The Telephone Consumer Protection Act turned 35 in 2026 and it's still the most expensive law most US contact centers underestimate. Statutory damages of $500 per violating call, trebled to $1,500 for willful violations, with no cap and a plaintiff-friendly class-action track record. If you make outbound calls for collections, renewals, or sales, TCPA exposure is bigger than your PCI exposure, and it's not even close.
The rules sit in 47 USC §227 and the FCC's implementing regulations. Here's how they actually apply to payment calls, what the Supreme Court did to the autodialer definition in 2021, and where the consent bar sits today.
The two consent standards
TCPA recognizes two levels of consent, and which one you need depends on what you're calling about and how.
Prior express consent covers informational and transactional calls to a cell phone made with an automatic telephone dialing system or a prerecorded voice. A customer giving you their cell number on an order form is generally enough. Prior express written consent is the higher bar, required for telemarketing calls that are either prerecorded or made with an autodialer to a cell phone. That needs a signed, dated agreement identifying the seller, the number being called, and clear language that the consumer isn't required to consent as a condition of purchase.
Collection calls about an existing debt generally sit under prior express consent rather than written, because they're not telemarketing. Cross-selling a new product on a collection call flips it back into telemarketing territory, and that's where a lot of contact centers get tripped up.
Facebook v Duguid and the autodialer narrowing
For years, plaintiffs' lawyers argued that any system capable of dialing a stored list qualified as an "automatic telephone dialing system" under the TCPA, which pulled almost every modern dialer into scope. The Supreme Court's 2021 decision in Facebook Inc. v Duguid ended that. The Court read the statute narrowly: to be an ATDS, a system has to use "a random or sequential number generator" to store or produce the numbers it dials.
That took predictive dialers calling stored customer lists largely out of ATDS territory, which cut a huge amount of TCPA exposure for legitimate businesses. It did not take prerecorded voice calls out of scope, and it did not affect the Do Not Call rules. It also did not affect state-level mini-TCPAs in Florida, Oklahoma, Washington, and others, some of which define autodialer far more broadly than federal law does.
The practical upshot: if you're manually dialing or using a stored-list dialer without random or sequential number generation, federal ATDS liability has receded. If you're using prerecorded messages, or if you're calling into a state with a broader definition, you're still fully exposed.
Call recording disclosure
TCPA itself doesn't set the call-recording disclosure rule, but the patchwork of state two-party consent laws does, and the interaction matters. California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington all require all parties to a call to consent to recording. If one party on the call is in a two-party state, you need consent.
For payment calls this matters twice: once for the recording itself, and again for the authorization record. A recorded TEL debit authorization is a better piece of evidence than a written one, so you want the recording. But the disclosure has to be explicit, at the top of the call, and the consent has to be captured. Dropping the card-number portion of the call out of the recording with DTMF suppression is now standard, because you get the authorization record without the PCI scope.
Statutory damages and class-action exposure
TCPA damages are private right of action, uncapped, and per-call. $500 per call as a baseline, $1,500 per call for willful or knowing violations. On a class with 50,000 members who each got three calls, that's $75 million at the baseline, $225 million at the treble rate. Cases settle in the low tens of millions routinely.
That's why the TCPA bar cares so much about minor technicalities on your consent language and your DNC scrubbing. The damages stack up fast.
Do Not Call and reassigned numbers
The National DNC Registry rule is separate from the autodialer rule, and it applies to live telemarketing as well as automated. If a consumer is on the federal DNC list and you don't have either an established business relationship or written consent, the call is a violation. Scrubbing against the list at least every 31 days is the compliance standard.
Reassigned numbers are the other trap. A customer gives you permission to call their cell, they drop the number a year later, the carrier reassigns it, and the new owner sues you for the next call. The FCC's Reassigned Numbers Database, live since late 2021, gives you a safe harbor if you check it before dialing. Using the database and logging the check is the cleanest defense.
Cure provisions and the Junk Fax Prevention Act model
Unlike some federal consumer statutes, TCPA has no pre-suit cure period. A plaintiff doesn't have to ask you to stop before suing. That's why cases often start with a single violation and snowball into a class.
The FCC's 2023 and 2024 rulings tightened this further by closing the so-called "lead generator loophole" and requiring one-to-one consent for calls generated from shared lead lists. As of the effective date of that rule, a consumer has to consent to calls from each specific seller individually, not a generic list of marketing partners. That change alone forced a redesign of most lead-generation funnels in the US.
STIR/SHAKEN and caller ID authentication
TCPA is about whether you're allowed to make the call. STIR/SHAKEN is about whether the call you're making can be trusted by the consumer's carrier. They solve different problems but they interact: if your outbound calls are being flagged as "Spam Likely" by carriers because your STIR/SHAKEN attestation is weak, your answer rates crater, and agents compensate by dialing more, which pushes your TCPA exposure up.
Fixing STIR/SHAKEN attestation, rotating outbound numbers sensibly, and registering your calling identity with call-analytics providers is table stakes now. The FCC has made clear it expects carriers to block non-compliant traffic.
Practical guidance for payment and collection calls
A few things I'd have every US contact center doing today. Capture consent explicitly and keep the record for at least four years to cover the TCPA statute of limitations. Scrub against federal DNC, any applicable state DNCs, and the Reassigned Numbers Database before every outbound campaign. Disclose call recording at the top of every call into every state. Keep telemarketing and informational calls on separate consent flows. If you're using prerecorded voice for anything, get prior express written consent for every number and re-obtain it if the relationship ends.
For the payment portion of the call, drop card digits out of the recording with DTMF masking so you're keeping the authorization record without keeping cardholder data. That's belt-and-braces: good for phone payment compliance and good for TCPA recording evidence. For the broader legal term itself, our TCPA glossary entry is a plain-English primer you can share with new hires.
TCPA doesn't reward perfection, but it punishes sloppiness ruthlessly. Get the consent and recording pieces right and the rest of the program takes care of itself.
State-level mini-TCPAs worth knowing
Federal TCPA is only half the map. Florida's FTSA, Washington's CEMA, and Oklahoma's TCPA equivalent all define autodialer or regulate outbound calling more strictly than federal law. Florida's statute, as amended in 2021, made autodialer liability substantially broader than the post-Duguid federal definition, and despite a 2023 narrowing amendment, the state still supports a more active plaintiffs' bar than most. If you call consumers in those states, assume your compliance program has to meet the state floor rather than the federal one.
New York, Maryland, and California all have add-on rules around call recording, solicitation timing windows, and required disclosures. The patchwork is genuinely annoying to operate against, and most large US outbound programs now build their compliance framework against the strictest applicable state rather than trying to segment by geography.
TCPA and payment-plan offers on collection calls
One scenario worth calling out because it keeps catching operators. A collection agent is on the phone with a debtor, the debt is real, consent is on file, the call is fine. The agent offers to set the debtor up with a recurring auto-debit payment plan in exchange for a waiver of late fees. That auto-debit enrollment typically counts as a telemarketing solicitation under TCPA and state law, because it's a solicitation for a new product or service, and it may require written consent that the original account-opening disclosure doesn't cover.
The practical answer is to split the call: handle the collection conversation under the existing consent, and for any new enrollment (payment plan, auto-renewal, cross-sell), capture a new, explicit consent at that moment. Voice-captured written consent via recorded affirmation is now broadly accepted by courts as meeting the written-consent bar, provided the disclosure language is clean and the recording is retained.
