Last updated 2026-07-09

TL;DR
Every new outbound rep needs a written TCPA checklist before their first dial. The law (47 U.S.C. § 227) sets fines at $500 per violation and up to $1,500 for willful ones, with no cap on class-wide damages. A solid onboarding checklist covers consent types, DNC scrubbing, time-of-day rules, autodial restrictions, and how to handle revocations. Build it once. Enforce it every hire.
Why does a TCPA onboarding checklist matter before a rep ever picks up the phone?
The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, makes your company liable for what your reps do, not for what management approved.[1] A new hire who wings it on day one can trigger a class action before you even know a problem exists. Courts treat each call or text to a cell phone without proper consent as its own separate violation. Plaintiffs' lawyers count them one by one.
Statutory damages run $500 per negligent violation and $1,500 per willful violation.[1] In a class action covering thousands of consumers, those numbers multiply fast. The Credit One TCPA settlement resolved at $75 million.[2] The Cash App TCPA class action settlement came in at $9.5 million.[3] These aren't edge cases. They're what happens when onboarding gaps get exploited at scale.
A checklist does three jobs. It forces you to document that training happened, which is your first defense if you ever get sued. It creates a repeatable process, so compliance doesn't depend on whoever happens to be running orientation that week. And it gives reps a concrete reference they can pull up when they're not sure a particular call is allowed.
One more thing. The FCC enforces the TCPA and has issued binding rules under it, most recently its one-to-one consent orders from 2023 and 2024.[4] Those rules are not optional. They apply to every person making calls or sending texts on your behalf, including a contractor you hired last Tuesday.
What are the core TCPA rules every new rep must understand before dialing?
Five rules matter most. Get these wrong and everything else is noise.
1. Prior express written consent for autodialed or prerecorded calls to cell phones. If your team uses any system that stores or produces numbers using a random or sequential number generator, or dials from a list without human intervention on each call, the FCC may treat it as an automatic telephone dialing system (ATDS). Calls or texts to cell phones using an ATDS require prior express written consent.[1] The consent must clearly authorize calls from your company specifically. A signed agreement (electronic signature is fine) that names autodialed marketing calls, the consumer's phone number, and the consumer's signature satisfies this.[4]
2. The National Do Not Call Registry and internal DNC lists. Reps must never call a number on the federal DNC registry without a documented exception. They also have to honor your company's internal DNC list within a reasonable time after a consumer's request, and no longer than 30 days.[5] Both lists get scrubbed before calls go out, not after.
3. Time-of-day restrictions. TCPA and FCC rules bar calls before 8 a.m. or after 9 p.m. in the called party's local time.[1] Not your office's time zone. The called party's. A rep in New York calling a California number at 8:30 p.m. Eastern is calling at 5:30 p.m. Pacific, which is fine. A 9:15 p.m. Eastern call to someone in New York is a violation.
4. Identification requirements. Every call must include the caller's name, the entity on whose behalf the call is made, and a phone number or address where that entity can be reached.[1] Prerecorded messages must state this at the start.
5. Revocation of consent. The FCC has long required companies to honor opt-out requests, and its 2024 rule made the standard tighter and faster.[4] A rep who ignores a consumer saying "stop calling me" has turned a potential consent defense into a willful violation. Every rep needs to know how to log a revocation and who gets that log.
If your reps do any cold calling or outbound SMS, make sure they can tell a landline from a cell number, because the consent requirements differ a lot.
What should be on the actual checklist? A section-by-section breakdown
Here's how to structure the checklist itself. Each section maps to a real compliance gap that has shown up in TCPA litigation.
Section 1: Consent verification
- Can the rep pull up the consent record for any number in the dialing list before calling? If not, they shouldn't dial.
- Does the consent record include the consumer's name, phone number, the date and method of consent, and the specific company authorized to call?
- For SMS campaigns, does the record include the opt-in keyword or form submission?
- Is there a process for flagging numbers from third-party lead vendors, since purchased lists carry consent liability with them?
Section 2: DNC scrubbing
- Is the dialing list scrubbed against the National DNC Registry within 31 days of the call?[5] The FCC's safe harbor protects you if scrubbing happened inside that window.[4]
- Is there a company-specific internal DNC list, and is the rep trained to check it before every campaign?
- Does the rep know how to add a number to the internal DNC list in real time when a consumer asks?
Section 3: Time-of-day and time-zone rules
- Does the dialing system automatically block calls outside 8 a.m. to 9 p.m. in the recipient's local time zone?
- If any dialing is manual, does the rep know how to look up the time zone for an area code?
Section 4: Call identification
- Does the rep know what to say at the start of every call?
- Is caller ID set to a real, working number that can receive callbacks?
- For prerecorded messages, has legal confirmed the identification comes at the beginning?
Section 5: ATDS and dialing system awareness
- Does the rep understand what dialing technology the company uses and whether it may qualify as an ATDS?
- Has the rep been told specifically not to use personal auto-dialers or unapproved third-party tools?
Section 6: Revocation and opt-out handling
- Does the rep know the exact steps to log a verbal opt-out?
- For SMS, does the rep know what happens when a consumer texts STOP, UNSUBSCRIBE, or any reasonable revocation?
- Is there a same-day (or shorter) target for processing revocations into the DNC list?
Section 7: State law overlay
- Has the rep been briefed on state laws that go beyond the TCPA for the states they'll call? Florida, California, and Oklahoma have some of the most aggressive rules.[6][7]
- Does the rep know to escalate uncertainty about a state rule before dialing, not after?
This is a good place in onboarding to point reps to a resource like the do not call list explainer, so they understand how the federal registry works from the consumer's side.
How do you document that training happened, and why does that matter legally?
Documentation is your only real defense if you get sued and need to argue good-faith compliance. The TCPA allows treble damages, up to $1,500 per call, when violations are willful or knowing.[1] The gap between $500 and $1,500 per call often turns on whether the company can show it had a compliance program and the rep deviated from it, or whether the company had no program at all.
Keep these records for every rep, at minimum:
- A dated, signed acknowledgment that the rep read and understood the TCPA training materials.
- A copy of the checklist version the rep trained on.
- Any quiz or knowledge-check results, if you use them.
- Refresher training records when rules change.
Store these somewhere that timestamps entries and locks them after the fact. A shared Google Doc doesn't cut it. Even a basic HR system with version history beats it.
FCC enforcement actions have cited the absence of a written compliance program as an aggravating factor.[4] In private litigation, plaintiff attorneys routinely demand training records in discovery. Hand over a complete file for every rep and you're in a very different position than the company that says "we trained them verbally."
Refresher training matters too. When the FCC issued its 2024 one-to-one consent changes, every rep running multi-seller lead campaigns needed to be retrained on what consent now had to look like. A checklist that gets updated and re-acknowledged is worth far more than a static PDF that nobody has read since 2020.
What consent types exist and which ones actually protect your company?
There are three consent tiers under the TCPA, and which one you need depends on what your reps are doing.[1][4]
Prior express consent (informational calls, landlines): Covers non-telemarketing calls to landlines using prerecorded voice and non-telemarketing calls to cell phones. An existing business relationship, or a consumer providing their number in a relevant context, can satisfy it. Lowest bar.
Prior express written consent (telemarketing to cell phones via ATDS or prerecorded voice): This is the one that trips up most outbound teams. The FCC rule at 47 C.F.R. § 64.1200(f)(9) defines it as a written agreement that clearly authorizes the seller to deliver telemarketing messages using an ATDS or prerecorded voice to the number the consumer provides.[4] It needs the consumer's signature (electronic works) and a clear disclosure that they aren't required to consent as a condition of buying anything.
No consent required (purely manual calls to any number not on DNC): A rep dialing one call at a time, by hand, with no ATDS involved, calling a number that isn't on the DNC registry, doesn't trigger the written-consent requirement for cell phones. The DNC rules still apply.
The FCC's 2024 one-to-one consent rule aimed to require that written consent name a single seller rather than a category of sellers.[4] Litigation affected the rollout, but the direction is clear: broad "co-registration" consent language is on borrowed time. Reps trained on the old lead-sharing approach need a hard reset. Check whether your consent language names one seller.
For SMS specifically, the text message marketing rules require consent before the first text, not consent ratified by a non-reply. Reps can't send an initial text that says "reply YES to consent." That first text already needed permission.
If you want a quick reference tool, LeadCompliant's consent checker (at leadcompliant.com) flags whether a consent record includes the required elements before your rep dials.
How often should you scrub your dialing lists against the DNC registry?
The FCC's safe harbor protects a company from DNC violations if it scrubbed its list against the National Do Not Call Registry within 31 days before the call.[4] Serious compliance teams scrub every two weeks or per campaign. The 31-day window is a floor, not a target.
The National Do Not Call Registry, run by the FTC, holds more than 249 million registered phone numbers as of the FTC's most recent fiscal-year report.[5] Your reps will hit these numbers constantly. The question isn't whether some slip through. It's whether you have a documented, regular scrub process to point to when they do.
The practical setup: 1. Bulk-download or API-pull the registry through the FTC's subscription service before each campaign launch. 2. Scrub against your internal DNC list at the same time. 3. Log the date and the list version used in your campaign records. 4. Never reuse a list older than 31 days without re-scrubbing.
Reps shouldn't be scrubbing lists by hand. That's a systems job. But reps absolutely have to ask "has this list been scrubbed?" before they dial, and they can't take the answer on faith. No visible timestamp on the scrub? Escalate.
For teams that call cell phones, the mobile phone do not call list rules are the same federal DNC rules. Cell phones were eligible for the registry as soon as it launched in 2003 and have always been covered. The myth about cells being on a separate list costs teams real money. See also how do I get the do not call list for a walkthrough of the FTC's data access process.
What calling hour rules apply, and how do state laws change the picture?
The federal floor is 8 a.m. to 9 p.m. in the recipient's local time for telephone solicitations.[1] Miss that window and you have a violation, consent or not.
State laws often go further. Florida's Telephone Solicitation Act, amended in 2021, limits calls to 8 a.m. to 8 p.m. local time and adds a one-year opt-out period that's harder to work around than the federal standard.[6] California's Rosenthal Act and its privacy laws layer more requirements on top of the TCPA.[7] Oklahoma, Arkansas, and several other states run their own telemarketing acts with time rules that differ from the federal one.
Reps working multi-state lists need a clear protocol. Safest approach: apply the most restrictive time window any relevant state imposes on the list being dialed. Calling a mixed list with Florida numbers in it? Dial the whole session to Florida's 8 a.m. to 8 p.m. window. You lose an hour at the end. You also erase a whole category of state-law exposure.
The time-zone issue is separate from the time-of-day issue. A rep in Eastern time calling a Pacific number at 9 a.m. Eastern is calling at 6 a.m. Pacific, a clear violation. Your dialing system should auto-detect time zones by area code, but reps need to know the rule so they catch it when the system fails.
Holidays are a gray area under federal law. Several states restrict or prohibit calls on Sundays. Build that in as a state-specific row rather than ignoring it.
How should reps handle a consumer who says 'stop calling me' or 'remove me from your list'?
This is where a lot of teams bleed money. A verbal revocation is legally valid under the TCPA and FCC rules. The consumer doesn't have to put it in writing. They don't have to say a magic phrase. If the intent to revoke is clear, it counts.[4]
The FCC stated in its 2015 Declaratory Ruling and Order that consumers may revoke consent "using any reasonable method including orally or in writing." That single sentence has driven countless plaintiff wins. Courts cite it constantly.
Your checklist needs a step-by-step revocation flow: 1. Rep hears any variant of "stop calling," "take me off your list," "don't call again," or similar. 2. Rep confirms verbally: "I'm noting that now. You won't receive further calls from us." 3. Rep logs the revocation in the CRM immediately, before ending the call, with the exact words the consumer used and a timestamp. 4. Rep notifies the compliance or list team within 24 hours if the CRM doesn't auto-propagate to the DNC list. 5. The number goes on the internal DNC list that day.
SMS works the same way, only faster. STOP, UNSUBSCRIBE, QUIT, END, and CANCEL are standard opt-out keywords that most SMS platforms process automatically. Reps must never override a platform's opt-out log, and never keep texting a number that sent any of those keywords.
Call out one failure mode explicitly in training. Reps who don't want to lose a call sometimes pretend they didn't hear the revocation. Tell them plainly: that's a willful violation, not a small procedural slip. It's the difference between $500 and $1,500 per call.
What dialing technology rules do reps need to know before they start calling?
Most reps have no idea what an ATDS is. That's a training gap that can cost you $1,500 per call.
After the Supreme Court's 2021 decision in Facebook, Inc. v. Duguid, the ATDS definition narrowed to equipment that uses a random or sequential number generator to store or produce numbers to be called.[8] Power dialers that pull from a pre-uploaded list without random number generation sit in a gray zone that different courts read differently. Safest posture: if your dialing system calls faster than a human could dial by hand, or queues numbers automatically, treat it as an ATDS and get prior express written consent before calling cell phones.
Reps need to know:
- What platform they use to dial.
- Whether that platform has been reviewed by your legal team for ATDS status.
- That they may not use personal auto-dialers, browser-based mass texters, or unapproved third-party tools.
- That manual, human-initiated calls to numbers not on the DNC list carry lower consent requirements than autodialed calls.
This is a good onboarding moment to cover SMS. A tcpa violation by mass text carries the same per-message statutory damage as a call. Reps who think blasting 500 texts from their phone is somehow different from a corporate campaign are wrong, and they need to hear it directly.
For a breakdown of what counts as a cold call under the TCPA, see the cold call reference guide.
What are the biggest onboarding mistakes that lead to TCPA exposure?
These are the patterns that surface in discovery after a lawsuit lands.
Assuming verbal training is enough. A rep who heard the rules but signed nothing leaves you with no documentation. Plaintiff attorneys ask for training records. If there aren't any, the company looks like it didn't care.
Handing over a list nobody checked. New reps often get a list and a green light. If that list wasn't scrubbed, they're dialing blind into DNC violations from call one.
Teaching the rules once and never updating. The FCC has changed its TCPA implementing rules several times in the past five years. A checklist from 2020 says nothing about the 2024 one-to-one consent changes.[4] Compliance is a living process.
Skipping revocations. Most onboarding materials cover consent and DNC. Far fewer cover what happens when a consumer tries to revoke mid-call. That's exactly where the willful-violation risk lives.
Letting reps use personal devices for campaigns. A rep who dials campaign contacts from a personal phone still hands your company the liability, and you lose all visibility into what happened on each call.
Ignoring state law. Federal training that skips Florida, California, or other aggressive-state overlays leaves reps exposed the moment they call into those states. It also makes you look sloppy in litigation if you knew you had Florida customers and never trained for Florida law.
The do not call telemarketer list rules also catch reps who think of themselves as "just following up" on warm leads. Telemarketing status under the TCPA turns on the content and purpose of the call, not on whether you file it under sales or service.
How do you keep the checklist current as TCPA rules change?
The TCPA itself has barely changed since 1991, but the FCC's implementing rules and court interpretations move constantly. Facebook v. Duguid redefined ATDS in 2021.[8] The FCC issued one-to-one consent rules in 2023 and 2024.[4] State legislatures update their telemarketing statutes almost every session. Your checklist needs a version number and a review schedule.
A workable governance model for small teams:
Quarterly review. Assign someone (compliance owner, legal counsel, or senior ops person) to spend 30 minutes reviewing FCC orders, court decisions, and state law changes from the prior quarter. The FCC publishes its enforcement actions and orders publicly.[4]
Triggered review. Any time a class action lands in your industry, pull the complaint and check whether your current checklist would have caught the alleged violation. The credit one tcpa settlement complaint is public and readable by a non-lawyer. Same for the cash app tcpa class action settlement documents.
Version control. When the checklist changes, archive the old version with a date range. If you get sued over a call made 18 months ago, you need to show what your policy was then, not what it is today.
Re-acknowledgment. Any material change requires re-acknowledgment from every active rep, not only new hires going forward.
LeadCompliant's TCPA compliance kit (leadcompliant.com) includes a versioned checklist template that maps each item to the specific FCC rule or statute behind it, which makes quarterly review faster because you can check the source directly when a rule moves.
What's a realistic timeline for TCPA onboarding, and how much of it is training versus paperwork?
For focused, well-organized onboarding, TCPA compliance training takes about two to three hours of actual content. Spread across a first week, that's manageable without burying a new rep in legal material before their first call.
A realistic breakdown:
| Activity | Time | Format |
|---|---|---|
| TCPA overview (rules, stakes, why it matters) | 30 min | Video or live walkthrough |
| Consent types and verification walkthrough | 30 min | Guided practice with CRM |
| DNC scrubbing process demo | 20 min | Screen share or recorded demo |
| Time-of-day and time-zone rules | 15 min | Reference sheet + quiz |
| Revocation handling role-play | 20 min | Live or recorded scenario |
| State law overlay for target states | 20 min | State-specific cheat sheet |
| Dialing tech overview | 15 min | Diagram of what the platform does |
| Checklist review and sign-off | 20 min | Paper or e-signature |
Two to three hours is about right. Less than that and you're skimming. More than that in one sitting and retention drops off a cliff. Break it across days one and two, with sign-off before the first live call.
The paperwork (signed acknowledgment, quiz results, training record) should take 15 minutes if you built the forms in advance. The mistake is building forms after you've already hired someone. Build the onboarding packet before your first hire, even if you're a team of two. The whole packet costs you a morning to assemble and saves you a discovery nightmare later.
Frequently asked questions
Does a new rep need to complete TCPA training before making any calls?
Yes, and document it. The TCPA holds the company liable for rep conduct, and courts allow treble damages of $1,500 per call when violations are willful. If a rep dials without training and makes a violating call, the total absence of a compliance program makes the "willful" finding easy for a plaintiff to argue. Training before first call, with a signed acknowledgment, is the minimum standard.
What is the penalty for a TCPA violation and how does it add up?
The statute sets $500 per negligent violation and $1,500 per willful or knowing violation, under 47 U.S.C. § 227(b)(3). Each call or text is a separate violation. In class actions covering thousands of consumers, these numbers stack with no statutory cap on aggregate damages, which is why TCPA settlements regularly reach tens of millions of dollars even when the per-call figure looks small.
Can a rep call a number on the National Do Not Call Registry if they have an existing business relationship?
Yes. The existing business relationship (EBR) exemption allows calls up to 18 months after the last transaction or 3 months after a consumer inquiry, under FCC rules. But if the consumer asked to be added to your internal DNC list, the EBR does not override that request. Reps must check both the federal registry and the company's internal list, because these are separate obligations with separate rules.
What's the difference between prior express consent and prior express written consent?
Prior express written consent is the higher standard, required for autodialed or prerecorded telemarketing calls and texts to cell phones. It needs a written agreement (electronic is fine) that names the seller, authorizes autodialed calls, includes the consumer's phone number, and discloses that consent isn't required to make a purchase. Prior express consent, the lower bar, covers informational calls and some landline calls and needs no written agreement.
Do TCPA rules apply to manual calls made from a personal cell phone?
The ATDS-specific written consent requirement doesn't apply to truly manual dialing, where a human presses each digit with no automation. But the DNC rules apply to all telephone solicitations, however the call is placed. And if a rep uses a personal phone for company campaigns, the company still owns the liability. Personal devices also make compliance monitoring impossible, which is a separate risk you don't want.
How soon must a company honor a consumer's revocation request?
The FCC ruled in its 2015 Declaratory Ruling that revocations must be honored within a reasonable time. For SMS, most platforms process STOP commands immediately, and continuing to text after a STOP is close to per se willful. For voice calls, same-business-day logging into your internal DNC list is the safe practice. Any delay you can't explain through a documented process creates exposure.
Are there states where the calling hour rules are stricter than the federal 8 a.m. to 9 p.m. window?
Yes. Florida limits calls to 8 a.m. to 8 p.m. local time under the Florida Telephone Solicitation Act. Several other states, including Oklahoma, run their own telemarketing laws with varying windows. California layers CCPA and Rosenthal Act obligations on top of the TCPA. Reps calling multi-state lists should apply the most restrictive window that applies to any state on that list.
What should a rep do if they're not sure whether a number requires written consent before calling?
Treat it as a cell phone requiring written consent until you confirm otherwise. Getting it wrong costs up to $1,500 per call plus potential class membership, far more than the cost of holding a call while you verify. Your checklist should include an escalation path: a specific person or process to contact before dialing a number whose consent status is unclear. Build that path before your team starts calling.
How does the Facebook v. Duguid Supreme Court decision affect what ATDS means in rep training?
The Supreme Court's 2021 ruling in Facebook, Inc. v. Duguid held that an ATDS must use a random or sequential number generator to store or produce numbers, not merely dial from a stored list. That narrowed the definition sharply. Courts since have split on how it applies to predictive and power dialers. Safest training message: any platform that automates dialing without a human initiating each call should be treated as a possible ATDS until legal reviews it.
Do TCPA rules apply to business-to-business calls?
The TCPA's cell phone autodialer restrictions apply to calls to any cell phone, including business contacts. The DNC registry covers residential numbers, so a registered business line usually isn't on it, but individual employees' cell phones can be. B2B is not a blanket exemption. Reps calling business cell phones with an ATDS for telemarketing still face written consent requirements under the statute.
How long should training records and signed checklists be kept?
The TCPA carries a four-year federal statute of limitations, and some state laws run longer. Keeping training records for at least five years from the date a rep was active is reasonable. In litigation, the training records from the time of the alleged violation are what count, so archive old checklist versions alongside the acknowledgments signed under each version.
What's the minimum a very small outbound team (two to five reps) needs to comply with the TCPA?
A written checklist signed by each rep before first call, a documented DNC scrub run at least every 31 days, a logged consent record for every number in the dialer, a revocation handling procedure, and training records stored somewhere with timestamps. None of this needs expensive software. A spreadsheet DNC log and a PDF acknowledgment form hold up in court if you maintain them consistently. Consistency beats complexity.
Can a rep's company be sued even if the rep made a mistake the company didn't authorize?
Yes. Under agency law, companies face liability for the acts of their agents, including sales reps, when those acts fall within the scope of employment or apparent authority. The TCPA does not require company-level intent for the baseline $500 violation. The $1,500 willful standard demands more, but plaintiffs routinely argue that the absence of a compliance program shows the company knew violations were likely and let them happen.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227, Telephone Consumer Protection Act: The TCPA sets $500 per violation and $1,500 for willful violations; prohibits autodialed calls to cell phones without prior express written consent; restricts calls to 8 a.m. to 9 p.m. recipient local time; requires caller identification on every call
- FTC, consumer protection and TCPA enforcement information (Credit One Bank TCPA class action settlement, $75 million): The Credit One TCPA class action settlement resolved at $75 million, cited as a major TCPA class action outcome
- FTC, consumer protection and TCPA enforcement information (Cash App TCPA class action settlement, $9.5 million): The Cash App TCPA class action settlement resolved at $9.5 million
- FTC, National Do Not Call Registry, consumer and business information: The National Do Not Call Registry has more than 249 million registered numbers; companies must scrub lists within 31 days before calling
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida restricts telephone solicitation calls to 8 a.m. to 8 p.m. local time and imposes a one-year do-not-call period upon request
- California Attorney General, California Consumer Privacy Act overview: California imposes additional privacy and consumer protection obligations that layer on top of the TCPA for calls to California residents
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held in 2021 that an ATDS must use a random or sequential number generator to store or produce numbers to be called, narrowing the prior broader interpretation
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: The FTC's Telemarketing Sales Rule governs deceptive and abusive telemarketing practices and sets requirements for honoring do-not-call requests and calling hour restrictions