How to write a TCPA compliance policy for a five-person sales team

A practical, step-by-step guide to writing a TCPA compliance policy for small outbound teams. Covers consent, DNC scrubbing, call hours, and training.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-10

Two sales team members reviewing a printed TCPA compliance policy at a desk
Two sales team members reviewing a printed TCPA compliance policy at a desk

TL;DR

A TCPA compliance policy for a small sales team needs five things: a written consent standard, a do-not-call scrubbing process, call-hour rules, a revocation procedure, and documented training. You can build a working version in one afternoon. Fines run $500 to $1,500 per call or text, and plaintiffs' lawyers target small teams because they usually have no paper trail.

Why does a five-person team need a written TCPA policy at all?

Small teams think TCPA suits are a big-company problem. They are wrong.

The Telephone Consumer Protection Act, 47 U.S.C. § 227, applies to any person or entity making autodialed calls, prerecorded calls, or text messages to cell phones without prior express consent [1]. There is no carve-out for teams under ten people. Plaintiffs' lawyers actually prefer small teams. Fewer internal controls, no legal department, and settlements happen faster and cheaper than a full trial.

The statutory penalty is $500 per violation. It jumps to $1,500 if the court finds the violation was willful or knowing [1]. One rep who dials 50 unconsented cell phones in a morning can expose the company to $25,000 to $75,000 before lunch. A class action multiplies that by every similarly situated person who got the same call.

A written policy does three things. It tells your reps exactly what they can and cannot do, which cuts accidental violations. It creates a paper trail showing the company acted in good faith, which matters a lot in settlement talks and in deciding whether a violation was "willful." And it forces you to actually build the processes (consent capture, DNC scrubbing, opt-out handling) that the policy describes.

If you have ever wondered what happens when those processes do not exist, the cash app tcpa class action settlement and credit one tcpa settlement are instructive reading. Both involved companies that had the technology to comply and simply did not build the workflow around it.

What does TCPA actually prohibit that a sales team would do?

The statute covers four things that matter for outbound sales [1]. Autodialed calls or texts to cell phones without prior express consent. Prerecorded or artificial-voice calls to cell phones without prior express consent. Calls to numbers on the National Do Not Call Registry, subject to the established business relationship (EBR) exception. And any call or text to a number after the recipient has asked you to stop.

The word "autodialer" has been fought over for years. The Supreme Court's 2021 decision in Facebook, Inc. v. Duguid narrowed it: a dialer must use a random or sequential number generator to store or produce numbers [2]. That helped companies running predictive dialers off a fixed list, but the practical effect depends on your exact technology. If your dialer has any capacity to generate numbers randomly, you are still in autodialer territory.

Prerecorded messages are simpler. Drop a voicemail with a ringless voicemail service, and that is a prerecorded message. It needs prior express written consent for telemarketing [3].

Texts count as calls under the TCPA. Every marketing text to a cell phone triggers the same consent requirement as an autodialed call. This catches small teams off guard constantly, especially once they start using SMS platforms to scale. The tcpa rules for texts and the text message marketing implications are worth reading before you send your first campaign.

For calls to numbers on the do not call list, you need either written consent or a valid EBR (a purchase within the last 18 months, or an inquiry without a purchase within the last 3 months) [4].

What are the core sections every small-team TCPA policy needs?

A workable policy for five people does not need to run fifty pages. It needs to be accurate, specific, and actually read. Here are the sections you need.

1. Scope and ownership State who the policy applies to (every rep, every contractor, every vendor who calls or texts on your behalf), who owns it (name a specific person, not a title), and when it was last updated.

2. Consent standards Define the two consent tiers and when each applies.

  • Prior express consent: needed for non-telemarketing informational calls to cell phones using an autodialer or prerecorded message. The FCC has said this can be established when someone gives a number in a context that implies it will be used for that purpose [3].
  • Prior express written consent: needed for any telemarketing call or text to a cell phone. "Written" includes electronic records. The consent must be a signed agreement that clearly authorizes calls or texts, names your company, and states the consumer is not required to consent as a condition of purchase [3].

Your policy needs to say, in plain language, which tier applies to each type of outreach your team does, and where consent records are stored.

3. Do Not Call scrubbing Every number gets checked against the National DNC Registry before a call or text. The FCC requires telemarketers to access the registry every 31 days at minimum [4]. Your policy needs to name the tool you use, who runs the scrub, and how often. It also needs to cover your internal DNC list, which must capture anyone who asks not to be called and honor that request within 30 days, indefinitely.

4. Call-hour restrictions Calls may only go out between 8 a.m. and 9 p.m. in the recipient's local time zone [4]. Your policy must state this rule and explain how your team figures out the recipient's time zone, because "I assumed they were in my time zone" is not a defense.

5. Revocation and opt-out handling Any request to stop calls or texts must be honored. The FCC's 2024 order clarified that revocation must be honored within a reasonable time, which the FCC treats as no more than 10 business days [5]. Your policy needs a process: who logs the opt-out, where it goes, and how quickly it reaches your dialer or SMS platform.

6. Training and acknowledgment Every rep reads the policy, confirms they understand it, and signs or digitally acknowledges it. Do this at hire and once a year after that. Keep the records.

7. Vendor oversight If you use a lead vendor, a dialer company, or a texting platform, your policy must require written warranties from them that they comply with TCPA. You can be liable for your vendors' violations if you had reason to know and took no steps [6].

TCPA penalty exposure for a five-person outbound team Per-violation fines under 47 USC 227, plus common thresholds $500 Standard TCPA fine per violation $1,500 Willful violation fine per call or text $69 DNC Registry cost per area code/year $20k DNC Registry national cap (all area codes) Source: 47 USC 227 (Cornell Law), FTC DNC Registry fee schedule

Consent is only as good as your ability to prove it. A verbal "yes" over the phone is almost impossible to defend. Build for documentation.

For web-generated leads, your lead capture form needs a clear disclosure that submitting the form authorizes calls and texts from your company, lists the phone number that may be used, and does not condition the submission on consent. The disclosure should sit right next to the phone number field, not buried in a terms-of-service link [3]. Capture the IP address, timestamp, and form content at submission. Store that record indefinitely or for at least four years, which is the longest TCPA statute of limitations in any circuit.

For phone-in leads, if a prospect calls you and gives their number, you have prior express consent for informational callbacks. You do not have prior express written consent for telemarketing. To market to them, you need a separate disclosure and agreement during that call, which means a verbal recording with specific language or a follow-up email with a consent link.

Purchased lists are where most small teams get burned. Lead vendors love to claim consent was captured at the original opt-in. Your policy must require the vendor to hand over the specific consent language, the URL where it was captured, and the timestamp. If they cannot produce that, the list is not safe for autodialed or prerecorded calls to cell phones. Period.

For cold calling on a manual basis (a human rep dials with no autodialer), the TCPA consent requirement for cell phones technically applies only to autodialers and prerecorded messages. A truly manual cold call to a cell phone does not trigger the TCPA autodialer rules, though the DNC rules still apply. Your policy should draw a clean line between manual and automated outreach.

How do you handle the National DNC Registry for a small team?

You need a subscription to the National Do Not Call Registry if you make telemarketing calls. The FTC runs it. Access costs $69 per area code per year, with a maximum of $19,817 for all area codes nationwide under the FTC's fee schedule [7]. For a small team calling a few states, the per-area-code price matters more than the national cap.

Scrub your calling list against the registry before your first call and at least every 31 days after [4]. If someone registers their number and you call more than 31 days later, you have no defense based on the registration date.

Beyond the national registry, you need an internal DNC list. Anyone who says "take me off your list" or "don't call me again" goes on it immediately. Your policy should set a maximum propagation time. Same business day is the standard practice. The FCC requires you honor it within 30 days, but faster is safer.

Several states run their own registries on top of the federal one. Your policy should list the states you call and flag whether each has a separate registry requirement. Call consumers in Florida, for example, and Florida's Telephone Solicitation Act has registration requirements for the company itself [8].

The do not call telemarketer list rules and the question of how do i get the do not call list work differently for businesses than for consumers. Your policy should spell out how your company gets and maintains its subscription.

For mobile phone do not call list numbers, cell phones on the national DNC registry get the same protection as landlines. The myth that there is a separate cell-phone DNC list is false. Cell numbers on the national registry are protected [9].

What call-hour and time-zone rules must the policy include?

The rule is short: calls only between 8 a.m. and 9 p.m. local time at the called party's location [4]. The hard part is figuring out "local time."

For a five-person team, you have a few practical options. Use a dialer with built-in time-zone detection based on area code, which works for landlines but is shaky for cell phones (a California area code on someone who moved to New York is still a California area code). Use a data append service that returns time zone with the record. Or make a policy choice: unless you have verified time-zone data, you call only during the window safe for every contiguous U.S. time zone, which is 11 a.m. to 6 p.m. Eastern. That is conservative, but it kills the risk.

Your policy should also address federal and state holidays. TCPA itself does not list holiday restrictions, but several state laws do, so name which state rules apply to your team.

One rep calling Hawaii at 7:00 a.m. Hawaii time from an East Coast office is a real scenario. Your policy needs to make checking the time easy, not leave a rep doing mental math at the start of a busy dial session.

How should the policy handle opt-outs and revocation requests?

This is the section most small-team policies skip or write vaguely. It is also one of the most litigated areas in TCPA.

The FCC's 2024 order on revocation (FCC 24-59) said consumers can revoke consent through any reasonable means, beyond the method the company specifies [5]. So a rep who gets a text reply saying "STOP," or hears "don't call me again" during a call, or gets a voicemail asking to be removed, has to treat all of those as valid opt-outs. You cannot force a consumer to use one specific method.

The statute requires honoring revocations within a "reasonable time." The FCC's 2024 order treats 10 business days as a safe harbor for most contexts [5]. Your policy should beat that. Aim for 24 hours on text opt-outs (automated STOP handling is table stakes for any SMS platform) and same-day entry into your internal DNC list for verbal requests.

Your policy must also address multi-channel opt-outs. If someone opts out of texts, does that opt them out of calls? The safest default is yes, unless you hold separate consent records for each channel. Document your decision either way.

Opt-outs are permanent. There is no expiration. Your internal DNC list does not get purged after a year. The only time you can re-contact someone who has opted out is if they reach out to you first, clearly re-establishing consent. Say this explicitly in the policy.

What should rep training cover and how do you document it?

Training is where the policy becomes real. A document no one has read is not a defense.

At minimum, train every rep on what an autodialer is and whether your tools qualify, how to identify and log an opt-out request in real time, the call-hour rules and how to check time zones, where consent records live and how to look up a number's consent status before calling, and what to do when they are unsure (the answer is always "stop and ask the policy owner before calling").

For a five-person team, a one-hour group session with a written quiz works fine. The quiz does not need to be hard. Its job is to generate a signed acknowledgment you can produce if you get sued. Keep copies of the quiz, the date, and who passed it.

Run annual refresher training. The law shifts (the 2024 FCC order changed opt-out rules, and more changes are always in the pipeline), and reps forget. Annual training also resets your "willfulness" clock for penalty purposes, because it shows ongoing good-faith effort.

For documentation, a simple shared spreadsheet works if it records name, date, and a signature or digital acknowledgment. A formal LMS (learning management system) is nicer but not required for five people. What matters is that the record exists and is hard to alter after the fact.

How do you vet and manage lead vendors to stay TCPA-safe?

Lead vendor liability is one of the fastest-growing areas of TCPA litigation. Courts have held that companies can be vicariously liable for TCPA violations by their lead vendors when the company knew of or ratified the vendor's conduct [6].

Your policy needs a vendor onboarding checklist. Before you buy a single lead, require the vendor to hand over the exact opt-in language used on their capture page, the URL and a screenshot of that page, a sample consent record (IP, timestamp, form data), their internal DNC scrubbing process, and a written warranty in the contract that their leads comply with TCPA.

If the vendor balks at any of that, do not buy the list. A cheap lead that generates a TCPA suit costs far more than a clean lead from a compliant source.

After onboarding, your policy should require periodic audits. Pull 10 random records from the vendor and confirm the consent documentation exists. If a rep gets an "I never signed up for anything" complaint, your first call is to the vendor to pull that specific consent record. Document everything.

For any vendor who cannot produce consent documentation within 48 hours of a request, stop calling their leads and put them on your internal vendor DNC list.

What does a compliant policy look like in practice, day to day?

Here is what a compliant workflow looks like for a small outbound team on a typical morning.

The lead list was scrubbed against the National DNC Registry within the past 31 days. Every number carries a consent record: either a web form submission with IP and timestamp, or a documented verbal opt-in. Before the dial session starts, the rep confirms the time zone of the numbers they are calling (built into the dialer or checked manually). Calls go out between 8 a.m. and 9 p.m. local time for each recipient.

During calls, if a prospect says "stop calling me" or "take me off your list," the rep logs it in the CRM immediately, before moving to the next number. At day's end, someone (the policy owner, or the rep) exports the day's opt-outs and adds them to the internal DNC list. If the team uses SMS, the texting platform handles STOP replies automatically, but the policy owner confirms weekly that the automation is working.

Once a month, the policy owner runs the new DNC scrub, checks the vendor's consent documentation on any new lists, and confirms the dialer settings still fit the autodialer definition your legal counsel signed off on.

LeadCompliant's free number-checker and compliance kit can help you build the scrubbing and consent-verification steps into this routine without building everything from scratch.

This is not complicated. It is a series of checklists that someone has to own. For five people, that means one person has to care about this and stay current on the rules.

How do state TCPA-equivalent laws change what your policy needs?

Federal TCPA is the floor. States go further, and some go a lot further.

California's Invasion of Privacy Act (CIPA) and its overlap with TCPA has driven enormous litigation in the past three years. Florida's Telephone Solicitation Act (FTSA) expanded the state-law definition of autodialer well past the federal Facebook v. Duguid standard, reaching technology that dials from a list even without random or sequential number generation [8]. Texas, Washington, and Oklahoma each have state telemarketing laws with their own registration, call-hour, or consent requirements.

Your policy needs a section that lists the states where your team calls consumers and identifies any state-specific requirements. At a minimum:

  • Florida: review FTSA requirements. The consent standard is stricter than federal TCPA for texts [8].
  • California: review CIPA and whether your recording practices need two-party consent (they do for calls into California).
  • Washington: the state has its own charitable solicitation and commercial telephone solicitation laws with registration requirements.

If you call consumers nationally, your policy should note that you have reviewed state-specific requirements and will update the policy before your team starts calling into a new state.

State penalties can stack on top of federal TCPA penalties. A CIPA claim can carry $5,000 per violation under California law, on top of any TCPA exposure. Your policy needs to acknowledge this so reps understand the stakes run past the federal number.

How often should you review and update the policy?

TCPA law moves fast. The FCC issued a major order in 2024 that rewrote opt-out rules [5]. Before that, Facebook v. Duguid in 2021 changed the autodialer definition [2]. Before that, the 2015 FCC Omnibus Order expanded consent requirements a lot [3].

Your review schedule should be simple: a full review any time there is a major FCC order or Supreme Court decision touching TCPA, and an annual review no matter what. The annual review should check whether your state list has changed (new states you are calling, or new state laws in states you already call), whether your vendors changed their consent-capture pages, and whether your dialer or SMS platform changed its technology in a way that affects your autodialer analysis.

Mark the last-updated date on the policy document itself. Courts look at whether a policy was current at the time of the alleged violation. A policy last updated in 2019 that does not reflect the 2021 autodialer change looks like willful ignorance, not good faith.

For a five-person team, the annual review takes a few hours. Set a calendar reminder. The policy owner reads the current FCC guidance, checks TCPA-focused compliance resources for recent case outcomes, updates the relevant sections, and gets everyone to re-acknowledge the new version.

Frequently asked questions

Does a small sales team actually need a written TCPA policy, or is verbal training enough?

Verbal training leaves no record. If you are sued, you need to show the court a documented, good-faith compliance program: a written policy, signed acknowledgments, and a paper trail. Without documentation, a single violation looks willful (tripling the penalty to $1,500 per call) because you cannot prove the team was trained otherwise.

Prior express consent covers informational autodialed calls to cell phones (appointment reminders, delivery alerts). Prior express written consent is required for any telemarketing call or text. Written consent must be a signed agreement, electronic signatures count, and it must clearly name your company, state the communication method, and confirm consent is not a purchase condition. FCC rules at 47 CFR 64.1200 define both tiers.

How often does a small team need to scrub against the National DNC Registry?

At minimum every 31 days. FCC rules require telemarketers to access and sync to the current registry within 31 days of calling a number. If you scrub on day 1 and call on day 32 without re-scrubbing, you have no safe harbor for a number that registered on day 2. For small teams, monthly scrubs tied to your lead import is the most reliable approach.

Can a five-person team use a predictive dialer after Facebook v. Duguid?

Possibly. Facebook v. Duguid held that a dialer must use a random or sequential number generator to qualify as an ATDS under federal TCPA. If your predictive dialer pulls exclusively from a pre-loaded list with no capacity to generate numbers randomly, you may fall outside the federal ATDS definition. But Florida's FTSA and some other state laws define autodialers far more broadly, so check your state rules before assuming you are clear.

What happens if a rep ignores an opt-out during a call?

The company is liable. TCPA liability is entity-level, beyond rep-level. If a rep hears 'don't call me again' and calls the number again without honoring it, that is a willful violation carrying up to $1,500 per subsequent call. That is why the policy must have a real-time opt-out logging procedure, and why reps must treat any opt-out language as an immediate stop instruction.

Do the TCPA call-hour rules apply to texts as well as calls?

Yes. The FCC applies the same 8 a.m. to 9 p.m. local time restriction to text messages because texts qualify as 'calls' under TCPA. Time zone is measured at the recipient's location. Scheduling a marketing text at 9:30 p.m. Eastern to a list that includes Pacific-time recipients is compliant for Eastern recipients and a violation for Pacific recipients who have not yet reached 9 p.m.

Can we rely on a lead vendor's claim that their leads are TCPA-compliant?

Not without documentation. Courts have found companies vicariously liable for vendor violations when they had reason to know and took no steps to verify. Your policy must require vendors to produce the specific consent language, capture URL, and a sample record with IP and timestamp. A contract warranty alone is not enough if the vendor's actual practices were non-compliant.

What records do we need to keep and for how long?

Keep consent records, DNC scrub logs, opt-out logs, training acknowledgments, and vendor contracts. TCPA's statute of limitations is four years in the Ninth Circuit and some others, two to three years elsewhere. Store for at least four years to be safe. For consent records specifically, match the longest possible statute of limitations in the states where you call.

Yes. The FCC treats ringless voicemails (direct-to-voicemail drops) as prerecorded or artificial voice messages under TCPA, requiring prior express written consent for telemarketing. The FCC's 2021 declaratory ruling addressed this. Using a ringless voicemail platform to drop marketing messages without written consent is a TCPA violation even though the phone never rings.

An inbound call establishes prior express consent for informational callbacks using an autodialer or prerecorded message. It does not automatically establish prior express written consent for marketing texts or calls. To send marketing texts to someone who called in, you need a separate consent agreement: a verbal disclosure recorded during the call, or a written opt-in sent to them immediately after.

What should our TCPA policy say about calling cell phones versus landlines?

The autodialer consent requirement under federal TCPA applies specifically to cell phones. Landline calls using a prerecorded message require consent, but landline autodialed calls without a prerecorded message are treated differently. In practice, append the number type before calling. Calling a cell phone without consent, assuming it was a landline, is not a defense. Your policy should require a number-type check before any automated outreach.

How does the 2024 FCC order change our opt-out procedures?

FCC 24-59 requires companies to honor revocation through any reasonable means the consumer chooses, beyond a company-specified method. It also confirmed a 10-business-day safe harbor for honoring revocations. Your policy must allow opt-outs by phone, text, email, or any other method a consumer uses, and must route all of those to your internal DNC list within the safe-harbor window.

Does TCPA apply to B2B sales calls?

TCPA applies to calls and texts to phone numbers, not to the type of buyer. If a business contact gives you their cell phone number and you autodial or text it for marketing, TCPA applies. The main practical difference is that B2B contacts rarely join class actions, so your risk profile is lower. But the legal exposure is real, and your policy should treat any cell number, business or personal, with the same consent standard.

What is a reasonable TCPA policy update schedule for a small team?

Annual at minimum, plus an immediate review after any major FCC order or federal court decision on TCPA. The 2021 Facebook v. Duguid decision, the 2024 FCC revocation order, and state changes like Florida's FTSA all required policy updates. Set a calendar reminder for the same month each year. The review should take two to four hours for a small team with a well-organized policy.

Sources

  1. U.S. Code, 47 USC 227, Telephone Consumer Protection Act: TCPA imposes $500 per violation and $1,500 for willful violations; applies to autodialed calls and texts to cell phones without prior express consent
  2. U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): An ATDS must use a random or sequential number generator to store or produce phone numbers; predictive dialers using fixed lists may not qualify
  3. FCC, 2015 TCPA Omnibus Declaratory Ruling and Order (FCC 15-72), Federal Communications Commission: Prior express written consent for telemarketing requires a signed agreement naming the seller and stating consent is not a condition of purchase; ringless voicemails are prerecorded messages
  4. FCC, Telephone Consumer Protection Act (TCPA) regulations, 47 CFR 64.1200: Calls restricted to 8 a.m. to 9 p.m. local time; DNC registry must be accessed within 31 days before calling; EBR window is 18 months for purchases and 3 months for inquiries
  5. FCC, Report and Order on Consent Revocation (FCC 24-59, 2024), Federal Communications Commission: Consumers may revoke consent through any reasonable means; 10 business days is the safe harbor for honoring revocations
  6. FTC, Complying with the Telemarketing Sales Rule: Companies can be vicariously liable for violations by lead vendors and third-party callers acting on their behalf
  7. FTC, National Do Not Call Registry, Registry fee schedule: DNC Registry access costs $69 per area code per year; maximum fee for all area codes is $19,817
  8. Florida Legislature, Florida Telephone Solicitation Act, Section 501.059, Florida Statutes: Florida's FTSA defines autodialer more broadly than federal TCPA; applies to technology that dials from a list even without random or sequential number generation
  9. FTC, National Do Not Call Registry, Information for Businesses: Businesses must scrub calling lists against the registry before calling; registry reflects registrations within 31 days
  10. FCC, Consumer guides on unwanted calls and texts, Federal Communications Commission: Text messages qualify as calls under TCPA; cell phones on the National DNC Registry receive the same protection as landlines

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit