Last updated 2026-07-09

TL;DR
The wrong dialer can expose you to TCPA liability of up to $1,500 per call, state mini-TCPA penalties, and FTC Do Not Call violations. Before you buy, verify five things: ATDS status and human-click-to-dial architecture, real-time DNC scrubbing, consent audit trails, call-time enforcement, and state-specific controls. This guide covers every compliance feature worth checking.
Why your choice of dialer software is a compliance decision, more than a tech decision
Most teams treat dialer selection as a features-and-price problem. Pick the one with the best CRM integration, the cheapest per-minute rate, and decent call recording. Compliance gets a checkbox at the end: "does it have a DNC list?" That approach is how companies end up in class-action territory.
The Telephone Consumer Protection Act, 47 U.S.C. § 227, attaches liability to the caller, not the software vendor [1]. Your dialer vendor will not be named in the lawsuit. You will. That changes how you should read every feature on the demo.
TCPA statutory damages are $500 per violation for negligent violations and $1,500 per violation for willful ones [1]. A campaign of 10,000 calls to a bad list is not a $10,000 problem. It is potentially a $15,000,000 problem. Courts have certified TCPA class actions on lists far smaller than that.
Beyond the TCPA, you face the FTC's Telemarketing Sales Rule (TSR), the National Do Not Call Registry, and a growing stack of state laws that in some cases run stricter than the federal rules. Florida's Mini-TCPA (SB 1120, effective July 2021) requires prior express written consent for calls made with an autodialer to Florida numbers, regardless of federal standards [2]. Maryland, Oklahoma, and Washington have passed similar laws. Your dialer has to handle all of it, or you manage the gaps by hand, which most teams never actually do.
Here is the frame that matters. Treat the compliance architecture of a dialer the way you'd treat the safety record of a car. Horsepower matters less than whether the brakes work.
What is an ATDS and why does the dialer's architecture determine your legal exposure?
An ATDS is an automatic telephone dialing system, and the TCPA prohibits using one to call or text cell phones without prior express consent [1]. The definition has been fought over for years. The Supreme Court narrowed it in 2021 in Facebook v. Duguid: an ATDS must use "a random or sequential number generator" to store or produce the numbers it dials [3]. A dialer that calls only from a pre-uploaded list, with a human agent clicking to start each call, is generally not an ATDS under that reading.
Generally. That word is not a guarantee, and the practical risk lives in the architecture.
Predictive dialers place outbound calls automatically before an agent is free, then connect the agent when someone answers. That automates call initiation in a way courts have treated as ATDS-adjacent even after Duguid, especially when the system can generate or select numbers without human input per call [3]. Power dialers usually require an agent to confirm before each call goes out. Preview dialers show the record first, then the agent clicks. Those setups cut the risk. They do not erase it.
When you evaluate a dialer, ask the vendor flat out: "Does the system place outbound calls without a human initiating each individual dial?" Get the answer in writing. Ask to see documentation of how the system handles call pacing. Some vendors sell a "predictive" mode that is effectively ATDS-capable and offer it quietly as an upgrade.
SMS works the same way. If your platform fires texts automatically off triggers, with no human clicking send for each message, you are almost certainly using an ATDS for SMS purposes. See our full breakdown of tcpa sms compliance for how those rules apply to text campaigns specifically.
The FCC has issued multiple orders clarifying ATDS definitions and consent requirements [10]. The 2023 one-to-one consent rule (Report and Order in CG Docket No. 21-402) requires consent for robocalls and robotexts to be obtained on a per-seller basis, not through a general "I agree to be contacted by partners" checkbox [4]. A dialer that cannot track which seller obtained consent for which contact is a liability in that world.
What DNC scrubbing capabilities should a compliant dialer have?
A compliant dialer needs, at minimum, direct integration with the federal DNC registry, automatic internal DNC suppression across all campaigns, and coverage for the state registries you call into. The National Do Not Call Registry is maintained by the FTC [9]. The TSR requires telemarketers to access the registry at least every 31 days and stop calling numbers listed for more than 30 days [5]. That is the floor. Good practice is scrubbing before every campaign, not every month.
Here is what to actually check.
Federal registry access. Does the dialer integrate directly with the FTC's National DNC Registry, or does it lean on you to upload a list by hand? Direct API integration with automatic refresh is better. Manual upload creates gaps.
Internal DNC list management. When someone tells your agent "don't call me again," that number goes on your internal DNC list, and the FTC says the request must be honored within 30 days at most [5]. The dialer needs a one-click or automatic internal DNC add, and it needs to suppress that number across every campaign, not only the one the agent was running.
State DNC lists. Several states run their own registries. Indiana, Tennessee, Wyoming, Texas, and others maintain state lists that sit on top of the federal registry [6]. A dialer with federal-only scrubbing misses these. Ask vendors point blank whether their scrubbing covers state-level registries for the states you dial.
Real-time vs. batch scrubbing. Batch scrubbing runs before a campaign launches. Real-time scrubbing checks each number at the moment of dialing. Real-time is meaningfully safer, because a number can land on a DNC list after your batch scrub ran but before your campaign ends.
| Scrubbing Method | When It Runs | Risk Level |
|---|---|---|
| Manual upload (you manage) | Before campaign, manually | High |
| Batch integration | At campaign start, auto | Medium |
| Real-time per-dial | At moment of each call | Low |
| Real-time + state lists | At dial, all jurisdictions | Lowest |
A dialer that only offers manual DNC uploads is a liability for any team running more than a few hundred calls a week. The operational burden alone will produce gaps.
How should a dialer handle consent records and audit trails?
Prior express written consent is the standard under the TCPA for autodialed or prerecorded calls to cell phones and for most SMS marketing [1]. "Written" includes electronic records. The FCC's 2023 one-to-one consent rule tightened this further: consent has to be specific to the seller making contact, not bundled with broad marketing consent handed to a lead aggregator [4].
So your dialer, or the systems feeding it, need to store at minimum:
- The source of the consent (which opt-in form, which campaign, which landing page)
- The timestamp of the consent
- The IP address or other identifier tying the consent to a specific person
- The exact language the consumer agreed to
- Evidence the number being called matches the number that consented
Most dialers do not store this natively. They store contact records and call logs. Consent records usually live in your CRM or a separate consent management platform. The real question is whether the dialer integrates with your consent data so that, before a call goes out, it can confirm consent exists for that specific number.
Some enterprise-tier dialers (Five9, NICE inContact, Genesys) build consent-check fields that block a call if the consent flag is empty [7]. Smaller SMB-oriented dialers often do not. That is not disqualifying, but it means you need a clean process to guarantee records pushed to the dialer already carry verified consent.
With an active enough outbound program, the question is not whether someone files a demand letter but when. The first thing opposing counsel asks for is your consent documentation. If you cannot produce it per number, you negotiate from a very weak spot. A dialer that cannot export a consent audit log is a problem.
For SMS-specific consent architecture, including double opt-in flows that create stronger audit trails, see our guide on sms double opt in and how to structure your sms opt in form.
What call-time restrictions does compliant dialer software need to enforce?
The dialer has to block calls outside 8 a.m. to 9 p.m. local time at the called party's location, and it has to figure out that local time from the destination number, not your office clock. That is the TSR rule, and it applies at the recipient's location [5]. A team in California calling East Coast numbers at 7:00 p.m. local time is dialing at 10:00 p.m. Eastern. That call is illegal.
A compliant dialer time-zone-corrects automatically using the destination number's area code and NPA-NXX data. "Should" is doing real work there. Many dialers offer this as an optional setting or make you configure it per campaign. Ask vendors how time-zone enforcement works by default, then test it yourself.
State laws add complexity. Some states run tighter windows. Florida's statutes restrict certain call categories. California's rules under the CCPA and state consumer protection laws create extra timing and disclosure obligations [8]. A dialer set only to the federal window can still generate state-level violations.
One more thing to check. Can you set calling windows per campaign, or only account-wide? If you run multiple campaigns hitting different states, you need per-campaign time controls, not a single global switch. Dialers that only offer account-level windows are less flexible and create risk the moment your campaigns target different geographies.
Does the dialer support abandoned call rate compliance under the TSR?
The dialer needs per-campaign, per-day abandoned call reporting, a hard cap that throttles dialing near the three percent limit, and an automatic recorded disclosure when a call does get abandoned. The FTC's TSR defines an abandoned call as one where the dialer reaches a live person but fails to connect a live agent within two seconds of the greeting [5]. The TSR caps the abandoned call rate at three percent of all calls answered by a live person, measured per campaign, per day [5].
This is where predictive dialers create real exposure. A predictive dialer speeds up outbound calling by dialing several numbers at once, betting some go unanswered. When more people answer than expected, calls get abandoned because no agent is free. Cross three percent on any single day and you have violated the TSR. Full stop.
A compliant dialer should:
- Report real-time and per-day abandoned call rates, broken out per campaign
- Let you set hard caps that throttle dialing as you approach the three percent threshold
- Log abandoned call events with timestamps so you can prove compliance if audited
- Play a recorded disclosure message when a call is abandoned, identifying the seller and giving an opt-out (the TSR requires this) [5]
Ask any vendor to show you the abandoned call rate dashboard before you sign. If the metric is not built in and visible, that is a red flag. FTC enforcement actions have cited inadequate abandoned call disclosures directly [5].
This is also where smaller predictive dialers sold to SMBs cut corners. The three percent rule lives at the campaign level, not the account level. If a vendor's reporting only shows account-wide aggregates, you cannot actually verify compliance.
What recording, disclosure, and call-monitoring features matter for compliance?
Call recording is both a compliance tool and a compliance risk. It is a tool because recordings are your best evidence of what got said: consent given verbally, agent disclosures made, a consumer's DNC request logged. It is a risk because recording calls in two-party consent states without telling everyone on the line creates separate liability.
Federal law (the Electronic Communications Privacy Act) allows one-party consent recording. California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, and Washington all require all-party consent [8]. If your dialer records automatically without playing a disclosure, you have a problem in any of those states.
A compliant dialer lets you configure an automatic disclosure message at the start of calls, either by the called party's state or across the board. Something plain: "This call may be recorded for quality and compliance purposes." That is more than good practice. It is legally required in a dozen states.
Beyond recording, look for:
Script compliance controls. Some dialers let you build required disclosure scripts into the agent interface and flag or block call completion until the agent confirms the disclosures were made. Genuinely useful for TCPA consent language, state-specific disclosures, and the TSR's seller-identification requirement.
Whisper and barge-in for supervisor monitoring. Live monitoring catches compliance problems before they turn into patterns. Less about surveillance, more about training agents on compliant call behavior.
Call recording retention. How long does the vendor keep recordings? If you need to produce one in litigation two years out, does it still exist? Ask about retention periods and data export options before you commit.
How should a dialer handle litigator lists and known TCPA plaintiffs?
A smaller but real risk: some people file TCPA lawsuits for a living. They register phone numbers, wait for an unsolicited call, and sue. The polite term is "serial TCPA litigants." The blunt one is professional plaintiffs.
Several third-party services maintain "litigator lists" compiled from public court records. The SAN (Suppression Assurance for Non-solicitation) list and similar products let you scrub your dialing lists against known litigants before you call. This is not a legal requirement under the TCPA. It is common risk-mitigation among compliance-aware teams.
A dialer that integrates with third-party litigator suppression databases adds a real layer of protection. If it does not offer this natively, check whether it supports custom suppression list uploads you can populate from a third-party source.
Nobody has clean data on what share of TCPA suits come from serial litigants versus genuinely aggrieved consumers. The closest analyses find a small pool of repeat plaintiffs driving a disproportionate share of individual TCPA cases, especially in districts with heavy TCPA dockets like those in the Ninth and Eleventh Circuits. Litigator list scrubbing is cheap insurance.
What should you check about a dialer vendor's own compliance posture and data practices?
Your dialer vendor holds your contact data, call recordings, and consent records. That creates its own obligations, separate from the TCPA.
Data processing agreements. If you call into the EU or touch European leads at all, you need a Data Processing Agreement (DPA) with your dialer vendor under GDPR. For California leads, the CCPA/CPRA requires similar contractual protections [8]. Ask for the vendor's standard DPA before you sign anything.
SOC 2 compliance. A SOC 2 Type II report shows an independent auditor verified the vendor's security and data-handling controls over time, not at a single snapshot. For a dialer holding call recordings and contact data, SOC 2 Type II is a reasonable minimum bar.
Subprocessor transparency. Who does the vendor share data with? Carriers, analytics providers, cloud storage? A vendor with opaque subprocessor relationships can create downstream problems you never see coming.
Contractual indemnification. What does the contract say about liability if the software causes a TCPA violation? Almost every dialer vendor disclaims all liability and pushes the obligation onto you to use the software compliantly. That is standard. You will not negotiate it away. But read it so you are not surprised later.
For teams running SMS alongside calls, the vendor's data practices around text records matter too. See our overview of tcpa sms compliance for the specific records you need to keep for SMS campaigns.
LeadCompliant's free compliance kit includes a vendor evaluation checklist you can hand straight to a dialer's sales team, then use their answers to score the platform before you commit.
Which dialer features are nice-to-have versus genuinely required for compliance?
Not every feature with a "compliance" label carries equal weight. Here is an honest ranking based on actual legal exposure, not marketing copy.
Non-negotiable:
- Federal DNC registry integration with automatic refresh (TSR requirement)
- Internal DNC list management with cross-campaign suppression (TSR requirement)
- Time-zone-aware call window enforcement (TSR / TCPA requirement)
- Abandoned call rate tracking per campaign per day, with a disclosure message on abandon (TSR requirement)
- Call recording with configurable all-party consent disclosure (state law requirement)
- ATDS-free architecture documentation (TCPA risk management)
Strongly recommended:
- State DNC registry scrubbing for the states you call into
- Consent audit log export
- Litigator/plaintiff list integration
- Per-campaign time window controls
- SOC 2 Type II certification
Nice-to-have, not make-or-break:
- AI-driven compliance monitoring
- Built-in script compliance checklists (useful, but a paper checklist works too)
- Real-time carrier spam-flag feedback (valuable for deliverability; less directly a TCPA concern)
The vendors that market "AI compliance" hardest are often the ones with the weakest fundamentals. An AI overlay on top of broken DNC scrubbing is still broken DNC scrubbing. Get the fundamentals right first.
How do state mini-TCPA laws change what you need from a dialer?
State mini-TCPA laws mean your dialer has to apply different consent and calling rules by the called party's state, segment lists by state, and record which state a consumer was in when they consented. The federal TCPA is the floor. A growing set of states have passed their own telephone solicitation laws that run stricter in various ways.
Florida's Telephone Solicitation Act (FTSA, SB 1120) took effect July 1, 2021. It requires prior express written consent for any autodialed call or text to Florida numbers, covers both cells and landlines for automated calls, and gives consumers a private right of action with $500 per call damages, matching the federal TCPA [2]. Florida saw a wave of FTSA class actions in 2022 and 2023.
Oklahoma, Maryland, and Washington have enacted laws with similar structures. Georgia, Texas, and others have legislation pending as of 2024-2025. The patchwork is real and growing [6].
What this means for dialer selection:
- You need a dialer that applies different consent and calling-window rules by the called party's state
- Call lists should be segmentable by state so you can apply stricter suppression to Florida or Maryland numbers
- Consent records need to capture which state the consumer was in when they consented, because some state laws require consent obtained within that state
If your dialer only supports one rule set account-wide, you are stuck: apply the strictest rules everywhere (safe but limiting) or manage state-based lists by hand outside the dialer (error-prone). A dialer with state-level campaign controls is materially better for multi-state outbound teams.
For ongoing updates on state law changes affecting your dialer configuration, tcpa news today and lead generation compliance news are worth bookmarking.
What questions should you actually ask a dialer vendor's sales team before buying?
Sales demos steer toward conversion rates and CRM integrations. Drag the conversation back to compliance with these questions:
1. "Walk me through exactly how your DNC scrubbing works. Federal only, or do you cover state registries? How often does it refresh, and can I configure real-time per-dial scrubbing?"
2. "Does your architecture require a human to initiate each individual call, or can the system place calls automatically? Show me the technical documentation."
3. "How do I add a number to my internal DNC list mid-call? How long until it propagates across all campaigns?"
4. "Where do you report abandoned call rates? Can I see per-campaign, per-day data? What happens when I approach three percent?"
5. "Do you integrate with any litigator suppression lists?"
6. "Can I configure state-by-state calling windows and consent requirements?"
7. "What is your SOC 2 status? Can I get your DPA before signing?"
8. "What happens to my data if I cancel? How do I export call recordings and consent records?"
A vendor who deflects, goes vague, or treats these as odd questions is telling you something. Good compliance-oriented vendors have answers ready, because their serious buyers always ask.
If you are also evaluating platforms for SMS outbound, the same framework holds. Our guide to selecting a marketing text message service and text message marketing software covers the SMS-specific compliance features to demand.
For the full statutory framework under all of this, our tcpa overview covers 47 U.S.C. § 227 in plain language, and the LeadCompliant compliance kit includes a printable vendor scorecard for exactly this evaluation.
Frequently asked questions
Can I use a predictive dialer legally under the TCPA?
Yes, but with real caveats. After Facebook v. Duguid (2021), a predictive dialer that calls only from a pre-loaded list may not meet the ATDS definition. But predictive dialers that generate or select numbers automatically still carry ATDS risk. You also have to hold your abandoned call rate under three percent per campaign per day under the TSR, which predictive dialing makes harder. Many compliance attorneys recommend power or preview dialers for consumer cell phone campaigns.
What is the abandoned call rate limit and who enforces it?
The FTC's Telemarketing Sales Rule caps abandoned calls at three percent of all live-answered calls, measured per campaign per day. An abandoned call is one where no live agent connects within two seconds of the consumer's greeting. The FTC enforces this, not the FCC. When a call is abandoned, you must play a recorded message identifying the seller and giving an opt-out. Violations can carry civil penalties.
Do I need separate consent records for calls and texts?
Yes. The TCPA treats autodialed calls to cell phones and text messages similarly for consent, but they are technically separate acts. The FCC's 2023 one-to-one consent rule requires consent specific to each seller. In practice, a well-documented opt-in covering both calls and texts from your company is fine, but you need records showing the consumer agreed to both, and the consent language must be clear about exactly what they agreed to.
What states have their own Do Not Call registries I need to scrub against?
Several states maintain supplemental DNC registries beyond the federal list. Indiana, Tennessee, Wyoming, Texas, Colorado, Missouri, Louisiana, and others have state-level lists. Requirements vary: some require separate registration fees and scrubbing, others are less strictly enforced. If you call into multiple states, check each state's attorney general website for current DNC requirements. A compliance attorney or a scrubbing service that covers state lists is worth the cost.
How long do I need to keep call recordings for TCPA compliance?
The TCPA does not specify a recording retention period, but the practical answer is at least four years, matching the federal statute of limitations for TCPA claims. Some counsel recommend five years to be safe. For consent records, retain them as long as you use the consent plus the limitations period. A dialer that auto-deletes recordings after 90 days creates a real problem if a demand letter arrives 18 months later.
What is the FCC's one-to-one consent rule and when did it take effect?
The FCC issued its one-to-one consent rule in a December 2023 Report and Order (CG Docket No. 21-402). It requires consent for robocalls and robotexts to identify a specific seller and be obtained directly from the consumer for that seller, not bundled into broad lead-generation forms covering multiple companies. The rule was set to take effect in January 2025 but faced legal challenges that affected its timeline. Check current FCC guidance for the latest status.
Does Florida's mini-TCPA apply to B2B calls and texts?
Florida's Telephone Solicitation Act (FTSA) covers calls and texts to Florida phone numbers broadly, and its text has been read to reach business numbers in some cases, not only consumers. The FTSA's B2B scope has been contested in litigation. B2B callers targeting Florida numbers should get specific legal guidance rather than assume a B2B exemption applies. The private right of action and $500 per call damages make Florida a high-risk jurisdiction either way.
What is a litigator list and should my dialer use one?
A litigator list is a compiled database of phone numbers tied to people who have filed TCPA lawsuits, drawn from public court records. Scrubbing your call list against known TCPA plaintiffs before dialing is not legally required, but it is a widely used risk-reduction practice. Some dialers integrate with third-party litigator suppression services. If yours does not, you can obtain a list from providers like SAN (Suppression Assurance for Non-solicitation) and upload it as a custom suppression list.
Can a dialer vendor be held liable for TCPA violations caused by its software?
Generally no. Courts have consistently held that the entity making the call is the liable party under the TCPA, not the software provider. Dialer contracts typically include broad liability disclaimers and place all compliance obligations on the customer. You may have a breach-of-contract claim if a vendor explicitly promised a compliance feature that failed, but TCPA statutory damages flow to you as the caller. Vendor insurance does not cover your TCPA exposure.
What is the difference between a power dialer and a predictive dialer for compliance purposes?
A power dialer places one call per available agent, usually waiting until the agent is ready before dialing the next number. That keeps the agent in control of each call and eliminates the abandoned call problem. A predictive dialer dials multiple numbers at once before agents are free, predicting availability. Predictive dialers hit higher volume but create abandoned call exposure under the TSR and potential ATDS risk under the TCPA. For consumer cell phone campaigns, power dialers are the safer choice.
How do I verify that a dialer enforces calling time windows correctly across time zones?
Ask the vendor to demonstrate time-zone enforcement in the demo using a test number in a different time zone than your office. Check whether enforcement uses NPA-NXX data (area code and exchange) rather than area code alone, which is more precise. Confirm what happens when a number's location is ambiguous. Then test it yourself before going live: schedule a call outside the permitted window and verify the system blocks it.
What records do I need to produce if I receive a TCPA demand letter?
Opposing counsel typically demands: the consent record for the specific number called (timestamp, IP address, opt-in language, source), your DNC scrub logs showing the number was checked before calling, call recordings, the agent who made the call and their training records, your internal DNC list showing the number was not on it, and your campaign settings at the time of the call. A dialer that cannot export all of this puts you in a weak negotiating position no matter how clean your actual practices were.
Are there dialer compliance requirements specific to real estate outbound calling?
Real estate agents and brokerages face the same TCPA and TSR requirements as any other telemarketer calling cell phones. There is no real estate exemption from the National DNC Registry or from ATDS restrictions. Some states additionally regulate real estate solicitation specifically. Florida's FTSA has been applied to real estate text campaigns. Prior express written consent is the safest approach for any autodialed real estate outreach to cell phones.
Sources
- U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA statutory damages are $500 per violation, trebled to $1,500 for willful violations; liability attaches to the caller
- Florida Legislature, SB 1120 (Florida Telephone Solicitation Act, effective July 1, 2021): Florida's mini-TCPA requires prior express written consent for autodialed calls and texts to Florida numbers and provides a private right of action with $500 per call damages
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held that an ATDS must use a random or sequential number generator to store or produce numbers, narrowing the definition
- FCC, Report and Order in CG Docket No. 21-402 (One-to-One Consent Rule, December 2023): The FCC's 2023 one-to-one consent rule requires that consent for robocalls and robotexts be obtained on a per-seller basis, not through bundled marketing consent forms
- FTC, Telemarketing Sales Rule (TSR), 16 C.F.R. Part 310: TSR requires DNC scrubbing at least every 31 days, limits abandoned calls to 3% per campaign per day, restricts calls to 8am-9pm local time, and requires internal DNC honored within 30 days
- National Conference of State Legislatures, State Telemarketing Laws: Multiple states including Indiana, Tennessee, Wyoming, Texas, and others maintain state-level DNC registries supplementing the federal list; state mini-TCPA laws have been enacted in Florida, Oklahoma, Maryland, and Washington
- FTC, Complying with the Telemarketing Sales Rule, Business Guidance: Consent verification and call-blocking controls support TSR and TCPA compliance; prior express written consent is required for autodialed calls and texts to cell phones
- California Attorney General, California Consumer Privacy Act (CCPA/CPRA) Overview: California requires all-party consent for call recording and imposes data processing obligations on vendors handling California consumer data
- FTC, National Do Not Call Registry: The FTC maintains the National DNC Registry; telemarketers must access it at least every 31 days and honor registrations more than 30 days old