Last updated 2026-07-11

TL;DR
A TCPA gap analysis compares your current outbound calling and texting practices against the requirements of 47 U.S.C. § 227 and FCC rules. It covers six domains: consent documentation, DNC scrubbing, dialer classification, call-time restrictions, state law overlays, and record-keeping. Most small teams have at least two material gaps. Fixing them before a lawsuit is always cheaper than settling after.
What is a TCPA gap analysis and why does your outbound team need one?
A TCPA gap analysis is a structured audit that maps every step of your outbound sales process against the legal requirements of the Telephone Consumer Protection Act, 47 U.S.C. § 227 [1], and the FCC's implementing regulations at 47 C.F.R. Part 64 [2]. The output is a list of specific gaps: places where what you're actually doing diverges from what the law requires.
Most outbound sales teams don't have a gap analysis because nobody scheduled one. They have a compliance "policy" that lives in a Google Doc, a CRM field labeled "consent" that nobody audits, and a vague belief that their dialer vendor handles the legal stuff. That belief is expensive. TCPA statutory damages run $500 per negligent violation and $1,500 per willful violation [1], and class actions aggregate those numbers fast. The Cash App TCPA class action settlement reached $7.5 million for text message violations cash app tcpa class action settlement, and Credit One Bank paid $9 million to settle TCPA claims involving autodialed calls credit one tcpa settlement.
A gap analysis doesn't make you lawsuit-proof. Nothing does. But it turns unknown risk into known risk, and known risk is something you can actually make decisions about. You can see what to fix first.
What are the six domains every TCPA gap analysis must cover?
Every outbound sales operation has the same six risk domains. Miss one and your analysis is incomplete.
Domain 1: Consent documentation. The TCPA requires prior express written consent before sending autodialed or prerecorded marketing messages to a cell phone [1]. "Written" under the FCC's 2012 order means a signed agreement, including electronic signatures, that clearly authorizes the specific type of contact [2]. The gap question is simple: can you produce that consent record for any number you're dialing or texting, on demand, within 24 hours? If your answer is "probably" or "it's in the CRM somewhere," you have a gap.
Domain 2: DNC list scrubbing. The National Do Not Call Registry requires covered telemarketers to scrub against the registry at least every 31 days [3]. That's the federal floor. Some state registries have shorter windows. The gap question: what is your actual scrub cadence, and can you prove it with a dated log?
Domain 3: Dialer classification. Whether your dialer is an Automatic Telephone Dialing System (ATDS) under the TCPA is the most contested question in outbound sales right now. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the ATDS definition to systems that use a random or sequential number generator [4]. Many dialers still carry risk, and prerecorded calls have separate rules regardless of dialer type. The gap question: has your legal counsel actually reviewed your current dialer configuration against the post-Duguid standard?
Domain 4: Call-time restrictions. Federal rules prohibit telephone solicitations before 8 a.m. or after 9 p.m. local time at the called party's location [2]. Several states are stricter. The gap question: does your dialer enforce time-of-day restrictions based on the recipient's time zone, not your office's?
Domain 5: State law overlays. Florida's Mini-TCPA (FTSA), Washington, Oklahoma, and other states have passed laws stricter than federal rules, sometimes reaching human-dialed calls or imposing shorter scrub windows [5]. The gap question: do you know which states your team calls most, and have you checked whether any of them have a state-level analog to the TCPA?
Domain 6: Record-keeping and audit trail. The FTC's Telemarketing Sales Rule requires telemarketers to keep records of consent and scrubbing for 24 months [3]. The gap question: where do your records live, who controls them, and have you ever tested a retrieval drill?
How do you run the gap analysis step by step?
This is the actual sequence. Budget roughly half a day for a lean team with one dialer, two to three days for a team with multiple lead sources and vendors.
Step 1: Map your call and text flows. Write down every way a phone number enters your system: inbound web form, purchased list, referral, trade show scan, chat-to-call. For each source, document what consent language (if any) was shown, where the record is stored, and who owns it. This step usually surfaces the first gap in about ten minutes.
Step 2: Classify your dialer and outreach types. Is your outreach live-agent, ringless voicemail, prerecorded message, or text? Each carries different rules. Prerecorded messages to cell phones require prior express written consent regardless of ATDS status [1]. Live-agent calls to landlines have lighter consent requirements but still require DNC compliance. Write this down per channel.
Step 3: Pull your DNC scrub logs. Ask your vendor or internal ops team for the last three scrub reports. Check the date of each scrub against the 31-day requirement. Check whether the scrub covered the National DNC Registry [3] and any applicable state registries. If you bought a list, confirm the list provider's scrub date and get it in writing.
Step 4: Audit your time-zone enforcement. Pull a sample of 50 to 100 outbound call records from the last 30 days. Cross-reference call timestamps against the recipient's area code and state. Calculate what percentage of calls landed outside the 8 a.m. to 9 p.m. window in the recipient's local time. Even a 2 percent rate on high volume is a material exposure.
Step 5: Review your opt-out handling. Federal rules require that any opt-out mechanism works within 30 days for telemarketing calls [2]. For texts, the FCC expects near-immediate suppression. The gap question: when someone texts STOP or says "take me off your list," what exactly happens in your system, how long does it take, and can you prove it?
Step 6: Score and prioritize. Rate each gap as Critical (active legal exposure, fix within 30 days), High (likely exposure under audit, fix within 90 days), or Low (best-practice miss, fix on next sprint). That gives you a ranked remediation list instead of a paralyzing wall of problems.
What does the actual gap analysis template look like?
Below is the template in table form. Each row is a control. You mark it Pass, Gap, or N/A, add a note, and assign an owner.
| Control | Requirement | Status | Gap Description | Owner | Due Date |
|---|---|---|---|---|---|
| Consent records for cell numbers | Prior express written consent, storable and retrievable [1] | ||||
| Consent records for prerecorded calls | Prior express written consent, any line type [1] | ||||
| Web form consent language | Clear disclosure of autodialed/text contact [2] | ||||
| National DNC scrub cadence | Every 31 days minimum [3] | ||||
| State DNC scrub (applicable states) | Per state law [5] | ||||
| Internal DNC / suppression list | Maintained and applied before each campaign | ||||
| Dialer ATDS classification reviewed | Post-Facebook v. Duguid legal review [4] | ||||
| Call time enforcement by recipient time zone | 8 a.m. to 9 p.m. local [2] | ||||
| Opt-out processing time for calls | Within 30 days [2] | ||||
| Opt-out processing time for texts | Near-immediate suppression [2] | ||||
| State law overlay review | Florida FTSA, WA, OK, etc. [5] | ||||
| Vendor contracts (liability clauses) | Vendor takes responsibility for their scrubbing | ||||
| Record retention (consent + scrub logs) | 24 months minimum [3] | ||||
| Staff training on TCPA | Documented training, dated |
Copy this table into a spreadsheet. Work through each row with the person who actually owns that process, more than the person who's supposed to own it. The honest answers usually come from whoever runs the dialer or manages the lead lists, not from the sales manager.
What are the most common gaps found in outbound sales teams?
Based on the public record of TCPA litigation and FCC enforcement actions, a few gaps show up constantly.
The consent documentation gap is the most common. Teams pull a lead from a third-party vendor, assume the vendor got consent, and never verify. The FCC's 2023 "one-to-one consent" rule, which was set to require that consent name the specific seller rather than a broad category of partners, went through a complicated legal and regulatory path [10]. Regardless of its current status, the underlying problem is real: chain-of-consent is often broken, and you are the one who gets sued.
The opt-out lag gap is second most common. A prospect texts STOP and your system suppresses them in the marketing platform but not in the dialer list. Two days later, a rep calls them manually off a spreadsheet. That's a violation.
The time-zone gap is underrated. If your team sits in Eastern time and calls West Coast leads from 8 a.m. to 9 a.m. Eastern, those calls hit Pacific recipients between 5 a.m. and 6 a.m. That's a violation on every single call [2].
The state law gap is growing fast. Florida's FTSA, enacted in 2021, applies to calls made to Florida area codes using an auto-dialer and allows a private right of action with $500 to $1,500 per call [5]. Many teams learned about it from a demand letter, not before.
For a broader look at what cold calling legally requires at the federal level, including what a live-agent call can and can't do, that page is worth reading alongside this one.
How do DNC scrubbing requirements affect the gap analysis?
DNC compliance is its own sub-analysis. The National Do Not Call Registry, maintained by the FTC, covers residential and wireless numbers where individuals have registered [3]. Telemarketers must access the registry and scrub their lists at least every 31 days. Accessing the registry takes a paid subscription for commercial users, though small organizations calling fewer than five area codes can access it for free [6].
Beyond the federal registry, check three things:
1. Your internal suppression list. Anyone who has previously asked you to stop calling must be on it, and it must be applied before every campaign. 2. State-level registries where applicable. Several states maintain their own lists. 3. Wireless-specific considerations. There is no separate "wireless DNC list" in the way some teams believe. Cell phones registered on the National DNC Registry get the same protections as landlines for telemarketing calls. For how the do not call list actually works and what numbers qualify, that's covered separately.
The gap analysis should produce a documented scrub cadence: a dated log showing when each list was scrubbed against which registry. If you can't produce that log for the last six months, you have a gap. To understand how telemarketers specifically access and use the registry, the do not call telemarketer list process is worth reviewing.
One thing teams miss constantly: if you buy a lead list, the list provider's scrub date does not protect you. The FTC's position is that the calling party is responsible for scrubbing against the current registry before placing calls. A list scrubbed 45 days ago is stale by federal standards [3].
How does the Facebook v. Duguid ruling change what you need to audit?
In Facebook, Inc. v. Duguid (2021), the Supreme Court held that an ATDS under the TCPA must use a random or sequential number generator, not merely have the capacity to store and dial numbers automatically [4]. As the Court stated, the TCPA's ATDS definition covers "equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator" [4].
This matters for your gap analysis because it changed the dialer risk calculus. A predictive dialer that dials from a static uploaded list is much less likely to qualify as an ATDS under the post-Duguid standard than it was before 2021. That's genuinely good news for many outbound teams.
Three risks remain. First, prerecorded messages have their own statutory section and require prior express written consent regardless of ATDS classification [1]. If your team uses voicemail drops or robocalls of any kind, Duguid gives you less protection than you might think. Second, some states define ATDS more broadly than the federal standard. Florida's FTSA uses a different definition that arguably captures predictive dialers [5]. Third, the plaintiff's bar has shifted to arguing that many modern dialers do use random or sequential generation under the hood, and that litigation is ongoing.
For your gap analysis template, the ATDS review row should include a note from legal counsel dated after April 1, 2021, reviewing your specific dialer software version. "We use a predictive dialer so we're fine" is not a legal review.
What should your consent documentation actually look like to pass audit?
Under the FCC's 2012 order implementing the TCPA, prior express written consent for autodialed marketing calls or texts to a cell phone must be a written agreement (including electronic) that clearly and conspicuously discloses that the consumer authorizes the seller to deliver, or cause to be delivered, telephone calls using an automatic telephone dialing system or an artificial or prerecorded voice [2].
That's a mouthful. The practical requirements are shorter:
- The consumer's signature (including electronic checkbox or click)
- A clear disclosure that they'll receive autodialed or prerecorded calls or texts
- Identification of who will be contacting them (the specific seller, not a category like "our marketing partners")
- The disclosure cannot be buried in general terms of service
- Consent cannot be a condition of purchase
For your gap analysis, audit a random sample of 20 recent leads. For each one, find the actual consent record: the timestamped form submission, the IP address, the disclosure language shown at the time of opt-in. If any record is missing, or the disclosure language doesn't meet the standard above, that's a critical gap.
If your leads come from a third-party source or affiliate, you need the consent records from them, and those records need to show consent to contact from your company specifically. This is where most purchased-list programs fall apart.
For operations using SMS as a channel, the text message marketing consent requirements add another layer of specificity worth reviewing separately.
How do state TCPA analogs affect your gap analysis scope?
The federal TCPA is the floor, not the ceiling. Several states have passed their own statutes that expand liability, and your gap analysis must account for the states where your leads are located, not where your office sits.
Florida's Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059, effective July 1, 2021, covers calls made with an auto-dialer to Florida numbers and provides for $500 in damages per call with no federal preemption [5]. Florida is the third-largest state by population. If you're doing any volume of outbound sales, you're calling Florida.
Washington's telephone solicitation statute imposes additional requirements. Oklahoma enacted SB 986 in 2022 with TCPA-like provisions. Maryland, Colorado, and others have pending or recently enacted laws. This landscape changes every legislative session.
The gap analysis state-law overlay section should list every state where more than 5 percent of your call volume originates (or where your leads are located), note whether that state has a TCPA analog, and identify the key differences from federal law. If you don't know, that's the gap.
For teams calling cell phones and wondering whether those numbers carry specific registry protections, the mobile phone do not call list question is worth understanding separately. The short answer: cell phones are covered by the National DNC Registry the same way landlines are, and the TCPA's consent rules for autodialers add a separate layer on top.
How often should you run a TCPA gap analysis?
Run a full gap analysis at least once a year. Run a targeted review any time you:
- Add a new lead source or data vendor
- Change your dialer software or vendor
- Expand into outbound SMS
- Start calling a new geographic market (especially Florida, Texas, California, or Washington)
- Receive a demand letter or notice of litigation
- Hire fast enough that your call volume grows more than 30 percent
The annual full analysis should work through all six domains with fresh eyes. Don't just update last year's spreadsheet. Pull new samples. Re-interview the people running the dialer. Check whether state laws have changed.
The in-between targeted reviews can be lighter: a 30-minute spot check on the specific domain that changed. New lead vendor? Run only the consent documentation and DNC scrub sections for that source.
LeadCompliant's free compliance kit includes a pre-built gap analysis spreadsheet and a DNC scrub log template if you want a starting point rather than building from scratch.
One honest note on frequency: nobody has clean data on how often small outbound teams actually run compliance audits versus how often they should. The closest signal is the gap between two numbers. Thousands of TCPA suits get filed against small businesses each year, per FCC reporting. Only a small fraction of companies run a documented audit program, based on any survey of legal and compliance professionals. That gap is the whole argument for doing this more often than feels necessary.
What should you do with the gap analysis results?
A gap analysis that sits in a folder is theater. The output has to drive changes.
For Critical gaps, stop the practice that creates the violation while you fix it. If you don't have consent documentation for a list you're actively calling, pause calls to that list. The short-term revenue hit is real. The alternative is $500 to $1,500 per call with no cap [1].
For High gaps, assign a specific owner and a hard deadline. Not "the compliance team" but one person's name. Not "next quarter" but a calendar date. Then check it.
For Low gaps, batch them into your next systems review or quarterly ops sprint. Worth fixing, not worth stopping campaigns over.
Document your remediation. When you fix a gap, write down what changed, who approved it, and when it went into effect. That documentation is your evidence of good faith if you ever face a TCPA claim. Courts and the FCC have given credit to companies that can show they found a problem and corrected it promptly, even when a violation happened before the fix.
Share the summary (not the full detail) with your sales leadership and any investors who ask about legal risk. A documented compliance program, even an imperfect one, is materially better than no program at all from a liability standpoint.
For grounding in what the TCPA actually requires before and after you run your analysis, the tcpa overview covers the statute's history and current FCC interpretations in one place. Understanding what cold calling legally looks like for outbound teams, including the difference between regulated and non-regulated call types, belongs in the same document set.
Frequently asked questions
What is the TCPA gap analysis template used for?
It's a structured checklist that maps your outbound calling and texting operations against 47 U.S.C. § 227 and FCC regulations. You work through six domains: consent, DNC scrubbing, dialer classification, call-time rules, state law overlays, and record-keeping. The output is a scored list of gaps with owners and deadlines, so you can fix problems before a plaintiff's attorney finds them.
How much can TCPA violations actually cost per call or text?
The statute sets $500 per violation for negligent violations and $1,500 per violation for willful ones, with no federal cap on class actions. 47 U.S.C. § 227(b)(3) states these as the available damages. A single SMS campaign to 10,000 recipients with a consent defect could produce $5 million in statutory exposure at the $500 rate, before any legal fees.
Do I need prior written consent to cold call a cell phone?
If you're using an automatic telephone dialing system or a prerecorded message, yes. 47 U.S.C. § 227(b)(1) prohibits autodialed or prerecorded calls to cell phones without prior express written consent. Live-agent calls to cell phone numbers not on the DNC Registry are generally allowed without written consent, though state laws in places like Florida apply stricter standards.
How often does the DNC list need to be scrubbed for legal compliance?
The FTC's Telemarketing Sales Rule requires scrubbing against the National Do Not Call Registry at least every 31 days. Your internal suppression list (people who have asked you to stop calling) must be applied before every campaign. Some state laws require shorter windows. Document each scrub with a date, and keep those records for at least 24 months per FTC rules.
Does the Facebook v. Duguid ruling mean my predictive dialer is definitely not an ATDS?
Not definitively. Duguid narrowed the ATDS definition to systems using a random or sequential number generator, which helps many predictive dialer users. But prerecorded calls still require written consent regardless of ATDS status, some state laws use broader definitions, and litigation about whether specific dialers meet even the narrow Duguid standard is ongoing. Get a legal review of your actual dialer version.
What states have stricter TCPA-like laws that affect outbound sales?
Florida's FTSA (Fla. Stat. § 501.059) is the biggest risk for most teams, applying to autodialed calls to Florida numbers with $500-$1,500 per-call damages and a private right of action. Washington, Oklahoma, and Maryland have also enacted or strengthened telephone solicitation statutes. Check the laws of any state where more than 5 percent of your call volume is directed.
Can I rely on my lead vendor's consent documentation?
Not safely. The FTC's position is that the calling party bears responsibility for compliance, including valid consent. If a vendor's consent language doesn't specifically name your company, or their records are incomplete, the liability falls on you. Ask vendors for a sample consent record from a real opt-in, read the disclosure language, and confirm it meets FCC standards before you call any list they supply.
What records do I need to keep and for how long?
The FTC's Telemarketing Sales Rule requires telemarketers to keep records related to consent and DNC scrubbing for 24 months. In practice, keep consent records for as long as you're calling or texting that person plus 24 months, since TCPA claims have a four-year federal statute of limitations. Store records in a system where you can retrieve a specific record for a specific number within 24 hours.
What is the minimum viable TCPA compliance program for a small outbound team?
At minimum: written consent documentation for every cell number you autodial or text, a 31-day DNC scrub cadence with dated logs, call-time enforcement by recipient time zone, a functional opt-out process that suppresses within 24 hours, and a record-keeping system that survives an employee departure. That's not the whole picture, but it covers the four most common sources of TCPA litigation for small teams.
How do I know if my opt-out process has a gap?
Run a test. Have someone call your number and say "take me off your list," then text STOP from another number. Wait 48 hours and check whether either number appears in your next dial or send list. If it does, you have a gap. Also check whether opt-outs captured in your CRM flow automatically into your dialer suppression list. Many teams have a sync failure there.
Is this article legal advice?
No. This article is educational information about publicly available law and FCC guidance. It is not legal advice and does not create an attorney-client relationship. TCPA compliance depends on facts specific to your business, your technology, and your state. Consult a licensed attorney before making compliance decisions based on this content.
What is the difference between prior express consent and prior express written consent?
Prior express consent (verbal or written) is sufficient for some non-marketing calls. Prior express written consent is required for autodialed or prerecorded marketing calls and texts to cell phones under 47 U.S.C. § 227 and the FCC's 2012 order. Marketing is the key word: if your call has any promotional component, you need the written form, which includes electronic signatures and checkbox agreements.
How do I get access to the National DNC Registry to run scrubs?
Register at the FTC's official registry site. Organizations making calls to fewer than five area codes pay nothing. Larger operations pay a fee per area code accessed, capped annually. You download data files and compare them against your calling list. Many dialer vendors offer automated scrubbing integrations, but confirm the vendor's scrub frequency and get it documented in your contract.
Do texts count as calls under the TCPA?
Yes. The FCC has consistently interpreted text messages as "calls" under 47 U.S.C. § 227. Autodialed or prerecorded text messages to cell phones require prior express written consent for marketing purposes. The FCC affirmed this interpretation in its 2003 and 2012 orders. This means your SMS marketing program is subject to the same consent and opt-out requirements as your autodialed voice calls.
Sources
- U.S. Congress, Telephone Consumer Protection Act, 47 U.S.C. § 227: TCPA statutory damages are $500 per violation for negligent violations and $1,500 per willful violation; prior express written consent required for autodialed/prerecorded calls to cell phones
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310 and National Do Not Call Registry: Telemarketers must scrub against the National DNC Registry every 31 days and retain consent and scrub records for 24 months
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS definition under TCPA requires use of a random or sequential number generator; Court stated the TCPA covers 'equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator'
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA effective July 1, 2021, applies to autodialed calls to Florida numbers, provides private right of action for $500-$1,500 per call
- FTC, National Do Not Call Registry (registration and access for telemarketers): Organizations calling fewer than five area codes can access the registry for free; larger telemarketers pay per area code accessed
- FTC, Consumer Guidance on the Do Not Call Registry and Unwanted Calls: Prohibition on telephone solicitations before 8am or after 9pm local time at the called party's location, and general DNC consumer protections
- FTC, Press Releases (TCPA and telemarketing enforcement): Cash App TCPA class action settlement reached $7.5 million for text message violations (widely reported in 2023)
- Consumer Financial Protection Bureau: Credit One Bank paid $9 million to settle TCPA claims involving autodialed calls
- FTC, Complying with the Telemarketing Sales Rule (business guidance): TSR requires telemarketers to maintain records of consent documentation and DNC scrubs for 24 months