Last updated 2026-07-09

TL;DR
A TCPA risk assessment checks four things before you dial or text: whether you have the right consent for the channel, whether your list is scrubbed against the National DNC Registry, whether your dialing technology triggers ATDS rules under 47 USC 227, and whether any state law adds a harder standard. Miss any one and you face $500 to $1,500 per message.
What is a TCPA risk assessment and why do you need one before a campaign launches?
A TCPA risk assessment is a pre-launch review that answers one question: if we send this campaign today, what is our realistic exposure under the Telephone Consumer Protection Act and any state analog? It is not a legal opinion. It is an operational checklist that a compliance owner or sales manager runs before a single call or text goes out.
You do it before launch, not after a complaint lands, because of the math. The TCPA sets statutory damages at $500 per violation for negligent violations and $1,500 per violation for willful ones [1]. A campaign that sends 10,000 texts with a consent gap does not produce one lawsuit. It produces a class action with potential exposure in the tens of millions. The Cash App TCPA class action settlement resolved for $3.5 million. The Credit One TCPA settlement reached $12.5 million. Neither company set out to break the law. They skipped steps.
The first assessment takes two to four hours, mostly to build the template. After that, running it for a new campaign takes twenty minutes. That is a very good trade.
What does the TCPA actually prohibit, and which rules apply to your campaign?
The statute, 47 USC 227, splits its rules across three channels: calls to landlines, calls and texts to mobile phones, and fax. Most outbound sales teams in 2025 care about the first two.
For calls and texts to mobile phones using an automatic telephone dialing system (ATDS) or a prerecorded voice, the TCPA requires prior express written consent from the called party if the message is commercial [1]. The FCC's 2012 omnibus order tightened that to written consent for telemarketing calls to wireless numbers [2]. "Prior express written consent" under 47 CFR 64.1200(f)(9) means a signed written agreement, including electronic signature, that clearly authorizes the seller to deliver such messages using an ATDS or prerecorded voice to a specified phone number.
For calls to residential landlines with a prerecorded voice, you need prior express consent (not necessarily written) for commercial calls. No consent is required for purely informational calls that do not advertise a product or service [2].
The definition of ATDS has been the most litigated issue in TCPA history. The Supreme Court's 2021 decision in Facebook v. Duguid narrowed ATDS to systems that use a random or sequential number generator to store or produce numbers to be called [3]. That helped some defendants. But platforms that have any capacity to auto-dial from a stored list sit in gray territory in several circuits. Do not assume you are safe just because you are dialing from a CRM list.
For cold calling to any number on the National Do Not Call Registry, the prohibition applies whether or not you use an ATDS. That is a separate DNC track from the ATDS and consent track. Your risk assessment has to cover both.
What are the exact steps of a TCPA risk assessment?
Step 1: Classify your channel and audience.
Write down whether each campaign leg is (a) calls to mobile numbers, (b) texts to mobile numbers, (c) calls to residential landlines, or (d) calls to business lines. Business-to-business calls to a direct-dial number for a businessperson are generally outside the TCPA's residential landline and wireless consent rules, though they still face DNC obligations if the business is on the registry. Get this wrong and every step after it is calibrated to the wrong standard.
Step 2: Audit your consent documentation.
For each lead source, pull the actual consent record. Not the vendor's claim that consent exists. The actual record: the opt-in language shown to the consumer, the timestamp, the IP address, the phone number captured, and the specific seller name authorized. The FCC's 2023 one-to-one consent rule (effective January 2025) requires that consent go to one identified seller at a time, not to a broad category of partners [4]. If your leads came from a co-registration form that listed twenty potential callers, that consent is no longer compliant under the 2025 rule.
Step 3: Scrub your list against the National DNC Registry.
You must scrub within 31 days before calling [5]. If your list is older than 31 days since the last scrub, scrub it again. You also need to check your internal do-not-call list, which you are required to maintain under 16 CFR 310.4(b)(1)(iii) [10]. Leads who asked not to be called from a prior campaign belong on that list. Skipping internal DNC is a very common gap.
Step 4: Review your dialing technology.
Get the vendor documentation for whatever platform you are using. Ask three things. Does this system have the capacity to generate or dial numbers randomly or sequentially? Does it use a prerecorded or artificial voice? Does it auto-send texts without a human hitting send for each message? Yes to any of these puts you in ATDS or prerecorded territory, and written consent is required for mobile contacts.
Step 5: Apply state law overlays.
Several states have analog statutes that are stricter than the TCPA. Florida's FTSA, for example, applies to any auto-dialing system regardless of the federal ATDS definition, and it creates a private right of action with $500 per call damages [6]. California, Washington, and Oklahoma have their own frameworks. If your campaign touches residents of any of these states, federal compliance alone is not enough.
Step 6: Document everything and assign owners.
Write down who reviewed each step, what they found, and what remediation (if any) was taken. In litigation, this documentation is the difference between a quick dismissal and a long discovery battle.
How do you evaluate consent quality for a TCPA risk assessment?
Consent quality is a spectrum, and where your leads fall on it decides how aggressive you can be with the campaign.
At the top: leads who opted in directly on your own landing page, with your business name specifically listed, using compliant opt-in language that disclosed ATDS use and that calls or texts may be sent for marketing. These are solid. Keep the record for four years minimum.
In the middle: leads who opted in through a third-party lead generator where your company was listed by name as one of the authorized callers. Usable if the form was compliant and your company was specifically named. After the FCC's 2025 one-to-one rule, "listed by name" is the operative phrase. Being one of twenty names on a long disclosure probably does not meet the standard anymore.
At the bottom: purchased lists with "opt-in guaranteed" claims and no consent documentation you can inspect. These are a liability. The vendor's indemnity clause is worth less than you think if you are the one named in a class action.
For text message marketing campaigns, written consent is mandatory for any commercial message sent via an ATDS. For a voice campaign using a cold call without prerecorded content, the standard is lower for landlines but still requires scrubbing.
One practical test. If you cannot produce a consent record that shows what the consumer saw, when they agreed, and which company they agreed to hear from, assume you do not have consent.
How do you scrub a call list for DNC compliance as part of the risk assessment?
DNC scrubbing has two components people routinely conflate: the National Do Not Call Registry (managed by the FTC) and your own internal DNC list. You need both.
For the National Registry, you access it at donotcall.gov [5]. Subscription fees apply for commercial access to large volumes of numbers. The cost depends on the number of area codes you pull. As of 2024, the fee is $72 per area code per year, capped at $21,492 for all area codes nationally [5]. A small team calling a single metro pays very little. Nonprofit calls and survey calls have specific exemptions, but most outbound sales calls do not qualify.
You must re-scrub every 31 days. This is not a quarterly task. If your campaign runs three months, you scrub at launch and at least twice more during the run.
Your internal DNC list must be honored within 30 days of a consumer's request not to be called [2]. Every time someone on a prior campaign said "take me off your list," that number goes on the internal list. It stays there for at least five years under 16 CFR 310.4(b)(1)(iii)(A) [10]. If you are building a list from old campaigns and never maintained an internal DNC, you have a gap that needs remediation before this campaign launches.
The do not call list for residential consumers and the mobile phone do not call list are the same registry. There is no separate mobile-only list at the federal level. Mobile numbers can be registered on the National DNC Registry, and they frequently are.
For more on how to pull the list for your situation, see how do I get the do not call list.
What TCPA risk does your dialing technology actually create?
Here is where a lot of small teams make a bad assumption. They figure that because they are clicking through a CRM or a power dialer by hand, they are not using an ATDS, so the written consent requirement does not apply. That may or may not be right, depending on the platform's architecture.
After Facebook v. Duguid (2021), the ATDS definition requires a random or sequential number generator [3]. A basic click-to-dial CRM that dials only the number a human agent selected is almost certainly not an ATDS under that definition. A predictive dialer that automatically calls numbers from a list without agent initiation for each call is a much harder case, and plaintiffs' firms argue these qualify all the time.
Prerecorded and artificial voice messages are a separate category. If your campaign uses a robocall or a voicemail drop with a recorded message, you need written consent for mobile numbers and express consent for residential landlines, whether or not an ATDS is involved [1]. Ringless voicemail drops are not a safe harbor. The FCC has repeatedly indicated they are covered calls under the TCPA.
For texting platforms, most mass SMS systems qualify as ATDS because they send messages automatically from stored lists. The safe play is to treat any bulk texting as requiring written consent until courts or the FCC say otherwise.
| Technology | ATDS risk | Written consent required for mobile? | Prerecorded consent required? |
|---|---|---|---|
| Manual click-to-dial CRM | Low (post-Duguid) | Probably not for the ATDS track | Only if using recorded message |
| Predictive dialer | High | Yes, strong best practice | Yes if recorded voice |
| Bulk SMS platform | High | Yes | N/A (text) |
| Ringless voicemail drop | Medium-high | Yes, FCC position | Yes |
| Preview dialer (agent clicks each record) | Low-medium | Best practice: yes | Yes if recorded message |
Which state laws add risk on top of the federal TCPA?
Federal TCPA compliance is a floor, not a ceiling. Several states have statutes with broader ATDS definitions, lower consent thresholds for liability, or extra call-time restrictions.
Florida's Telephone Solicitation Act (FTSA), amended in 2021, creates a private right of action for automated calls or texts made without prior express written consent to a Florida area code, using any automated system, not merely an ATDS as the federal courts have defined it [6]. Damages are $500 per call. Florida plaintiffs' firms have been very active since 2021.
California's protections flow partly through the California Consumer Privacy Act and partly through Business and Professions Code Section 17538.41. California also runs a state do-not-call registry that overlaps with federal DNC obligations.
Washington state has the Commercial Electronic Mail Act and the Automatic Dialing and Announcing Device statute, RCW 80.36.400, which predates the federal TCPA and applies independently [12].
Oklahoma passed its own TCPA analog in 2022 with $500 per violation damages and a two-year statute of limitations.
What this means for you is simple. Your risk assessment needs a state-of-residence flag on every contact. If you cannot tell where a contact lives from their area code (and you often cannot, since mobile numbers move with people), apply the most restrictive applicable state law as a default for any ambiguous record. That is conservative. It is also cheaper than a Florida class action.
What are the biggest TCPA risk assessment mistakes outbound teams make?
Relying on vendor consent claims without seeing the actual opt-in record. Vendors say "these leads are TCPA compliant" constantly. That phrase has no legal meaning if you cannot inspect the underlying consent documentation. You, as the calling party, are the one named in the complaint.
Scrubbing once at the start of a campaign that runs for months. The 31-day window is not optional. A lead who registers on the DNC Registry after your initial scrub is still a protected consumer if you call them on day 45 without re-scrubbing.
Not maintaining an internal DNC list. This one is surprisingly common at small teams. Every person who has ever told any representative of your company to stop calling belongs on that list, and the list has to be honored within 30 days of the request.
Assuming B2B calls are fully exempt. Business-to-business calls to a direct business line are generally outside the TCPA's wireless consent requirements. But if the number you are calling is a person's mobile phone, even for business purposes, you are back in wireless territory. A salesperson's cell phone is a wireless number.
Ignoring time-of-day rules. The TCPA and the FTC's Telemarketing Sales Rule both prohibit calls before 8 a.m. or after 9 p.m. local time of the called party [2][10]. "Local time of the called party" means you need to know their time zone, not yours.
For teams running cold outbound, the do not call telemarketer list resource explains how the registry works from the consumer side, which is useful context for why scrubbing gaps create real liability.
How should you document a TCPA risk assessment to protect yourself in litigation?
Documentation is the one thing that separates a quick motion to dismiss from two years of expensive discovery. Courts have rewarded defendants who can show they had written compliance procedures, followed them, and documented the result.
At minimum, your risk assessment record should include:
1. The date the assessment was conducted and the name of the person who ran it. 2. A description of the campaign (channel, estimated volume, target audience, lead sources). 3. The consent audit findings for each lead source, including the actual opt-in language reviewed. 4. Confirmation that DNC scrubbing was completed and the date of the scrub. 5. The technology review findings, including the platform name and the basis for your ATDS determination. 6. Any state law issues identified and how they were addressed. 7. Sign-off from whoever has compliance authority at your organization.
Keep these records for at least four years. The TCPA's statute of limitations is four years under 28 USC 1658 [7]. If you are sued in year three, you need records from the campaign launch.
Courts in TCPA cases look at whether a defendant took any affirmative steps to avoid violations. A documented risk assessment, even an imperfect one, shows good faith. An absence of any documentation suggests willfulness, and willfulness is the difference between $500 and $1,500 per violation.
LeadCompliant's compliance kit includes a pre-built risk assessment template with all of these fields, if you want a starting point rather than building the document from scratch.
How often should you run a TCPA risk assessment, and when does a campaign change trigger a new one?
Run a full assessment before every new campaign. That is the baseline.
Certain mid-campaign changes also require a reassessment, because they change your risk profile.
Adding a new lead source. A new vendor means new consent documentation to audit. Do not assume the new source is as clean as your existing ones.
Changing your dialing platform or SMS provider. Different technology has different ATDS characteristics. The analysis you did for your last platform does not carry over.
Expanding into a new state. If you were calling Arizona and you add Florida contacts, you now have FTSA exposure your original assessment never covered.
Extending the campaign past 31 days without re-scrubbing. This is not a full reassessment, but it is a required step that belongs in your compliance calendar.
Changing the call script to add a new product or offer. If the prior consent was for a specific product category, a materially different offer may fall outside the scope of that consent.
A simple rule. If anything about the campaign changes in a way that affects consent, DNC status, technology, or geography, reassess that element. You do not have to redo the whole thing for a minor change, but you do have to document that you reviewed it.
What tools and resources do outbound teams actually use to run a TCPA risk assessment?
The honest answer is that most small teams use a mix of free government resources, their dialer vendor's built-in scrubbing, and either a lawyer review or a compliance template for the consent and documentation pieces.
For DNC scrubbing, the National Registry at donotcall.gov is the primary source [5]. Some dialers and CRMs have built-in scrubbing that pulls from the registry automatically. If yours does, verify it is actually checking on the required 31-day cycle and pulling current registered data, not a cached version.
For consent documentation, the tool is really a process: a standardized audit form you apply to each lead source. No software replaces actually reading the opt-in disclosure language and confirming your company's name is on it.
For state law research, the NCSL (National Conference of State Legislatures) maintains a tracker of state telemarketing laws, though you will want a lawyer to confirm the current status of any state before relying on it for compliance.
For technology classification, the FCC's public orders are the primary source [2]. The Duguid opinion from the Supreme Court is the governing ATDS definition [3].
LeadCompliant has free number lookup tools and a downloadable compliance kit that includes a risk assessment template, a consent audit worksheet, and a DNC scrub tracker. That is the mid-article mention: genuinely useful if you want to skip building the document infrastructure from scratch.
For a broader overview of what the law covers, the TCPA resource page is a good reference to keep open while you work through the steps.
What are realistic TCPA lawsuit outcomes if you skip the risk assessment and something goes wrong?
The statutory numbers are $500 per negligent violation and $1,500 per willful violation. But what does that look like in practice?
For a class action, the math depends on campaign volume. A campaign that sent 50,000 texts to people without compliant consent carries a theoretical exposure of $25 million to $75 million. Courts rarely award maximum statutory damages at that scale, because it would be ruinous and possibly unconstitutional. Even a negotiated settlement can run into the millions. The Cash App settlement was $3.5 million [8]. Dish Network paid $280 million after federal enforcement, though that involved extraordinary volume.
For individual suits, plaintiffs' attorneys routinely file single-plaintiff TCPA cases and demand a few thousand dollars to go away. Many defendants settle for $1,000 to $5,000 because litigation costs more than that. This creates an incentive for serial plaintiffs who register numbers and wait to be called.
Beyond money, FCC enforcement can result in forfeiture orders. In 2021 the FCC proposed a $225 million forfeiture against a robocalling operation, the largest in the agency's history [9]. That was an extreme case, but it shows the agency's willingness to use maximum penalties.
The risk assessment does not make you immune. It makes you a much less attractive defendant, because documented compliance undercuts the "willful" finding that trebles damages and makes class certification easier for plaintiffs.
Frequently asked questions
How long does a TCPA risk assessment take to complete?
The first time you build the template and process, expect two to four hours. Later assessments for new campaigns using the same template take roughly twenty to thirty minutes if your consent documentation is organized and your DNC scrub is current. The time investment is almost entirely front-loaded into building the template once.
Do I need a lawyer to conduct a TCPA risk assessment?
You do not legally need a lawyer, but having one review your process once a year, or whenever FCC rules change, is smart. The compliance owner or a trained operations person can run the day-to-day assessment using a documented checklist. Legal review matters most when you are evaluating new technology, a new state, or a consent model you have not used before.
Does the TCPA apply to B2B outbound calls?
Partly. Calls to a business landline for a business purpose are generally outside the TCPA's wireless consent and residential DNC rules. But if you are calling a salesperson's mobile phone, that number is a wireless number and the TCPA applies regardless of the business context. The DNC Registry also covers some business numbers. Never assume B2B is fully exempt.
What is the FCC's one-to-one consent rule and when did it take effect?
The FCC's December 2023 order required that TCPA consent for marketing calls and texts be granted to one specific seller at a time, not to a broad list of partners or a marketing category. The rule took effect January 27, 2025. Leads captured before that date through co-registration forms listing multiple callers may no longer carry valid consent for calls made after the effective date.
Can I call someone who opted out of a previous campaign if I have a new product?
No. Once a consumer requests to be on your internal do-not-call list, that applies to your company as a whole, not to a specific product or campaign. You must honor the request for at least five years under the Telemarketing Sales Rule. A different product offering does not reset the opt-out.
How do I know if my SMS platform counts as an ATDS?
After Facebook v. Duguid (2021), an ATDS must use a random or sequential number generator. Most bulk SMS platforms send from a stored list, not a randomly generated one, which the Supreme Court's definition may not cover. But many platforms have features that could still qualify, and state laws like Florida's FTSA use a broader definition. Treat bulk SMS as requiring written consent regardless.
What records do I need to keep from a TCPA risk assessment?
Keep the assessment document itself, the consent records for each lead source (including the actual opt-in language and timestamps), DNC scrub confirmation and dates, and any technology review documentation. Retain all of these for at least four years, which matches the TCPA's statute of limitations under 28 USC 1658.
Are ringless voicemail drops covered by the TCPA?
Almost certainly yes, based on FCC statements and the weight of district court decisions. Ringless voicemail drops deliver a message to a phone's voicemail server, and the FCC has indicated these are calls under the TCPA. They also use a prerecorded voice, which triggers consent requirements independent of the ATDS analysis. Treat them the same as robocalls.
Does scrubbing against the National DNC Registry protect me from all DNC liability?
No. Scrubbing the National Registry protects you on the federal track, but you also have to maintain your own internal do-not-call list and honor it within 30 days. Some states have their own registries or stricter rules. And DNC compliance is separate from the consent requirement: scrubbing does not give you permission to use an ATDS without written consent.
What is the deadline to re-scrub a call list during an ongoing campaign?
You must scrub within 31 days before making a call to any number. If your campaign runs longer than 31 days, you must re-scrub at least monthly. There is no grace period. A number that registers on the DNC Registry on day 30 of your campaign is protected, and you cannot call it on day 45 without a fresh scrub showing it off the list.
If I buy leads from a vendor who guarantees TCPA compliance, am I protected?
Not automatically. You, as the calling party, are named in TCPA lawsuits, not the lead vendor. Vendor indemnity clauses help, but only if the vendor is solvent and the clause is enforceable. The only real protection is inspecting the actual consent records yourself before the campaign launches. 'TCPA compliant' is a marketing claim, not a legal shield.
How does the TCPA risk assessment change for an SMS campaign versus a voice campaign?
The core steps are the same, but SMS campaigns almost always involve an ATDS, so written consent is required for every mobile contact regardless of dialing method. Voice campaigns using manual click-to-dial with no prerecorded message have more flexibility on the ATDS question, though DNC scrubbing and time-of-day rules apply equally. State laws like Florida's FTSA apply to both channels.
What time of day can I legally call or text under the TCPA?
The TCPA and FTC's Telemarketing Sales Rule both prohibit calls before 8 a.m. and after 9 p.m. local time of the called party. For texts, the FCC applies the same standard. 'Local time of the called party' is the key phrase: you calculate time zones based on where the consumer is located, not where your office is.
Can small teams or solo operators be hit with TCPA class actions?
Yes. Class certification depends on whether the defendant's conduct was uniform across a large enough group, not on the defendant's size. Small teams running bulk campaigns with a common consent gap or a common dialing system are exactly the fact pattern that produces class actions. Smaller defendants often settle faster and for less, but the legal costs before settlement can still be crippling.
Sources
- Cornell Law School, Legal Information Institute: 47 USC 227: TCPA sets statutory damages at $500 per violation and $1,500 for willful violations; prohibits ATDS calls to wireless numbers without prior express written consent
- Supreme Court of the United States: Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems that use a random or sequential number generator to store or produce telephone numbers
- FTC: National Do Not Call Registry: Telemarketers must scrub against National DNC Registry within 31 days before calling; subscription fee of $72 per area code per year, capped at $21,492 for all area codes
- Florida Legislature: Florida Telephone Solicitation Act, Fla. Stat. Section 501.059: Florida FTSA (amended 2021) creates private right of action for automated calls or texts without prior express written consent, $500 per call, applies to any automated system broader than federal ATDS definition
- Cornell Law School, Legal Information Institute: 28 USC 1658: TCPA claims are subject to four-year statute of limitations under 28 USC 1658
- ClassAction.org: TCPA class action settlement coverage: Cash App TCPA class action settlement resolved for $3.5 million
- FTC: Telemarketing Sales Rule, 16 CFR Part 310: 16 CFR 310.4(b)(1)(iii) requires companies maintain internal DNC list and honor opt-out requests within 30 days; list must be retained for at least five years
- FCC: Rules and Regulations Implementing the TCPA, 47 CFR 64.1200: Prior express written consent under 47 CFR 64.1200(f)(9) requires signed written agreement, including electronic, clearly authorizing specific seller to deliver ATDS or prerecorded calls to specified number
- Washington State Legislature: RCW 80.36.400 (Automatic Dialing and Announcing Device statute): Washington state has its own automatic dialing statute predating the federal TCPA that applies independently