What is the TCPA (Telephone Consumer Protection Act)?
The Telephone Consumer Protection Act (TCPA) is a US federal law, codified at 47 USC 227, that restricts telemarketing calls, autodialed calls, prerecorded voice messages, and unsolicited text messages. It requires prior express written consent for many marketing calls to mobile phones and gives consumers the right to revoke consent at any time. Violations carry statutory damages of $500 to $1,500 per call.
What the TCPA Covers
The TCPA was passed in 1991 and lives in the US Code at 47 USC 227. It's the main federal law governing how businesses contact consumers by phone, fax, or text. The FCC writes the rules that put it into practice, and private plaintiffs (and state attorneys general) enforce it through lawsuits.
The law covers four big areas. First, calls to mobile phones using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice. Second, prerecorded marketing calls to residential landlines. Third, unsolicited fax advertisements. Fourth, the federal Do Not Call Registry, which restricts telemarketing calls to consumers who've opted out.
Consent Rules That Trip People Up
The TCPA distinguishes between two consent levels, and getting them mixed up is how most companies end up in court.
Prior express written consent is required for telemarketing or advertising calls and texts to mobile phones that use an autodialer or prerecorded voice. Written consent has to be a clear, conspicuous disclosure that the consumer is agreeing to receive marketing calls, and it can't be hidden in a terms-of-service wall. Pre-checked boxes don't count.
Prior express consent (without the "written") is enough for non-marketing calls to mobile phones, like appointment reminders, fraud alerts, or payment confirmations. Giving a business your phone number during a transaction usually counts as express consent for calls related to that transaction.
Revocation Rights
Consumers can revoke consent at any time, by any reasonable means. The Supreme Court confirmed this in Campbell-Ewald Co. v. Gomez, and the FCC has reinforced it repeatedly. "Reasonable" means a consumer can say "stop" verbally to an agent, reply STOP to a text, or send a written request. Businesses can't force revocation through a single channel.
Once revocation happens, the clock starts. The FCC's 2024 rules require honoring opt-out requests within a reasonable time, generally interpreted as no more than 10 business days.
What Counts as an Autodialer
For years, this was the most-litigated question in TCPA case law. The Supreme Court settled it in Facebook v. Duguid (2021): an ATDS is equipment that has the capacity to use a random or sequential number generator to store or produce phone numbers, and to dial them.
That's a narrower definition than plaintiffs' lawyers had been pushing, and it took some pressure off predictive dialers that work from a stored list. But it didn't change the prerecorded-voice rules, the DNC rules, or the consent rules. Companies still get sued constantly.
Statutory Damages
The TCPA is a strict-liability statute with statutory damages baked in. Each violation carries:
- $500 per call or text for ordinary violations
- $1,500 per call or text for willful or knowing violations
- No cap on aggregate damages
Class actions stack quickly. A single non-compliant campaign that hits a few hundred thousand mobile numbers without proper consent can produce nine-figure exposure. Courts have approved settlements over $75 million in recent years.
The Do Not Call Registry
The TCPA created the framework for the National Do Not Call Registry, which the FTC operates. Telemarketers are required to scrub their calling lists against the registry every 31 days. Calls to registered numbers without a valid exemption (existing business relationship, express written consent, or non-commercial purpose) are violations.
Businesses also have to maintain an internal DNC list. If a consumer asks a particular company to stop calling them, that company has to honor the request even if the consumer isn't on the federal registry.
Recent FCC Rule Changes
The FCC has been active on TCPA rulemaking. Notable recent moves:
- One-to-one consent rule (2024): Required that consent for marketing calls go to one specific seller at a time, ending the practice of "lead-generator consent" that funneled one signup to dozens of advertisers. A federal court vacated this rule in early 2025, but the FCC is reviewing options.
- STIR/SHAKEN mandates: Carriers must authenticate the calling number to combat spoofing. This intersects with TCPA enforcement because spoofed calls violate both regimes.
- AI-generated voice clarification (2024): The FCC declared that calls using AI-generated voices count as "artificial or prerecorded voice" calls under the TCPA, requiring the same consent.
Practical Compliance Steps
Companies that make outbound calls should at minimum:
- Maintain documented prior express written consent for any marketing call or text to a mobile number
- Scrub against the federal DNC registry every 31 days
- Maintain an internal DNC list and honor stop requests across all channels
- Train agents to recognize and process revocation requests immediately
- Use STIR/SHAKEN-compliant outbound calling and avoid spoofed caller ID
- Document everything: consent records should survive a class-action discovery request
The TCPA mostly regulates the calls businesses make, not the payments they take, but the two intersect during outbound collections, payment reminders, and customer-service callbacks. When a contact center agent calls a customer to take a card payment, that call needs to comply with TCPA consent rules just like any other outbound contact.
Paytia's telephone payment solution handles the secure-payment piece of the call, but it's the contact center's responsibility to make sure the call itself is allowed under TCPA. We work with US clients who use Paytia for payment capture and pair it with their own outbound dialing controls. For inbound calls (where the customer rings the business), TCPA generally isn't an issue because the customer initiated the contact.
If you're running outbound payment reminders or collections in the US, look at how STIR/SHAKEN authentication interacts with your dialing setup, and make sure your IVR payment flows capture and document consent properly when customers opt in to future contact.
Frequently Asked Questions
Does the TCPA apply to B2B calls?
Mostly no. The TCPA's main consent rules target calls to residential and mobile numbers used by consumers. Business-to-business calls are largely exempt, though calls to a wireless number assigned to a business owner can still trigger liability if that number functions as a personal mobile.
How much can a TCPA violation cost?
Statutory damages are $500 per call for ordinary violations and $1,500 per call for willful or knowing violations, with no cap on aggregate damages. Class actions involving hundreds of thousands of calls have produced settlements over $75 million.
Do customers have to revoke consent in writing?
No. The FCC and federal courts have made clear that consumers can revoke consent by any reasonable means. Saying "stop" to an agent on a call, replying STOP to a text, or sending an email are all valid. Businesses can't force a single revocation channel.
Is an inbound payment call a TCPA issue?
Generally not. The TCPA regulates outbound contact. When a customer calls you to make a payment, you didn't initiate the call, so the consent rules around autodialers and prerecorded voice don't kick in.