TCPA compliance solutions: what actually works in 2025

TCPA violations can cost $500, $1,500 per call or text. This guide covers the real compliance solutions, tools, and processes that protect outbound teams.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-09

Telephone handset on a desk in a quiet office, representing outbound call compliance
Telephone handset on a desk in a quiet office, representing outbound call compliance

TL;DR

TCPA compliance solutions are the mix of consent management, DNC scrubbing, dialer configuration, and staff training that keeps outbound teams below the lawsuit threshold. The statute (47 U.S.C. § 227) sets statutory damages at $500 per violation and up to $1,500 for willful violations. No single tool covers you. The real solution is a layered process.

What is the TCPA and why does it hit small teams hardest?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, was signed in 1991 and has been reshaped by FCC rulemaking ever since [1]. The statute restricts autodialed calls, prerecorded messages, and texts to cell phones without prior express consent. It also bars calls to numbers on the National Do Not Call Registry and enforces quiet hours.

Large companies have compliance departments. Small outbound teams usually have a sales manager who also handles HR, a dialer that came bundled with the CRM, and a vague sense that they "got consent somewhere." That gap is exactly where TCPA plaintiffs' attorneys hunt. The private right of action in the statute means any single consumer can sue, and class actions get certified when the same unlawful practice hit thousands of people through the same system [1].

Statutory damages are $500 per violation. No cap is written into the statute. Courts have awarded $1,500 per violation when they find willful or knowing conduct [1]. A class of 10,000 people times $1,500 is $15 million before attorneys' fees. That math explains why settlements like the one involving UnitedHealthcare's alleged TCPA violations and Credit One Bank run into the millions.

What are the core components of a TCPA compliance solution?

No software makes you compliant on its own. A real TCPA compliance solution has five components, and if any one is missing, the others don't fully protect you.

1. Consent capture and documentation. Before you dial or text a cell phone with an autodialer or prerecorded message, you need prior express written consent for marketing calls, or prior express consent for informational calls. "Prior express written consent" means a written agreement (electronic records count) that clearly authorizes the specific type of message from you [2]. You need to produce that record years later in litigation.

2. DNC list scrubbing. The FTC's National DNC Registry must be checked at least every 31 days for numbers you intend to call [3]. State DNC lists (Indiana, Texas, Wyoming, and others maintain their own) add another layer. Scrubbing is not optional and not a one-time task.

3. Dialer configuration and ATDS classification. The FCC has defined an automatic telephone dialing system (ATDS) as equipment that has the capacity to store or produce telephone numbers to be called using a random or sequential number generator and to dial such numbers [1]. The Supreme Court narrowed that definition in Facebook v. Duguid (2021), but litigation over what qualifies as an ATDS continues [4]. Your dialer vendor should be able to document exactly how numbers enter the call queue.

4. Time-of-day enforcement. The TCPA prohibits calls before 8 a.m. or after 9 p.m. in the called party's local time [1]. If you have a national list, your system needs to apply the recipient's time zone, not your office's.

5. Revocation handling. The FCC's 2024 one-to-one consent rule and its guidance on revocation require that consumers can revoke consent at any time through any reasonable means [2]. Your CRM or contact management system needs to suppress revocations within a reasonable period. The FCC has flagged ten business days as the outside limit, but processing revocations same-day is safer.

Those five parts are the skeleton. The rest of this article fills in how to build them without a seven-figure compliance budget.

In December 2023, the FCC adopted new rules that took effect January 27, 2025, aimed at lead generation and comparison shopping websites [2]. The old trick of collecting one blanket consent that covered dozens of "marketing partners" is now illegal for calls and texts to wireless numbers.

The rule says each seller must get its own individual prior express written consent. You can't buy a lead from an aggregator and claim you're covered by consent the consumer gave to that aggregator plus a list of unnamed partners. The consent has to name you specifically.

This is a real operational change. If your lead sources include shared lists, co-registration forms, or purchased data, audit every source and either (a) confirm the consent form named your company individually, or (b) stop using that source for autodialed or prerecorded contacts.

The FCC's order, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, FCC 23-107, states that comparison shopping websites and lead generators must obtain consent "on a one-to-one basis from a single seller at a time" [2]. That's the exact text the rule uses. Any consent form that tries to cover multiple sellers at once no longer satisfies the TCPA for calls and texts to cell phones.

Small teams that buy leads should get written representations from every lead vendor that consent was collected this way, and keep those representations on file. If the vendor can't provide that, the leads carry legal risk no matter how clean the data looks.

TCPA: key numbers every outbound team should know Statutory thresholds and compliance requirements from federal law and FCC rules 500 Statutory damages per viola… (base) 1,500 Statutory damages per willf… violation 31 Max days between DNC scrubs (federal) 18 Established business relati… (months) Source: 47 U.S.C. § 227; FTC Telemarketing Sales Rule, 16 CFR Part 310; FCC 23-107 (2023)

What does DNC scrubbing actually require and how often?

The National Do Not Call Registry is run by the FTC and lists residential telephone numbers whose owners registered to avoid telemarketing calls [3]. The legal requirement for telemarketers is to scrub call lists against the registry no less than every 31 days. This is a rolling requirement, not a one-time check.

The mechanics matter. You access the registry through the FTC's online portal (telemarketing.donotcall.gov). You download the numbers for the area codes you call. You compare your list against that data before dialing. Numbers on the registry can't be called for telemarketing without a pre-existing business relationship (which lasts 18 months from the most recent transaction or inquiry) or written consent from the consumer [6].

State lists add complexity. Texas maintains its own No Call List under the Texas Business and Commerce Code. Indiana's Telephone Privacy Law covers calls to Indiana residents. Florida, which passed the Florida Telephone Solicitation Act amendments in 2021, adds requirements around autodialed texts [10]. Scrubbing the federal registry alone does not satisfy state law in those states.

For most small teams, the practical answer is a data vendor or dialer add-on that runs the scrub automatically before each campaign. The cost usually runs between $0.001 and $0.005 per number per scrub from well-known data providers, though pricing varies by volume and vendor. Do not rely on a scrub that is more than 31 days old under any circumstances.

Some teams also keep internal DNC lists, which are separate from the federal registry. Anyone who asks you to stop calling gets added to your internal DNC list immediately. The FTC's Telemarketing Sales Rule requires you to honor do-not-call requests within 30 days [3], and you must keep that internal list for at least five years.

What tools do most outbound teams actually use for TCPA compliance?

The honest answer is that the market for TCPA compliance tooling is fragmented and the quality varies a lot. Here's how most small outbound teams piece together a solution.

Consent management platforms. Companies like ActiveProspect (TrustedForm) and Jornaya (LeadiD) capture real-time documentation of the consent event: a timestamped certificate that records what the consumer saw on the form, their IP address, and the moment they clicked agree. These certificates cost roughly $0.05 to $0.10 per lead depending on volume. They are not required by law but are strong evidence in litigation. If you're buying leads or running web forms for your own campaigns, one of these tools earns its keep.

DNC scrubbing services. Most CRMs (Salesforce, HubSpot, GoHighLevel) do not scrub the national DNC list natively. You typically need an add-on or integration. Services like DataValidation, Gryphon Networks, and similar providers offer real-time or batch DNC scrubbing. Some dialers (Five9, NICE CXone, Convoso) bundle DNC scrubbing into their platform.

Predictive and power dialers. This is where ATDS risk lives. A predictive dialer that dials ahead of agent availability and drops calls when no agent is free is the classic TCPA exposure point. Some teams have moved to "manual" or "click-to-dial" workflows specifically to argue they aren't using an ATDS. Whether that argument holds in court depends on the specific system's architecture and the jurisdiction.

Time-zone enforcement. Any list-dialing tool worth using should have time-zone mapping built in. If yours doesn't, you need to either append time-zone data to your list before import or manually segment your calling hours by state.

CRM-level suppression. Whatever tools you use upstream, the CRM is where revocation records need to live. A consumer who texts STOP, emails you, or verbally tells your agent to stop calling needs to hit a suppression record that blocks any future outbound contact. Most CRMs support this, but it has to be configured deliberately. It does not happen automatically out of the box.

LeadCompliant offers a free TCPA compliance kit with a DNC scrubbing checker and consent audit templates that help small teams run through these checkpoints without starting from scratch.

For a sense of what happens when these tools are absent or misconfigured, the Cash App TCPA class action settlement and the Truist Bank class action both involved alleged failures at the consent and suppression layer, not exotic legal theories.

How much does a TCPA violation actually cost?

The statutory floor is $500 per call or text that violates the TCPA [1]. Courts can triple that to $1,500 per violation for willful or knowing conduct. There is no per-case cap in the statute, which is what makes class certification so dangerous.

Real settlements give a better sense of exposure. The Albertsons and Safeway TCPA settlement resolved allegations over text message marketing. The Kaiser TCPA settlement involved healthcare communications. These cases usually settle for amounts well below the theoretical maximum, because class-wide treble damages would be ruinous enough that defendants settle early.

Outside class actions, individual suits and demand letters from TCPA plaintiff's firms are common. A single plaintiff who received 50 texts they didn't consent to can credibly demand $75,000 ($1,500 x 50) before filing anything. Many of these cases settle for $5,000 to $30,000 per plaintiff. That range is not published in any official dataset. It reflects what practitioners discuss publicly and what shows up in court filings, but nobody has clean data on private pre-suit settlements.

Legal defense costs stack on top. A TCPA defense through discovery can run $50,000 to $200,000 in attorneys' fees even for a case that eventually gets dismissed. That cost alone is reason enough to invest in prevention.

The FCC can also levy forfeitures for violations of the TCPA rules it enforces. In 2023 and 2024, the FCC proposed forfeitures in the hundreds of millions of dollars against robocall operations, though collected amounts usually come in lower after proceedings [9].

The FCC defines "prior express written consent" for telemarketing calls and texts to wireless numbers as an agreement that: (1) bears the signature of the person called (electronic signatures count); (2) clearly authorizes the seller to deliver advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice; and (3) identifies the telephone number the person is providing [2].

The consent form must also include clear and conspicuous disclosure that the consumer is authorizing calls or texts. Burying it in a 40-page terms-of-service document is not enough. The FCC has said the disclosure must stand out from surrounding text.

A few things that do not satisfy prior express written consent: checking a box that says "I agree to the terms and conditions" with no specific mention of autodialed calls or texts; a verbal agreement alone (marketing calls require written consent); and consent given to a different company that then sold the lead to you without specific written authorization to contact the consumer on your company's behalf.

For informational calls (not marketing), the bar is lower: prior express consent, which can be oral or written. But separating a purely informational call from one with any marketing element is hard in practice, and courts tend to weigh content and purpose together.

Store the consent record with the phone number it covers, the timestamp, the IP address if collected online, the exact language of the consent disclosure, and the source (form URL or interaction record). You want to reconstruct that event two years later if a lawsuit lands.

Revocation is where a lot of teams get tripped up. A consumer can revoke consent at any time through any reasonable means, per the FCC's 2024 guidance [2]. A verbal "stop calling me" to your agent, a text reply of STOP or QUIT or any reasonable variation, an email, or a letter all count.

You can't contractually limit how a consumer revokes. Some consent forms tried to say "you may only revoke consent in writing sent via certified mail" to build a procedural barrier. The FCC has made clear those limitations are unenforceable for TCPA purposes.

Once revocation happens, the FCC expects you to stop contacting that number within a reasonable time. The FCC's 2024 order referenced ten business days as an outside limit, but shorter is better. Two-way text platforms can automatically suppress STOP replies within minutes. For phone call records where an agent logs a verbal revocation, you need a workflow that drops that number into your internal DNC list the same day.

The practical failure point for most small teams is the agent-logged verbal revocation. The agent hangs up and forgets to update the CRM. The number gets called again next week by a different agent. That's two violations, maybe more. Training and CRM workflow design matter as much as any software tool.

What is a TCPA compliance audit and does your team need one?

A TCPA compliance audit is a structured review of your consent records, suppression lists, dialer configuration, calling hours enforcement, and staff training. It produces a gap list, and closing those gaps is the actual compliance work.

You probably need one if any of these are true: you bought leads in the last 18 months without verifying one-to-one consent documentation; your CRM has no formal STOP/revocation workflow; you have never compared your calling hours logic against a time-zone map of your contact list; your consent form has not been reviewed against the FCC's 2024 rules; or someone on your team is not sure what ATDS means for your specific dialer.

A lawyer-led TCPA audit from a firm that specializes in this area typically costs $3,000 to $15,000 depending on scope and firm size. That's not nothing for a small team, but it's a fraction of a single plaintiff settlement. Some compliance consultants offer lighter-touch audits at lower price points.

For teams that can't afford a full legal audit right now, a self-audit using a structured checklist covers the highest-risk areas. The FCC's public guidance documents and the FTC's Telemarketing Sales Rule are both free and specific enough to build a checklist from [3][9]. LeadCompliant's free compliance kit includes a structured checklist built around those sources.

If you want legal help in a specific region, resources like TCPA lawyers in Kentucky can point you to practitioners who know local state law additions on top of the federal framework.

How do state laws interact with TCPA compliance solutions?

The TCPA is a federal floor, not a ceiling. States can and do add their own requirements, and some are stricter than federal law.

Florida's Telephone Solicitation Act, amended in 2021 via SB 1120, created a private right of action for texts that use "an automated system for the selection or dialing of telephone numbers" and extended quiet hours [10]. Florida is one of the most active states for TCPA-style litigation.

California's Invasion of Privacy Act adds wiretapping and recording consent requirements on top of the TCPA. If you record calls with California residents, one-party consent is not enough under California law. You need all-party consent or proper disclosure.

Texas and Indiana have state DNC lists that require separate registration and scrubbing.

Washington State's Commercial Electronic Mail Act covers some text messaging in ways that overlap with federal requirements.

A compliance solution that only addresses federal TCPA requirements leaves you exposed in high-litigation states. At a minimum, identify which states make up the bulk of your contact list and check whether those states add requirements beyond federal law. State attorneys general pages and state legislature websites are the right sources for this. Don't rely on third-party summaries alone.

For more on what the broader TCPA landscape looks like right now, the TCPA news section covers recent regulatory and case developments as they happen.

What should a TCPA compliance policy document include?

A written compliance policy is both a practical management tool and evidence of good faith if litigation happens. Courts and regulators look more favorably on defendants who can show an established compliance program, even when a violation slips through.

Your policy document should cover:

Scope. Which calling and texting programs does the policy govern? Include every channel: outbound sales calls, appointment reminders, text campaigns, ringless voicemail if you use it.

Consent standards. Define what counts as valid consent for each type of contact. State the specific disclosure language your forms must include. Name who reviews consent form language when it changes.

DNC scrubbing schedule. Document that the federal registry must be checked at least every 31 days, name the tool used, and name who confirms it ran.

Calling hours. State the hours (8 a.m. to 9 p.m. recipient local time) and how your system enforces them.

Revocation handling. Define the workflow for every channel (verbal, text, email, written). Name the maximum time to suppression (ideally same business day).

Training. State that all agents who make or schedule outbound contacts must complete TCPA training before they dial, and that refresher training happens at least annually or when rules change.

Record retention. Consent records: keep for at least four years or the duration of any applicable statute of limitations in your state, whichever is longer. Call logs and DNC scrub confirmations: at least five years to cover the FTC's TSR requirements [3].

Incident response. What happens when an agent reports a possible violation? Who reviews it, how fast, and what gets documented?

A one-page policy that people actually follow beats a 40-page manual that rots in a shared drive.

Are there TCPA safe harbors that protect outbound teams?

The TCPA has a few protections that reduce liability exposure, though none are absolute shields.

The established business relationship (EBR) exception lets you call a residential number on the National DNC Registry if the consumer made a purchase, transaction, or inquiry with you within the past 18 months, or contacted you within the past three months [6]. This exception only applies to the federal DNC rules. It does not override the prior express written consent requirement for autodialed or prerecorded calls to cell phones.

The good-faith reliance defense is not a statutory safe harbor, but courts have found that a company that relied in good faith on an established consent practice and took reasonable steps to comply is sometimes granted leniency on the willfulness finding, which decides whether damages are $500 or $1,500 per violation. This is fact-specific and not something to count on.

The FCC's reassigned numbers database (RND) offers partial protection. If you scrub your numbers against the RND and call a number that has been reassigned to a new person, you may have a defense that you had consent for the prior subscriber and no way to know about the reassignment [9]. Scrubbing the RND costs money but is worth considering for any list more than a few months old.

One thing that is definitively not a safe harbor: your lead vendor's warranty that the leads are "TCPA compliant." That warranty shifts contractual liability to the vendor but does not protect you from a consumer lawsuit. The consumer sues you, you sue the vendor, and you're still in litigation.

Frequently asked questions

Prior express consent can be oral or written and applies to informational calls like appointment reminders to wireless numbers. Prior express written consent, which must be a signed (including electronic) agreement specifically authorizing autodialed or prerecorded marketing messages, is required for telemarketing calls and texts to cell phones. The FCC defines both terms in its TCPA rules under 47 CFR Part 64.

How often do I need to scrub my list against the National Do Not Call Registry?

At least every 31 days for any numbers you intend to call for telemarketing. The FTC's Telemarketing Sales Rule requires this rolling scrub schedule. A scrub that is 32 days old does not satisfy the requirement. Most compliant dialing platforms automate this, but you should confirm the scrub actually ran and document the date.

Does the TCPA apply to B2B calls?

The TCPA's autodialer and prerecorded message restrictions apply to calls to wireless numbers regardless of whether the recipient is a consumer or a business professional. If the cell phone number belongs to a business contact, the same rules apply. The National DNC Registry applies to residential numbers, so B2B calling to a business landline has more flexibility, but cell phones used for business are not exempt.

Can I text someone who gave me their number on a business card?

A business card is not written consent for autodialed marketing texts. It shows they voluntarily gave you the number, which may support a prior express consent argument for non-marketing informational contact, but not the prior express written consent required for marketing texts sent via an ATDS. If you want to send promotional texts, get a signed (or digitally confirmed) opt-in that specifically describes what they are agreeing to receive.

What counts as an automatic telephone dialing system (ATDS) after Facebook v. Duguid?

The Supreme Court's 2021 Facebook v. Duguid decision held that an ATDS must have the capacity to use a random or sequential number generator to either store or produce phone numbers. A system that only dials from a stored list without random or sequential generation is not an ATDS under that definition. But many courts are still working through what that means for specific dialer architectures, and some state laws use broader definitions.

The TCPA statute of limitations is four years under federal law (28 U.S.C. § 1658), so you need records that can be produced for at least that long from the date of each contact. Some states have longer limitations periods. The safest practice is to keep consent documentation for five years, which also covers the FTC Telemarketing Sales Rule's record retention requirement.

The FCC adopted the one-to-one consent rule in December 2023 (FCC 23-107), and it took effect January 27, 2025. It requires that prior express written consent for telemarketing calls and texts to wireless numbers be obtained by each individual seller separately. A single consent form that purports to cover multiple unrelated companies at once no longer satisfies the TCPA.

Does a STOP reply to a text message immediately revoke consent?

Yes. A reply of STOP, QUIT, CANCEL, UNSUBSCRIBE, or any other clear revocation through a reasonable means triggers an obligation to stop texting. The FCC's 2024 guidance makes clear consumers can revoke consent through any reasonable channel. For automated text platforms, processing a STOP reply in real time is technically straightforward and should be the default configuration.

Are ringless voicemails covered by the TCPA?

The FCC ruled in 2022 that ringless voicemails delivered directly to a voicemail server constitute calls under the TCPA and are subject to its restrictions, including the prior express written consent requirement for marketing messages to wireless numbers. Ringless voicemail vendors that marketed them as TCPA-exempt were wrong; treat them the same as any autodialed call.

What is the FCC's Reassigned Numbers Database and do I need to use it?

The Reassigned Numbers Database (RND) is an FCC-maintained registry of phone numbers reassigned to new subscribers. Callers who scrub against it can establish a safe harbor defense if they call a reassigned number in good faith after checking the database. It is not legally mandatory for every caller, but if your lists are more than a few months old, it is a meaningful risk-reduction step. Access costs a small fee through the FCC.

How does the TCPA interact with the FTC's Telemarketing Sales Rule?

The TCPA and the FTC's Telemarketing Sales Rule (TSR) overlap heavily but come from different agencies. The TSR governs telemarketing broadly, including DNC obligations, calling hours, and disclosure requirements. The TCPA governs the technology used (autodialers, prerecorded calls) and consent. You must comply with both. In areas where one is stricter than the other, follow the stricter standard.

Can I buy a list and call everyone on it for telemarketing?

No. Purchasing a list does not transfer prior express written consent from the list seller to you. You need consent that specifically names your company as the authorized caller or texter. List purchases can still be useful for manual calling to landlines with proper DNC scrubbing and established business relationship checks, but for autodialed or prerecorded calls to wireless numbers, a purchased list without individual verified consent is high-risk.

What should I do if I think my company has already committed TCPA violations?

Stop the practice immediately. Document what happened, how many contacts were affected, and what the consent record shows. Talk to a TCPA defense attorney before responding to any demand letters or complaints. Do not destroy records. Put corrective controls in place so the same violation cannot recur. Proactive remediation and a documented compliance program are the strongest arguments for reducing exposure in settlement talks. This is not legal advice.

Text message marketing to wireless numbers using an ATDS or prerecorded messages is legal with proper prior express written consent. You need a compliant opt-in that clearly discloses what messages the consumer will receive, how often, and that message and data rates may apply. You must honor revocation requests promptly and maintain suppression lists. See our full guide on text message marketing for the opt-in language and workflow details.

Sources

  1. U.S. House of Representatives, Office of the Law Revision Counsel, 47 U.S.C. § 227 (Telephone Consumer Protection Act): Statutory damages of $500 per violation, trebled to $1,500 for willful violations; restrictions on autodialed calls, prerecorded messages, and calls before 8 a.m. or after 9 p.m. local time
  2. FTC, Complying with the Telemarketing Sales Rule: National DNC Registry must be scrubbed at least every 31 days; internal DNC lists must be maintained for five years; do-not-call requests must be honored within 30 days
  3. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS definition requires capacity to use a random or sequential number generator to store or produce phone numbers; systems dialing only from stored lists without random or sequential generation may not qualify
  4. FTC, National Do Not Call Registry information for businesses: Registry administered by FTC; 18-month established business relationship exception from transaction; 3-month exception from consumer inquiry
  5. FCC, 47 CFR Part 64, Subpart L, rules implementing TCPA: Regulatory definitions of prior express consent, prior express written consent, and calling hour restrictions
  6. FTC, Telemarketing Sales Rule, 16 CFR Part 310: Telemarketing Sales Rule requirements including calling hours, DNC obligations, and record retention of five years
  7. Florida Legislature, SB 1120, Florida Telephone Solicitation Act amendments (2021): Florida created a private right of action for texts using automated selection or dialing systems; stricter requirements than federal TCPA in some respects
  8. U.S. House of Representatives, Office of the Law Revision Counsel, 28 U.S.C. § 1658 (catch-all four-year federal statute of limitations): Four-year statute of limitations for federal claims not otherwise covered; applied to TCPA claims in most circuits

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit