Last updated 2026-07-11

TL;DR
Name one person as your TCPA compliance owner. Give them documented authority over consent records, DNC scrubbing, and call and SMS logs, plus a written policy they can enforce. You do not need a lawyer on staff. You need a clear chain of accountability, a scrubbing schedule, and written consent standards before your first dial goes out.
Why does TCPA compliance need a named owner in the first place?
The TCPA sits at 47 U.S.C. § 227, and it creates strict liability. A plaintiff does not have to prove you meant to break the rules. If you called a number on the National Do Not Call Registry without a valid exemption, or sent an automated text without proper written consent, you owe between $500 and $1,500 per violation [1]. No intent required.
Most small teams get sued not because they did something reckless, but because nobody owned the question. Consent records lived in a spreadsheet nobody updated. DNC scrubbing happened when someone remembered. The sales manager assumed marketing handled it, and marketing assumed legal reviewed the form. That gap is where plaintiffs find their cases.
Naming an owner changes the dynamic immediately. Someone is accountable when a plaintiff's lawyer sends a demand letter and asks: where is your consent record for this number? Who scrubbed this list and when? What is your policy on abandoned calls?
The owner does not have to be a lawyer. They need judgment, access to your systems, and the authority to stop a campaign if something looks wrong.
Who should be the TCPA compliance owner at a small company?
There is no single right answer here. It depends on your org structure. Here is how I would think about it.
At a company with 5 to 25 people running outbound sales, the best fit is usually the person who already owns the CRM or the dialer. They touch the lists, they see the call dispositions, and they understand the data flow. That is your compliance owner by default whether you have named them or not.
At a slightly larger team, 25 to 75 people, the head of sales operations or revenue operations is the natural fit. They sit between sales and marketing, they control the tools, and they have enough authority to push back when a sales director wants to call a list that has not been scrubbed.
Avoid one thing: making the compliance owner a junior SDR or BDR with no real authority. They will get ignored the first time they flag a problem. The owner needs to pause a campaign without asking permission from three people first.
The FCC's 2023 one-to-one consent rule (originally set for January 2025, though enforcement timelines have shifted) makes this more urgent for lead-gen teams. Under that rule, consent must come from one identified seller at a time, not bundled across a marketplace [2]. Someone has to own verifying that your lead vendors meet that standard. That person is your compliance owner.
What authority does a compliance owner actually need?
Authority is the word most guides skip. They tell you to name an owner, hand them a checklist, and call it done. That is not enough.
Your compliance owner needs, at minimum, four specific powers in writing:
1. The authority to pause or cancel a campaign if consent records cannot be verified. 2. The authority to reject a purchased or rented list that has not been scrubbed against the National DNC Registry [3]. 3. Direct access to your dialer logs, SMS platform records, and CRM consent fields without having to request them from IT. 4. A defined escalation path. If they find a serious problem, who do they call? An outside TCPA attorney on retainer, or the CEO? Write that path down before you need it.
Without these four things, you have a compliance owner in title only. The title does not protect you in litigation. The FTC and FCC look for evidence of actual systems and controls, not org charts [4].
Put the authority grant in a one-page internal document. It does not need to be fancy. It needs to exist, be signed by someone with authority over the organization, and be dated.
What does a TCPA compliance policy actually look like for a small team?
A policy does not have to run 40 pages. For a team running outbound calls and SMS, a workable policy covers six things:
Consent standards. What counts as valid prior express written consent for autodialed calls or texts to cell phones? At minimum, a signed (including electronic) agreement that clearly names the company, states that calls or texts may be placed using an autodialer, and confirms that consent is not a condition of purchase. That last part matters. 47 C.F.R. § 64.1200(f)(9) defines prior express written consent and requires that it not be conditioned on any purchase [10].
List sourcing rules. Where can lists come from? What documentation is required from vendors? How do you verify a vendor's consent chain?
DNC scrubbing schedule. The FTC requires telemarketers to scrub against the National DNC Registry no more than 31 days before a call [3]. Write that down as your minimum standard. Many teams scrub every 15 days to be safe.
Call time restrictions. The TCPA prohibits calls before 8 a.m. or after 9 p.m. local time of the called party [1]. Your dialer must enforce this by the recipient's time zone, not yours.
Record retention. How long do you keep consent records? The FCC expects you to produce them if a complaint is filed. A safe standard is four years, which matches the TCPA's four-year statute of limitations.
Incident response. What happens when someone complains or threatens to sue? Who gets notified? Who pulls the records? Write the steps down.
A policy like this fits on two or three pages. It is not legal advice and does not replace outside counsel when you get a demand letter, but it is evidence that you ran a program with real controls.
How do you build a consent record system without expensive software?
You do not need enterprise software to keep compliant consent records. You need records that are retrievable, timestamped, and tied to a specific phone number.
Here is what that looks like in practice. For web-generated leads, your form should log the IP address of the submitter, a timestamp, the exact consent language shown on the page at the time of submission, and the phone number provided. Most modern form tools (Typeform, Gravity Forms with logging, HubSpot forms) capture IP and timestamp automatically. Store the consent language as it appeared, not a reference to "our standard consent language" that you might change tomorrow.
For inbound calls where you later want to market to the caller, log the call recording as your consent evidence and note what disclosure was made.
For purchased lists, get a data certification from the vendor in writing. It should state that consent was obtained for the specific type of contact you plan to make (autodialed call, text, prerecorded voice), that it was obtained within a defined time window, and that it was not conditioned on a purchase. Keep that document.
Ask yourself one practical question. If a plaintiff's attorney sends a litigation hold notice tomorrow and asks for the consent record for phone number 555-867-5309, can you pull it in 30 minutes? If the answer is no, your consent system needs work before your next campaign goes live.
For text message marketing, the consent bar is the same as for autodialed calls to cell phones. Prior express written consent is required. A contact filling out a form to download a PDF does not automatically consent to marketing texts, even if they gave you their number.
How should a compliance owner manage the National DNC list?
The National Do Not Call Registry is run by the FTC. Telemarketers who make more than a minimal number of calls must register and pay to access the registry data. The annual subscription fee is $75 per area code, up to a maximum of $20,597 for all area codes as of the FTC's most recent fee update [9]. Small teams that call a limited geography pay far less.
Your compliance owner's job here is straightforward, but it has to run on a defined schedule:
- Pull fresh registry data no more than 31 days before a call.
- Scrub your outbound list against it before each campaign starts.
- Document the date of each scrub and the version of the registry data used.
- Never call a number that has been on the registry for 31 days or more without a valid exemption (established business relationship, written permission, or a personal connection).
For an established business relationship exemption, the FTC rule allows calls to someone who has purchased from you within the past 18 months, or inquired within the past 3 months, even if they are on the registry [3]. That exemption expires, so your CRM data needs dates, more than flags.
Some teams also keep an internal do-not-call list for people who asked not to be called regardless of the national registry. You must honor those requests and keep the entries for at least 5 years [3]. That list is your compliance owner's responsibility too.
For more detail on accessing the registry, see our guide on how do I get the do not call list. And if your team calls cell phones, the mobile phone do not call list covers how wireless numbers are treated.
What records does your compliance owner need to maintain and for how long?
Record-keeping is where small teams most commonly fail in litigation. They have good intentions about consent but nothing they can produce when sued.
Here is a practical record-keeping table:
| Record type | Minimum retention | What to store |
|---|---|---|
| Consent records (web form) | 4 years from date of consent | IP, timestamp, exact consent language, phone number |
| Consent records (vendor-supplied) | 4 years from date of last contact | Vendor certification, list date, stated consent basis |
| DNC scrub logs | 5 years | Date of scrub, registry version used, list name |
| Internal DNC requests | 5 years from date of request | Number, date of request, date honored |
| Call recordings (if captured) | Varies by state, 2-4 years as a floor | All recordings for numbers that later complain |
| SMS opt-out confirmations | 4 years | Opt-out keyword received, timestamp, confirmation sent |
The four-year standard for consent records matches the TCPA's four-year statute of limitations under 28 U.S.C. § 1658. Some state TCPA analogs have longer windows, so if you operate heavily in California or Florida, check local rules [5].
Your compliance owner should run a quarterly records audit. Pull ten random records from each category and verify they are complete and retrievable. If they are not, fix the gap before it becomes evidence of no controls.
How do you handle TCPA compliance when using a dialer or SMS platform?
Most modern outbound dialers (Five9, Convoso, NICE CXone, and others) have built-in DNC scrubbing, time-zone enforcement, and call logging. Your compliance owner should not assume those features are on and configured correctly. Verify it.
For every dialer or SMS platform you use, your compliance owner should document:
- Is time-zone restriction enabled and set to the recipient's local time (not the agent's)?
- Is DNC scrubbing integrated, and what is the scrub frequency?
- Does the system block calls before 8 a.m. and after 9 p.m. local to the recipient?
- Is there an abandoned call rate setting? The FCC's safe harbor for abandoned calls on predictive dialers is 3% or less of answered calls per 30-day period, and abandoned calls must play a specific message with contact information [4].
- Does the SMS platform automatically process STOP replies as opt-outs and send confirmation?
Get answers to these questions in writing from your vendor. Save their responses. If they tell you the system is compliant and it turns out it was misconfigured, that documentation matters.
For cold calling teams, the question of what counts as an "autodialer" under the TCPA remains unsettled after the Supreme Court's 2021 ruling in Facebook v. Duguid, which narrowed the definition but did not resolve every use case [6]. Your compliance owner should know what dialing technology your team uses and whether it fits the current autodialer definition.
What should your compliance owner do when someone threatens to sue?
This is the moment the whole system either holds or falls apart. A demand letter arrives. Someone calls threatening a class action. An attorney sends a litigation hold notice.
The compliance owner's first move is not to respond. It is to preserve records. Immediately.
Stop any process that might overwrite or delete records tied to the complainant's number. Pull the consent record, the DNC scrub log showing whether that number was scrubbed and when, the call recordings if you have them, and any opt-out requests for that number. Get all of it into a folder that will not be touched.
Then get outside TCPA counsel on the phone. This is not a job for a compliance owner to handle alone. TCPA class actions settle big. The Cash App TCPA class action settled for $15 million in 2022 [7]. Credit One Bank reached a $14 million settlement in an earlier TCPA case [8]. Even individual cases settle for tens of thousands of dollars. You want a lawyer reviewing your records before anyone responds to a demand.
What the compliance owner can do: write a clear factual memo for counsel covering what the company's process was, what records exist, and what the call or text in question was supposed to be. That memo is not privileged unless counsel directs it, so be careful. But the factual summary helps outside counsel move fast.
The teams that handle demand letters well are the ones whose compliance owners can answer: yes, we have the consent record, yes, the number was scrubbed, here is the date and the registry version. That is the whole game.
How do you train your sales team on TCPA basics without a legal department?
Your sales team does not need to understand 47 U.S.C. § 227 in detail. They need three things.
First, some calls and texts require consent before you make them. If the system shows a contact came from a purchased list and there is no consent flag, do not dial that number until the compliance owner clears it.
Second, if anyone says "stop calling me," "take me off your list," or any reasonable variation, the call ends and the number gets flagged right away. The FTC requires internal DNC requests to be honored within 30 days, but best practice is immediate [3]. Train reps to log the request in the CRM before they close the call.
Third, do not make promises about what records exist. If a prospect asks how you got their number, the rep says "let me connect you with the right person" and escalates to the compliance owner. Reps improvising answers about consent in real time is a liability.
A 30-minute training covering these three points, run at onboarding and refreshed annually, beats a 200-slide TCPA overview nobody remembers. Keep it simple. Keep it tied to real scenarios from your actual campaigns.
Document that the training happened. Sign-in sheets or LMS completion records work. That documentation shows regulators and courts that you ran a real program.
LeadCompliant offers a free compliance checklist covering the consent and DNC scrubbing steps your team runs through before each campaign. It is a reasonable starting point if you are building training materials from scratch.
What does good compliance ownership look like six months in?
The first month is setup: naming the owner, writing the policy, verifying dialer configuration, establishing the scrubbing schedule. After that, compliance ownership shifts to maintenance and monitoring.
At six months, a functioning program looks like this.
The compliance owner runs a monthly DNC scrub and logs the date, registry version, and list size every time. They have a folder of vendor certifications for every purchased list used in the past year. They can pull any consent record within 30 minutes. Training records exist for every current rep.
They also stay current with regulatory developments. The FCC issued its one-to-one consent rule in late 2023 [2], and enforcement has been an active area. The FTC updates its guidance on the National DNC Registry periodically [3]. Subscribing to FCC and FTC email updates costs nothing and takes ten minutes to set up.
At a practical level, the compliance owner should run a brief quarterly review with whoever owns legal risk at the company (the CEO, COO, or outside counsel). The agenda: what campaigns ran this quarter, any complaints received, any gaps found in the records audit, and any regulatory changes coming that affect your process.
If you want a free tool to verify numbers against the DNC registry or check your consent language before a campaign, LeadCompliant's free checkers are a reasonable starting point for small teams without dedicated compliance software.
The do not call list and do not call telemarketer list guides cover the scrubbing mechanics in more detail if your compliance owner is getting into the weeds on list management.
What are the biggest TCPA mistakes small teams make when there is no clear owner?
These are the patterns that show up again and again in TCPA litigation, based on public case records and FCC enforcement actions:
Buying a list and assuming it is clean. A vendor calling their list "TCPA compliant" means almost nothing without documentation of when and how consent was obtained, and what type of contact was consented to. The FCC's one-to-one consent rule makes this even more important [2].
Using a dialer's default settings. Out-of-the-box dialer configurations are not always compliant. The abandoned call rate limit, time-zone enforcement, and DNC scrubbing all need explicit configuration and verification.
Not honoring opt-outs fast enough. For SMS, the TCPA and carrier requirements expect opt-outs to be processed quickly. Waiting a week to remove someone from your text list after they reply STOP is a problem.
Assuming established business relationships are unlimited. The EBR exemption from the DNC registry has time limits: 18 months for purchasers, 3 months for inquirers [3]. Teams often treat EBR as a permanent flag rather than a time-sensitive one.
No record of what the consent language said at the time. If you change your opt-in form language and do not version-control it, you cannot prove what a consumer agreed to 18 months ago. Archive your form versions.
The common thread runs through all of these. Nobody owned the question. When everyone assumes someone else handled it, nobody handled it.
Frequently asked questions
Do I legally need a compliance officer for TCPA?
No statute requires a formal compliance officer or any specific job title. What the TCPA and FCC rules require is that you actually follow the rules: scrub lists, get proper consent, honor opt-outs, and keep records. A named internal owner is the practical way to make sure those things happen. The title matters less than the accountability.
Can the same person own TCPA compliance and run sales?
Yes, but there is a real conflict of interest risk. A sales manager whose bonus depends on dials made has a built-in incentive to cut corners on scrubbing or consent verification. If your compliance owner is also your top revenue driver, build in an escalation path to someone above them who can override a decision to run a questionable campaign. A check on the checker matters.
How often does our DNC scrub need to happen?
The FTC rule requires telemarketers to access current registry data no more than 31 days before making a call [3]. In practice, most teams scrub every 15 to 30 days. If you run high-volume outbound daily, scrubbing weekly is a safer standard. The key is to document the date of each scrub and the version of the registry data used.
What is the fine for a TCPA violation without a compliance program?
The TCPA provides $500 per violation for negligent violations, up to $1,500 per violation for willful or knowing violations [1]. In a class action, each call or text to each class member is a separate violation. Class actions with millions of records can generate settlement demands in the tens of millions. The Cash App settlement was $15 million; Credit One reached $14 million [7][8].
Does a compliance owner need TCPA training or a certification?
No formal certification exists for TCPA compliance. The practical skills needed are understanding the statute and FCC rules, ability to manage data systems, judgment about when to escalate to outside counsel, and enough organizational authority to pause a campaign. A compliance owner who reads the actual FCC rules and stays current on enforcement actions will know more than most.
What should we do if a vendor says their list is already TCPA compliant?
Ask for written documentation of when consent was obtained, what the consent language said, what type of contact was consented to (autodialed call, text, prerecorded voice), and whether consent was conditioned on a purchase. A vendor unwilling to provide that is a red flag. Under the FCC's 2023 one-to-one consent rule, consent must identify your company specifically, not a broad category of sellers [2].
How do you track TCPA consent records if you do not have a CRM?
A spreadsheet with the right columns works at a small scale: phone number, consent date, consent method (web form, verbal, written), IP address if web-sourced, and the exact consent language version shown. The key is that the record is timestamped, tied to a specific number, and stored somewhere with backup. Google Sheets with version history turned on is a reasonable starting point for very small teams.
What happens when a rep gets a verbal 'do not call' request during a call?
The rep ends the call, logs the number in the CRM with today's date marked as an internal DNC request, and the number must be honored within 30 days at the outside. Best practice is immediate suppression. That number also stays on your internal DNC list for at least 5 years [3]. Train reps to treat verbal DNC requests as a hard stop, not a note to maybe follow up on later.
Does TCPA apply to texts the same way it applies to calls?
Yes. The FCC has interpreted text messages as 'calls' under the TCPA since at least 2003, and that reading has been affirmed repeatedly. Autodialed or prerecorded texts to cell phones require prior express written consent, just like autodialed calls. Opt-out requests via text (like replying STOP) must be honored promptly and a confirmation message sent [4].
How should we handle compliance if we use a lead generation vendor or affiliate?
Treat vendor-sourced leads with more scrutiny than self-generated ones, not less. Get a written certification that consent was obtained, specifying the company named in the consent disclosure, the date, and the contact method consented to. The FCC's one-to-one consent rule requires consent to name your company specifically [2]. Keep those certifications for at least four years.
What is the difference between the National DNC Registry and a company-specific DNC list?
The National DNC Registry is run by the FTC and covers numbers where consumers have opted out of most telemarketing calls nationally [3]. A company-specific internal DNC list covers people who asked your company specifically not to call, regardless of whether they are on the national registry. You must maintain and honor both. Someone not on the national registry can still demand you stop calling them personally.
Can a small company survive a TCPA class action if it has a compliance program?
A documented compliance program does not make you immune, but it matters in two ways. It reduces the likelihood you made the kind of systemic error that generates a class action. And evidence of real controls can affect whether violations are deemed willful (up to $1,500 each) versus negligent ($500 each), which strengthens your position in settlement talks. No program is a guarantee, but the absence of one is consistently cited in TCPA case outcomes.
How do we handle TCPA compliance if we operate across multiple states?
The TCPA is federal law and applies nationwide, but some states have stricter laws of their own. California's Rosenthal Act adds layers for California consumers. Florida's Mini-TCPA, effective July 2021, applies to calls and texts and has its own consent and DNC requirements. Your compliance owner needs to know which states your campaigns touch and check state-specific rules on top of the federal standard [5].
Sources
- 47 U.S.C. § 227 (TCPA statute text) via Cornell Legal Information Institute: TCPA provides $500 per violation, up to $1,500 for willful violations; prohibits calls before 8 a.m. or after 9 p.m. local time; defines prior express written consent requirements
- Federal Trade Commission, main site (National Do Not Call Registry guidance for telemarketers): Telemarketers must access DNC registry data no more than 31 days before calling; established business relationship exemption covers 18 months for purchasers and 3 months for inquirers; internal DNC requests must be honored within 30 days and retained 5 years
- National Conference of State Legislatures, main site (state telemarketing laws): Multiple states including California and Florida have TCPA-analog laws with stricter requirements than federal law; Florida Mini-TCPA effective July 2021
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), opinions section: Supreme Court narrowed the TCPA autodialer definition in 2021, holding that a device must use a random or sequential number generator to be an ATDS, but did not resolve all use cases
- U.S. District Court records, Cash App (Block, Inc.) TCPA class action settlement, reported 2022: Cash App TCPA class action settled for $15 million
- U.S. District Court records, Credit One Bank TCPA class action settlement: Credit One Bank reached a $14 million TCPA class action settlement
- FTC, Complying with the Telemarketing Sales Rule, main FTC business guidance section: FTC Telemarketing Sales Rule requires subscription to DNC registry at $75 per area code up to an annual maximum for all area codes; sets rules for abandoned calls, consent documentation, and internal DNC list maintenance
- 47 C.F.R. § 64.1200 (FCC TCPA implementing regulations) via the Electronic Code of Federal Regulations: FCC regulation defines prior express written consent, call time restrictions, and requirements for prerecorded message calls and texts