Is Cold Calling Legal? U.S. Rules, TCPA/TSR + Checklist (2026)

Is cold calling legal in the U.S.? Yes - if you follow TCPA/TSR/DNC rules. Learn consent, hours, recording laws, and a 2026 checklist.

Is cold calling legal in the U.S.? (2026 rules, explained)

Cold calling's legal in the U.S. Most teams still get themselves in trouble.

Not because they "cold called." Because they called the wrong person at the wrong time, ignored an opt-out, or let a dialer behave like a robocall machine.

Here's the angle that actually keeps you safe: treat outbound like an ops system (rules + logs + suppression), not a vibes-based activity where reps "try to do the right thing."

What you need (quick version)

  • Call only during the legal window: 8 a.m. to 9 p.m. local time for the person you're calling. Build timezone logic into your dialer - don't trust reps to eyeball it.
  • Scrub against the National Do Not Call (DNC) Registry every 31 days and document it. The FTC's DNC site spells out the mechanics and subscription flow: https://telemarketing.donotcall.gov/
  • Maintain an internal (company-specific) DNC list and honor it immediately. If someone says "don't call me again," you stop--even if you think you have an established business relationship (EBR).
  • Use the right "rulebook": TSR (telemarketing conduct), TCPA (calling tech + consent), and DNC (who you can't call + scrub cadence).
  • Transmit accurate caller ID. Don't spoof it or hide who's calling. If your caller ID can't be traced back to your business, fix that before you scale.
  • Avoid prerecorded or AI voice for cold outreach. For telemarketing calls using an artificial/prerecorded voice, you're in written-consent territory. The FCC's robocall guidance is the clearest reference point: https://www.fcc.gov/consumers/guides/stop-unwanted-robocalls-and-texts
  • Keep dialer abandonment under control. If your system dials faster than agents can answer, you create "dead air" and hang-ups - exactly the behavior regulators and consumers hate.
  • If you record calls, default to an upfront disclosure. It's the simplest nationwide policy and avoids the "which state's rule applies?" mess.
  • Keep your data clean. Clean data reduces wrong/reassigned dials (and complaints). Tools like Prospeo help teams verify numbers before dialing.

Cold calling's legal but regulated. The U.S. doesn't ban cold calls outright; it bans specific behaviors: calling outside permitted hours, calling people who opted out, misleading people, and using certain calling tech without the right consent.

If you're asking "is it illegal to cold call?" the real answer is that the same outreach can be compliant (or not) based on DNC status, consent, and whether you used prerecorded or artificial voice.

Two agencies matter most:

  • The FTC enforces the Telemarketing Sales Rule (TSR): disclosures, misrepresentation bans, calling hours, DNC processes, abandoned-call controls, and recordkeeping.
  • The FCC enforces the Telephone Consumer Protection Act (TCPA): autodialing/robocall rules, prerecorded or artificial voice, texts, and consent standards.

Look, this is where teams talk themselves into bad decisions: "We'll just crank volume and fix compliance later." That's backwards. Once you've got complaints, you don't get to rewind time and magically produce scrub logs, opt-out timestamps, and dialer settings from three months ago.

In our experience, the fastest way to reduce legal risk is boring: fewer dials, better targeting, cleaner data, and a dialer that doesn't act like it's trying to win a speedrun.

Most teams get burned because they treat "DNC" like the only rule. It's not. You're dealing with three overlapping frameworks.

Three overlapping U.S. cold calling rulebooks compared
Three overlapping U.S. cold calling rulebooks compared

TSR = telemarketing conduct. TCPA = calling tech + consent. DNC = who you can't call (and how often you must scrub).

Rulebook Enforcer What it governs What to prioritize
TCPA FCC Autodialing/robocalls, prerecorded/artificial voice, texts TCPA if you use any automation or voice tech
TSR FTC Telemarketing practices (disclosures, misrepresentation, abandonment, records) TSR if you run campaigns at scale
DNC FTC/FCC/states National + internal DNC rules DNC if you call consumers at all

A few specifics that matter in real life:

  • TSR applies to calls made as part of a "plan, program, or campaign" to sell goods or services. It's not just "big call centers." The FTC's plain-English TSR guide is worth bookmarking: https://www.ftc.gov/business-guidance/resources/complying-telemarketing-sales-rule
  • TSR can also apply to inbound calls that result from your ads - if the call turns into a sales pitch or upsell.
  • TCPA overlaps TSR. You can be "TSR-clean" and still violate TCPA if you use prerecorded/artificial voice without the right consent.
  • DNC enforcement is shared. The National DNC Registry is run by the FTC and enforced by the FTC, FCC, and state officials.
Prospeo

The fastest way to stay TCPA-compliant isn't better scripts - it's cleaner data. Prospeo verifies 125M+ mobile numbers with a 30% pickup rate, so your reps dial real people, not reassigned numbers that trigger complaints.

Stop dialing dead numbers. Start every campaign with verified contacts.

Use this as a pre-dial sanity check. It's the simplest way to answer "is cold calling illegal?" for a specific campaign without turning your sales floor into amateur lawyers.

Pre-dial decision tree for cold call legality
Pre-dial decision tree for cold call legality
  1. Are you calling within 8 a.m.-9 p.m. local time?
  • No -> Don't call.
  • Yes -> continue.
  1. Is the person on your internal (company-specific) DNC list?
  • Yes -> Don't call.
  • No -> continue.
  1. Is the number on the National DNC Registry (consumer outreach)?
  • Yes -> call only if you have a valid exception (EBR or express consent).
  • No -> continue.
  1. If you're relying on EBR, are you inside the windows?
  1. Are you using prerecorded or artificial voice (including AI voice)?
  1. Can you prove what you did? (scrub date, list source, opt-out handling, call logs)
  • No -> fix your process before you scale.
  • Yes -> you're operating like a real program.

One missed opt-out is all it takes to create a repeat complainant.

Do Not Call compliance that actually works (ops playbook)

DNC compliance isn't complicated. What's hard is making it unskippable - and documenting it so you can show your work if a complaint lands on someone's desk.

Seven-step DNC compliance ops checklist visual
Seven-step DNC compliance ops checklist visual

I've seen teams do everything "right" in the rep script and still get burned because list hygiene was a mess: a stale CSV got uploaded, the scrub was 45 days old, and the internal suppression list lived in someone's personal spreadsheet. That isn't a sales problem. It's an ops failure.

Step-by-step DNC checklist (the version you can run)

  1. Define what counts as telemarketing for your org. If the call's purpose is to sell goods/services, treat it as telemarketing.
  2. Centralize list intake. One path into your dialer/CRM - no rogue CSVs.
  3. Subscribe to the National DNC Registry (consumer calling). You download by area code via https://telemarketing.donotcall.gov/
  4. Scrub at least once every 31 days and store the scrub date/version.
  5. Maintain a company-specific DNC list and suppress it everywhere.
  6. Enforce opt-outs immediately (same day, same system, no exceptions).
  7. Audit weekly. Sample calls for time window, DNC status, and opt-out handling.

Three TSR basics reps mess up (and how to fix them)

  • Prompt disclosure: open with who you are and why you're calling. Don't "warm up" for 30 seconds and then reveal it's a sales call.
  • Caller ID: transmit a real, reachable number tied to your business. If your caller ID looks shady, your answer rate drops and your complaint rate climbs.
  • Abandoned calls: if your dialer creates dead air or hang-ups because no agent is available, slow it down. High abandonment is a dialer configuration problem, not a "rep performance" problem.
  • Don't let the dialer outpace agent availability. If you can't connect a live agent quickly, you're manufacturing abandoned calls.
  • Don't use prerecorded "drops" for cold outreach. That's the fastest path into robocall rules.
  • Don't spoof caller ID or hide who's calling. Rotate numbers for operations if you must, but keep caller ID truthful and traceable.

What to log (so you can defend your process)

Log item What to store Why it matters
DNC scrub date + area codes Proves 31-day cadence
List source campaign + origin Stops "mystery lists"
EBR proof purchase/inquiry date EBR has windows
Consent proof form/text + timestamp Needed for robocalls
Opt-out date + channel Overrides EBR
Call detail number + time + rep QA + recordkeeping

Data hygiene: the unsexy thing that prevents complaints

A lot of "DNC complaints" start as wrong person / reassigned number calls. Someone picks up, they're annoyed, and now you're the villain - even if your rep was polite.

Prospeo, "The B2B data platform built for accuracy", is built for this exact problem: 300M+ professional profiles, 143M+ verified emails, and 125M+ verified mobile numbers, all refreshed on a 7-day cycle (the industry average is about 6 weeks). If you're running outbound at any real volume, that freshness is the difference between "this list is usable" and "why are we calling people who left the company last year?"

Skip this if you're doing 20 founder-led calls a week and manually checking every contact. Everyone else should treat verification as part of the workflow, not a nice-to-have.

Under TCPA, your dialing method drives your risk.

TCPA consent requirements by calling method comparison
TCPA consent requirements by calling method comparison
  • Live, human calls (manual/agent-led): the cleanest compliance story for cold outreach. You still must follow hours, DNC rules, and opt-outs.
  • Dialers that behave like automation: the more your system auto-selects/auto-dials at scale, the more attention you attract. Keep humans in control and keep logs.
  • Prerecorded or artificial voice (including AI voice): treat this as a robocall path. For telemarketing, this is where written-consent requirements show up. The FCC's robocall guidance is a solid starting point: https://www.fcc.gov/consumers/guides/stop-unwanted-robocalls-and-texts

Here's the thing: "AI SDR" voice calling is mostly a compliance trap dressed up as innovation, and it also annoys prospects in a way that live reps usually don't. Use AI to research, personalize, and coach, then keep the call human.

B2B vs B2C: what changes for outbound calls?

Teams ask this because they want a simple rule like "B2B is fine." Real life isn't that clean.

B2C (consumer calling) B2B (business calling)
National DNC Registry is a core control. TSR historically exempted most B2B calls, but not every category.
TSR requirements are the baseline expectation (disclosures, abandonment controls, records). Certain B2B categories were never fully exempt (a common example in TSR discussions is nondurable office/cleaning supplies).
TCPA risk spikes fast with automation, prerecorded, or artificial voice. The 2024 TSR amendments pulled B2B calls into TSR misrepresentation rules. In practice, that doesn't make B2B identical to B2C, and it doesn't impose the full TSR recordkeeping regime on typical B2B outreach.
Consumers complain more, and enforcement is more common. Business prospects escalate internally faster (legal, IT, exec assistants) when you ignore opt-outs.

Both (non-negotiables):

  • Don't misrepresent who you are or why you're calling.
  • Honor internal opt-outs immediately.
  • TCPA still applies based on the tech you use.

"Do B2B cold calls require prompt disclosure?"

Yes in practice. Even where TSR exemptions reduce formal requirements, misrepresentation is still prohibited, and the fastest way to sound misleading is to hide the sales intent. Start with identity + purpose. It also improves outcomes because the prospect doesn't feel tricked.

Can you record cold calls? (one-party vs all-party states)

Recording is where well-meaning teams step on a rake.

  • Federal law is one-party consent.
  • State law can require all-party consent.
  • For cross-state calls, the safest policy is "strictest wins."

A solid reference is Justia's 50-state survey (last reviewed September 2026): https://www.justia.com/50-state-surveys/recording-phone-calls-and-conversations/

If you want the simple approach (works nationwide):

  • Always disclose recording at the start ("This call may be recorded...").
  • Offer an opt-out (stop recording or continue unrecorded with notes).
  • Geo-route disclosures when possible (area code routing is better than guessing).

What changed in 2026 (and what to do about it)

Most pages on cold calling laws are stuck in pre-2024 rules. Don't copy them.

The updates that matter

  • FTC TSR amendments: the FTC updated TSR requirements and expanded recordkeeping expectations for covered telemarketing. Primary rule text: https://www.federalregister.gov/documents/2024/04/16/2024-07180/telemarketing-sales-rule
  • One-to-one consent drama: the Eleventh Circuit decision in Insurance Marketing Coalition v. FCC struck down the "one-to-one" and "logically related" consent limits. The FCC removed the nullified text and reverted to the prior rule language (FCC action posted 07/14/2026).

The myths that won't die (3 only)

  • Myth: "B2B is exempt, so we can be vague." Reality: B2B still can't mislead people. Lead with identity + purpose and you avoid the biggest practical risk: sounding deceptive.

  • Myth: "AI voice is a loophole." Reality: The FCC treats AI-generated voice as artificial voice under the robocall framework. If you wouldn't do it prerecorded, don't do it with AI.

  • Myth: "We'll add compliance later." Reality: If you don't have scrub logs and opt-out suppression now, you won't magically produce them after a complaint.

What compliance actually costs (and what violations can cost)

Compliance is cheaper than cleanup.

DNC access fees + penalty signals (FY2026)

Item Cost / exposure Notes
DNC access $82 / area code First 5 free
DNC max fee $22,626 / year All area codes
Add area code $41 (half-year) Mid-year add
TSR/DNC penalty up to $53,088 Civil penalty cap
TCPA §227(b) $500 minimum Can treble
TCPA §227(c) up to $500 Discretionary

FTC fee update: https://www.ftc.gov/news-events/news/press-releases/2025/08/telemarketer-fees-access-ftcs-national-do-not-call-registry-increase-2026

TCPA damages in plain English (this is where most articles mess it up): robocall-style violations under §227(b) usually start at $500 per call and can be trebled, while DNC violations under §227(c) are up to $500 and courts can award less.

FAQ: cold calling legality (quick answers)

Yes. Live, human calls to cell phones are generally allowed if you follow 8 a.m.-9 p.m. local time, honor opt-outs immediately, and suppress DNC-listed consumer numbers where required. Risk spikes when you add prerecorded audio, artificial/AI voice, or heavy automation.

Can I cold call someone on the Do Not Call Registry if I have an established business relationship (EBR)?

Yes--only within the EBR windows (commonly 18 months after purchase/payment/delivery or 3 months after an inquiry/application) and only if they haven't opted out. The moment someone says "don't call again," your internal suppression overrides EBR every time.

Can I use an AI-generated voice or prerecorded message for cold outreach?

For most outbound teams, no. AI voice is treated as an "artificial voice" robocall path, and telemarketing robocalls typically require prior written consent. If you want to use AI safely, use it for research, personalization, and coaching, then keep the call live.

What's a good free tool to reduce wrong-number dials before calling?

Prospeo's a strong starting point because it verifies contact data in real time and refreshes records every 7 days, which helps cut wrong-person and reassigned-number calls before they turn into complaints.

Prospeo

Your DNC scrub is only as good as the data feeding your dialer. Prospeo refreshes 300M+ profiles every 7 days - not every 6 weeks - so you're calling current numbers tied to the right person. At $0.01 per email and 10 credits per verified mobile, compliance doesn't have to be expensive.

Fresh data every 7 days means fewer wrong-number complaints.

Yes - if you run it like a system.

Call inside 8 a.m.-9 p.m., scrub DNC every 31 days, honor internal opt-outs immediately, avoid prerecorded/AI voice for cold outreach, and keep logs that prove what happened. Do that and you're not "hoping" you're compliant; you're ready to defend your process if anyone asks.

· B2B Data Platform

Verified data. Real conversations.Predictable pipeline.

Build targeted lead lists, find verified emails & direct dials, and export to your outreach tools. Self-serve, no contracts.

  • Build targeted lists with 30+ search filters
  • Find verified emails & mobile numbers instantly
  • Export straight to your CRM or outreach tool
  • Free trial — 100 credits/mo, no credit card
Create Free Account100 free credits/mo · No credit card
300M+
Profiles
98%
Email Accuracy
125M+
Mobiles
~$0.01
Per Email