Skip to content
DialPhone
Start free trial

Glossary · TCPA

What is the TCPA?

The TCPA (Telephone Consumer Protection Act of 1991) is a US federal law that restricts unsolicited telemarketing calls, auto-dialed calls, prerecorded calls, text messages, and junk faxes. Enforced by the FCC and through private rights of action, TCPA violations carry statutory damages of $500 to $1,500 per violation. Businesses running outbound dialing or SMS campaigns must comply with consent, opt-out, and caller-identification requirements or face class-action exposure that has historically reached tens of millions of dollars per case.

Core TCPA requirements

For telemarketing calls or SMS to mobile phones, the sender must have prior express written consent from the recipient. The consent must:

  • Be in writing (physical signature or E-SIGN electronic consent)
  • Clearly identify the sender
  • Disclose that the message may be delivered by autodialer or prerecorded voice
  • Note that consent is not a condition of purchase

For non-marketing informational calls/SMS, prior express consent (less formal, can be implied from giving a phone number for that purpose) is often sufficient.

Honor opt-out / STOP

Recipients must have a clear way to opt out. For SMS, any reply with STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT must immediately suppress further messaging. For voice, the caller must have a way to revoke consent.

DialPhone handles STOP keywords automatically with no setup required.

Time-of-day restrictions

Telemarketing calls (and SMS by analogy) are restricted to between 8 AM and 9 PM in the recipient’s local time zone. Time-zone-aware scheduling is required for campaigns across regions.

Caller identification

Callers must identify themselves, the business they represent, and (for sales calls) provide a callback number.

Do Not Call Registry

TCPA incorporates the National Do Not Call (DNC) Registry. Callers must scrub outbound lists against the DNC Registry and suppress numbers present on it. Exceptions: prior business relationship (up to 18 months), existing customer relationship, and prior express consent.

Consent can be revoked by the recipient at any time through any reasonable means — a reply of STOP, a verbal request on a call, an email, or any other clear method. Under current FCC rules, senders must honor a revocation within a reasonable time, not to exceed 10 business days.

Who must comply with TCPA

  • Telemarketers: anyone making outbound sales calls
  • Debt collectors: subject to TCPA plus FDCPA
  • Political campaigns: TCPA applies to autodialed political calls (though with some exemptions)
  • Nonprofits: have some exemptions for tax-exempt calls but not unlimited
  • B2B sales: historically a partial exemption; evolving case law is narrowing this
  • Mobile SMS senders: every business texting US mobile numbers
  • Healthcare providers: appointment reminders have limited TCPA exceptions with conditions

Essentially anyone making outbound calls or SMS to US phone numbers at any scale needs a TCPA compliance posture.

TCPA penalties

  • Statutory damages: $500 per violation
  • Willful or knowing violations: up to $1,500 per violation (triple damages)
  • No cap per plaintiff
  • Class actions common: combining thousands of violations per case
  • Historical settlements have reached $75M, $125M, $1.5B

One “violation” can be one call or one SMS. A 10,000-recipient campaign with bad consent is potentially $5M in statutory damages before triple-damages.

Autodialer and ATDS definition

TCPA restricts use of an “automatic telephone dialing system” (ATDS). The Supreme Court’s Facebook v. Duguid (2021) decision narrowed the ATDS definition to systems using a random or sequential number generator. This reduced TCPA exposure for many business dialers that dial from a stored list. But:

  • State-level mini-TCPAs (Florida, Oklahoma, Washington) have broader definitions
  • Prerecorded voice calls remain strictly regulated regardless of ATDS
  • Many courts are still interpreting Duguid
  • SMS rules are largely unaffected by Duguid

The safest posture is still: obtain prior express written consent before using any automated system to call or text US mobile numbers.

TCPA and text messaging

US courts have treated an SMS as the legal equivalent of a call under the TCPA for decades, so every rule above applies to business texting:

  • Marketing texts to mobile numbers need prior express written consent — the same standard as a marketing call.
  • Informational texts (appointment reminders, order updates) to a number the customer provided for that purpose generally rely on the lower prior-express-consent standard, as long as they carry no marketing.
  • STOP must work instantly. A reply of STOP, UNSUBSCRIBE, CANCEL, END, or QUIT must suppress further messages immediately.
  • Quiet hours apply. Promotional texts should follow the same 8 AM–9 PM recipient-local-time window as calls.

This is also where the TCPA and 10DLC intersect. 10DLC is the carrier registration system that decides whether your texts are delivered; the TCPA is the federal law that decides whether you are allowed to send them. A campaign can be perfectly 10DLC-registered and still generate TCPA liability if the consent behind the list is bad. You need both: 10DLC for deliverability, TCPA-grade consent for legality.

Recent TCPA developments

The TCPA is a 1991 statute, but the rules around it keep moving. Two developments matter most for current compliance:

  • Consent revocation, tightened. The FCC clarified that consumers may revoke consent through any reasonable means — there is no required magic word or channel — and that senders must honor the revocation within a reasonable time not to exceed 10 business days. A business cannot dictate that opt-outs only count if sent a particular way.
  • Consent must be specific. Regulatory and litigation attention has increasingly focused on whether consent is genuinely tied to the specific sender contacting the consumer, rather than buried in a broad “marketing partners” disclosure on a lead-generation form. The safest reading: consent should name the actual business that will call or text.

The direction of travel is consistent — narrower exemptions, clearer and more specific consent, and faster opt-out handling. Treat older “we have their number, that’s consent” assumptions as unsafe.

Most TCPA exposure comes from weak consent capture, not from the messaging itself. A defensible consent flow has five parts:

  1. A clear opt-in checkbox — unchecked by default, with plain-language text stating the consumer agrees to receive calls and texts from your named business, including by autodialer or prerecorded voice.
  2. The “not a condition of purchase” disclosure — required for marketing consent. The consumer must be able to buy without agreeing to messaging.
  3. A timestamped, attributable record — capture the date, time, IP address, the exact consent language shown, and the form or channel. Store it for at least four years.
  4. Channel-appropriate confirmation — for SMS, send a single confirmation message that states the program, message frequency, “message and data rates may apply,” and “Reply STOP to opt out.”
  5. A live suppression list — every opt-out, complaint, and revocation feeds an internal do-not-contact list that is honored across every channel and every campaign.

The test is simple: if a plaintiff’s lawyer demands proof that a specific person agreed to hear from you, can you produce a clean, timestamped record showing exactly what they saw and agreed to? If not, the consent is not defensible.

TCPA compliance checklist

  • Obtain prior express written consent before making autodialed or prerecorded marketing calls/SMS to mobile numbers
  • Document consent: keep records (timestamp, IP, form language) for at least 4 years
  • Scrub outbound lists against DNC Registry before every campaign
  • Maintain internal DNC list: honor any recipient-specific requests to stop
  • Configure time-of-day restrictions based on recipient time zones (8am–9pm local)
  • Handle STOP keywords automatically for SMS
  • Include caller/sender identification in every call/message
  • Provide callback number for sales calls
  • Honor revocations promptly — within a reasonable time, not to exceed 10 business days
  • Review exemptions carefully: they are narrow
  • Train agents and monitor: TCPA violations often come from rogue agents
  • Carry insurance: E&O or specific TCPA coverage for higher-risk activities

DialPhone’s TCPA features

  • Consent audit trail: every opt-in tracked with timestamp, source, and form language
  • DNC list scrubbing: automatic suppression against National DNC Registry on every outbound campaign
  • STOP keyword handling: automatic honoring of STOP/STOPALL/UNSUBSCRIBE on SMS
  • Quiet hours enforcement: calls and SMS blocked outside 8am–9pm recipient local time
  • On-screen TCPA alerts: DialPhone’s outbound dialer warns reps in real time if they are about to call a DNC-listed number
  • Time-zone-aware scheduling: campaigns automatically split by recipient time zone
  • Revocation handling: opt-out propagates across all channels within 30 seconds (well under the regulatory limit)

See DialPhone outbound dialing compliance → · See business SMS compliance →

State-level mini-TCPAs

Several states have enacted their own versions of TCPA with broader definitions, higher penalties, or additional requirements:

  • Florida Telephone Solicitation Act: broader ATDS definition; $500-$1,500 per violation
  • Oklahoma Telephone Solicitation Act: similar to Florida
  • Washington State: automated call restrictions

Check state law in every state you call. Outbound campaigns targeting multiple states should apply the strictest rule across all.

Example

A health-and-wellness SaaS platform bought a B2C email list “with SMS consent” from a third party and launched a 50,000-recipient SMS marketing campaign without checking consent provenance or DNC scrubbing. Four recipients on the Do Not Call Registry filed complaints, which became a class action. Settlement: $6.8M after three years of litigation, plus legal fees of roughly $2M. They would have paid a vendor a few thousand dollars for proper consent verification + DNC scrubbing and avoided the entire exposure.

TCPA frequently asked questions

What does TCPA stand for?

TCPA stands for the Telephone Consumer Protection Act, a US federal law passed in 1991. It was enacted to curb unsolicited telemarketing and protect consumers from unwanted automated calls, prerecorded messages, and (as courts later confirmed) text messages and junk faxes. The law is enforced by the FCC and, importantly, through a private right of action — meaning consumers can sue directly, which is why the TCPA generates so much class-action litigation.

What counts as a TCPA violation?

A TCPA violation is any restricted communication sent without the required consent or in breach of the rules — for example, an autodialed or prerecorded marketing call or text to a mobile number without prior express written consent, a call to a number on the Do Not Call Registry without an exemption, a call outside the 8 AM–9 PM local-time window, a failure to honor an opt-out, or a missing caller identification. Each individual call or text can be a separate violation, which is why a single bad campaign can produce millions of dollars in statutory damages.

How much are TCPA fines?

TCPA statutory damages are $500 per violation, rising to up to $1,500 per violation for willful or knowing violations. There is no cap per plaintiff, and a single call or text is one violation — so a campaign that reaches thousands of people without proper consent multiplies fast. Class actions aggregate violations across many recipients, and historical TCPA settlements have reached tens and even hundreds of millions of dollars. The FCC can also levy its own separate enforcement penalties.

Does the TCPA apply to text messages?

Yes. US courts have long treated a text message as the legal equivalent of a call under the TCPA. Marketing texts to mobile numbers require prior express written consent, recipients must be able to opt out with STOP, quiet-hours restrictions apply, and senders must honor revocations. The TCPA is separate from 10DLC: 10DLC is the carrier registration system that controls whether texts get delivered, while the TCPA is the federal law that controls whether you are legally allowed to send them. Business texting programs need to satisfy both.

How do I make my business TCPA compliant?

The core steps are: obtain prior express written consent before sending autodialed or prerecorded marketing calls or texts to mobile numbers; document that consent with a timestamped, attributable record kept for at least four years; scrub every outbound list against the Do Not Call Registry and your own internal suppression list; restrict calls and promotional texts to 8 AM–9 PM in the recipient’s local time; handle STOP and other opt-outs automatically and honor revocations within 10 business days; and identify your business in every call and message.

A communications platform like DialPhone automates the DNC scrubbing, STOP handling, quiet-hours enforcement, and consent audit trail.

Learn more about DialPhone

AI-powered business phone, SMS, meetings, fax, and contact center from $24/user/mo.

Start free trial Browse glossary
Call sales Start free trial