TL;DR
TCPA consent for payment calls means prior express written consent, captured before the first marketing call, retained for at least four years, and tied to the specific phone number you'll dial. Service calls are different — implied consent works there — but get the line wrong and statutory damages start at $500 per call.
Last updated: 29 May 2026
If you're running a US contact center that ever calls customers about a payment — an overdue invoice, a card on file that's about to expire, a renewal that needs authorization — TCPA consent is one of the few compliance areas where one wrong field on a web form can cost you seven figures. The Telephone Consumer Protection Act (47 USC 227) has its own rules, its own evidentiary standard, and its own class-action bar that lives for these cases. This piece is the practical breakdown: what TCPA consent actually is, when you need the written version, what the FCC's 2024 one-to-one rule changed (and what's been paused since), how to record consent so it survives a deposition, and where payment calls sit on the consent map.
What TCPA consent means for payment calls in 2026#
TCPA consent isn't a single thing. There are three flavors, and the one you need depends on how the call is dialed and what it's about. Manual calls to a residential or wireless number for an existing transaction generally need no prior consent — implied consent attached to the original business relationship covers them. Automated or pre-recorded calls (anything dialed by an autodialer, or anything that plays an artificial voice) require prior express consent at minimum, and prior express written consent if the call is marketing.
The Federal Communications Commission is the rule-maker here, but the cases are largely civil — plaintiffs sue under the statute's private right of action and collect $500 per violation, trebled to $1,500 where the call was knowing or willful. There's no cap. A 50,000-customer dialer campaign with a defective consent record is a $25 million floor and a $75 million ceiling before legal fees. That's the commercial backdrop. For the broader framework, see our TCPA compliance guide.
For payment calls specifically, the dividing line is whether the call is transactional or promotional. A call to collect an overdue invoice is transactional — implied consent generally applies, and you can dial under the prior-business-relationship doctrine even with an autodialer in some configurations. A call offering a payment plan upgrade, a new product, or a discount is marketing — you need prior express written consent, full stop, regardless of how many years the customer's been with you. The hard cases sit in between, and most contact center teams are surprised by where the FCC and courts have drawn the line.
Prior express written consent: the four hard requirements#
Prior express written consent under 47 CFR 64.1200(f)(9) has four elements. Get any one wrong and the consent is defective — which under TCPA's strict-liability regime means every call placed in reliance on it is a violation.
First, the consent must be in writing. Electronic signatures are fine under the federal E-SIGN Act, so a web-form checkbox satisfies the writing requirement as long as you can later prove who clicked it, when, and from what IP. Second, the consent must clearly authorize the seller to deliver advertisements or telemarketing messages using an autodialer or pre-recorded voice. The language has to say so — generic "we may contact you" boilerplate has been struck down repeatedly.
Third, the consent must include the specific phone number to which the calls will be placed. A blank "phone" field on the form isn't enough; the consumer has to actively enter or confirm the number. Fourth, the consent must be unambiguous and must not be a condition of purchase. If the form makes telemarketing opt-in a precondition for buying the product, the consent is void.
The evidentiary burden is on the caller — you don't get to say "we're sure they consented." You have to produce the artifact. Most teams we work with store the full form submission, the IP, the timestamp, the user agent, and a screenshot of the form as it appeared on the day. That's the deposition-ready package. Anything less and a competent plaintiff's lawyer will tear it apart in cross.
The 2024 one-to-one rule, the Eleventh Circuit, and where we are now#
This is the area where most TCPA advice on the internet is out of date, so it's worth being precise. In December 2023 the FCC adopted the "one-to-one consent" rule, which would have required separate written consent for each seller a lead generator passed a phone number to. Under the old "tick this box to be contacted by us and our marketing partners" model, a single checkbox could authorize calls from dozens of companies. The one-to-one rule was scheduled to take effect on 27 January 2025.
On 24 January 2025 — three days before the rule went live — the US Court of Appeals for the Eleventh Circuit vacated it in Insurance Marketing Coalition Ltd. v. FCC. The court held that the FCC had exceeded its statutory authority by adding requirements not found in the underlying statute. The rule is currently not in force at federal level.
That doesn't mean lead generation is back to the old playbook. Several states — Florida, Oklahoma, Washington, Maryland — have passed their own mini-TCPA statutes that explicitly require one-to-one consent or its equivalent. And the FCC has signaled it will pursue the same outcome through a different statutory hook. The practical answer for a 2026 payment-calls program is to design as if one-to-one consent applies, even though it doesn't federally. The forms are easier to fix now than to retrofit when the rule comes back.
Service calls vs marketing calls: where payment outreach sits#
The most expensive TCPA mistakes we've seen come from contact centers that mixed service and marketing scripts in the same call. A genuine billing call — "your card on file declined, can we run an alternative?" — is transactional. The customer has an existing account, the call is informational, and implied consent applies even for autodialed calls to a wireless number. That's been settled FCC doctrine since the 2015 Declaratory Ruling.
But the moment the agent pivots — "and while we have you on the line, our premium tier is on offer this month" — the call becomes marketing for TCPA purposes, retroactively. Plaintiffs argue, often successfully under the Reyes v. Lincoln Automotive line of cases on revocation and the broader Mims v. Arrow Financial Services jurisdictional framing, that the entire call was a pretextual marketing contact. You needed prior express written consent before the dial, and you didn't have it. The conservative play is to maintain a hard split: never up-sell on a service call to a customer who hasn't given written marketing consent. Our TCPA-compliant payment IVR walkthrough covers the script architecture that keeps the two streams separate at every step.
Payment links sent by SMS sit in the same framework. A one-time SMS confirming an order or carrying a payment link the customer asked for is service traffic. An SMS offering a discount or a new product line is marketing — and an SMS to a wireless number from an automated system is treated like an autodialed call under TCPA. Same consent rules apply.
How to record consent so it survives a class action#
The TCPA defense bar has a saying: the case is won or lost at the consent capture, not in court. By the time a complaint lands, the evidentiary record is fixed. What you stored on the day is what the magistrate sees. Here's what a defensible consent record looks like for payment calls.
Capture the consent through a dedicated form — not buried in 30 pages of T&Cs. Federal courts have consistently struck down consent buried in long agreements as ambiguous. The disclosure language should be in normal-size print, immediately adjacent to the checkbox, and the checkbox should be unticked by default. Pre-ticked boxes have been ruled invalid by both the FCC and multiple circuits.
Store the entire submission: form field values, the disclosure text exactly as it appeared, IP address, user agent, geo, timestamp to the second, the URL of the page, and a server-rendered HTML or PNG snapshot of the form as it looked that day. Retain for at least four years — TCPA's statute of limitations — though we recommend six because plaintiffs sometimes raise tolling arguments that extend the window.
For inbound phone consent (where a customer rings in and gives consent verbally), record the call. The recording is the equivalent of the written form. Make the disclosure explicit, ask the question in unambiguous terms, and get a clear "yes." For PCI-scope reasons that recording shouldn't capture card data — see our DTMF masking page for how the audio stream gets split during card capture.
Revocation: when a customer says stop, you stop#
TCPA gives consumers the right to revoke consent at any time, through any reasonable means. That's been the FCC position since 2015 and the Second, Third, and Eleventh Circuits have all reinforced it. "Reasonable means" includes saying "stop calling" to a live agent, replying STOP to an SMS, sending an email to your customer service address, or telling an IVR system to take them off the list. The 2024 FCC Order on consent revocation (FCC 24-24) clarified that callers must honor revocation within 10 business days.
The operational implication is that revocation has to flow upstream to every system that holds the phone number — the CRM, the dialer, the SMS gateway, the email platform, any partner that's syndicated the lead. If a revoked number gets dialed by a downstream partner you forgot to notify, you're liable. We see firms get bitten on this when they've sold or shared leads under the old broad-consent model and have no clean way to push a revocation through to every recipient.
Store the revocation with the same rigor as the original consent — date, channel, exact words used, the agent or system that received it. If a plaintiff later claims you ignored their revocation, the record is what you have.
Payment-call specifics: the 30-second compliance checklist#
Before any outbound payment-related call campaign, run through these checks. They take 30 seconds per script and they catch the failures we see most often.
Is the call transactional or marketing? If you're collecting on an existing balance, confirming a transaction, or fulfilling a customer-requested action, it's transactional and implied consent applies. If you're offering anything new, it's marketing and you need prior express written consent for that specific phone number.
What's the dial method? A manual hand-dialed call to a wireless number for a transactional purpose is the lowest-risk configuration. An autodialer or pre-recorded voice raises the bar — even transactional calls placed by autodialer need at least prior express consent (the non-written version), and marketing calls need the full written version.
What time is it? TCPA restricts calls to 8am–9pm local time at the called party. That's local to the area code or, more conservatively, local to the billing address. Some state mini-TCPAs (Florida, Washington) restrict further. A weekend call before 9am Eastern that the customer received at 6am Pacific is a violation even with perfect consent.
Is the number on the DNC? The federal Do-Not-Call registry — operated by the FTC and FCC jointly — applies to marketing calls only, but it carries roughly 250 million numbers. Scrubbing against the national DNC list is operationally cheap and removes one whole category of plaintiff. State DNC lists also apply in many states.
For the operational architecture that ties all this together — call splitting, recording controls, consent capture in the IVR — our take card payments over the phone page covers the platform-level pieces.
Multi-state complications: state mini-TCPA statutes#
Several US states have layered their own telephone consumer protection laws on top of the federal TCPA. These often carry private rights of action, larger statutory damages, or extended limitations periods. If your customer base spans the country, you need to comply with the strictest applicable law for each consumer.
Florida's Telephone Solicitation Act (FTSA) is the one that gets the most attention. It originally allowed plaintiffs to sue for calls placed using an "automated system for the selection or dialing of telephone numbers." A 2023 amendment narrowed the trigger language, but the statute still imposes one-to-one consent requirements and provides $500–$1,500 per call damages. Florida class actions have been the most active TCPA jurisdiction since 2022.
Washington's WAEPA, Maryland's MTCPA, and Oklahoma's TCPA-equivalent each have their own quirks. Oklahoma in particular requires consent to be obtained directly by the calling party — passing through a lead generator doesn't satisfy the statute. Designing your consent flow to satisfy Oklahoma usually means you've satisfied everything else as well. For a comparison of how state and federal rules interact, see our TCPA vs FCC robocall rules breakdown.
How Paytia handles consent capture during payment calls#
When a customer is on a recorded payment call with one of our clients' agents, the consent moment is a designed pause in the call flow. The agent reads a scripted disclosure ("I'd like to confirm your consent to keep this card on file for future automated payments — that means we may call or text this number with payment reminders. Do you consent? Yes or no."), the customer answers, and the recording captures the exchange. The transcription is tagged with consent metadata and stored against the customer record.
Critically, the consent capture happens before the card capture — and the card capture uses DTMF masking, so the recorded audio never contains the PAN. That keeps the consent recording itself outside PCI scope, which means we can retain it for the four-to-six-year TCPA window without inheriting the deletion requirements that apply to card data under PCI DSS 4.0.1.
For inbound web flows, consent capture sits on the payment page itself with a dedicated checkbox, explicit disclosure text, and IP/timestamp/user-agent storage tied to the resulting payment token. One mid-sized property-management client cut their PCI scope by 95% after moving to our platform and ran the consent capture through the same flow as the payment authorization — one form, one server-side record, audit-ready by default. The same architectural pattern works for healthcare collections under HIPAA, where the consent capture also has to survive an OCR audit.
What happens when you get it wrong: the litigation pattern#
TCPA class actions follow a recognizable arc. A plaintiff who received an unwanted call files a complaint, usually within weeks. Plaintiff's counsel issues a Rule 26 discovery request for the entire calling list and the consent records for each number. If the consent records are weak, the case settles fast — typically $1–3 per record on the calling list, which on a million-number campaign is real money.
If the consent records are strong, the case usually survives a motion to dismiss but the plaintiff's negotiating position weakens. The settlements move from per-record to nuisance-value. The difference between a $5 million settlement and a $500,000 settlement, in our experience, is the quality of the consent artifact and the cleanliness of the revocation handling. For a deeper look at what the downside actually looks like in dollar terms, see our TCPA penalties worst-case scenarios piece.
Consent for IVR and chatbot payment flows#
The conventional TCPA cases are about voice calls, but the rules apply across every automated channel that touches a wireless number. That includes self-service payment IVRs that ring a customer back to confirm a transaction, chatbot flows that follow up with an SMS, and AI voice agents that handle outbound collection calls. Each of these triggers TCPA scrutiny if the underlying system is an autodialer or plays a pre-recorded voice.
For an inbound IVR — where the customer rings you and goes through a payment flow — TCPA mostly doesn't apply because the customer initiated the contact. The exception is if the IVR captures a callback number and the system later rings that number unsolicited. At that point you're back in autodialed-call territory and you need consent for the callback specifically. The cleanest design is to capture explicit consent for callbacks as a discrete step in the IVR script, with the customer pressing 1 to confirm.
For outbound IVR campaigns — payment reminders, declined card recovery, renewal confirmations — assume TCPA applies and design the consent capture against the four-element written test. The dialer config matters: predictive dialers, progressive dialers, and broadcast IVR systems are all autodialers under the current FCC view, even though the 2021 Supreme Court Facebook v. Duguid decision narrowed the statutory definition. Most circuits have read the post-Duguid landscape as still bringing modern dialers under the statute, so don't bet on the narrower reading.
AI voice agents add another layer. An AI voice that places outbound calls is, in TCPA terms, a pre-recorded or artificial voice — even though it's generated fresh on every call. The TRACED Act amendments and recent FCC guidance treat AI-generated voice the same as pre-recorded for consent purposes. If you're using an AI voice agent for payment collection, you need prior express written consent for marketing and prior express consent for service.
Vicarious liability: when partner calls become your problem#
TCPA's reach extends past direct callers. The FCC and courts have held that the "seller" — the entity whose goods or services are being marketed — is vicariously liable for telemarketing calls placed by agents, lead generators, or other third parties acting on the seller's behalf. The standard is federal common-law agency, which means actual authority, apparent authority, or ratification.
For payment-related campaigns, the practical scenarios are familiar. A collections agency rings customers on your behalf and uses an autodialer. A lead generator passes you phone numbers from a "free quote" web form and you call them. A marketing partner runs an outbound campaign promoting your renewal product. In each case, even though you didn't dial the number, you can be on the hook if the consent record is defective or the calling pattern violates TCPA.
The defensive moves are contractual and operational. Contracts with collections, lead generators, and outbound marketing partners should require TCPA compliance, indemnification for violations, and access rights to the consent records on demand. Operationally, you should sample-audit your partners' consent records at least annually — pull a random selection of phone numbers, request the corresponding consent artifacts, and check them against the four-element test. If a partner can't produce clean records on a 24-hour timeline, that's a contractual breach and a commercial signal.
The lead-generator economy has been particularly affected by the post-2024 regulatory landscape. With the one-to-one rule vacated federally but echoed in several state statutes, the safer model is to treat every lead source as if one-to-one consent applies and to demand provenance for each phone number — which lead-generator captured it, on which form, with what disclosure language. If the chain is broken anywhere, the consent isn't defensible.
The Reassigned Number Database and why it matters#
One of the more painful TCPA traps is calling a number whose previous owner consented but whose current owner hasn't. Phone numbers get reassigned constantly — the FCC estimates around 35 million numbers change hands every year. If you call a reassigned number with the old owner's consent on file, you're calling someone who never consented. That's a violation.
The FCC's Reassigned Numbers Database (RND) launched in November 2021 to address this. The database aggregates disconnection events reported by carriers, and callers can query it before placing a call to check whether a number has been reassigned since the consent date. Using the RND in good faith creates a safe harbor: if the database says the number hasn't been reassigned and you call it, you're not liable for the call even if the database was wrong.
The catch is that the safe harbor only applies if you actually queried the database in good faith. Buying a subscription and ignoring the results doesn't count. For payment-call programs, the operational fix is to integrate an RND lookup into your pre-call workflow — typically a batch query the morning of the campaign — and to automatically suppress any number that's been reassigned since the consent date. The cost is modest (the database operates on a tiered subscription) and it shuts down a whole class of plaintiff.
If you're dialing on a continuous basis (collections, payment reminders), repeat the RND check periodically — at least quarterly, and ideally before any campaign that's more than 30 days from the last check. A customer's number can be reassigned overnight, and the older the consent the higher the risk.
Cross-border issues: foreign callers reaching US consumers#
This is where firms headquartered outside the US most often get caught out. Foreign privacy regimes — GDPR in the EU, PIPEDA in Canada, the UK's UK-GDPR — are not TCPA. The freely-given, specific, informed, unambiguous GDPR standard sounds similar but it doesn't satisfy the four-element prior-express-written-consent requirement. A firm that's perfectly GDPR-compliant on its consent forms can still be a TCPA defendant if those forms are pointed at US numbers.
The biggest gap is the autodialer disclosure. GDPR-style consent forms typically don't mention autodialers or pre-recorded voices — they cover the data processing, not the dial method. TCPA requires the disclosure to specifically call out the dialer use case. A consent form that says "we may contact you about our services" is not TCPA-compliant for autodialed calls into the US.
The second gap is the specific-number requirement. GDPR consent attaches to a person; TCPA consent attaches to a phone number. If a consumer relocates to the US and gives you their new American mobile, the original foreign consent doesn't carry across. You need a fresh capture against the new number.
The third gap is the time-of-day rule. Foreign regulators don't typically restrict call windows the way TCPA does. Dialing a New York customer at 7am Eastern from London (where it's noon and feels reasonable) is a TCPA violation regardless of consent. Build the call-window check into the campaign-management layer rather than relying on agent judgment.
For multi-region clients running US payment campaigns, we typically recommend a separate consent flow for the US contact base — a US-specific form, US-specific disclosure language reviewed by US counsel, US-specific retention periods, and an integrated DNC and RND check. The marginal cost is small; the marginal protection is large.
What to do if you've already got a consent problem#
Most firms that come to us about TCPA exposure have already been calling for months or years before they realized the consent records weren't defensible. The question isn't whether the records are perfect — it's what to do now to minimize forward risk and reduce the size of any class.
The first move is to stop the bleeding. Pause any campaign where the consent provenance is unclear, and limit outbound dialing to numbers with verifiable, four-element-compliant consent on file. That's a short-term revenue hit but it caps the class size from this point forward.
The second move is to re-collect consent for the existing customer base. Send an email or in-app prompt asking customers to confirm they consent to autodialed or pre-recorded calls and texts at their phone number, with the four-element disclosure language. Customers who confirm move to the verified-consent list; those who don't get moved to manual-dial-only or removed from outbound entirely.
The third move is to clean the historical record. Pull the original consent capture for each customer — form HTML, IP, timestamp, disclosure text — and assess whether each record would survive deposition. Records that hold up stay in the active pool; records that don't move to the same manual-dial-only category until re-collection.
The fourth move is to layer in the operational controls that should have been there from the start: RND lookups, DNC scrubbing, time-of-day enforcement, revocation handling. These are the things a competent plaintiff's counsel will probe in discovery, and the strength of the operational record will reduce the size of any settlement.
The cost of doing this work proactively is a fraction of the cost of doing it under a discovery deadline. We've seen the same exercise cost a client around $50k in pre-emptive consultancy and $5m in post-complaint remediation on substantively identical fact patterns.
The role of class waivers and arbitration clauses#
One defensive structure that's worth raising with your in-house counsel is the arbitration-and-class-waiver clause in your customer terms. The Federal Arbitration Act generally enforces these clauses, and a clean arbitration clause with a class-action waiver can convert a multi-million-dollar TCPA class action into a series of individual arbitration proceedings, most of which the plaintiff never bothers to bring.
That said, the structure has to be set up correctly. The clause needs to be presented prominently at the time the customer signs up, the arbitration provider needs to be reputable (AAA or JAMS rather than a captive arbitration body that's been thrown out of court), and the clause shouldn't try to limit statutory damages or shorten the limitations period — courts strike those provisions and sometimes throw the whole clause out with them. We've seen multiple TCPA cases turn on whether an arbitration clause was enforceable, and the wins typically went to defendants whose clauses were modest in scope rather than maximalist.
The clause also needs to actually apply to the calls in question. A clause buried in the original sales agreement doesn't always extend to subsequent telemarketing, especially if the calls relate to products or services that weren't covered by the original contract. The cleanest approach is to make the arbitration clause apply to "any dispute arising out of or related to the relationship between the parties, including without limitation any claim under TCPA or state telephone consumer protection laws," and to remind customers of the clause at key touchpoints.
Arbitration isn't a silver bullet — some courts have refused to enforce arbitration in TCPA cases where the calls reached non-customers, and class-action plaintiffs have started pursuing mass arbitration as a counter-tactic — but on the basic class-defense question it's still the single most effective contractual tool. If your terms don't have a clean arbitration clause yet, this is the year to add one.
Common pitfalls we see at audit#
When we audit a client's TCPA position before they take on a new US payment-calls program, a small set of issues turns up over and over. They're worth listing because most teams can fix them in a week if they know what to look for.
Pre-ticked consent boxes on web forms. We've seen this on more than half the audits we've done in the last two years. The fix is a single line of HTML, but until it's fixed every form submission is a defective consent.
Disclosure text in a hover-tooltip or behind a "more info" link. Courts have read this as not "clear and conspicuous" within the meaning of TCPA. The disclosure has to be visible at the moment the consumer ticks the box, in the same font size as the surrounding form content.
No timestamp or IP capture on the consent record. The submission was saved but the metadata was discarded. Without timestamp and IP, the record can't be tied to a specific call later.
Revocation handling that lives in one system but not the others. A customer says "stop" to a live agent, the agent flags it in the CRM, but the dialer still has the number on its outbound list because the systems don't sync in real time. The next campaign re-calls the revoked number and the violation count restarts.
No time-of-day check in the dialer config. The system dials whenever the campaign is scheduled, regardless of where the called party is. This catches firms with national customer bases who schedule campaigns around their own working day.
Next steps#
If you're building or refreshing a US payment-calls program, start by auditing your current consent capture against the four-element written-consent test, then map your call types into the service vs marketing buckets and check whether your dialer configuration matches each. Layer in RND lookups, DNC scrubbing, and the time-of-day rule. For the wider compliance picture this slots into, work back through the TCPA compliance guide at the top of the cluster. If you'd like a walkthrough of how Paytia handles the consent and recording architecture inside a PCI-descoped payment call, book a live demo — we'll show you the actual call flow. For platform-level questions, contact our team directly on +1 628 295 2250.
