TCPA Penalties — Worst-Case Scenarios and Real Settlements

Last updated: 29 May 2026

If you take card payments by phone in the United States, TCPA penalties aren't an abstract regulatory risk — they're the single largest unbudgeted line item sitting on your call floor. A mid-sized US contact center running 50,000 outbound dials a month, with even a 2% bad-consent rate, is one plaintiff firm away from a class certification number that ends in eight zeros. Per-call statutory damages start at $500, treble to $1,500 for willful conduct, and there's no cap. We've watched US operators we never thought were exposed end up writing nine-figure checks because a vendor's dialer kept calling reassigned numbers and nobody noticed for six months.

This piece walks through the actual math behind TCPA penalties, the US settlements that set the benchmark, the four scenarios that produce the biggest payouts, and how a properly consented payment-call workflow neuters the risk. We've sat in on enough plaintiff depositions to know which evidentiary holes get exploited and which don't. If you want the wider pillar view first, our TCPA compliance guide covers the framework before this dives into the dollar figures.

What TCPA penalties actually cost per violation#

The statutory damages framework under 47 U.S.C. § 227(b)(3) is brutally simple. A private plaintiff who proves a TCPA violation recovers either their actual monetary loss or $500 per call, whichever is greater. If a court finds the defendant knew or should have known the call was unlawful — the "knowing or willful" standard — damages treble to $1,500 per call. That's not a cap on aggregate exposure. It's a per-call number that multiplies across every dial, every text, every prerecorded ringback in the certified class.

The reason this turns into nine-figure settlements is the volume. Modern US dialer stacks place tens of millions of calls a year. If even 0.5% of those calls land on a number where consent can't be proved — a reassigned number, an opt-out the CRM didn't sync, a list pulled from a marketing partner without written authorization — you've got the building blocks of a class. The plaintiff doesn't have to prove individual harm. They just have to prove the call happened to a US wireless number without prior express written consent. The damages stack mechanically from there.

The benchmark case for what "stack mechanically" actually means is Wakefield v. ViSalus. A federal jury in Oregon found that ViSalus had placed roughly 1.85 million unconsented prerecorded calls to wireless numbers. At $500 per call, the resulting aggregate judgment was $925 million. The Ninth Circuit affirmed on liability but remanded on the question of whether the aggregate award violated due process — ViSalus settled in 2023 rather than continue litigating. The point that frightens compliance teams: the jury didn't have to find willful conduct. The negligence-tier $500 floor, multiplied by 1.85 million calls, was enough to produce a near-billion-dollar number.

Two pieces of context matter. First, the FCC's Reassigned Numbers Database (and the safe harbor that comes with checking it) doesn't eliminate exposure — it just shifts the negligence calculus. If you didn't query the database before the call, you have no safe harbor, and US plaintiffs argue the failure is itself willful. Second, state mini-TCPAs in Florida, Oklahoma, Washington and Maryland stack on top of the federal claim. Florida's FTSA in particular has produced multi-million-dollar settlements off small-volume conduct because it allows $500 statutory damages on telemarketing texts to in-state residents regardless of federal preemption arguments.

Why US class action settlements end at numbers that look like phone numbers#

Three forces drag US TCPA settlements upward: certifiability, settlement pressure, and insurance. Certifiability is high because the class is mechanical — every wireless number on the dial list is either consented or it isn't. The settlement pressure comes from the per-call statutory floor: even a defendant convinced they'll win at trial faces aggregate exposure that bankrupts the business if the jury comes back the wrong way. Insurance is uneven. Most US commercial general liability policies carve out TCPA explicitly, so the operator carries the loss directly on the balance sheet.

The benchmark US settlements anyone defending a TCPA case will quote back to you cluster around a few sizes. Below $10M sits the long tail of single-vendor, single-campaign cases — usually a marketing partner who text-blasted a list without verifying consent. The $20M to $75M band is where most mid-sized programs end up: a few months of bad practice across multiple campaigns, certified as a single nationwide class. Above $100M sits the catastrophic tier — Capital One ($75.5M in 2014), Caribbean Cruise Line ($76M), Wells Fargo ($30M), Bank of America ($32M), and Dish Network (over $200M after the FTC and state AG actions stacked on the private class) — where the dial volume measured in the tens of millions and conduct stretched across years.

What gets people to the catastrophic tier isn't always intent. It's the failure to fix a known issue. Dish's record didn't come from one bad campaign — it came from continuing to use a marketing vendor after multiple warnings that the vendor was dialing without proper consent. Plaintiffs don't need to prove malice. They just need to prove the operator was on notice and kept dialing.

The four worst-case scenarios that produce the biggest payouts#

From the cases we've reviewed and the depositions we've sat through, four patterns produce the worst outcomes. Each one has a clean technical fix that, in our experience, most US operators don't realize is available until they're already in litigation.

Scenario one: the reassigned-number pile-up

A wireless number that was once held by a consenting customer gets returned to the carrier pool and reissued to a different consumer. Your dialer, working from a list that was clean two years ago, keeps calling. The new holder of the number complains, joins a class, and discovers tens of thousands of other reassigned numbers in your call history. The settlement is calculated against every one of those calls at the $500 statutory floor — often more than the customer lifetime value of the original consenting account. Capital One's $75.5M settlement is the canonical example: a pre-RND case where the bank had valid consent from original cardholders, those numbers were reassigned, and the bank kept dialing.

The technical fix is the FCC's Reassigned Numbers Database, queried before every campaign, with the safe harbor evidence trail preserved. Operators that pull from the RND and document the timing of the pull have a near-bulletproof affirmative defense. Operators that don't are sitting on liability that compounds every month they keep dialing.

Scenario two: consent that isn't actually express or written

This is the most common failure pattern we see in US payment operations. The operator believes they have consent because the customer entered a phone number on a web form or signed a contract that mentioned "communications". But the FCC's rules under 47 C.F.R. § 64.1200(f)(9) require that prior express written consent for telemarketing calls using an automated dialer or prerecorded voice must be in writing, must clearly authorize the specific seller to deliver telemarketing messages, must identify the phone number authorized, and must be obtained without conditioning a purchase on it. A check-box at the bottom of a checkout flow that says "I agree to be contacted about my account" isn't express written consent for telemarketing — it's transactional consent, which is a different and narrower thing.

The fix is to design the consent capture as a distinct, channel-specific opt-in for marketing communications, with the disclosure language matching the FCC's safe harbor wording. We cover this in detail in our guide to TCPA consent for payment calls — the consent record needs to capture the IP, timestamp, exact language shown, and the wireless number consented, otherwise it's evidentiary noise that won't hold up against a motion to compel.

Scenario three: the marketing partner you didn't vet

Affiliate-sourced lead generation is a leading cause of TCPA exposure for US businesses that don't dial themselves. The principal-agent relationship under federal common law (and the FCC's 2013 guidance) means the seller can be held vicariously liable for TCPA violations committed by an affiliate if the affiliate was acting within the apparent scope of authority. Dish Network's $280M combined exposure came largely from third-party retailers dialing under Dish's brand. US operators routinely sign affiliate agreements that include a one-line indemnity and assume that's the end of it. It isn't. Plaintiffs name the principal because the principal has the deeper pockets, and US courts increasingly find vicarious liability where the principal accepted the leads, paid for them, and used them to dial.

The fix is a vendor due diligence package that includes: pre-contract review of the affiliate's consent capture process, a contractual requirement to maintain consent records for at least four years, audit rights, and ongoing monitoring. Most operators do step one and stop. The contractual paper without ongoing monitoring is what lets vicarious liability through.

Scenario four: the auto-redial that wasn't authorized

A US agent talks to a customer about an outstanding balance. The customer agrees to a payment plan and gives their card details. The CRM saves the card and the phone number and flags the account for a follow-up call in 30 days. The follow-up dial is placed by an autodialer — and the TCPA's definition of an "automatic telephone dialing system" still catches systems that use a sequential or random number generator to produce or store numbers, per the Supreme Court's 2021 Facebook v. Duguid decision. If the call is marketing — for example, "we noticed you've made a payment, would you like to upgrade your plan?" — the consent the customer gave for the original payment call doesn't cover it.

The fix is to bifurcate the consent capture: transactional consent for the payment confirmation call, separate express written consent for any follow-up that includes a marketing element. Most US contact center platforms don't expose this distinction cleanly, which is why so many programs end up commingling the two and assuming the customer has consented to everything.

How payment calls fit into the TCPA framework#

Payment calls sit in a genuinely complicated part of the TCPA. Calls that exist purely to collect on an existing debt — "your statement shows an outstanding balance, here's how to pay" — are generally treated as transactional, not telemarketing. The FCC's 2015 Order on debt collection calls confirmed that calls made for the purpose of servicing or collecting a debt aren't subject to the prior express written consent requirement that applies to telemarketing, though they still need at least prior express consent (oral or written) to a wireless number when an autodialer or prerecorded voice is used.

The complications start when the payment call carries any commercial uplift — a cross-sell, a renewal offer, a payment plan upgrade. The moment a payment call includes a marketing element, the FCC treats it as a dual-purpose call, and the entire call falls under the more restrictive prior express written consent standard. That's where so many US operators get caught: they design the call flow assuming it's transactional, the agent goes off-script and pitches a product, and the recording becomes the smoking gun in a class action. Bank of America's $32M settlement in 2014 (Rose v. Bank of America) turned on exactly this pattern — calls that were nominally for account servicing but that the bank's own scripts allowed to slide into product promotion.

The architectural fix is a payment-call workflow that's incapable of marketing pitch by design. The agent's interface for collecting payment should be locked to the transaction — confirm balance, confirm payment method, capture card via channel separation, confirm authorization. Marketing offers should require a separate, time-boxed module with its own consent gate. Our TCPA-compliant payment IVR piece walks through how an automated IVR can deliver this cleanly without an agent in the loop.

What Wakefield v. ViSalus teaches every US payment operation#

The Wakefield numbers are worth walking through carefully because they show how the mechanics produce a result that's frightening even to seasoned compliance leaders. ViSalus, a multi-level marketing company selling weight-loss products, ran a prerecorded-voice campaign through 2012-2013 that placed roughly 1.85 million calls to wireless numbers without prior express written consent. The plaintiff, Lori Wakefield, certified a class on behalf of every recipient of those calls. The jury found liability — not willfulness, just liability — and the math did the rest: 1.85 million calls multiplied by $500 equals $925 million.

ViSalus's defense on appeal pivoted to a due-process argument: that an aggregate award of nearly a billion dollars for conduct that produced no actual harm violated the Fifth and Fourteenth Amendments under the St. Louis, I.M. & S. Ry. Co. v. Williams line of cases. The Ninth Circuit took the argument seriously enough to remand for reconsideration of the aggregate award, but it did not disturb the per-call statutory damages calculation. ViSalus settled in 2023 rather than test what the remand would produce. The message for US payment operators is clear: a $500 per-call floor multiplied by ordinary contact-center volume produces existential numbers, and the constitutional due-process backstop is theoretical, not reliable.

The second lesson is about discovery posture. ViSalus's records weren't strong enough at trial to disaggregate calls that might have had valid consent from those that didn't. Once a class is certified and the dial logs are produced, the defendant carries the burden of proving consent for each call. If your records can't prove it call-by-call, the plaintiff's aggregate calculation stands. This is why our consent schema for US clients captures the eight evidence elements per number and ties them to a CRM identifier — when the subpoena lands, the export is mechanical, not reconstructive.

State mini-TCPAs stack on top of federal exposure#

Federal TCPA isn't the only statute in play. Four states have enacted mini-TCPAs that create additional, stackable private rights of action, and the Florida Telephone Solicitation Act (FTSA) has produced more class action filings since 2021 than any other state-law telemarketing statute. The FTSA's text-message provisions are particularly aggressive — $500 statutory damages per text, no requirement to prove harm, and a presumption of intent that's hard to rebut without contemporaneous consent records.

Florida courts have generally rejected federal preemption arguments, so an FTSA claim runs in parallel to the federal TCPA claim and the damages don't offset. Settlements involving Florida residents now routinely allocate a separate FTSA tranche because the per-text statutory damages on Florida wireless numbers exceed the federal TCPA's per-call damages for the same conduct. Washington's CEMA, Maryland's MTCPA, and Oklahoma's TCPA all add similar exposure on smaller volumes.

For US operators, the practical implication is geography-aware consent capture. Texts to Florida numbers need FTSA-grade consent. Calls to Washington numbers need CEMA-compliant disclosures. The federal-only consent flow that most CRMs ship out of the box leaves operators exposed to state claims that the federal compliance work doesn't cover.

How channel-separated payment capture changes the TCPA math#

The reason we built our US payment platform around channel separation isn't just PCI scope reduction — it's the way it changes the TCPA evidentiary picture. When a US customer calls your inbound line and pays via DTMF that the agent can't hear, three things happen at once. The call is inbound, not outbound, so the TCPA's autodialer and prerecorded voice rules don't apply. The transaction is unambiguously payment-related, so it falls into the transactional safe harbor rather than the telemarketing rules. And the recording — which is where most "smoking gun" evidence comes from in US TCPA litigation — contains no card data and no marketing pitch, just the transactional confirmation.

The outbound payment-reminder call is harder. Even on a transactional basis, if you're using an autodialer or prerecorded voice into a US wireless number, you need prior express consent. The architectural answer is to design the dial-out flow as a payment IVR rather than an agent call: the customer answers, the IVR identifies the call as a payment reminder, offers an opt-out for future calls, and routes them straight to a secure DTMF capture if they want to pay. No agent, no marketing, no cross-sell pressure. The TCPA risk profile is fundamentally smaller because the call has one purpose and the system can prove it.

For inbound payment calls, the take card payments over the phone workflow we run keeps agents and recordings clear of cardholder data and clear of marketing speech. For outbound, the IVR payments module handles dial-out scenarios with a fixed, auditable call script that can't drift into telemarketing.

Capital One $75.5M — anatomy of a pre-RND reassigned-number case#

Capital One's 2014 settlement covered TCPA claims arising from collections calls placed to cell phones via predictive dialer technology between 2007 and 2014. The class included anyone who received a call where the underlying consent had been given by a prior holder of the number — the canonical reassigned-number pattern. The case settled for $75.5 million, which at the time was the largest TCPA settlement on record.

What made Capital One pay rather than fight was the structural certainty of the class certification. Every wireless number on the dialer list either had a chain of consent traceable to the current subscriber or it didn't. The bank's CRM couldn't reliably distinguish between the two because it had no mechanism for catching reassignments. When the FCC's Reassigned Numbers Database launched in November 2021, it was largely a response to the pattern Capital One had paid to litigate seven years earlier. US operators dialing in 2026 without an RND query in the pre-call pipeline are choosing to relitigate exactly that pattern — and there's no longer a sympathy argument about "the database didn't exist yet."

For payment operations, the practical takeaway is that the RND query has to be wired into the dialer's pre-call validation, not run as a monthly batch against a static list. The safe harbor attaches at the moment of the query relative to the call. If your dialer pulls a list, queries the RND, and then dials a week later, the safe harbor on calls placed days after the query is at best uncertain. Same-day or same-hour query-and-dial is the defensible posture.

A note on cost. Per-query pricing through authorized RND resellers runs in the range of fractions of a cent at high volume to a few cents at lower tiers. A US contact center placing 100,000 outbound payment-reminder calls a month is looking at low-four-figure annual cost for full RND coverage. That's against a per-call statutory damages floor of $500. The cost-benefit math doesn't have a wrong answer. The operators we see skip the integration are the ones who later spend seven figures defending discovery requests that the RND log would have closed in a paragraph.

The evidence trail that wins TCPA cases#

The single most important thing a US operator can build is the consent evidence trail. Not the policy that says you collect consent — the actual records that show, for each specific phone number, when consent was captured, what the customer saw, what they agreed to, and which CRM event represented that agreement. Plaintiffs win TCPA cases when the defendant can't produce this record at the level of granularity required.

The minimum data set we tell US operators to maintain for every wireless number consented:

The exact phone number consented (E.164 format, including +1 country code). The timestamp of consent capture (ISO 8601 with timezone). The IP address from which consent was submitted, or the recording reference if oral. The exact disclosure language the customer saw or heard at the moment of consent, stored as a snapshot, not a reference. The product or service the consent covers. The channels the consent covers (voice, SMS, prerecorded, autodialer). Any opt-out events with their timestamps. And the customer-facing identifier that ties the consent to a CRM account.

This is more than most US CRMs capture by default, which is why so many TCPA defenses collapse during discovery. The defendant can produce a record that "Customer A consented at 2:14pm on March 18", but can't produce the exact wording of the disclosure shown on the consent screen at that timestamp. Without that, the plaintiff argues the consent was defective and the per-call damages start stacking from the first dial.

What insurance won't cover and why that matters#

TCPA exclusions in US commercial general liability and errors-and-omissions policies are now the industry default. The 2016 case Penn-America Insurance v. Peccadillo (and the wave of similar rulings that followed) confirmed that most CGL policies exclude TCPA claims because the alleged harm — invasion of privacy via unwanted communication — isn't "bodily injury" or "property damage" as defined in the policy. E&O cover is patchier, but most US carriers now write explicit TCPA carve-outs.

What this means commercially: US TCPA settlements are paid from operating cash flow, not from an insurance pool. A $30M class action settlement is a $30M hole in the balance sheet, not a deductible. This is the part finance teams typically don't understand until they're staring at the demand letter. The cost of building a properly consented payment-call workflow — let's call it $50K to $200K of platform and process spend — is rounding error against a single eight-figure settlement.

If your business runs significant outbound payment-reminder volume, ask your broker for the specific TCPA endorsement language in your current policies. Most US operators are surprised to find they're carrying the risk fully self-insured.

What the FCC's 2024-2025 rule changes mean for payment calls#

Two FCC rule changes are worth tracking. The first is the one-to-one consent rule, finalized in December 2023, which (when it takes effect — it's been subject to litigation and partial stays) requires that prior express written consent for marketing calls cover only one identified seller per consent. The era of bundled consents that authorize "our partners and affiliates" to call is ending. US operators who rely on lead-generation partners with multi-seller consent disclosures need to redesign the consent capture before the rule's enforcement window closes.

The second is the FCC's continued tightening of the autodialer definition and its push on robocall mitigation generally. STIR/SHAKEN call authentication isn't a TCPA defense in itself, but failure to participate in the framework is increasingly cited as evidence of bad faith. A US operator placing outbound payment calls in 2026 without STIR/SHAKEN-signed traffic looks negligent to a court that's seen the rest of the industry sign their dial-out for years.

Our broader comparison of TCPA versus FCC robocall rules walks through where the two regimes overlap and where they diverge — worth reading before any redesign of an outbound dial program.

How we approach TCPA compliance for our US contact center clients#

When a US contact center comes to us to take a payment platform live, the TCPA conversation runs in parallel with the PCI conversation. We don't take a view on the call list itself — that's the operator's commercial decision — but we do bake three things into every deployment. The first is a payment-call workflow that's locked to the transaction, with marketing pitch separated into a different module behind its own consent gate. The second is a consent record schema that captures the eight data points listed above, written to the CRM at the moment of consent capture, with the exact disclosure text snapshotted at that timestamp. The third is an outbound dial flow built around payment IVR rather than agent dials, with STIR/SHAKEN signing, RND query logging, and automatic suppression of any number that's appeared on an opt-out list within the last four years.

None of this is hard once the architecture is in place. The expensive part is doing it after the fact, in the middle of US class action discovery, when the records that should have existed for the last 36 months don't exist and the operator is reconstructing consent capture flow from screenshots taken by a paralegal. Build it once, correctly, at the start of the payment program.

How TCPA exposure interacts with PCI scope#

One of the architectural decisions we push hardest on is keeping the TCPA fix and the PCI fix on the same platform. Operators sometimes design the consent-capture layer separately from the payment-capture layer, which creates a brittle hand-off where consent records live in one CRM and the payment record lives in another. When discovery hits, the two records don't reconcile cleanly and the defendant ends up producing inconsistent timelines. Our recommendation is to make the payment platform itself the source of truth for the consent attached to the payment — every authorized charge ties back to the consent that authorized the underlying call, and the chain is provable on a single timeline.

The PCI side of this matters too. A US contact center that's already reduced its PCI scope by 95% through channel separation has, as a side effect, dramatically reduced the surface area where a recording could contain card data. That same architectural decision — agents can't hear the digits, recordings can't capture them — also means that recordings, if subpoenaed in a TCPA case, contain only the conversational portion of the call. The card data isn't there to be discovered. Our DTMF masking setup achieves both outcomes simultaneously: PCI scope reduction and a cleaner evidentiary record for any TCPA discovery.

What a defensible US payment-call program looks like in 2026#

If we were standing up a US payment contact center from scratch in 2026, the design would look like this. Inbound payment calls only, by default. Outbound dial reserved for genuinely transactional reminders, placed via a payment IVR with STIR/SHAKEN signing and pre-call RND lookup. Consent capture as a first-class workflow with the eight-point evidence record, tied to the customer-facing identifier and the wireless number consented. A payment-capture layer based on channel separation, so agents and recordings stay clear of card data and clear of marketing speech. Marketing pitch in a separate module behind its own consent gate, with the disclosure language matching the FCC safe harbor wording. State-aware consent handling for Florida, Washington, Maryland and Oklahoma residents. A four-year retention floor on consent records and call recordings, mapped to the longest applicable statute of limitations.

That's the defensible posture. Most of the US operators who end up in nine-figure settlements got there because one or two of those components were absent, not because the whole framework was broken. The compounding nature of per-call damages means a single weak link can produce class-action exposure that's existential.

Next steps#

If you're running US payment calls without provable, channel-by-channel express consent records — or if your outbound dial volume has grown faster than your compliance evidence trail — the cheapest fix is to design it right before the first plaintiff letter arrives. Get in touch for a consent-architecture review against your current call flow, or book a working demo and we'll show you how channel-separated payment capture plus a payment-IVR dial-out flow reshapes the TCPA risk picture for a real US contact center program.