Last updated 2026-07-11

TL;DR
A compliance gate is a mandatory set of automated checks every contact must pass before it hits your dialer. At minimum it scrubs federal and state DNC lists, validates consent records, identifies wireless numbers, and flags reassigned numbers. Miss one layer and a single call can cost $500 to $1,500 per violation under 47 USC 227.
What is a compliance gate and why does every outbound team need one?
A compliance gate is a checkpoint, or a series of them, that sits between your raw lead list and your dialer. Every contact has to pass every check before a rep can dial. Fail any check and the record routes to a suppression queue or gets flagged for manual review. It never reaches a phone.
That sounds bureaucratic until you see what happens without one. The TCPA [1] creates statutory damages of $500 per negligent violation and $1,500 per knowing or willful violation, with no cap per plaintiff class. The Cash App TCPA class action settlement and the Credit One TCPA settlement are two recent cases where companies paid tens of millions because their scrubbing had gaps. [2] Neither company set out to break the law. They just lacked the gate.
Small teams think this is a big-company problem. It isn't. Plaintiffs' attorneys target smaller operations precisely because they assume there's no compliance infrastructure. A three-person inside sales team running 500 dials a day with no DNC scrub is a settlement waiting to happen.
Here's the good news. A compliance gate doesn't require enterprise software. It requires a clear sequence of checks, a documented process, and records you can actually produce in discovery.
What are the legal requirements that a compliance gate has to satisfy?
The floor is set by federal law and two FCC rule sets. 47 USC 227, the Telephone Consumer Protection Act, prohibits calls and texts made with an autodialer or prerecorded voice to cell phones without prior express consent. [1] It also bars telemarketing calls to numbers on the National Do Not Call Registry unless the caller has an established business relationship or written consent. [3]
The FCC's 2012 TCPA rule update, published in the Federal Register at 77 FR 34233, closed the established business relationship exemption for autodialed or prerecorded calls to cell phones. [4] That change matters. You cannot rely on a prior customer relationship alone anymore. You need documented consent.
The FCC's one-to-one consent order, adopted in late 2023 with compliance required by early 2025, now requires that consent be obtained for each specific seller individually. A lead who opted in on a comparison website granting permission to "marketing partners" is no longer valid consent for your company. [5] That single rule change wiped out an enormous volume of purchased leads.
On top of the federal floor, states layer their own rules. Florida's Mini-TCPA (SB 1120) applies to calls to Florida residents and sets a lower threshold for what counts as an autodialer. Washington's CEMA, Illinois's autodialer rules, and California's CCPA each add obligations. Your compliance gate needs to account for the state law that applies to the called party's number, not your company's home state.
You also have to honor internal do-not-call requests. Under 47 CFR 64.1200(d), any company doing residential telemarketing must keep its own DNC list, honor opt-out requests within 30 days, and retain opt-out records for five years. [6]
What are the specific layers a compliance gate should include?
Think of this as a sequential filter. A contact passes every layer in order. Fail one and it stops there.
Layer 1: Internal DNC suppression This is your own list of people who asked not to be called. Run it first, because it's the cheapest check and the hardest failure to defend in litigation. Your CRM should flag these on import, not after the fact.
Layer 2: National DNC Registry scrub The FTC operates the National Do Not Call Registry. [3] You must scrub against it no more than 31 days before any call. Subscriptions run through the FTC's Telemarketing Sales Rule access portal at donotcall.gov and cost nothing for the first five area codes; fees apply beyond that. Miss this and you have a Telemarketing Sales Rule violation on top of potential TCPA exposure.
Layer 3: State DNC list scrub Several states keep their own registries separate from the federal list. Indiana, Texas, Wyoming, and others maintain state-specific lists. If you call into those states, you need a separate scrub. [7] The do not call list landscape is more fragmented than most teams realize.
Layer 4: Wireless number identification The TCPA requires separate consent for autodialed or prerecorded calls to cell phones. You have to know whether a number is wireless before you dial. Carrier data from Twilio Lookup, Neustar, or Bandwidth can classify a number as mobile, landline, or VoIP at the time of dialing, not at the time of lead capture. Numbers port constantly.
Layer 5: Reassigned number check The FCC's Reassigned Numbers Database (RND) launched in 2021 and was built for exactly this problem. [8] When a phone number is disconnected and reassigned to a new person, the original consent you had is worthless. The RND lets you query whether a number has been reassigned since you last had contact with the person who consented. A single query costs fractions of a cent. Missing a reassigned number and getting sued costs a minimum of $500 per call.
Layer 6: Consent record verification For any number classified as wireless, you need a consent record. That record should include the date and time consent was collected, the source URL or form identifier, the exact language shown to the consumer, and the IP address or other attribution data. The FCC's one-to-one consent rule means generic lead-gen opt-ins no longer satisfy this. [5] If you can't produce a consent record for a specific contact, treat that contact as unconsented.
Layer 7: Time-of-day and state-specific window check Federal rules prohibit calls before 8 a.m. or after 9 p.m. local time at the called party's location. [6] Several states are stricter. Your dialer or pre-dial logic needs to calculate the time zone of the called number and enforce those windows automatically, not lean on reps to remember.
How should you structure the data flow from lead source to dialer?
The biggest operational mistake is treating compliance as a one-time event at import. Consent decays. Numbers get reassigned. People call your company to opt out and then get dialed again because the suppression didn't sync to the dialer in time.
Here's a data flow that actually holds up:
1. Lead arrives (API push, file upload, or manual entry) 2. Deduplication and formatting validation run first 3. Internal DNC suppression check runs against your own list 4. Federal and state DNC scrub runs against registry data no older than 31 days 5. Wireless classification API call confirms current carrier type 6. If wireless, consent record lookup runs against your consent database 7. Reassigned Numbers Database query runs if last contact was beyond a defined lookback period 8. Time-zone assignment and calling-window flag added to the record 9. Record enters the dialer queue with a compliance status field set to "cleared" 10. Dialer software checks that status field before initiating any call; it won't dial a record without it
Step 10 is the gate. The dialer should not be able to start a call on a record that lacks a valid compliance status timestamp. This kills the common failure mode where your compliance process runs correctly but the dialer queue gets populated through a separate channel that skips it.
For teams on Salesforce, HubSpot, or similar CRMs, the compliance status field should be required on the contact object, and the dialer integration should only pull records where that field is populated and current (within 31 days for DNC, and refreshed if the consent source changes).
Want a ready-made structure for this? LeadCompliant's free compliance kit includes a documented data flow template and a contact status schema you can adapt to your CRM without starting from scratch.
How do you handle consent records so they hold up in litigation?
Courts look at two things in TCPA cases: did you have valid consent, and can you prove it? You can win the first question and lose the second because your records were sloppy.
A consent record that survives discovery contains six things. The date and time consent was given (down to the second, in UTC). The source, meaning the specific URL, form ID, or call recording where consent was captured. The exact language shown or spoken to the consumer at the moment of consent. The identifier connecting that record to the specific phone number being called. The person's IP address or session ID if collected online. And the name of the lead vendor if a third party acquired the consent.
For purchased leads, go further. Under the FCC's one-to-one consent ruling, a lead from an aggregator where the opt-in language said "I agree to be contacted by marketing partners" does not give your company valid prior express written consent. [5] The opt-in has to name your company specifically. That means either collecting your own leads, or working with vendors who can produce compliant, name-specific consent documentation for every record they sell you.
Store consent records separately from your CRM contact record. Courts have seen cases where a contact gets deleted from a CRM and the underlying consent record goes with it. Keep consent records for at least five years, which matches the FTC's internal DNC record-keeping requirement and covers the TCPA's four-year statute of limitations plus buffer.
For cold calling to landlines, the consent standard is lower. You don't need prior express written consent for informational calls; you need it for telemarketing calls that use an autodialer or prerecorded voice to a cell. But even for landline calls, documenting your basis (an established business relationship, a B2B exemption, express permission) protects you if a complaint arises.
What technology do you actually need to run a compliance gate?
You don't need a dedicated compliance platform costing $50,000 a year. You need a handful of API connections and a sensible data architecture. Here's what each layer of the stack does:
| Function | What it does | Example tools |
|---|---|---|
| DNC scrub | Checks federal and state registries | Gryphon, DNC.com, Contact Center Compliance |
| Wireless classification | Identifies mobile vs. landline in real time | Twilio Lookup, Neustar, Bandwidth |
| Reassigned number check | Queries the FCC's RND for reassignment | Numeracle, Telecommunication Systems |
| Consent storage | Records and retrieves timestamped consent | Your CRM + a simple consent log table |
| Time-zone enforcement | Maps area code to local time | Most dialers (Five9, Outreach, Aircall) |
| Dialer gating | Blocks uncleared records from dialing | Custom status field + dialer API filter |
For very small teams (under five reps), a monthly DNC scrub subscription, Twilio Lookup via API for wireless classification, a spreadsheet-based consent log with timestamps, and a simple CRM status field can be enough to build the gate. Imperfect but documented beats undocumented and theoretical every time.
Run more than a few hundred dials a day and the manual approach falls apart fast. At that scale, pay for a purpose-built scrubbing service that processes your lists in batch and returns a compliance-status file before leads enter your CRM. Build the API call into your lead intake so it fires automatically.
The mobile phone do not call list question comes up constantly. There is no separate federal mobile DNC list. Cell phones are covered by the main National DNC Registry plus the TCPA's consent requirements. Your wireless classification step is what enforces the cell phone rules.
How often do you need to re-scrub existing contacts?
The FTC's Telemarketing Sales Rule requires you to scrub against the National DNC Registry no more than 31 days before a call. [9] That's the legal maximum interval. In practice, if your contact list spans months, scrub on a rolling 30-day cycle, not once at import.
Consent records decay differently. The FCC hasn't set a maximum age for prior express written consent in statute, but courts and FCC guidance treat older consent with more skepticism, especially where the consumer hasn't interacted with your company recently. Nobody has definitive published data on the safe consent window. What we do know: plaintiff attorneys will argue that 24-month-old consent from a lead-gen site is stale. A reasonable internal policy treats any consent older than 18 to 24 months as requiring re-verification if you haven't had subsequent contact with the person.
Reassigned number checks should run close to the time of dialing. A check you ran 90 days ago tells you almost nothing about whether the number is still held by the person who consented. Query the FCC Reassigned Numbers Database [8] within 30 days of a call, and ideally within the same week.
Internal DNC suppression has no decay. If someone asked not to be called, they stay on your internal list forever unless they affirmatively request removal and you document that request.
What records do you need to keep, and for how long?
Record-keeping is where compliance gates save you or sink you. You win TCPA cases with documentation. You lose them without it.
Here's what to retain and for how long:
Consent records: Keep for at least five years from the date of collection. The TCPA has a four-year statute of limitations for private rights of action, so four years is the legal floor; five gives you margin.
DNC scrub logs: Keep the date, the registry version used, and the result for each scrub run. 47 CFR 64.1200(d) requires you to maintain your internal DNC list and honor opt-outs; the FTC's TSR carries parallel record-keeping requirements. Keep these for at least five years. [6]
Internal DNC opt-out requests: Keep the date of the request, the number, and the source (inbound call, email, text reply, verbal). Honor them within 30 days; the record proves you did.
Call logs: Your dialer should produce a log of when each call started, the number dialed, the duration, and the agent. Keep for four years minimum.
Vendor agreements: If you buy leads, keep the contract, and specifically any representations the vendor made about consent source and language. If that consent is later challenged, you need to show you relied on the vendor's warranty in good faith.
Store all of this somewhere that isn't just your CRM. CRMs get migrated, contacts get deleted, fields get overwritten. A separate compliance data store, even a cloud-hosted database or a read-only data warehouse, keeps your records intact.
What are the most common compliance gate failures, and how do you fix them?
Read through FTC enforcement actions and TCPA case complaints and the same failures show up again and again.
Failure 1: The compliance check runs but the dialer bypasses it. Teams set up a scrub on list import, but reps can also drop numbers into the dialer queue manually, skipping the gate entirely. Fix: the dialer only dials records with a current compliance status field. No exceptions, no manual overrides without a documented authorization workflow.
Failure 2: Internal DNC opt-outs don't sync in time. Someone calls in and says "take me off your list." The rep notes it in the CRM. But the CRM-to-dialer sync runs nightly, so that contact gets dialed again the next morning before the sync fires. Fix: opt-out status propagates to the dialer immediately, not on a nightly batch.
Failure 3: Consent records live in a format you can't retrieve fast. In litigation you'll have 30 days or less to produce documentation. If your consent records sit in a spreadsheet that got emailed around and then archived, you're in trouble. Fix: structured database storage with queryable fields from day one.
Failure 4: Wireless classification happens at intake and never again. A contact came in as a landline two years ago. They ported the number to a wireless carrier six months ago. Now you're dialing a cell phone with an autodialer and no consent. Fix: re-classify numbers within 30 days of each call attempt, more than at intake.
Failure 5: Purchased leads with invalid consent get loaded without scrutiny. The Cash App TCPA class action settlement and similar cases often trace back to third-party lead sources with weak consent language. [2] Fix: before onboarding any new lead vendor, get their consent form, read the exact language, and confirm it names your company specifically after the FCC's one-to-one rule.
Want to audit your current process against these failure modes? The free checkers at LeadCompliant let you verify individual numbers against the National DNC Registry and check wireless status without building a full integration.
How do you document your compliance gate so it protects you in court?
A compliance gate you can't prove existed is almost the same as no gate. Documentation is what turns your process into a legal defense.
The core document is a written compliance policy. It describes each layer of the gate, the technology at each layer, who maintains each piece, how exceptions get handled, and how the policy gets updated when the law changes. Courts have noted that a written TCPA compliance policy factors into whether a violation was willful or merely negligent, which is the difference between $500 and $1,500 per call. [1]
Train everyone who touches lead lists or the dialer on the policy. Keep signed training acknowledgments. If a rep bypasses the gate, you need to show the deviation was that individual's act against documented policy, not a systemic company failure.
Run a quarterly compliance audit. Pull a sample of calls from the past 90 days and trace each one back through the gate logs. Confirm the contact had a valid DNC scrub on file, a consent record if wireless, and a current compliance status before the call started. Document the audit and its findings.
When the law changes, update your policy within 30 days and re-train the team. The FCC's one-to-one consent rule is a good example. Companies that updated their lead intake immediately have a clean break date in their records. Companies that ignored it for six months have a gap. [5]
For text message marketing, the documentation is the same but the consent standard is higher. Prior express written consent is required for every marketing text to a cell phone, and the consent must state that automated texts may be sent. Automate that documentation the same way you document consent for calls.
What does a compliance gate look like for a very small team or solo operator?
The principles don't change with team size. The build gets leaner.
If you're a team of one or two running manual outreach with a basic dialer, here's a workable minimum viable gate:
Before any list enters your system, run it through an FTC-accessible DNC scrub tool or a low-cost scrubbing service. Record the date you ran it and the number of records removed. Save that log file.
For every cell phone number, check wireless status before calling. Twilio Lookup costs fractions of a cent per query and has an API any developer can wire to a spreadsheet in an afternoon. Can't build the API? Run manual spot checks and log them.
Keep a spreadsheet as your internal DNC list. Every time someone asks not to be called, add their number, the date, and how they asked. Check that sheet before every call session with a VLOOKUP or a simple filter against your list.
For any cell phone where you don't have documented consent, don't dial it with an autodialer. Use click-to-dial, which removes the autodialer question entirely because a human manually starts each call. This doesn't erase all TCPA risk, but it takes the autodialer element out of the analysis.
Store your consent records in a separate tab of your CRM or a dedicated spreadsheet. Never delete them. If you outgrow this approach, migrate the data, don't abandon it.
This won't cover every edge case, and it's no substitute for real compliance infrastructure as you scale. But documented and manual beats undocumented and automated from a litigation standpoint. You can learn more about the do not call list access process and the do not call telemarketer list rules that apply to your situation.
Frequently asked questions
Can I just rely on my dialer vendor to handle compliance?
No. Dialer vendors typically apply time-of-day restrictions and sometimes basic DNC scrubs, but they don't verify your consent records, check for reassigned numbers, or confirm your consent meets the FCC's current one-to-one standard. The legal obligation sits with your company, not the software vendor. Your dialer is one layer of the gate, not the whole gate.
How do I get access to the National Do Not Call Registry for scrubbing?
The FTC grants access through its Telemarketing Sales Rule portal at donotcall.gov. The first five area codes are free; fees apply for additional area codes and for national access. You need a subscription to reach the data, and you must re-scrub against it no more than 31 days before any call. State registries have separate access procedures and fees.
Does the compliance gate apply to B2B calls?
Partially. The National DNC Registry applies to residential and personal numbers, not to numbers answered in a business context during business hours. But if a B2B prospect uses a cell phone, the TCPA's autodialer restrictions still apply to that number regardless of context. You still need wireless classification and, if using an autodialer, documented consent for cell phones.
What is the FCC Reassigned Numbers Database and how do I query it?
The FCC Reassigned Numbers Database (RND) tracks when phone numbers get disconnected and reassigned to new subscribers. It launched in 2021 and lets callers verify whether a number has been reassigned since they last had contact with the original subscriber. Access it via the FCC's RND portal or through third-party aggregators who expose it by API. Queries cost a small per-record fee.
How long do I have to honor a do-not-call request?
Under 47 CFR 64.1200(d), you must honor an internal DNC request within 30 days of receiving it. In practice, most litigation targets companies that called again inside the 30-day window, so the faster you process opt-outs, the better. Keep a record of when the request came in and when you applied it. National Registry numbers must be scrubbed before each calling campaign.
Does the FCC one-to-one consent rule affect leads I already purchased?
Yes, and significantly. The FCC's one-to-one consent rule, effective in early 2025, requires prior express written consent for each seller specifically. Leads bought from aggregators using broad opt-in language covering 'marketing partners' are no longer valid for your company unless the consumer's consent named you specifically. Review your lead vendor contracts and the exact opt-in language before calling any purchased list acquired before 2025.
What's the difference between the compliance gate and a TCPA compliance program?
The compliance gate is the operational mechanism: the specific checks a contact passes before entering the dialer. A TCPA compliance program is broader, covering the written policy, staff training, audit procedures, incident response, and vendor oversight. The gate is one component of the program. You need both. The gate stops bad calls from happening, the program documents why your process is lawful if you're challenged.
Can prior express written consent be verbal?
No. Prior express written consent under the TCPA requires a written agreement, which the FCC defines to include electronic signatures and online checkboxes, but the consent must be in writing or its electronic equivalent. A verbal agreement a rep jotted into CRM notes is not prior express written consent and won't hold up in a TCPA lawsuit where the plaintiff disputes they consented.
What happens if a contact revokes consent after I have a valid record?
Revocation ends your right to call. The FCC's 2023 guidance reaffirmed that consumers may revoke consent by any reasonable means, including replying STOP to a text, saying stop on a recorded call, or sending a written request. You must honor revocation promptly. Add them to your internal DNC list immediately, sync it to your dialer within 24 hours at most, and keep the revocation record.
Is there a safe harbor if I follow the compliance gate process but a call slips through?
There is a limited good-faith defense recognized in some courts for TCPA violations where the caller relied on established procedures and reasonable technology. But it's a defense argued in litigation, not a guaranteed exemption. The TCPA has no explicit statutory safe harbor equivalent to the TSR's. Documented process and immediate remediation when you find an error are your best defenses, not an assumption that process alone immunizes you.
Do I need a separate compliance gate for SMS outreach?
In practice, yes. Text messages to cell phones require prior express written consent under the TCPA, and the consent must specifically authorize texts, not only calls. Your SMS gate should include wireless classification (all texts go to mobile numbers, but confirm VoIP vs. true mobile), consent record verification with text-specific language, and an opt-out handler that adds STOP replies to your internal DNC list in real time.
How do I verify that a lead vendor's consent is actually compliant?
Ask the vendor for the exact consent form URL and the opt-in language at the time the lead was generated. Confirm the language names your company specifically after January 2025. Check whether their platform captures IP address, timestamp, and session data. Request a sample data file showing the consent metadata they provide per record. If they can't provide that documentation, don't purchase the list.
What's the minimum a very small team needs to have a defensible compliance gate?
A documented internal DNC list with opt-out records, a DNC scrub run within 31 days of each call session, wireless classification for any cell number, a consent record for any cell phone dialed with an autodialer, a reassigned number check, and a written policy describing the process. Imperfect documentation of real steps beats a sophisticated undocumented process every time in court.
Sources
- U.S. Code, 47 USC 227, Telephone Consumer Protection Act: The TCPA creates statutory damages of $500 per violation and $1,500 for knowing or willful violations, with no per-class cap.
- FTC, Cases and Proceedings library: TCPA class action settlements have reached tens of millions of dollars in cases involving deficient consent and DNC scrubbing processes.
- FTC, National Do Not Call Registry: The FTC operates the National Do Not Call Registry and requires telemarketers to scrub against it no more than 31 days before calling.
- Federal Register, FCC TCPA rule, 77 FR 34233 (2012): The FCC's 2012 rule closed the established business relationship exemption for autodialed or prerecorded calls to cell phones, requiring prior express written consent.
- Electronic Code of Federal Regulations, 47 CFR 64.1200(d): 47 CFR 64.1200(d) requires companies to maintain an internal DNC list, honor opt-out requests within 30 days, and keep records for five years.
- FTC, Telemarketing Sales Rule compliance guidance: Several states maintain their own DNC registries separate from the federal list, including Indiana and Texas, requiring separate scrubs for calls into those states.
- FCC, Reassigned Numbers Database: The FCC's Reassigned Numbers Database, launched in 2021, lets callers verify whether a number has been reassigned to a new subscriber since the original consent was obtained.
- FTC, Telemarketing Sales Rule, 16 CFR Part 310: The FTC's Telemarketing Sales Rule requires that telemarketers scrub calling lists against the National DNC Registry no more than 31 days before any call.