TCPA Compliance Checklist for 2026 | Avoid Fines

Complete TCPA compliance checklist for 2026 with updated consent rules, state penalties, and opt-out requirements. Protect your business from $500-$1,500/text fines.

10 min read · Prospeo Team

The TCPA Compliance Checklist You Actually Need in 2026

You launch a 50,000-contact SMS campaign on Monday. By Friday, three recipients have filed complaints, a plaintiff's firm has your company name in a demand letter, and you're staring at real liability - from three texts. Federal TCPA penalties alone run $500-$1,500 per text, and state mini-TCPA laws push exposure much higher.

That's not hypothetical. TCPA class actions surged 95.2% through mid-2025 versus 2024. Separately, 880 lawsuits landed in just the first four months of 2025 - a 44% jump year over year. The rules tightened in three specific ways, and most TCPA compliance checklists floating around haven't caught up.

This one has.

What Changed (Quick Version)

  • The one-to-one consent rule is dead. The 11th Circuit vacated it in January 2025, and the FCC later issued a final rule formally eliminating the restriction. The prior PEWC framework remains in place.
  • New revocation rules went live April 2025. You have 10 business days to process opt-outs, and seven keywords (like "stop" and "cancel") are per se revocations.
  • Carriers block unregistered 10DLC SMS traffic. If you haven't registered your brand and campaigns with The Campaign Registry, your texts aren't getting delivered.
  • State mini-TCPA laws now carry penalties up to $20,000 per violation. Federal TCPA is the floor, not the ceiling.
  • TCPA litigation is at record levels. 78% of 2025 lawsuits were filed as class actions.
TCPA litigation statistics and penalty overview for 2025

The Full Checklist: 14 Items

Fourteen items. Each one is a potential lawsuit trigger if you skip it.

Visual checklist of 14 TCPA compliance items
  1. Obtain prior express written consent before marketing calls or texts. A signed or e-signed agreement that discloses automated calls/texts, identifies the sender, and specifies the phone number. Verbal consent isn't enough for marketing.

  2. Store consent records for 2-5 years. Document the timestamp, exact language agreed to, source (web form, paper, etc.), and IP address or session data. If you can't prove consent existed, it didn't.

  3. Scrub against the National DNC Registry every 31 days. Telemarketers must access the registry regularly, with no more than a 31-day gap between scrubs. Set a recurring calendar reminder - this is one of the easiest boxes to check and one of the most common to forget.

  4. Maintain and honor your internal DNC list. When someone says "don't call me," add them within 10 business days and retain that record for at least 5 years. Your internal list overrides any purchased data.

  5. Respect calling hours: 8 AM-9 PM in the recipient's local time zone. Not your time zone - theirs. Dialing from New York to California at 9:05 PM PT is a violation, even if it's only 12:05 AM ET.

  6. Identify yourself in telemarketing calls and prerecorded messages. Provide your name, the company you represent, and a callback number or address.

  7. Process opt-out requests within 10 business days. The new FCC revocation rules shortened the window from the 30 days many teams had been using. If someone texts "stop," suppress that number fast.

  8. Honor the seven per se opt-out keywords automatically. Stop, quit, revoke, opt out, cancel, unsubscribe, end. Treat any of these as a valid revocation - no "did you really mean that?" follow-ups beyond the single allowed confirmation text.

  9. Check the FCC Reassigned Numbers Database before calling. The RND at reassigned.us covers 305.9M+ numbers. Querying it provides a safe harbor: if the database incorrectly says a number hasn't been reassigned, you're protected from liability.

  10. Register for 10DLC if you send any SMS via local numbers. Brand registration plus campaign registration through The Campaign Registry (TCR). Expect around $5-$20 for brand registration and $10-$50 per campaign, plus ongoing monthly carrier/TCR fees. Without registration, carriers block your traffic outright.

  11. Distinguish marketing messages from transactional ones. Appointment reminders and account alerts require prior express consent. Marketing messages require express written consent. Mixing the two in a single thread is a common and expensive mistake.

  12. Audit your vendors and third-party lead sources. If a lead provider obtained consent improperly, that's your problem when you dial the number. Review their consent flows and confirm they meet current PEWC standards.

  13. Keep abandoned call rates below 3%. If you're running a predictive dialer, federal rules cap the abandoned call rate at 3% measured over a 30-day period. Agents must connect within 2 seconds when available. We've seen teams blow past this threshold without realizing it because their dialer dashboard reports averages differently than the FCC measures them.

  14. Ensure STIR/SHAKEN attestation for voice calls. Carriers use STIR/SHAKEN caller ID authentication to flag and block suspected spam calls. If your outbound calls aren't properly attested, they'll show "Spam Likely" or get blocked entirely. Confirm with your telephony provider that your calls carry proper attestation.

What Changed in 2025-2026

The FCC's one-to-one consent rule - which would've required lead gen sites to obtain separate consent for each individual seller - was set to take effect January 27, 2025. It never did. The FCC announced it would postpone implementation pending judicial review, and on the same day (January 24, 2025), the 11th Circuit vacated the rule entirely in Insurance Marketing Coalition Limited v. FCC, 127 F.4th 303 (11th Cir. 2025), holding the FCC exceeded its authority.

Timeline of major TCPA rule changes 2025-2026

The court also rejected the FCC's "logically and topically associated" restriction - consent doesn't need to be topically related to the seller's product, so long as it's "clear and unmistakable." The FCC later issued a final rule formally eliminating the one-to-one consent restriction from the regulations. For lead gen and comparison-shopping sites, the prior framework is intact: a single disclosure can obtain consent for multiple sellers.

New Revocation Rules (April 2025)

Effective April 11, 2025, consumers can revoke consent in "any reasonable manner" that clearly expresses their desire to stop receiving calls or texts - including in the language they originally received the communication. The processing window dropped to 10 business days.

Opt-out processing workflow under new TCPA rules

Seven keywords are now per se reasonable opt-outs: stop, quit, revoke, opt out, cancel, unsubscribe, end. You can send one confirmation text within 5 minutes, but it must contain zero promotional content. If the consumer doesn't respond to your clarification, the revocation applies broadly to all non-emergency robocalls and robotexts from your organization.

One partial reprieve: the FCC delayed the requirement that a revocation from one message type applies to all future message types until April 11, 2026. So for now, an opt-out from marketing texts doesn't automatically kill your transactional messages. That changes this year.

10DLC Carrier Enforcement

Since February 1, 2025, US carriers block unregistered 10DLC traffic. This isn't a TCPA rule - it's carrier policy - but the practical effect is identical: unregistered messages don't arrive.

Registration requires Brand and Campaign registration with The Campaign Registry (TCR). You'll need your legal business name, EIN, opt-in/opt-out disclosures, a privacy policy, and sample consent language. Registered throughput ranges from 1 to 75 messages per second depending on your trust score.

State Laws Beyond Federal TCPA

Federal TCPA is the floor, not the ceiling. This table covers the states with the most significant recent changes - if you're dialing or texting nationally, you need to know these.

State mini-TCPA laws penalty comparison map

| State | Law | Effective | Key Requirement | Max Penalty |
|-------|-----|-----------|-----------------|-------------|
| TX | SB 140 | Sept 1, 2025 | Texts included; DTPA action | Per DTPA |
| FL | HB 761 (FTSA) | Active | Consent + 15-day safe harbor | $500-$1,500 |
| CT | SB 1058 | Active | Prior express written consent | $20,000/violation |
| MD | SB 90 | Active | 3 solicitations max per 24 hrs | Varies |
| VA | SB 1339 | Jan 1, 2026 | Honor opt-outs for 10 years | Varies |
| AZ | HB 2498 | Active | No unsolicited texts to DNC | $1,000/violation |

Texas SB 140 is the big one to watch. It expands "telephone solicitation" to include texts and creates a private right of action via the Texas DTPA - individual consumers can sue, not just the state AG. Connecticut's $20,000 per violation penalty dwarfs the federal $500-$1,500 range. And Virginia's 10-year opt-out honor requirement means your suppression lists need to be permanent infrastructure, not spreadsheets you rebuild every quarter.

Here's the thing: if you're running national outbound campaigns with deal sizes under $15k, state mini-TCPA laws are a bigger threat to your business than the federal statute itself. The federal penalties are predictable. A single Connecticut violation at $20,000 can wipe out an entire deal's margin.

Copy-paste ready. Adjust the bracketed fields for your business.

Opt-In Checkbox Language

By checking this box, you agree to receive automated marketing text
messages from [Company Name] at the phone number provided. Message
frequency varies. Message and data rates may apply. Consent is not
a condition of purchase. Reply STOP to opt out at any time. View our
Terms of Service [link] and Privacy Policy [link].

Place this directly adjacent to the phone number field on your form. The checkbox must be unchecked by default - pre-checked boxes don't count as express written consent.

First-Message Disclosure

[Company Name]: Thanks for signing up! You'll receive [frequency]
messages about [program description]. Reply STOP to opt out, HELP
for support. Msg & data rates may apply.

Send this as your first message after opt-in. It confirms the subscription, identifies you, and provides the opt-out mechanism in one shot.

SMS Terms Checklist

Your published SMS terms should cover program name and description, opt-out mechanism (STOP keyword plus any additional methods), customer support contact (HELP keyword plus email/phone), the standard carrier liability disclaimer, "message and data rates may apply," and a link to your privacy policy. Post these on a dedicated page and link to it from every opt-in form.

Penalties and Recent Settlements

Federal TCPA penalties run $500 per negligent violation and $1,500 for willful or knowing violations. "Per violation" means per call or per text - so a 10,000-text campaign to unconsented numbers is $5M-$15M in potential exposure.

| Company | Amount | Year | Trigger |
|---------|--------|------|---------|
| Clover Network | $15M | 2024 | Texts without consent |
| Truist Bank | $4.1M | 2025 | Prerecorded calls |

78% of 2025 TCPA lawsuits were class actions. State penalties stack on top of federal ones. A single text to a Connecticut number could carry $20,000 in state penalties plus $1,500 federal - $21,500 from one message.

Common Compliance Mistakes

Here's what actually gets teams in trouble - not obscure edge cases, but everyday assumptions that turn into lawsuits.

"My dialer scrubs the DNC list automatically." The consensus on r/sales and cold calling communities is that most dialers handle this for you. Maybe yours does. But relying on a dialer's built-in scrub without verifying the scrub date, confirming it covers state-level DNC lists, and documenting the process is a recipe for liability. At 700-1,000 dials per day - standard for outbound SDRs - even a 1% error rate means 7-10 potential violations daily. If you're evaluating providers, compare features in our guide to Dialpad alternatives.

No reassigned number checks. Someone changes their phone number. The new owner gets your marketing texts. They didn't consent. You're liable. The FCC's RND exists for exactly this, but most teams don't query it.

Ignoring state laws. We've seen teams build compliance around federal TCPA and forget that Texas, Connecticut, and Florida have their own rules with their own penalties. A "nationally compliant" program isn't nationally compliant if it ignores state-level requirements.

Stale consent from inactive subscribers. If someone opted in 14 months ago and hasn't engaged since, treat that as higher risk. Build a re-engagement step into your program, and suppress people who never respond.

Stale contact data. This is the silent killer. If your contact database refreshes every six weeks (the industry average), you're dialing numbers that may have changed hands since your last update. Stale data is how reassigned-number violations happen at scale. Tools like Prospeo refresh contact profiles every 7 days - when your data is never more than a week old, you're reaching the right person, not their number's previous owner. If you're comparing vendors, start with data enrichment services and sales prospecting databases.

Building a Compliant Phone List

Every compliance framework assumes you're contacting the right person. When your data is wrong - wrong number, reassigned number, outdated consent record - compliance breaks down regardless of how good your processes are.

A compliant phone list starts with verified, fresh data and layers DNC scrubbing and consent documentation on top. The FCC's Reassigned Numbers Database at reassigned.us is one layer of protection, covering 305.9M+ numbers with a safe harbor for callers who check it. But the broader solution is keeping your contact data fresh enough that reassigned numbers don't accumulate in the first place.

In our experience, the teams that get hit with reassigned-number lawsuits aren't the ones with bad processes - they're the ones with good processes built on top of stale data. Let's be honest: if your data provider refreshes monthly or less, you're building compliance on a shaky foundation no matter how many boxes you check.

Pair RND checks with proper DNC scrubbing and a data provider that actually refreshes weekly, and you've closed the three biggest operational gaps that drive TCPA lawsuits. If you're building a repeatable outbound motion, these sales prospecting techniques help keep volume high without cutting corners.

TCPA Compliance FAQ

Does the TCPA apply to B2B calls and texts?

Yes. B2B isn't exempt. The TCPA applies to calls and texts made to any U.S. phone number regardless of whether the recipient is a consumer or business. DNC rules also cover B2B telemarketing calls.

How often should I scrub against the DNC Registry?

At least every 31 days. Federal rules require telemarketers to access the National Do Not Call Registry with no more than a 31-day gap between scrubs. Many compliant teams scrub weekly to reduce risk.

Prior express consent covers informational and transactional calls/texts - a verbal "yes" or providing your number suffices. Prior express written consent requires a signed agreement disclosing automated contact and is mandatory for marketing messages. The written consent must specify the phone number and clearly describe what the consumer is agreeing to receive.

Can I still buy leads from lead generation sites?

Yes. The FCC's one-to-one consent rule was vacated by the 11th Circuit in January 2025 and later formally removed from the regulations. Lead gen sites can obtain consent for multiple sellers via a single disclosure, provided it meets prior express written consent standards.

How does data verification reduce TCPA risk?

Stale data causes reassigned-number violations - one of the most common operational lawsuit triggers. When contact data refreshes every 7 days instead of every 6 weeks, the window for a number to change hands undetected shrinks dramatically. Skip this step if you're only making a handful of calls per week, but for any team running volume outbound, it's non-negotiable.