TCPA vs FCC Robocall Rules — How They Overlap

Last updated: 29 May 2026

If you've been searching for "TCPA vs FCC" trying to work out which one applies to your business, here's the short answer: both do, and they're not in conflict. The Telephone Consumer Protection Act (TCPA) is the federal statute. The Federal Communications Commission (FCC) is the regulator Congress put in charge of writing the actual robocall rules and enforcing them. The FTC then layers its Telemarketing Sales Rule on top of that for any call that fits the "telemarketing" definition. We've helped contact centres on both sides of the Atlantic work through this, and the framing trips people up constantly — so let's untangle it.

TCPA vs FCC: the statute and the regulator are not the same thing#

The Telephone Consumer Protection Act became law in 1991. It's a piece of federal legislation — a few thousand words long, codified at 47 U.S.C. § 227. It sets out the big-ticket prohibitions: no autodialled or prerecorded calls to mobile numbers without prior express consent, no prerecorded telemarketing to residential lines without prior express written consent, and a private right of action that lets consumers sue for $500 to $1,500 per violation. That's it. The statute itself is short.

The FCC is the regulator. Congress wrote into the TCPA that the FCC would "prescribe regulations to implement the requirements" of the Act. So the actual operational rules — what counts as an autodialer, how prior express consent has to be captured, the timing windows, the opt-out language, the identification requirements — sit in the Code of Federal Regulations at 47 CFR § 64.1200. The FCC also issues declaratory rulings, fines, and enforcement actions. When you read about a $300 million TCPA fine, that's the FCC swinging the enforcement bat, not Congress.

Why does this matter for your compliance work? Because pointing at the statute alone isn't enough. The FCC updates the rules. In 2024 alone they tightened the one-to-one consent rules, closed the lead-generator loophole, and moved on AI-generated voice calls. If you only read the 1991 text, you'll miss thirty-plus years of regulatory evolution that's now baked into how the law actually works.

What the TCPA statute actually says#

Strip the TCPA down to the parts that affect payment calls and you get four operative prohibitions. First, no autodialled or artificial-voice calls to mobile numbers without prior express consent. Second, no prerecorded telemarketing calls to residential numbers without prior express written consent. Third, no unsolicited fax advertisements. Fourth, the National Do Not Call (DNC) Registry restrictions, which the FCC and FTC jointly administer.

The statute also creates the private right of action that drives most of the TCPA litigation industry. Any consumer who receives a non-compliant call can sue for statutory damages of $500 per violation, trebled to $1,500 if the violation is wilful or knowing. There's no cap, and class actions are routine. Plaintiffs' firms have built entire practices around scraping call records and filing TCPA class complaints — that's why the cost of a small consent mistake can quickly run into the millions. We covered the scale of this in TCPA penalties: worst-case scenarios.

One thing the statute does not do is define "autodialer" with precision. The 2021 Supreme Court ruling in Facebook v. Duguid narrowed the definition considerably — but the FCC has continued to issue guidance that effectively expands it back out for other technologies. So the practical scope of what counts as a regulated call keeps shifting, and it shifts through FCC rulings, not statutory amendment.

What the FCC actually does#

The FCC does three things that matter to anyone making payment calls. It writes the implementing rules in 47 CFR § 64.1200. It enforces those rules through its Enforcement Bureau, which issues citations, notices of apparent liability, and consent decrees. And it interprets ambiguous provisions through declaratory rulings — which often have the practical effect of changing what's compliant overnight.

The implementing rules are where the operational detail lives. The FCC's regulations specify, for example, that prior express written consent needs a clear and conspicuous disclosure, an unambiguous agreement, and a method that's not pre-checked. They define the calling-time window (8am to 9pm in the called party's time zone). They set out the identification requirements — your business name, a callback number, and the purpose of the call must all be stated. None of that detail is in the statute. It's all FCC regulation.

Enforcement is where the FCC really earns its reputation. Recent FCC fines in this space include $300 million against a single robocall operation in 2023, $9.9 million against a political deepfake operation in 2024, and a steady stream of seven- and eight-figure penalties against telemarketers who ignored DNC rules. The FCC doesn't typically sue payment-collection contact centres, but it does cite them, and once cited, you're exposed to follow-on private litigation.

The FTC's Telemarketing Sales Rule sits on top#

Here's the bit most TCPA-vs-FCC articles miss: there's a third layer. The Federal Trade Commission (FTC) enforces the Telemarketing Sales Rule (TSR), which overlaps with the TCPA but isn't the same thing. The TSR applies to telemarketing calls — calls trying to induce a purchase, donation, or investment. It covers DNC, abandoned calls, robocall restrictions, and disclosures.

For most outbound payment calls, the TSR doesn't apply directly — collecting on an existing debt isn't telemarketing. But if your call drifts into upsell territory ("while I have you, can I tell you about our extended warranty?"), you've now triggered the TSR as well. The penalties are substantial: civil penalties up to $51,744 per violation as of 2025, plus the FTC's redress powers.

So when people ask "TCPA vs FCC", the honest answer is that they're missing the FTC, which is the third leg of the stool. For a deeper look at consent mechanics, our TCPA consent for payment calls guide breaks down which consent type covers which call type — because the answer is different depending on whether the FTC's TSR is in play.

How the overlap actually plays out for payment calls#

Let's run a concrete example. You're a US-based contact centre handling collections for a utility client. You want to call a customer's mobile to take a payment over the phone. Here's the layered analysis you actually need to run.

The TCPA statute applies because you're calling a mobile number and you're using a dialer. The FCC rules tell you what consent you need — prior express consent is sufficient because this is an informational call (debt collection), not telemarketing. The FCC also tells you the consent has to be unambiguous and the call has to identify you, the purpose, and a callback number. The FTC's TSR generally doesn't apply because debt collection isn't telemarketing — unless your script slides into selling something.

If you instead want to robocall the same customer with a prerecorded reminder that their bill is due, the rules tighten. The FCC has historically allowed informational prerecorded calls to mobile numbers with prior express consent, but the lines have moved. The safer path for any prerecorded payment call is to treat it as if prior express written consent is required, especially after the 2024 one-to-one consent ruling that tightened how consent can be sourced.

And if your call hits a residential landline with a prerecorded message? Now you're in "artificial or prerecorded voice" territory, and the FCC's residential-line carve-outs apply. Some informational calls are allowed without consent — but a payment-due reminder probably isn't one of them once you cross the line into anything that sounds like solicitation.

The 2024 FCC rule changes everyone's still catching up on#

Three FCC rule changes in 2023-2024 reshaped how the TCPA works in practice, and most compliance teams haven't fully absorbed them yet.

The first is the one-to-one consent rule (FCC 23-107). From January 2025, prior express written consent has to be granted to one specific seller at a time. The old "lead generator" model — where a consumer fills out a form on a comparison site and that form lists 50 partner companies who can all call — is dead. Each seller now needs its own discrete consent. For payment-related calls, this means the consent you collected via a third-party lead form three years ago is almost certainly worthless now.

The second is the move on AI-generated voice. After the New Hampshire primary deepfake incident, the FCC declared in February 2024 that calls using AI-generated voices fall squarely within the TCPA's prohibition on "artificial or prerecorded voice" calls. If you've been experimenting with AI voice agents for outbound payment chase, you now need the same prior express written consent you'd need for any other prerecorded telemarketing call.

The third is the call-blocking and STIR/SHAKEN expansion. The FCC has been progressively tightening the rules around caller ID authentication and the right of carriers to block suspected illegal robocalls. Calls flagged as "Spam Likely" aren't just an annoyance — they're a signal that your dialer is now competing against carriers' analytics. We covered the dialer-design implications in our TCPA-compliant payment IVR guide.

Who enforces what — the practical map#

If you ever get a notice, it helps to know which body sent it and why. The FCC's Enforcement Bureau handles direct rule violations and issues citations and notices of apparent liability. They focus on egregious robocall operations and gross compliance failures. The FCC also accepts and acts on consumer complaints — the consumer complaint portal feeds directly into enforcement triage.

The FTC handles TSR violations and works with state attorneys general on telemarketing enforcement. They run the National DNC Registry day-to-day. State AGs have their own TCPA enforcement powers and have been increasingly active — Texas, Pennsylvania, and Missouri have brought several high-profile actions in the last two years.

And then there's the private bar. The bulk of TCPA litigation isn't government-led — it's plaintiffs' firms filing class actions. They scrape call logs, find a few hundred potentially non-consented calls, and file a class complaint. The settlement value of a typical TCPA class action sits between $1 million and $5 million, and individual high-profile settlements have topped $75 million. Private litigation is the single biggest TCPA financial risk most contact centres face — bigger than the FCC, bigger than the FTC.

State-level TCPA equivalents that stack on top#

It gets worse. Several states have passed their own "mini-TCPA" statutes that go further than the federal law. Florida's Telephone Solicitation Act (FTSA), passed in 2021 and amended in 2023, was famously aggressive — though the 2023 amendments narrowed it considerably. Oklahoma's Telephone Solicitation Act has similar private-right-of-action mechanics. Washington and Maryland have proposed equivalents.

For a multi-state contact centre, this means your TCPA compliance programme needs a state-by-state overlay. The federal rules are the floor; individual states can and do raise the ceiling. Calls into Florida that are perfectly fine under the federal TCPA can still attract FTSA litigation if you don't meet the additional state requirements.

Practically, this is why we tell US clients to design their dialer consent flows around the strictest state's requirements rather than trying to apply different rules per call. The marginal cost of treating every call as if Florida-pre-2023-FTSA standards applied is small. The cost of getting it wrong is enormous.

How channel-separated payment capture interacts with TCPA and FCC rules#

This is where our world meets theirs. The TCPA and FCC rules govern whether you can make the call and what consent you need. They don't govern how you take payment once you're on the call. PCI DSS, not the TCPA, governs the payment-data side. But the two regimes interact in a couple of important ways.

First, your call recording becomes a TCPA evidentiary asset. If a customer ever disputes consent, the recording of your consent capture is your primary defence. That recording, by definition, contains the customer's voice — and if the agent has just taken card details by reading them aloud, the recording also contains cardholder data. Now you've created a record that's PCI-scoped (because it contains a PAN) and TCPA-scoped (because it documents consent). Both regimes demand you keep it; both impose different storage requirements.

Channel separation solves half of this elegantly. With DTMF masking, the customer keys their card details into their handset rather than reading them aloud. The agent never hears the digits, and the call recording captures only flat tones in place of the keypresses. The consent portion of the call is intact and admissible; the cardholder data never enters the recording. You meet both regimes' requirements without compromise.

Second, the FCC's identification requirements (callback number, business name, purpose) interact with how you brand your payment IVR. If a customer initiates payment by calling your IVR, the IVR needs to identify itself in the same way an agent would. We've seen plenty of self-service payment IVRs that pass PCI DSS audits with flying colours but quietly miss the TCPA identification rules — particularly the callback number requirement.

What this means for outbound payment chase campaigns#

Outbound payment chase is the use case where TCPA and FCC overlap most sharply. You're calling a customer who owes you money. Two questions you need to answer before you dial.

First, do you have prior express consent (or prior express written consent if the call is prerecorded or AI-voice)? If the consent came from a contract clause buried on page 14 of your service agreement, it's probably not unambiguous enough under current FCC standards. If it came from a third-party lead generator, after January 2025 it's almost certainly invalid. If it came from the customer giving you their mobile number specifically so you could contact them about their account, you're probably fine for non-prerecorded calls.

Second, are you treating the call as informational or telemarketing? Pure payment collection is informational. The moment you upsell, you're telemarketing — and now the FTC's TSR layers on, the consent bar goes up, and the National DNC registry filtering becomes mandatory. The cleanest answer is to keep payment chase calls strictly payment-focused. Resist the urge to wedge in a cross-sell. The compliance overhead isn't worth the upsell revenue.

If your campaigns rely on volume — thousands of outbound calls a day — invest in dialer logic that filters against the federal DNC, your internal DNC, the FTC's reassigned-number database, and the state-specific DNC lists. The FCC's reassigned numbers database was built for exactly this purpose; if you call a number that's been reassigned and you don't check the database, the safe-harbour defence doesn't apply.

Inbound and consented payment calls — the easier path#

The TCPA mostly doesn't apply to calls the customer initiates. If a customer dials your IVR to pay a bill, you don't need TCPA consent — they consented by calling you. The FCC's caller-ID and identification rules still apply (your IVR needs to identify itself, give a callback number, and state the purpose), but the autodialer and prerecorded-voice prohibitions are off the table.

This is why most contact centres trying to reduce TCPA exposure shift as much payment activity as possible to inbound and customer-initiated channels: IVR self-service, hosted payment pages linked via SMS (with the customer initiating the click), and web chat payments where the customer starts the session. The TCPA and FCC robocall rules largely fall away on these channels, and you're left with PCI DSS as the dominant compliance constraint — which is a much more solved problem.

The trade-off is that inbound-only campaigns convert less aggressively. If you've been running outbound chase that pulls 8-12% payment recovery and you switch to inbound-only, recovery rates typically drop to 3-5%. The economics need to work for your debt portfolio. For high-value accounts, agent-assisted outbound with bulletproof consent management is still the right answer; for lower-value books, inbound-only often wins on margin.

The international angle — TCPA vs UK/EU rules#

If you're a UK or European contact centre handling US calls, the TCPA and FCC rules apply to every call you place into a US number, regardless of where you're physically located. Your GDPR consent stack doesn't substitute. UK PECR consent doesn't substitute. The TCPA's prior express written consent has specific elements — clear-and-conspicuous disclosure, unambiguous agreement, no pre-checked boxes — that PECR and GDPR don't require in the same form.

The fix is straightforward but adds friction to the onboarding flow: build a US-specific consent capture step that meets TCPA standards, gate any US calling on completion of that step, and store the consent record (with timestamp, IP, and the exact disclosure shown) for at least four years. Litigation can come three to four years after the call.

The reverse is also worth noting: a US contact centre calling into the UK doesn't get to rely on TCPA-compliant consent to satisfy UK PECR. Different jurisdictions, different rules, no reciprocity. If you're running cross-border collections, you need both consent stacks.

STIR/SHAKEN and what it means for your dialer reputation#

STIR/SHAKEN is the caller-ID authentication framework the FCC has mandated for US voice carriers. The acronyms (Secure Telephony Identity Revisited / Signature-based Handling of Asserted information using toKENs) describe a cryptographic system that lets carriers verify that the calling number on a call hasn't been spoofed. Since June 2021, originating carriers in the US have been required to sign outbound calls with an attestation level (A, B, or C) indicating how confident the carrier is that the caller is who they claim to be.

For payment-collection contact centres, STIR/SHAKEN matters in two ways. First, your originating carrier needs to give you full A-level attestation for the calls to go through without being flagged. If your carrier only signs you with B or C attestation — which happens when the carrier can't verify your right to use a specific calling number — terminating carriers will often label your calls as "Spam Likely" in the recipient's caller ID display. We've seen contact centres lose 30-40% of their answer rate overnight when their carrier downgraded their attestation level.

Second, the FCC has progressively expanded carriers' authority to block calls they reasonably believe to be illegal robocalls. The TRACED Act of 2019 gave them that authority; subsequent FCC rulings have widened it. So your campaigns aren't just fighting consumer suspicion — they're fighting carrier-side machine-learning models that look at call volume, answer rates, completion rates, and abandon rates to decide whether to block you preemptively. A high abandon rate (which the FCC's predictive-dialer rules limit to 3% in most cases) is one of the strongest signals carriers use to flag a dialer as abusive.

The fix is straightforward but operationally demanding. Work with a carrier that can give you A-attestation, register your calling numbers in the Industry Traceback Group's reassigned-numbers database, monitor your answer and abandon rates daily, and respond fast to any carrier dispute. Several payment-focused contact centres now have full-time roles dedicated to dialer reputation — that's a reasonable cost of doing business in the US market in 2026.

Reassigned numbers — the silent TCPA risk#

Roughly 35 million US phone numbers get reassigned every year. A customer signs up with you in 2022 and gives consent to call their mobile. They cancel their carrier in 2024. Six months later, that number gets reassigned to a new customer who has no relationship with you and has never consented to your calls. You dial. They sue.

The FCC's reassigned numbers database, launched in late 2021, was specifically built to solve this. It's a centralised database listing every US mobile and landline number that's been disconnected and may have been reassigned. Callers who query the database before each call get a safe-harbour defence if they're sued — provided they were relying on consent given before the disconnection date and didn't know about the reassignment.

The catch is that querying the database is a paid service, and the cost adds up at scale. Per-query rates start around $0.0036 for high-volume callers. For a dialer pushing 100,000 calls a day, that's $360 a day or roughly $130,000 a year just to maintain the safe-harbour defence. Most contact centres we work with build the lookup into their pre-call validation layer and treat it as a non-negotiable cost. The alternative — discovering after a few thousand calls that you've been dialing reassigned numbers — is much more expensive.

One nuance: the safe-harbour only protects you for calls made within 60 days of the database showing the number as not-disconnected. So you can't query once a quarter and rely on the result. The queries need to be fresh, ideally on the same day as the call. Build that into your dialer architecture from day one, not as an afterthought.

Litigation patterns — what plaintiffs' firms actually do#

To defend a TCPA programme effectively, it helps to understand how plaintiffs' firms build their cases. The pattern is consistent across the dozens of TCPA class actions we've reviewed for clients.

Step one is acquisition. The plaintiffs' firm advertises directly to consumers ("Did you get a robocall? You may be entitled to compensation") or buys lead data from class-action aggregators. They aim to find a few hundred to a few thousand consumers who received calls from the same source and can credibly claim they didn't consent. Step two is discovery. They subpoena the defendant's call logs, dialer records, consent capture records, and CRM data. Step three is class certification. They argue the defendant's calling practices were uniform enough that all class members suffered the same alleged harm. Step four is settlement, almost always.

The defensive playbook is the inverse. You want your call logs to show that every call was tied to a documented consent record with a timestamp, source, IP address, and the exact disclosure language shown to the consumer. You want your dialer to demonstrate that you queried the reassigned-numbers database and the DNC registry before each call. You want your consent flow to be inconsistent enough across customer journeys that class certification becomes hard — because if every class member has a different consent story, certification gets denied and the case fragments back into individual suits, which are uneconomic for the plaintiffs' firm to pursue.

None of this is legal advice; talk to a qualified TCPA attorney for that. But the operational lesson is clear: build your consent infrastructure to be the strongest part of your dialer, not the weakest. Most contact centres still treat consent as a checkbox at the end of a sign-up form. The contact centres that survive TCPA litigation treat it as a versioned, auditable, regulated data asset.

Common consent capture mistakes that kill TCPA defences#

Across the dozens of TCPA defence reviews we've sat in on, a handful of consent-capture mistakes show up over and over. Worth listing them so you can audit your own flow against the pattern.

Mistake one: bundling consent inside terms and conditions. If your sign-up flow has a single "I agree to the terms" checkbox that includes consent to receive calls buried in paragraph 47, that consent isn't "unambiguous" under FCC standards. The 2024 rules made this explicit — consent has to be clear-and-conspicuous and separately granted from other agreements. Pull it out into its own checkbox with its own disclosure.

Mistake two: pre-checked boxes. The FCC rules have always prohibited pre-checked consent boxes for prior express written consent. They've increasingly applied the same logic to prior express consent more broadly. Any default-on consent capture is a defensible-record problem waiting to happen.

Mistake three: failing to store the disclosure version. The disclosure shown to a consumer in 2023 may be different from the one shown in 2025. If you can't reproduce the exact disclosure that customer X saw on date Y, your consent record is incomplete. The fix is to version every disclosure and store the version reference alongside the consent timestamp.

Mistake four: assuming SMS consent covers voice calls. The two are legally distinct. Consent to receive payment-reminder text messages doesn't automatically include consent to receive payment-reminder phone calls. If you want both, ask for both — preferably as two separate checkboxes with two separate disclosures.

Mistake five: relying on a customer's verbal "yes" on a call to manufacture forward consent. Recorded verbal consent can satisfy prior express consent for non-prerecorded informational calls — but it doesn't satisfy prior express written consent for telemarketing or prerecorded calls. Verbal consent has a ceiling. Know where the ceiling is.

The PCI DSS interaction nobody talks about#

One more interaction that often gets missed: the way your TCPA consent storage policy interacts with PCI DSS data retention rules. PCI DSS v4.0.1 requires you to define and document data retention periods for cardholder data and have a justified business need for the retention. Most contact centres set this at 12-18 months for call recordings.

TCPA litigation, on the other hand, can come three to four years after the call — the statute of limitations under the TCPA's private right of action is generally four years from the date of the call. So if you set your call-recording retention to 18 months to satisfy PCI DSS minimisation, you may have deleted the consent evidence you'd need to defend a TCPA suit two years later.

The clean solution is to separate the consent evidence from the cardholder data. Channel-separated capture does this naturally: the consent portion of the call is recorded, the cardholder data portion isn't. You can then keep the consent recording for the full four-year TCPA window without violating PCI DSS minimisation, because it doesn't contain PAN data. Without channel separation, you're stuck choosing between two compliance regimes' retention requirements — and usually picking the wrong one. We've seen this play out in litigation where the defendant had no consent recording because it had been deleted under PCI policy. The case settled for $11 million.

What we'd actually recommend#

If you're trying to build a defensible TCPA programme for payment calls, three concrete moves matter most. First, redesign your consent capture to meet the highest current standard — prior express written consent with one-to-one specificity, clear disclosure, no pre-checked boxes, and a stored record with all the metadata. Don't try to grandfather old consent. The 2024 rules effectively reset the clock.

Second, separate your call recording from your cardholder data capture. Channel-separated DTMF capture means the recording is admissible TCPA evidence without becoming a PCI liability. This is the work we do every day — see our pillar guide on TCPA compliance guide for how the pieces fit together.

Third, run an annual TCPA audit alongside your PCI assessment. Most contact centres audit PCI annually but treat TCPA as a one-time legal review. That's backwards. The FCC's rules move every twelve to eighteen months; PCI DSS has a four-year revision cycle. Your TCPA programme is more likely to be out of date than your PCI programme, not less.

Next steps#

If you're running US payment calls and want a TCPA-aware capture platform that also handles PCI DSS scope reduction, we'd be glad to walk you through the architecture. Book a call with us and we'll show you how channel-separated capture fits into a defensible TCPA programme — or if you want to see the capture mechanism in action first, try the live demo. It takes about three minutes and shows exactly how the agent never hears card details while the consent portion of the call stays fully recorded and admissible.