The average TCPA class-action settlement ranges from $5 million to $75 million. The amount depends on call volume, violation type, and company size. According to WebRecon LLC’s 2025 year-end litigation report, plaintiffs filed 2,628 TCPA cases in federal court in 2025, a 60% jump over 2024. Class actions surged 112% year-over-year. Nearly 80% of all TCPA cases are now class actions. Through February 2026, filings ran 26.8% ahead of the prior year. As a result, the TCPA is one of the most actively litigated consumer protection laws in the country.
A negligent TCPA violation costs $500 per call. A willful violation costs $1,500 per call. Now, apply those numbers to a busy floor. A team dialing 2,000 leads per day for six months places about 250,000 calls. If the floor dialed just 8% of those numbers without consent, that would be 20,000 violations. At the base rate: $10 million in exposure. At the willful rate: $30 million.
The gap between trying to comply and actually being compliant is where the risk lives. However, that gap does not end with a fine. It ends with lawsuits, legal fees, lost time, and damage that stays in search results for years.
This guide lays out the framework you need before talking to a TCPA attorney. It covers what the law requires, where exposure is created, what strong records look like, and what a solid compliance setup includes.
This content is for operational context only. It is not legal advice. Talk to a qualified TCPA attorney for decisions about your operation.
What the TCPA Actually Is: The Operational Summary

The Telephone Consumer Protection Act (TCPA) is a federal law passed in 1991 and updated in 2015. It controls how businesses can reach people by phone, text, and fax. For sales floor operators, four rules matter most. Here is a direct answer for anyone searching “what is TCPA compliance for call centers.”
The four operational provisions of the TCPA:
- Consent for autodialed calls and texts. No one can use an automatic telephone dialing system (ATDS) or prerecorded voice to call a cell phone without written consent. According to the Pew Research Center, 98% of Americans own a cellphone. As a result, nearly every outbound sales call falls under this rule. This provision creates the greatest risk for high-volume floors.
- National Do Not Call Registry. You cannot call numbers on the National DNC Registry unless written consent is in place or a business relationship exists. As reported by the Federal Trade Commission, the registry held over 258 million active numbers in fiscal year 2025. Another 4.7 million joined that year.
- Calling hour restrictions. You cannot contact consumers before 8 am or after 9 pm in the consumer’s local time zone. In addition, more restrictive state-level regulations may also apply.
- Abandoned call rate cap. A predictive dialer must keep its abandoned call rate below 3% over 30 days. An abandoned call connects to a person but does not reach an agent. The FTC’s Telemarketing Sales Rule (TSR) requires this.
Written consent means a person agreed in writing to get autodialed calls from a named company. It must state that the person does not need to provide consent to make a purchase. A form, a digital checkbox, or a signed document all count.
These four rules form the compliance framework. Each one has its own requirements, exceptions, and records that decide if a call is compliant or exposed.
The Five TCPA Exposure Points in a High-Volume Outbound Operation

Industry audits show that TCPA risk in outbound operations almost always comes from one or more of five gaps. Most high-volume floors carry two or three at once. That is why risk grows with scale rather than remaining flat.
Exposure Point 1: Consent Documentation Gaps at the Lead Source
This is the most common and most serious source of TCPA risk. Consent to call must be on record at the point of lead capture. That means the form, the ad click, or the verbal agreement. It must happen before any number is dialed.
A 2025 PACE report found that over 60% of TCPA class actions involved weak or missing consent at the lead source. Specifically, consent words existed in many cases but lacked strength. The opt-in language did not name the company that would call.
What strong consent records need:
- The form must list the company name (or “its marketing partners”)
- A clear statement that autodialed calls and texts may be made
- A statement that consent is not needed to buy anything
- A timestamp and IP address tied to the submission
- The exact words the person saw when they submitted
If the floor cannot produce these five items for every lead, a consent gap exists. Consequently, that gap creates risk on every dial.
Exposure Point 2: DNC Scrubbing Gaps
The team must scrub every lead list against the National DNC Registry before calls begin. The FTC says the scrub must be no more than 31 days old. Furthermore, state registries in California, Texas, Florida, and 9 other states must be checked individually for multi-state campaigns.
The most common mistakes found in audits:
- The team scrubs the list once at purchase, but does not re-scrub before follow-up calls 30+ days later
- The team checks the federal registry but misses state registries
- A vendor says they scrubbed the list, but no one checks the date
What strong DNC compliance looks like:
- An automated scrub runs at list upload with a logged timestamp
- Re-scrubs run every 31 days for leads still in the campaign
- The team scrubs state registries for every state in the calling area
- The team keeps scrub logs ready to export for audits or lawsuits
Exposure Point 3: ATDS Classification Uncertainty
Whether a dialer counts as an ATDS under the TCPA is the most argued question in telemarketing law. The 2021 Supreme Court case Facebook, Inc. v. Duguid narrowed the definition. The system must be able to create phone numbers using a random or sequential generator to qualify.
Most predictive and power dialers used in BPO work from pre-loaded lists. They do not generate random numbers. Under the current reading, they may not count as ATDS. However, the rules keep changing as the FCC issues new guidance.
What to do now: Keep records of how leads enter the system. Document how numbers load into the dialer. Note what the dialer does on its own. If this question comes up in court, these records support a factual defense. This question needs review by a qualified attorney.
Exposure Point 4: Calling Window Violations
Federal rules allow calls between 8 am and 9 pm in the person’s local time zone. A floor that uses one calling window based on its own timezone creates risk when calling across time zones.
How this happens: A California floor starts dialing at 8 am PST. Leads in New York get called at 11 am EST. That is fine. However, leads in Hawaii get called at 6 am HST. That is a violation on every Hawaii call placed before 10 am PST.
What strong calling window management looks like:
- Timezone detection based on area code or ZIP code
- The dialer enforces calling windows, not agents
- State-level rules block calls in restricted hours without manual steps
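A pre-dial gate that combines the checks from Exposure Points 1, 2, and 4 is sketched below as an added example, not code from any dialer or vendor. The `Lead` record layout, the reason strings, and the three-entry area-code map are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time, timedelta, timezone
from typing import List, Optional
from zoneinfo import ZoneInfo

# Constructed sample map. A production table covers every area code dialed,
# or resolves the timezone from the lead's ZIP code instead.
AREA_CODE_TZ = {
    "212": "America/New_York",
    "415": "America/Los_Angeles",
    "808": "Pacific/Honolulu",
}
WINDOW_OPEN, WINDOW_CLOSE = time(8, 0), time(21, 0)   # 8 am to 9 pm local
MAX_SCRUB_AGE = timedelta(days=31)


@dataclass(frozen=True)
class Lead:  # hypothetical record layout
    phone: str                        # 10-digit US number, digits only
    company_named: bool               # form names the calling company
    autodial_disclosed: bool          # autodialed calls/texts statement
    not_purchase_condition: bool      # "not a condition of purchase" statement
    consent_time: Optional[datetime]  # submission timestamp
    consent_ip: Optional[str]         # submission IP address
    consent_text: Optional[str]       # exact words the person saw
    last_scrub: Optional[datetime]    # most recent DNC scrub (aware, UTC)


def block_reasons(lead: Lead, now_utc: datetime) -> List[str]:
    """Return every reason this lead must not be dialed now; [] means clear."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    reasons = []

    # Exposure Point 1: all five consent items must be producible per lead.
    missing = [name for name, ok in [
        ("company_named", lead.company_named),
        ("autodial_disclosed", lead.autodial_disclosed),
        ("not_purchase_condition", lead.not_purchase_condition),
        ("timestamp_and_ip", bool(lead.consent_time and lead.consent_ip)),
        ("consent_text", bool(lead.consent_text)),
    ] if not ok]
    if missing:
        reasons.append("consent_incomplete:" + ",".join(missing))

    # Exposure Point 2: the scrub must be no more than 31 days old.
    if lead.last_scrub is None or now_utc - lead.last_scrub > MAX_SCRUB_AGE:
        reasons.append("dnc_scrub_stale")

    # Exposure Point 4: judge the window in the lead's timezone, never the
    # floor's. An unmapped area code blocks the call (fail closed).
    zone = AREA_CODE_TZ.get(lead.phone[:3])
    if zone is None:
        reasons.append("timezone_unknown")
    else:
        local = now_utc.astimezone(ZoneInfo(zone)).time()
        if not (WINDOW_OPEN <= local < WINDOW_CLOSE):
            reasons.append("outside_calling_window")
    return reasons


# Constructed sample lead with complete consent and a fresh scrub.
SAMPLE = Lead("2125550100", True, True, True,
              datetime(2025, 12, 20, 15, 4, tzinfo=timezone.utc),
              "203.0.113.7", "constructed consent wording shown on the form",
              datetime(2026, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    now = datetime(2026, 1, 15, 16, 0, tzinfo=timezone.utc)  # 8 am PST
    for phone in ("2125550100", "8085550100"):
        print(phone, block_reasons(replace(SAMPLE, phone=phone), now))
```

Logging the returned reasons with each blocked dial also yields the dialer-produced calling window and scrub records the retention requirements call for.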
Exposure Point 5: Abandoned Call Rate Creep
The FTC’s Telemarketing Sales Rule requires predictive dialers to keep the abandoned call rate below 3% over 30 days. An abandoned call connects to a live person but does not reach an agent within 2 seconds.
Industry data from the Contact Center Association shows that floors that dial aggressively ahead of agent availability face a higher risk of passing the 3% limit during busy periods.
What strong abandoned call rate management looks like:
- Real-time tracking by the dialer system
- Automatic pacing changes when the rate gets close to the limit
- A recorded message on abandoned calls with the company name and callback number
- The team keeps monthly reports for compliance records
The Consent Documentation Framework: What Is Needed Before Every Dial

Consent records are the base of any TCPA defense. Without them, every autodialed call to a cell phone is a potential violation. With them, the floor has a factual defense for each lead.
Component 1: The Consent Language Itself
The form must clearly state four things: that autodialed calls and texts will be sent, which company will be calling, that consent is not required to buy anything, and what the person is agreeing to receive.
Weak consent language example:
“By submitting this form, you agree to our terms and conditions and consent to be contacted.”
Strong consent language example:
“By clicking Submit, I provide my electronic signature and express written consent authorizing [Company Name] and its marketing partners to contact me about [product/service] at the phone number provided, including through autodialed, prerecorded, or artificial voice calls and text messages. I understand that my consent is not a condition of purchase.”
As noted by the FCC in its December 2023 lead generator consent rule, vague opt-in language does not support a defense. On the other hand, specific consent language does.
Component 2: Timestamp and IP Documentation
The system must log every form submission with a timestamp and IP address. This proves the person gave consent at a specific time from a specific device. As a result, it creates a record that can stand up in court.
Component 3: Lead Source Audit Trail
For leads bought from vendors, the floor must trace each lead back to the form where consent was given. In addition, the actual consent words shown to the person must stay on file.
The following should be requested before leads are purchased from any new source:
- The exact consent language displayed on the form
- A sample of timestamped consent records for verification
- Confirmation of whether the vendor collects consent at the individual level or through a network of sub-publishers
- The vendor’s process for flagging and removing leads where consent documentation is incomplete
A 2025 report by the National Consumer Law Center found that a significant share of TCPA class actions involved leads purchased from third-party aggregators, where no one could trace consent documentation to the individual consumer.
Component 4: Revocation Tracking
When someone says stop, the floor must log that request and act on it right away. This includes a phone request, a STOP text, or a verbal ask on a call. Any call made after that counts as a willful violation, subject to a $1,500 penalty per call.
Therefore, this tracking must be automatic. Agents should not have to update a CRM by hand during a live call. PACE survey data shows manual tracking played a role in 35% of repeat-contact TCPA complaints.
DNC Compliance: The Scrubbing Infrastructure
DNC compliance is simpler than consent compliance. However, it breaks more often from missed steps than on purpose. Five parts make up a strong scrubbing setup.
Component 1: Federal DNC Registry access. Teams access the registry through the FTC’s TSR portal. The FTC bases fees on area codes. Every area code in the campaign must be covered, not just the busiest states.
Component 2: Automated scrub at list upload. The team must scrub every lead list before making any call. This includes bought lists, marketing leads, and CRM re-engagement lists. The scrub must be automatic. Manual scrubbing gets skipped under pressure and does not create strong records.
Component 3: 31-day re-scrub. The DNC Registry updates every month. As a result, a lead scrubbed on day 1 that sits in the queue until day 32 may face outdated data. Active leads need re-scrubs every 31 days.
Component 4: State DNC registry scrubbing. Twelve states run their own registries apart from the federal list. Campaigns calling into California, Texas, Florida, and nine other states must check each state individually. This is the step most multi-state operations miss.
Component 5: Internal DNC list. The team must add people who request removal to an internal list immediately. They must stay on it for at least 5 years per the TSR. This list is separate from federal and state registries and must be checked against every new lead list.
TCPA Compliance in a Managed BPO Operation: Who Is Responsible for What
A common mistake in BPO relationships is failing to determine who owns TCPA compliance when the vendor’s agents make the calls.
The answer is simple but hard to hear. The client keeps the liability. It does not matter if in-house agents or the vendor’s agents place the calls. FCC rulings and court cases confirm this. The vendor is not the caller of record. The client is.
If the vendor scrubs poorly, calls at the wrong time, or dials without consent, the client shares the blame. A contract can say the vendor will cover losses. However, that only creates a right to recover money. It does not erase the client’s TCPA exposure.
The following should be verified in a vendor’s compliance infrastructure:
- Consent process: How does the vendor check that each lead has documented consent before dialing?
- DNC scrubbing: Does the vendor scrub on its own, or use the client’s list? How often? Which registries?
- Calling windows: Does the dialer set timezone rules, or do agents handle them?
- ATDS records: What records exist for how numbers load into and move through the dialer?
- Compliance monitoring: What share of calls does the vendor check for required disclosures, abandoned call messages, and verbal removal requests?
A vendor who cannot answer all five with real details, not just policy talk, does not have the setup to justify the risk the client carries.
The Compliance Documentation Stack: What to Maintain and for How Long
TCPA compliance is not just about what you do. It is about what you can prove. Five records are needed, each with a set time limit.
- Consent records. The team must save every submission with a timestamp, IP address, consent words, and lead ID. Keep them for 4 years past the last contact. The TCPA statute of limitations is 4 years. The team must pull records per lead, not as totals.
- DNC scrub logs. Save logs of every scrub: date, list name, registries checked, and the number of records blocked. Keep them for 5 years. The TSR safe harbor defense requires these logs.
- Calling window logs. The dialer must produce records showing that agents placed calls within the correct time window for each timezone. Keep them for 4 years. Manual logs do not count because they cannot be independently verified.
- Internal DNC list records. Log every removal request: how it came in, the date, the lead ID, and when the lead left the active dialing queue. Keep these for at least 5 years.
- QA monitoring records. The team must keep call recordings and QA scores for at least 2 years. In a TCPA dispute, being able to pull up a call and show that the agent used compliant language is a key part of the defense.
Build this stack before you need it. Otherwise, trying to put records together after a demand letter shows up costs more and looks worse.
TCPA Compliance by Vertical: Where the Specific Risks Are Highest
TCPA risk varies widely across verticals. Lead sourcing, additional regulations, and lawsuit patterns differ significantly. WebRecon’s annual report shows these verticals are hit the hardest.
Debt Settlement
Debt settlement is one of the top TCPA lawsuit targets. Call volume is high. Prospects are under financial stress and may chase statutory damages. Leads often come from shared networks with weak consent records. As a result, some of the biggest TCPA settlements ever came from this space.
Key priorities: Audit consent on every lead source. Use automated DNC scrubbing with no manual override. Log every verbal removal request. Run QA checks on the disclosures the FTC requires for debt relief.
Tax Relief
Tax relief has a similar risk profile. Prospects are stressed, volume is high, and leads come from shared sources. Moreover, the urgency of IRS notices can push teams to call too early or too often.
Key priorities: Watch calling windows closely. These prospects are on edge and notice when calls feel too aggressive.
Mortgage and Refinance
Mortgage falls under both TCPA and the FTC’s MAP Rule. QA must check for banned claims about mortgage products, in addition to the standard TCPA language. Rate changes drive fast follow-up, which can push the abandoned call rate past 3%.
Insurance
State rules add another layer on top of federal TCPA rules for insurance. Some states limit how insurance can be sold by phone beyond federal law. Therefore, multi-state campaigns need a state-by-state review that most TCPA guides skip.
Solar and Home Services
Solar has seen one of the biggest TCPA lawsuit waves in the past three years. The shared-lead model, where one form is sold to multiple buyers, makes it hard to prove which buyer holds valid consent. The consent words may not cover every company in the network.
What Changes When a Managed BPO Operator Handles Compliance
When the floor handles compliance in-house, every part of the stack must be built and run with your own team. For a floor of 20 to 50 agents calling across states and verticals, that takes real time and money.
A strong managed BPO operator builds this into every campaign. It is not an add-on.
What should be covered by the operator’s compliance infrastructure:
- Consent verification at lead intake: before any lead enters the dialing queue, the operator verifies the documented consent status against intake standards
- Automated DNC scrubbing: federal and state registries, at upload and at 31-day intervals, with logged output
- Timezone-enforced calling windows: automated at the dialer level, not dependent on agent compliance
- Abandoned call rate monitoring: real-time tracking with automated pacing adjustment
- QA monitoring of compliance language: on 100% of calls through AI-assisted review, with human review on flagged calls
- Revocation logging: automated suppression within minutes of a do-not-call request, regardless of channel
- Documentation maintenance: consent records, scrub logs, QA records, and calling window logs are maintained in exportable format for the client’s compliance records
The client still owns the liability for calls on their leads. But a managed operator with this setup gives them records that support a defense. In addition, it reduces the risk of mistakes that lead to lawsuits.
This is a very different setup from running compliance in-house by hand or stacking vendors, where no one clearly owns it.
Building a TCPA Compliance Checklist for Your Floor
This checklist covers the compliance basics for a high-volume outbound floor. It is not a legal audit. Instead, it is a self-check to find the gaps most likely to cause problems.
Consent and Documentation
- [ ] A TCPA attorney has reviewed consent language for every lead source in the last 12 months
- [ ] The team saves consent records per lead with timestamp, IP, and consent words
- [ ] Vendor consent records have been checked before purchase, with consent language and process confirmed
- [ ] Revocation tracking is automatic; the system logs STOP texts, verbal requests, and written requests, and acts on them fast
DNC Compliance
- [ ] Federal DNC Registry subscription is active and covers all area codes in the campaign
- [ ] State DNC registries are set up for every state in the calling area
- [ ] The team scrubs leads at upload with a logged timestamp
- [ ] Re-scrubs run every 31 days for long campaigns
- [ ] The team maintains an internal DNC list and checks it against every new lead list
Calling Operations
- [ ] The dialer sets calling windows based on the prospect’s timezone, not the floor’s
- [ ] State calling rules are flagged and enforced in the dialer
- [ ] The team tracks the abandoned call rate live, and pacing adjusts before hitting 3%
- [ ] A recorded ID message plays on abandoned calls
QA and Monitoring
- [ ] The team checks compliance language on at least 10% of calls (100% with AI QA)
- [ ] Verbal removal requests are part of agent training and QA scoring
- [ ] The team keeps call recordings for at least 2 years in a format that can be pulled and shared
Documentation Retention

- [ ] Consent records: 4+ years
- [ ] DNC scrub logs: 5+ years
- [ ] Internal DNC list: 5+ years
- [ ] QA compliance records: 2+ years
- [ ] Calling window logs: 4+ years
Any box left unchecked is a gap. The more calls you run against it, the bigger the risk.
Frequently Asked Questions
What is TCPA compliance for outbound call centers?
What is the penalty for a TCPA violation?
What is prior express written consent under TCPA?
How often does a lead list need to be scrubbed against the DNC Registry?
Is a predictive dialer classified as an ATDS under TCPA?
Can TCPA liability be transferred to a BPO vendor through a contract?
What is a TCPA safe harbor?
Conclusion: The Operational Reality of TCPA Compliance in 2026
TCPA compliance is not a one-time task. It is an ongoing process built into the floor. It starts when a lead comes in, runs through the moment a call is placed, and lasts for years after.
Here is what this guide covered:
- Risk is counted per call. At $500 to $1,500 per violation, a busy floor’s total exposure can run into the millions. WebRecon data shows 2,628 TCPA cases were filed in 2025, up 60% from 2024. Early 2026 filings are running 26.8% ahead of last year.
- Five gaps cause most of the risk. Consent records, DNC scrubbing, ATDS classification, calling windows, and abandoned call rates. All five must be addressed.
- Consent records are the foundation. Without written consent that names the company, discloses autodialing, states that no purchase is needed, and logs a timestamp and IP address, every autodialed cell phone call is a potential violation.
- The client is liable, not the vendor. In a BPO setup, the party whose product was sold on the call holds the risk. A contract does not move that.
- Records must exist before they are needed. Consent records (4+ years), DNC scrub logs (5+ years), calling window logs (4+ years), internal DNC records (5+ years), and QA records (2+ years) must be kept and ready per lead.
TCPA lawsuits and enforcement will keep rising as call volumes grow and more people learn about statutory damages. The FCC’s 2024 ruling on AI-generated calls and changes to ATDS rules will keep reshaping the landscape. Floors with strong infrastructure, documented consent, automated scrubbing, timezone-based calling windows, and full QA monitoring are set to scale. Floors without it will find the cost of non-compliance grows with every dial.



