Last updated 2026-07-09

TL;DR
Outbound dialer software with compliance features should scrub the DNC registry, enforce call-time limits, store consent records, and let you control answering machine detection. TCPA violations cost $500 to $1,500 per call under 47 U.S.C. § 227, so one unchecked campaign can turn into seven-figure exposure. This guide breaks down which features the law requires, which ones vendors oversell, and how to test a vendor's claims before you sign.
Why does dialer compliance matter so much right now?
TCPA liability has nothing to do with whether you meant well. The statute, 47 U.S.C. § 227, makes it illegal to use an automatic telephone dialing system (ATDS) or a prerecorded voice to call or text a mobile number without prior express written consent, and it sets damages at $500 per violation or $1,500 if the violation is willful [1]. Courts award those numbers per call. Do the math on a 10,000-call campaign with no valid consent and you are looking at $5 million to $15 million before anyone mentions class certification.
Volume is the whole problem. A dialer exists to push call velocity up, and that same velocity turns a small mistake into a mass tort. One bad list. One missed scrub. One auto-dial mode set wrong. Any of those can hand a plaintiff's attorney a class action.
Compliance features are what make the law's requirements workable at scale. They are not a bonus tier. They are the thing that lets you dial thousands of numbers a day without building the plaintiff's case for them.
What is an ATDS and why does the definition change what software you need?
An ATDS is defined in 47 U.S.C. § 227(a)(1) as equipment with the capacity to store or produce telephone numbers using a random or sequential number generator, and to dial them [1]. The Supreme Court read that narrowly in Facebook, Inc. v. Duguid (2021), holding that a system qualifies only if it uses a random or sequential number generator to store or produce the numbers it dials, not merely to dial from a stored list [2]. That trimmed the definition. It did not erase TCPA risk for dialers that pull numbers off a list in sequence.
Here is where software selection gets tricky. Some vendors label their systems "non-ATDS" on the strength of Duguid and use that label to wave off compliance features. That logic is thin. Even if your dialer sits outside the post-Duguid ATDS line, you still face FCC rules on prerecorded calls, DNC obligations, and state laws that often reach further than federal TCPA. One Supreme Court case does not make your compliance stack optional.
Treat your dialer as a source of TCPA exposure unless your own counsel has looked at your specific configuration and told you otherwise in writing. Build the compliance features in either way.
What compliance features should every outbound dialer have?
Some features the law requires. Others vendors bundle in to look thorough. Here is the honest split.
DNC list scrubbing. Every dialer has to scrub against the National Do Not Call Registry before calls go out [3]. The FTC runs the registry and updates it daily. A system that does not scrub automatically, on a schedule you can verify, is a liability. Look for scrubbing at least every 31 days (the FTC's safe harbor window) with a scrub date logged per campaign.
Call-time restrictions. The TCPA bans calls before 8 a.m. or after 9 p.m. in the called party's local time [1]. Sounds simple. It breaks constantly when a team in one time zone runs a national campaign. Your dialer needs to resolve the recipient's time zone from their number, not from your office clock. Cheaper systems use static area-code tables. Better ones do real-time lookups.
Consent recordkeeping. Mobile numbers need prior express written consent. Your dialer or your CRM has to store a timestamped record of how and when each number consented, what they agreed to, and where the consent came from [1]. A compliant dialer either manages consent natively or hooks tightly into a CRM that does. That record is your defense exhibit if you get sued.
Opt-out honoring. The FTC's Telemarketing Sales Rule says opt-outs have to be honored company-wide within 30 days [3]. Your dialer should suppress opted-out numbers automatically and sync that suppression across every campaign. A per-campaign opt-out that never reaches your other campaigns is a common and expensive gap.
AMD (answering machine detection) controls. Leaving a prerecorded message on a cell phone voicemail counts as a call that needs consent [4]. Aggressive AMD settings misread live answers as machines, or miss machines entirely. Either way you need to see how AMD is behaving and be able to tune it. A black-box setting you cannot audit is a problem waiting to surface.
Call-recording disclosure. In two-party consent states (California, Florida, Illinois, and about a dozen more), recording a call without telling the other party breaks state wiretap law, which is separate from TCPA. Your dialer should play a disclosure at the start of the call and log that it played.
Which features are commonly oversold or genuinely optional?
Vendors love pitching "AI-powered compliance" and "real-time consent verification" as premium tiers. Some of it earns its keep. Some is a slide deck.
Real-time DNC lookups sound rigorous but cost more and rarely clear a legal bar you cannot clear otherwise. The FTC safe harbor is 31 days [3]. Daily scrubs cover most operations fine. Real-time lookups add cost and latency without a matching legal payoff, unless you work in a sector like healthcare with tighter rules.
Litigator scrubbing checks your numbers against databases of known TCPA plaintiffs and serial filers. It is not required by law, but it is practical. Some compliance people swear by it. Others call it an arms race, since litigants cycle through new numbers. Nobody has good data on how much it actually cuts lawsuit risk. The cost is usually low enough that adding it is a reasonable call.
Predictive dialing mode is not illegal by itself, but the FTC's TSR caps the abandoned call rate at 2% per campaign per day [3]. A predictive dialer that blows past that without a safeguard puts you in violation. Ask vendors flat out how they measure abandonment and whether the software enforces the cap or just prints it on a dashboard afterward.
STIR/SHAKEN attestation matters more every year. The FCC's rules under the TRACED Act require voice providers to authenticate caller ID with STIR/SHAKEN [5]. If your VoIP carrier cannot give you full A-level attestation, carriers may flag your calls as spam and show recipients "Scam Likely." That is not a TCPA issue on its own. It kills answer rates, and it tells you your carrier stack needs a look.
How do the major dialer types compare on compliance readiness?
Dialers work in different modes, and the mode drives both your exposure and which features you actually need.
| Dialer Type | How It Works | Key Compliance Risk | Minimum Feature Needed |
|---|---|---|---|
| Preview dialer | Agent reviews contact before dialing | Low ATDS risk; manual intent | DNC scrub, time-zone check, consent record |
| Power/progressive dialer | Dials one number per available agent | Moderate ATDS risk | All of the above plus AMD control |
| Predictive dialer | Algorithm dials ahead of agents | Higher ATDS risk; abandonment risk | All above plus abandonment rate cap (2% FTC limit) |
| Ringless voicemail (RVM) | Drops audio directly to voicemail | High TCPA risk; courts split on whether this is a "call" | Written consent; treated as prerecorded message |
| Auto-dialer with prerecorded message | Fully automated, no live agent | Highest risk; written consent required for all mobile numbers | Written consent required; no exemptions |
Ringless voicemail earns its own warning. Courts are split on whether an RVM to a mobile number counts as a "call" under TCPA, and the FCC has not settled it with a final rule [4]. Drop RVMs to mobile numbers without written consent and you are betting on unsettled law. That can be a deliberate risk posture. It should never be something you back into because a vendor told you it was fine.
Running SMS alongside voice? TCPA SMS compliance rules apply on their own track, with their own consent and opt-out requirements.
What should you actually look for in a vendor's compliance claims?
Almost every dialer vendor says it is TCPA compliant. On its own, that phrase means nothing. Here is what to ask instead.
First, get their DNC scrub process documented: how often they pull from the FTC registry, the lag between a registry update and your list getting scrubbed, and whether you get per-campaign scrub logs you could hand to a court. If they cannot answer in writing, walk.
Second, ask exactly how time-zone resolution works. Does the software look up the number's current time zone at dial time, or lean on a static area-code table? Area codes have split and been reassigned enough that static tables carry real risk. Real-time lookups through a number intelligence API are the right answer.
Third, ask what consent data they store and in what format. You want timestamps, the source URL or form name, the exact consent language the person agreed to, and an IP address where it applies. You want it exportable. "We store consent" without a schema they can show you is a red flag.
Fourth, ask whether the system enforces the 2% abandonment cap or just reports it. Enforcement means the dialer throttles the predictive algorithm when the cap gets close, mid-campaign. Reporting means a number you read after the damage is done. You want enforcement.
Fifth, ask their STIR/SHAKEN attestation level with the underlying carrier. A-level means the carrier fully verifies your identity. B and C levels are weaker and get more of your calls flagged [5]. Plenty of small carriers only offer B-level. If answer rates matter to you, and they should, dig into this.
Teams building a compliance stack for the first time can use the free tools and checklist at LeadCompliant to check consent flows, DNC status, and documentation gaps before going live.
How do state laws add requirements beyond federal TCPA?
Federal TCPA is a floor, not a ceiling. Several states go further, and a setup that clears the federal bar can still put you in state trouble.
California reads its Invasion of Privacy Act (CIPA) broadly. Courts have found that session replay tools and certain call-recording practices break CIPA even without a classic wiretap [6]. Florida's Mini-TCPA (SB 1120, effective July 2021) created a private right of action for autodialed calls or texts to Florida numbers, with damages up to $500 per call [7]. Florida courts have stayed busy with these.
Texas, Indiana, and other states run their own DNC registries with separate registration and scrubbing [8]. Call nationally and you may need to register with several state registries on top of the federal one. Some dialers handle multi-state scrubbing natively. Others make you upload state lists by hand.
Washington State lets consumers sue for $500 per violation without proving actual damages, much like TCPA [8]. Tennessee and several others have comparable provisions. The patchwork is real. The safe move is to run every campaign as if the strictest state law that could apply does apply.
Doing B2B outreach across borders makes it thornier still. B2B lead generation platforms and GDPR compliance covers the EU-side obligations that kick in the moment any of your contacts are European.
What does a real compliance workflow look like in practice?
Theory is easy. Here is what a properly configured outbound workflow looks like, step by step.
List ingestion: Before a number reaches your active campaign, it runs through DNC scrub (federal registry plus any state registries that apply), internal opt-out suppression, and consent verification. Fail any check and the number gets suppressed, with the reason logged.
Consent gate: For mobile numbers, the system confirms a valid consent record exists. That record has to show the owner agreed to be contacted by your organization specifically, in language that meets the FCC's prior express written consent standard: clear and conspicuous disclosure, a checkbox that was not pre-checked, and a signature or its electronic equivalent [1]. No valid consent, and the dialer routes the number to manual review or suppresses it outright.
Call-time enforcement: At dial time the system resolves the recipient's local time zone and checks that the clock reads between 8 a.m. and 9 p.m. there. Numbers outside the window wait for the next legal call window.
Abandon-rate monitoring: On predictive campaigns, the system tracks abandoned calls as a share of live answers per campaign per day and enforces the 2% cap. As the cap gets close, the algorithm slows the dial rate automatically, not as a chart you check later.
Opt-out capture: When a called party asks off the list, the agent marks it in the dialer. That suppression syncs to the master opt-out list immediately, applies company-wide, and gets logged with a timestamp. Same rule for automated IVR opt-outs.
Post-campaign audit: Every campaign spits out a log: numbers called, call times, agent, result, DNC scrub date, consent record ID. The log stays in an exportable format. If a complaint or lawsuit lands, that log is your evidence.
The consent piece is where most teams cut the corner. Reading up on SMS opt-in best practices gives you a framework that carries over to both text and voice consent capture.
How much does outbound dialer software with compliance features cost?
Pricing swings widely with call volume, seat count, and how much of the compliance stack is native versus a third-party add-on.
Entry-level compliance-aware dialers (a power dialer with basic DNC scrub and time-zone enforcement) run roughly $50 to $150 per agent per month for most small and midsize teams. This tier usually covers federal DNC scrubbing but may charge extra for state DNC feeds or consent recordkeeping.
Mid-tier platforms with predictive dialing, abandonment enforcement, consent management, and STIR/SHAKEN-aware routing typically run $150 to $400 per agent per month. At this level you generally get audit logs, CRM integration, and basic litigator scrubbing.
Enterprise platforms with full compliance suites, dedicated dashboards, real-time number intelligence, and SLA-backed DNC updates can reach $500 to $1,000-plus per agent per month. For high-volume shops where one bad campaign could mean seven-figure liability, that cost is easy to justify.
Budget separately for add-ons. Direct access to the National DNC Registry costs about $117 per area code per year from the FTC [11], though most dialers bundle it. Number intelligence APIs for real-time time-zone and carrier lookups often add $0.001 to $0.005 per lookup. Litigator scrub databases run on custom pricing tied to volume.
The math is not close. A mid-tier dialer at $200 per agent per month is $2,400 per agent per year. One TCPA judgment at the statutory minimum for a 1,000-call campaign is $500,000. The software is not the expensive line on this page.
What does real TCPA case law say about dialer compliance failures?
Actual outcomes teach more than vendor decks. Two cases and one FCC action tell most of the story.
In Jimenez v. Credit One Bank (S.D.N.Y. 2019), the court awarded $257,000 in TCPA damages for calls made after an opt-out was ignored. The calls came from an automated system, and the defendant could not show that opt-outs were processed and propagated company-wide [9]. That is the exact gap a suppress-and-sync workflow closes.
In Wakefield v. ViSalus (9th Cir. 2022), the court affirmed over $925 million in TCPA damages against a direct sales company for prerecorded calls made without consent. The Ninth Circuit upheld the per-call statutory damages even while acknowledging they ran well past the actual harm to recipients [10]. This is the case that belongs on the wall of every outbound sales floor.
The FCC issues large fines directly too. In 2023 it proposed a $6 million fine against a company for spoofed robocalls that violated the TRACED Act and TCPA [5]. Spoofed caller ID, on its own, draws enforcement.
One thread runs through all of it: defendants lose when they cannot produce documentation. No consent records. No scrub logs. No opt-out timestamps. Your dialer's compliance features are worth exactly as much as the audit trail they leave behind.
How do you evaluate and choose a dialer vendor without getting burned?
Start with a compliance checklist, not a features demo. Put the earlier questions to every vendor before you watch a single walkthrough. Demos are built to impress. Audits are built to find gaps.
Get the DNC documentation in writing before you sign anything. Scrub frequency, registries covered, logs provided per campaign. Ask whether those logs are admissible quality: timestamped, immutable, exportable. A vendor who hedges here is telling you something.
Ask for a sample audit log from a real, anonymized campaign. A vendor that will not show you what a post-campaign compliance export looks like is a vendor you cannot lean on when a plaintiff's attorney sends a discovery request.
Check whether they carry E&O or technology liability insurance, and whether the contract indemnifies you if their system misconfigures and causes a violation. Most contracts push the liability entirely onto you. That is standard. Knowing it means you treat their compliance claims as starting points to verify, never promises to rely on.
Running SMS next to voice? Make sure the vendor's compliance features cover both channels, or that you have a clear second system. TCPA basics for text messaging run on a partly separate regulatory track from voice, and teams that blur the two miss consent rules specific to each channel.
Then run a pilot at low volume with full logging before you scale. This is the single most useful thing a small team can do. A 500-call pilot with clean list management and complete audit logging surfaces the gaps before they grow to class-action size. Scale only once you can see that every number in your logs has a matching consent record, a clean DNC clear, and a legal call time.
Frequently asked questions
Does my outbound dialer need to scrub against the National DNC Registry before every campaign?
Yes. The FTC's Telemarketing Sales Rule requires scrubbing against the National Do Not Call Registry no more than 31 days before you make a call [3]. Most compliant dialers automate this on a rolling basis. You also have to register as a subscription organization with the FTC to access the registry, which costs about $117 per area code per year for high-volume users. Skipping the scrub is one of the easiest TCPA and TSR violations for a plaintiff to prove.
Is predictive dialing legal under TCPA?
Predictive dialing to mobile numbers without prior express written consent is illegal under TCPA if the system qualifies as an ATDS. Even outside the post-Duguid ATDS definition, the FTC's Telemarketing Sales Rule still caps abandoned calls at 2% of live answers per campaign per day. A predictive dialer that exceeds that with no enforcement mechanism draws FTC action separate from TCPA. You need both consent and abandonment controls.
What is prior express written consent and how does a dialer capture it?
Prior express written consent under 47 C.F.R. § 64.1200 means the called party signed or electronically agreed to receive autodialed or prerecorded calls after a clear disclosure of what they were agreeing to. The dialer does not capture this itself. Consent happens at the lead source: a web form, a verbal confirmation, an e-sign. The dialer's job is to verify a consent record exists before dialing and to log the record ID. Break that link and you have no defense.
Can I call a cell phone without consent if it is a business number?
The TCPA has no blanket B2B exemption. A cell registered to a business is still a cell. The FCC and courts have generally held that TCPA protection attaches to the number type (wireless), not to how the number is used. A few courts have found implied consent in narrow B2B contexts, but do not build a compliance strategy on that. Written consent is the safe path for any mobile number, business or personal.
What is the 2% abandonment rule and how does it apply to outbound dialers?
The FTC's Telemarketing Sales Rule, 16 C.F.R. § 310.4(b)(1)(iv), limits abandoned calls to no more than 2% of all calls answered by a live person per campaign per day [3]. An abandoned call is one the system disconnects because no agent is free. Dialers have to measure this per campaign and per day. Software that enforces the cap by slowing the dial rate beats software that only reports the number after the fact.
Do outbound dialers need to handle state DNC lists separately from the federal registry?
Yes, if you call into states that run their own DNC registries. Texas, Indiana, Wyoming, and several others maintain separate lists with separate registration [8]. Federal scrubbing does not cover state-only registrants. Running national campaigns means either working with a vendor that bundles multi-state scrubbing or folding in state lists by hand. Ignore this and you expose yourself to state-level private rights of action.
What is STIR/SHAKEN and why does it matter for outbound dialing?
STIR/SHAKEN is an FCC-mandated caller ID authentication framework under the TRACED Act [5]. It assigns an attestation level (A, B, or C) to outbound calls based on how well your carrier can verify your identity. A-level signals a verified caller. Lower levels get your calls flagged as spam or labeled "Scam Likely." This does not create TCPA liability on its own, but it drops answer rates enough to matter operationally.
Is ringless voicemail legal under TCPA?
This is genuinely unsettled. The FCC has not issued a definitive rule on whether ringless voicemail (RVM) to mobile numbers counts as a "call" under TCPA. Some courts have found RVM needs consent; others have not ruled clearly. The practical risk runs high. If a court or the FCC eventually decides RVM is a call and you have been dropping RVMs to mobile numbers without written consent, the exposure is the same $500 to $1,500 per voicemail as any other TCPA violation.
What records should my dialer software be keeping for TCPA defense?
At minimum: the timestamp and identity of every call placed, the DNC scrub date for that number, the consent record ID and source for mobile numbers, the agent or campaign that placed the call, and any opt-out events with timestamps. These records have to be exportable in a format usable for discovery. Most courts that awarded large TCPA damages did so partly because defendants could not produce this documentation. The log is your evidence.
How does AMD (answering machine detection) create compliance risk?
Aggressive AMD settings produce false positives, where a live person picks up but the system tags them as a machine and either drops the call or plays a prerecorded message. A dropped live call counts toward your abandonment rate. A prerecorded message played to a live answer on a mobile number without prerecorded-message consent is a potential TCPA violation. You need to see your AMD accuracy rate and tune its sensitivity, not accept a vendor default you cannot audit.
What questions should I ask a dialer vendor before signing a contract?
Ask: How often do you scrub the federal DNC registry, and which state registries are included? How does time-zone resolution work at dial time? What does a post-campaign compliance audit log look like, and can I export it? How is the 2% abandonment cap enforced, software cutoff or dashboard reporting? What STIR/SHAKEN attestation level does your carrier provide? What consent data do you store, in what format, and for how long? Get the answers in writing.
Can a small outbound team (under 10 agents) afford proper TCPA compliance tools?
Yes, and it cannot afford to skip them. Entry-level compliance-aware dialers start around $50 to $150 per agent per month. For a team of five, that is $250 to $750 a month. One TCPA judgment at minimum statutory damages, even for a small campaign, runs orders of magnitude higher. Free tools like the checkers at LeadCompliant can cover documentation gaps before you commit to a paid platform. The budget question is real. The risk math is not.
Does TCPA apply to B2B cold calling on landlines?
TCPA's autodialer and prerecorded-message restrictions bite hardest on wireless numbers. Autodialed calls to landlines are less restricted, but prerecorded messages to residential landlines without consent are still prohibited. Business landlines get somewhat more room under TCPA, though state telemarketing laws and the FTC's TSR still apply. The safe path for any cold-calling program is to treat mobile numbers as requiring written consent, consumer or business.
What is the difference between a power dialer and a predictive dialer for compliance purposes?
A power dialer dials one number per available agent, so an agent is always ready when someone answers. That design removes the abandonment problem. A predictive dialer dials ahead of agent availability using an algorithm, which lifts call velocity but creates abandoned calls when more people answer than agents are free. Predictive dialers need abandonment monitoring and enforcement at the 2% FTC cap. Power dialers carry lower compliance overhead on this specific issue.
Sources
- U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA statutory damages are $500 per violation or $1,500 for willful violations; calls to mobile numbers require prior express written consent; call times restricted to 8 a.m. to 9 p.m. local time
- Supreme Court of the United States, Facebook, Inc. v. Duguid (2021): The Supreme Court held that an ATDS must use a random or sequential number generator to store or produce the numbers it dials, narrowing the TCPA autodialer definition
- Federal Trade Commission, Telemarketing Sales Rule (16 C.F.R. Part 310): TSR requires DNC scrubbing within 31 days, caps abandoned calls at 2% of answered calls per campaign per day, and requires company-wide opt-out honoring within 30 days
- California Attorney General, California Invasion of Privacy Act (CIPA) overview: California's CIPA applies broadly to call recording and certain electronic interception without two-party consent
- Florida Legislature, Florida Telephone Solicitation Act / SB 1120 (2021 amendment): Florida's Mini-TCPA effective July 2021 created private right of action for autodialed calls or texts to Florida numbers with damages up to $500 per call
- National Conference of State Legislatures, State telemarketing and do-not-call laws overview: Multiple states including Texas and Indiana maintain separate DNC registries with independent registration and scrubbing requirements; Washington State allows $500 per violation private actions
- Jimenez v. Credit One Bank, N.A., 15-cv-9018 (S.D.N.Y. 2019): $257,000 TCPA judgment awarded for autodialed calls made after opt-out requests because defendant could not show opt-outs were processed and propagated company-wide
- Wakefield v. ViSalus, Inc., 51 F.4th 1109 (9th Cir. 2022): Ninth Circuit affirmed over $925 million in TCPA statutory damages for prerecorded calls made without consent, upholding per-call damages even where they exceeded actual harm
- FTC, National Do Not Call Registry information for telemarketers: Access to the National DNC Registry costs approximately $117 per area code per year for subscription organizations placing high-volume calls