TCPA compliance dialing software for contact centers: what you actually need

TCPA fines hit $500, $1,500 per call. This guide covers what dialing software must do, how autodialers are defined, and how to audit your stack today.

LeadCompliant Team
27 min read
In This Article

Last updated 2026-07-09

Empty contact center desks with headsets and monitors in late afternoon light
Empty contact center desks with headsets and monitors in late afternoon light

TL;DR

TCPA-compliant dialing software for contact centers has to suppress DNC numbers, store consent records, avoid ATDS-triggered dialing without consent, and log every call or text with a timestamp. One bad campaign can trigger statutory damages of $500 to $1,500 per call. The software does not make you compliant. Your configuration, your consent workflows, and your suppression hygiene do.

What does TCPA compliance actually require from dialing software?

The Telephone Consumer Protection Act, 47 U.S.C. § 227, controls how businesses call or text consumers with automated technology [1]. The core rule is short: you need prior express consent before you use an automatic telephone dialing system (ATDS) or a prerecorded voice to reach a wireless number. For telemarketing calls to residential landlines, you need prior express written consent. That single consent requirement shapes everything a compliant dialing platform has to do.

Software does not make you compliant. What software does is enforce the rules your team sets up. It scrubs numbers against the National Do Not Call Registry before each campaign, holds your internal DNC list, flags numbers that arrived without consent documentation, and logs call metadata you can produce in litigation. Skip any of those steps in your configuration and the software is just a fast way to break the law at scale.

The FCC's 2015 Declaratory Ruling and Order (FCC 15-72) read the ATDS definition broadly. Then the Supreme Court narrowed it in Facebook v. Duguid (2021), holding that an ATDS has to use a random or sequential number generator to store or produce numbers [2]. That distinction drives your dialer choice. A predictive dialer that pulls numbers from a pre-loaded list and dials them in order is, under Duguid, arguably not an ATDS. But carriers, courts, and class-action plaintiffs still fight over this. Treat any high-volume automated dialer as ATDS-equivalent until the appellate courts finish settling the dust. That posture costs you almost nothing and covers a lot.

Here is the practical floor for any contact center dialing platform:

  • Scrub against the federal DNC registry every 31 days at minimum [3]
  • Maintain and apply an internal DNC list within 30 days of an opt-out request [3]
  • Store consent records (source, timestamp, IP address, the exact language presented) in a retrievable format
  • Log call disposition, duration, and ATDS vs. manual dial method
  • Restrict calling hours to 8 a.m. to 9 p.m. local time for the called party [1]
  • Honor wireless number restrictions separately from landline rules

How does the ATDS definition affect which dialer technology you choose?

Facebook v. Duguid, decided in April 2021, changed the battlefield. The Supreme Court held that the ATDS definition in 47 U.S.C. § 227(a)(1) covers equipment that uses a random or sequential number generator to store or produce numbers to be called [2]. A dialer that calls a pre-uploaded list in a fixed order does not fit that definition under the majority's reading.

Why does this matter for what you buy? Predictive dialers, power dialers, and preview dialers that work from a contact list you supply now sit in a legal gray zone that is friendlier than it was pre-2021. The gray zone is not a safe harbor. Several state courts and plaintiff attorneys argue that certain auto-dialing features still trip state-level ATDS analogs after Duguid. California, Florida, and Washington run their own mini-TCPA statutes with different definitions [4]. If you operate nationally, you design to the strictest state, not the federal floor.

The practical effect on software choice:

Dialer TypePost-Duguid Federal ATDS RiskNotes
Preview dialer (agent initiates each call manually)LowLowest risk, lowest volume
Power dialer (auto-dials on agent availability)MediumDepends on number-generation logic
Predictive dialer (algorithm paces ahead of agents)Medium-HighAbandoned call rules also apply
Robo/blast dialer (prerecorded, no live agent)HighConsent required regardless of Duguid

The FCC's abandoned call rule under 47 C.F.R. § 64.1200(a)(7) caps abandoned calls at 3% of calls answered over a 30-day period [5]. An abandoned call is one that is not connected to a live agent within two seconds of the called party's completed greeting. That rule applies whether or not your system qualifies as an ATDS. Most predictive dialers have a configurable abandon-rate cap. Verify it is enforced at the carrier level, more than displayed in the UI.

What specific features should you look for in TCPA-compliant contact center software?

Half the features in a vendor deck map to nothing that protects you in court. Here is what actually matters.

DNC scrubbing, more than DNC access. A compliant platform scrubs your list against the federal DNC registry automatically before each campaign, and lets you upload your own internal DNC list. Some platforms charge extra for real-time scrubbing over batch scrubbing. Real-time is worth it if you're calling fresh inbound leads who may have registered on DNC in the last 24 hours.

Consent records tied to the phone number. When a lead fills out a form or gives verbal consent, that record has to attach to the phone number in your CRM or dialer and survive data migrations. The record should capture the date and time, the source URL or call recording reference, and the exact disclosure language shown or read. The FCC requires that written consent be signed and contain specific disclosures [5]. "Signed" includes electronic signatures.

Time-zone enforcement. The TCPA restricts calls to 8 a.m. to 9 p.m. local time for the called party [1]. "Local time for the called party" is what the statute says, not your local time. A compliant system geolocates area codes or uses CNAM data to figure out the right time zone and blocks calls outside those windows automatically. This sounds basic. Plenty of teams running East Coast hours still call West Coast numbers at 5 a.m. Pacific.

Call recording and full logging. In litigation you need to show exactly when a call went out, what number you dialed, what technology placed it, and whether consent existed at dial time. Most platforms log calls. Check whether the logs export in a litigation-ready format and how long they're retained. Ninety days is not enough. TCPA class actions get filed years after the calls.

Revocation handling. The FCC's October 2024 order on revocation of consent took effect in April 2025. It requires businesses to honor revocation requests "at any reasonable time and through any reasonable means" [6]. Your platform needs a way to accept opt-outs by text reply, verbal request on a call, web form, or email, and apply the suppression within 10 business days. Some platforms handle this natively. Others push it to your CRM integration, which is where opt-outs go to die.

STIR/SHAKEN attestation. Under the TRACED Act and later FCC orders, carriers have to authenticate caller ID [7]. If downstream carriers flag your calls as "spam likely" because your platform lacks full attestation or uses a non-registered caller ID, your answer rates fall and you may hit carrier-level call blocking. Look for platforms that support full A-level attestation on the calls you originate.

For SMS campaigns, the rules stack on top of the voice rules instead of replacing them. You need separate written consent for marketing texts, and every text has to carry a clear opt-out instruction (STOP, UNSUBSCRIBE, or equivalent) [5]. See our text message marketing guide for the full SMS-specific requirements.

What are the real financial penalties for non-compliant dialing?

Statutory damages under 47 U.S.C. § 227(b)(3) are $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations [1]. Each call or text counts as a separate violation. A campaign of 10,000 non-compliant calls exposes you to $5 million at the negligent rate or $15 million at the willful rate, before any attorneys' fees.

Class actions are where the math turns catastrophic. Every recipient of a bad campaign is a potential class member, and settlements in the eight-figure range are ordinary for large programs. UnitedHealthcare settled a TCPA case for $2.5 million, Credit One faced its own substantial TCPA settlement, and Truist Bank resolved a TCPA class action too. These are not outliers. They are the standard result when a large outbound program fails to keep adequate consent records.

FCC enforcement runs on a separate track. The agency can issue forfeiture orders up to $23,727 per violation (adjusted for inflation) under 47 U.S.C. § 503(b) [8]. In practice the FCC rarely chases individual small businesses, but it has hit robocall operators with multi-million dollar forfeitures.

One more thing that surprises people at renewal time. Many general commercial liability policies exclude TCPA claims outright or cap them well below realistic exposure. If your contact center does real outbound volume, get a specific quote for TCPA or communication privacy coverage. Premiums swing with volume and industry, but a dedicated rider usually costs a small fraction of the exposure you're carrying without it.

Key TCPA thresholds for contact center operations Statutory figures every outbound team must know 500 Negligent violation fine (p… call/text) 1,500 Willful violation fine (per call/text) 24k Max FCC forfeiture per violation 31 DNC scrub interval (days) Source: 47 U.S.C. § 227, FTC TSR 16 C.F.R. § 310, FCC 47 C.F.R. § 64.1200

How do you audit your current dialing software for TCPA compliance gaps?

An audit has four parts: the technical stack, the consent workflow, the suppression hygiene, and the documentation trail. Do them in that order.

Technical stack audit. Pull the configuration documentation for your dialer and answer four questions. Does it auto-scrub against the federal DNC registry, and how often? Does it enforce time-zone-based calling hours automatically? Does it cap abandoned calls and log when the cap gets hit? Does it support STIR/SHAKEN attestation? If you can't answer these from documentation, your vendor should hand you a written compliance feature summary. If they won't, that refusal is itself information.

Consent workflow audit. Pull 50 phone numbers from a recent campaign and trace each one back to its consent source. Can you find the date, the form or call where consent happened, and the exact language shown? Lose the thread on more than a handful and your consent architecture has holes. This exercise is roughly what a plaintiff's attorney does in discovery, so you'd rather find the holes first.

Suppression hygiene audit. When did you last download a fresh federal DNC list? The FTC requires access every 31 days for each area code you call, and the list has to actually get applied [3]. Check whether your internal DNC list fills automatically when someone opts out on a call, or whether it needs a manual step your staff might skip on a busy day.

Documentation trail audit. Assume a class action complaint lands on your desk tomorrow. Within 30 days, can you produce call logs for every outbound call in the last four years, the consent record for each number, and proof that each number was scrubbed before dialing? If the answer is no, close those gaps before you do anything else.

LeadCompliant's free TCPA compliance kit includes a contact center audit checklist covering all four parts. It's a starting point, not a legal opinion, but it surfaces gaps fast.

For teams tracking ongoing regulatory changes, the TCPA news section carries updates on recent FCC orders and court decisions that hit dialing operations.

The FCC issued an order in December 2023 that took effect in January 2025 [6]. Two changes matter most for contact centers.

First, the one-to-one consent requirement. Before this order, a single consent form could authorize calls from a stack of sellers or lead buyers. The FCC ended that. Consent now has to be obtained by and for a single seller, not a network of partners. This broke the lead generation model where a consumer checks one box and gets called by 20 companies. If you buy leads, you have to verify that the consent form names your company by name.

Second, the stronger revocation rules. The FCC's October 2024 order (FCC 24-108) requires businesses to honor revocation of consent no matter what channel the consumer uses, and within 10 business days [6]. The order states that consumers may revoke consent "in any reasonable manner" that clearly expresses the desire to stop receiving calls or texts. Your dialing platform has to receive and process revocations from text reply, web form, phone request, or email, and your suppression list has to update inside that window.

These changes forced software updates that many platforms were still rolling out through mid-2025. If you bought your dialing software before 2024 and haven't had a compliance review from the vendor, ask directly whether the platform supports single-seller consent flagging and multi-channel revocation processing. Vague reassurance about being "TCPA-ready" is not an answer.

How does DNC list management work inside a contact center dialing platform?

DNC management has two layers people constantly mix up: the federal Do Not Call Registry and your internal company-specific DNC list. Both are required by law. Both have to work automatically inside your platform.

The federal registry is run by the FTC and covers consumers who registered their number at donotcall.gov [3]. Telemarketers pay for access by area code and must scrub their calling lists against it at least every 31 days. Calling a registered number without a valid exemption exposes you to $500 per violation. The main exemptions are an existing business relationship within 18 months of the last purchase, or an inquiry within the last three months.

Your internal DNC list covers people who told you directly to stop calling, whether or not they're on the federal registry. Under 16 C.F.R. § 310.4(b)(1)(iii), you have to honor internal do-not-call requests within 30 days [9]. Many platforms let you set this at 24 hours or less, which is the better practice. A consumer who says "stop calling me" on a recorded call and gets called again the next day is an easy plaintiff.

Inside a dialing platform, the suppression flow should run like this: the agent takes the opt-out request on the call, the system flags the number in the internal DNC table, the integration pushes the flag to the CRM, and the dialer checks both the internal DNC table and the most recent federal scrub before it queues any number. The weak point in most platforms is that integration step between the dialer and the CRM. Gaps there mean an opt-out logged in one system never reaches the other, and you call the person again.

For how TCPA violations start life as consumer complaints, the how to stop robocalls guide walks through the consumer side of the process. It's useful context when you build your own suppression workflows.

What are the TCPA rules specific to SMS and text messaging through contact center software?

The TCPA treats text messages like calls for almost every purpose. A text sent via an ATDS to a wireless number requires prior express written consent for marketing [1]. "Wireless number" covers every cell phone, which means every consumer in a modern B2C program.

Prior express written consent for texts has to include a clear and conspicuous disclosure that the consumer authorizes autodialed text messages, the name of the seller, and the fact that consent is not a condition of any purchase [5]. Put the disclosure on the same page as the consent button, or right next to it. Buried-footer consent does not hold up reliably.

The CTIA's Messaging Principles and Best Practices are not a statute, but carriers have adopted them as a condition of service [10]. Carriers can block text traffic from senders who violate these principles, which is faster and more painful than a lawsuit. The CTIA calls for opt-out keywords (STOP, QUIT, CANCEL, UNSUBSCRIBE, END), a confirmation text when someone opts out, and program identification in the first message of a campaign.

For contact centers running SMS alongside voice, the integration gap is almost always consent segregation. A consumer who consents to calls has not consented to texts, and vice versa. Your consent database has to track which channels a given number has authorized, and your SMS platform has to check that flag before it sends.

The text messaging marketing guide covers the channel-specific rules in more detail, including the compliance differences between short codes and long codes.

What do major TCPA settlements reveal about contact center compliance failures?

Reading where the large settlements actually came from teaches more than any policy document. The patterns repeat.

Consent documentation failure is the most common root cause. In many cases the company had a consent process, but it couldn't produce records for specific plaintiffs' numbers in discovery. Consent stored in a marketing automation platform that later got sunset. Consent captured on paper forms nobody digitized. Consent inferred from purchase history without an explicit disclosure. Each of these has produced eight-figure settlements.

Lead buying without consent verification is the second pattern. When you buy a lead list, you inherit the consent problem if the original collector's form didn't name you. With the FCC's one-to-one consent rule now in effect, this risk is higher than ever. The Albertsons/Safeway TCPA settlement and the Cash App TCPA class action settlement show how large consumer brands land in TCPA exposure regardless of size.

Calling after revocation is the third pattern. A consumer opts out, the opt-out sits in one system and never reaches the dialer's suppression list, and the number gets called again. That sequence is a technology integration problem more than a policy problem, and it's often what turns a single complaint into a class action with "willful" violation allegations attached.

The lesson for software selection is one blunt question. Ask vendors exactly how opt-outs move from the call recording system or IVR to the dialer suppression list. Get the answer in writing.

Consent documentation that holds up in court has four traits. It's contemporaneous, it's specific, it's retrievable by phone number, and it includes the disclosure language you actually showed.

Contemporaneous means the record was created when consent happened, not reconstructed later. A screenshot of your current opt-in form proves nothing about what your form said 18 months ago when a specific consumer filled it out. The record needs a version snapshot or a hash of the form as it looked at that moment.

Specific means the record names your company (post-2025 FCC rules), names the channel (calls, texts, or both), and includes the disclosure about autodialed communications and no-purchase-required consent.

Retrievable by phone number means you can search your consent database by the dialed number and return the record in minutes, not days. In litigation, how fast you produce this signals whether you run a real system or a loose pile of spreadsheets.

Includes the actual disclosure language. Courts have thrown out consent when the disclosure was vague or the consumer could not have understood what they agreed to. A versioned record of your consent copy is not optional.

Most modern CRMs (Salesforce, HubSpot, and the like) can store this data, but only if your web forms and dialing software are set up to capture and write it. The configuration is where teams cut corners, because it needs coordination between marketing ops, legal, and the software vendor, and that coordination is easy to push to next quarter. Don't push it.

What should a small contact center budget for TCPA-compliant dialing software?

Pricing swings more than the vendor websites suggest, so these ranges come with caveats.

For small teams (5 to 25 agents), cloud-based predictive or power dialing platforms with DNC scrubbing run roughly $80 to $200 per agent per month, depending on call volume and whether DNC scrubbing is bundled or an add-on. Some platforms layer per-minute or per-connection rates on top of the seat fee. At 10 agents you're looking at $800 to $2,000 per month before compliance add-ons.

Federal DNC registry access costs $75 per area code per year, up to a maximum of $18,967 for national access (2024 FTC pricing) [3]. If you call nationally, full national access is usually cheaper than buying individual area codes once you cross about 250 of them.

Consent management platforms that integrate with dialers run $500 to $3,000 per month for small to mid-size contact centers. Many teams manage consent inside the CRM instead, which works if the CRM is configured right, but the configuration cost is real even when the incremental software cost isn't.

Call recording and log retention at litigation-ready standards (searchable by number, kept 4 to 5 years) adds roughly $50 to $150 per month at most cloud platforms, depending on volume.

The honest number: TCPA-compliant infrastructure for a 10-agent contact center doing real outbound volume runs $1,500 to $3,500 per month in software alone, before you staff a compliance function. That sounds steep until you set it against $500 per call exposure on a campaign of any real size. One bad campaign pays for a decade of the software.

Frequently asked questions

Does a predictive dialer qualify as an ATDS under the TCPA after Facebook v. Duguid?

After the Supreme Court's April 2021 Facebook v. Duguid decision, an ATDS requires a random or sequential number generator to store or produce numbers. A predictive dialer working from a pre-uploaded contact list arguably does not meet that definition at the federal level. State courts and regulators in California, Florida, and Washington apply broader definitions, so national programs should still treat predictive dialers with ATDS-level caution.

How often does my contact center need to scrub against the federal DNC list?

At least every 31 days, per the FTC's Telemarketing Sales Rule at 16 C.F.R. § 310.4(b)(3)(iv). You also pay for access to each area code you intend to call. Most compliant platforms automate this scrub, but verify the schedule in your platform configuration rather than assuming it's running. A scrub that silently stopped is still a violation.

What is the 3% abandoned call rule and does my dialer enforce it?

Under 47 C.F.R. § 64.1200(a)(7), no more than 3% of answered calls over a 30-day period can be abandoned, where abandoned means not connected to a live agent within two seconds of the called party answering. Most predictive dialers have a configurable cap, but the default may not be set to 3%. Check your platform's actual configuration, not its marketing page.

Can I buy a lead list and call those numbers without getting individual consent?

Not safely, especially post-2025. The FCC's one-to-one consent rule requires that consent name your company specifically. If the lead generation form named a different company or a network of unnamed partners, that consent does not transfer to you. Calling without valid, specific consent exposes you to $500 to $1,500 per call in statutory damages. Get the original consent form from the seller and have counsel review it.

The TCPA's four-year statute of limitations under 28 U.S.C. § 1658 is the floor for record retention. Keeping call logs and consent records for five years is safer, because litigation timelines push right up to that limit. Store records in a searchable format indexed by phone number, more than by date or campaign, so you can produce them fast in discovery.

Starting in January 2025, consent obtained through a multi-seller lead generation form is no longer valid for companies not named in the consent disclosure. If you buy leads, the original consent form must identify your business by name. This ended the practice of selling one consent to dozens of buyers. Contact centers that did not update their lead sourcing by 2025 are operating on invalid consent.

The FCC's October 2024 order (FCC 24-108), effective April 2025, requires businesses to honor revocation of consent through any reasonable means at any reasonable time, within 10 business days. Your software must accept opt-outs by text reply, verbal request, web form, or email and apply them to your suppression list inside that window. Platforms that process revocations through only one channel leave you exposed.

Do TCPA rules apply to B2B outbound calling, or only consumer calls?

TCPA restrictions mainly target calls to residential lines and wireless numbers. Prerecorded calls to business landlines still require compliance, but consent requirements are generally lighter for pure B2B calls to business numbers. Calling a cell phone that belongs to a business employee still triggers the wireless number rules under the statute. The safest posture is to treat any wireless number as consumer-protected.

What is STIR/SHAKEN and why does it matter for outbound contact centers?

STIR/SHAKEN is the carrier-level caller ID authentication framework the FCC required under the TRACED Act. It assigns an attestation level (A, B, or C) to outbound calls based on how well the originating carrier can verify the caller ID. Calls without A-level attestation are more likely to get labeled spam likely by downstream carriers, which wrecks answer rates and can trigger call blocking. Ask your dialing vendor whether your traffic gets full A-attestation.

Is a voicemail drop or ringless voicemail subject to TCPA restrictions?

Yes. The FCC treats ringless voicemail as a call under the TCPA because it delivers a message to a phone's voicemail system. The agency has confirmed that the TCPA applies whether or not the phone rings. Consent requirements for prerecorded voice messages apply to ringless voicemail the same way they apply to live or recorded calls, so consent-free ringless drops carry the same $500 to $1,500 per-message exposure.

What should I ask a dialing software vendor to prove TCPA compliance support?

Ask for written documentation of DNC scrub frequency and how it's enforced, how the platform processes opt-outs and how fast they propagate, whether STIR/SHAKEN A-attestation is supported, what call log fields are captured and how long they're retained, whether the platform supports single-seller consent tagging per the 2025 FCC rules, and whether they provide audit-ready log exports. A vendor that can't answer these in writing is not a compliance partner.

How much does a TCPA class action settlement typically cost?

Settlements vary widely with call volume and whether violations were willful. Smaller cases involving tens of thousands of calls settle in the $500,000 to $2 million range. Larger programs reach tens of millions. Statutory damages are $500 to $1,500 per violation, so a campaign of 100,000 non-compliant contacts carries a theoretical exposure of $50 million to $150 million, though actual settlements usually land well below the statutory maximum.

Does the TCPA apply to text messages sent through a contact center SMS platform?

Yes. The TCPA treats texts sent via an ATDS to wireless numbers the same as calls. Marketing texts require prior express written consent with specific disclosures, and every message must include an opt-out option. Carriers separately enforce CTIA messaging guidelines as a condition of service, which means a non-compliant SMS program can get blocked at the carrier level before a lawsuit ever reaches you.

What is the difference between the FTC's DNC registry and the TCPA's consent requirements?

The FTC's National Do Not Call Registry, under the Telemarketing Sales Rule, covers telemarketing calls to consumers who registered their number. The TCPA's consent requirements cover automated or prerecorded calls and texts regardless of registry status. A number that is not on the DNC list still requires prior express consent for autodialed calls to wireless numbers. Both rules apply at once, and compliance means satisfying both.

Sources

  1. U.S. Government Publishing Office, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA restricts ATDS use on wireless numbers, requires consent, and sets $500 to $1,500 per violation damages; restricts calls to 8 a.m. to 9 p.m. local time for the called party
  2. Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an ATDS must use a random or sequential number generator to store or produce numbers; pre-loaded list dialers may not qualify as ATDS under this definition
  3. Federal Trade Commission, Telemarketing Sales Rule (National Do Not Call Registry): Telemarketers must scrub against the DNC registry at least every 31 days; national DNC access costs up to $18,967 per year; internal DNC requests must be honored within 30 days
  4. California Legislative Information, Invasion of Privacy Act (CIPA), Cal. Penal Code § 630 et seq.: California has its own automated calling and privacy statutes with definitions that differ from the federal ATDS standard post-Duguid
  5. Electronic Code of Federal Regulations, FCC rule 47 C.F.R. § 64.1200: FCC rules require prior express written consent for marketing calls and texts, abandoned call cap of 3%, and specific disclosure requirements for written consent including no-purchase-required language
  6. Cornell Law School Legal Information Institute, 47 U.S.C. § 503 (forfeiture penalties): FCC can issue forfeiture orders of up to $23,727 per violation (inflation-adjusted) under 47 U.S.C. § 503(b)
  7. Federal Trade Commission, Telemarketing Sales Rule, 16 C.F.R. § 310.4(b)(1)(iii): TSR requires telemarketers to honor internal do-not-call requests; companies must maintain internal DNC lists and honor requests within 30 days
  8. Cornell Law School Legal Information Institute, 28 U.S.C. § 1658 (federal statute of limitations): Four-year statute of limitations for federal statutory claims including TCPA violations; defines minimum record retention window

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit