Last updated 2026-07-11

TL;DR
A TCPA self-audit reviews six areas: consent documentation, DNC list scrubbing, calling hours, autodialer use, opt-out honoring, and record retention. Most small teams find their first gaps in consent recordkeeping and DNC scrubbing. Run this audit quarterly and you prevent per-violation fines of $500 to $1,500 under 47 USC 227.
What is a TCPA self-audit and why does it matter?
A TCPA self-audit is a structured internal review where your team checks its own outbound calling and texting against the Telephone Consumer Protection Act, 47 USC 227, and the FCC rules that implement it. [1] You run it yourself, without hiring outside counsel, and you write down what you find.
The point is to catch gaps before a plaintiff's attorney does. Under 47 USC 227(b)(3), each violation carries a statutory damages floor of $500, rising to $1,500 if a court finds the violation was willful or knowing. [1] In a class action, those numbers multiply across every contact in your database. The Cash App TCPA class action settlement resolved at $3.5 million for claims tied to unsolicited messages, and settlements at that scale hit companies of every size. See the cash app tcpa class action settlement breakdown for what triggers those suits.
The audit does not require a law degree. It requires honesty about what records you actually have versus what you think you have. Most teams doing this for the first time get surprised, not by what they learn about their intent, but by what they can't prove.
What laws and FCC rules does a TCPA audit need to cover?
The audit touches three layers of law.
First, the federal statute. 47 USC 227 prohibits calls and texts made with an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to cell phones without prior express written consent for telemarketing, and prior express consent for informational calls. [1] The FCC's 2012 order (FCC 12-21) sharpened that consent standard and killed the prior-business-relationship exemption for robocalls. [2]
Second, the National Do Not Call Registry rules under 47 CFR Part 64. A telephone solicitation to a number that has been on the registry more than 31 days is a violation, and you have to scrub your lists against the registry every 31 days at minimum. [3]
Third, state laws. Several states run rules stricter than federal TCPA. Florida's Mini-TCPA (SB 1120, effective July 2021) uses a broader autodialer definition, and California's CCPA adds consent and deletion duties that overlap with TCPA. Your audit should flag state exposure based on where your contacts live, not where your business is incorporated. [4]
For a plain-English primer on the underlying statute before you start, the tcpa overview is a good reference.
What are the six areas every TCPA self-audit should cover?
Here is the standard framework. Treat each area as its own workstream.
1. Consent documentation For every cell phone on your outbound list, you need prior express written consent if you make telemarketing calls or send marketing texts with an ATDS. That consent has to be a signed agreement (electronic signature counts) that clearly authorizes calls or texts from your company using automated technology, and it must disclose that consent is not a condition of purchase. [2] Pull a sample of 50 records and ask: can you produce that consent document right now? If no, that's a gap.
2. DNC scrubbing Your list has to be scrubbed against the National DNC Registry at least every 31 days. [3] You also need an internal DNC list, you must honor opt-outs within 30 days of receipt, and you keep those records for five years. Check when your last scrub ran, which vendor ran it, and whether your internal DNC list is deduplicated and current. The do not call list article explains how the registry works if your team is unclear on the mechanics.
3. Calling hours Federal law prohibits calls before 8 a.m. or after 9 p.m. local time of the called party, not the caller. [3] Pull your dialer logs and filter for calls outside that window. Use the recipient's area code as a proxy for their time zone. This is one of the easiest gaps to audit and one of the most common ones to find.
4. Autodialer and prerecorded voice identification After the Supreme Court's 2021 ruling in Facebook, Inc. v. Duguid, the ATDS definition got narrower: a system has to use a random or sequential number generator to store or produce numbers. [5] But many dialers still qualify, and prerecorded voice calls carry the same restrictions regardless of ATDS status. Document what technology you use, get your vendor's written description of how the dialer works, and map that description to the legal definition.
5. Opt-out honoring For text campaigns, opt-outs must be processed immediately or within a reasonable time, and you cannot send anything after a STOP reply except a single confirmatory opt-out message. [2] For voice, your internal DNC list must be updated within 30 days. Audit a sample of opt-out requests from the last six months and trace each one forward: when was it received, when was the number suppressed, did any later contact happen?
6. Record retention The FCC's safe harbor for DNC violations requires written procedures, trained personnel, a maintained do-not-call list, and access to the national registry within the prior 31 days. [3] You need records that prove all of it. Check that consent forms, scrub receipts, calling logs, and opt-out logs sit somewhere you can actually retrieve them when a complaint or a litigation hold letter lands.
How do you audit your consent records specifically?
Consent auditing is where most teams spend the most time and find the most problems. Here is a method that works.
Pull your full outbound contact list. Split it into three buckets: landlines, cell phones, and unknown. If you do not know whether a number is a cell phone, treat it as one for TCPA purposes, or run a carrier lookup. For every cell phone number that will get a marketing text or an autodialed marketing call, you need verifiable prior express written consent linked to that specific number. [2]
For each number in your sample, you should be able to retrieve four things: the date and time consent was given, the URL or document where it was collected, the exact consent language the person saw, and their identifying information tied to that record. If your consent came through a lead generator, you need a contract that obligates them to collect TCPA-compliant consent, and you should have spot-checked their lead records.
The FCC's 2012 order says that for telemarketing robocalls, consent must be "a written agreement, signed by the person called, that clearly authorizes" the specific seller to deliver calls using an ATDS. [2] A general terms-of-service checkbox that does not name your company does not satisfy that. A signed lead form saying "I agree to be contacted by partners" is likely not enough either, and courts have ruled against companies leaning on that language.
One honest note. Nobody has fully reliable data on what percentage of lead-gen consent records would survive TCPA scrutiny if challenged in court. The closest data point is litigation outcomes, and courts have repeatedly found boilerplate, buried, or third-party consent language insufficient. The Credit One TCPA settlement, which resolved claims about consent validity on calls to cell phones, shows how fast those suits move. Details at credit one tcpa settlement.
How do you check whether your DNC scrubbing is actually working?
The mechanical check is simple: get the date and confirmation receipt from your last scrub run, confirm it was within 31 days, and confirm it covered every number in your active calling universe, more than new leads.
The harder check is whether numbers that sat on the DNC registry at the time of a call also show up in your dialer logs as called. Pull a sample of completed calls from the last 90 days. Take a random subset, run those numbers against the current registry, and see when each was registered. If any were on the registry before your call date and did not get scrubbed out, you have a live gap.
Check your internal do-not-call list process too. When someone asks not to be called again, that request stands for the next five years and applies company-wide, more than to the rep who took it. [3] Test it: find five opt-out requests from six months ago, look those numbers up in your current dialer queue, and confirm none are loaded for future contact.
For teams buying lists from third parties, the FTC says the seller's scrub does not relieve you of the duty to scrub yourself. [6] You own the compliance obligation. The do not call telemarketer list article explains what the company-specific DNC list requirement means in practice.
If you are unsure how to access the National DNC Registry or what a subscription for list scrubbing costs, how do i get the do not call list has the step-by-step.
What should a TCPA calling-hours audit look like?
This one is data-driven and fast. Pull your dialer call logs for the last 90 days. Export to a spreadsheet with columns for called number, call initiation timestamp (in your local time), and area code of the called number.
Add a lookup column mapping each area code to its standard time zone. Then calculate the local time of each call from the called party's perspective. Flag any call before 8:00 a.m. or after 9:00 p.m. in that local time zone. [3]
A few things to watch. Daylight saving time changes trip up automated systems that convert time zones mechanically without accounting for DST transitions. If your dialer runs on a static UTC offset, it can be off by an hour for part of the year.
Watch area codes that do not map to geography cleanly. VoIP and ported numbers carry area codes that no longer reflect where the person sits. You cannot know where a ported VoIP user is, so this is genuinely an imperfect audit step. Document that limitation. What you want to show is a reasonable process, not a perfect one. The FCC's safe harbor cares about the existence of a written procedure and a good-faith effort to follow it. [3]
How do you audit text message campaigns for TCPA compliance?
Text compliance under TCPA has three checkpoints: consent, content identification, and opt-out mechanics.
For consent, the same prior express written consent standard applies to marketing texts sent via ATDS as to marketing robocalls. [2] Pull your SMS platform's subscriber list and verify every number has a consent record meeting that standard. Platforms like Twilio log opt-in timestamps. Make sure you are actually exporting and storing those records outside the platform, because if you cancel your account, those logs may not be recoverable.
For content identification, each text in a marketing campaign must clearly say who is sending it. Anonymous texts, or texts where the brand name shows up only inside a link, create exposure. This is not stated as precisely in statute as the consent rule, but FCC guidance and plaintiff arguments both zero in on it. [7]
For opt-out mechanics, you must give a clear and conspicuous opt-out method in each campaign message, process STOP replies immediately, and send nothing further except one confirmatory opt-out message. [2] Test it by sending a STOP to your own short code or long code from a test number, then check how long before that number goes suppressed and whether any later sends went through.
The text message marketing article goes deeper on platform-level mechanics. For cell phone-specific DNC issues, mobile phone do not call list covers the overlap between registry rules and wireless numbers.
What records do you need to keep to pass a TCPA audit or defend a lawsuit?
The FCC's safe harbor for DNC violations requires evidence of four things: written procedures, personnel training, maintenance of your internal DNC list, and timely registry access. [3] Beyond the safe harbor, a full TCPA defense in litigation needs consent records, opt-out records, and evidence of scrubbing.
Here is a practical retention schedule:
| Record type | Minimum retention | Where to store |
|---|---|---|
| Consent forms and timestamps | 4-5 years from last contact | CRM or document management system |
| DNC scrub receipts | 5 years | Compliance folder with dated files |
| Internal DNC list with opt-out dates | 5 years | Deduplicated and locked from editing |
| Calling logs (number, date, time, outcome) | 4 years | Dialer export or data warehouse |
| Training records (who was trained, when, on what) | Duration of employment + 3 years | HR system |
| Opt-out requests (text STOP, verbal requests) | 5 years | Mapped to contact record |
Five years is the most conservative standard across federal TCPA and FTC rules. Four years matches the TCPA's statute of limitations, though some courts have allowed equitable tolling arguments that stretch it. When in doubt, keep records longer.
If you get a litigation hold letter or a complaint, stop deleting anything immediately. Spoliation (destroying evidence after you should have anticipated litigation) is its own exposure separate from the underlying TCPA claim.
How often should a small outbound team run a TCPA self-audit?
Quarterly is the right cadence for active outbound teams. Here is why. Your DNC scrub runs every 31 days, but the fuller audit (reviewing consent records, testing opt-out mechanics, checking calling hours in your logs) takes more time and should land before quarterly business reviews.
A lighter monthly check makes sense for high-volume teams: confirm the scrub ran, confirm opt-out counts look normal, spot-check five consent records. Save the full six-area audit for the quarterly cycle.
When to do an unscheduled audit: any time you swap your dialer platform, switch to a new lead vendor, expand into a new state, or launch a new campaign type. Each of those events resets some of your compliance assumptions. A new lead vendor's consent records may not meet your standard. A new state may run stricter rules than the last one. Run the relevant part of the audit before the campaign goes live, not after.
One thing I would not do: treat your dialer vendor's compliance dashboard as a substitute for this review. Vendor dashboards tell you what the vendor tracks. They do not tell you whether your underlying consent is valid, whether your internal DNC list is accurate, or whether your record retention holds up in litigation. Those are your responsibility.
What does a realistic TCPA self-audit template look like?
A usable template has five columns: the audit area, the specific question, the data source you checked, what you found, and the remediation step with a deadline. Here is the skeleton:
| Audit area | Question | Data source | Finding | Remediation / owner / deadline |
|---|---|---|---|---|
| Consent records | Can we produce written consent for 100% of cell numbers in the active calling list? | CRM consent records | 23% of records lack documented consent | Pull and review all unconsented numbers; pause outreach until resolved |
| DNC scrubbing | When did the last national registry scrub run? | Scrub vendor receipt | Last scrub was 38 days ago | Set automated 28-day scrub schedule; confirm with vendor |
| Calling hours | Any calls outside 8am-9pm recipient local time in last 90 days? | Dialer export + time zone lookup | 14 calls flagged after 9pm | Investigate; add hard hour blocks to dialer config |
| Autodialer classification | Does our dialer use random or sequential number generation? | Vendor documentation | Vendor confirmed system dials from uploaded list only | Document and retain vendor statement |
| Opt-out honoring | Did any opted-out numbers receive subsequent contacts? | Internal DNC vs. call log | 3 numbers contacted post-opt-out | Suppress immediately; review suppression lag process |
| Record retention | Are consent forms, scrub receipts, and opt-out logs stored and retrievable? | Compliance folder / CRM | Scrub receipts missing before January 2024 | Request retroactive receipts from vendor; implement automatic receipt storage going forward |
That is the core of it. Add rows for state-specific laws, third-party lead vendor audits, and training records depending on your risk profile.
LeadCompliant's free compliance kit includes a pre-built version of this template along with a consent language checker if you want a starting point rather than building from scratch.
What are the most common TCPA compliance gaps small teams actually find?
Based on how TCPA litigation clusters, these are the most frequent gaps, roughly in order of frequency.
Gap one: no written consent for cell phones. Teams assume that because a lead submitted a form somewhere, TCPA-compliant consent exists. Often the form language does not name the company, does not mention autodialing, or was never retained.
Gap two: stale or incomplete DNC scrubbing. The 31-day requirement is easy to let slip, especially when a vendor account lapses or a scrub job fails silently.
Gap three: after-hours calls. Dialers set to the company's time zone routinely break the rule for contacts in earlier zones. A company calling from EST at 8:30 a.m. is calling CST contacts at 7:30 a.m.
Gap four: opt-outs not honored company-wide. A rep logs a verbal opt-out in their personal notes. The number stays in the shared dialer queue. Someone else calls it two weeks later.
Gap five: weak record retention. Consent records buried in an email thread. Scrub receipts no one saved. Training done verbally with no documentation.
Gap six: lead vendor consent that does not survive scrutiny. The consent was collected by the vendor for "partners," it did not name your company, and it probably fails the FCC's 2012 written consent standard. [2]
The good news: gaps one through five are fixable with process changes that cost almost nothing. Gap six needs a harder conversation with your lead vendors and possibly a change in sourcing.
What happens if a TCPA self-audit reveals violations you already committed?
First, document what you found with timestamps. That documentation is evidence of good faith, which matters for the FCC's safe harbor and for settlement talks if a claim gets filed.
Second, stop the conduct immediately. If you have been calling numbers without valid consent, pause that list. If your DNC scrub lapsed, run no new outreach until you scrub and have a receipt.
Third, consult a TCPA attorney before you self-report to the FCC or proactively reach out to people you may have called improperly. There is no affirmative legal requirement to self-report TCPA violations to the FCC, and doing so without legal advice can create more exposure than it resolves. This article is not legal advice, and anyone facing material exposure should talk to counsel.
Fourth, remediate and document the remediation. Fix the process, keep proof of the fix, and build the audit schedule so you catch future drift. Courts and plaintiffs' counsel look at whether you made good-faith process changes after finding problems. It does not erase liability, but it is relevant to damages and settlement.
For cold calling operations specifically, the cold call compliance framework article covers what documentation a defense needs.
The TCPA carries a four-year federal statute of limitations for private civil claims under 28 USC 1658. [8] State law claims can run different periods. That means calls made up to four years ago can still be the basis for a current lawsuit.
Frequently asked questions
How long does a TCPA self-audit take for a small team?
For a team with under 10,000 contacts and a single dialer, a first-time audit takes about two to three days of actual work: one day pulling and reviewing consent records, one day checking DNC scrub history and calling logs, and a half-day documenting findings. Subsequent quarterly audits take under a day once the process is built.
Do I need a lawyer to do a TCPA self-audit?
No. The mechanical steps (checking records, reviewing dialer logs, verifying scrub receipts) are internal operational tasks any compliance owner or manager can run. A lawyer adds value in interpreting ambiguous findings, judging whether specific consent language meets legal standards, and advising on remediation if you find material violations. Use counsel for interpretation, not for data collection.
What is the minimum consent language required for TCPA-compliant telemarketing texts?
The FCC's 2012 order requires a written agreement, signed by the recipient, that clearly authorizes the specific company to contact them using an automatic telephone dialing system for marketing, and that states consent is not a condition of purchase. The language must disclose that contact will be via autodialer or prerecorded message. A general opt-in checkbox that does not name your company and does not mention automated technology fails this standard.
How often does the National DNC Registry scrub need to run?
At minimum every 31 days. The FTC's Telemarketing Sales Rule and FCC rules both require your calling list be scrubbed against the National Do Not Call Registry no more than 31 days before a call. Most compliance teams set scrubs to run every 28 days to build in a buffer. Scrub receipts should be kept for at least five years.
Does the TCPA apply to B2B calls?
Mostly no, but it depends on the number you are calling. The TCPA's restrictions on autodialed and prerecorded calls apply to the number, not the caller's intent. If a business contact's cell phone gets dialed with an ATDS, TCPA protections apply even when your purpose is B2B outreach. Calls to business landlines carry fewer restrictions, but the National DNC Registry covers residential numbers, not all business lines.
What is the TCPA safe harbor for DNC violations and how do you qualify?
The TCPA safe harbor under 47 CFR 64.1200(c)(2) protects callers who can show they have written DNC procedures, have trained personnel on those procedures, maintain an internal DNC list, access the national registry within 31 days before calling, and can show the violation was an error despite those practices. The safe harbor is not automatic; you have to prove each element with records, which is why documentation is the whole game.
Can a lead vendor's consent cover TCPA liability for my company?
Not automatically. The FCC's 2012 order requires that consent name the specific seller placing calls. Boilerplate authorizing contact by unidentified 'partners' has been found insufficient in multiple cases. If your leads come from a third-party generator, review their consent forms closely. If your company is not named, or the form does not disclose autodialing, you take on the consent risk. Your vendor contract should include indemnification, but that only matters if the vendor can actually pay.
What happens if someone on your list has ported their number from a landline to a cell phone?
The TCPA applies based on the number's current classification at the time of the call, not its original assignment. If a landline number has been ported to a cell phone, calls to it using an ATDS now require prior express written consent for marketing. FCC guidance and several court cases confirm this. Carrier lookup or number type identification services can flag ported numbers before you dial.
How does a TCPA self-audit differ from a formal compliance review by outside counsel?
A self-audit covers the operational facts: what records exist, what the dialer logs show, whether scrubs ran. Outside counsel provides legal interpretation: whether your consent language is sufficient, how a court would view a specific gap, and what remediation protects you in litigation. Self-audits are a prerequisite for counsel to do their job efficiently, and they cost far less. Run the self-audit first, then bring counsel in if findings are serious.
What is the TCPA statute of limitations for private lawsuits?
Four years under 28 USC 1658, the general federal civil statute of limitations. A plaintiff can sue over a call made up to four years before the filing date. Some plaintiffs have argued for equitable tolling in specific circumstances, and state law claims can carry different periods. Your record retention should cover at least four years of calling logs, consent records, and DNC scrub documentation.
Does TCPA compliance cover fax marketing?
Yes. The TCPA covers unsolicited advertisements sent by fax under 47 USC 227(b)(1)(C). The Junk Fax Prevention Act of 2005 added an established business relationship exemption with opt-out requirements. If you run any fax marketing, your self-audit should check whether recipients gave prior written consent or have an established business relationship, and whether your faxes include a compliant opt-out notice.
What training records does TCPA compliance require?
The FCC's DNC safe harbor requires that personnel have been trained on DNC procedures. The FCC does not specify a training format or frequency, but you need documentation: who was trained, when, and on what topics. A dated sign-off sheet or a training completion record in your HR system works. Training should cover, at minimum, what numbers cannot be called, how to handle opt-out requests, and how to log and escalate compliance issues.
How do state TCPA-equivalent laws affect a self-audit?
Several states have enacted laws stricter than federal TCPA. Florida's SB 1120 (effective July 2021) uses a broader autodialer definition and limits calls per day. Washington state and Oklahoma run their own telemarketing statutes. Your audit should flag the states where your contacts reside and check each state's rules for calling hours, consent, and opt-out periods. This step is easy to skip and is where multi-state operations often carry unrecognized exposure.
Sources
- Cornell LII, 47 USC 227, Telephone Consumer Protection Act: Each TCPA violation carries statutory damages of $500, up to $1,500 for willful violations, under 47 USC 227(b)(3).
- Cornell LII, 47 CFR 64.1200, Delivery restrictions and Do Not Call rules: Callers must scrub against the National DNC Registry every 31 days; calls before 8am or after 9pm local time of the called party are prohibited; internal DNC requests must be honored for five years.
- Florida Legislature, SB 1120 (2021), Florida Telephone Solicitation Act: Florida SB 1120, effective July 1, 2021, applies a broader autodialer definition and imposes per-call limits stricter than federal TCPA.
- U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court ruled in Facebook v. Duguid (2021) that an ATDS must use a random or sequential number generator to store or produce numbers; systems dialing from uploaded lists do not automatically qualify.
- FTC, Complying with the Telemarketing Sales Rule: The FTC states that sellers are responsible for their own DNC compliance and cannot rely solely on a list seller's scrub.
- Cornell LII, 28 USC 1658, Limitations on Actions: The general federal civil statute of limitations under 28 USC 1658 is four years, which courts have applied to private TCPA claims.
- FTC, National Do Not Call Registry: The FTC administers the National Do Not Call Registry; telemarketers must access it and scrub their lists before calling.
- Junk Fax Prevention Act of 2005, Public Law 109-21: The Junk Fax Prevention Act of 2005 amended TCPA to add an established business relationship exemption for fax advertising, with mandatory opt-out requirements.