Telephone Consumer Protection Act (TCPA)
Overview
The Telephone Consumer Protection Act (TCPA) of 1991 (47 USC Sec. 227) restricts telemarketing practices, autodialed calls, prerecorded messages, text messages, and unsolicited faxes. Enforced by the Federal Communications Commission (FCC), the TCPA protects consumers from unwanted communications and provides a private right of action for violations.
Primary Authority: Federal Communications Commission (FCC)
Statutory Citation: 47 USC Sec. 227
Regulatory Citation: 47 CFR Part 64 Subpart L
Effective Date: December 20, 1991
Scope and Applicability
Covered Communications
Telephone Calls:
- Calls to residential landlines
- Calls to mobile/cell phones
- Autodialed calls using ATDS (automatic telephone dialing system)
- Prerecorded voice messages
- Artificial voice calls
Text Messages (SMS/MMS):
- Marketing/advertising text messages
- Promotional texts to cell phones
- Autodialed text messages
- Text messages treated identically to voice calls under TCPA
Fax Advertisements:
- Unsolicited advertisements sent via fax
- Requires prior express permission or EBR (established business relationship)
Who Must Comply
All entities engaged in:
- Telemarketing to consumers
- Marketing calls/texts to cell phones
- Autodialed or prerecorded calls
- Fax advertising
- Lead generation for telemarketers
Includes:
- Businesses of any size
- Nonprofits (partial exemption)
- Debt collectors
- Healthcare providers (appointment reminders)
- Educational institutions (recruiting)
- Political campaigns (exemption for certain calls)
Liability extends to:
- Direct callers/marketers
- Entities on whose behalf calls made
- Lead generators
- Platform providers facilitating calls
Key Requirements
1. Prior Express Written Consent (47 CFR Sec. 64.1200(f))
For Autodialed/Prerecorded Calls to Cell Phones:
Consent must be:
- In writing (electronic or paper signature)
- Signed by consumer
- Clearly authorize calls using ATDS or artificial/prerecorded voice
- Specify phone number to which calls may be made
- Disclose that consent not required as condition of purchase
What constitutes valid consent:
- Written agreement with clear language
- Electronic signature (E-SIGN Act compliant)
- Opt-in checkbox on website (with proper disclosures)
- Signed contract provision specifically authorizing calls
Consent cannot:
- Be required as condition of purchase (unless related to purchased product)
- Be bundled with other authorizations without clear separation
- Include pre-checked boxes or default opt-ins
One-to-One Consent Rule (Effective January 27, 2025):
- Consent obtained on website or online form limited to single seller only
- Platform/lead generator cannot share consent with multiple sellers
- Separate consent required for each distinct seller
- Consent must identify specific seller authorized to call
- Eliminates consent sharing in lead generation
Revocation Rights:
- Consumer can revoke consent at any time
- Revocation effective through any reasonable means:
  - Verbal request during call
  - Written request
  - Email to seller
  - Text message "STOP" reply
  - Indication through automated system
- Must honor revocation in reasonable time (generally immediately)
2. National Do Not Call Registry (47 CFR Sec. 64.1200(c))
Consumer Registration:
- Free registration at DoNotCall.gov or 1-888-382-1222
- Permanent registration (no expiration since 2008)
- Effective 31 days after registration
Telemarketer Obligations:
- Access registry at least every 31 days
- Scrub calling lists against registry
- Do not call numbers on registry (unless exemption applies)
- Maintain internal Do Not Call list
Safe Harbor Requirements:
- Access National Registry every 31 days or less
- Maintain internal Do Not Call list of consumer requests
- Train personnel on Do Not Call requirements
- Honor opt-out requests within reasonable time (30 days maximum)
- Document compliance procedures
Exemptions from Registry:
- Calls with prior express written consent
- Established business relationship (EBR):
  - Purchase/transaction within 18 months, OR
  - Inquiry/application within 3 months
- Tax-exempt nonprofit organizations
- Political organizations
- Survey/polling (no marketing pitch)
3. Time of Day Restrictions (47 CFR Sec. 64.1200(c)(1))
Prohibited Call Times:
- Before 8:00 AM local time of recipient
- After 9:00 PM local time of recipient
Applies to:
- All telemarketing calls
- Autodialed calls
- Manually dialed marketing calls
Time Zone Determination:
- Recipient's local time, not caller's time
- Must determine recipient's time zone before calling
4. Caller Identification Requirements (47 USC Sec. 227(e))
Required Information:
- Transmit name of caller or business
- Transmit phone number that can receive return calls
- Number must be answered during normal business hours
- Caller ID must not be blocked or falsified
Truth in Caller ID Act:
- Prohibits caller ID spoofing with intent to defraud
- Cannot manipulate caller ID to hide identity
- Spoofing violations: $10,000 per violation
5. Identification and Opt-Out Requirements
During Telemarketing Calls (47 CFR Sec. 64.1200(d)):
- Identify seller/entity promptly
- Provide phone number or address where seller can be contacted
- For prerecorded calls: provide automated opt-out mechanism
- Must offer Do Not Call opt-out in each call
For Text Messages:
- Clear identification of sender
- Free opt-out mechanism ("Reply STOP")
- Must honor opt-out immediately
- Cannot charge for opt-out message
6. Prerecorded Message Requirements (47 CFR Sec. 64.1200(a)(2))
For Calls to Residential Lines:
- Announce identity of caller at beginning
- Provide phone number or address during or after message
- Offer automated interactive opt-out during message:
  - Available throughout message and for 5 seconds after
  - Automated system to record opt-out
  - Added to Do Not Call list within 30 days
For Calls to Cell Phones:
- Prior express written consent required (subject to consent rules above)
- Must include opt-out mechanism
- Same identification requirements
Exemptions
Communications Exempt from TCPA
1. Emergency Calls:
- Calls for public safety or emergency purposes
- Natural disaster warnings
- Emergency notifications from schools/government
2. Healthcare-Related Communications:
- HIPAA-compliant appointment reminders (with prior consent)
- Prescription notifications
- Test result notifications
- Healthcare treatment information (non-marketing)
3. Informational Calls to Existing Customers:
- Package delivery notifications
- Flight status updates
- Appointment confirmations
- Account status (non-marketing)
- Fraud alerts
4. Tax-Exempt Nonprofit Organizations:
- Charitable fundraising calls
- Political organizations (501(c)(3), (c)(4))
- Not exempt from Do Not Call registry requirements if using paid solicitors
5. Political Calls:
- Campaign calls from candidates/parties
- Political surveys
- Exempt from Do Not Call registry
- Still subject to time restrictions and caller ID
6. Survey and Polling:
- Market research with no marketing pitch
- Opinion polls
- Cannot include sales pitch or lead to transfer to sales
Consent Management
Obtaining Valid Consent
Written Consent Requirements:
Must include:
- Clear authorization for calls using ATDS or prerecorded voice
- Specific phone number(s) to be called
- Signature (electronic or physical)
- Disclosure: "By providing my phone number, I agree to receive calls/texts using automated technology. Consent is not a condition of purchase."
Best Practices:
- Separate consent checkbox for TCPA (not bundled with other agreements)
- Clear, conspicuous language
- Timestamp and IP address for electronic consent
- Retain consent records for compliance proof
Invalid Consent Examples:
- Pre-checked boxes
- Consent buried in terms of service
- Consent as mandatory condition unrelated to service
- Vague language not specifying call technology
One-to-One Consent Rule (Effective January 27, 2025)
FCC December 2023 Declaratory Ruling:
Key Changes:
- Consent obtained through online forms limited to one seller only
- Lead generators cannot share consent with multiple sellers
- Each seller must obtain separate, individual consent
- Consent must clearly identify the specific seller
Impact on Lead Generation:
- Platforms cannot sell/share consumer consent to multiple buyers
- Consumer must provide consent directly to each seller
- Separate checkboxes required for each seller on shared platforms
Compliance Date: January 27, 2025
Managing Revocation
Consumer Rights:
- Can revoke consent at any time
- Through any reasonable method:
  - Verbal request during call
  - Written notice
  - Email
  - Text reply "STOP"
  - Through customer portal/website
Business Obligations:
- Honor revocation immediately or within reasonable time
- Update calling lists promptly
- Document revocation
- No retaliation or negative consequences for revocation
- Do not require specific revocation method
National Do Not Call Registry
Registry Operations
Consumer Portal: DoNotCall.gov
Phone Registration: 1-888-382-1222
Maintained by: Federal Trade Commission (FTC), enforced by FTC and FCC
Registration:
- Free for consumers
- Permanent (no expiration since 2008 regulations)
- Effective 31 days after registration
- Can register cell phones and landlines
Telemarketer Compliance
Access Requirements:
- Download registry data at least every 31 days
- Scrub calling lists against registry before calling
- Maintain documentation of registry access
Safe Harbor Protection:
To qualify for safe harbor from penalties:
- Access National Registry every 31 days or less
- Maintain company-specific Do Not Call list of opt-out requests
- Train personnel on Do Not Call compliance
- Maintain written procedures
- Honor consumer opt-outs within 30 days
Penalties for Registry Violations:
- FTC penalties up to $51,744 per violation (2024 adjusted)
- FCC forfeitures up to $50,120 per violation (2024 adjusted)
- State AG enforcement actions
- Each unlawful call is separate violation
Enforcement and Penalties
Private Right of Action (47 USC Sec. 227(b)(3))
Consumer Lawsuits:
- Statutory damages: $500 per violation
- Treble damages: Up to $1,500 per violation for willful/knowing violations
- Actual damages: If higher than statutory
- Attorney's fees: Available in some courts
- Class actions: Permitted (major risk for businesses)
Statute of Limitations: 4 years from violation
"Per Violation" Defined:
- Each call/text is separate violation
- Multiple calls to same number = multiple violations
- Class actions can result in millions in liability
Notable Class Action Settlements:
- Dish Network: $280 million (2017) - largest TCPA settlement
- Capital One: $75 million (2020) - autodialed debt collection calls
- Jiffy Lube: $47 million (2016) - marketing text messages
- Papa John's: $16.5 million (2014) - text message marketing
FCC Enforcement
Administrative Actions:
- Notices of Apparent Liability (NALs)
- Forfeitures up to $50,120 per violation (2024 adjusted amount)
- Consent decrees
- Referral to DOJ for criminal prosecution
Recent FCC Enforcement:
- Rising Broadband: $30 million settlement (2023) - illegal robocalls
- U.S. Telecom Hub: $10 million forfeiture (2024) - foreign scam calls
- Sumco Panama: $10 million forfeiture (2024) - illegal spoofed robocalls
TRACED Act Enhanced Authority (2019):
- FCC can impose forfeitures without prior warning for intentional violations
- Enhanced penalty amounts
- Faster enforcement process
- Focus on illegal robocall operations
FTC Enforcement
Authority:
- Enforces Do Not Call Registry violations
- Enforces TSR (Telemarketing Sales Rule) violations
- Consumer protection enforcement
Penalties:
- Up to $51,744 per violation (2024 adjusted)
- Injunctive relief
- Consumer redress
State Attorney General Enforcement
Concurrent State Jurisdiction:
- State consumer protection laws
- State-specific telemarketing statutes
- Do Not Call violations
Massachusetts Enforcement (Example):
- MGL Chapter 159C (state telemarketing law)
- MGL Chapter 93A (consumer protection)
- State Do Not Call registry
- AG can seek civil penalties and injunctive relief
Technology and Innovation
STIR/SHAKEN Call Authentication
Secure Telephone Identity Revisited (STIR) / Signature-based Handling of Asserted Information Using toKENs (SHAKEN):
Purpose: Combat caller ID spoofing and illegal robocalls
Requirements (Effective June 2021):
- Voice service providers must implement call authentication
- "Signed" calls verify originating phone number is legitimate
- Three attestation levels:
  - A: Full attestation (provider authenticated caller and number)
  - B: Partial attestation (authenticated caller, not number)
  - C: Gateway attestation (foreign call, limited verification)
Consumer Benefits:
- Reduced spoofed robocalls
- Improved caller ID accuracy
- Network-level blocking of unverified calls
Robocall Mitigation Database
FCC Requirement (2021):
- All voice service providers must register
- Submit robocall mitigation plan
- Implement STIR/SHAKEN or alternative mitigation
- Carriers can block calls from non-compliant providers
Database Access: https://fccprod.servicenowservices.com/rmd
Call Blocking Technologies
FCC Safe Harbors for Blocking:
- Carriers can block calls from invalid numbers
- Carriers can block unverified calls if consumer opts in
- Consumers can use network-level and app-based call blocking
Third-Party Solutions:
- Call screening apps
- Carrier-provided blocking services
- "Verified Calls" display features
Massachusetts-Specific Requirements
State Telemarketing Law (MGL Ch. 159C)
Massachusetts Do Not Call Registry:
- Separate state registry maintained by Attorney General
- Telemarketers must check both state and national registries
- Violations enforced by Massachusetts AG
Telemarketer Registration:
- Must register with AG before operating in Massachusetts
- Annual renewal required
- Surety bond requirement
- Filing fees apply
Disclosure Requirements:
- Must identify as telemarketer at beginning of call
- Must state purpose of call
- Must provide seller's name and contact information
Penalties:
- Up to $5,000 per violation
- Enforcement by AG under MGL Ch. 93A
- Private right of action available
Massachusetts Attorney General Enforcement
Consumer Protection Division:
- Actively pursues TCPA and state telemarketing violations
- Coordination with FCC on federal enforcement
- Focus on scams targeting elderly residents
Recent Actions:
- Multistate settlements on illegal robocalls
- Enforcement against debt collectors violating TCPA
- Consumer education campaigns on robocall blocking
Compliance Best Practices
Consent Management
- Obtain express written consent before autodialed/prerecorded calls to cell phones
- Use clear, unambiguous consent language
- Maintain consent records (who, when, how, what phone number)
- Implement one-to-one consent (effective January 2025)
- Honor revocation immediately through any reasonable means
- Separate TCPA consent from other agreements
Do Not Call Compliance
- Access National Registry every 31 days
- Maintain internal Do Not Call list
- Scrub calling lists before campaigns
- Honor opt-outs within 30 days (immediately if possible)
- Train staff on Do Not Call procedures
- Document compliance (registry access, opt-out requests)
Calling Practices
- Respect time restrictions (8 AM - 9 PM recipient local time)
- Display accurate caller ID (no spoofing)
- Identify caller/seller at beginning of call
- Provide opt-out mechanism in every call
- Maintain call records for compliance verification
- Verify phone numbers before calling (wireless vs. landline)
Text Message Compliance
- Obtain prior express written consent before marketing texts
- Provide free opt-out ("Reply STOP" in every message)
- Honor opt-outs immediately
- Identify sender clearly
- Don't charge for opt-out messages
- Keep messages concise and non-deceptive
Vendor Management
- Vet third-party callers/texters for TCPA compliance
- Contractually require TCPA compliance
- Monitor vendor practices regularly
- Verify consent source and quality for purchased leads
- Audit vendor call recordings for compliance
- Maintain vicarious liability awareness (responsible for vendor violations)
Record Retention
Maintain records of:
- Consent forms (electronic and written)
- Do Not Call list access logs
- Internal Do Not Call list with opt-out dates
- Call recordings (if available)
- Text message logs
- Training records for personnel
- Vendor compliance audits
Retention Period: Minimum 4 years (statute of limitations)
Industry-Specific Considerations
Healthcare
HIPAA Interaction:
- TCPA consent separate from HIPAA authorization
- Healthcare marketing requires both TCPA consent and HIPAA authorization
- Appointment reminders permitted with prior consent
Best Practices:
- Obtain TCPA consent at patient intake
- Use patient-preferred contact method
- Limit automated calls to treatment-related communications
- Provide easy opt-out for non-essential communications
Financial Services
Debt Collection:
- FDCPA compliance does not exempt from TCPA
- Prior express consent required for autodialed calls to cell phones
- Verification of phone number ownership critical
- High risk of TCPA class actions in debt collection
Account Servicing:
- Fraud alerts and account notifications may qualify as informational (non-marketing)
- Marketing calls require consent
- Clear distinction between servicing and marketing
Retail and E-Commerce
Order Confirmations:
- Transactional messages generally exempt
- Upselling in confirmation message may trigger TCPA
- Shipping notifications typically exempt if purely informational
Marketing Campaigns:
- SMS campaigns require prior express written consent
- One-to-one consent rule critical for lead generation
- E-commerce checkout consent language must comply with TCPA
Education
Student Recruitment:
- Recruiting calls to prospective students require consent
- Alumni fundraising may qualify for exemption if nonprofit
- Marketing degree programs via text requires TCPA consent
Related Federal Laws
Telemarketing Sales Rule (TSR) - 16 CFR Part 310:
- FTC regulation complementing TCPA
- Prohibits deceptive telemarketing practices
- Additional Do Not Call requirements
Truth in Caller ID Act (47 USC Sec. 227(e)):
- Prohibits caller ID spoofing
- Enforced by FCC
- $10,000 penalties per violation
CAN-SPAM Act:
- Governs commercial email (not voice calls)
- Some similar opt-out requirements
- Enforced by FTC
Fair Debt Collection Practices Act (FDCPA):
- Regulates debt collector communications
- TCPA applies in addition to FDCPA
- Both laws must be followed for debt collection calls
Regulatory Resources
Federal Resources
FCC TCPA Resources:
- https://www.fcc.gov/consumer-governmental-affairs/guide/telemarketing-and-robocalls
- https://www.fcc.gov/tcpa
National Do Not Call Registry:
- Consumer registration: https://www.donotcall.gov/
- Telemarketer compliance: https://telemarketing.donotcall.gov/
FCC Robocall Mitigation Database:
- https://fccprod.servicenowservices.com/rmd
FTC Telemarketing Resources:
- https://www.ftc.gov/news-events/topics/protecting-consumers/telemarketing-robocalls
Massachusetts Resources
Massachusetts Attorney General:
- Consumer Protection Division: https://www.mass.gov/orgs/consumer-protection-and-antitrust-division
- Massachusetts Do Not Call information: https://www.mass.gov/info-details/learn-about-do-not-call-laws
Massachusetts Telemarketing Registration:
- Office of Consumer Affairs and Business Regulation
- Telemarketer registration portal
Legal Citations
Primary Statute: 47 USC Sec. 227
Implementing Regulations: 47 CFR Part 64 Subpart L
Massachusetts State Law: MGL Ch. 159C
Summary
TCPA compliance requires comprehensive consent management, Do Not Call registry compliance, respect for time restrictions, accurate caller identification, and robust opt-out mechanisms. With statutory damages of $500-$1,500 per violation and class action risk, TCPA is one of the highest-risk compliance areas for businesses engaging in telemarketing, text messaging, or automated calling.
The 2023 one-to-one consent rule (effective January 2025) fundamentally changes lead generation practices, requiring separate consent for each seller. Businesses must implement strong consent tracking, vendor oversight, and calling procedures to avoid costly TCPA litigation.