PCI Compliance | 29 May 2026 | 15 min read

TCPA Penalties — Worst-Case Scenarios and Real Settlements

TCPA penalties run $500 to $1,500 per call with no cap. Worst-case scenarios, real settlements, and how to design payment calls that defend.

TL;DR

TCPA penalties run from $500 per call for a non-wilful violation up to $1,500 per call when a court finds the conduct knowing or wilful. There's no statutory cap. Class action settlements regularly clear $20m to $75m, and the biggest dial-out programmes have paid out over $200m. The fix is provable, channel-by-channel express consent and a payment workflow that can't dial without it.

Last updated: 29 May 2026

If you take card payments by phone in the United States, TCPA penalties aren't an abstract regulatory risk — they're the single largest unbudgeted line item sitting on your call floor. A mid-sized contact centre running 50,000 outbound dials a month, with even a 2% bad-consent rate, is one plaintiff firm away from a class certification number that ends in eight zeros. Per-call statutory damages start at $500, treble to $1,500 for wilful conduct, and there's no cap. We've watched operators we never thought were exposed end up writing nine-figure cheques because a vendor's dialler kept calling reassigned numbers and nobody noticed for six months.

This piece walks through the actual math behind TCPA penalties, the settlements that set the benchmark, the four scenarios that produce the biggest payouts, and how a properly consented payment-call workflow neuters the risk. We've sat in on enough plaintiff depositions to know which evidentiary holes get exploited and which don't. If you want the wider pillar view first, our TCPA compliance guide covers the framework before this dives into the dollar figures.

What TCPA penalties actually cost per violation

The statutory damages framework under 47 U.S.C. § 227(b)(3) is brutally simple. A private plaintiff who proves a TCPA violation recovers either their actual monetary loss or $500 per call, whichever is greater. If a court finds the defendant knew or should have known the call was unlawful — the "knowing or wilful" standard — damages treble to $1,500 per call. That's not a cap on aggregate exposure. It's a per-call number that multiplies across every dial, every text, every prerecorded ringback in the certified class.

The reason this turns into nine-figure settlements is the volume. Modern dialler stacks place tens of millions of calls a year. If even 0.5% of those calls land on a number where consent can't be proved — a reassigned number, an opt-out the CRM didn't sync, a list pulled from a marketing partner without written authorisation — you've got the building blocks of a class. The plaintiff doesn't have to prove individual harm. They just have to prove the call happened to a US wireless number without prior express written consent. The damages stack mechanically from there.

Two pieces of context matter. First, the FCC's 2023 reassigned numbers database (and the safe harbour that comes with checking it) doesn't eliminate exposure — it just shifts the negligence calculus. If you didn't query the database before the call, you have no safe harbour, and plaintiffs argue the failure is itself wilful. Second, state mini-TCPAs in Florida, Oklahoma, Washington and Maryland stack on top of the federal claim. Florida's FTSA in particular has produced multi-million-dollar settlements off small-volume conduct because it allows $500 statutory damages on telemarketing texts to in-state residents regardless of federal preemption arguments.

Why class action settlements end at numbers that look like phone numbers

Three forces drag TCPA settlements upward: certifiability, settlement pressure, and insurance. Certifiability is high because the class is mechanical — every wireless number on the dial list is either consented or it isn't. The settlement pressure comes from the per-call statutory floor: even a defendant convinced they'll win at trial faces aggregate exposure that bankrupts the business if the jury comes back the wrong way. Insurance is uneven. Most commercial general liability policies carve out TCPA explicitly, so the operator carries the loss directly on the balance sheet.

The benchmark settlements anyone defending a TCPA case will quote back to you cluster around a few sizes. Below $10m sits the long tail of single-vendor, single-campaign cases — usually a marketing partner who text-blasted a list without verifying consent. The $20m to $75m band is where most mid-sized programmes end up: a few months of bad practice across multiple campaigns, certified as a single nationwide class. Above $100m sits the catastrophic tier — Capital One ($75.5m), Caribbean Cruise Line ($76m), Wells Fargo ($30m), Dish Network (over $200m after the FTC and state AG actions stacked on the private class) — where the dial volume was measured in the tens of millions and the conduct stretched across years.

What gets people to the catastrophic tier isn't always intent. It's the failure to fix a known issue. Dish's record didn't come from one bad campaign — it came from continuing to use a marketing vendor after multiple warnings that the vendor was dialling without proper consent. Plaintiffs don't need to prove malice. They just need to prove the operator was on notice and kept dialling.

The four worst-case scenarios that produce the biggest payouts

From the cases we've reviewed and the depositions we've sat through, four patterns produce the worst outcomes. Each one has a clean technical fix that, in our experience, most operators don't realise is available until they're already in litigation.

Scenario one: the reassigned-number pile-up

A wireless number that was once held by a consenting customer gets returned to the carrier pool and reissued to a different consumer. Your dialler, working from a list that was clean two years ago, keeps calling. The new holder of the number complains, joins a class, and discovers tens of thousands of other reassigned numbers in your call history. The settlement is calculated against every one of those calls at the $500 statutory floor — often more than the customer lifetime value of the original consenting account.

The technical fix is the FCC's Reassigned Numbers Database, queried before every campaign, with the safe harbour evidence trail preserved. Operators that pull from the RND and document the timing of the pull have a near-bulletproof affirmative defence. Operators that don't are sitting on liability that compounds every month they keep dialling.

Scenario two: consent that isn't actually express or written

This is the most common failure pattern we see. The operator believes they have consent because the customer entered a phone number on a web form or signed a contract that mentioned "communications". But the FCC's rules under 47 C.F.R. § 64.1200(f)(9) require that prior express written consent for telemarketing calls using an automated dialler or prerecorded voice must be in writing, must clearly authorise the specific seller to deliver telemarketing messages, must identify the phone number authorised, and must be obtained without conditioning a purchase on it. A check-box at the bottom of a checkout flow that says "I agree to be contacted about my account" isn't express written consent for telemarketing — it's transactional consent, which is a different and narrower thing.

The fix is to design the consent capture as a distinct, channel-specific opt-in for marketing communications, with the disclosure language matching the FCC's safe harbour wording. We cover this in detail in our guide to TCPA consent for payment calls — the consent record needs to capture the IP, timestamp, exact language shown, and the wireless number consented, otherwise it's evidentiary noise that won't hold up against a motion to compel.

Scenario three: the marketing partner you didn't vet

Affiliate-sourced lead generation is a leading cause of TCPA exposure for businesses that don't dial themselves. The principal-agent relationship under federal common law (and the FCC's 2013 guidance) means the seller can be held vicariously liable for TCPA violations committed by an affiliate if the affiliate was acting within the apparent scope of authority. Operators routinely sign affiliate agreements that include a one-line indemnity and assume that's the end of it. It isn't. Plaintiffs name the principal because the principal has the deeper pockets, and courts increasingly find vicarious liability where the principal accepted the leads, paid for them, and used them to dial.

The fix is a vendor due diligence package that includes: pre-contract review of the affiliate's consent capture process, a contractual requirement to maintain consent records for at least four years, audit rights, and ongoing monitoring. Most operators do step one and stop. The contractual paper without ongoing monitoring is what lets vicarious liability through.

Scenario four: the auto-redial that wasn't authorised

An agent talks to a customer about an outstanding balance. The customer agrees to a payment plan and gives their card details. The CRM saves the card and the phone number and flags the account for a follow-up call in 30 days. The follow-up dial is placed by an autodialler — and the TCPA's definition of an "automatic telephone dialing system" still catches systems that use a sequential or random number generator to produce or store numbers, per the Supreme Court's 2021 Facebook v. Duguid decision. If the call is marketing — for example, "we noticed you've made a payment, would you like to upgrade your plan?" — the consent the customer gave for the original payment call doesn't cover it.

The fix is to bifurcate the consent capture: transactional consent for the payment confirmation call, separate express written consent for any follow-up that includes a marketing element. Most contact centre platforms don't expose this distinction cleanly, which is why so many programmes end up commingling the two and assuming the customer has consented to everything.

How payment calls fit into the TCPA framework

Payment calls sit in a genuinely complicated part of the TCPA. Calls that exist purely to collect on an existing debt — "your statement shows an outstanding balance, here's how to pay" — are generally treated as transactional, not telemarketing. The FCC's 2015 Order on debt collection calls confirmed that calls made for the purpose of servicing or collecting a debt aren't subject to the prior express written consent requirement that applies to telemarketing, though they still need at least prior express consent (oral or written) to a wireless number when an autodialler or prerecorded voice is used.

The complications start when the payment call carries any commercial uplift — a cross-sell, a renewal offer, a payment plan upgrade. The moment a payment call includes a marketing element, the FCC treats it as a dual-purpose call, and the entire call falls under the more restrictive prior express written consent standard. That's where so many operators get caught: they design the call flow assuming it's transactional, the agent goes off-script and pitches a product, and the recording becomes the smoking gun in a class action.

The architectural fix is a payment-call workflow that's incapable of a marketing pitch by design. The agent's interface for collecting payment should be locked to the transaction — confirm balance, confirm payment method, capture card via channel separation, confirm authorisation. Marketing offers should require a separate, time-boxed module with its own consent gate. Our TCPA-compliant payment IVR piece walks through how an automated IVR can deliver this cleanly without an agent in the loop.

State mini-TCPAs stack on top of federal exposure

Federal TCPA isn't the only statute in play. Four states have enacted mini-TCPAs that create additional, stackable private rights of action, and the Florida Telephone Solicitation Act (FTSA) has produced more class action filings since 2021 than any other state-law telemarketing statute. The FTSA's text-message provisions are particularly aggressive — $500 statutory damages per text, no requirement to prove harm, and a presumption of intent that's hard to rebut without contemporaneous consent records.

Florida courts have generally rejected federal preemption arguments, so an FTSA claim runs in parallel to the federal TCPA claim and the damages don't offset. Settlements involving Florida residents now routinely allocate a separate FTSA tranche because the per-text statutory damages on Florida wireless numbers exceed the federal TCPA's per-call damages for the same conduct. Washington's CEMA, Maryland's MTCPA, and Oklahoma's TCPA all add similar exposure on smaller volumes.

For US operators, the practical implication is geography-aware consent capture. Texts to Florida numbers need FTSA-grade consent. Calls to Washington numbers need CEMA-compliant disclosures. The federal-only consent flow that most CRMs ship out of the box leaves operators exposed to state claims that the federal compliance work doesn't cover.

How channel-separated payment capture changes the TCPA math

The reason we built our US payment platform around channel separation isn't just PCI scope reduction — it's the way it changes the TCPA evidentiary picture. When a customer calls your inbound line and pays via DTMF that the agent can't hear, three things happen at once. The call is inbound, not outbound, so the TCPA's autodialler and prerecorded voice rules don't apply. The transaction is unambiguously payment-related, so it falls into the transactional safe harbour rather than the telemarketing rules. And the recording — which is where most "smoking gun" evidence comes from in TCPA litigation — contains no card data and no marketing pitch, just the transactional confirmation.

The outbound payment-reminder call is harder. Even on a transactional basis, if you're using an autodialler or prerecorded voice into a wireless number, you need prior express consent. The architectural answer is to design the dial-out flow as a payment IVR rather than an agent call: the customer answers, the IVR identifies the call as a payment reminder, offers an opt-out for future calls, and routes them straight to a secure DTMF capture if they want to pay. No agent, no marketing, no cross-sell pressure. The TCPA risk profile is fundamentally smaller because the call has one purpose and the system can prove it.

For inbound payment calls, the take card payments over the phone workflow we run keeps agents and recordings clear of cardholder data and clear of marketing speech. For outbound, the IVR payments module handles dial-out scenarios with a fixed, auditable call script that can't drift into telemarketing.

The evidence trail that wins TCPA cases

The single most important thing an operator can build is the consent evidence trail. Not the policy that says you collect consent — the actual records that show, for each specific phone number, when consent was captured, what the customer saw, what they agreed to, and which CRM event represented that agreement. Plaintiffs win TCPA cases when the defendant can't produce this record at the level of granularity required.

The minimum data set we tell US operators to maintain for every wireless number consented:

The exact phone number consented (E.164 format, including country code).
The timestamp of consent capture (ISO 8601 with timezone).
The IP address from which consent was submitted, or the recording reference if oral.
The exact disclosure language the customer saw or heard at the moment of consent, stored as a snapshot, not a reference.
The product or service the consent covers.
The channels the consent covers (voice, SMS, prerecorded, autodialler).
Any opt-out events with their timestamps.
The customer-facing identifier that ties the consent to a CRM account.

This is more than most CRMs capture by default, which is why so many TCPA defences collapse during discovery. The defendant can produce a record that "Customer A consented at 2:14pm on 18 March", but can't produce the exact wording of the disclosure shown on the consent screen at that timestamp. Without that, the plaintiff argues the consent was defective and the per-call damages start stacking from the first dial.
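The eight-point record above, combined with a dial gate that refuses any contact the record cannot support, as an added example (not Paytia's code). The field names, the extra `scope` and `written` flags, and the `rnd_clear` input standing in for a logged Reassigned Numbers Database result are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

E164 = re.compile(r"^\+[1-9]\d{1,14}$")
CHANNELS = {"voice", "sms", "prerecorded", "autodialler"}

@dataclass(frozen=True)
class ConsentRecord:
    phone_e164: str            # exact number consented
    captured_at: str           # ISO 8601 with timezone
    source: str                # submitting IP, or recording reference if oral
    disclosure_snapshot: str   # exact wording shown or heard, stored verbatim
    covers: str                # product or service
    channels: frozenset        # subset of CHANNELS
    opt_outs: tuple            # ISO 8601 timestamps of opt-out events
    account_id: str            # customer-facing identifier
    scope: str = "transactional"   # assumed extra field: "transactional" | "marketing"
    written: bool = False          # assumed extra field: written vs oral consent

def _ts(value):
    """Parse an ISO 8601 timestamp; None if malformed or missing a UTC offset."""
    try:
        parsed = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.utcoffset() is not None else None

def record_gaps(rec):
    """Return the names of fields that would not stand up as evidence."""
    gaps = []
    if not E164.match(rec.phone_e164):
        gaps.append("phone_e164")
    if _ts(rec.captured_at) is None:
        gaps.append("captured_at")
    for name in ("source", "disclosure_snapshot", "covers", "account_id"):
        if not getattr(rec, name).strip():
            gaps.append(name)
    if not rec.channels or not rec.channels <= CHANNELS:
        gaps.append("channels")
    if any(_ts(t) is None for t in rec.opt_outs):
        gaps.append("opt_outs")
    return gaps

def may_dial(rec, number, channel, marketing, rnd_clear):
    """Fail closed: return (allowed, reason) for one proposed outbound contact."""
    if rec is None:
        return False, "no consent record"
    gaps = record_gaps(rec)
    if gaps:
        return False, "incomplete record: " + ", ".join(gaps)
    if rec.phone_e164 != number:
        return False, "consent is for a different number"
    if channel not in rec.channels:
        return False, "channel not covered"
    captured = _ts(rec.captured_at)
    if any(_ts(t) >= captured for t in rec.opt_outs):
        return False, "opted out after consent"
    # A call with any marketing element needs its own written marketing consent.
    if marketing and not (rec.scope == "marketing" and rec.written):
        return False, "marketing needs separate written consent"
    if rnd_clear is not True:
        return False, "no clear reassigned-number lookup logged"
    return True, "ok"

# Constructed sample record (fictional number, documentation-range IP).
SAMPLE = ConsentRecord(
    phone_e164="+12025550143",
    captured_at="2026-03-18T14:14:00-04:00",
    source="203.0.113.7",
    disclosure_snapshot="I agree to receive payment reminder calls about my account.",
    covers="payment reminders",
    channels=frozenset({"voice", "autodialler"}),
    opt_outs=(),
    account_id="ACCT-0001",
)
```

Logging the returned reason alongside each blocked dial gives the same timeline a record of why the system did not call.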

What insurance won't cover and why that matters

TCPA exclusions in commercial general liability and errors-and-omissions policies are now the industry default. The 2016 case Penn-America Insurance v. Peccadillo (and the wave of similar rulings that followed) confirmed that most CGL policies exclude TCPA claims because the alleged harm — invasion of privacy via unwanted communication — isn't "bodily injury" or "property damage" as defined in the policy. E&O cover is patchier, but most carriers now write explicit TCPA carve-outs.

What this means commercially: TCPA settlements are paid from operating cash flow, not from an insurance pool. A $30m class action settlement is a $30m hole in the balance sheet, not a deductible. This is the part finance teams typically don't understand until they're staring at the demand letter. The cost of building a properly consented payment-call workflow — let's call it $50k to $200k of platform and process spend — is rounding error against a single eight-figure settlement.

If your business runs significant outbound payment-reminder volume, ask your broker for the specific TCPA endorsement language in your current policies. Most operators are surprised to find they're carrying the risk fully self-insured.

What the FCC's 2024-2025 rule changes mean for payment calls

Two FCC rule changes are worth tracking. The first is the one-to-one consent rule, finalised in December 2023, which (when it takes effect — it's been subject to litigation and partial stays) requires that prior express written consent for marketing calls cover only one identified seller per consent. The era of bundled consents that authorise "our partners and affiliates" to call is ending. Operators who rely on lead-generation partners with multi-seller consent disclosures need to redesign the consent capture before the rule's enforcement window closes.

The second is the FCC's continued tightening of the autodialler definition and its push on robocall mitigation generally. STIR/SHAKEN call authentication isn't a TCPA defence in itself, but failure to participate in the framework is increasingly cited as evidence of bad faith. A US operator placing outbound payment calls in 2026 without STIR/SHAKEN-signed traffic looks negligent to a court that's seen the rest of the industry sign their dial-out for years.

Our broader comparison of TCPA versus FCC robocall rules walks through where the two regimes overlap and where they diverge — worth reading before any redesign of an outbound dial programme.

How we approach TCPA compliance for our US contact centre clients

When a US contact centre comes to us to take a payment platform live, the TCPA conversation runs in parallel with the PCI conversation. We don't take a view on the call list itself — that's the operator's commercial decision — but we do bake three things into every deployment. The first is a payment-call workflow that's locked to the transaction, with marketing pitch separated into a different module behind its own consent gate. The second is a consent record schema that captures the eight data points listed above, written to the CRM at the moment of consent capture, with the exact disclosure text snapshotted at that timestamp. The third is an outbound dial flow built around payment IVR rather than agent dials, with STIR/SHAKEN signing, RND query logging, and automatic suppression of any number that's appeared on an opt-out list within the last four years.

None of this is hard once the architecture is in place. The expensive part is doing it after the fact, in the middle of class action discovery, when the records that should have existed for the last 36 months don't exist and the operator is reconstructing consent capture flow from screenshots taken by a paralegal. Build it once, correctly, at the start of the payment programme.

How TCPA exposure interacts with PCI scope

One of the architectural decisions we push hardest on is keeping the TCPA fix and the PCI fix on the same platform. Operators sometimes design the consent-capture layer separately from the payment-capture layer, which creates a brittle hand-off where consent records live in one CRM and the payment record lives in another. When discovery hits, the two records don't reconcile cleanly and the defendant ends up producing inconsistent timelines. Our recommendation is to make the payment platform itself the source of truth for the consent attached to the payment — every authorised charge ties back to the consent that authorised the underlying call, and the chain is provable on a single timeline.

The PCI side of this matters too. A contact centre that's already reduced its PCI scope by 95% through channel separation has, as a side effect, dramatically reduced the surface area where a recording could contain card data. That same architectural decision — agents can't hear the digits, recordings can't capture them — also means that recordings, if subpoenaed in a TCPA case, contain only the conversational portion of the call. The card data isn't there to be discovered. Our DTMF masking setup achieves both outcomes simultaneously: PCI scope reduction and a cleaner evidentiary record for any TCPA discovery.

What a defensible US payment-call programme looks like in 2026

If we were standing up a US payment contact centre from scratch in 2026, the design would look like this. Inbound payment calls only, by default. Outbound dial reserved for genuinely transactional reminders, placed via a payment IVR with STIR/SHAKEN signing and pre-call RND lookup. Consent capture as a first-class workflow with the eight-point evidence record, tied to the customer-facing identifier and the wireless number consented. A payment-capture layer based on channel separation, so agents and recordings stay clear of card data and clear of marketing speech. Marketing pitch in a separate module behind its own consent gate, with the disclosure language matching the FCC safe harbour wording. State-aware consent handling for Florida, Washington, Maryland and Oklahoma residents. A four-year retention floor on consent records and call recordings, mapped to the longest applicable statute of limitations.

That's the defensible posture. Most of the operators who end up in nine-figure settlements got there because one or two of those components were absent, not because the whole framework was broken. The compounding nature of per-call damages means a single weak link can produce class-action exposure that's existential.

Next steps

If you're running US payment calls without provable, channel-by-channel express consent records — or if your outbound dial volume has grown faster than your compliance evidence trail — the cheapest fix is to design it right before the first plaintiff letter arrives. Get in touch for a consent-architecture review against your current call flow, or book a working demo and we'll show you how channel-separated payment capture plus a payment-IVR dial-out flow reshapes the TCPA risk picture for a real contact centre programme.
