What independent US agency enforces the TCPA?

The FCC is the primary federal agency that enforces the TCPA. Learn who else has authority, what fines apply, and how private lawsuits work.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-10

Empty federal office corridor in Washington DC, symbolic of TCPA regulatory enforcement
Empty federal office corridor in Washington DC, symbolic of TCPA regulatory enforcement

TL;DR

The Federal Communications Commission (FCC) is the independent US agency that writes and enforces the rules under the TCPA (47 U.S.C. 227). The FTC shares limited authority over certain do-not-call violations through the Telemarketing Sales Rule. Private citizens can sue directly, which is why most companies first meet the TCPA through a plaintiff's attorney, not a federal regulator.

What US agency enforces the TCPA?

The Federal Communications Commission enforces the Telephone Consumer Protection Act. Congress passed the TCPA in 1991 and handed the FCC explicit authority to prescribe regulations implementing the statute under 47 U.S.C. 227(b)(2). [1] The FCC writes the rules, interprets the vague terms, and brings its own enforcement actions against violators.

The FCC is an independent agency. It sits outside any executive department. Its five commissioners are appointed by the President and confirmed by the Senate, but they serve staggered five-year terms built to keep the agency at arm's length from day-to-day politics. [2] That independence has teeth. Major TCPA rulemaking can swing hard between administrations, but the enforcement machinery underneath keeps running.

The FTC has a role too, and it's narrower. The Federal Trade Commission enforces the Telemarketing Sales Rule (TSR) and administers the National Do Not Call Registry, which overlaps heavily with the TCPA's do-not-call requirements. [3] The FTC cannot bring a direct TCPA action. Its authority runs through the TSR and the FTC Act. So when you read that a company paid a fine for DNC violations, it could be an FCC action, an FTC action, a state attorney general action, or a private class-action settlement. Those are four different things, and the dollar math works differently in each.

State attorneys general can bring TCPA enforcement actions under 47 U.S.C. 227(g), which lets them file civil suits on behalf of state residents. [1] That provision gets used more than most compliance teams expect.

Who enforces the TCPA in practice, and how often do they actually act?

Private plaintiffs, not federal regulators, drive most TCPA enforcement. That's the honest picture. The statute gives any person who gets an unwanted call or text the right to sue for $500 per violation, trebled to $1,500 when the violation was willful. [1] No class certification is needed to recover statutory damages, which makes individual TCPA suits cheap to file and lucrative for plaintiffs' attorneys once they bundle them into class actions.

The FCC does issue forfeiture orders and consent decrees. Those actions are rare next to the thousands of private suits filed every year. The agency's Enforcement Bureau investigates complaints, issues notices of apparent liability, and can impose fines. A 2021 FCC forfeiture order against a Texas-based robocaller reached $225 million, though collecting large fines from fly-by-night operations is a separate headache entirely. [4]

The FTC pursues cases under its TSR authority and has collected big judgments, especially against debt collectors and warranty scam operations. TSR violations are not technically TCPA violations, even when the underlying conduct looks identical to a compliance officer.

For an outbound sales team, the real enforcement risk stacks up in this order: (1) private plaintiff or class action, (2) state AG action, (3) FCC enforcement, (4) FTC enforcement. Build your compliance program in that priority order. See TCPA news for recent enforcement updates across all four channels.

What exactly is the FCC's authority under the TCPA?

The FCC's authority under the TCPA is broad, and it has grown through decades of rulemaking. The core grant lives in 47 U.S.C. 227(b)(2), which directs the FCC to write regulations implementing the bans on autodialed calls, prerecorded voice calls, and fax advertising. [1]

Beyond that first grant, the FCC has used its power to define the terms Congress left fuzzy. The definition of an automatic telephone dialing system (ATDS) has been the most fought-over. The FCC issued orders in 2003, 2008, 2012, and 2015 that kept widening what counts as an ATDS, until the Ninth Circuit's 2018 ACA International decision and the Supreme Court's 2021 Facebook v. Duguid ruling yanked the definition back. [5] In Duguid, the Court held that an ATDS "must have the capacity either to store a telephone number using a random or sequential number generator or to produce a telephone number using a random or sequential number generator." The FCC then opened a fresh ATDS proceeding to respond. That whiplash shows how much of the substantive law flows from FCC rulemaking, not the statute's bare text.

The FCC also defines prior express written consent, sets the rules for revoking consent, and has issued guidance on reassigned number liability, which matters a lot to outbound callers whose lists go stale. The agency's Reassigned Numbers Database (RND) launched in 2021 and gives callers a safe harbor if they check it before dialing. [6]

On the do-not-call side, the FCC and FTC share the National DNC Registry. The FCC's rules implement the residential DNC protections that sit inside the TCPA itself (47 U.S.C. 227(c)), while the FTC's rules implement DNC protections through the TSR. [3] Both matter. Check both.

TCPA enforcement channels by penalty type Maximum statutory penalty per violation by enforcement actor FCC (per violation, standard cap) $10k FTC/TSR (per violation, 2024 cap) $52k Private plaintiff (willful violat… $1,500 Private plaintiff (standard viola… $500 Source: 47 U.S.C. 227, 47 U.S.C. 503, 16 C.F.R. Part 310 (FTC 2024 penalty figure)

How does the FCC actually bring an enforcement action?

The FCC's enforcement process starts with complaints. Consumers file them through the FCC's online complaint center, and the agency also takes referrals from carriers that spot illegal robocall traffic patterns under the STIR/SHAKEN caller ID authentication framework. [10]

The Enforcement Bureau reviews the complaints, investigates, and can issue a Notice of Apparent Liability (NAL) that names a proposed fine. The target gets to respond. The Bureau then issues a final forfeiture order. The target can pay, negotiate a consent decree (which usually bundles a compliance plan with a smaller payment), or fight the order in federal court.

FCC fines for TCPA violations can reach $10,000 per violation under 47 U.S.C. 503(b)(2)(D), with each individual call or text potentially counted separately. [8] In practice the FCC aggregates violations and applies a lump sum, but the theoretical exposure on a large campaign is enormous.

Consent decrees are the most common resolution in serious FCC TCPA cases. They close the investigation, require a civil penalty, and lock the company into a detailed compliance plan with reporting duties. Miss a compliance plan obligation and you can restart the enforcement clock.

Want to see how badly this goes for a real company? Look at UnitedHealthcare, which paid $2.5 million over alleged TCPA violations. That outcome was a consent decree with the FCC, not a private lawsuit, which shows the agency does act when the facts are clean.

What is the FTC's role in TCPA enforcement, and how does it differ from the FCC?

The FTC does not enforce the TCPA directly. Its authority comes from the Telemarketing Sales Rule (16 C.F.R. Part 310) and Section 5 of the FTC Act (15 U.S.C. 45), which bans unfair or deceptive acts in commerce. [9]

Here's where the overlap sits. Both the FCC's TCPA rules and the FTC's TSR ban calling numbers on the National Do Not Call Registry. Call a DNC number and the FCC can pursue a TCPA action, the FTC can pursue a TSR action, and a private plaintiff can sue under 47 U.S.C. 227(c). Three separate legal theories. In the ugliest cases, all three land at once.

The TSR carries its own consent requirements for prerecorded telemarketing calls, its own exemptions, and its own penalty structure under the FTC Act. Civil penalties under the FTC Act can reach $51,744 per violation as of 2024, and the FTC adjusts that figure annually for inflation. [9] That per-violation number often runs higher than the TCPA's $500/$1,500 private damages, which is why FTC enforcement can produce big headline totals even without a class action.

What this means for compliance: satisfy both rulebooks. Passing the FCC's TCPA requirements does not mean you pass the FTC's TSR, and the reverse is true too. They share a lot of ground and split apart in places, especially around B2B calls and certain exemptions.

Can state attorneys general enforce the TCPA?

Yes, and this gets overlooked. Section 227(g) of the TCPA explicitly authorizes state AGs to bring civil actions in federal district court on behalf of their residents. [1] The AG can seek an injunction, damages of $500 per violation (or $1,500 for willful violations, same math as the private right of action), and attorneys' fees.

Several states run active programs. Indiana's AG, for one, has pursued multiple TCPA-based actions. State AG enforcement tends to chase high-volume robocallers and warranty scammers rather than mainstream outbound sales shops, but that calculus shifts with who holds the office and which industries are generating constituent complaints.

Apart from the TCPA's own AG provision, most states run their own telemarketing statutes, mini-TCPA laws, or beefed-up DNC registries. Florida's Telephone Solicitation Act (FTSA) and Oklahoma's Telephone Solicitation Act each create state-law causes of action that can run alongside or exceed TCPA exposure. State law is its own topic, but it starts with one fact: federal enforcement is not the only enforcement out there.

Who enforces the TCPA when a private citizen sues?

Nobody enforces the TCPA on the plaintiff's behalf. The plaintiff enforces it. The TCPA's private right of action under 47 U.S.C. 227(b)(3) and 227(c)(5) lets any person sue in state or federal court without filing a complaint with the FCC first. [1] No government agency is involved unless it steps in as amicus or files its own parallel action.

This is the design feature that keeps TCPA litigation so busy. Congress built a self-executing enforcement engine into the statute. Every person on your call list is a potential plaintiff. Statutory damages of $500 per unwanted call or text stack fast once a class is certified. A 100,000-person campaign with a consent defect can theoretically expose a company to $50 million before trebling.

Real settlements confirm the scale. Credit One settled a TCPA class action after allegations of autodialed calls without consent. Cash App faced a TCPA class action settlement over similar claims at scale. Truist Bank reached a TCPA class action settlement over robocall practices. The pattern repeats: large calling program, consent gap, class action.

The practical read for a compliance owner is short. The plaintiff's bar is a more immediate threat than the FCC for most small and mid-sized outbound teams. Design your consent documentation, DNC scrubbing, and revocation processes to survive discovery in a class action, more than an FCC audit.

How do the FCC's TCPA rules interact with caller ID and robocall enforcement today?

The FCC has stacked new enforcement tools on top of the TCPA's original text in recent years, mostly through its robocall proceeding under the TRACED Act of 2019. [10] The TRACED Act directed the FCC to require STIR/SHAKEN caller ID authentication across voice networks. Major carriers finished that rollout by June 2021. [10]

STIR/SHAKEN does not create TCPA liability on its own, but it changes enforcement two ways. Carriers can now block calls that fail attestation, so non-compliant callers watch delivery rates collapse before any legal action gets filed. And the authentication records leave a cleaner evidentiary trail that the FCC and private plaintiffs can pull into litigation.

The FCC also requires voice service providers to keep a point of contact for traceback requests, which the Industry Traceback Group coordinates. When the FCC or a carrier suspects illegal robocall traffic, they can trace it to the originating provider within hours. That has shortened the gap between complaint and enforcement for high-volume bad actors.

For a legitimate outbound team, the takeaway is blunt. Caller ID compliance and STIR/SHAKEN attestation are now part of TCPA-adjacent compliance. Your terminating carrier's policies matter. If your traffic looks like robocall spam, your calls get blocked whether or not you technically have consent.

LeadCompliant's free robocall compliance checkers help you verify that your dialing infrastructure is registered properly before you run a campaign. Check your setup before your carrier flags your traffic.

What penalties can the FCC actually impose for TCPA violations?

The FCC can impose monetary forfeitures of up to $10,000 per violation under 47 U.S.C. 503(b)(2)(D), with each call or message counted separately. [8] The agency can also impose forfeiture amounts up to $100,000 per day for continuing violations, and up to $1,000,000 for any single act or failure to act.

Those statutory caps rarely get hit in isolation. The FCC usually calculates fines with its forfeiture guidelines, which start from a base amount and adjust up for the harm caused, the degree of culpability, a history of prior violations, and ability to pay. A first-time slip by a small company with modest harm draws a very different number than a systematic robocall campaign.

The $225 million forfeiture order against Texas-based Rising Eagle Capital Group in 2021 is the largest TCPA-related FCC fine on record, tied to roughly one billion illegal robocalls promoting health insurance. [4] The company appealed and the case ran into collection trouble, which shows the gap between a fine on paper and money in the bank.

For comparison, private TCPA settlements have produced some of the largest consumer protection payouts on record. The Albertsons/Safeway TCPA settlement and others in grocery and retail show that well-capitalized defendants settle rather than litigate to judgment, because trebled statutory damages at class scale are ruinous.

What is the difference between FCC TCPA enforcement and FTC DNC enforcement?

This table lays out the key differences:

DimensionFCC (TCPA)FTC (TSR/DNC)
Primary statute47 U.S.C. 22715 U.S.C. 45; 16 C.F.R. 310
Who can bring actionFCC, state AGs, private plaintiffsFTC, state AGs
Private right of actionYes, $500-$1,500/violationNo private right of action under TSR
Max civil penalty (agency)$10,000/violation (FCC)$51,744/violation (FTC, 2024) [9]
DNC registry adminShares with FTCAdministers registry operationally
Key coverageAutodialed/prerecorded calls, texts, faxesTelemarketing calls broadly
B2B exemptionsNarrowerBroader

The row that matters most is "Private right of action." There is none under the TSR. That single fact is why TCPA class actions flood the courts and TSR class actions basically don't exist. Plaintiffs need a private right of action to sue on their own behalf. The FTC has to bring TSR enforcement itself, which caps the volume.

For an outbound team, this splits your risk model in two. TCPA exposure (private suits) is a high-frequency, class-action-driven risk. TSR exposure (FTC enforcement) is lower-frequency but can produce very large per-violation fines when the FTC decides to move.

LeadCompliant's compliance kit covers the scrubbing, consent documentation, and calling hour rules you need to satisfy both frameworks. You can find it at leadcompliant.com.

How does the FCC coordinate with other agencies on TCPA enforcement?

The FCC and FTC operate under a formal memorandum of understanding (MOU) that splits enforcement responsibility for telemarketing law. [3] Under it, the FCC takes primary responsibility for TCPA enforcement, including the do-not-call rules baked into the TCPA itself. The FTC takes primary responsibility for the TSR, including its own version of the DNC rules. They share administration of the National DNC Registry, which runs on the FTC's donotcall.gov infrastructure.

In practice the two agencies refer cases to each other, share complaint data, and sometimes pursue coordinated actions against the same defendant. The 2020s brought more interagency cooperation on robocall enforcement, driven partly by the TRACED Act's mandate for cross-agency coordination. [10]

The Department of Justice steps in when TCPA violations cross into criminal fraud, though purely technical TCPA violations stay civil. DOJ has joined cases where the underlying scheme was fraudulent, not merely negligent.

Here's the practical upshot for a compliance team. There is no single agency to watch. Subscribe to the FCC's enforcement action feed, monitor the FTC's press releases, and track your state AG's consumer protection announcements. Enforcement trends surface in all three places before they hit companies that look like yours.

What should a small outbound team actually do with this information?

Knowing who enforces the TCPA tells you where your real risk lives. Most small teams will never face an FCC forfeiture order. They're far more likely to get a demand letter from a plaintiff's attorney, or a notice that they're named in a class action filed in federal court.

So your compliance priorities should map to private litigation risk, not regulatory audit risk. The conduct that generates private suits is specific: calling cell phones without prior express written consent, calling numbers on the DNC registry, calling after someone revokes consent, and running autodialing technology on lists where the consent paper trail is weak or gone.

Fix consent documentation first. A clear, TCPA-compliant consent disclosure at the point of capture, stored with a timestamp and the exact language the consumer saw, is your best defense in any forum: FCC, FTC, state AG, or federal class action.

Fix DNC scrubbing second. Scrub against the National DNC Registry at least every 31 days, the FCC's required interval. [6] Keep records of every scrub. Internal DNC lists count too. If someone tells you to stop calling, stop, and write it down.

For text message marketing, the written consent rules are stricter than for live calls. Get that documentation right before you run a single SMS campaign. See also text messaging marketing for the specific opt-in rules.

If you operate in a state with enhanced telemarketing rules, layer state-specific compliance on top. Florida, Oklahoma, Washington, and several others carry obligations that exceed the federal floor.

If someone is already suing you or threatening to, find a TCPA attorney in your jurisdiction now. For a sense of how local this practice has become, see tcpa lawyer kentucky as one example.

Frequently asked questions

What US agency enforces the TCPA?

The Federal Communications Commission (FCC) is the primary agency enforcing the TCPA under 47 U.S.C. 227. It writes the implementing rules, processes complaints, issues fines, and enters consent decrees. The FTC enforces the related Telemarketing Sales Rule (TSR) and administers the National DNC Registry, but cannot bring a direct TCPA action. State attorneys general can also sue under the TCPA on behalf of their residents.

Who enforces the TCPA?

Three parties enforce the TCPA: the FCC (through forfeiture orders and consent decrees), state attorneys general (through civil suits under 47 U.S.C. 227(g)), and private plaintiffs (through individual or class action lawsuits under the statute's private right of action). In practice, private plaintiffs and class action attorneys generate the vast majority of TCPA enforcement activity, not federal regulators.

Who enforces the TCPA for text messages?

The FCC enforces the TCPA for text messages under the same authority it uses for voice calls. The FCC has confirmed that texts to cell phones fall under the TCPA's ban on autodialed calls to mobile numbers. Private plaintiffs can also sue for illegal texts at $500-$1,500 per message. Because a single SMS campaign can hit millions of numbers, class exposure from texts can be enormous.

Can a private person really sue under the TCPA without going to the FCC first?

Yes. The TCPA's private right of action under 47 U.S.C. 227(b)(3) and 227(c)(5) requires no prior complaint to the FCC or any other agency. A person who receives an unwanted call or text can file suit in state or federal court immediately. This self-executing design is why the plaintiff's bar stays so active in TCPA litigation.

What is the maximum fine the FCC can impose for TCPA violations?

The FCC can impose monetary forfeitures of up to $10,000 per violation under 47 U.S.C. 503(b)(2)(D), with each illegal call or text counted separately. Higher caps apply for continuing violations (up to $100,000 per day) and for a single act (up to $1,000,000). The largest FCC TCPA-related forfeiture on record was $225 million against a robocaller in 2021.

Does the FTC enforce the TCPA?

No, the FTC does not enforce the TCPA directly. It enforces the Telemarketing Sales Rule (TSR) under its own authority. The TSR overlaps heavily with TCPA do-not-call requirements, but they're separate frameworks. One key difference: the TSR has no private right of action, so only the FTC (not consumers) can sue under it. This is why TCPA class actions are far more common than TSR enforcement cases.

Can a state attorney general sue under the TCPA?

Yes. Section 227(g) of the TCPA explicitly authorizes state attorneys general to bring civil actions in federal district court on behalf of state residents. They can seek injunctions, $500-$1,500 per violation in damages, and attorneys' fees. State AGs can also pursue parallel actions under their own state telemarketing statutes, which in some states impose additional or stricter requirements than the TCPA.

How does the FCC learn about TCPA violations?

The FCC learns about violations mainly through consumer complaints filed on its website, carrier referrals flagging suspicious traffic under the STIR/SHAKEN caller ID authentication system, and Industry Traceback Group traceback requests. The FCC's Enforcement Bureau reviews complaints, investigates, and can issue a Notice of Apparent Liability before entering a final forfeiture order or consent decree.

What is the difference between a TCPA violation and a DNC violation?

A TCPA violation is any act that violates 47 U.S.C. 227, including autodialing cell phones without consent, using prerecorded voices without consent, and calling residential DNC numbers. A DNC violation is specifically about calling numbers on the National Do Not Call Registry. DNC violations are a subset of TCPA violations. The FCC handles TCPA enforcement broadly; the FTC enforces DNC requirements through the separate Telemarketing Sales Rule.

How often does the FCC actually bring TCPA enforcement actions?

The FCC brings dozens of TCPA-related enforcement actions per year, ranging from small consent decrees with individual robocallers to major forfeiture orders against large operations. That number is small next to the thousands of private TCPA lawsuits filed annually. For most outbound sales companies, the odds of an FCC action are low; the odds of a private demand letter or class action are much higher.

Is the FCC independent from the White House?

The FCC is an independent regulatory agency. Its five commissioners are appointed by the President and confirmed by the Senate, serve staggered five-year terms, and cannot be removed except for cause. The President designates the chair. In practice, TCPA rulemaking shifts in emphasis between administrations, but the agency's core enforcement authority under the TCPA is set by Congress, not the executive branch.

Do I need to register with the FCC to do outbound calling?

No FCC registration is required simply to conduct outbound calling. You must still comply with FCC rules on consent, calling hours, DNC scrubbing, and caller ID. If you use a voice service provider or auto-dialing platform, that provider may carry its own registration or attestation requirements under STIR/SHAKEN rules. The FCC's Reassigned Numbers Database is a tool you should be checking, not registering with.

How do I file a TCPA complaint with the FCC?

Consumers and businesses can file complaints through the FCC's official consumer complaint center at consumercomplaints.fcc.gov. You describe the call or text, give the number that contacted you, and the date. The FCC may contact the company on your behalf or add the complaint to its enforcement database. Filing a complaint does not give you a damages award; you need to file a lawsuit separately to recover money.

What is the Reassigned Numbers Database and who runs it?

The Reassigned Numbers Database (RND) is run by the FCC and launched in January 2021. It tracks phone numbers that have been disconnected and reassigned to new subscribers. Callers who check the RND before dialing get a safe harbor against TCPA liability if they call a reassigned number in good faith. The safe harbor covers the first call after an unknown reassignment, not later calls once you know the number changed hands.

Sources

  1. U.S. Congress, Telephone Consumer Protection Act, 47 U.S.C. 227 (Legal Information Institute, Cornell Law School): The TCPA's private right of action, $500-$1,500 per violation damages, FCC rulemaking authority, and state AG enforcement provision all appear in 47 U.S.C. 227.
  2. Federal Trade Commission, National Do Not Call Registry: The FTC administers the National Do Not Call Registry and enforces DNC requirements through the Telemarketing Sales Rule under its own statutory authority, separate from the TCPA.
  3. Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court's 2021 Facebook v. Duguid decision narrowed the TCPA's definition of an automatic telephone dialing system (ATDS), holding an ATDS must have the capacity to store or produce numbers using a random or sequential number generator.
  4. Federal Communications Commission, Reassigned Numbers Database: The FCC requires callers to scrub against the National DNC Registry at least every 31 days and launched the Reassigned Numbers Database in 2021 to help callers avoid liability for reassigned numbers.
  5. U.S. Congress, 47 U.S.C. 503, FCC forfeiture authority (Legal Information Institute, Cornell Law School): The FCC can impose monetary forfeitures of up to $10,000 per violation, up to $100,000 per day for continuing violations, and up to $1,000,000 for a single act under 47 U.S.C. 503(b)(2)(D).
  6. Federal Trade Commission, Telemarketing Sales Rule, 16 C.F.R. Part 310: The FTC enforces the Telemarketing Sales Rule under 15 U.S.C. 45 and 16 C.F.R. Part 310; civil penalties can reach $51,744 per violation as of 2024, adjusted annually for inflation.
  7. U.S. Congress, TRACED Act of 2019, Public Law 116-105 (Congress.gov): The TRACED Act of 2019 directed the FCC to require STIR/SHAKEN caller ID authentication; major carriers completed implementation by June 2021, and the Act mandated cross-agency coordination on robocall enforcement.
  8. Federal Communications Commission, Consumer Complaint Center: Consumers can file TCPA complaints directly with the FCC through its online complaint center; the FCC uses complaint data to identify enforcement targets.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit