Cold Calling Laws: Everything Your Sales Team Needs to Know in 2026
Most cold calling compliance guides are already outdated. The FCC clarified in 2024 that AI-generated voice calls are treated like "artificial or prerecorded voice" calls under the TCPA, consent revocation rules changed effective April 11, 2025, and states like Connecticut and Texas added exposure that can rival federal penalties. If your team is still operating on 2023-era compliance training, you're exposed.
Let's break down every cold calling law - federal and state - that governs outbound dialing right now.
Is Cold Calling Legal?
Yes. Cold calling is legal in the United States, but it's regulated by three federal frameworks and a growing patchwork of state telemarketing laws. TCPA litigation surged nearly 95% compared to the prior year, and 2025-2026 brought some of the strictest enforcement yet. Here's everything that governs every outbound dial your team makes.
Three Federal Telemarketing Laws
| Law | What It Covers | Key Penalty |
|---|---|---|
| TCPA | Consent for calls/texts to mobiles | $500-$1,500/violation |
| TSR | Telemarketing practices, disclosures | Up to $50,120/violation |
| National DNC | Do-not-call list compliance | Up to $50,120/violation |
TCPA (Telephone Consumer Protection Act) is the big one. It requires prior express written consent (PEWC) for automated or prerecorded marketing calls and texts to mobile numbers, and for prerecorded marketing calls to landlines. Live calls from a human dialing manually don't require PEWC, but they still must respect DNC lists and calling hours - 8 a.m. to 9 p.m. in the recipient's local time zone. The TCPA also allows private lawsuits, and class-action TCPA suits are the primary financial risk for sales teams because a single campaign touching thousands of numbers can generate seven-figure exposure overnight.
The TSR governs telemarketing broadly, requiring disclosures, prohibiting misrepresentation, and setting DNC compliance rules for consumer calls. B2C telemarketing records must now be kept for 5 years (up from 2).
The National DNC Registry is operationally simple but unforgiving. You must scrub your call lists against the registry at least every 31 days. An existing business relationship exempts you for 18 months after a transaction or 3 months after an inquiry - but that's a DNC concept, and it doesn't replace TCPA consent rules for autodialed or prerecorded marketing to mobile numbers.
Here's the consent distinction that trips up most teams:
| Consent Type | Required For | How Obtained |
|---|---|---|
| PEC (Prior Express Consent) | Informational autodials | Oral or implied |
| PEWC (Prior Express Written Consent) | Marketing autodials/prerecorded | Written/electronic signature |
What Changed in 2024-2026
AI voice calls now require PEWC. In February 2024, the FCC ruled that AI-generated voices qualify as an "artificial or prerecorded voice" under the TCPA. If your team is experimenting with AI voice agents for outbound, the same robocall consent rules apply. No shortcut.
The one-to-one consent rule was scrapped. The anticipated rule - which would have required separate consent for each individual seller - was struck down before it took effect in January 2025. Existing consent frameworks remain in place, so if you restructured your consent flows in anticipation, you can relax on that front.
Consent revocation got stricter. As of April 11, 2025, consumers can revoke consent by any reasonable means - not just texting "STOP." Your team has 10 business days to honor the opt-out. You're allowed one confirmation text within 5 minutes, but it can't contain any marketing. If the consumer doesn't specify scope, assume the opt-out covers everything. A broader provision requiring opt-outs to apply across all message types and business units takes effect April 11, 2026 - plan for it now.
TSR misrepresentation rules now cover B2B. The FTC expanded the TSR's prohibition on false or misleading statements to business-to-business telemarketing. The DNC provisions still don't apply to B2B, but you can't misrepresent your product, pricing, or identity on any call.
Consumer telemarketing recordkeeping expanded to 5 years. For B2C telemarketing, call detail records, consent documentation, and opt-out requests must now be retained for 5 years under the updated TSR. This includes copies of consent language presented and consent captured. The expansion doesn't apply to B2B-only operations, but we'd still recommend keeping thorough records - they're your best defense if a call is ever disputed.
Calling reassigned numbers is a $50K+ liability per dial. Prospeo refreshes its 125M+ verified mobile numbers every 7 days - not every 6 weeks - so your SDRs reach the right person at the right number.
Stop dialing blind. Start dialing verified numbers at $0.01 each.
B2B Cold Calling: What's Actually Exempt
The B2B exemption is the most dangerous myth in outbound sales. Here's what it actually means: the TSR's DNC provisions don't apply to B2B calls, and live calls to business landlines don't require prior consent under the TCPA. That's it.
Here's the thing: the moment your SDR autodials or sends a prerecorded message to a mobile number, TCPA consent rules apply - regardless of whether it's a B2B context. And now, the TSR's misrepresentation prohibition covers B2B too.
The scenario that creates the most exposure is painfully common. Your SDR cold-calls a reassigned number. The new owner is on the DNC list. That's a potential $50,120 penalty per call. The "it's a business call" defense doesn't help when the number now belongs to a consumer. We've seen teams assume B2B exempts them from everything. It doesn't, and the fines don't care about your intent.
What Counts as an Autodialer?
The Supreme Court narrowed this significantly in Facebook v. Duguid (2021). An automatic telephone dialing system (ATDS) under federal law must use a random or sequential number generator. Dialers that only call from stored lists generally fall outside the federal ATDS definition after Duguid.
That's the federal picture. Some state mini-TCPAs use broader definitions, so don't assume Duguid protects you everywhere. California, for instance, has historically interpreted autodialer definitions more broadly than the federal standard.
State Regulations Beyond Federal Rules
Federal telemarketing compliance is the floor, not the ceiling. These states have added rules that catch teams off guard:
| State | Key Provision | Penalty/Requirement | Effective |
|---|---|---|---|
| Texas (SB 140) | Texts = "telephone solicitation" | $200 fee + $10K security bond | Sept 2025 |
| Virginia (SB 1339) | 10-year text opt-out | 8 a.m.-9 p.m. hours | Jan 2026 |
| Connecticut (SB 1058) | PEWC for any "telephonic sales call" | Up to $20,000/violation | Active |
| Georgia (SB 73) | No damage caps; vicarious liability | No cap on damages | Active |
| Maine (LD 2234) | Requires FCC RND check | Safe harbor tied to RND | Active |
Connecticut is the one that surprises people most. PEWC for any telephonic sales call - not just autodialed ones - with a 9 a.m. to 8 p.m. calling window and $20,000 per violation. If your team calls nationally, you need state-level compliance review, not just a federal checklist.
Look, if your average deal size is under $15K, a single Connecticut violation wipes out the revenue from that account. Most teams would be better off excluding non-compliant states from their call lists entirely rather than risking it with an incomplete compliance program. The consensus on r/sales threads about cold calling compliance is blunt: "just skip the states you can't handle." It's not bad advice.
Compliance Checklist for 2026
In our experience, the teams that get fined aren't making illegal calls on purpose - they're the ones with stale data and no system for keeping it clean. Here's the operational checklist:
- Register with the National DNC Registry and scrub your lists every 31 days.
- Document consent type (PEC vs. PEWC) for every contact before dialing.
- Restrict calling hours to 8 a.m.-9 p.m. local time (9 a.m.-8 p.m. in Connecticut).
- Honor opt-outs within 10 business days by any method the consumer uses.
- Keep all call records - consent documentation, opt-out requests, call logs - for 5 years.
- Check state registration requirements before calling nationally. Texas now requires a $10,000 security bond and a $200 filing fee.
- Verify contact data before dialing. Stale data means reassigned numbers, and reassigned numbers mean DNC violations. Prospeo refreshes contact records every 7 days with 98% email accuracy and 5-step verification - because calling a reassigned number isn't just a wasted dial, it's a potential $50,120 penalty.
Skip steps 1-6 at your own risk. But step 7 is the one we see teams ignore most often, and it's the one that generates the ugliest surprises.
B2B exemptions won't save you if your data is stale. Prospeo's 7-day refresh cycle and 98% email accuracy keep your outbound compliant and connected - no reassigned numbers, no dead contacts.
Clean data is your best compliance defense. Build your list now.
FAQ
Can you cold call a business phone number?
Yes. The TSR's DNC provisions don't apply to B2B calls, and live calls to business landlines don't require TCPA consent. B2B telemarketing regulations still prohibit misrepresentation under the updated TSR, though, and autodialed or prerecorded calls to mobile numbers require consent even in B2B contexts.
What are the penalties for violating cold calling laws?
Federal TCPA violations carry $500 per call, or $1,500 if willful. DNC violations can reach $50,120 per incident. State penalties vary - Connecticut charges up to $20,000 per violation, and Georgia has no damage cap at all. One bad campaign can generate six- or seven-figure exposure before you even know there's a problem.
Are AI cold calls legal?
Only with prior express written consent. The FCC ruled in February 2024 that AI-generated voices are robocalls under the TCPA. There's no gray area here - if the voice isn't a live human, you need PEWC.
How often must I scrub against the DNC list?
At least every 31 days. The National Do Not Call Registry requires regular list scrubbing, and using data older than 31 days exposes you to $50,120-per-violation penalties. Pair DNC scrubbing with a data provider that refreshes records weekly to minimize reassigned-number risk.
What if someone revokes consent mid-campaign?
As of April 2025, you have 10 business days to honor any opt-out request, delivered by any reasonable means. You can send one confirmation text within 5 minutes, but it can't include marketing content. If the person doesn't specify what they're opting out of, treat it as a blanket revocation. Starting April 2026, opt-outs must be honored across all message types and business units automatically.