TCPA compliance tools: what actually works and what's a waste

The right TCPA tools cut litigation risk and cost. We cover phone scrubbers, consent platforms, audit checkers, and reassigned number databases, plus what to skip.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-10

Compliance officer reviewing outbound call records at a desk for TCPA compliance
Compliance officer reviewing outbound call records at a desk for TCPA compliance

TL;DR

TCPA compliance tools fall into four categories: phone number scrubbers (DNC and litigator lists), consent capture and storage platforms, call/SMS audit loggers, and real-time reassigned number checkers. The minimum defensible stack for any outbound team over a few hundred contacts per week is a scrubber plus a consent log, run together on every campaign. Tools do not make you immune. They give you evidence.

What are TCPA compliance tools and why do outbound teams need them?

The Telephone Consumer Protection Act, 47 U.S.C. § 227, lets plaintiffs collect $500 to $1,500 per call or text that breaks its rules [1]. There is no cap on violations per lawsuit. A company that sends 50,000 unconsented texts faces potential statutory damages of $25 million to $75 million before a court even considers trebling. That math is why compliance tooling exists.

TCPA compliance tools are software, databases, or automated checks that keep outbound teams away from the specific acts the statute prohibits: calling numbers on the National Do Not Call Registry without permission, using an automatic telephone dialing system or prerecorded voice without prior express written consent, and reaching a number that has been reassigned to someone new who never agreed to hear from you [1][2].

Small teams often assume this is an enterprise problem. It isn't. Plaintiff attorneys go after small and mid-sized companies precisely because those companies settle fast. A single TCPA class action settlement routinely runs into the millions, as the Truist Bank TCPA class action settlement and the UnitedHealthcare $2.5M alleged TCPA violations matter both show.

Tools do not make you immune. What they do is build a documented, good-faith compliance posture, and that posture is the single biggest factor in how courts and the FCC treat defendants who get sued anyway.

What are the main categories of TCPA tools?

There are four tool categories, and each solves a different problem. Buying one and calling it done is a common and expensive mistake.

1. Phone number scrubbers (DNC and litigator list suppression) These check your contact list against the FTC's National Do Not Call Registry and, separately, against proprietary lists of known TCPA serial litigants. The FTC gives businesses free access to the first 5 phone numbers, then charges roughly $75 per area code annually, up to $19,375 for the full nationwide file as of 2024 [3]. Most scrubbing vendors fold the government access fee into a per-record or subscription price.

2. Reassigned number checkers The FCC's Reassigned Numbers Database (RND), live since January 2021, is the only government-sourced registry that tells you whether a number has been permanently disconnected and possibly reassigned to a new subscriber [4]. The FCC charges carriers to submit data; callers reach it through registered queriers. The safe harbor from TCPA liability for reassigned number calls kicks in when you query the RND before a campaign and get no indication of reassignment [4].

3. Consent capture and storage platforms Prior express written consent under 47 C.F.R. § 64.1200 has to be documented. These tools build a timestamped, auditable record of exactly what disclosure language a consumer saw, when they agreed, and through what channel (web form, SMS keyword, IVR). Some connect straight to your CRM. Some hold the records for you in case of litigation.

4. Compliance audit and workflow tools These sit over your dialer or texting platform and flag likely violations before they happen: calls outside 8 a.m. to 9 p.m. local time, contact with someone who opted out, or a script missing required disclosures. Some are standalone. Many dialers now build them in.

A defensible stack combines at least categories 1, 2, and 3. Category 4 earns its keep once you pass roughly 10,000 contacts per month, though that threshold is my read of where audit complexity outpaces manual review, not a number set by any regulator.

How does a phone number scrubber actually work?

You upload a contact list, the scrubber hashes or directly queries each number against one or more databases, and it returns a suppression flag. The databases vary by vendor. The ones that matter legally are:

  • The National Do Not Call Registry, run by the FTC [3]
  • State-level DNC lists (Florida, Indiana, Texas, Wyoming, and a handful of others keep separate registries) [5]
  • Litigator lists (proprietary, built from public TCPA case records)
  • The FCC Reassigned Numbers Database [4]

Scrub frequency matters as much as the scrub itself. FTC rules require businesses to scrub against the National DNC Registry no more than 31 days before calling a given number [3]. Pull a list on March 1, call from it on April 5, and you have a problem. The 31-day rule is exact, and teams that scrub once a quarter get it wrong constantly.

Litigator list scrubbing is not required by law. It matters anyway. Serial TCPA plaintiffs, sometimes called "TCPA trolls," register numbers built to catch calls from predictive dialers. They track inbound calls with care and file suit in bulk. Vendors like DNC.com sell lists of these numbers, usually on subscription. I think this is money well spent for anyone doing outbound at volume, but understand there is no statutory safe harbor attached to it. It's a risk-management move, not a compliance checkbox.

Scrubbers run anywhere from a fraction of a cent to about two cents per record, with minimums and subscription options that make volume pricing the norm. That range is a market observation, not a guarantee, and it moves depending on which databases come bundled.

Key TCPA compliance numbers every outbound team must know Statutory thresholds, deadlines, and cost benchmarks 1,500 $500 to $1,500 per violation 31 31-day max DNC scrub age 4 4-year audit/records look-b… 19k $19,375 national DNC file annual fee Source: 47 U.S.C. § 227; FTC DNC Registry (donotcall.gov); 28 U.S.C. § 1658

What is the FCC Reassigned Numbers Database and how do you use it?

The FCC finalized the Reassigned Numbers Database rules in December 2018, and the database went live in January 2021 [4]. It solves one specific problem: you have consent from the person who held a number six months ago, but that person ported away or disconnected, and someone new holds it now. Calling the new subscriber is a TCPA violation even though your records show consent.

The FCC's language on the safe harbor is direct. Its Second Report and Order states that a caller who queries the database before a campaign and gets a "no data" or "not reassigned" result gets a safe harbor from liability for that call if reassignment happened after the date of the most recent disconnect event in the database [4]. The safe harbor is one call deep. If you call and the new subscriber signals a wrong number, you cannot call again and still claim it.

To use the database, you register as a querier through the FCC's portal. The fee structure for queriers has changed since launch. Recent guidance puts the cost for smaller-volume queriers low, but verify current pricing directly with the FCC's RND portal, since the database administrator sets fees under FCC oversight [4].

Most enterprise-grade TCPA tools now include RND integration as standard. If a vendor's scrubber doesn't hit the RND, that's a real gap in your coverage. Ask before you sign.

What is the TCPA audit period and how long should you keep compliance records?

The TCPA's statute of limitations for private lawsuits is four years, under 28 U.S.C. § 1658, the federal catch-all limitations period for federal statutory claims [6]. Courts have applied this four-year window to TCPA private rights of action again and again. That's the number that should govern your record-keeping policy.

Four years means you need call logs, scrub receipts, consent records, opt-out acknowledgments, and any DNC registration documents going back at least four years from today. Destroy records after two years and you cannot prove you had consent or ran a DNC scrub on the date in question. You lose on the facts even when you were actually compliant.

Some compliance attorneys push for five years as a buffer, since disputes over when a claim accrues can stretch the effective window. That's reasonable caution. Beyond five years, you get diminishing legal return against rising cost and complexity.

What should you keep? At minimum: the consent record (timestamp, IP address or channel, disclosure language shown), the scrub log (date, database version queried, result per number), every opt-out request and the date you honored it, and call/text logs showing date, time, and number contacted. If you're using a TCPA compliance audit tool, it should export these in a format you can produce in discovery.

No single federal agency mandates a specific TCPA record-retention period the way HIPAA mandates six years for covered entities. The four-year answer comes from the litigation limitations period, not an explicit retention schedule. Anyone who tells you otherwise is guessing.

47 C.F.R. § 64.1200(f)(9) defines "prior express written consent" as an agreement, in writing, that clearly authorizes the seller to deliver calls or texts using an autodialer or prerecorded voice, to the specific number provided, for a specific purpose. The rules require the agreement to include the phone number and a clear and conspicuous disclosure [2].

A consent capture platform does several things a hand-maintained spreadsheet cannot. It locks in the exact disclosure language a consumer saw at opt-in, so no one can later accuse you of retroactively widening your consent language. It timestamps the event with UTC precision. It logs the IP address. It stores the full session context. And it ties the record to a specific phone number, more than a name or email.

So what makes a consent record fall apart in court? Vague disclosure language, most often. "You agree to receive communications from us" does not satisfy TCPA prior express written consent for autodialer calls or prerecorded messages. The disclosure has to name the seller (or sellers, in a lead gen context), describe the type of calls or texts, and state clearly that consent is not a condition of purchase [2].

The FCC's 2024 one-to-one consent rule, effective January 2025, tightened this further by requiring consent to be specific to a single identified seller, not bundled across dozens of partners behind one checkbox [7]. Lead generation companies and their buyers need to watch this closely. If your consent form names multiple buyers, you probably need to rewrite it.

For teams doing text message marketing or text messaging marketing at volume, consent platform selection is probably the highest-leverage compliance decision on the table. A bad consent record is very hard to fix after the fact.

What should a TCPA compliance audit tool actually check?

A TCPA compliance audit tool is only as good as the checklist it runs against. Here's what a good one covers.

Call timing. The TCPA bans calls before 8 a.m. or after 9 p.m. local time at the called party's location [1]. "Local time" means the called number's area code, not your office's time zone. The tool should check call timestamps against the area code of each dialed number.

Opt-out honoring. Every opt-out request has to be honored within a reasonable time. The FTC's Telemarketing Sales Rule requires honoring within 30 days for calls [8]. Many TCPA practitioners apply the same standard to texts, though the SMS standard comes from industry practice and consent-agreement interpretation, not explicit TCPA text. The tool should flag any contact who requested opt-out in the last 30 days.

Consent chain integrity. For each number dialed or texted, can you trace a consent record? An audit should surface any number on your campaign list with no linked consent.

Scrub recency. When was this number last checked against the DNC Registry? Older than 31 days and the scrub is stale under FTC rules [3].

Reassignment check. Has the RND been queried for this number before this campaign?

Internal DNC list compliance. If a consumer called your company to opt out (adding themselves to your internal DNC list), are they suppressed?

LeadCompliant offers a free checklist-based TCPA compliance audit tool that walks through most of these items without asking you to upload data. It's a good starting point before you pay for a platform.

The audit is not a one-time event. Teams that treat compliance as a quarterly audit instead of a continuous process are the ones that get burned. Volume decides the method: a team sending 500 messages a month can audit by hand; one sending 50,000 needs automated, real-time checks.

How much do TCPA compliance tools cost?

Pricing swings a lot by feature set and volume. Here are real ranges based on public vendor information and market observation. These are budgeting ballparks, not quotes.

Tool typeTypical pricing structureRough cost range
DNC scrubbing (government file)Per record or subscription$0.001 to $0.02 per record; or $500 to $5,000/year for small-mid volume
Litigator list suppressionAdd-on subscription$100 to $500/month depending on volume
Reassigned Numbers Database accessPer query through registered querier$0.001 to $0.005 per query (varies by intermediary)
Consent capture/storage platformSaaS subscription$200 to $2,000/month depending on volume and features
Full compliance audit platformSaaS subscription$500 to $5,000/month for mid-market; enterprise runs higher
Attorney-led compliance auditOne-time or annual engagement$2,500 to $15,000+ depending on scope

FCC National DNC Registry access: the first 5 area codes are free, a single area code runs $75/year, and the complete national file runs $19,375/year [3]. Most businesses buy access through a third-party scrubbing vendor that bundles it in.

The honest read: a team under 5,000 contacts per month can cover the basics for $300 to $800 per month in tooling. Past that volume, the economics of a TCPA suit (class action settlements land in the millions [6]) make even $3,000/month in tooling look cheap. The Credit One TCPA settlement and the Cash App TCPA class action settlement are useful reference points for what real litigation costs.

What TCPA tool features should you ask vendors about before buying?

The pitch deck says everything's covered. Here are the questions that surface real gaps.

Does your DNC scrub include state-level lists? The National Registry isn't enough in states like Florida and Texas, which run their own DNC registries with separate legal teeth [5]. If the answer is no, you have to supplement.

What's your database refresh cadence? The FTC updates the National DNC Registry daily. A vendor refreshing weekly or monthly hands you stale data at call time.

Do you integrate with the FCC Reassigned Numbers Database directly? Some vendors say "yes" but mean they use a third-party intermediary that batches queries. That may still satisfy the safe harbor, but you want the specifics.

What consent record format do you export? In litigation you may need to produce records within days. A vendor offering only a proprietary portal download, not a portable CSV or PDF with every required field, creates production risk.

Do you store the specific disclosure language shown to each consumer? Many consent tools store a "consent flag" without archiving the actual form language. That's close to useless in court, because the defendant has to show what was disclosed, more than that a box was checked.

What's your data retention policy? If the vendor purges records after 18 months and you need a four-year look-back, you have a gap [6].

Do you have an API? Running campaigns through a CRM or dialer, a tool that demands manual CSV uploads creates friction that teams skip under deadline pressure. Automation is the only thing that runs consistently.

How do TCPA tools fit into a real outbound compliance workflow?

Tools are only as good as the process they sit inside. Here's a workflow that reflects how compliant outbound teams actually run, not a theoretical diagram.

Step 1: List intake. Before a new contact list enters your dialer or SMS platform, run it through your scrubber: National DNC, state DNC, litigator list, and RND. Log the date and result. Flag and remove suppressed numbers. Do not import suppressed records into the dialer, even as inactive. Too many teams pull them from the send queue but leave them in the database, where they get reactivated by accident.

Step 2: Consent verification. For each number, confirm a consent record exists and sits inside its valid window. Consent for one purpose (a product inquiry) does not cover a different purpose (a collections call). The consent has to match the use case.

Step 3: Campaign launch with real-time safeguards. Your dialer or texting platform should enforce time-of-day limits automatically, not depend on your team watching a clock. Set cutoffs at 8:01 a.m. and 8:59 p.m. local time with a buffer, not right at the statutory line.

Step 4: Opt-out handling. Every opt-out, whether by SMS STOP, verbal request on a call, or web form, has to feed back into your suppression list within 24 hours at most. An opt-out not honored within 30 days is a separate TCPA violation [8].

Step 5: Post-campaign audit. Pull the call/text log, cross-reference against your scrub records and consent database, and flag anomalies. This is where a TCPA compliance audit tool earns its cost. A manual audit of 50,000 records isn't realistic. An automated one that surfaces exceptions in a report takes minutes.

Step 6: Record retention. Archive consent records, scrub logs, and call logs for at least four years [6]. Store them with access controls and a backup. A shared Google Drive folder is not adequate for litigation.

LeadCompliant's free compliance kit includes a workflow template and a checklist that maps these steps to specific tool functions, which helps you spot gaps in your current setup before they show up as a lawsuit.

Are there free TCPA tools worth using?

Yes, with honest caveats about what free actually covers.

The FTC offers free access to the National Do Not Call Registry for up to five phone numbers at donotcall.gov [3]. Useful for spot checks. Useless for running a list of 10,000 numbers.

The FCC's consumer complaint database is public and searchable. It's not a compliance tool as such, but it lets you see complaint patterns that sometimes predict litigation targeting [9].

Some vendors offer free tiers or trials: number lookup tools, basic consent widgets, lite versions of audit checklists. These work fine for very small outbound programs. The catch is that free tiers usually exclude the features that matter most in litigation (RND integration, litigator list checks, consent archiving).

Free tools for consumers, like how to stop robocalls resources, are a separate category. They help consumers register on DNC lists, which matters to outbound teams because those registrations change which numbers you can legally call.

My honest take: use free tools for spot checks and internal education. For any real outbound program, even a small one, budget for at least a basic paid scrubbing subscription. The FTC's national file alone costs $19,375 [3], which is exactly why paying a vendor who spreads that across thousands of customers makes financial sense.

What do TCPA settlements tell us about where tools fail?

Reading real TCPA settlements is the most useful way to understand what tool gaps cost.

The pattern in large settlements is almost never "the tool failed." It's almost always one of three things: the tool wasn't used consistently, the consent records didn't match the use case, or opt-outs didn't feed back into the suppression system in time.

The Albertsons/Safeway TCPA settlement and Kaiser TCPA settlement both turned on allegations where consent or opt-out handling was the central dispute. In the Joseph Snyder Credit One TCPA matter, whether calls were made with prior express consent sat at the core of the case.

This is why I keep landing on consent storage as the highest-leverage tool investment. A scrubber removes numbers from lists. A consent platform provides evidence. In litigation, evidence decides whether you pay $0 or $1,500 per violation.

The FCC's 2024 one-to-one consent rule, effective January 2025, will likely trigger a wave of new litigation as plaintiffs challenge consent records that predate the rule or were never updated to comply with it [7]. Teams that haven't audited their consent capture forms since early 2024 should treat that as urgent. Staying current on tcpa news is one practical way to catch rule changes before they turn into liability.

Frequently asked questions

What is the TCPA audit period?

The TCPA's statute of limitations for private lawsuits is four years, under 28 U.S.C. § 1658. Plaintiffs can sue over calls or texts made up to four years before the filing date. Retain consent records, scrub logs, call logs, and opt-out acknowledgments for at least four years. Many compliance attorneys recommend five years as a buffer against disputes over when a claim accrues.

What is the minimum TCPA compliance tool stack for a small outbound team?

At bare minimum: a National DNC scrubber run within 31 days of each call, an RND query for reassigned numbers, and a consent storage system that logs the timestamp, disclosure language, and phone number for each opt-in. These three cover the most common grounds for TCPA litigation. Add a litigator list suppression subscription if you're calling above a few thousand contacts per week.

How often do you need to scrub a phone list against the Do Not Call Registry?

FTC regulations require businesses to scrub against the National Do Not Call Registry no more than 31 days before calling a given number. If your scrub is older than 31 days, it doesn't satisfy the safe harbor. Running a fresh scrub at the start of every campaign is the simplest way to stay compliant.

Querying the FCC Reassigned Numbers Database before a campaign provides a specific statutory safe harbor for reassigned number calls, up to one call after a mismatch indication. DNC scrubbing provides a safe harbor if done within 31 days and you have an established business relationship or consent on file. No tool provides blanket immunity. A tool creates a documented good-faith posture that courts weigh, but the underlying consent and suppression requirements still have to be met.

A defensible consent record includes the exact disclosure language the consumer saw at opt-in, the date and time (UTC), the channel (web form, SMS keyword, IVR), the specific phone number consented, and confirmation that consent was not a condition of purchase. After the FCC's 2024 one-to-one consent rule (effective January 2025), the record must also show consent was given to a single, specifically named seller, not a bundled list of partners.

What is the FCC Reassigned Numbers Database and who has to use it?

The FCC Reassigned Numbers Database (RND) is a government database, live since January 2021, that tracks permanently disconnected phone numbers. No one is legally required to query it, but doing so before a campaign provides an FCC-created safe harbor from TCPA liability if a number was reassigned after the date of the most recent disconnect event in the database. Any outbound caller using autodialers should treat it as required practice.

Can I use a spreadsheet instead of a TCPA compliance tool?

You can manage small volumes by hand, but a spreadsheet cannot query the National DNC Registry, hit the Reassigned Numbers Database in real time, or lock in consent record snapshots that hold up in litigation. Manual processes also fail under deadline pressure. For teams doing more than a few hundred outbound contacts per week, manual tracking creates gaps that are very hard to close after a complaint is filed.

What should I look for in a TCPA tool for SMS marketing?

For SMS specifically: consent storage that captures the exact opt-in keyword and disclosure language, automated STOP/HELP keyword handling, carrier filtering to avoid blocked numbers, and integration with your texting platform so opt-outs flow back to your suppression list in real time. The FCC's 2024 one-to-one consent rule applies to texts as much as calls, so consent form compliance matters as much as the delivery-side tooling.

How do litigator list scrubbing tools work?

Vendors compile lists of phone numbers tied to known serial TCPA plaintiffs from public court records, legal databases, and investigative research. Before you dial, the scrubber checks each number against this proprietary list and flags it for removal. There is no government-mandated safe harbor for litigator list scrubbing, but it's a widely used risk-reduction practice. Subscription costs typically run $100 to $500 per month depending on volume and the vendor's data depth.

Do TCPA compliance tools cover state-level Do Not Call laws too?

Some do, some don't. States like Florida, Indiana, Texas, and Wyoming run separate DNC registries with their own rules and penalties, independent of the federal National DNC Registry. Before signing with any scrubbing vendor, confirm exactly which state-level lists are included. If your state isn't covered, supplement with direct state access or a vendor that includes it.

What records do I need to produce if I get a TCPA lawsuit?

In discovery you'll typically need to produce call or text logs (date, time, number, campaign ID), consent records for each contacted number, DNC scrub logs with dates and results, opt-out request logs and suppression dates, and any dialer or SMS platform settings showing how calls were initiated. If you cannot produce these, courts often allow an adverse inference, meaning the jury can assume you did not comply.

Is there a free TCPA compliance tool I can start with today?

The FTC's donotcall.gov lets you check up to five numbers for free, useful for spot checks. Several vendors offer free-tier checkers and audit checklists, including LeadCompliant's free compliance kit. Free tools fit very small volumes or learning what gaps exist in your process. For any real outbound program, a paid scrubbing subscription is necessary, because the government DNC file alone costs $19,375 for full national access.

The FCC's 2024 rule, effective January 2025, requires written consent for autodialed calls and texts to be given to a single, specifically identified seller, not bundled across multiple companies in one checkbox. TCPA consent platforms now need to capture which specific entity received consent, more than that a consumer clicked agree. Lead generators and their buyers should audit existing consent flows to confirm they meet this standard.

What happens if my TCPA tool has a bug and I call a DNC number by mistake?

A technical error does not automatically give you a defense. The FTC's safe harbor for established business relationship calls and the FCC's RND safe harbor both have specific conditions. If the tool failed due to a vendor error, you may have an indemnification claim against the vendor, depending on your contract. Courts have found that relying on a defective tool is not a complete defense to TCPA liability, which is why your vendor contract's indemnification and SLA terms matter a lot.

Sources

  1. U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA statutory damages of $500 to $1,500 per violation; restrictions on autodialer use and prerecorded voice calls
  2. FCC, 47 C.F.R. § 64.1200 (FCC TCPA implementing rules): Prior express written consent requirements including specific disclosure language and non-condition-of-purchase requirement
  3. FTC, National Do Not Call Registry – donotcall.gov: DNC Registry access pricing, 31-day scrub requirement, and free access for up to five numbers
  4. National Association of Attorneys General, State Do Not Call Laws Overview: Multiple states including Florida, Indiana, Texas, and Wyoming maintain separate DNC registries
  5. U.S. Government, 28 U.S.C. § 1658 (Federal catch-all statute of limitations): Four-year statute of limitations for federal statutory claims including TCPA private rights of action
  6. FTC, Telemarketing Sales Rule (16 C.F.R. Part 310): Requirement to honor do-not-call requests within 30 days under the Telemarketing Sales Rule
  7. FCC, Consumer Complaint Center (consumercomplaints.fcc.gov): Public FCC consumer complaint data on robocalls and unwanted calls
  8. FTC, Do Not Call Registry – donotcall.gov: National DNC Registry free spot-check access for consumers and businesses checking up to five numbers

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit