8 a.m. to 8 p.m. before amendments loosened it. Check the state rules before you assume the federal floor is your only limit.
How does the National Do Not Call Registry affect TCPA compliance?
The National Do Not Call (DNC) Registry runs under the FTC's rules at 16 C.F.R. Part 310, enforced separately from the FCC's TCPA rules, and the two overlap [5]. A consumer who registers is telling the world to stop the telemarketing. Call a registered number and you've broken both the Telemarketing Sales Rule and the TCPA's own do-not-call provision at 47 C.F.R. § 64.1200(c).
Access costs money. As of 2024, the FTC charges $79 per area code per year, capped at $18,503 for the full national list [5]. Any organization making more than a handful of telemarketing calls a year needs an account.
Scrub frequency is where teams get burned. The FCC requires you to check the DNC list and your internal list before calling, and re-scrub at least every 31 days [2]. Say someone added their number 45 days ago and you last scrubbed 60 days ago. That call is on you.
Three exemptions exist. The consumer gave prior express invitation or permission. The consumer has an established business relationship with you (EBR). Or the call isn't commercial. The EBR exemption has a clock: for telemarketing, it runs 18 months from the last purchase or transaction and 3 months from a consumer inquiry [2]. Write down those dates.
For the consumer side of the story, see how to stop robocalls.
What are the TCPA penalties per violation?
Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per violation, and up to $1,500 per violation when the court finds the conduct knowing or willful [1]. There's no cap per plaintiff or per case. That's the part that makes class actions so dangerous. A campaign that fired off 100,000 unauthorized texts is staring at $50 million in statutory damages before any willfulness multiplier.
Courts can move the number up or down, but they rarely drop below $500. Repeat violators who had notice of the problem have seen awards trebled.
Real settlements paint the exposure better than any statute:
- Credit One Bank TCPA settlement: claims over autodialed calls to cell phones.
- Truist Bank TCPA class action: allegations of unwanted calls.
- Cash App TCPA class action: fintech exposure in one place.
- Albertsons and Safeway TCPA settlement: a grocery SMS campaign that drew class claims.
The FCC can also assess civil forfeitures on its own, up to $23,727 per violation, separate from any private lawsuit [2].
Here's the honest part. Most small companies settle fast because defense costs alone, even on a junk claim, run $50,000 to $200,000 in attorney fees before trial. Plaintiffs' attorneys work on contingency and they know the math cold.
What written policies and records does a TCPA compliance program require?
The FCC rules at 47 C.F.R. § 64.1200(d) require any entity making telephone solicitations to keep specific written policies and procedures [2]. These aren't suggestions. If you can't produce them during litigation or an FCC investigation, you forfeit the procedural defense that might cap your liability.
What a written do-not-call policy has to include: 1. A written policy, available on demand, describing your DNC procedures. 2. Training for everyone who makes telephone solicitations. 3. A company-specific DNC list logging every number where a person asked not to be called. 4. A process to honor DNC requests within 30 days. 5. A step that cross-references your internal DNC list before every outbound campaign.
The policy is only half of it. You also need consent records: the source (web form, verbal recording, paper form), the date and time collected, the IP address or session ID for web consent, and the exact language the consumer saw. The burden of proving consent sits with the caller, never the consumer [2].
Call recordings work as evidence for verbal opt-ins where recording is legal, which is why so many companies record inbound calls. On retention, there's no federal minimum for consent records, but TCPA claims land years after the fact. Keeping records at least four years is the sane default.
LeadCompliant's free compliance kit includes a policy template and a consent-log checklist you can adapt instead of building from a blank page.
Do the TCPA rules apply differently to B2B calls?
Partly. The autodialer and prerecorded-voice restrictions apply to any call or text sent to a cell phone, consumer or businessperson, no difference. Dial a sales rep's mobile with an ATDS and you need consent, even for a B2B pitch.
The do-not-call rules at 47 C.F.R. § 64.1200(c) apply to "residential telephone subscribers," so they technically don't cover calls to business landlines or numbers used only for business. The National DNC Registry likewise covers residential numbers.
In the real world the line blurs, because most business contacts now use a cell phone as their main number, and that number is often personal too. The safe play for any B2B campaign hitting mobiles is to treat them exactly like a B2C campaign.
The FTC's Telemarketing Sales Rule (16 C.F.R. Part 310) has an explicit B2B carve-out for certain calls. The TCPA has no such thing. Separate statutes, separate agencies, separate answers.
How do state telemarketing laws stack on top of TCPA?
The TCPA is a federal floor, not a ceiling. States can pile on stricter rules, and they've been doing it hard since 2021.
Florida passed the Florida Telephone Solicitation Act (FTSA) in 2021. It covers texts and calls made with any "automated system," a broader net than the federal ATDS definition after Facebook v. Duguid, and it hands consumers a private right of action worth $500 per violation [6]. The state amended it in 2023 to require an opt-in cure opportunity before suit, but it's still one of the most litigated state telemarketing laws in the country.
California stacks its own layers. The Invasion of Privacy Act (CIPA, Penal Code § 637.2) creates exposure for recording calls without consent [7], and the Consumer Privacy Act adds data-use obligations. Washington, Texas, and Oklahoma run their own mini-TCPA statutes.
So the job is concrete: map every state where your called parties live and layer in the local rules. This isn't paperwork for its own sake. Florida and California together drive a lopsided share of all TCPA and state telemarketing suits.
For ongoing state-by-state developments, see tcpa news.
What are the most common TCPA violations that lead to lawsuits?
The settled cases and FCC enforcement history keep repeating the same handful of mistakes.
No consent, or stale consent. The caller had consent years ago and assumed it aged like wine. Or a lead vendor collected it and never named the actual caller. The FCC's 2024 one-to-one consent rule [4] makes this trap worse for lead buyers.
Contacting someone after they revoked. A consumer texts STOP or says "remove me," and the CRM doesn't suppress the number fast enough. One more contact after a clear revocation is a willful violation, and willful means $1,500.
Scrubbing gaps. The team scrubs monthly, but the campaign runs on day 35. Numbers added during that gap get dialed.
Wrong time-zone logic. The platform defaults to the sender's clock instead of the recipient's, and evening calls turn into after-hours violations.
Assumed EBR coverage. Sales reps think any past customer is fair game forever. The 18-month clock ambushes them.
Third-party lead liability. The company bought leads and trusted the vendor on consent. Courts have put the liability on the calling party, not the vendor.
See Joseph Snyder v. Credit One for how an autodialer consent fight actually unfolds in court.
How should a small outbound team build a TCPA compliance checklist?
A working compliance program needs neither a legal department nor pricey software. It needs a short list of things done the same way every time.
Before any campaign launches:
- Identify the communication type (marketing vs. informational) and the consent tier it demands.
- Decide whether your platform qualifies as an ATDS. If it can blast a list without a human touching each number, assume it does.
- Confirm you hold documented, named, dated written consent for every number on the list.
- Scrub against the National DNC Registry (requires an FTC account) and your internal DNC list.
- Set calling hours to the recipient's local time.
After each campaign:
- Log every STOP, opt-out, or verbal DNC request to your internal suppression list within 24 hours.
- Re-scrub the DNC list before any new campaign if more than 31 days have passed.
- Retain consent records at least four years.
- Update your written policy whenever you add a channel (say, cold calls to SMS).
When buying leads:
- Get contractual reps that consent was collected under the FCC's one-to-one standard and that your company is named specifically.
- Spot-check a sample. Call or text a few individuals and ask if they remember opting in to your company by name. If they don't, you have a consent problem before message one goes out.
LeadCompliant runs a free TCPA compliance kit and number-status checker at leadcompliant.com, built for teams without in-house counsel.
For what skipping these steps looks like at scale, Kaiser's TCPA settlement is a useful read.
What recent FCC rule changes affect telemarketing compliance right now?
Two changes matter most for outbound teams right now.
One-to-one consent rule (effective January 2025). The FCC's 2024 Report and Order requires that written consent for autodialed or prerecorded marketing calls and texts name a single seller [4]. A lead form listing dozens of partner companies no longer satisfies the TCPA for those downstream callers. This changes how any lead buyer should judge a purchased list. If your source got consent before January 2025 under the old multi-seller model, that consent doesn't cover your calls now.
Revocation rules (also effective January 2025). The same order says consumers can revoke consent by any reasonable means at any time, and businesses have to honor it within a reasonable window, capped at ten business days [4]. Texting STOP, replying to a call, emailing, or saying it out loud all count.
The Facebook v. Duguid decision from April 2021 remains the operative Supreme Court definition of ATDS [3]. After Duguid, a platform that only dials from a fixed, pre-uploaded list with no random or sequential generation has a real argument that it isn't an ATDS. But that argument only helps if you also have proper consent, clean DNC scrubbing, and correct calling hours. Leaning on Duguid as your main defense is a thin plan.
Frequently asked questions
Does the TCPA apply to text messages?
Yes. The FCC has consistently treated SMS and MMS as calls under 47 U.S.C. § 227. A text sent through an automated platform to a cell phone needs the same prior express written consent as an autodialed marketing call. Texts sent manually, one at a time, from a standard cell phone with no automation arguably fall outside TCPA scope, but almost no real marketing program works that way.
Can I call someone who gave me their number on a website form?
Only if the form disclosed they were consenting to autodialed or prerecorded calls or texts from your specific company, and made clear consent wasn't required to buy anything. A plain contact form that grabs a phone number establishes no TCPA consent. Since January 2025, the FCC also requires your company to be named in the consent, not a lead aggregator standing in front of dozens of callers.
What is the established business relationship (EBR) exemption under TCPA?
An EBR exempts you from the residential DNC rules, not from the consent requirement for autodialed or prerecorded calls to cell phones. For telemarketing, the EBR lasts 18 months from the last purchase, transaction, or payment, and 3 months from a consumer inquiry or application. After that window it's gone. Document the dates precisely, because they often become the central dispute in litigation.
How much does it cost to access the National DNC Registry?
The FTC charges $79 per area code per year, capped at $18,503 for full national access as of 2024. Organizations making five or fewer calls a year can access the list free. Registration runs through the FTC's telemarketer portal and requires a business account. Many compliance platforms bundle DNC scrubbing into their subscription, which saves small teams the hassle.
What happens if I accidentally call a number on the DNC list?
If it was a one-off error and you have written DNC procedures, training records, and no pattern of violations, the safe harbor at 47 C.F.R. § 64.1200(c)(2)(i) may shield you from TCPA liability for that call. The safe harbor requires implemented written procedures, trained personnel, and an unintentional violation. A pattern of DNC calls destroys the argument entirely.
Can a business contact's personal cell phone still trigger TCPA?
Yes. TCPA attaches to the number, not to who owns the phone or how it's used. If a business contact's cell is also their personal phone, which is nearly universal now, an autodialed marketing call to that number needs prior express written consent. Your intent and the business context of the relationship don't change the analysis one bit.
What is prior express written consent and how do I document it?
Prior express written consent under FCC rules is a written or electronic agreement that authorizes autodialed or prerecorded marketing contacts, clearly states consent is not a condition of purchase, and is signed by the consumer. Electronic signatures count. Your documentation should capture the date, time, IP address, and exact language the consumer agreed to. Keep those records at least four years.
Does the TCPA cover ringless voicemail?
The FCC's position, stated in its rulemaking proceedings, is that ringless voicemail or "direct-to-voicemail" is a call under the TCPA and needs the same consent as a standard autodialed call. Several courts agree. Treating ringless voicemail as a way around consent is a litigation risk, not a compliance strategy.
How does the 2021 Facebook v. Duguid decision change TCPA compliance?
The Supreme Court held in April 2021 that an ATDS must use a random or sequential number generator to store or produce numbers, more than dial automatically. That narrowed the ATDS definition and gave some defendants an argument that their tech isn't an ATDS. Consent requirements, DNC obligations, and calling-hour limits all still apply regardless. Duguid helps on one issue and eliminates none of your other exposure.
What do I need to do when someone asks me to stop calling or texting them?
Honor it immediately and add the number to your internal DNC list within 30 days, though 24 hours is the practice you want. Under the FCC's 2024 rules effective January 2025, businesses must honor revocations within ten business days. Any contact after a clear revocation is a willful violation, which pushes damages to $1,500 per contact. Verbal, written, or text requests (STOP, unsubscribe, remove me) all count.
Are there TCPA exemptions for nonprofits or political campaigns?
Nonprofit calls made for non-commercial purposes are generally exempt from the residential DNC rules and from some consent requirements for prerecorded calls. Political campaign calls are exempt from the DNC rules for live-agent calls but still need consent for autodialed calls to cell phones. Neither is a free pass. Autodialing a cell phone for any purpose, political included, needs consent once the ATDS standard is met.
How long does a TCPA lawsuit take and what does it cost to defend?
Defending a single TCPA claim through summary judgment typically runs $50,000 to $200,000 in attorney fees, depending on complexity. Class actions cost far more. Cases often settle within six to eighteen months. Because plaintiffs' attorneys work on contingency, they can file cheap and wait you out. The economics push small defendants toward early settlement, even when the underlying claim is weak.
What is the TCPA statute of limitations?
The TCPA sets no limitations period of its own, so federal courts apply the closest state statute or, in many circuits, the four-year federal catch-all under 28 U.S.C. § 1658. Some circuits have used shorter periods. The practical answer: retain consent records and campaign logs at least four years from the date of each communication.
Do I need a lawyer to build a TCPA compliance program?
Not for the basics. Written DNC policies, consent documentation, calling-hour controls, and DNC scrubbing all run on templates and standard platform settings. Do consult a TCPA attorney before high-volume campaigns, new technology like AI dialers, or buying lead lists, because those raise risk that templates alone don't cover. This article is not legal advice.
Sources
- U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA statutory damages are $500 per violation and up to $1,500 for knowing or willful violations; calling hours restricted to 8 a.m. to 9 p.m. local time of called party
- FCC, 47 C.F.R. Part 64 Subpart L (Telemarketing and Telephone Solicitation regulations): FCC implementing regulations covering written consent requirements, DNC scrubbing every 31 days, EBR durations, written policy requirements, and ringless voicemail coverage
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): An ATDS must use a random or sequential number generator to store or produce numbers; systems that only dial from a fixed pre-uploaded list may not qualify
- FTC, National Do Not Call Registry, Fees and Registration: DNC Registry access costs $79 per area code up to a national cap of $18,503 as of 2024
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida FTSA imposes $500 per violation private right of action and uses a broader automated system definition than the federal ATDS standard post-Facebook v. Duguid
- California Legislative Information, CIPA Penal Code § 637.2: California Invasion of Privacy Act provides private right of action for unauthorized call recording, creating additional exposure for outbound callers in California
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC's TSR governs telemarketing practices including DNC compliance, B2B exemptions, and works in conjunction with TCPA
- Congress.gov, 47 U.S.C. § 227(b)(3) statutory damages text: Private right of action provides $500 per violation and court discretion to triple to $1,500 for willful violations; no statutory cap on total class damages