TCPA Compliance in 2026: Everything That Changed and How to Stay Legal
Picture this: you load 10,000 numbers into your dialer on Monday morning. Two hundred of those numbers were reassigned to new consumers last quarter. Nobody on your team checked. If you contact each of those 200 numbers once, at $500 per violation - $1,500 if a court finds it willful - that's $100K to $300K in exposure before your first rep finishes their coffee.
That scenario isn't hypothetical. TCPA class actions hit 1,052 cases filed through mid-2025, a 95.2% increase over the same period in 2024. The rules shifted fast, and most compliance guides haven't caught up. The one-to-one consent rule everyone panicked about? Dead. The new opt-out rules? Very much alive. State mini-TCPAs? Multiplying faster than anyone expected.
Here's what actually matters for 2026 - and what you can stop worrying about.
The Short Version
- The one-to-one consent rule was vacated - it never took effect. Stop building compliance around it.
- The April 2025 consent revocation rules ARE live: 10 business days to honor opt-outs, standardized keywords, one confirmation text within 5 minutes.
- State mini-TCPAs (Florida, Texas, Maryland, and more) are now stricter than federal regulation for many businesses. If you're only tracking federal rules, you're exposed.
- Virginia's 10-year DNC honor requirement took effect January 1, 2026. That's not a typo. Ten years.
What Is the TCPA?
The Telephone Consumer Protection Act (47 U.S.C. § 227) was enacted in 1991 to regulate telemarketing calls, text messages, faxes, and prerecorded voice messages. The FCC has enforcement authority and has issued dozens of orders expanding and clarifying the statute's scope over three decades.
What makes the TCPA uniquely dangerous for businesses is the private right of action. Any individual consumer can sue - they don't need the FCC to act first. That's why TCPA litigation has become an industry unto itself, with plaintiff firms filing hundreds of cases a month, many as class actions. A single campaign with bad data or sloppy consent records can generate thousands of individual violations, each carrying statutory damages.
The statute covers virtually every form of outbound commercial communication to a phone number: voice calls using autodialers or prerecorded messages, SMS and MMS marketing, and even fax transmissions. If your team makes outbound calls or sends texts to prospects, this law applies to you.
Core TCPA Requirements
Before getting into what changed recently, here are the baseline requirements that haven't changed - because most violations stem from getting these fundamentals wrong, not from missing some new rule.
Prior express consent vs. prior express written consent. This distinction trips up more teams than any other single rule. Informational or transactional calls require prior express consent - the consumer gave you their number and reasonably expects a call. Marketing and telemarketing calls require prior express written consent: a signed (including e-signed) agreement that clearly authorizes the calls, identifies the caller, and includes the phone number to be called.
Calling hours. Federal rules restrict calls to 8am-9pm in the recipient's time zone. Several states narrow this window further. If you're calling across time zones, your dialer needs to respect the recipient's local time, not yours.
Caller ID and STIR/SHAKEN attestation. Every telemarketing call must transmit a caller ID showing either the caller's name and number or the name and number of the entity on whose behalf the call is made. Spoofing or blocking caller ID on sales calls is a separate violation. Beyond caller ID, the STIR/SHAKEN framework now plays a critical role in call deliverability - calls with full attestation (Level A, meaning the originating carrier has verified the caller's identity and right to use the number) pass through carrier filters cleanly, while calls with Level B or C attestation increasingly get labeled "Spam Likely" or blocked outright. If your outbound calls aren't reaching prospects, STIR/SHAKEN attestation is the first thing to check.
National DNC Registry. Telemarketers must scrub against the National Do Not Call Registry at least every 31 days . Calling a registered number without an applicable exemption carries fines up to $43,792 per violation.
Internal DNC list. You must maintain your own internal do-not-call list and honor opt-out requests promptly. This is separate from the national registry - a consumer who tells your rep "don't call me again" goes on your internal list regardless of their national DNC status.
Abandoned call rules. No more than 3% of answered calls can be "abandoned" (where no live agent connects within two seconds of the consumer's greeting) per campaign over a 30-day period.
Established business relationship (EBR). An existing customer relationship provides a limited exemption from DNC restrictions - 18 months from the last transaction, 3 months from the last inquiry. But EBR doesn't exempt you from consent requirements for autodialed or prerecorded calls.
Vicarious liability. If you hire a third-party dialer, BPO, or lead-gen vendor, you're vicariously liable for their violations. Vendor audits aren't optional. They're the difference between "our vendor screwed up" and "our vendor screwed up and we're paying $2M."
What Changed in 2025-2026
This is where most guides get it wrong. Four major developments reshaped the rules, and they pull in different directions.
One-to-One Consent Rule (Vacated)
The FCC's December 2023 order would have required consumers to give consent "one seller at a time," effectively killing the comparison-shopping and lead-generation model where a single form collects consent covering multiple sellers. The original effective date was January 27, 2025.
On January 24, 2025, the FCC postponed the rule pending judicial review. The Eleventh Circuit then vacated the requirement entirely in Insurance Marketing Coalition Limited v. FCC, 127 F.4th 303 (11th Cir. 2025), holding that the FCC's interpretation of "prior written consent" as requiring one-to-one consent conflicted with the statute's ordinary meaning. The court also struck down the "logically and topically associated" restriction, and the FCC issued a final rule formally eliminating the one-to-one consent requirement from 47 CFR § 64.1200(f).
Consent remains valid as long as consumers receive "clear and unmistakable" information that they'll receive calls from various sellers.
Here's the thing, though: carriers built processes to enforce one-to-one consent before the vacatur. SMS campaign registration still involves scrutiny of privacy policy language and consent flows. Even though the federal rule is dead, carrier-level filtering and CTIA-aligned blocking can still reject campaigns that don't demonstrate clear consent procedures. We've seen teams get texts blocked despite having valid consent because their campaign registration didn't satisfy carrier analytics.
New Consent Revocation Rules (April 2025)
Unlike the one-to-one rule, the consent revocation rules are fully in effect as of April 11, 2025. These are operational requirements your team needs to implement now:
- "Any reasonable manner" standard. Consumers can revoke consent through any reasonable method - not just STOP keywords. Voicemail, email, verbal request to a rep, text reply, web form. If it's reasonable, it counts.
- 10 business day processing deadline. Down from the previous 30-day window. This is a significant operational tightening.
- Standardized keywords. You must honor STOP, QUIT, END, REVOKE, OPT-OUT, CANCEL, and UNSUBSCRIBE as opt-out requests.
- One confirmation text within 5 minutes. It can't contain any promotional content. If the consumer doesn't respond, treat it as a broad revocation.
- Medium-agnostic revocation. If a consumer opts out via text, you can't continue reaching them via robocalls. Revocation crosses communication channels.
One piece was partially delayed: the requirement that revocation in response to one type of message applies to all other types of future calls/texts on unrelated matters. That broader cross-message scope is delayed to April 11, 2026. Everything else is live now.
Autodialer Definition After Duguid
The Supreme Court's unanimous 2021 holding in Facebook v. Duguid narrowed the definition of an automatic telephone dialing system (ATDS). An ATDS must have the capacity to use a random or sequential number generator to store or produce numbers to be called. Standard dialers - the kind that call from pre-loaded lists - were effectively cleared.
But Duguid didn't make the statute toothless.
It shifted plaintiff strategies. Post-Duguid, litigation increasingly targets DNC violations, consent documentation failures, and state-law theories. That shift is exactly why state mini-TCPAs have become the real compliance frontier. If your program is built entirely around the federal ATDS definition, you're fighting the last war.
AI-Generated Calls
AI-powered outbound calling is the next minefield, and most teams are sleepwalking into it. The FCC has made clear that AI-generated voice calls fall under the TCPA's prerecorded-voice provisions. If your dialer uses AI to generate or modify voice messages - even "conversational AI" that sounds live - you need prior express written consent just as you would for a traditional robocall. Plaintiff attorneys are already building cases around AI voice calls, and the FCC has signaled enforcement actions are coming. Treat AI-generated voice the same as prerecorded voice. Full stop.
State Mini-TCPA Laws
Federal compliance is necessary but no longer sufficient. A growing number of states have enacted telemarketing laws that are stricter than the federal baseline, and the trend is accelerating.
| State | Call Window | Frequency Cap | Penalties | Private Action | Key Provision |
|---|---|---|---|---|---|
| Florida | 8am-8pm | 3 per 24hrs | $500 / $1,500 willful | Yes | 15-day safe harbor after consumer notice |
| Texas | 9am-9pm | N/A | DTPA damages | Yes (via DTPA) | Covers texts + images |
| Maryland | 9am-8pm | 3 per 24hrs | $1K / $5K subsequent | Yes | Broad "automated system" definition |
| Oklahoma | 8am-8pm | 3 per 24hrs | $500 / $1,500 willful | Yes | Auto-dial/select restriction + freq cap |
| Washington | 8am-8pm | N/A | $100 + atty fees | Yes | DNC request applies to all numbers on record |
| New York | 8am-9pm | N/A | $11,000/violation | State enforcement | Early-call disclosures |
| Arizona | N/A | N/A | $1,000/violation | N/A | Unsolicited texts to DNC numbers |
| Connecticut | N/A | N/A | $20,000/violation | State enforcement | Written consent for telephonic sales calls |
| Virginia | N/A | N/A | State AG enforcement | N/A | 10-year DNC honor (Jan 2026) |
Texas SB 140 deserves special attention. Effective September 1, 2025, it expanded "telephone solicitation" to include text messages, image messages, and other transmissions meant to induce a purchase. It also created a new private right of action through the Texas Deceptive Trade Practices Act. If you're texting prospects in Texas, this law applies to you.
Virginia's SB 1339, effective January 1, 2026, requires businesses to honor a consumer's STOP/Unsubscribe request for 10 years. That's a recordkeeping obligation most CRMs aren't built for. Let's be honest - most teams can barely maintain a 12-month suppression list, let alone a decade-long one.
The practical takeaway: if you're calling or texting into multiple states, you need to comply with the strictest applicable law for each contact. A Florida number gets 8am-8pm and three attempts per day. A Maryland number gets 9am-8pm. Your dialer configuration needs to handle this per-state logic, and if it can't, you need a different dialer.
Reassigned numbers are TCPA lawsuits waiting to happen. Prospeo refreshes all 125M+ verified mobile numbers every 7 days - not every 6 weeks like competitors. That means fewer wrong-party contacts, fewer violations, and fewer sleepless nights.
Stop dialing stale data. Start with numbers verified this week.
SMS Marketing Under the TCPA
SMS follows the same consent framework as calls, but the stakes are higher because every text is a documented, timestamped record that's trivially easy to produce in litigation.
Written consent required for marketing SMS. Any promotional text - sales offers, discount codes, product announcements - requires prior express written consent. The consent must clearly authorize text messages, identify the sender, and include the phone number.
Lower bar for transactional SMS. Order confirmations, shipping updates, appointment reminders, and account alerts require only prior express consent. But the moment you add a promotional line to a transactional text, it becomes marketing. One "use code SAVE20" at the bottom of a shipping notification reclassifies the entire message.
State silent hours apply. Federal rules restrict texts to 8am-9pm recipient time. Florida, Oklahoma, and Washington restrict you to 8am-8pm, and Texas SB 140 sets a 9am-9pm window. Your SMS platform needs time-zone-aware scheduling that respects the strictest applicable window.
April 2025 opt-out rules apply fully to SMS. Honor any reasonable opt-out method within 10 business days. One confirmation text within 5 minutes, no promo content.
Recordkeeping. Retain consent records for five years - date, time, method, and the exact consent language the consumer saw. If you can't produce this in discovery, you lose.
Reassigned Numbers Database
The FCC's Reassigned Numbers Database (RND) is a federal safe harbor mechanism for reassigned number liability. Created via a December 2018 Second Report and Order, it lets callers query whether a number has been permanently disconnected and reassigned since the date they obtained consent.
The query returns one of three responses:
| RND Response | Meaning | Safe Harbor? |
|---|---|---|
| Yes | Number was reassigned | No safe harbor |
| No | Not reassigned since consent | May apply |
| No Data | No info available | No safe harbor if consent pre-Jan 27, 2021 |
If the database says "No" and you relied on that answer in good faith, you have a defensible position. "Yes" means the number changed hands and calling it means calling someone who never consented. "No Data" provides no protection for older consent records.
The RND operates on a subscription basis with per-query fees - expect fractions of a cent per lookup at high volume. The operational challenge is integrating RND queries into your dialer workflow so every number gets checked before it's called, not after.
Penalties and Enforcement
TCPA penalties scale fast. The baseline is $500 per violation, trebled to $1,500 for willful or knowing violations. DNC violations can reach $43,792 per violation under FCC enforcement. Because each call or text to each number counts as a separate violation, a single campaign can generate millions in exposure.
| Case | Amount | Year | Details |
|---|---|---|---|
| FCC Auto Warranty Robocall Scheme | $299,997,000 | 2023 | Proposed fine - 5B+ calls in 3 months |
| Keller Williams | $40M | 2023 | Settlement |
| Momentum Solar | $30M (pending) | 2025 | Proposed settlement |
| Citibank | $29.5M | 2024 | Settlement |
The auto warranty case is instructive: ten companies made over 5 billion illegal robocalls to 500+ million phone numbers in just three months. After the FCC directed carriers to stop carrying the traffic, call volume dropped 99%. The $299,997,000 proposed fine remains the largest the FCC has announced.
Litigation volume tells the broader story. Through mid-2025, 1,052 class actions were filed - a 95.2% increase over the same period in 2024. June 2025 alone saw 257 filings, with 78.6% filed as class actions. The plaintiff bar is more active than ever, and the trend shows no signs of slowing.
Common Compliance Mistakes
1. Over-relying on dialer DNC scrubbing.
The consensus on r/sales and compliance communities is that "most dialers automatically scrub your list against the Do Not Call list." That's partially true - most dialers scrub against the National DNC Registry. But here's what they typically miss:
| What your dialer checks | What it probably doesn't |
|---|---|
| National DNC Registry | State DNC registries |
| Basic number formatting | Reassigned Numbers Database |
| - | Your internal opt-out list (unless integrated) |
| - | Carrier-level blocking signals |
Dialer scrubbing is one layer, not the whole compliance stack.
2. Calling reassigned numbers without querying the RND. A number that belonged to your prospect six months ago might belong to a stranger today. Without an RND query, you have zero safe harbor protection. This is the easiest mistake to prevent and the most expensive to ignore.
3. Ignoring state mini-TCPAs. Your compliance team tracks federal rules. Great. But if you're calling Florida numbers at 8:30pm or texting Texas prospects with image-based offers without consent, you're violating state law - and those state laws carry their own penalties and private rights of action.
4. Poor consent documentation. In our experience, the consent documentation gap is what kills companies in discovery. "We got consent" isn't a defense. "Here's the timestamped record showing the exact language the consumer saw, the date and time they consented, and the method of consent" - that's a defense. If you can't produce this, you functionally didn't have consent.
5. Loading bad contact data. Wrong numbers, disconnected numbers, reassigned numbers - they all create liability. Before loading any list into your dialer or SMS platform, verify every number. Tools like Prospeo catch invalid and disconnected numbers in real time before they become $1,500 mistakes. Bad data isn't just a deliverability problem; it's a compliance problem.
TCPA Compliance Checklist for 2026
Use this as your operational baseline. Every item should be a documented process, not a "we probably do that" assumption.
- Capture and store prior express written consent with the exact language shown to the consumer, timestamped and archived.
- Scrub against the National DNC Registry at least every 31 days - more frequently if you're running high-volume campaigns.
- Maintain and honor your internal DNC list. Every opt-out from every channel feeds into one list.
- Check state DNC registries for every state you call into. National DNC scrubbing doesn't cover state lists.
- Query the Reassigned Numbers Database before dialing. No query = no safe harbor.
- Verify contact data quality before loading lists. Invalid and disconnected numbers are preventable liability. (If you’re building lists at scale, see Clay List Building.)
- Configure opt-out handling for the 10 business day deadline. Automate where possible.
- Honor all standardized opt-out keywords: STOP, QUIT, END, REVOKE, OPT-OUT, CANCEL, UNSUBSCRIBE.
- Comply with state mini-TCPA call windows and frequency caps. Per-state dialer configuration isn't optional. (If you’re standardizing outbound operations, start with a cold calling system.)
- Retain consent records for 5 years. Date, time, method, exact consent language. All of it. (This is easier with solid contact management software.)
- Audit third-party vendors for regulatory adherence. Their violations are your liability. (Vendor oversight fits naturally into sales operations metrics.)
- Confirm STIR/SHAKEN attestation with your carrier. Level A attestation keeps your calls from getting blocked. (If you’re evaluating providers, compare options like Dialpad alternatives.)
Skip items 4 and 5 at your own risk - those are the two we see teams deprioritize most often, and they're the two that generate the largest settlements.
At $500-$1,500 per violation, a single bad list can cost more than your entire tech stack. Prospeo's 5-step verification with catch-all handling and 30% mobile pickup rate means your reps reach the right person - not a reassigned number that triggers a class action.
Pay $0.01 per verified contact instead of $1,500 per violation.
FAQ
Does the one-to-one consent rule apply in 2026?
No. The Eleventh Circuit vacated the FCC's one-to-one consent requirement in Insurance Marketing Coalition Limited v. FCC (2025), and the FCC formally eliminated it from its rules. Lead generation sites can still collect consent covering multiple sellers, provided consumers receive "clear and unmistakable" disclosure. The rule never took effect.
How long do I have to honor an opt-out request?
Under the April 2025 FCC rules, you must process opt-out requests within 10 business days - down from the previous 30-day window. You can send one confirmation text within 5 minutes, but it can't contain promotional content. Consumers can revoke consent through any reasonable method, not just STOP keywords. This applies across communication channels.
How do I prevent calling reassigned or invalid numbers?
Query the FCC's Reassigned Numbers Database before every dial - a "No" response gives you a defensible safe harbor position. For broader data quality, verify your contact lists before loading them into any dialer. We've found that catching disconnected and invalid numbers upstream, before a single call goes out, eliminates the most common source of accidental violations.
What does TCPA compliance require in 2026?
At minimum: prior express written consent for marketing calls and texts, National DNC scrubbing every 31 days, an internal DNC list honored across all channels, state mini-TCPA adherence for every state you call into, 10-business-day opt-out processing, Reassigned Numbers Database queries before dialing, STIR/SHAKEN attestation for voice calls, and five-year consent record retention. Miss any one of these and you're exposed to $500-$1,500 per violation.