How to integrate a DNC scrubbing API into your sales workflow

Step-by-step guide to connecting a DNC scrubbing API so your team never dials a registered number. Covers TCPA rules, timing, real costs, and workflow tips.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-11

Laptop and phone on a desk representing a sales team DNC compliance workflow
Laptop and phone on a desk representing a sales team DNC compliance workflow

TL;DR

A DNC scrubbing API checks every phone number against the National Do Not Call Registry and your internal suppression lists before your dialer fires. Wire one in correctly and you stay off the wrong side of TCPA's $500 to $1,500 per-call penalty. This guide walks the technical steps, the timing rules, the data you need, and what still breaks after the API goes live.

What does a DNC scrubbing API actually do?

A DNC scrubbing API is a live lookup service. You send it a phone number, or a batch of numbers, and it returns a flag telling you whether that number sits on a do-not-call list. What it checks depends on the vendor: the Federal Trade Commission's National Do Not Call Registry, state-level DNC lists, wireless carrier suppression lists, and any internal "company-specific" do-not-call list your organization keeps.

The FTC's National DNC Registry, authorized under 47 U.S.C. § 227 (the TCPA), covers residential and wireless numbers. Any organization making more than a handful of outbound telemarketing calls has to scrub against it no more than 31 days before placing a call. [1] That 31-day rule is not a soft suggestion. The FCC wrote it into the regulations at 47 C.F.R. § 64.1200(c), and courts have treated a stale scrub as no scrub at all.

Beyond the federal registry, a well-built scrubbing step also checks your company's own suppression file. Under TCPA, a consumer can ask you specifically to stop calling. You have to honor that request within 30 days and keep it honored for at least five years. [2] If your API call hits the federal registry but skips your internal list, you're still exposed.

Think of the API as the goalkeeper. Everything upstream (your lead sources, your CRM, your campaign targeting) still needs to be clean. The API is the last automated gate before the call attempt fires.

Under 47 U.S.C. § 227(c)(5), a consumer whose number sits on the National DNC Registry and gets a telemarketing call can sue for $500 per violation. If the violation is willful, the court can triple that to $1,500 per call. [3] That's per call, not per campaign.

The statute puts it plainly: a plaintiff may recover "$500 in damages for each such violation." No actual harm needs to be proven. That's why plaintiffs' attorneys love TCPA cases. The damage number is fixed and the math is easy.

Class actions are the real weapon. The Credit One TCPA settlement and the Cash App TCPA class action settlement both show how fast individual $500 statutory claims stack into eight-figure payouts.

The FTC can also fine telemarketers directly. Civil penalties for DNC violations can reach $51,744 per violation under current FTC penalty authority. [4] For a small outbound team, even a mid-sized enforcement action is existential.

Here's a realistic scenario. Your team runs a 10,000-number outbound campaign. You scrubbed 45 days ago instead of within 31. Two percent of those numbers registered after your scrub date. That's 200 calls to registered numbers. At $500 each, plaintiff's counsel sees a $100,000 class anchor before discovery even starts. Getting the integration right is cheaper than any lawsuit, every time.

What data sources should your DNC API scrub against?

The minimum viable scrub for a telemarketing operation hits three layers.

Layer 1: The National Do Not Call Registry. The FTC runs the registry. Telemarketers access it through the FTC's subscription system, which needs a SAN (Subscription Account Number) from telemarketing.donotcall.gov. [1] Most commercial DNC API vendors pull the registry data directly and keep it fresh, so you hit their endpoint instead of the government's raw files. Confirm how often your vendor refreshes. Weekly pulls are common. Daily is better.

Layer 2: Your internal company-specific DNC list. Every opt-out request, every "stop calling me" your reps log, and every written revocation has to live in a database your scrubbing step can query. TCPA requires you to keep this list and honor it within 30 days of the request. [2] Many teams store it in their CRM and expose it as a second lookup in the same API chain.

Layer 3: State-level DNC lists. Several states run their own registries independent of the federal list. Indiana, Texas, Wyoming, and others have state DNC laws with separate registration and sometimes shorter scrub windows. [5] A good commercial API covers most of these, but verify your vendor's state coverage explicitly, especially if you call into states with aggressive consumer protection regimes like Florida.

Optional Layer 4: Litigator lists and reassigned number checks. Some vendors flag numbers tied to known serial TCPA plaintiffs and numbers reassigned to new subscribers. The FCC launched the Reassigned Numbers Database in 2021 to address exactly this problem. [6] Calling a reassigned number without consent is a TCPA violation even if the prior subscriber gave you permission.

TCPA and DNC violation penalty ranges Per-violation exposure at each enforcement level TCPA statutory (per call) $500 TCPA willful (per call) $1,500 FTC civil penalty (per violation) $52k Source: 47 U.S.C. § 227, FTC penalty authority, 2024

What technical steps does integrating a DNC scrubbing API actually involve?

The integration is not complicated if your tech setup is reasonable. Here's the practical sequence.

Step 1: Get a SAN from the FTC (or confirm your vendor holds one). If you call numbers in any state, you need a SAN or a vendor who pulls under their own SAN. Annual SAN cost scales by how many area codes you access: a five-area-code subscription runs around $75 per year, climbing to $16,714 for all U.S. area codes under the current FTC fee schedule. [4] Most teams under 500 monthly call attempts just pay through a vendor who bundles this cost.

Step 2: Choose your scrubbing vendor and read their API docs. Major vendors publish REST APIs that accept a phone number (E.164 format is standard), optional extra fields, and return a JSON response with a compliance flag and the list source that triggered it. Read the docs for their refresh cadence, whether they support batch requests, and how they handle edge cases like toll-free numbers.

Step 3: Find the right trigger point in your workflow. This is where teams make the most mistakes. The API call should fire at the last possible moment before the dial attempt, not when the lead lands in the CRM. Why? A number can register on the DNC list at any time, and your scrub has to be within 31 days of the call. [1] Scrub at lead import and dial 45 days later, and that scrub is legally stale. The right trigger is either in your dialer software (a pre-dial hook) or in the final campaign-load step, run within 24 to 72 hours of the first dial.

Step 4: Decide between real-time and batch logic. Real-time scrubbing checks each number the instant before the call goes out. Batch scrubbing loads a list and checks every number before a campaign launches. Real-time is safer for agile sales floors where reps pull leads manually. Batch is more efficient for power-dialer campaigns that pre-load thousands of numbers the night before. Many teams run both: a batch scrub during campaign build and a real-time check just before dial.

Step 5: Handle the suppression output. A flagged number should drop out of the dial queue automatically and get tagged in your CRM with the suppression reason and the scrub timestamp. Do more than delete it. You want an audit trail that shows when the number was checked and what flag came back. That log is your first line of defense in litigation.

Step 6: Test with known DNC numbers before go-live. The FTC's own number (1-888-382-1222) is registered and makes a clean test case. [1] Run it through your integration and confirm the flag returns correctly before you dial a single live number.

Step 7: Document the integration. Write a one-page internal policy that states what lists you scrub, how often you re-scrub active leads, where the suppression logs live, and who owns the process. Courts and regulators respond far better to teams who can produce documentation than to teams who say "we had a system."

How often do you need to re-scrub your lead list?

The legal floor is every 31 days for any number you intend to call. [1] Load a list today, scrub it, then run the same campaign 32 days later without re-scrubbing, and every call you make that day has a stale scrub problem.

In practice, most compliance teams re-scrub active lead lists weekly. Run a high-velocity dialer campaign and a daily re-scrub of your active queue is worth the API cost. Numbers register on the DNC list continuously. The FTC processes new registrations and makes them available to subscribers on a monthly cycle, but several commercial vendors pull and process updates more often.

For leads from third-party generators, get aggressive. The lead seller's scrub date is irrelevant to your liability. You are the caller. Your scrub has to be current when your call goes out. Run any purchased list through your own integration before you dial, no matter what the seller tells you about their compliance process.

A practical policy many teams use: scrub on list load, re-scrub any number that hasn't been dialed in 14 days before the next attempt, and never let a number sit in an active queue more than 30 days without a fresh check.

What should your CRM and dialer integration look like?

The most common architecture looks like this. Your CRM (Salesforce, HubSpot, a custom system) holds the contact records. Your dialer (Five9, Outreach, Kixie, a predictive dialer) pulls records and places calls. Your DNC scrubbing API sits between them.

For CRM-to-dialer workflows, the cleanest setup adds a webhook or a pre-export script that calls the DNC API for every number before it enters a dialer campaign. The API response updates a custom field in the CRM record: something like "DNC_Status" and "DNC_Scrub_Timestamp." The dialer's campaign filter excludes any record where DNC_Status is flagged or where the timestamp is older than 30 days.

For real-time dialer integrations, many enterprise dialers support pre-dial hooks. A pre-dial hook fires an API call, waits for the response (typically under 300 milliseconds for a well-provisioned scrubbing API), and either proceeds with the dial or drops the number from the queue. If your dialer doesn't support pre-dial hooks natively, you can often get similar behavior through the dialer's API plus a middleware layer.

On a tighter budget or a smaller stack, tools like Zapier or Make (formerly Integromat) can chain a DNC lookup into your workflow without custom code. It's slower and less elegant than a native integration, but it works for teams under a few hundred dials per day.

Whatever the architecture, build logging at the API-call level. Your log should capture the number checked, the timestamp, the lists checked, the result, and the campaign or record ID. Keep those logs for at least five years to match TCPA's company-specific DNC list retention requirement. [2]

How much does DNC scrubbing API access cost?

Costs vary a lot by volume, vendor, and how many lists you cover. A small team making 5,000 calls a month usually lands around $100 to $300 per month all-in for a reputable API that bundles the SAN cost and covers major state lists.

Cost componentTypical rangeNotes
FTC SAN (federal list access)$75 to $16,714/yearScales by number of area codes [4]
Commercial DNC API (per-lookup)$0.001 to $0.01 per numberBulk pricing improves unit cost
Commercial DNC API (monthly flat)$50 to $500/monthCommon for teams under 100K lookups/month
State list add-ons$0 to $200/year extraVaries by vendor and state
Reassigned number checks$0.0015 to $0.005 per lookupFCC RND-based products [6]

At 5,000 calls a month, that's roughly $0.02 to $0.06 per dial. Tiny next to the liability it removes.

Some vendors charge per number in the scrub no matter the result. Others charge only for flagged numbers. Read the pricing model carefully. A high-volume list with many registered numbers can make per-number pricing expensive in ways flat-fee pricing avoids.

Starting out with low volume? Check whether your dialer already bundles DNC scrubbing. Five9, NICE inContact, and several predictive dialer platforms include basic scrubbing in their platform fees. That bundled scrub may be enough, or it may need extra state-level lookups depending on your geography.

LeadCompliant's free do-not-call list checker is a reasonable place to start for verifying single numbers or small batches before you commit to a full API vendor.

What are the most common integration mistakes that still lead to violations?

Getting the API technically connected doesn't mean you're protected. These are the failure points that show up over and over.

Scrubbing at lead import instead of at dial time. A lead that was clean the day it entered your CRM may have registered on the DNC list since. If 60 days passed between the import scrub and the call, your scrub is stale. Always trigger the definitive scrub as close to the dial moment as your architecture allows.

Not capturing the scrub timestamp. You need to prove, with a log, that the number was checked within 31 days. A database row that says "DNC: clean" with no timestamp is useless in litigation.

Forgetting the internal suppression list. Plenty of teams wire up federal and state registry checks perfectly, then route a call to someone who told their rep two months ago "never call me again." Still a TCPA violation. [2] Your internal opt-out file has to be a live data source in your scrubbing chain, not a spreadsheet somebody updates by hand once a month.

Not covering wireless numbers. The FTC's registry includes wireless numbers, and the FCC extended TCPA's autodialer and artificial voice restrictions to calls to wireless numbers without prior express consent. [3] Your API has to check wireless numbers. Some older scrubbing tools predate widespread wireless registration and may have gaps.

Trusting third-party scrubs. A vendor who says "these are already scrubbed" doesn't transfer compliance responsibility to you. You placed the call. You hold the liability. Re-scrub purchased lists through your own integration, always.

Batch scrubs that don't sync back to the dialer queue. If your batch scrub runs at 11 PM and your dialer loads leads at 6 AM from a different data source, the suppression flags may not have propagated. Make sure the scrub results write to the same record the dialer reads, not to a parallel system.

Does the DNC scrubbing API requirement apply to SMS campaigns too?

Yes, with some nuance. The National DNC Registry is a prohibition on telephone solicitations, which the FTC and FCC read to include text message marketing in the telemarketing context. [7] Send marketing SMS at scale and the same scrubbing logic applies.

SMS compliance layers differently, though. TCPA's prior express written consent requirement for texts sent with an autodialer is separate from and on top of the DNC registry requirement. You can have a number that's not on the DNC list and still lack valid consent to text it, and that's a TCPA violation on its own. For the full picture of how these rules interact, the text message marketing rules page covers the consent side in detail.

For pure SMS outreach, your scrubbing workflow needs to check both the DNC registry (to catch numbers where the consumer opted out of telemarketing generically) and your internal opt-out list (to honor any STOP responses or written revocations). Most commercial DNC APIs that serve the call market also handle SMS lookup queries on the same endpoint.

One practical difference. SMS programs usually have a STOP mechanism built into the messaging platform. That STOP response should write immediately to your internal suppression file, and your scrubbing logic should query that file before any later outbound text or call to the same number.

How do you handle leads that come in after hours or from high-velocity inbound flows?

Speed-to-lead pressure is real. Sales orgs want to call back an inbound lead within five minutes of form fill. Good news: a properly configured real-time DNC API returns a response in under 500 milliseconds for most vendors. There's no reason a fast callback workflow can't include a DNC check as a synchronous step before the dial.

The pattern to build: when a lead form posts to your backend or your CRM gets a new record, your webhook handler fires the DNC lookup before it ever writes a phone number to the dialer queue. Clean result, the record flows to the rep's queue in real time. Flagged, the record gets suppressed and logged. Total added latency is under a second.

For truly high-velocity environments (thousands of inbound records per hour), make sure your API vendor supports concurrent connections and publishes an SLA on uptime and latency. Ask specifically what happens if the API is down or slow. You need a defined fallback: either hold the dial until the API responds, or suppress all unconfirmed numbers until the scrub clears. Defaulting to suppress-on-timeout is the safer legal choice.

The cold calling compliance guide covers what other pre-call checks are worth adding to this flow beyond DNC status.

What documentation do you need to survive a TCPA audit or lawsuit?

If a demand letter or a complaint lands, the first thing plaintiff's counsel asks for is your compliance records. Here's what you need to be able to produce.

Call logs with scrub evidence. For every dial attempt, keep a record of the number called, the date and time, and the DNC scrub result with its timestamp. The scrub timestamp has to show the check happened within 31 days of the call. [1]

Your written DNC policy. 47 C.F.R. § 64.1200(d) requires telemarketers to keep a written policy for maintaining a do-not-call list. Courts enforce this: a company that can't produce its written policy loses a big part of its safe harbor argument. [8] The policy should name who owns compliance, how often scrubs run, how opt-out requests get processed, and how long records are kept.

Internal suppression list with timestamps. Every opt-out request has to be logged with the date received and the date it was applied. Proving you acted inside the 30-day honor window takes timestamps.

Vendor contracts and coverage confirmations. Keep a record of which DNC API vendor you used, what lists their service covered, and their stated refresh cadence. This goes to reasonable reliance if a number slips through.

Consent records for your entire contact list. Technically separate from DNC scrubbing, but any TCPA investigation will also examine consent. Keep lead source, consent language, IP address, and timestamp for every lead, especially ones collected by web form.

LeadCompliant's compliance kit walks through a documentation checklist format you can adapt to your own policy. At minimum, every team should be able to answer these questions before they place their first outbound dial.

Are there any safe harbors if a flagged number gets called by mistake?

TCPA does give a limited safe harbor, but it's narrow. Under 47 C.F.R. § 64.1200(c)(2)(i), a company isn't liable for a call to a registered number if it has an established business relationship with the consumer, the consumer gave their number directly to the company, or the call was made in error despite procedures that meet the minimum legal standards. [8]

That last one is what most teams try to invoke when a call slips through. The FCC's standard for procedures that meet the minimum requires, at minimum, a written policy, employee training, and active use of a do-not-call list updated no less than every 31 days. If your integration was technically running but your scrub data was 45 days old, you probably don't qualify.

The safe harbor is not a license to be sloppy. Courts and the FCC apply it narrowly. What it actually protects is the honest technical failure: a number that registered on the DNC list this morning and got called this afternoon before your vendor's daily refresh ran. That gap is genuinely hard to prevent, and courts have been more sympathetic. A gap from running the scrub every 60 days, or from never scrubbing purchased lists at all, doesn't qualify.

The other major safe harbor is prior express consent, and it's worth pressing on. If the consumer gave you their number and consented to marketing calls, the DNC registration doesn't bar you from calling them. The statute at 47 U.S.C. § 227(c)(5) carves out calls made with the consumer's prior express invitation or permission. Documented consent is the strongest protection you have, and it works alongside your DNC integration rather than replacing it.

Frequently asked questions

How long does a DNC scrub API call take to return a result?

Most commercial DNC scrubbing APIs return a result in 100 to 500 milliseconds under normal load. For real-time pre-dial integrations, that's fast enough to be invisible to the rep. If your vendor is consistently slower than one second, that's a signal to test alternatives. Always ask vendors for their p99 latency and uptime SLA before committing.

Can I scrub numbers myself using the FTC's database instead of paying a vendor?

Yes, technically. The FTC provides the National DNC Registry directly to subscribers through telemarketing.donotcall.gov with a paid SAN. You'd download the data files and run lookups against your own copy. The catch is freshness: the FTC updates the files on a monthly cycle, and building your own pipeline to stay current takes ongoing engineering. For most small teams, paying a commercial vendor $100 to $300 per month is more practical.

What happens if I call a number that registered on the DNC list after my scrub date but before my call?

If your scrub was within 31 days of the call and the number registered after your scrub, you have a reasonable argument for the error safe harbor under 47 C.F.R. § 64.1200(c). This is one scenario where the law genuinely gives you room. The tighter your scrub cadence (daily versus monthly), the smaller that window, and the stronger your position.

Does the 31-day scrub rule apply to business-to-business calls?

The National DNC Registry and its 31-day scrub requirement apply to calls to residential telephone subscribers and wireless numbers. Purely business-to-business telemarketing calls are generally not covered by the federal DNC registry rules. Some state laws extend DNC protections to business numbers, though, and your internal company-specific DNC list should apply regardless of whether the number is a business line.

How do I get access to the National Do Not Call Registry for my organization?

You register for a Subscription Account Number at telemarketing.donotcall.gov. Cost scales by area codes accessed: the FTC charges roughly $75 for up to 5 area codes, climbing to $16,714 for all U.S. area codes annually. Most small teams access the registry through a commercial DNC API vendor who bundles the SAN cost. See the full breakdown on the how do i get the do not call list page.

What is the difference between the federal DNC list and a company-specific do-not-call list?

The federal list is the FTC's National Do Not Call Registry: a public database consumers register with to block telemarketing calls broadly. A company-specific DNC list is your own internal suppression file of people who told your company specifically to stop calling. TCPA requires you to keep both, scrub against both, and honor your internal list within 30 days of any opt-out request for a minimum of five years.

Do I need to scrub against state DNC lists separately from the federal registry?

Yes, if you operate in states with their own DNC registries. Indiana, Texas, Wyoming, and several others maintain state-level lists. Some have different scrub timing requirements and separate registration processes. Most commercial DNC API vendors cover the major state lists, but confirm your vendor's state-by-state coverage explicitly. Calling a state-registered number without scrubbing the state list is a violation of that state's law regardless of your federal scrub.

If I buy leads from a vendor who says they've already been scrubbed, am I protected?

No. You are the party placing the call, so compliance responsibility is yours. A third-party scrub certification does not transfer legal liability. Always run purchased lists through your own DNC API integration before dialing. Courts and the FCC have been consistent on this point: the caller, not the list vendor, faces statutory liability under TCPA.

What format should phone numbers be in when I send them to a DNC scrubbing API?

Most APIs expect E.164 format, which looks like +12025551234 for a U.S. number: a plus sign, the country code, then the full number with no spaces or dashes. Some vendors also accept 10-digit NANP format (2025551234). Check your vendor's documentation. Sending malformed numbers usually returns an error code rather than a compliance result, which can silently skip the check if your error handling isn't set up correctly.

How should I handle a situation where the DNC API is temporarily down or returns an error?

Define a fail-safe behavior in your integration before this happens, not after. The safest default is to suppress any number that returns an API error or timeout rather than letting the call proceed. This may occasionally block a clean number, but it protects against calling a flagged number because of a system failure. Log every timeout and error so you can audit your gap coverage.

Does DNC scrubbing apply to ringless voicemail drops?

Yes. The FCC has treated ringless voicemail as a call under the TCPA, which means the same rules apply: you cannot leave a ringless voicemail at a DNC-registered number without prior express consent. This reading has faced some legal challenge, but operating on the assumption that ringless voicemail is subject to TCPA and DNC rules is the conservative and defensible position until courts or the FCC rule otherwise.

How long should I retain DNC scrub logs?

TCPA requires you to keep your company-specific do-not-call list for at least five years. Extending that same retention to your API call logs and scrub timestamps is the practical choice: if a complaint surfaces two years after a call, you need proof of compliance from that date. Store logs in a queryable format, not flat files, so you can pull records for a specific number and date fast.

Can a consumer sue me even if the number is on a mobile phone do not call list?

Yes. The FTC's National DNC Registry includes wireless numbers. Consumers register mobile numbers directly, and calling a registered mobile number with a telemarketing call creates the same $500 per-call statutory exposure as calling a registered landline. Wireless numbers carry extra protection under TCPA's autodialer provisions, which require prior express consent for calls or texts to cell phones regardless of DNC status.

Sources

  1. FTC, National Do Not Call Registry, telemarketing.donotcall.gov: Telemarketers must scrub against the National DNC Registry no more than 31 days before placing a call; the FTC maintains the registry and requires a Subscription Account Number for access.
  2. Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200(d), company-specific do-not-call rules: Companies must honor consumer requests to stop calling within 30 days and maintain the suppression for at least five years.
  3. Legal Information Institute, Cornell Law, 47 U.S.C. § 227 (TCPA): 47 U.S.C. § 227(c)(5) authorizes private suits for $500 per violation, trebled to $1,500 for willful violations, for calls to numbers on the National DNC Registry.
  4. FTC, Telemarketing Sales Rule and DNC fee schedule: FTC civil penalties for DNC violations can reach $51,744 per violation; SAN costs range from approximately $75 for 5 area codes to $16,714 for all U.S. area codes annually.
  5. NCSL, State Do Not Call Laws overview: Multiple states including Indiana, Texas, and Wyoming maintain their own DNC registries with rules separate from the federal registry.
  6. FCC, Reassigned Numbers Database, reassigned.us: The FCC launched the Reassigned Numbers Database in 2021 to help callers verify whether a number has been reassigned to a new subscriber, reducing TCPA liability for stale consent.
  7. Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200(c) and (d), DNC safe harbor and written policy requirement: The safe harbor for calls to registered numbers requires a written do-not-call policy, employee training, and scrubbing no less than every 31 days; 47 C.F.R. § 64.1200(d) mandates a written policy for maintaining company-specific DNC lists.
  8. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: The Telemarketing Sales Rule establishes the legal framework for DNC compliance, SAN requirements, and enforcement authority alongside the TCPA.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Forms & Templates

Related Glossary Terms

LeadCompliant
Build My Kit