Last updated 2026-07-11

TL;DR
A TCPA call monitoring program for a small team means recording calls, checking consent before each dial, scrubbing against the federal and internal DNC lists, and reviewing samples weekly. The statute (47 U.S.C. § 227) sets fines at $500 to $1,500 per violation. You don't need expensive software to start. You do need a written process.
What is a TCPA call monitoring program and why does a small team need one?
A TCPA call monitoring program is a documented, repeatable process for making sure every outbound call your team makes follows the Telephone Consumer Protection Act. The right consent is on file. The number isn't on a do-not-call list. Your dialing equipment qualifies under current FCC rules. And someone is actually reviewing calls after the fact to catch drift.
Small teams skip this because they assume TCPA is a big-company problem. It isn't. Plaintiffs' attorneys file TCPA suits against companies of every size, and a single campaign to a few thousand numbers can generate six-figure exposure fast. The statute at 47 U.S.C. § 227(b)(3) says a person can recover "$500 in damages for each such violation" and up to $1,500 if the violation was willful [1]. Send 10,000 texts without proper consent, and that math gets ugly before you've hired a lawyer.
A formal program matters even for a five-person sales team because "we didn't know" is not a defense under TCPA. Willfulness is judged partly by whether you had processes to prevent violations. A written monitoring program with dated audit logs is evidence of good faith. Its absence is evidence of the opposite.
You can learn the full statutory framework at our tcpa overview, which covers the consent tiers, the equipment definitions, and the FCC's role in issuing interpretive orders.
What does TCPA actually require for outbound calls and texts?
The statute has two main tracks, and most small teams mix them up.
For calls and texts to cell phones using an automatic telephone dialing system (ATDS) or a prerecorded voice, you need prior express written consent [1]. The FCC's 2012 rules tightened this to require a written agreement, signed by the consumer, that explicitly authorizes autodialed or prerecorded calls to a specific number for a specific purpose [2]. An oral agreement doesn't qualify here.
For calls to residential landlines using a live agent and no autodialer, you need prior express consent, which is a lower bar. A consumer who gave you their number during a transaction has arguably given express consent for calls related to that transaction.
The National Do Not Call Registry rules sit on top of both tracks. If a number is on the federal DNC list, you generally cannot make telemarketing calls to it at all, regardless of dialing method, unless you have an established business relationship or written permission [3]. The FTC maintains the registry. The FCC enforces the TCPA side of DNC compliance.
For a practical breakdown of how cold calling fits into this framework, including which calls need which tier of consent, that article walks through the live-agent rules in detail.
Here's the piece small teams miss: the 2024 FCC one-to-one consent ruling. It requires that any prior express written consent name the specific seller making the calls. A consent that just said "marketing partners" stopped being legally compliant for new calls starting January 27, 2025 [4]. If your leads came from a shared-consent lead generator under the old model, those consents need a fresh look.
What are the core components of a call monitoring program?
Six pieces. Every small team needs all of them eventually, though you don't have to build them all in week one.
1. Consent documentation system. Before a rep dials, someone has to know that valid consent exists for that number and that the consent type matches the dialing method. This can be as simple as a CRM field with a consent source, date, and opt-in URL. What it cannot be is "we trust the vendor who sold us the list."
2. DNC scrubbing. You must scrub against the federal registry at least every 31 days if you're calling numbers your team pulled more than a month ago [3]. You also need an internal suppression list, because a consumer who tells your rep "take me off your list" gets a request that must be honored within 30 days under 47 C.F.R. § 64.1200(d)(3) [2].
3. Call recording. This is your paper trail. Most states allow one-party recording (the rep consents by recording), but a handful require all-party consent. Check state law before recording. Store recordings for at least four years to match TCPA's statute of limitations.
4. Sample call review. Someone needs to listen to calls. Not all of them. A random sample of 5 to 10 percent of dials per week is enough for a small team to catch reps going off-script, dropping required disclosures, or mishandling opt-out requests.
5. Incident logging. When something goes wrong, write it down. Date, rep, number dialed, what happened, what you did to fix it. This log is your proof of remediation if a complaint ever turns into litigation.
6. Written policy. A one- to two-page document that describes all the above, who owns each step, and what happens when a violation is found. Reps sign it at onboarding. You update it when FCC rules change.
How do you set up DNC scrubbing on a small budget?
The federal DNC registry charges by area code access. Under the FTC's current fee schedule, the first five area codes are free, each additional area code costs $79 per year, and full national access costs around $18,341 per year [5]. For most small teams calling a regional territory, buying only the area codes you dial keeps annual costs under a few hundred dollars.
You access the registry through the FTC at telemarketing.donotcall.gov. Your organization registers, pays, and downloads the data as a .txt file. You load it into your CRM or dialer and suppress any matching numbers.
The 31-day re-scrub rule catches teams that download once and forget. Set a calendar reminder. If your dialer has built-in DNC integration, confirm in writing with the vendor that their sync frequency meets the 31-day standard. Vendor error is not a complete defense, but documented due diligence helps.
Your internal DNC list matters just as much. Any consumer who asks to be removed during a call goes on this list right away, and you have 30 days to honor it across every campaign. A shared spreadsheet works for very small teams, but version-control it so you can prove when someone was added.
For more detail on accessing and maintaining the registry, our do not call list guide covers subscription tiers, access types, and how the FTC's scrubbing rules interact with state-level DNC lists.
What call recording software works for a small team?
You have three realistic options at small-team scale.
Start with your existing VoIP or dialer, which almost certainly has a recording feature already. Platforms like Aircall, RingCentral, Dialpad, and JustCall all include call recording in their standard or mid-tier plans. If you're already paying for one of these, look there before buying anything else.
Next is a standalone conversation intelligence tool, Gong and Chorus being the best known. These record, transcribe, and flag keywords automatically. They cost roughly $100 to $200 per user per month depending on contract terms. For a team of two to five reps, the analytics are probably overkill for pure compliance, but if you also want coaching data, the dual use can justify the spend.
Third is a compliance-specific call monitoring platform, such as CallMiner or NICE. These are built for large contact centers and cost accordingly. I'd skip them entirely for a team under 20 reps.
Whatever you pick, confirm two things: where recordings are stored (you want to be able to export them), and the default retention period. Some default to 90 days. TCPA's statute of limitations runs four years from the violation [6], so either the vendor holds recordings for four years or you export and store them yourself.
For state all-party consent rules, the National Conference of State Legislatures maintains a tracker at ncsl.org. At minimum, know whether any state your team dials into requires you to announce that the call is being recorded.
How often should you review calls and what should you look for?
Weekly is the right cadence for a small team. Monthly is the floor. Anything less frequent means a problem can run for weeks before anyone catches it.
A 5 to 10 percent random sample catches systematic issues without burying the reviewer. For a team dialing 200 calls a day, a flat 10 percent is 20 calls daily, which is too many to sustain. Scale by time instead: review a 5 percent sample of calls from a random two-hour window each day rather than a flat percentage of all dials.
What to listen for:
- Did the rep identify themselves and the company at the start of the call? Under 47 C.F.R. § 64.1200(d)(4), callers must state their name and the company name at the beginning of the call [2].
- Did the rep state the phone number or address of the company during or at the end of the call?
- If the consumer asked to be removed, did the rep handle it correctly and log the request immediately?
- Was any prerecorded or AI-generated voice used that wasn't disclosed?
- Did the rep call outside the permitted hours? Federal rules allow calls between 8 a.m. and 9 p.m. in the called party's local time [2].
Log every reviewed call with a timestamp, the rep's name, and a pass/fail for each criterion. Even if 98 percent of calls pass, that log is gold in litigation. The Credit One Bank TCPA case settled for $75 million, driven partly by the volume of calls made to consumers who had revoked consent and the apparent absence of a system to catch it [7]. That case is worth reading if you want a concrete picture of what unchecked volume risk looks like. We cover it in our credit one tcpa settlement article.
How do you document consent so it holds up in court?
Consent documentation is the single weakest point for most small teams. The 2012 FCC order requires prior express written consent that includes: a written agreement signed or e-signed by the consumer; the consumer's telephone number; a clear and conspicuous disclosure that the consumer authorizes receipt of autodialed or prerecorded calls; and a disclosure that the consumer is not required to consent as a condition of buying goods or services [2].
In practice, your web opt-in form needs specific language on it, more than a generic checkbox. The consent language has to name your company, not "marketing partners" or "affiliated companies." Post-January 2025, the one-to-one consent rule means even language that used to be industry-standard for lead gen may no longer qualify [4].
Store consent records with: the timestamp of the opt-in, the IP address, the URL of the page where consent was given, the exact disclosure language shown at the time, and the consumer's phone number as entered. If your form pulls phone numbers from a third-party source, get documentation from that third party showing the same fields.
For purchased leads, get a written attestation from the vendor specifying which company the consumer consented to hear from, the date and URL, and the exact disclosure shown. If the vendor won't provide this, treat those numbers as having no consent on file.
The LeadCompliant consent documentation checklist covers the specific fields you need to store and how to structure your CRM so consent lookups run fast before dialing.
For texts, the consent standard is the same but the verification challenges differ. Our text message marketing guide walks through opt-in confirmation flows and how to handle double opt-in for SMS.
What should a written TCPA compliance policy include for a small team?
Your written policy doesn't need to be 30 pages. A one- to two-page document that answers these questions is enough:
1. Who owns compliance? Name a specific person, not a role. For a small team, this is usually the founder or the sales manager.
2. How do we verify consent before dialing? What CRM field do reps check? What happens if the field is blank?
3. How do we scrub DNC? What tool, how often, who runs it?
4. What are the calling hours? State the federal rule (8 a.m. to 9 p.m. local time) and note any stricter state rules for states in your territory.
5. What is the opt-out procedure? When a consumer says stop, what does the rep say, where do they log it, and who confirms it was added to the suppression list?
6. How do we store recordings? Where, for how long, who can access them?
7. What happens when a violation is found? Describe the escalation path and corrective action process.
Every rep signs this at hire and re-signs when the policy changes. Keep dated copies. The policy's existence and the signatures are direct evidence that your team made a good-faith effort to comply, which matters if you're ever accused of willful violations (the standard for treble damages under 47 U.S.C. § 227(b)(3)).
What TCPA violations do small teams most commonly make on calls?
Based on enforcement patterns and case filings, four errors show up again and again.
Calling numbers on the federal DNC list. The most common one. Usually because scrubbing gets done once at list acquisition and then forgotten, or because a purchased list was never scrubbed at all.
Calling cell phones with an ATDS without written consent. The ATDS definition has been litigated heavily. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the definition to systems that use a random or sequential number generator [8]. Enough uncertainty remains that any predictive dialer or power dialer deserves careful review. If your tool dials numbers from a list automatically without a human initiating each call, get a legal opinion on whether it qualifies as an ATDS under post-Duguid standards.
Calling outside permitted hours. Often a timezone error. If you're in Chicago and your list includes Florida numbers, 8 a.m. Central is 9 a.m. Eastern and fine. But 7:30 a.m. Central is 8:30 a.m. Eastern, also fine. The trouble comes when your dialer isn't timezone-aware and a California number gets called at 7 a.m. Pacific from the East Coast. Build timezone validation into your dialer setup.
Failing to honor opt-outs within 30 days. The internal DNC process breaks down most often right here. A rep logs the request in personal notes and never adds it to the central suppression file. The consumer gets called again two weeks later, calls an attorney, and your team now has a demand letter.
For more on what a cold call triggers under federal rules and when a live-agent call requires consent, that guide covers the boundary cases.
How much does a TCPA violation actually cost a small company?
The statutory range is $500 per negligent violation and up to $1,500 per willful or knowing violation under 47 U.S.C. § 227(b)(3) [1]. Courts have consistently held that each individual call or text is a separate violation, so the math scales with volume.
Here's what that looks like across a few scenarios:
| Scenario | Calls affected | Negligent ($500) | Willful ($1,500) |
|---|---|---|---|
| One month of unconsented autodialer calls | 5,000 | $2,500,000 | $7,500,000 |
| SMS blast to unverified list | 20,000 | $10,000,000 | $30,000,000 |
| DNC calls over 6 months | 500 | $250,000 | $750,000 |
These are statutory maximums, and actual settlements usually land lower, but not always by much. Even cases that settle early for nuisance value typically cost $5,000 to $50,000 in legal fees plus settlement, and insurance often doesn't cover intentional statutory violations.
The real financial risk for a small team isn't one massive class action. It's a serial plaintiff who targets your campaign, sends a demand letter for $5,000 to $20,000, and knows you'll pay to avoid litigation. These cases are common, cheap to file, and aimed squarely at small companies that lack a compliance record to defend themselves with.
For a concrete example of what large-scale non-compliance costs, the cash app tcpa class action settlement article covers the case facts in detail.
How do you handle TCPA compliance when using a third-party lead vendor?
Third-party leads are the highest-risk category for small teams. You didn't collect the consent yourself, and you often can't verify it independently.
The FCC's 2024 one-to-one consent order speaks directly to this. Under the rule, a consumer's consent to receive calls from "marketing partners" does not authorize calls from your company [4]. If the lead vendor's opt-in form did not name your company, the consent doesn't transfer to you. Period.
Before using any purchased or third-party lead list for autodialed calls or texts, get written documentation from the vendor covering: the exact disclosure language shown to the consumer at opt-in, the date and URL, whether your company was specifically named, and the consumer's phone number as entered. If the vendor can't or won't provide this, don't autodial those numbers. You can still call them with a live agent and no ATDS if the call qualifies under the express consent standard, but verify that too.
Scrub every purchased list against the federal DNC registry before dialing regardless of consent, because consent doesn't override DNC registration for telemarketing calls. If a consumer is on the DNC list and hasn't given you written permission specifically authorizing calls, you can't call them for telemarketing purposes.
For a refresher on what qualifies as being on the DNC list and how to check, see how do i get the do not call list for the access process, and mobile phone do not call list for how cell numbers interact with the registry.
LeadCompliant's free number checker lets you run individual numbers against the federal registry to spot-check your list before a campaign.
What records should you keep and for how long?
TCPA's statute of limitations is four years from the date of violation under 28 U.S.C. § 1658 [6]. That's your minimum retention window for anything tied to a call or text.
Here's what to keep and for how long:
Consent records: Four years from the date of the last contact with that consumer. Store the opt-in timestamp, IP address, form URL, and consent language.
Call recordings: Four years. Export from your platform if the vendor's default retention is shorter.
DNC scrub logs: Four years. Keep the date you ran the scrub, which database version you used, and who ran it.
Internal suppression list: Indefinitely. There's no good reason to delete opt-outs, and deleting them creates risk if a consumer later claims you re-contacted them.
Incident logs: Four years from the incident date.
Written policy versions: Keep all versions permanently, with the dates each version was in effect.
Cloud storage is fine. What matters is that files are organized so you can pull everything related to a specific phone number quickly. If you get a demand letter or CFPB complaint, you'll want to produce records within days, not weeks.
Frequently asked questions
Does a small business with only a few sales reps really need a formal TCPA call monitoring program?
Yes. TCPA suits are filed against companies of every size. A serial plaintiff targeting a single campaign of 2,000 unconsented texts can demand $1,000,000 in statutory damages. Small companies are attractive targets precisely because they often lack documentation to defend themselves. A written program with dated audit logs is your best evidence of good faith and directly affects whether a court treats violations as negligent ($500 each) or willful ($1,500 each).
How often do I have to scrub my call list against the federal DNC registry?
The FCC and FTC require that you scrub against the national registry no older than 31 days before making a telemarketing call under 16 C.F.R. § 310.4(b)(3)(iv). If your list was pulled or purchased more than 31 days ago, re-scrub before dialing. Set a calendar reminder or automate it through your dialer. One-time scrubbing at list acquisition does not satisfy this rule.
What phone numbers are covered by TCPA, including cell phones?
TCPA covers calls and texts to any telephone number assigned to a cellular telephone service, plus calls to residential landlines using a prerecorded or artificial voice. Cell phones get the strictest protection: autodialed or prerecorded calls to cell numbers require prior express written consent regardless of whether the number is on the DNC registry. Registry status is a separate issue from the consent requirement for cellular numbers.
What is the one-to-one consent rule and when did it take effect?
The FCC's December 2023 order (FCC 23-107) required that prior express written consent for autodialed calls specifically identify the seller making the call, rather than allowing blanket consent to "marketing partners." The rule took effect January 27, 2025. Consent forms that named broad categories of callers rather than your company by name stopped qualifying for new campaigns after that date. Review your lead vendors' consent language before using those lists.
How long do I have to honor a do-not-call request from a consumer?
Under 47 C.F.R. § 64.1200(d)(3), you must honor an opt-out request within 30 days of receiving it. The consumer's number must be added to your internal suppression list and not dialed again for any telemarketing purpose. This 30-day window is a maximum; best practice is to add the number to your internal DNC list before the call ends or within the same business day.
What calling hours are permitted under TCPA for outbound telemarketing?
Federal rules under 47 C.F.R. § 64.1200(c)(1) prohibit telemarketing calls before 8 a.m. or after 9 p.m. in the called party's local time zone, not your time zone. Several states have tighter windows; Florida, for instance, restricts calls to 8 a.m. to 9 p.m. local time with additional restrictions for cell phones under the Florida Telephone Solicitation Act. Configure your dialer to use the called number's area code time zone, not your team's time zone.
Can I use a predictive dialer or power dialer without TCPA issues after the Facebook v. Duguid ruling?
The Supreme Court's 2021 Facebook v. Duguid decision narrowed the ATDS definition to systems that use a random or sequential number generator to store or produce telephone numbers to be called. A dialer that calls numbers from a fixed list may not qualify as an ATDS under this definition. Lower courts are still working through the implications, and the FCC may issue new guidance. Get a written legal opinion on your specific dialer before assuming it falls outside ATDS classification.
What records do I need to prove consent if I get sued under TCPA?
You need: the timestamp of the opt-in, the IP address of the consumer's device, the URL of the page where consent was given, the exact disclosure language shown at the time of consent, the consumer's phone number as entered, and the name of your company as shown in the consent disclosure. Without all of these, you cannot reliably prove you had valid prior express written consent. Store records for at least four years, the TCPA statute of limitations.
What should I do when a rep gets a complaint from a consumer during a call?
The rep should apologize, confirm the opt-out request verbally, and add the number to the internal suppression list before ending the call or within the same day. Log the incident with the date, rep name, consumer's number, and what the consumer said. Do not delete the original call recording. If the consumer mentions an attorney or a lawsuit, escalate to your compliance owner immediately and consider notifying your general counsel before responding further.
Does TCPA apply to B2B calls to business phone numbers?
TCPA's cell phone and ATDS restrictions apply to the telephone number assigned, not to whether the person is a consumer or a business. If you're calling a person's cell phone for business-to-business purposes, the ATDS and prerecorded call rules still apply and you need prior express written consent. Calls to office landlines using a live agent are generally lower risk, but if a rep is dialing cell numbers from LinkedIn or a B2B database, treat those numbers as requiring full TCPA compliance.
How does a small team handle TCPA compliance when using SMS for outreach?
SMS to cell phones is treated the same as autodialed calls under TCPA: prior express written consent is required. Your opt-in flow needs the specific consent language naming your company. Confirmation texts (double opt-in) are not required by federal law but are strong evidence of consent. Every text campaign needs an opt-out mechanism (STOP instruction), and opt-outs must be honored immediately. Scrub your SMS list against the DNC registry the same way you scrub your call list.
What are the biggest mistakes small teams make with call monitoring programs?
The top mistakes: scrubbing the DNC list only once at list purchase instead of every 31 days; storing consent records in a format where you can't prove the exact language the consumer saw; not recording calls or deleting recordings after 90 days; running an opt-out process that depends on individual reps rather than a centralized suppression list; and using a predictive dialer without a written legal opinion on whether it qualifies as an ATDS. Any one of these creates significant exposure.
What is the statute of limitations for TCPA claims and how does it affect how long I keep records?
TCPA claims are governed by the four-year federal statute of limitations under 28 U.S.C. § 1658. A plaintiff can sue over a call made up to four years ago. Your call recordings, consent records, DNC scrub logs, and incident documentation all need to be retained for at least four years from the date of the call or text. If your VoIP provider deletes recordings after 90 days, export them to your own storage.
Do I need a TCPA compliance attorney or can I handle this internally?
For building initial processes and reviewing your consent forms, you can use published FCC guidance, the statute, and resources like this one without hourly attorney fees. But before launching any high-volume autodialed or SMS campaign, a one-hour review by a TCPA-focused attorney is worth the money. Get a written opinion on whether your dialer qualifies as an ATDS post-Duguid and whether your consent language meets post-January 2025 one-to-one requirements. The cost of one attorney hour is a fraction of any settlement.
Sources
- Cornell Law School LII, 47 U.S.C. § 227, Telephone Consumer Protection Act (statute text): TCPA authorizes recovery of $500 per violation and up to $1,500 for willful violations under 47 U.S.C. § 227(b)(3)
- FCC, 47 C.F.R. § 64.1200, Delivery Restrictions (rules implementing TCPA): FCC rules require prior express written consent for autodialed calls to cell phones, company identification at call start, and 8am-9pm local calling hours
- FTC, Complying with the Telemarketing Sales Rule, Business Guidance: Telemarketers must scrub against the DNC registry no older than 31 days before calling
- FCC, Report and Order FCC 23-107, One-to-One Consent Rule (December 2023): FCC 2023 order required prior express written consent to specifically identify the seller; effective January 27, 2025
- FTC, National Do Not Call Registry for Telemarketers, Fees: First five area codes on the DNC registry are free; each additional area code costs approximately $79/year; full national access costs approximately $18,341/year
- Cornell Law School LII, 28 U.S.C. § 1658, Statute of Limitations for Federal Civil Actions: The default four-year federal statute of limitations applies to TCPA claims
- Cornell Law School LII, 47 U.S.C. § 227(b)(3), Private Right of Action (statutory damages basis for TCPA settlements): Large-volume TCPA settlements, including the Credit One Bank case reported at $75 million, are driven by per-call statutory damages for calls made after consent was revoked
- U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an ATDS must use a random or sequential number generator to store or produce numbers; narrowing the definition
- FTC, Consumer Advice, Phone Scams and Unwanted Calls: TCPA class settlements over automated texts sent without adequate consent have resolved in the multimillion-dollar range
- eCFR, 47 C.F.R. Part 64 Subpart L, FCC TCPA Enforcement Rules: The FCC enforces TCPA for calls to cell phones and residential lines and issues forfeiture orders for violations
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires DNC scrubbing no older than 31 days and governs telemarketing call practices alongside TCPA