How to get a TCPA compliance audit done affordably

TCPA audits can cost $500 to $25,000+ depending on who does them. Here's how small outbound teams get covered without overpaying lawyers.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-11

Compliance professional reviewing TCPA audit documents at a wooden office desk
Compliance professional reviewing TCPA audit documents at a wooden office desk

TL;DR

A TCPA compliance audit reviews your consent records, list scrubbing, calling hours, and opt-out handling against 47 U.S.C. § 227 and FCC rules. Costs run from a few hundred dollars for a structured self-audit to $5,000, $25,000+ for outside counsel. Most small outbound teams get 80% of the protection at 20% of the cost by doing the audit themselves with the right checklist.

What does a TCPA compliance audit actually cover?

A TCPA compliance audit is a structured review of every process that could expose your company to liability under the Telephone Consumer Protection Act, 47 U.S.C. § 227 [1]. At a minimum it looks at six areas: how you collected consent (and whether it meets the 2012 FCC "prior express written consent" standard for autodialed or prerecorded calls to cell phones) [2], how you scrub your lists against the National Do Not Call Registry [3], how your technology works (specifically whether it qualifies as an "automatic telephone dialing system" after Facebook v. Duguid) [4], how you handle opt-outs in real time, what your calling hours are, and whether your team has any training on these rules at all.

People underestimate the opt-out piece. The FCC requires that automated opt-out mechanisms be available at the time of each prerecorded call [2], and that requests get honored within a reasonable time. A lot of small teams have a process for honoring opt-outs from inbound calls but nothing systematic for texts or voicedrops.

For SMS specifically, the audit should cover whether your messages include required disclosures, how you handle STOP replies, and whether your list was built from opt-in sources that actually said "yes to texts." Send text message marketing without that documentation and you're carrying risk on every single message.

The output should be a written gap analysis: here is what you're doing, here is what the rule requires, here is the specific gap. Anything less is a wellness check, not an audit.

What does a TCPA audit cost, and what drives the price?

The range is enormous and depends almost entirely on who does it.

Law firms that specialize in TCPA work typically charge $350, $600 per hour for partner time and $150, $300 for associate time [5]. A real audit at a firm means document review, interviews, a written memo, and a remediation plan, and it takes 20 to 60 hours depending on how complicated your operation is. That puts full law-firm audits at $5,000 on the low end and $25,000+ for a company with multiple vendors, tangled consent flows, and a history of complaints.

Compliance consultants who aren't attorneys charge less, usually $100, $250 per hour, and many sell fixed-fee packages. A structured fixed-fee audit from a qualified TCPA consultant runs $1,500, $5,000 for a small team of 5 to 50 reps.

Self-audits using a vetted checklist cost almost nothing in cash. Just internal time. If your compliance lead or ops manager is sharp and has 10 to 20 hours to spend, a self-audit is legitimate for low-volume or low-complexity operations. The catch is you don't know what you don't know.

What pushes cost upward: multiple lead vendors with different consent language, legacy technology that may or may not qualify as an ATDS, any prior complaints or litigation, multi-state operations (state analogs in Florida, Washington, and California add scope), and whether you need attorney-client privilege over the findings.

How much does it actually cost to skip the audit?

This is the real number you need. TCPA statutory damages are $500 per violation for a negligent violation and $1,500 per violation for a willful one [1]. "Per violation" generally means per call or per text. Class actions are the real threat: a class of 10,000 people who each got one unconsented robocall represents $5,000,000 in statutory exposure at the $500 rate, or $15,000,000 trebled.

The Cash App settlement, which you can read about in the cash app tcpa class action settlement breakdown, shows how fast these numbers scale for consumer-facing businesses. The credit one tcpa settlement is another concrete example of what happens when consent documentation is weak.

Nobody has good data on the average settlement for small-company TCPA suits specifically. The FCC and the plaintiffs' bar don't publish that breakdown. What public PACER filings show is that most TCPA class actions settle in the $1M, $10M range for mid-size defendants, and individual plaintiff suits routinely settle for $1,000, $10,000 per plaintiff before any discovery. Even those individual suits eat $10,000, $50,000 in defense costs to get there.

A $2,000 audit that prevents one class action is not a close call.

TCPA audit cost by method Typical cost range for a small outbound team (5 to 50 reps) Self-audit with checklist (staff… $500 Compliance consultant (fixed fee) $3,250 TCPA boutique law firm $15k General commercial law firm $25k Source: Clio Legal Trends Report 2023; FCC regulations; industry consultant pricing

Can you do a TCPA compliance self-audit, and how?

Yes. A self-audit is real, and for many small outbound teams it's the right starting point. Here is how to structure it.

Start with your consent documentation. Pull the actual opt-in language from every lead source you're calling or texting. For each source, ask: does this consent specifically authorize calls or texts from your company (or at minimum your "marketing partners"), and does it mention autodialed or prerecorded calls if you use them? The FCC's 2012 order requires that prior express written consent be "unambiguous" [2]. Vague language like "I agree to be contacted" has been found deficient in multiple federal courts.

Second, audit your scrubbing process. When did you last scrub your list against the National Do Not Call Registry [3]? The rule requires scrubbing every 31 days at minimum for telemarketing calls [6]. Document the date of your last scrub and pull the confirmation receipt from the FTC's SAN system.

Third, review your technology. Log into whatever dialing or texting platform you use and write down what it does. Does it send messages automatically from a queue, or does a human start each one? After Facebook v. Duguid (2021) [4], the federal ATDS definition narrowed a lot, but some state laws (California's CIPA, for one) reach further. Describe your system in plain English.

Fourth, check your opt-out handling. Send a STOP reply to your own SMS shortcode or text line. How fast does it remove the number? Is there a confirmation message? Does the suppression stick if that number gets uploaded again from a new list?

Fifth, look at calling hours. Federal rules ban calls before 8 a.m. or after 9 p.m. local time of the called party [6]. If you call across time zones, is your system using the called party's local time or yours?

Write down every gap you find. That record matters even if you never show it to a lawyer, because it shows you acted in good faith to find and fix problems.

LeadCompliant offers a free TCPA compliance checklist as part of its compliance kit if you want a pre-built template rather than starting from a blank page.

What's the difference between a self-audit, a consultant audit, and a law firm audit?

Audit TypeTypical CostAttorney-Client Privilege?Written Deliverable?Best For
Self-audit with checklist$0, $500 (staff time)NoOnly if you write it yourselfVery small teams, first-pass assessment
Compliance consultant$1,500, $5,000 fixedNo (unless attorney)Usually yesSmall teams that want outside eyes without law firm rates
TCPA boutique law firm$5,000, $25,000+YesYesAny team with prior litigation, complex lead stacks, or large call volume
General commercial firm$10,000, $40,000+YesYesRarely the right choice; pay for TCPA specialization

The privilege question is not academic. If your audit memo gets produced in discovery, plaintiffs' counsel will use it as a map to your weakest points. Work done under the direction of an attorney is protected. Work done by your ops manager is not. For any team that has already gotten a demand letter or is in litigation, do not do a self-audit. Call a TCPA-specialized attorney first.

For everyone else, the consultant or self-audit route is legitimate. Just make sure the person or checklist you use is current with the Facebook v. Duguid decision and the FCC's one-to-one consent rule, which took effect January 27, 2025 and requires that consent be granted separately to each specific seller, not bundled across a list of "marketing partners" [7].

Yes, and this is the change most small teams haven't caught up with.

In December 2023 the FCC adopted a rule requiring that prior express written consent for autodialed or prerecorded calls be given to one seller at a time. The old practice of consent forms that said "I agree to be contacted by [Company] and its marketing partners" and then sold that consent to a list of buyers is no longer valid under federal rules for covered calls and texts [7]. The rule took effect January 27, 2025.

If your leads come from comparison shopping sites, lead aggregators, or any co-registration flow, this rule almost certainly touches you. Your audit needs to answer one question: is the consent form the consumer saw specific to your company by name? If not, that consent is probably not valid under the current FCC rule for autodialed calls and texts.

The practical fallout is that some lead sources you've bought from for years may now be selling you non-compliant consent. Your audit should pull the actual consent form URL or screenshot from each vendor and compare it to the one-to-one standard. This is not legal advice. It's a description of what the FCC rule says.

How do you vet a TCPA compliance consultant or law firm without overpaying?

The TCPA bar is small and specialized. A few practical filters.

Ask whether the person has handled TCPA defense matters, not general privacy or marketing law. TCPA plaintiff's attorneys (the ones who sue companies like yours) and defense attorneys often know each other's work. Someone who has seen discovery demands, settlement talks, and FCC enforcement orders will audit you differently than someone who read the statute last month.

Ask for a fixed-fee quote, not hourly. Any consultant or attorney who can't scope a standard audit for a small operation probably hasn't done enough of them to work efficiently. Hourly arrangements at this scale tend to balloon.

Check whether they're current on the January 2025 one-to-one consent change [7] and the Facebook v. Duguid ATDS decision from 2021 [4]. If they don't mention both unprompted, keep looking.

Get the deliverable defined in writing before you start. A proper audit memo covers each compliance area with a finding (compliant, gap, or unclear) and a recommended fix. A phone call summary with no written output is not an audit.

Be skeptical of any vendor that sells both compliance auditing and lead generation. The conflict there is obvious.

What records do you need to gather before starting an audit?

Preparation is half the work. Walk into an audit (or start a self-audit) without these, and you'll spend most of your time hunting paperwork instead of analyzing it.

Consent records: actual opt-in form language, timestamps, and IP addresses for each lead source. Screenshots or archived HTML of the consent form as the consumer saw it at the time of opt-in are ideal.

Lead vendor contracts: your data purchase or licensing agreements, specifically the sections on consent representation and indemnification. If a vendor claims consent exists, you want to know whether they'll stand behind that claim when you get sued.

DNC scrub logs: receipts from SAN (the FTC's Subscription Account Number system) showing when you last downloaded the registry and which numbers got suppressed [3].

Technology documentation: screenshots or vendor docs showing how your dialer or SMS platform works, specifically whether calls and messages fire automatically or by human action.

Opt-out logs: your internal suppression list with timestamps showing when each number was added and whether it's been re-added from a new upload since.

Complaint records: any consumer complaints (BBB, FTC, state AG) and any demand letters, whether or not they led to litigation.

Training records: any documentation that your sales or calling staff got TCPA training, and when.

Gathering all of this before an audit starts cuts billable time a lot if you're using outside help, and makes the self-audit far more useful.

How often should you run a TCPA compliance audit?

A full audit every 12 to 18 months is a reasonable baseline for a stable small operation. But certain events should trigger an immediate partial or full re-audit no matter the timing.

You add a new lead vendor. New vendor, new consent chain to verify.

You change your dialing or texting technology. What counts as an ATDS matters a lot, and different platforms have different technical profiles.

You get a demand letter or complaint referencing TCPA. This is not a "put it on the calendar for next quarter" situation.

A significant FCC or court ruling lands. The Facebook v. Duguid ruling in 2021 [4] changed the analysis for companies using random or sequential number generation. The one-to-one consent rule effective January 2025 [7] changed the analysis for everyone buying third-party leads. Big rule changes force a re-check of your existing practices.

You expand into a new state. Florida's FTSA [8], Washington's CEMA, and California's CIPA carry requirements beyond federal TCPA. An audit that only checks federal law is incomplete for multi-state operations.

For cold calling and cold call operations, the DNC scrub is an ongoing task, not an audit item. Federal rules require scrubbing no more than 31 days before each call to a number that could be on the registry [6].

What state laws does a TCPA audit need to cover?

Federal TCPA is the floor, not the ceiling. Several states passed their own telemarketing and robocall laws with stricter requirements or different damages.

Florida's FTSA (section 501.059, Florida Statutes) created a private right of action at $500 per call that mirrors TCPA but applies to any call made with an "automated system," a definition broader than the post-Duguid federal ATDS standard [8]. Florida has become a heavy source of TCPA-style plaintiff litigation precisely because of this.

Washington's Commercial Electronic Mail Act (CEMA) covers commercial texts and emails with its own opt-out and disclosure rules.

California's CCPA covers data practices broadly, and CIPA (California Invasion of Privacy Act) has been used to assert claims tied to call recording and certain automated communications.

If you call or text consumers in any of these states, your audit should explicitly check whether your practices comply with the state law, more than federal TCPA. This is the piece most DIY audits miss, because the checklists floating around online are often outdated or federal-only.

You can learn more about the do not call list requirements and how to check how do i get the do not call list access, which is part of any complete audit for telemarketing operations. The mobile phone do not call list status of cell numbers adds another layer, since cell numbers on the federal DNC list get that protection even for some calls that aren't telemarketing under certain interpretations.

What should the final audit report include?

A useful audit deliverable is not a long recitation of what the law says. You can read the law yourself. What you actually need is this.

A finding for each area reviewed: compliant, gap identified, or unable to determine without more information.

For each gap: a plain-English description of what the gap is, what rule it violates, and the specific fix. "Update opt-in form to remove bundled consent language and name your company specifically, per FCC 23-107" is useful. "Consider reviewing consent practices" is not.

A risk tiering: which gaps, if a plaintiff exploited them, would be catastrophic (class action territory), which are serious but likely individual-plaintiff range, and which are minor process issues.

A timeline: what to fix immediately (before your next campaign), what to fix in 30 days, and what is a longer-term structural change.

Documentation templates if you're missing them. A good audit often produces a revised opt-in form, a vendor consent certification letter, and a DNC scrub policy document, more than a gap list.

If you worked with an attorney, ask explicitly for the memo to be covered by attorney-client privilege. If you did a self-audit or used a non-attorney consultant, the memo is potentially discoverable. Keep that in mind when you decide how candid to be in writing about what you found.

LeadCompliant's compliance kit includes templates for consent documentation and DNC scrub policies, which can work as a starting point for the documentation side of your audit outputs.

Are there free or low-cost TCPA audit tools worth using?

A few honest options exist at the low end.

The FCC's own consumer guides and order archives are free and are the primary source for what the rules require [2]. Reading FCC 12-21 (the 2012 consent order) and FCC 23-107 (the one-to-one consent rule) yourself is not a waste of time if you're doing a self-audit. The FCC publishes these on its website.

The FTC's National Do Not Call Registry SAN portal lets you download the registry data and keep scrub logs [3]. The subscription costs money (around $79 per area code per year as of 2024, with the first five area codes free [9]), but the scrub log function is built in.

TCPA compliance checklists from legitimate legal and compliance publishers (the International Association of Privacy Professionals, state bar publications [10]) give you a structured framework. Watch out for checklists that haven't been updated since 2021, because they miss the Facebook v. Duguid and one-to-one consent changes.

Do-not-call scrubbing services that integrate with your CRM automate the 31-day scrub requirement and produce timestamped logs. These are genuinely useful and typically cost $50, $300 per month depending on list volume. They aren't a substitute for a full audit, but they close one of the most common gaps.

Free tools have limits. No free tool reviews your consent language, evaluates your specific dialing technology, or catches state-law issues. Starting point, not a finish line.

Frequently asked questions

How long does a TCPA compliance audit take?

A self-audit with a good checklist takes 10 to 20 hours of focused internal time over one to two weeks. A compliance consultant audit typically takes two to four weeks from kickoff to delivery. A law firm audit, including document review and legal memo drafting, usually takes three to six weeks. The main variable is how fast you can pull your consent records, DNC scrub logs, and vendor contracts. Disorganized files add time.

Can a small business with under 10 employees do its own TCPA audit?

Yes, and for many small teams it's the right first move. A structured checklist covering consent, DNC scrubbing, calling hours, opt-out handling, and technology classification gets you most of the way there. The limit is that you may not catch issues you don't know to look for, particularly state-law requirements and the post-January 2025 one-to-one consent rule. Treat the self-audit as a first pass, and consider a consultant review if you find significant gaps.

Does attorney-client privilege protect a TCPA audit memo from discovery?

Only if an attorney directed the audit and the memo was prepared in anticipation of litigation or for the purpose of legal advice. A memo written by your ops manager or a non-attorney consultant is not privileged and can be produced in discovery if you're sued. If your audit finds serious gaps, that document can hand plaintiffs' counsel a roadmap. For any team with prior complaints or meaningful call volume, paying for attorney-directed privilege is worth the extra cost.

The FCC's one-to-one consent rule, adopted in FCC 23-107, requires that prior express written consent for autodialed or prerecorded marketing calls and texts be granted to a single, named seller at a time. Bundled consent forms that authorize contact from a list of unnamed marketing partners no longer satisfy the requirement. The rule took effect January 27, 2025. If you buy leads from aggregators or comparison sites, your consent documentation almost certainly needs review against this change.

How often do I need to scrub my call list against the Do Not Call Registry?

Federal regulations require that you scrub your telemarketing call list against the National Do Not Call Registry no more than 31 days before each call [6]. If you called a number 32 days after your last scrub, you may not get the protection of the safe harbor even if the number wasn't on the registry when you last checked. Most compliance teams run scrubs monthly at minimum. Your scrub logs should record the date of each download with a confirmation receipt.

What is an ATDS and does the Facebook v. Duguid decision change my audit?

An ATDS (automatic telephone dialing system) under 47 U.S.C. § 227 is equipment that uses a random or sequential number generator to store or produce telephone numbers to be called. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the federal definition, holding that a device must use random or sequential number generation to qualify. Your audit should document what your dialing or texting system actually does technically, because that determines whether TCPA's ATDS restrictions apply.

Do TCPA rules apply to texts the same way they apply to calls?

Yes. The FCC has long held that text messages to cell phones are covered by TCPA the same way calls are. Autodialed or prerecorded texts to cell phones require prior express written consent for marketing messages, the same as calls. The statute says "to make any call" and the FCC treats texts as calls for this purpose. Your SMS program needs the same consent documentation, DNC scrub compliance, and opt-out handling as your voice dialing program.

What happens if I find gaps during my audit? Do I have to stop calling?

Not necessarily, but it depends on the gap. If your scrub is 60 days old, update it before your next campaign. If your consent forms are non-compliant, pause campaigns using those leads and fix the form at the source before calling new leads acquired under the old language. You're generally not required to stop all activity, but calling or texting with a known, documented gap is close to the definition of a willful violation, which exposes you to trebled $1,500-per-violation damages instead of $500.

Do I need a TCPA audit if I only make calls, no texts?

Yes. Voice calls to cell phones using an ATDS or prerecorded message require prior express written consent under TCPA whether or not you also text. Even live manual calls to numbers on the DNC registry require compliance. Calls to landlines using prerecorded messages have their own consent requirements. An audit for a calls-only operation covers consent, DNC scrubbing, calling hours, the live-agent disclosure requirement, and technology classification.

What does a TCPA audit cost at a law firm vs. a consultant?

Law firm TCPA audits typically cost $5,000, $25,000 for a small to mid-size operation, billing at $150, $600 per hour depending on seniority. TCPA-specialized compliance consultants who aren't attorneys typically offer fixed-fee audits in the $1,500, $5,000 range. The key difference beyond price is attorney-client privilege: only attorney-directed work product is protected from discovery. For teams with prior complaints or high call volumes, law firm cost is often justified.

Which states have TCPA-like laws that my audit needs to cover?

Florida's FTSA (section 501.059) creates a private right of action at $500 per call using a broader automated-system definition than federal law. California's CIPA has been used to assert robocall and recording claims. Washington's CEMA covers commercial texts. Several other states (Oklahoma, Georgia) run state DNC lists with separate registration requirements. A federal-only audit is insufficient for any multi-state operation. Make sure your audit checks the laws of every state where you actively call or text consumers.

Ask your vendor for the actual consent form URL or screenshot the consumer saw at the time of opt-in. It needs to name your company specifically (more than a list of marketing partners), disclose that autodialed calls or texts may be sent if you use them, and not be buried in terms and conditions. Under the FCC's one-to-one rule effective January 2025, consent must be granted to your company individually. If your vendor can't produce the actual consent language, treat those leads as unconsented.

Is a TCPA compliance audit tax deductible for a small business?

Generally yes, as an ordinary and necessary business expense under IRC Section 162, but consult your tax advisor for your situation. Legal and compliance fees paid to attorneys or consultants for business compliance purposes are typically deductible as professional service expenses. This is general information, not tax advice. Deductibility doesn't change the math much: even if you deduct the full cost, the net expense of a $3,000 audit is far lower than one settled TCPA demand letter.

Sources

  1. U.S. Code, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA statutory damages are $500 per violation, trebled to $1,500 for willful violations; defines the scope of the TCPA
  2. FTC, National Do Not Call Registry: Telemarketers must scrub their call lists against the National Do Not Call Registry; registry access and scrub logs available through the SAN subscription portal
  3. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the ATDS definition, holding that equipment must use random or sequential number generation to qualify as an automatic telephone dialing system under 47 U.S.C. § 227
  4. Clio, Legal Trends Report 2023 (attorney hourly rates): Attorney hourly rates for specialized legal work typically range from $150 for associates to $600+ for senior partners in specialized practice areas
  5. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Federal regulations require telemarketing call list scrubbing against the National Do Not Call Registry no more than 31 days before each call; prohibits calls before 8 a.m. or after 9 p.m. local time of the called party
  6. Florida Legislature, Florida Telephone Solicitation Act, Section 501.059, Florida Statutes: Florida's FTSA creates a private right of action at $500 per call using a broader automated-system definition than federal TCPA, making Florida a significant source of state-level robocall litigation
  7. FTC, National Do Not Call Registry (telemarketer access fees): Access to the National Do Not Call Registry for telemarketers costs approximately $79 per area code per year as of 2024, with the first five area codes free
  8. International Association of Privacy Professionals (IAPP): IAPP publishes compliance frameworks and checklists for TCPA and related telemarketing compliance reviewed by legal practitioners

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit