Last updated 2026-07-11

TL;DR
Connect your CRM to a DNC lookup API through Zapier and every lead gets checked before a rep dials. A new lead triggers a webhook call, the API checks the number against federal and state registries, and Zapier tags it safe or flags it for review. No developer needed. It runs before your reps ever see the number.
Why does DNC scrubbing have to happen before every outbound touch?
Because one call to a number on the National Do Not Call Registry can cost you up to $53,088, and that ceiling climbs with inflation [1]. The FTC resets the penalty cap periodically under the Federal Civil Penalties Inflation Adjustment Act, so any figure you saw quoted two years ago is probably low.
The TCPA (47 U.S.C. § 227) and the FTC's Telemarketing Sales Rule work as a pair. The TCPA hands private plaintiffs $500 to $1,500 per call or text. The TSR gives the FTC its own hammer. Both apply at once. A single bad batch of 500 calls to registered numbers can put you in settlement range that ends the company. The Credit One TCPA settlement shows how fast these numbers stack.
Scrubbing is never one and done. The registry updates constantly as people register new numbers. The FTC lets registered telemarketers download refreshed data every 31 days, but a number can appear on the list any day, so a list you cleaned 60 days ago may already be dirty [2]. Quarterly scrubbing is not enough for an active dialer. Monthly barely is. You want the check to fire automatically, the moment a lead lands, before a rep touches it.
What does a Zapier-based DNC scrubbing workflow actually look like?
Three moves: trigger, action, branch. That's the whole shape.
Trigger: something happens in your CRM or lead source. A row appears in a Google Sheet. A HubSpot contact gets created. A Salesforce lead imports. A form submission lands. Zapier watches for that event and wakes up.
Action: Zapier sends the phone number to a DNC lookup API. You do this with a Webhooks by Zapier step (paid plans only) or a native app if your DNC provider publishes one. The API checks the number against the National DNC Registry, state lists, and your internal suppression file, then returns a status: clean, flagged, or internal-suppressed.
Branch: a Filter or Paths step reads that status. Clean leads move forward. Flagged leads get a CRM field set to "DNC - do not contact", a Slack or email ping to your compliance owner, and a hard stop before any dialing queue.
The whole thing runs in seconds. No human review for the vast majority of leads. Reps only ever see numbers that passed.
Which DNC scrubbing APIs actually work with Zapier?
Several providers publish REST APIs you can hit from a Zapier Webhook step. Here are the ones worth a look.
| Provider | Registry coverage | Typical cost model | Native Zapier app? |
|---|---|---|---|
| Telnyx | Federal DNC, TCPA litigator list | Per-lookup, pay-as-you-go | No, use Webhook |
| Neustar (TransUnion) | Federal + state + wireless | Contract, volume tiers | No, use Webhook |
| Twilio Lookup | Carrier data, line type | $0.005 per lookup | Yes (native) |
| Scrubbing.io | Federal + state + internal | Subscription or per-lookup | No, use Webhook |
| ContactOut / Trestle | Federal DNC, litigator lists | Subscription | No, use Webhook |
Twilio Lookup returns line type (mobile vs. landline) and carrier. That matters for TCPA because autodialer rules differ by line type. But Twilio Lookup does not check the National DNC Registry itself. Use it alongside a registry check, never instead of one.
For most small teams, the right combination is federal DNC plus the state lists (Florida, Texas, Indiana, and a handful of others run their own) plus a litigator scrub [3]. A litigator scrub catches serial TCPA plaintiffs, whose numbers often sit on DNC lists precisely so they can collect. Is that list worth the extra money? Honestly, it's a real debate. Nobody has clean public data on how often it stops a suit. Anecdotally, teams that run one sleep better.
Check your do not call list obligations for each state you're dialing. Some states demand separate registration and separate scrubbing.
How do you build the Zapier workflow step by step?
Here's a concrete walkthrough with HubSpot as the CRM and a generic REST scrubbing provider. Swap the trigger app for whatever you actually run.
Step 1: Create a new Zap. Pick HubSpot as the trigger app, choose "New Contact" as the trigger event, and connect your account. Test it so Zapier pulls in a sample contact with a phone field.
Step 2: Add a Webhooks by Zapier action. Choose the "POST" method. In the URL field, paste your provider's endpoint (for example, https://api.yourprovider.com/v1/scrub). Under "Data", map the phone number from the HubSpot trigger to the field name the API expects (often "phone" or "number"). Add your API key under "Headers" as Authorization: Bearer YOUR_KEY. Send a test and confirm the response comes back with a status field.
Step 3: Add a Filter or Paths step. Two outcomes only (clean vs. flagged)? A Filter works fine. Set the condition to continue only if the "status" field equals "clean" (or whatever your provider returns for a safe number). If the filter fails, the Zap stops and that lead goes nowhere.
Step 4: Want flagged leads updated instead of silently dropped? You do. Use Paths instead of a Filter. Path A: status is clean, lead proceeds. Path B: status is flagged, add a HubSpot Update Contact step that sets a custom property like "DNC Status" to "Flagged" and routes the contact owner to your compliance review queue.
Step 5: Add a notification for flagged leads. A Slack message or a Gmail email to your compliance owner is one more step. Cost: nothing extra if your plan already covers the step count.
Step 6: Test with a number you know is registered. The FTC publishes the registry's consumer helpline (1-888-382-1222) as a public reference [2], but never test with real consumer numbers. Most providers offer a sandbox mode for exactly this.
A finished Zap usually clears in under 10 seconds per contact.
What are the real limitations of doing DNC scrubbing through Zapier?
Zapier is a workflow tool, not a compliance platform. Using it for DNC scrubbing is genuinely useful, but it comes with constraints you need to understand before going live.
Task limits bite. Zapier prices by tasks, and each step in a Zap that runs counts as one. A four-step Zap (trigger + webhook + filter + update) burns three tasks per contact. Import 10,000 leads a month and that's 30,000 tasks. The Professional plan includes 2,000 tasks a month. The Team plan goes to 50,000 [4]. Do the math before you assume a cheap plan covers your volume.
Latency is real. Zapier processes tasks in sequence, not instantly. Under load a Zap can sit in the queue for several minutes. If your reps dial new leads the second they appear, a five-minute Zapier delay isn't enough buffer. Add a time delay step, or route leads through a staging status that reps know not to touch until the DNC field fills in.
No audit trail out of the box. Regulators and plaintiffs' attorneys will ask you to prove you scrubbed a specific number on a specific date. Zapier's task history only goes back 30 days on most plans [4]. Log every scrub result somewhere permanent: a timestamped CRM field, or a Google Sheet capturing phone number, result, and date. Add that logging step on purpose, not as an afterthought.
API errors fail quietly if you let them. If your provider's API is down and Zapier gets an error, what happens depends on your filter. A filter set to "proceed if status equals clean" will stop the lead on an error response, which is the safe default. Good. But you still want to know. Add an error path or a Zapier error notification so failures surface fast.
High volume shifts the math. A purpose-built compliance platform may beat Zapier for teams pushing tens of thousands of leads. Under a few thousand a month, Zapier plus an API is a genuinely practical answer.
Do you need to scrub mobile numbers differently than landlines?
Yes, and this is exactly where small teams get caught. Mobile numbers carry a second layer of rules that landlines don't.
The National DNC Registry covers all residential numbers, including mobile numbers a consumer has registered. Calling a registered mobile with a telemarketing call breaks the TSR the same way calling a registered landline does [5].
The TCPA adds its own mobile-specific layer. Under 47 U.S.C. § 227(b)(1)(A), using an automatic telephone dialing system or an artificial or prerecorded voice to call a mobile number requires prior express consent, separate from the DNC question entirely. So even a mobile number that's clean on the registry still needs consent before an autodialer touches it. The mobile phone do not call list picture is two separate checks, not one.
In your Zapier workflow, add a line-type lookup (Twilio Lookup is the easiest to reach) as an early step that tells you mobile or landline. Mobile numbers route through both a DNC check and a consent verification step. Landline numbers get the DNC check only, though prerecorded-call consent rules still apply under a different section.
This matters most when your scrubbing provider doesn't split line type. Some bundle line-type detection into the DNC response. Others don't. Ask before you sign anything.
What about internal DNC lists, beyond the federal registry?
Your internal suppression list can matter more than the federal registry, legally speaking. It's the list of people who told you, personally, to stop.
The TCPA and the TSR both require you to honor a stop-calling request inside a set window and keep that number on your company-specific do-not-call list indefinitely [5]. The TSR sets the window at "a reasonable time from the date of such request, not to exceed 30 days." Call that person again after day 30 and get sued, and the fact that their number never hit the federal registry means nothing.
In Zapier, internal DNC handling runs one of two ways. Option one: your CRM has a DNC or opt-out field you maintain by hand, and your Zap checks that field before routing any lead forward, before it even hits the external API. Option two: your scrubbing provider lets you upload your suppression list and folds it into the API response. Several support this, and it simplifies the Zap because one call checks everything.
Using the CRM-field approach? Make the process for adding someone to the internal list fast and reliable. A consumer who asked to stop, then got called again 32 days later because someone forgot to flip a field, is a lawsuit in waiting. Automate the suppression add too.
For what the federal list actually covers, see how do I get the do not call list and the do not call telemarketer list for organization registration requirements.
How do state DNC lists change the automation setup?
Several states run their own DNC registries on top of the federal one, and your provider choice decides whether you cover them. States with active, separately maintained lists include Indiana, Texas, Wyoming, Louisiana, Mississippi, Colorado, Tennessee, Idaho, Oregon, and Massachusetts, among others [3]. Rules vary: some lists are free once you register with the state, some charge fees like the federal registry, and scrubbing-frequency requirements differ.
State coverage in your Zapier workflow depends entirely on the API provider. This is the one feature to nail down before you sign. Ask directly: "Does your API check state DNC registries, and which states?" Get the answer in writing. A provider that only checks the federal list while you're dialing into Texas or Indiana leaves you exposed.
If your provider returns state flags in the same response, your Zap needs no structural change. The status already accounts for state-level hits. If your provider skips certain states, add a second Webhook step to a different provider for those states, or pull those states out of your automated dialing and handle them by hand.
State law is moving fast. Florida's mini-TCPA (FTSA) created a private right of action for calls to Florida numbers made with auto-dialing technology and no consent, at $500 per call [7]. A clean DNC result alone doesn't fix FTSA exposure. Documented consent does. Clean DNC plus documented consent is the pair you need.
The cold calling breakdown has a state-by-state view of where outreach is tightest.
How do you document your scrubbing process to protect yourself legally?
Doing the scrub right is half the job. Proving you did it is the other half, and it's the half that wins cases.
Federal courts and the FTC both look for a "reasonable" compliance program when they weigh TCPA and TSR violations. In the cash app TCPA class action settlement and cases like it, whether the defendant could document its process (or couldn't) was central to liability and damages.
For a Zapier workflow, documentation has four parts.
First, log every scrub result. Add a step that writes a row to a Google Sheet or database table: phone number (hashed if you're privacy-minded), scrub date and time, result (clean / flagged / error), and which provider ran the check. That's your timestamped audit trail.
Second, version your Zap. Zapier keeps a history of a Zap's configuration. Before you change the workflow, screenshot or export the current setup. If a call from six months back gets challenged and a plaintiff says you weren't scrubbing right at the time, you can show exactly what the workflow looked like.
Third, document your provider's methodology. Get a written statement or their published docs on what lists they check, how often they refresh, and their SLA for registry currency. File it. To defend a call, you need to show what the scrub actually covered, more than that one happened.
Fourth, train your reps. Automation catches most problems, but a rep who adds leads by hand or skips the CRM intake is a gap the Zap can't see. Write down that reps never call a number that hasn't gone through standard intake, and keep the training records.
LeadCompliant's free compliance kit has a DNC scrubbing documentation checklist you can adapt to your Zapier setup, including the logging template and the vendor documentation request language.
What does this cost to run and is it worth it compared to manual scrubbing?
Real numbers, both ways. Start with manual.
Manual scrubbing through the FTC's own system means registering as an organization accessing the National DNC Registry. The FTC charges per area code per year: $75 for the first area code, $25 for each additional one, up to a maximum of $18,503 for all area codes [2]. That's registry access alone. It buys you none of the staff time to run the scrub, match numbers, update records, and document results.
Say a small team calls 2,000 leads a month across 15 area codes. Rough math: 15 area codes at roughly $25 each after the first is around $350 a year in fees, plus maybe 2 to 4 hours of scrubbing labor per batch. At $25 an hour that's $600 to $1,200 a year in labor, assuming monthly scrubbing. And monthly probably isn't often enough.
Automated Zapier costs:
- Zapier Professional plan: $49/month (billed annually) for 2,000 tasks/month [4]
- Scrubbing API: roughly $0.003 to $0.02 per lookup depending on coverage and volume
- At 2,000 leads/month at $0.01/lookup: $20/month in API costs
- Total: about $70/month, or $840/year
Comparable to the manual price, sure. But the automated version runs in real time, runs every single time without human error, and builds the audit trail for you. The risk-adjusted value isn't close. One missed DNC call that becomes a lawsuit costs $500 to $1,500 at the floor. The gap between manual and automated buys a lot of insurance for under $50 a month extra.
Over 10,000 leads a month, you'll blow past Zapier's task limits and need the Team plan at $299/month or a higher API tier. At that scale, dedicated compliance platforms (some start around $200 to $500/month) may win on economics and features. For the 0 to 5,000 leads/month range, Zapier plus an API is the right tool.
Can you use Zapier to automate DNC scrubbing for text message campaigns too?
Yes, and you should. The TCPA covers text messages sent with an autodialer, and the same DNC registry obligations apply [8]. The FCC's 2003 order confirmed that texts fall under 47 U.S.C. § 227(b)(1)(A) when sent using an automatic telephone dialing system.
The SMS Zap is structurally identical to the voice workflow. The trigger might be a new subscriber in your SMS platform (Attentive, Klaviyo, Postscript, SimpleTexting) or a new CRM lead. The webhook step checks the number. The filter passes clean numbers and flags the rest.
SMS carries one extra layer: consent is stricter. Marketing texts sent with an autodialer require prior express written consent under the FCC's 2012 rules [8]. So your SMS workflow needs two checks: DNC registry status and documented consent. The Zap handles the first. Consent verification comes from your own records, usually a field in your CRM or ESP that logs when and how consent was given.
The text message marketing guide covers the consent and content rules your automated workflow can't handle by itself.
One more note: the FCC's 2024 one-to-one consent rule, which would have required consent specific to a single seller rather than shared across lead aggregator networks, was vacated by the Eleventh Circuit in January 2025 [9]. The practical effect on your automation is that the consent field you track should still record who gave consent and for which company's communications, even with the one-to-one rule off the books. Courts and plaintiffs can still argue inadequate consent under the existing statute.
What should you test before going live with the automated workflow?
Testing a DNC scrubbing Zap is not like testing a marketing automation. A bug that sends the wrong email is embarrassing. A bug that lets DNC numbers through to your dialing queue is a legal event.
Run all five of these before you flip the Zap on for real leads.
Test 1: Known clean number. Use a number you control that's definitely not on any DNC registry. Confirm the API returns clean and the Zap routes the contact forward.
Test 2: Known flagged number. Register a number you control on the National DNC Registry at donotcall.gov [10]. Wait the standard 31-day processing window, then test. Confirm the API returns flagged, the Zap stops the lead, and the CRM field updates.
Test 3: API error simulation. Temporarily plug in an invalid API key or a wrong endpoint URL. Confirm the Zap does not route the lead forward on an error. It should stop silently or fire your error notification, but it should never pass a lead through on an inconclusive result.
Test 4: Internal suppression. Add a test number to your internal DNC field in the CRM. Confirm the Zap catches it before it ever calls the external API.
Test 5: Volume and timing. Import 50 test contacts at once and watch the Zapier task queue. Verify all 50 process inside your acceptable time window, before any of them could hit a rep's dialing queue.
Document each test with a screenshot of the Zap's run history and the CRM outcome. That's part of your compliance record too.
Frequently asked questions
Does Zapier connect directly to the National DNC Registry?
No. Zapier has no native integration with the FTC's National DNC Registry. You connect Zapier to a third-party DNC scrubbing API (like Telnyx, Scrubbing.io, or Neustar) using Zapier's Webhooks step. That provider maintains registry access and returns a clean or flagged result to your Zap. Zapier just moves the data and reads the answer.
How often does the DNC scrubbing Zap need to run per lead?
Once at intake, when the lead first enters your system. But if a lead sits in your CRM more than 31 days before being called, re-scrub it, because the registry updates continuously. Add a second Zap that triggers when a contact moves to an active dialing stage after 30+ days and runs the scrub again before the number reaches a rep.
What happens if the scrubbing API is down when a lead comes in?
By default, if your Zapier Filter checks for a "clean" status and the API returns an error instead, the filter fails and the lead does not proceed. That's the safe default. Add a Zapier error notification step so your team knows the API is down and can hold routing until it's back. Never design the workflow to pass leads through on API errors.
Is a Zapier DNC scrub good enough to use as a legal defense?
It helps, but it's not a complete defense by itself. Courts look at whether you had a reasonable compliance program: documented processes, a reliable scrubbing provider, audit logs of scrub results, and trained staff. Zapier handles the automation. You still need the documentation and vendor methodology on file. This article is general information, not legal advice.
Do I need to scrub numbers if I only call existing customers?
The TSR has an established business relationship (EBR) exemption allowing calls to existing customers regardless of DNC registration, for up to 18 months after the last purchase or transaction. The TCPA has similar but not identical provisions. Autodialer consent rules still apply separately. Confirm EBR eligibility for each contact rather than assuming every past customer qualifies.
How much does a DNC scrubbing API cost for a small team?
Expect $0.003 to $0.02 per lookup depending on coverage (federal only, federal plus state lists, or litigator scrub included). At 1,000 leads a month, that's $3 to $20 a month in API costs. Most providers also offer monthly subscription tiers starting around $50 to $150 a month that include a set number of lookups and more detailed return data.
Can I use Zapier to automate DNC scrubbing for SMS campaigns, more than calls?
Yes. The setup is structurally identical. The TCPA covers text messages sent with an autodialer, so the same DNC registry check applies. For SMS you also need to verify prior express written consent separately, which is stricter than the standard for calls. Your Zap should check both DNC status and your consent records field before routing any number into an SMS send queue.
What Zapier plan do I need for DNC scrubbing automation?
At least the Professional plan, because Webhooks by Zapier (required to call external APIs) isn't on the free plan. Professional costs $49/month billed annually and includes 2,000 tasks per month. A four-step Zap uses roughly three tasks per contact, so 2,000 tasks covers about 650 leads a month before you hit the limit. Higher volume needs the Team plan at $299/month.
Does the TCPA apply to B2B cold calls, and do I still need to scrub?
The National DNC Registry applies to residential numbers. True B2B calls to a business's direct line are generally not covered by the DNC registry. But if you're calling mobile numbers of business contacts, TCPA autodialer consent rules still apply regardless of business purpose. Line type matters. Always scrub mobile numbers even in B2B contexts, and check whether the mobile is also registered as residential.
How long should I keep scrubbing records?
There's no single federally mandated retention period specifically for DNC scrub logs, but the TSR requires telemarketers to keep compliance records for 24 months. Since TCPA claims carry a four-year statute of limitations, keeping scrub logs for four years is the safer practice. Store them somewhere with timestamped write protection so the record can't be altered after the fact.
Can I build this without Zapier using a different automation tool?
Yes. Make (formerly Integromat), n8n, and Tray.io all support webhook calls to external APIs with similar filter and routing logic. The structural pattern is the same. Make tends to be cheaper at higher task volumes than Zapier. n8n has a self-hosted option with no per-task cost if you have someone to run it. The scrubbing API doesn't care which orchestration tool makes the call.
What is the penalty for calling a number on the DNC list?
The FTC can seek civil penalties up to $53,088 per violation under the TSR as of 2024. Private plaintiffs can sue under the TCPA for $500 per call or text, trebled to $1,500 per violation if the court finds the violation was willful. Both the FTC and private plaintiffs can pursue the same conduct, so you face exposure from both directions at once.
What is a litigator scrub and should I include it in my Zapier workflow?
A litigator scrub checks numbers against databases of serial TCPA plaintiffs who have filed or been involved in TCPA lawsuits. Some providers maintain these lists. Adding one as an extra API call in your Zap is straightforward. Whether it's worth the cost depends on your call volume and risk tolerance. It won't stop a legitimate consumer complaint, but it lowers the odds of hitting a plaintiff actively hunting for violations.
Sources
- FTC, Telemarketing Sales Rule civil penalty amounts: Civil penalties under the TSR can reach $53,088 per violation as of 2024, adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act
- FTC, National Do Not Call Registry for organizations (telemarketer access and fees): Registered telemarketers can access updated registry data every 31 days; the FTC charges $75 for the first area code and $25 for each additional area code up to a maximum of $18,503 for all area codes
- NCSL, State Do Not Call Laws: Multiple states including Indiana, Texas, Wyoming, Louisiana, and others maintain their own DNC registries separate from the federal list
- Zapier, Pricing and task limits: Zapier Professional plan includes 2,000 tasks per month; task history is available for 30 days on most plans; Webhooks by Zapier requires a paid plan
- U.S. Code, 47 U.S.C. § 227 (TCPA full text): The TCPA prohibits using an automatic telephone dialing system to call mobile numbers without prior express consent and establishes company-specific DNC list obligations
- FTC, Telemarketing Sales Rule 16 CFR Part 310: The TSR requires telemarketers to honor do-not-call requests within a reasonable time not to exceed 30 days and to maintain company-specific suppression lists
- Florida Legislature, Florida Telephone Solicitation Act (FTSA) Fla. Stat. § 501.059: Florida's FTSA creates a private right of action with $500 per call damages for calls to Florida numbers using auto-dialing without consent
- U.S. Court of Appeals, Eleventh Circuit, Insurance Marketing Coalition v. FCC (Jan. 2025): The Eleventh Circuit vacated the FCC's 2024 one-to-one consent rule in January 2025, which had required consent specific to a single seller
- FTC, donotcall.gov consumer registration: Consumers can register numbers on the National DNC Registry at donotcall.gov; registrations are processed on a rolling basis