Last updated 2026-07-10

TL;DR
A compliant dialer enforces prior express written consent before it dials, scrubs numbers against the National Do Not Call Registry and your internal DNC list, holds calls to the 8 a.m. to 9 p.m. local window, flags cell numbers, and logs everything for discovery. No dialer erases TCPA risk by itself. The right configuration closes the mechanical gaps that produce most five- and six-figure settlements.
What does the TCPA actually require of outbound callers?
Three things: consent, timing, and identification. Get those right and you've handled most of the law that trips up small teams.
The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, was signed in 1991. It has been the legal spine of outbound call and text regulation ever since. The FCC writes the rules under it, and those rules have gotten tighter over the past decade. [1]
On consent: if you use an automatic telephone dialing system (ATDS) or a prerecorded voice to call a cell phone, you need prior express written consent from that specific consumer. [2] The FCC's 2012 order raised the bar from "prior express consent" to "prior express written consent" for telemarketing calls, effective October 2013. [12] That means a signed agreement, an online checkbox, or a recorded verbal opt-in that clearly discloses who's calling and the fact that the consumer may get autodialed or prerecorded calls. A lead form that just grabs a phone number does not clear this bar.
On timing: calls and texts to residential lines and cell phones cannot happen before 8 a.m. or after 9 p.m. in the recipient's local time zone. [3] Sounds simple. It causes constant problems because teams schedule in the sender's time zone instead of the recipient's.
On identification: every autodialed or prerecorded call has to state the caller's name, the entity the call is made for, and a phone number or address where the called party can reach the caller. [2]
Violations run $500 per call, trebled to $1,500 for willful violations. There is no damages cap per plaintiff. Class actions are common. The UnitedHealthcare $2.5 million settlement and the Credit One settlement show what happens when these rules get ignored at scale.
What is an ATDS and why does the definition matter for dialers?
The ATDS question is the most litigated issue in TCPA history. The statute defines an ATDS as "equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers." [2]
The Supreme Court read that narrowly in Facebook, Inc. v. Duguid (2021). An ATDS has to use a random or sequential number generator to store or produce numbers, not merely dial from a stored list. [4] That ruling shrank the definition. A predictive dialer working off a static uploaded list, with no randomization engine, may not be an ATDS under that reading.
Don't treat Duguid as permission to skip consent. Many states run their own mini-TCPA laws with broader definitions. Some courts still read Duguid in ways that help plaintiffs. And the FCC keeps issuing orders that extend TCPA obligations to technologies sitting outside the statutory ATDS definition. [9] The safe operating assumption is that your dialer is regulated, even while its exact status gets argued.
For day-to-day compliance, the ATDS label barely matters. What matters is whether you have consent, clean DNC hygiene, and accurate time-zone controls. Those practices protect you no matter how the definition shakes out in the next round of litigation.
How do dialers enforce prior express written consent before a call goes out?
Consent gating is the mechanism. The system refuses to dial a number unless a valid consent record is attached to that contact. No record, no call. That single rule turns a calling tool into a compliance tool.
Here's how it runs in practice. A lead comes in through a web form. The consent record (timestamp, source URL, exact disclosure language, IP address, sometimes a session ID) gets written to the CRM or the dialer's own database. The dialer checks for that record before it places the call. The agent can see why a number was blocked and take manual action if needed.
A few setup details carry real weight.
Consent has to be specific to your company. The FCC's December 2023 one-to-one order requires that consent obtained through comparison shopping sites or lead aggregators name each company individually. [5] The old single checkbox consenting to contact from "our partners" no longer holds. That rule has faced legal challenges and shifting implementation dates, but the direction is settled and you should be fixing your lead intake now.
Consent records need a retention policy. Plaintiffs' attorneys request them in discovery as a matter of routine. If you can't produce the exact record from two or three years back, you effectively have no consent in a courtroom. Most TCPA attorneys recommend keeping consent records at least four years, matching the four-year federal statute of limitations under 28 U.S.C. § 1658. [11]
Revocation matters just as much. When a consumer says "stop calling me," that revocation has to be recorded and honored right away. The FCC's 2024 revocation rules confirmed that consumers can revoke through any reasonable means, including telling an agent out loud. [5] A compliant dialer captures the revocation, flags the number, and blocks future calls without making the consumer do anything else.
How does DNC scrubbing work inside a dialer?
The National Do Not Call Registry, run by the FTC, holds residential phone numbers whose owners opted out of unsolicited telemarketing. [6] Federal rules require telemarketers to scrub calling lists against the registry at least every 31 days. You pay to access the data and register with the FTC's subscription system.
Compliant dialers automate this. You upload your list. Before calls go out, the dialer checks every number against the current registry data. Matches get suppressed. A list of thousands scrubs in seconds.
The national registry is only one layer. You also need three more.
An internal DNC list. Any consumer who asks not to be called goes on your company-specific list immediately. This duty exists on its own, separate from the national registry. A company that scrubs the federal list but ignores its internal list is still breaking the rules.
State DNC lists. Several states, including Indiana, Wyoming, Texas, and Louisiana, run their own registries with separate registration and scrubbing rules. A dialer that only handles federal scrubbing leaves you exposed in those states.
Litigator lists. Not a legal requirement, but many compliance teams buy third-party lists of numbers tied to known TCPA plaintiffs and their attorneys. It's cheap insurance. Nobody has rigorous data on how often it stops a suit, but scrubbing costs almost nothing next to a settlement like the Albertsons/Safeway case.
Data freshness is the operational question that actually bites. If your dialer pulls a local copy of the registry once a month, a number added on day two of the cycle stays exposed for nearly 30 days. Better systems pull updates more often or query the registry in real time.
How do dialers handle calling-hour restrictions by time zone?
The 8 a.m. to 9 p.m. rule follows the called party's local time zone, not yours. [3] An Eastern-time call center dialing California numbers at 7:45 a.m. Eastern is reaching those Californians at 4:45 a.m. Pacific. That's a violation, and the statutory damages meter starts running on the first call.
Good dialers solve this with automatic time-zone detection. The system reads the area code and, ideally, the NPA-NXX prefix of each number to guess the likely time zone, then applies the local window before queuing the call. Numbers in ambiguous zones, like states that straddle two time zones, get the more conservative treatment.
Area codes stopped reliably indicating geography once number portability went mainstream. A 212 number could belong to someone living in Nevada. The most accurate systems enrich phone numbers with verified address data and set time zones from the address instead of the area code. That adds cost. For high-volume operations it cuts risk a lot.
Time-zone logic should also handle holidays and weekends if your patterns shift on those days. State laws pile restrictions on top of the federal floor. California's consumer protection rules and the CCPA framework add layers that a purely federal-focused dialer may miss. [7]
What call recording and audit-trail features matter for TCPA defense?
When a TCPA suit lands, your attorney needs documentation first. Who called, when, how often, with what dialing technology, under what consent, and what happened when the called party asked to stop. A dialer that can't produce that record cleanly is a liability.
At minimum, a compliant dialer logs the outbound number, the called number, the date and time of each call (in local time), the call duration, the agent who placed it, the disposition, any do-not-call requests captured during the call, and a link to the consent record that authorized it.
Call recordings tied to specific call logs earn their keep two ways. They document that your identification disclosures happened correctly. And they capture verbal DNC requests an agent might otherwise forget to enter.
Retention varies by company policy and state law. Four years is a defensible baseline given the federal limitations period. Some companies keep recordings two years because of storage cost, then hold the metadata longer. Ask your attorney what fits your call volume.
Here's the practical trap: many small teams run a dialer, a CRM, and a separate consent database that don't talk to each other. The audit trail lives in pieces across three platforms. Assembling it under litigation pressure is slow and expensive. Tighter integration means a lower litigation burden. Simple as that.
Do dialers actually prevent robocall violations or just reduce them?
Reduce. That's the honest answer. A dialer is a tool, not a lawyer. It enforces the rules you configure. If your consent capture is broken upstream, the dialer will happily call people who never consented. If your DNC scrubbing runs on a 45-day cycle instead of 31, the dialer obeys the cycle you set.
The biggest gap in most small-team setups isn't the technology. It's the consent intake process. The Truist Bank settlement and the Cash App class action both turned on consent and notification failures that no dialer feature could have fixed.
Still, a properly configured dialer wipes out entire categories of mechanical error. Agents calling outside allowed hours. Lists going out without a scrub. Campaigns launching with no consent check. Those are the most common violations at small teams because they're operational mistakes, not intentional wrongdoing. Mechanical enforcement catches mechanical errors.
What's left after a compliant dialer is the gray-area risk. Ambiguous consent language. The ATDS definition shifting again. A new state law. A consumer who swears they never consented even though your records say otherwise. Those need legal counsel, not software settings.
For a starting point on the non-software side, LeadCompliant's free compliance kit includes a consent disclosure template and a DNC policy checklist mapped to current FCC requirements. That documentation is what belongs behind the dialer, not instead of it.
What should you look for when choosing a TCPA-compliant dialer?
There is no FCC-certified "TCPA-compliant dialer" stamp. Every vendor marketing compliance features answers for their own claims, but the legal compliance stays on you. Here's a practical way to evaluate one.
| Feature | What to ask the vendor |
|---|---|
| Consent gating | Does the system block outbound calls with no attached consent record? Can we set this as a hard block vs. a warning? |
| DNC scrubbing | How often is federal registry data refreshed? Do you handle state DNC lists? Is scrubbing automatic or manual? |
| Time-zone control | Is time-zone detection based on area code or address-level data? How are edge cases handled? |
| Call logging and audit trail | What fields are logged per call? How long is data retained? Can we export records in a litigation-usable format? |
| Consent record storage | Can consent records live in the dialer, or must we integrate a CRM? Who controls the data? |
| Revocation handling | When an agent marks a call as a DNC request, how fast is that reflected system-wide? Is there a grace period? |
| ATDS architecture | Can you document whether the system uses a random or sequential number generator? |
Price ranges widely. Enterprise CCaaS platforms (Five9, NICE, Genesys) start around $100 to $200 per seat per month and need implementation work. Mid-market options (JustCall, Kixie, Aircall) run $30 to $100 per seat per month with lighter compliance tooling out of the box. Lightweight power dialers pitched at sales teams often skip the consent gating and DNC integration you need for real TCPA exposure.
Here's the blunt advice. If you're running more than a few hundred outbound calls a week to consumer numbers, the cheapest compliant dialer is not the cheapest option you can find. One settlement at $500 per violation covers years of the price gap between a cheap system and a well-configured one.
For the program-level picture, read the TCPA guidelines overview and the TCPA 2025 update alongside your vendor calls.
How do text message campaigns fit into dialer compliance tools?
SMS and MMS sent through an autodialer or automated platform fall under the TCPA on the same consent and identification framework as voice calls. [2] The compliance mechanisms inside text platforms mirror the voice side: consent gating, DNC scrubbing, time-of-day controls, and opt-out handling.
Opt-out mechanics carry extra weight in SMS. Industry practice, and in some cases carrier platform rules under the CTIA messaging guidelines, requires every text campaign to include an opt-out instruction like "Reply STOP to unsubscribe," and requires STOP replies to be honored immediately and confirmed. [8] A system that keeps texting after a STOP reply is a lawsuit waiting to file itself.
For teams running both voice and text, the clean setup uses a single DNC database that both systems check. A consumer who texts STOP should drop out of voice outreach too, and vice versa, unless the consent was separately scoped. That's a judgment call with some legal nuance, and the safer default is unified suppression.
More on the text side is in the text message marketing and text messaging marketing articles. The TCPA existing business relationship piece is relevant here too, because the EBR exemption is narrower than many teams assume and applies differently to text versus voice.
What are the real compliance gaps that lead to TCPA settlements?
Look at public settlement records and FCC enforcement actions and the same patterns keep showing up. Five of them.
Most common: calling numbers on the DNC list because scrubbing wasn't automated or wasn't happening at all. The easiest gap to close. The most embarrassing to explain in litigation.
Second: calling cell phones under invalid or expired consent. That includes consent from a lead aggregator using a catch-all disclosure, consent that was never documented, and consent given to a different company than the one placing the call.
Third: calling outside permitted hours because of time-zone errors. This shows up in early-morning campaigns hitting Eastern-time contacts from a Western-time office.
Fourth: failing to honor opt-out requests. The consumer told an agent to stop. The agent never entered it. Calls kept coming. Statutory damages on repeat calls after an opt-out add up fast.
Fifth, and less obvious: weak identification disclosures on prerecorded messages. A message that doesn't clearly state the company name and a callback number breaks the identification requirement on its own, separate from any consent issue.
None of these need sophisticated litigation to expose. One consumer with a call log, a screenshot of a STOP reply, or a recording of an unidentified prerecorded message can start a claim. Class certification makes it worse. The Kaiser TCPA settlement shows how institutional scale multiplies these failures into eight-figure exposure.
To stay current on enforcement trends, the TCPA news feed and telemarketing rules news are the most practical ongoing resources.
Does the TCPA B2B exemption reduce what your dialer needs to do?
Barely, and only if you're careful. Calls to business lines (not cell phones used mostly for personal reasons) have historically been treated differently under the TCPA. The prior express written consent requirement applies most clearly to residential lines and cell phones. A call to a business landline for a non-telemarketing purpose sits in a different legal space. [10]
The exemption is narrower than most B2B teams assume. Three limits matter.
Cell phones do not get B2B treatment just because the owner runs a business. Calling a prospect's cell phone, even for a clearly B2B purpose, can trigger the TCPA consent requirements. Many courts hold that a cell phone's residential or personal nature turns on how the owner uses it, not who owns it.
The DNC rules still apply to business calls, including the national registry.
Some states, notably Florida under the FTSA, apply ATDS-like restrictions to business calls that the federal TCPA does not.
For teams calling business cell phones, the TCPA B2B exemption article breaks down where the exemption holds and where it fails. The practical upshot for dialer setup: do not switch off consent gating just because your list is labeled "business contacts." The cell phone question is too live to gamble on.
This is not legal advice. If you're building a high-volume B2B outbound program that dials cell phones, get a TCPA attorney to review your consent and scrubbing setup before you scale.
Frequently asked questions
What is the minimum TCPA compliance setup for a small outbound team?
At minimum: written consent records for every cell number you call with an autodialer, DNC scrubbing against the federal registry updated at least every 31 days, an internal DNC list that captures opt-outs within one business day, and time-zone controls that block calls before 8 a.m. or after 9 p.m. local time. Those four controls address the most common causes of small-team TCPA liability.
Can a dialer legally make calls without prior express written consent?
For autodialed or prerecorded telemarketing calls to cell phones, no. Prior express written consent is required under 47 U.S.C. § 227 and the FCC's 2012 rules. For purely informational calls to existing customers on their cell phones, prior express consent (not necessarily written) may be enough. For telemarketing to residential landlines, written consent is now required too. Manual calls to business lines carry more flexibility.
How often does a dialer need to scrub against the National DNC Registry?
Federal rules require scrubbing at least every 31 days. Calling a number that's been on the registry more than 31 days without a fresh scrub is a violation. Most compliant dialers automate this on a rolling schedule. Some pull updated registry data weekly or in real time to shrink the window between a number being added and your list reflecting the suppression.
Does a dialer need to record calls to be TCPA compliant?
Recording is not a TCPA legal requirement, but it's a strong practical defense. If a consumer claims they never got a disclosure or that they asked for the DNC list, a recording is your best evidence. Most litigation-experienced compliance teams keep recordings at least two years and keep call metadata for four years to cover the federal statute of limitations.
What happens if your dialer calls a number after a consumer opts out?
Each call after a valid opt-out is a separate TCPA violation carrying $500 in statutory damages, trebled to $1,500 if a court finds it willful. The FCC's 2024 rules require oral revocation requests to be honored without any extra confirmation from the consumer. Five calls after a verbal opt-out can hit $2,500 to $7,500 in exposure per affected number.
What's the difference between an ATDS and a predictive dialer under TCPA?
After Facebook v. Duguid (2021), an ATDS must use a random or sequential number generator to store or produce numbers. A predictive dialer working from a pre-loaded list without randomization may fall outside the statutory ATDS definition. But many states use broader definitions, and the FCC can extend TCPA obligations beyond the ATDS framework. The safe approach is to treat any automated outbound system as regulated.
Can I use a ringless voicemail dialer without TCPA consent?
This is contested. The FCC has indicated that ringless voicemails deposited directly into a voicemail system count as calls under the TCPA and so require prior express written consent for telemarketing. The legal status has been argued in multiple proceedings and cases, but the agency's direction points toward treating RVMs as covered calls. Using them without consent is a material risk.
Do outbound text message campaigns need the same dialer compliance as voice calls?
Yes. The TCPA treats autodialed texts the same as autodialed voice calls, requiring prior express written consent for telemarketing texts to cell phones. Text platforms must scrub against DNC lists, honor STOP replies immediately, include identification disclosures, and observe the 8 a.m. to 9 p.m. local window. Carrier-level CTIA guidelines add further requirements on top of the legal minimums.
How do dialers handle the new FCC one-to-one consent rule?
The FCC's December 2023 order requires consent obtained through lead generation or comparison shopping sites to name each company individually. Dialers that integrate directly with lead forms can capture and log which company's disclosure was shown. Dialers relying on bulk lead imports from aggregators need an upstream process to confirm the consent names your company specifically before those leads enter the calling queue.
What documentation should I keep to defend a TCPA claim?
You need the consent record with timestamp, source URL, and disclosure language shown to the consumer; the call log with date, time, called number, agent, and disposition; DNC scrubbing records showing the list was clean at the time of the call; and recordings or transcripts of calls where disclosures were made or opt-outs occurred. Four years of retention is the standard benchmark, matching the federal limitations period.
Are there TCPA risks specific to AI-powered dialers or automated voice agents?
Yes. AI voice agents making telemarketing calls face the same TCPA consent requirements as traditional prerecorded messages. The FCC issued a declaratory ruling in February 2024 stating that AI-generated voices in robocalls fall under TCPA restrictions on prerecorded voice calls. Consent must be obtained before deploying any AI voice agent for telemarketing, and the identification disclosure requirements still apply.
Does the existing business relationship (EBR) exemption let you skip consent?
The EBR exemption applies to certain calls but is narrower than most teams think. It does not eliminate the prior express written consent requirement for autodialed telemarketing calls to cell phones. It gives some protection for calls to residential landlines under specific conditions and time limits. For cell phone outreach, don't lean on EBR as a substitute for documented written consent.
How much does a TCPA violation actually cost per call?
The statute sets $500 per violation, with a court's option to triple it to $1,500 for willful or knowing violations. There is no per-defendant cap. Class actions aggregate these figures across every affected number. A modest campaign that called 10,000 numbers without proper consent could face $5 million in statutory damages before any class multiplier. Settlements often land below maximum exposure, but individual defendant costs routinely reach six figures.
What's the best way to stay current on TCPA rule changes that affect dialers?
Follow FCC proceedings through the FCC's Electronic Comment Filing System, track TCPA-focused litigation blogs, and set up alerts for FCC declaratory rulings. The FCC modifies dialer obligations through orders and rulings even when the statute text stays the same. Rule changes in 2023 and 2024 both forced updates to consent intake and revocation workflows within months of adoption.
Sources
- U.S. Code, 47 U.S.C. § 227 – Telephone Consumer Protection Act (Cornell LII): FCC authority to issue rules under the TCPA and prohibition on autodialed and prerecorded calls without consent
- U.S. Code, 47 U.S.C. § 227 – Telephone Consumer Protection Act text (Cornell LII): Statutory definition of ATDS; prior express written consent requirement for telemarketing calls; identification disclosure requirements; $500 and $1,500 per-violation damages
- FCC rules implementing TCPA, 47 CFR § 64.1200 (eCFR): 8 a.m. to 9 p.m. local time restriction on telemarketing calls and texts; prior express written consent standard
- U.S. Supreme Court – Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS must use a random or sequential number generator to store or produce numbers; predictive dialers working from static lists may not qualify as ATDS
- Federal Register – FCC Report and Order on Consumer Consent (one-to-one consent and revocation rules): New requirement that consent obtained through comparison shopping sites name each company individually; clarification of revocation rights including oral revocation
- FTC – National Do Not Call Registry: Telemarketers must scrub calling lists against the registry at least every 31 days; registration and access requirements for the registry
- California Attorney General – California Consumer Privacy Act (CCPA): California state privacy and consumer protection framework that adds compliance obligations for outbound callers operating in California
- Federal Register – FCC Declaratory Ruling on AI-Generated Voice Calls under the TCPA (February 2024): AI-generated voices in robocalls are covered by TCPA restrictions on prerecorded voice calls; consent required before deploying AI voice agents for telemarketing
- FTC – Telemarketing Sales Rule, 16 CFR Part 310: Federal Telemarketing Sales Rule requirements including call time restrictions, identification requirements, and DNC compliance obligations that run parallel to TCPA
- Cornell Law School LII – 28 U.S.C. § 1658, federal statute of limitations: Four-year statute of limitations for federal civil claims including TCPA actions, supporting four-year consent record retention recommendation
- Federal Register – FCC 2012 TCPA Order raising the telemarketing consent standard: FCC 2012 order raising the consent standard from prior express consent to prior express written consent for telemarketing calls, effective October 2013