TCPA vs FCC Robocall Rules — How They Overlap

Last updated: 29 May 2026

If you've been searching for "TCPA vs FCC" trying to work out which one applies to your business, here's the short answer: both do, and they're not in conflict. The Telephone Consumer Protection Act (TCPA) is the federal statute. The Federal Communications Commission (FCC) is the regulator Congress put in charge of writing the actual robocall rules and enforcing them. The FTC then layers its Telemarketing Sales Rule on top of that for any call that fits the "telemarketing" definition. We've helped US contact centers work through this stack, and the framing trips people up constantly — so let's untangle it.

TCPA vs FCC: the statute and the regulator are not the same thing#

The Telephone Consumer Protection Act became law in 1991. It's a piece of federal legislation — a few thousand words long, codified at 47 U.S.C. § 227. It sets out the big-ticket prohibitions: no autodialed or prerecorded calls to mobile numbers without prior express consent, no prerecorded telemarketing to residential lines without prior express written consent, and a private right of action that lets consumers sue for $500 to $1,500 per violation. That's it. The statute itself is short.

The FCC is the regulator. Congress wrote into the TCPA that the FCC would "prescribe regulations to implement the requirements" of the Act. So the actual operational rules — what counts as an autodialer, how prior express consent has to be captured, the timing windows, the opt-out language, the identification requirements — sit in the Code of Federal Regulations at 47 CFR § 64.1200. The FCC also issues declaratory rulings, fines, and enforcement actions. When you read about a $300 million TCPA fine, that's the FCC swinging the enforcement bat, not Congress.

Why does this matter for your compliance work? Because pointing at the statute alone isn't enough. The FCC updates the rules. In 2024 alone they tightened the one-to-one consent rules, closed the lead-generator loophole, and moved on AI-generated voice calls. If you only read the 1991 text, you'll miss thirty-plus years of regulatory evolution that's now baked into how the law actually works.

What the TCPA statute actually says#

Strip the TCPA down to the parts that affect payment calls and you get four operative prohibitions. First, no autodialed or artificial-voice calls to mobile numbers without prior express consent. Second, no prerecorded telemarketing calls to residential numbers without prior express written consent. Third, no unsolicited fax advertisements. Fourth, the National Do Not Call (DNC) Registry restrictions, which the FCC and FTC jointly administer.

The statute also creates the private right of action that drives most of the TCPA litigation industry. Any consumer who receives a non-compliant call can sue for statutory damages of $500 per violation, trebled to $1,500 if the violation is willful or knowing. There's no cap, and class actions are routine. Plaintiffs' firms have built entire practices around scraping call records and filing TCPA class complaints — that's why the cost of a small consent mistake can quickly run into the millions. We covered the scale of this in TCPA penalties: worst-case scenarios.

One thing the statute does not do is define "autodialer" with precision. The 2021 Supreme Court ruling in Facebook v. Duguid narrowed the definition considerably — but the FCC has continued to issue guidance that effectively expands it back out for other technologies. So the practical scope of what counts as a regulated call keeps shifting, and it shifts through FCC rulings, not statutory amendment.

The TRACED Act — Congress giving the FCC more teeth#

Any TCPA vs FCC analysis written before 2020 misses the most important shift in the law since 1991: the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, signed by President Trump in December 2019 and known as the TRACED Act. It didn't replace the TCPA — it sat on top of it and handed the FCC a much sharper enforcement toolkit.

Three things the TRACED Act changed that matter to payment-call operations. First, it raised the maximum per-call FCC forfeiture from $1,500 to $10,000 for intentional violations of the robocall rules. So the FCC's headline fines stopped being aspirational and started reflecting genuine per-call multiplication on top of private TCPA damages. Second, it extended the FCC's statute of limitations for robocall enforcement from one year to four years, which is why FCC enforcement actions in 2024 and 2025 are still picking up campaigns from 2021. Third, and most consequentially, it mandated that all US voice service providers deploy the STIR/SHAKEN caller-ID authentication framework — a deadline that took effect in June 2021 and reshaped the entire dialer-reputation economy overnight.

The TRACED Act also created the FCC's Reassigned Numbers Database (launched November 2021) and required the agency to coordinate with state attorneys general through the Industry Traceback Group on cross-border robocall enforcement. So when people ask "why is the FCC suddenly so aggressive on robocalls?", the honest answer is that Congress told it to be and gave it the budget and statutory authority to follow through.

What the FCC actually does#

The FCC does three things that matter to anyone making payment calls. It writes the implementing rules in 47 CFR § 64.1200. It enforces those rules through its Enforcement Bureau, which issues citations, notices of apparent liability, and consent decrees. And it interprets ambiguous provisions through declaratory rulings — which often have the practical effect of changing what's compliant overnight.

The implementing rules are where the operational detail lives. The FCC's regulations specify, for example, that prior express written consent needs a clear and conspicuous disclosure, an unambiguous agreement, and a method that's not pre-checked. They define the calling-time window (8am to 9pm in the called party's time zone). They set out the identification requirements — your business name, a callback number, and the purpose of the call must all be stated. None of that detail is in the statute. It's all FCC regulation.

Enforcement is where the FCC really earns its reputation. Recent FCC fines in this space include $299.97 million against the Cox/Jones auto-warranty robocall ring in 2023 (the largest single TCPA fine in FCC history), $9.9 million against Steve Kramer's New Hampshire primary deepfake operation in 2024, and a steady stream of seven- and eight-figure penalties against telemarketers who ignored DNC rules. The FCC doesn't typically sue payment-collection contact centers, but it does cite them — and once cited, you're exposed to follow-on private litigation that uses the FCC findings as a roadmap.

The FTC's Telemarketing Sales Rule sits on top#

Here's the bit most TCPA-vs-FCC articles miss: there's a third layer. The Federal Trade Commission (FTC) enforces the Telemarketing Sales Rule (TSR), which overlaps with the TCPA but isn't the same thing. The TSR applies to telemarketing calls — calls trying to induce a purchase, donation, or investment. It covers DNC, abandoned calls, robocall restrictions, and disclosures.

For most outbound payment calls, the TSR doesn't apply directly — collecting on an existing debt isn't telemarketing. But if your call drifts into upsell territory ("while I have you, can I tell you about our extended warranty?"), you've now triggered the TSR as well. The penalties are substantial: civil penalties up to $51,744 per violation as of 2025, plus the FTC's redress powers under Section 19 of the FTC Act.

So when people ask "TCPA vs FCC", the honest answer is that they're missing the FTC, which is the third leg of the stool. For a deeper look at consent mechanics, our TCPA consent for payment calls guide breaks down which consent type covers which call type — because the answer is different depending on whether the FTC's TSR is in play.

How the overlap actually plays out for payment calls#

Let's run a concrete example. You're a US contact center handling collections for a utility client. You want to call a customer's mobile to take a payment over the phone. Here's the layered analysis you actually need to run.

The TCPA statute applies because you're calling a mobile number and you're using a dialer. The FCC rules tell you what consent you need — prior express consent is sufficient because this is an informational call (debt collection), not telemarketing. The FCC also tells you the consent has to be unambiguous and the call has to identify you, the purpose, and a callback number. The FTC's TSR generally doesn't apply because debt collection isn't telemarketing — unless your script slides into selling something. And the CFPB's Regulation F under the FDCPA layers in call-frequency caps (seven attempts per debt per seven days) that the TCPA itself doesn't impose.

If you instead want to robocall the same customer with a prerecorded reminder that their bill is due, the rules tighten. The FCC has historically allowed informational prerecorded calls to mobile numbers with prior express consent, but the lines have moved. The safer path for any prerecorded payment call is to treat it as if prior express written consent is required, especially after the 2024 one-to-one consent ruling that tightened how consent can be sourced.

And if your call hits a residential landline with a prerecorded message? Now you're in "artificial or prerecorded voice" territory, and the FCC's residential-line carve-outs apply. Some informational calls are allowed without consent — but a payment-due reminder probably isn't one of them once you cross the line into anything that sounds like solicitation.

Running outbound payment calls in the US and worried about TCPA exposure? Have a quick chat with us — we'll show you how channel-separated capture keeps the payment leg PCI-clean without poking holes in your TCPA posture.

The 2024 FCC rule changes everyone's still catching up on#

Three FCC rule changes in 2023-2024 reshaped how the TCPA works in practice, and most compliance teams haven't fully absorbed them yet.

The first is the one-to-one consent rule (FCC 23-107). From January 2025, prior express written consent has to be granted to one specific seller at a time. The old "lead generator" model — where a consumer fills out a form on a comparison site and that form lists 50 partner companies who can all call — is dead. Each seller now needs its own discrete consent. For payment-related calls, this means the consent you collected via a third-party lead form three years ago is almost certainly worthless now.

The second is the move on AI-generated voice. After the New Hampshire primary deepfake incident in January 2024, the FCC declared in February 2024 that calls using AI-generated voices fall squarely within the TCPA's prohibition on "artificial or prerecorded voice" calls. If you've been experimenting with AI voice agents for outbound payment chase, you now need the same prior express written consent you'd need for any other prerecorded telemarketing call.

The third is the call-blocking and STIR/SHAKEN expansion. The FCC has been progressively tightening the rules around caller ID authentication and the right of carriers to block suspected illegal robocalls. The TRACED Act of 2019 gave them that authority; subsequent FCC rulings have widened it. Calls flagged as "Spam Likely" aren't just an annoyance — they're a signal that your dialer is now competing against carriers' analytics. We covered the dialer-design implications in our TCPA-compliant payment IVR guide.

Who enforces what — the practical map#

If you ever get a notice, it helps to know which body sent it and why. The FCC's Enforcement Bureau handles direct rule violations and issues citations and notices of apparent liability. They focus on egregious robocall operations and gross compliance failures. The FCC also accepts and acts on consumer complaints — the consumer complaint portal feeds directly into enforcement triage.

The FTC handles TSR violations and works with state attorneys general on telemarketing enforcement. They run the National DNC Registry day-to-day. The CFPB enforces the FDCPA for debt collection calls and has taken a more active stance under Regulation F since 2021. State AGs have their own TCPA enforcement powers and have been increasingly active — Texas, Pennsylvania, Missouri, and New York have brought several high-profile actions in the last two years, often in coordination with the FCC's Robocall Response Team.

And then there's the private bar. The bulk of TCPA litigation isn't government-led — it's plaintiffs' firms filing class actions. They scrape call logs, find a few hundred potentially non-consented calls, and file a class complaint. The settlement value of a typical TCPA class action sits between $1 million and $5 million, and individual high-profile settlements have topped $75 million. Private litigation is the single biggest TCPA financial risk most contact centers face — bigger than the FCC, bigger than the FTC.

State-level TCPA equivalents that stack on top#

It gets worse. Several states have passed their own "mini-TCPA" statutes that go further than the federal law. Florida's Telephone Solicitation Act (FTSA), passed in 2021 and amended in 2023, was famously aggressive — though the 2023 amendments narrowed it considerably. Oklahoma's Telephone Solicitation Act (effective November 2022) has similar private-right-of-action mechanics and has produced a wave of class-action filings since enactment. Washington's WAC rules go beyond federal law on call frequency and consent. Maryland's Stop the Spam Calls Act took effect in January 2024.

For a multi-state US contact center, this means your TCPA compliance program needs a state-by-state overlay. The federal rules are the floor; individual states can and do raise the ceiling. Calls into Florida that are perfectly fine under the federal TCPA can still attract FTSA litigation if you don't meet the additional state requirements. And state mini-TCPAs typically define "autodialer" more broadly than federal law — which means they sidestep the Facebook v. Duguid narrowing entirely.

Practically, this is why we tell US clients to design their dialer consent flows around the strictest state's requirements rather than trying to apply different rules per call. The marginal cost of treating every call as if Florida-pre-2023-FTSA standards applied is small. The cost of getting it wrong is enormous.

How channel-separated payment capture interacts with TCPA and FCC rules#

This is where our world meets theirs. The TCPA and FCC rules govern whether you can make the call and what consent you need. They don't govern how you take payment once you're on the call. PCI DSS, not the TCPA, governs the payment-data side. But the two regimes interact in a couple of important ways.

First, your call recording becomes a TCPA evidentiary asset. If a customer ever disputes consent, the recording of your consent capture is your primary defense. That recording, by definition, contains the customer's voice — and if the agent has just taken card details by reading them aloud, the recording also contains cardholder data. Now you've created a record that's PCI-scoped (because it contains a PAN) and TCPA-scoped (because it documents consent). Both regimes demand you keep it; both impose different storage requirements.

Channel separation solves half of this elegantly. With DTMF masking, the customer keys their card details into their handset rather than reading them aloud. The agent never hears the digits, and the call recording captures only flat tones in place of the keypresses. The consent portion of the call is intact and admissible; the cardholder data never enters the recording. You meet both regimes' requirements without compromise.

Second, the FCC's identification requirements (callback number, business name, purpose) interact with how you brand your payment IVR. If a customer initiates payment by calling your IVR, the IVR needs to identify itself in the same way an agent would. We've seen plenty of self-service payment IVRs that pass PCI DSS audits with flying colors but quietly miss the TCPA identification rules — particularly the callback number requirement.

What this means for outbound payment chase campaigns#

Outbound payment chase is the use case where TCPA and FCC overlap most sharply. You're calling a customer who owes you money. Two questions you need to answer before you dial.

First, do you have prior express consent (or prior express written consent if the call is prerecorded or AI-voice)? If the consent came from a contract clause buried on page 14 of your service agreement, it's probably not unambiguous enough under current FCC standards. If it came from a third-party lead generator, after January 2025 it's almost certainly invalid. If it came from the customer giving you their mobile number specifically so you could contact them about their account, you're probably fine for non-prerecorded calls.

Second, are you treating the call as informational or telemarketing? Pure payment collection is informational. The moment you upsell, you're telemarketing — and now the FTC's TSR layers on, the consent bar goes up, and the National DNC registry filtering becomes mandatory. The cleanest answer is to keep payment chase calls strictly payment-focused. Resist the urge to wedge in a cross-sell. The compliance overhead isn't worth the upsell revenue.

If your campaigns rely on volume — thousands of outbound calls a day — invest in dialer logic that filters against the federal DNC, your internal DNC, the FCC's Reassigned Numbers Database, and the state-specific DNC lists. The RND was built for exactly this purpose; if you call a number that's been reassigned and you don't check the database, the safe-harbor defense doesn't apply.

Inbound and consented payment calls — the easier path#

The TCPA mostly doesn't apply to calls the customer initiates. If a customer dials your IVR to pay a bill, you don't need TCPA consent — they consented by calling you. The FCC's caller-ID and identification rules still apply (your IVR needs to identify itself, give a callback number, and state the purpose), but the autodialer and prerecorded-voice prohibitions are off the table.

This is why most contact centers trying to reduce TCPA exposure shift as much payment activity as possible to inbound and customer-initiated channels: IVR self-service, hosted payment pages linked via SMS (with the customer initiating the click), and web chat payments where the customer starts the session. The TCPA and FCC robocall rules largely fall away on these channels, and you're left with PCI DSS as the dominant compliance constraint — which is a much more solved problem.

The trade-off is that inbound-only campaigns convert less aggressively. If you've been running outbound chase that pulls 8-12% payment recovery and you switch to inbound-only, recovery rates typically drop to 3-5%. The economics need to work for your debt portfolio. For high-value accounts, agent-assisted outbound with bulletproof consent management is still the right answer; for lower-value books, inbound-only often wins on margin.

STIR/SHAKEN — the TRACED Act's most concrete legacy#

STIR/SHAKEN is the caller-ID authentication framework the FCC mandated under the TRACED Act for US voice carriers. The acronyms (Secure Telephony Identity Revisited / Signature-based Handling of Asserted information using toKENs) describe a cryptographic system that lets carriers verify that the calling number on a call hasn't been spoofed. Since June 2021, originating carriers in the US have been required to sign outbound calls with an attestation level (A, B, or C) indicating how confident the carrier is that the caller is who they claim to be.

For payment-collection contact centers, STIR/SHAKEN matters in two ways. First, your originating carrier needs to give you full A-level attestation for the calls to go through without being flagged. If your carrier only signs you with B or C attestation — which happens when the carrier can't verify your right to use a specific calling number — terminating carriers will often label your calls as "Spam Likely" in the recipient's caller ID display. We've seen US contact centers lose 30-40% of their answer rate overnight when their carrier downgraded their attestation level after a Robocall Mitigation Database audit.

Second, the FCC has progressively expanded carriers' authority to block calls they reasonably believe to be illegal robocalls. The TRACED Act gave them that authority; subsequent FCC rulings have widened it. So your campaigns aren't just fighting consumer suspicion — they're fighting carrier-side machine-learning models that look at call volume, answer rates, completion rates, and abandon rates to decide whether to block you preemptively. A high abandon rate (which the FCC's predictive-dialer rules limit to 3% in most cases) is one of the strongest signals carriers use to flag a dialer as abusive.

The fix is straightforward but operationally demanding. Work with a carrier that can give you A-attestation, register your calling numbers in the Robocall Mitigation Database, register with the Industry Traceback Group for cross-carrier disputes, monitor your answer and abandon rates daily, and respond fast to any carrier dispute. Several payment-focused contact centers now have full-time roles dedicated to dialer reputation — that's a reasonable cost of doing business in the US market in 2026.

Reassigned numbers — the silent TCPA risk#

Roughly 35 million US phone numbers get reassigned every year. A customer signs up with you in 2022 and gives consent to call their mobile. They cancel their carrier in 2024. Six months later, that number gets reassigned to a new customer who has no relationship with you and has never consented to your calls. You dial. They sue.

The FCC's Reassigned Numbers Database, launched in November 2021 under the TRACED Act mandate, was specifically built to solve this. It's a centralized national database listing every US mobile and landline number that's been disconnected and may have been reassigned. Callers who query the database before each call get a safe-harbor defense if they're sued — provided they were relying on consent given before the disconnection date and didn't know about the reassignment.

The catch is that querying the database is a paid service, and the cost adds up at scale. Per-query rates start around $0.0036 for high-volume callers via authorized resellers under contract with Somos Inc., the FCC-designated administrator. For a dialer pushing 100,000 calls a day, that's $360 a day or roughly $130,000 a year just to maintain the safe-harbor defense. Most US contact centers we work with build the lookup into their pre-call validation layer and treat it as a non-negotiable cost. The alternative — discovering after a few thousand calls that you've been dialing reassigned numbers — is much more expensive.

One nuance: the safe-harbor only protects you for calls made within a reasonable window of the database showing the number as not-disconnected. The queries need to be fresh, ideally on the same day as the call. Build that into your dialer architecture from day one, not as an afterthought.

Litigation patterns — what plaintiffs' firms actually do#

To defend a TCPA program effectively, it helps to understand how plaintiffs' firms build their cases. The pattern is consistent across the dozens of TCPA class actions we've reviewed for US clients.

Step one is acquisition. The plaintiffs' firm advertises directly to consumers ("Did you get a robocall? You may be entitled to compensation") or buys lead data from class-action aggregators. They aim to find a few hundred to a few thousand consumers who received calls from the same source and can credibly claim they didn't consent. Step two is discovery. They subpoena the defendant's call logs, dialer records, consent capture records, and CRM data. Step three is class certification. They argue the defendant's calling practices were uniform enough that all class members suffered the same alleged harm. Step four is settlement, almost always.

The defensive playbook is the inverse. You want your call logs to show that every call was tied to a documented consent record with a timestamp, source, IP address, and the exact disclosure language shown to the consumer. You want your dialer to demonstrate that you queried the Reassigned Numbers Database and the DNC registry before each call. You want your consent flow to be consistent and traceable — because every gap in the audit trail becomes another class-certification argument.

None of this is legal advice; talk to a qualified TCPA attorney for that. But the operational lesson is clear: build your consent infrastructure to be the strongest part of your dialer, not the weakest. Most contact centers still treat consent as a checkbox at the end of a sign-up form. The contact centers that survive TCPA litigation treat it as a versioned, auditable, regulated data asset.

Common consent capture mistakes that kill TCPA defenses#

Across the dozens of TCPA defense reviews we've sat in on, a handful of consent-capture mistakes show up over and over. Worth listing them so you can audit your own flow against the pattern.

Mistake one: bundling consent inside terms and conditions. If your sign-up flow has a single "I agree to the terms" checkbox that includes consent to receive calls buried in paragraph 47, that consent isn't "unambiguous" under FCC standards. The 2024 rules made this explicit — consent has to be clear-and-conspicuous and separately granted from other agreements. Pull it out into its own checkbox with its own disclosure.

Mistake two: pre-checked boxes. The FCC rules have always prohibited pre-checked consent boxes for prior express written consent. They've increasingly applied the same logic to prior express consent more broadly. Any default-on consent capture is a defensible-record problem waiting to happen.

Mistake three: failing to store the disclosure version. The disclosure shown to a consumer in 2023 may be different from the one shown in 2025. If you can't reproduce the exact disclosure that customer X saw on date Y, your consent record is incomplete. The fix is to version every disclosure and store the version reference alongside the consent timestamp.

Mistake four: assuming SMS consent covers voice calls. The two are legally distinct. Consent to receive payment-reminder text messages doesn't automatically include consent to receive payment-reminder phone calls. If you want both, ask for both — preferably as two separate checkboxes with two separate disclosures.

Mistake five: relying on a customer's verbal "yes" on a call to manufacture forward consent. Recorded verbal consent can satisfy prior express consent for non-prerecorded informational calls — but it doesn't satisfy prior express written consent for telemarketing or prerecorded calls. Verbal consent has a ceiling. Know where the ceiling is.

The PCI DSS interaction nobody talks about#

One more interaction that often gets missed: the way your TCPA consent storage policy interacts with PCI DSS data retention rules. PCI DSS v4.0.1 requires you to define and document data retention periods for cardholder data and have a justified business need for the retention. Most US contact centers set this at 12-18 months for call recordings.

TCPA litigation, on the other hand, can come three to four years after the call — the statute of limitations under the TCPA's private right of action is generally four years from the date of the call. So if you set your call-recording retention to 18 months to satisfy PCI DSS minimization, you may have deleted the consent evidence you'd need to defend a TCPA suit two years later.

The clean solution is to separate the consent evidence from the cardholder data. Channel-separated capture does this naturally: the consent portion of the call is recorded, the cardholder data portion isn't. You can then keep the consent recording for the full four-year TCPA window without violating PCI DSS minimization, because it doesn't contain PAN data. Without channel separation, you're stuck choosing between two compliance regimes' retention requirements — and usually picking the wrong one. We've seen this play out in litigation where the defendant had no consent recording because it had been deleted under PCI policy. The case settled for $11 million.

What we'd actually recommend#

If you're trying to build a defensible TCPA program for US payment calls, three concrete moves matter most. First, redesign your consent capture to meet the highest current standard — prior express written consent with one-to-one specificity, clear disclosure, no pre-checked boxes, and a stored record with all the metadata. Don't try to grandfather old consent. The 2024 rules effectively reset the clock.

Second, separate your call recording from your cardholder data capture. Channel-separated DTMF capture means the recording is admissible TCPA evidence without becoming a PCI liability. This is the work we do every day — see our TCPA compliance guide for how the pieces fit together.

Third, run an annual TCPA audit alongside your PCI assessment. Most contact centers audit PCI annually but treat TCPA as a one-time legal review. That's backwards. The FCC's rules move every twelve to eighteen months; PCI DSS has a four-year revision cycle. Your TCPA program is more likely to be out of date than your PCI program, not less.

Next steps#

If you're running US payment calls and want a TCPA-aware capture platform that also handles PCI DSS scope reduction, we'd be glad to walk you through the architecture. Book a call with us and we'll show you how channel-separated capture fits into a defensible TCPA program — or if you want to see the capture mechanism in action first, try the live demo. It takes about three minutes and shows exactly how the agent never hears card details while the consent portion of the call stays fully recorded and admissible.