Visitor identification gives you something powerful: the ability to call someone who just browsed your website, without them ever filling out a form. But that power comes with responsibility. The Telephone Consumer Protection Act (TCPA) is one of the most heavily litigated consumer protection laws in the United States — and violations can result in statutory damages of $500–$1,500 per call.

The good news: TCPA compliance for visitor identification is entirely achievable. It requires understanding a handful of core rules, using DNC data correctly, and building a consent infrastructure that holds up to scrutiny. This guide covers exactly that.

TCPA Penalties at a Glance

$500 per negligent violation · $1,500 per willful violation · No cap on class action exposure · Private right of action (anyone can sue) · No pre-litigation settlement requirement


TCPA Basics Every Marketer Must Know

The TCPA was passed in 1991 and has been significantly expanded through FCC rulemaking and court decisions since. At its core, the law restricts three types of contact:

  • Calls and texts to mobile numbers using an ATDS (automatic telephone dialing system) without prior express consent
  • Calls and texts to any number on the National DNC Registry without a prior business relationship or express invitation
  • Pre-recorded voice message calls without prior express written consent

For visitor identification specifically, the relevant concern depends on how you plan to follow up:

Manual calls (human dialing)

Lower TCPA risk. Still must respect the National DNC Registry. No automated dialing system involved, so consent requirements are less stringent.

Ringless voicemails / texts

Higher risk. The FCC has signaled that ringless voicemails constitute calls. Text messages to identified mobile numbers require prior express written consent.

Auto-dialers (ATDS)

Highest risk. Calling mobile numbers with any automated system requires prior express written consent — even for numbers not on the DNC.

Email outreach

Not covered by TCPA. Governed by CAN-SPAM instead, which is significantly less restrictive. Email is the lowest-friction starting point for cold outreach.


How to Read and Use DNC Flags

Every phone number in Kopimore's identity graph is matched against the National Do Not Call Registry and flagged accordingly. Understanding what these flags mean — and how to act on them — is the most practical compliance step you can take.

National DNC Registry

The FTC's National DNC Registry contains phone numbers that consumers have registered to avoid telemarketing calls. Calling a registered number without an established business relationship (EBR) or express invitation can result in $50,120 per violation (FTC civil penalties).

How Kopimore flags it: Records include a dnc_flag field. If dnc_flag = true, the number is on the National DNC Registry. You should not call or text this number for marketing purposes unless you have an EBR with this person.

Established Business Relationship (EBR) Exception

You can call a DNC-registered number if you have a prior business relationship — defined as a purchase or transaction within the past 18 months, or an inquiry from the consumer within the past 3 months. If a visitor who is in your customer database visits your site, the EBR exception likely applies.

Internal DNC Suppression

You must also maintain your own internal DNC list and honor it for at least 5 years. Anyone who asks not to be called must be added immediately. Load this list into your CRM and configure your identification workflow to suppress these contacts before routing new records to your sales team.

Practical tip: Build your suppression check into the CRM automation, not the sales workflow. If your reps are manually checking DNC status, you will have violations. Automate the suppression so records that shouldn't be contacted never reach the sales queue.


The safest TCPA position for calling identified visitors by phone is to obtain prior express written consent before making automated calls or sending texts. Here's how to build that consent infrastructure.

What Counts as Prior Express Written Consent

Under the TCPA, prior express written consent (PEWC) must include:

  • A clear and conspicuous disclosure that the consumer authorizes being contacted via calls/texts using an ATDS or pre-recorded messages
  • The consumer's phone number provided directly by the consumer
  • A signature (electronic counts — checking a box, clicking "agree", etc.)
  • Not bundled with consent to purchase anything (consent must be a standalone acknowledgment)

One-to-One Consent (FCC 2024 Rule)

The FCC's 2024 ruling significantly tightened consent requirements. Lead generators can no longer use a single consent disclosure to authorize calls from multiple companies. Consent must now be specific to one company at a time. If you're using a third-party lead gen platform that uses bundled consent language, verify they've updated their disclosures.

Website Consent Best Practices

If you want to call identified visitors using automated systems, add clear consent language to your site:

  • Consent checkbox on any form (contact form, quote request, scheduling tool)
  • Disclosure must specifically name your company
  • Language example: "By clicking Submit, I consent to receive calls and text messages from [Company Name] at the number I provided, using automated technology, even if my number is on the DNC registry. Consent is not a condition of purchase."
  • Pre-checked boxes do NOT create valid consent — the consumer must actively check the box

A Safe Outreach Framework for Identified Visitors

Given the compliance landscape, here's the approach we recommend for contacting identified visitors:

Layer 1: Email First (Lowest Risk)

CAN-SPAM governs commercial email, not TCPA. A well-crafted initial email to an identified visitor is legal without prior consent — it just needs to include accurate sender info, a physical address, and an unsubscribe mechanism. Start here. Email warms the conversation and establishes your legitimacy before a phone call.

Layer 2: Manual Call to Non-DNC Numbers

For visitors whose numbers are not on the DNC registry, a manual (human-dialed) call is generally permissible without prior consent. Respect calling hours (8am–9pm in the recipient's time zone), leave a clear voicemail identifying yourself, and honor any opt-out requests immediately.

Layer 3: Automated Contact Only With Consent

Reserve automated dialing, robocalls, and text messages for contacts who have explicitly consented through your website or a prior interaction. If you don't have that consent, don't use automated systems — the liability exposure isn't worth it.

State-level consideration: Florida, Oklahoma, and several other states have state-level telemarketing laws that are stricter than federal TCPA. If your business is in or targets residents of these states, consult with a TCPA attorney about additional requirements.


Documentation and Record-Keeping

In TCPA litigation, the burden is often on the defendant to prove they had consent or a valid exemption. Your record-keeping is your defense.

  • Log every call with timestamp, number dialed, and agent ID
  • Retain consent records for at least 4 years (the TCPA statute of limitations)
  • Document DNC checks — timestamp when you pulled the DNC list and verified the number
  • Track opt-outs — when received, when applied to suppression list, who processed it
  • Audit your consent language at least quarterly — FCC rules evolve

Using Kopimore's DNC Data in Your Records

Every API response and CSV export from Kopimore includes a dnc_flag field and a dnc_checked_at timestamp. Store both in your CRM alongside the contact record. If you're ever in litigation, this documentation shows you performed due diligence before calling.
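The automated suppression recommended earlier and the record-keeping described here can live in one gate that runs before a record reaches the sales queue. The sketch below is an added example, not Kopimore's code: only dnc_flag and dnc_checked_at come from the article, while route, the other record fields (phone, utc_offset_hours, last_purchase_at, last_inquiry_at, pewc) and all sample data are hypothetical. It follows checklist item 1 strictly, so consent does not override a DNC flag, and it fails closed when the flag is missing.

```python
import calendar
from datetime import datetime, timedelta, timezone

def months_before(d, n):
    """Calendar-month subtraction, clamping the day to the target month's length."""
    y, m0 = divmod(d.year * 12 + d.month - 1 - n, 12)
    return d.replace(year=y, month=m0 + 1, day=min(d.day, calendar.monthrange(y, m0 + 1)[1]))

def has_ebr(rec, now):
    """EBR per the article: purchase within 18 months or inquiry within 3 months."""
    bought, asked = rec.get("last_purchase_at"), rec.get("last_inquiry_at")
    return bool((bought and bought >= months_before(now, 18)) or
                (asked and asked >= months_before(now, 3)))

def route(rec, internal_dnc, now):
    """Return (allowed_channels, audit_row) for one identified-visitor record."""
    allowed, reasons = ["email"], []             # Layer 1: email falls under CAN-SPAM
    local = now + timedelta(hours=rec["utc_offset_hours"])  # recipient wall-clock time
    if rec["phone"] in internal_dnc:
        reasons.append("internal_dnc")           # an opt-out blocks every phone channel
    elif rec.get("dnc_flag", True) and not has_ebr(rec, now):
        reasons.append("national_dnc_no_ebr")    # a missing flag is treated as flagged
    elif not 8 <= local.hour < 21:
        reasons.append("outside_calling_hours")  # 8am-9pm in the recipient's time zone
    else:
        allowed.append("manual_call")            # Layer 2: human-dialed call
        if rec.get("pewc"):
            allowed.append("automated")          # Layer 3: written consent on file
        else:
            reasons.append("no_pewc_for_automated")
    audit = {"phone": rec["phone"], "dnc_flag": rec.get("dnc_flag"),
             "dnc_checked_at": rec.get("dnc_checked_at"), "decided_at": now.isoformat(),
             "allowed": allowed, "reasons": reasons}
    return allowed, audit

# Constructed sample data; 555-01xx numbers are reserved for fictional use.
NOW = datetime(2025, 6, 2, 18, 0, tzinfo=timezone.utc)
INTERNAL_DNC = {"+12025550104"}
CHECKED = "2025-06-01T00:00:00Z"
RECORDS = [
    {"phone": "+12025550101", "dnc_flag": False, "dnc_checked_at": CHECKED, "utc_offset_hours": -5},
    {"phone": "+12025550102", "dnc_flag": True, "dnc_checked_at": CHECKED, "utc_offset_hours": -5},
    {"phone": "+12025550103", "dnc_flag": True, "dnc_checked_at": CHECKED, "utc_offset_hours": -5,
     "pewc": True, "last_purchase_at": datetime(2024, 3, 1, tzinfo=timezone.utc)},
    {"phone": "+12025550104", "dnc_flag": False, "dnc_checked_at": CHECKED, "utc_offset_hours": -5, "pewc": True},
    {"phone": "+12025550105", "dnc_flag": False, "dnc_checked_at": CHECKED, "utc_offset_hours": 9},
]

if __name__ == "__main__":
    for r in RECORDS:
        print(route(r, INTERNAL_DNC, NOW)[1])
```

Store the returned audit row with the contact record so the DNC check and the routing decision are both timestamped.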


TCPA Compliance Checklist for Visitor Intelligence

  1. Never call or text numbers with dnc_flag = true for marketing purposes (without EBR)
  2. Maintain an internal DNC list and honor opt-outs within 30 days (FTC requires this)
  3. Only use ATDS or pre-recorded calls to numbers with prior express written consent
  4. Update consent language to be one-to-one (FCC 2024 rule)
  5. Call only between 8am–9pm in recipient's local time zone
  6. Log all calls with timestamps and agent IDs
  7. Retain consent records for at least 4 years
  8. Train all agents on TCPA requirements annually
  9. Review state-level telemarketing laws for key markets
  10. Consult with a TCPA attorney before launching any high-volume outbound program

Disclaimer: This article is for informational purposes only and does not constitute legal advice. TCPA compliance is complex and fact-specific. Consult a qualified attorney before making compliance decisions for your business.

Compliance built into every record

Kopimore includes DNC status flags, verified email deliverability data, and compliance documentation on every identified visitor. So your team can reach out confidently — and correctly.

Rachel Luo

Head of Compliance, Kopimore. Specializes in TCPA, CCPA, and CAN-SPAM compliance for data-driven marketing teams. Former regulatory affairs lead at a national lead generation platform.