Quick summary
TCPA is the most expensive law US contact centres underestimate. $500 per call baseline, $1,500 trebled, uncapped, class-action friendly. Post-Duguid the ATDS definition narrowed, but prerecorded voice, state mini-TCPAs, DNC scrubbing and the Reassigned Numbers Database still bite. Capture consent, drop card digits out of recordings, scrub before every campaign.
Last updated: 29 May 2026
The Telephone Consumer Protection Act turned 35 in 2026 and it's still the most expensive law most US contact centres underestimate. Statutory damages of $500 per violating call, trebled to $1,500 for willful violations, with no cap and a plaintiff-friendly class-action track record. If you make outbound calls for collections, renewals, or sales, TCPA exposure is bigger than your PCI exposure, and it's not even close.
The rules sit in 47 USC §227 and the FCC's implementing regulations. Here's how they actually apply to payment calls, what the Supreme Court did to the autodialer definition in 2021, and where the consent bar sits today. We'll also cover where TCPA bumps into PCI DSS v4.0.1 obligations, because for any operation taking card details by phone the two regimes have to be designed together — not stitched in afterwards.
A note on framing: we're a UK operator writing for UK and US payment teams. The UK equivalent regime sits across PECR (Privacy and Electronic Communications Regulations), the Telephone Preference Service, FCA conduct rules under CONC and ICOBS, and the ICO's enforcement powers under the Data Protection Act 2018. We'll flag the UK reader points throughout. If you run outbound to consumers on either side of the Atlantic, you're managing two parallel rulebooks and they don't quite line up.
The two consent standards
TCPA recognises two levels of consent, and which one you need depends on what you're calling about and how. Get this wrong on the consent form and the whole compliance programme that sits on top of it inherits the defect.
Prior express consent
Prior express consent covers informational and transactional calls to a cell phone made with an automatic telephone dialing system or a prerecorded voice. A customer giving you their cell number on an order form is generally enough — the act of voluntarily providing the number, in a context where it's reasonable to expect contact about the transaction, is treated as consent for related informational calls. So a delivery notification, an appointment reminder, a fraud alert, or a balance-due notification on an existing account all sit under this lower bar.
Practical tip: the TCPA consent record for payment calls needs to tie back to a specific number and a specific moment. Saying "we have consent" in the abstract is worth nothing in a TCPA defence. You need the timestamp, the form fields, the IP address (if web), the call recording (if voice), and the language shown to the consumer. Four-year retention is the floor because that's the statute of limitations; we'd recommend six to cover state-law variations.
Prior express written consent
Prior express written consent is the higher bar, required for telemarketing calls that are either prerecorded or made with an autodialer to a cell phone. That needs a signed, dated agreement identifying the seller, the number being called, and clear language that the consumer isn't required to consent as a condition of purchase. Electronic signature under E-SIGN is fine. A checkbox tick with the right disclosure language is fine. A pre-ticked checkbox is not. Bundling the consent into a 40-page terms-of-service block where no reasonable consumer would notice it is risky and has been litigated unfavourably.
The "not a condition of purchase" line is non-negotiable. If your enrolment form makes the box mandatory, you've broken the consent. That's a frequent finding in plaintiff discovery: the form looks fine in marketing's eyes but the dev team made the checkbox required because it tidied up the form validation.
Where collections sits
Collection calls about an existing debt generally sit under prior express consent rather than written, because they're not telemarketing. The 2014 FCC guidance and several circuit-court rulings confirm this — recovery of an established debt isn't a solicitation. Cross-selling a new product on a collection call flips it back into telemarketing territory, and that's where a lot of contact centres get tripped up. Agents are trained to "save the relationship" or offer a loyalty product as a goodwill gesture; the second they do, the call is in the higher consent bracket. If the original consent didn't cover marketing, the new offer triggers a written-consent requirement and the recording becomes Exhibit A in a class complaint.
Edge case: B2B calls
Business-to-business calls to a published business line are generally outside TCPA's autodialer and prerecorded-voice rules for cell phones, because the protected status follows the consumer cell number. But once you're calling an employee's mobile that the employee uses for business, the analysis gets fact-specific. The safe assumption: if the number is on a wireless carrier's records, treat it as a cell phone and apply consumer rules unless your counsel says otherwise.
Facebook v Duguid and the autodialer narrowing
For years, plaintiffs' lawyers argued that any system capable of dialing a stored list qualified as an "automatic telephone dialing system" under the TCPA, which pulled almost every modern dialer into scope. Predictive dialers, click-to-call systems, even some CRM-integrated softphones got swept in. The Supreme Court's 2021 decision in Facebook Inc. v Duguid ended that. The Court read the statute narrowly: to be an ATDS, a system has to use "a random or sequential number generator" to store or produce the numbers it dials.
What Duguid actually changed
That took predictive dialers calling stored customer lists largely out of ATDS territory at the federal level, which cut a huge amount of TCPA exposure for legitimate businesses. The decision did not take prerecorded voice calls out of scope — the prerecorded-voice prohibition is a separate statutory hook. It did not affect the Do Not Call rules, which sit under §227(c) rather than §227(b)(1)(A). And it did not affect state-level mini-TCPAs in Florida, Oklahoma, Washington, and others, some of which define autodialer far more broadly than federal law does.
What Duguid didn't change
The practical upshot: if you're manually dialing or using a stored-list dialer without random or sequential number generation, federal ATDS liability has receded. If you're using prerecorded messages, or if you're calling into a state with a broader definition, you're still fully exposed. The cell-phone prohibition under §227(b)(1)(A)(iii) still bars prerecorded marketing calls without prior express written consent regardless of how the number was selected. Many operators read the Duguid headlines, retired their consent programme, and then walked into a state-law case three months later.
Click-to-dial and human-intervention defences
Post-Duguid, a popular architectural choice has been "click-to-dial" IVR architecture — an agent has to physically click a button to initiate each call. The intent is to remove any plausible ATDS argument by inserting human intervention into the dialling step. The FCC has historically recognised human intervention as a factor pulling a system out of ATDS classification. The risk: if your click-to-dial UI lines up 200 numbers and the agent is told to "click through the list", a court might still treat the system as automated in substance. Document the operational reality, not just the screenshot.
Call recording disclosure
TCPA itself doesn't set the call-recording disclosure rule, but the patchwork of state two-party consent laws does, and the interaction matters. California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington all require all parties to a call to consent to recording. If one party on the call is in a two-party state, you need consent.
The all-states rule of thumb
Outbound campaigns can't reliably route by state in real time — the consumer's billing zip code might not match where they're actually answering the phone. The simplest defensible policy is to disclose recording on every outbound call, full stop. The script overhead is trivial compared to the cost of one bad ruling on whether your geographic detection was reasonable.
Where the PCI rule meets the TCPA rule
For payment calls this matters twice: once for the recording itself, and again for the authorisation record. A recorded TEL debit authorisation is a better piece of evidence than a written one, so you want the recording. But the disclosure has to be explicit, at the top of the call, and the consent has to be captured. Dropping the card-number portion of the call out of the recording with DTMF suppression is now standard, because you get the authorisation record without the PCI scope. PCI DSS v4.0.1 (current standard, with v4.0 having gone live March 2024 and v3.2.1 retired) treats any recording that captures cardholder data as in-scope storage — and storing card data on a CCaaS recording platform that wasn't designed for it is a SAQ-D-level problem you didn't sign up for.
What "DTMF suppression" actually means
When the customer keys in their card number on the phone keypad, the DTMF tones travel down the same audio path as the voice. If your recording platform writes the raw audio to disk, the tones land in the recording. Tools exist that decode DTMF tones with off-the-shelf libraries — so an attacker who breached your recording archive could extract card numbers programmatically. The answer is to suppress the tones before they hit the recording. In the model Paytia uses, the cardholder's keypresses are intercepted before they reach the agent or the recorder, replaced with flat tones in the audio stream, and the actual digits are routed straight to the payment gateway. The agent never hears the digits, the recording never contains them, and the call audio that survives is fully usable as a TEL authorisation record.
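A recording archive can be audited for tones that slipped past suppression. The following is an added example, not Paytia's code: it flags stretches of audio where one low-group and one high-group DTMF frequency dominate, and reports only their timing so the audit output never contains digits. The 8 kHz sample rate, the thresholds, the 1000 Hz masking tone and the sample call are assumptions constructed for the example.

```python
import math

SAMPLE_RATE = 8000                      # narrowband telephony rate (assumed)
FRAME = 205                             # ~25.6 ms Goertzel window at 8 kHz
ROW_HZ = (697, 770, 852, 941)           # DTMF low group
COL_HZ = (1209, 1336, 1477, 1633)       # DTMF high group


def goertzel_power(frame, freq):
    """Squared magnitude of `frame` at `freq` (Goertzel recurrence)."""
    k = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + k * s1 - s2, s1
    return s1 * s1 + s2 * s2 - k * s1 * s2


def frame_has_dtmf(frame, min_share=0.7, max_twist=8.0):
    """True when one low-group and one high-group tone carry most of the energy."""
    energy = sum(x * x for x in frame)
    if energy <= 1e-6 * len(frame):     # silence: nothing to classify
        return False
    row = max(goertzel_power(frame, f) for f in ROW_HZ)
    col = max(goertzel_power(frame, f) for f in COL_HZ)
    if min(row, col) <= 0.0 or max(row, col) / min(row, col) > max_twist:
        return False                    # a single flat masking tone fails here
    # For a clean dual tone, 2*(row+col) / (N*energy) is close to 1.0.
    return 2.0 * (row + col) / (len(frame) * energy) >= min_share


def find_dtmf_residue(samples, min_frames=2):
    """Return (start_s, end_s) spans where DTMF persists for >= min_frames.

    Only timing is reported, never the digit, so the audit output is not
    itself cardholder data.
    """
    spans, run_start = [], None
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):       # extra pass closes a trailing run
        hit = i < n_frames and frame_has_dtmf(samples[i * FRAME:(i + 1) * FRAME])
        if hit and run_start is None:
            run_start = i
        elif not hit and run_start is not None:
            if i - run_start >= min_frames:
                spans.append((round(run_start * FRAME / SAMPLE_RATE, 3),
                              round(i * FRAME / SAMPLE_RATE, 3)))
            run_start = None
    return spans


def _tone(freqs, seconds, amp=0.4):
    n = int(seconds * SAMPLE_RATE)
    return [amp * sum(math.sin(2 * math.pi * f * t / SAMPLE_RATE) for f in freqs)
            for t in range(n)]


def build_call(masked):
    """Constructed sample: stand-in 'speech', four keypresses, 'speech'."""
    speech = _tone((220, 330), 0.2, amp=0.3)
    keys = [(697, 1209), (770, 1336), (852, 1477), (941, 1336)]  # arbitrary keys
    audio = list(speech)
    for pair in keys:
        # Masked call: each keypress is replaced by a flat 1000 Hz tone (assumed).
        audio += _tone((1000,) if masked else pair, 0.08) + [0.0] * 640
    return audio + speech


if __name__ == "__main__":
    print("unmasked:", find_dtmf_residue(build_call(masked=False)))
    print("masked:  ", find_dtmf_residue(build_call(masked=True)))
```

Any span returned for a production recording means the file should be treated as containing cardholder data until it has been reviewed.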
Statutory damages and class-action exposure
TCPA damages are recovered through a private right of action, are uncapped, and accrue per call: $500 per call as a baseline, $1,500 per call for willful or knowing violations. On a class with 50,000 members who each got three calls, that's $75 million at the baseline, $225 million at the treble rate. Cases settle in the low tens of millions routinely.
Why "willful" is easier to prove than people think
"Willful" under TCPA doesn't mean malicious. It means the defendant voluntarily did the act, and the act turned out to be a violation. A contact-centre manager who knew the DNC scrub was 45 days old when the policy required 31 has a willfulness problem. A consent-form developer who shipped a pre-ticked checkbox because product asked for it has a willfulness problem. The bar is much lower than tort-style willfulness, which is why most plaintiff complaints assume the treble rate from day one.
Class certification dynamics
That's why the TCPA bar cares so much about minor technicalities on your consent language and your DNC scrubbing. The damages stack up fast. Class certification in TCPA cases turns on commonality — did everyone in the class get hit by the same defect in the consent flow, or did individual issues predominate? Plaintiff firms structure their pleadings around a single systemic defect, because that's what makes certification likely. A defendant who can point to individualised consent records — a unique form fingerprint per consumer — is in a much better position at the certification hearing than one with a single boilerplate consent applied to a million contacts.
Insurance and indemnification
Most general liability policies exclude TCPA claims explicitly, treating them as statutory penalties rather than damages. Cyber and professional indemnity policies may pick up some of it but typically with sublimits well below the realistic class exposure. The honest position is that you're self-insuring TCPA risk, which is another reason the compliance programme has to be the front-line control.
Do Not Call and reassigned numbers
The National DNC Registry rule is separate from the autodialer rule, and it applies to live telemarketing as well as automated. If a consumer is on the federal DNC list and you don't have either an established business relationship or written consent, the call is a violation. Scrubbing against the list at least every 31 days is the compliance standard, but in practice you want a daily scrub for active campaigns and a fresh check immediately before dialling for any number that's been sitting in your CRM more than a week.
Established business relationship — the often-overstated defence
The EBR exemption is narrower than people assume. A purchase creates an EBR for 18 months from the date of transaction; an inquiry creates one for three months. "Customer for life" doesn't exist under TCPA. If you're calling a consumer about a renewal of a product they bought three years ago, EBR is gone unless they've transacted with you more recently.
State DNC lists
Federal DNC is one list; multiple states maintain their own. Pennsylvania, Indiana, Louisiana, Mississippi, Missouri, Oklahoma, Tennessee, Texas, and Wyoming all have separate state DNC lists with their own scrubbing requirements. If your CRM doesn't ingest state lists separately, you're running a federal-only programme that's exposed on every state list.
Reassigned Numbers Database
Reassigned numbers are the other trap. A customer gives you permission to call their cell, they drop the number a year later, the carrier reassigns it, and the new owner sues you for the next call. The FCC's Reassigned Numbers Database, live since late 2021, gives you a safe harbour if you check it before dialling. Using the database and logging the check is the cleanest defence — the safe harbour requires both the check and a record of the check, so logging is not optional. The database returns one of three answers: "yes, the number has been reassigned since your stated permission date", "no, it hasn't", or "no data available". The safe harbour applies to the "no" answer specifically; "no data" is not safe harbour and you should treat it as a risk signal.
Internal DNC obligations
Separately from the federal list, every seller has to maintain an internal DNC list and honour stop requests for at least five years. The stop request can be verbal — a consumer saying "take me off your list" on a recorded call is enforceable. The compliance test is whether the consumer's request was honoured promptly. "Promptly" has been interpreted as within 30 days, but in 2026 most operators are targeting same-day or next-day suppression to remove ambiguity.
Cure provisions and the lead-generator loophole
Unlike some federal consumer statutes, TCPA has no pre-suit cure period. A plaintiff doesn't have to ask you to stop before suing. That's why cases often start with a single violation and snowball into a class. Some state mini-TCPAs do have cure provisions, but federal TCPA is straight to court.
One-to-one consent — the 2024 rule
The FCC's 2023 and 2024 rulings tightened this further by closing the so-called "lead generator loophole" and requiring one-to-one consent for calls generated from shared lead lists. As of the effective date of that rule, a consumer has to consent to calls from each specific seller individually, not a generic list of marketing partners. That change alone forced a redesign of most lead-generation funnels in the US. Comparison sites that historically offered "submit once, hear from up to 50 partners" have had to either name each partner at the moment of consent or restructure as data-services rather than lead-generation businesses.
Buyer due diligence on lead sources
If you're buying leads from a third party, the consent paperwork they give you is only as good as the form the consumer actually saw. Plaintiff firms now routinely demand the form HTML, the timestamp record, the IP, and the lead-source publisher chain. If the lead came through three sub-affiliates and the original form named twelve different partner brands, the one-to-one rule fails. Build your due-diligence template around what you'd need to produce in discovery, not around what looks nice in a sales presentation.
STIR/SHAKEN and caller ID authentication
TCPA is about whether you're allowed to make the call. STIR/SHAKEN is about whether the call you're making can be trusted by the consumer's carrier. They solve different problems but they interact: if your outbound calls are being flagged as "Spam Likely" by carriers because your STIR/SHAKEN attestation is weak, your answer rates crater, and agents compensate by dialing more, which pushes your TCPA exposure up.
Attestation levels in practice
STIR/SHAKEN attaches one of three attestation levels to outbound calls: A (full attestation, the carrier knows you and verified the calling number), B (partial, the carrier knows you but couldn't verify the number), or C (gateway attestation, the carrier just passed it through). Carrier analytics platforms (Hiya, First Orion, TNS) weight calls by attestation when deciding whether to flag as spam. If your outbound provider is giving you C-level by default, you're starting every campaign on the wrong foot.
Branded calling and Rich Call Data
Beyond attestation, the next layer is branded calling — your business name and logo display on the recipient's screen instead of a raw number. Rich Call Data is the technical name for the payload. Adoption is uneven across carriers but it's been the biggest answer-rate lever of 2025-2026 for compliant operators. The point we'd flag: branded calling makes you easier to identify and easier to sue if your compliance hygiene is poor. Don't enable it before the underlying programme is clean.
Outbound number hygiene
Fixing STIR/SHAKEN attestation, rotating outbound numbers sensibly, and registering your calling identity with call-analytics providers is the operational baseline now. The FCC has made clear it expects carriers to block non-compliant traffic. Rotating numbers to evade spam labels (sometimes called "snowshoe dialling") will get you blocked by analytics providers and, depending on intent, may itself be a TCPA-adjacent violation.
Practical guidance for payment and collection calls
A few things we'd have every US contact centre doing today.
Consent capture and retention
Capture consent explicitly and keep the record for at least four years to cover the TCPA statute of limitations — six years is safer once state laws are layered in. The record needs the timestamp, the number, the language shown, the channel (web form, voice affirmation, SMS opt-in), and an immutable identifier you can produce in court. Hashed snapshots stored in append-only logs are the gold standard.
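One way to build the hashed, append-only record described above, as an added example rather than the page's or any vendor's implementation: each entry stores a SHA-256 of the exact form the consumer saw and is chained to the previous entry's hash, so a later edit or deletion is detectable. Field names, the seller, the phone numbers and the form snapshot are hypothetical and constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
RETENTION_YEARS = 6  # six years as recommended above; four is the floor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def retain_until(captured_at: datetime) -> datetime:
    try:
        return captured_at.replace(year=captured_at.year + RETENTION_YEARS)
    except ValueError:  # captured on 29 February, target year is not a leap year
        return captured_at.replace(year=captured_at.year + RETENTION_YEARS, day=28)


class ConsentLog:
    """Hash-chained log: editing or removing an entry breaks the chain after it."""

    def __init__(self):
        self.entries = []

    def append(self, phone, seller, channel, captured_at, snapshot, ip=None):
        record = {
            "phone": phone,
            "seller": seller,
            "channel": channel,          # web form, voice affirmation, SMS opt-in
            "captured_at": captured_at.isoformat(),
            "retain_until": retain_until(captured_at).isoformat(),
            "ip": ip,                    # only meaningful for web capture
            "snapshot_sha256": sha256_hex(snapshot.encode()),
        }
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry_hash = sha256_hex(prev.encode() + canonical(record))
        self.entries.append({"record": record, "prev_hash": prev,
                             "entry_hash": entry_hash})
        return entry_hash

    def verify(self):
        """Index of the first entry that fails the chain, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = sha256_hex(prev.encode() + canonical(entry["record"]))
            if entry["prev_hash"] != prev or entry["entry_hash"] != expected:
                return i
            prev = entry["entry_hash"]
        return None

    def matches_snapshot(self, index, snapshot):
        """True when `snapshot` is byte-for-byte what was hashed at capture."""
        stored = self.entries[index]["record"]["snapshot_sha256"]
        return stored == sha256_hex(snapshot.encode())


# Constructed sample input: the language shown to the consumer.
SNAPSHOT = ('<label><input type="checkbox" name="tcpa"> I agree that Example '
            'Seller Ltd may call +1 202 555 0143. Consent is not a condition '
            'of purchase.</label>')


def sample_log():
    log = ConsentLog()
    when = datetime(2026, 5, 29, 14, 3, 11, tzinfo=timezone.utc)
    log.append("+12025550143", "Example Seller Ltd", "web form", when,
               SNAPSHOT, ip="203.0.113.7")
    log.append("+12025550176", "Example Seller Ltd", "voice affirmation", when,
               "recorded disclosure script v3 (constructed)")
    return log


if __name__ == "__main__":
    print("chain intact:", sample_log().verify() is None)
```

The chain only shows tampering with entries it still holds, so the latest `entry_hash` should also be copied periodically to storage the logging system cannot rewrite.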
Scrubbing cadence
Scrub against federal DNC, any applicable state DNCs, and the Reassigned Numbers Database before every outbound campaign. For ongoing campaigns, run a daily scrub plus a check immediately before dialling for any number that has been in your CRM more than a week. Log the scrub result against the number; the safe-harbour value depends on the log existing.
Recording disclosure script
Disclose call recording at the top of every call into every state. A simple "this call may be monitored or recorded for quality and training" line satisfies the disclosure requirement in most states; jurisdictions that need active opt-in (a small minority, but they exist) need a pause for affirmation. Train agents that if a consumer objects, the recording stops or the call ends — there is no third option.
Separate telemarketing from informational
Keep telemarketing and informational calls on separate consent flows. If you're using prerecorded voice for anything, get prior express written consent for every number and re-obtain it if the relationship ends. Avoid the temptation to "save the call" with an upsell during a service interaction — that's the single most common compliance failure across the industry.
Card capture
For the payment portion of the call, build a TCPA-compliant payment IVR that drops card digits out of the recording with DTMF masking so you're keeping the authorisation record without keeping cardholder data. That's belt-and-braces: good for phone payment compliance and good for TCPA recording evidence. For the broader legal term itself, our TCPA glossary entry is a plain-English primer you can share with new hires.
TCPA doesn't reward perfection, but it punishes sloppiness ruthlessly. Get the consent and recording pieces right and the rest of the programme takes care of itself.
State-level mini-TCPAs worth knowing
Federal TCPA is only half the map. Florida's FTSA, Washington's CEMA, and Oklahoma's TCPA equivalent all define autodialer or regulate outbound calling more strictly than federal law.
Florida FTSA
Florida's statute, as amended in 2021, made autodialer liability substantially broader than the post-Duguid federal definition, and despite a 2023 narrowing amendment, the state still supports a more active plaintiffs' bar than most. Florida's private right of action is alive and well, with statutory damages comparable to federal TCPA. If you call Florida consumers, your dialer architecture has to clear the Florida bar, not the federal bar.
Washington CEMA
Washington's Commercial Electronic Mail Act has been interpreted to cover commercial text messages as well, with statutory damages of $500 per violation. The state attorney general has been active. Consent and clear opt-out are non-negotiable; the courts have not been generous to defendants arguing technical compliance.
Oklahoma TCPA equivalent
Oklahoma's mini-TCPA, effective 2022, defined autodialer broadly and created a private right of action with $500 statutory damages, treble for knowing violations. The plaintiff bar caught up quickly. As with Florida, if you call Oklahoma consumers, treat federal compliance as a floor and add the state requirements on top.
The patchwork problem
New York, Maryland, and California all have add-on rules around call recording, solicitation timing windows, and required disclosures. The patchwork is genuinely annoying to operate against, and most large US outbound programmes now build their compliance framework against the strictest applicable state rather than trying to segment by geography. Calling-time windows are the most operationally painful — different states define "permitted hours" differently, and getting it wrong is a strict-liability violation.
TCPA and payment-plan offers on collection calls
One scenario worth calling out because it keeps catching operators. A collection agent is on the phone with a debtor, the debt is real, consent is on file, the call is fine. The agent offers to set the debtor up with a recurring auto-debit payment plan in exchange for a waiver of late fees. That auto-debit enrolment typically counts as a telemarketing solicitation under TCPA and state law, because it's a solicitation for a new product or service, and it may require written consent that the original account-opening disclosure doesn't cover.
Splitting the call cleanly
The practical answer is to split the call: handle the collection conversation under the existing consent, and for any new enrolment (payment plan, auto-renewal, cross-sell), capture a new, explicit consent at that moment. Voice-captured written consent via recorded affirmation is now broadly accepted by courts as meeting the written-consent bar, provided the disclosure language is clean and the recording is retained.
The script structure that works
The disclosure has to name the seller, the type of communication being consented to (recurring debits, marketing follow-ups, both), the channel (voice, SMS, email), and the right to revoke. The consumer's affirmation has to be unambiguous — "yes" is fine, "okay" is contested in some jurisdictions. Train agents not to lead the consumer through the answer; let the consumer confirm in their own words.
Where it goes wrong
The most common failure pattern: agent reads the disclosure too quickly, consumer responds with a non-committal "uh-huh", agent treats it as consent, enrolment goes through, consumer sees the debit on a statement two months later and disputes. That's how you generate the lead for a class complaint. The fix is operational — speed and clarity targets in QA — not technical.
How Paytia fits the TCPA picture
We're a phone-payment platform, not a TCPA compliance vendor. But the recording side of the problem and the PCI side overlap directly with what we build, and operators ask us about both in the same conversations.
The recording problem we solve
When a customer reads or types card details on the phone, those details land in the call recording unless something stops them. Most CCaaS platforms (Genesys, Five9, NICE CXone, Talkdesk, RingCentral, 8x8, Avaya, Amazon Connect) record full audio by default. If you record card data, your call-recording archive becomes a PCI-scope cardholder data environment. That's an audit problem, a breach-liability problem, and — if you're using the recording as a TEL authorisation record — a TCPA evidence problem because you can't share the recording for dispute resolution without leaking card data.
Paytia drops the card digits out before they hit the recording. The customer keys card data on their own keypad, the tones are intercepted, the digits route to the payment gateway, and the recording captures everything except the card. The TEL authorisation record stays clean and usable. The recording archive stays out of PCI scope. Both regulatory frames are satisfied with one architectural decision.
What we don't do
We don't run your dialer, we don't manage your DNC scrub, we don't decide your consent language. Those are TCPA-specific functions and they sit with your compliance team or a dedicated TCPA vendor. We integrate with the major dialer and CCaaS platforms, so whichever stack you've built the rest of your TCPA programme around, the card-capture layer slots in.
UK reader bridge
For UK and EEA payment operations, the equivalent regulatory weave is PECR for unsolicited marketing, the TPS (Telephone Preference Service) for the consumer suppression list, FCA conduct rules (CONC for credit collections, ICOBS for insurance) for fairness and treating-customers-fairly obligations, and UK GDPR + DPA 2018 for the consent-and-purpose-limitation layer. The ICO enforces. Penalties under PECR can reach £500,000 per breach under the old regime, and the UK GDPR cap of £17.5m or 4% of global turnover applies to the data-protection breaches that often accompany them. Housing associations, insurance brokers, FX bureaux, and contact centres serving regulated industries all face the same call-recording / card-data overlap as US operators — and the Paytia model addresses it the same way.