Disclaimer: This guide is for educational purposes only and does not constitute legal advice. TCPA law is complex and changes frequently. Consult a qualified attorney before implementing any outreach program involving calls or text messages to U.S. consumers.
The Telephone Consumer Protection Act (TCPA) is a federal law enacted in 1991 and significantly updated several times since, most recently with a major FCC rulemaking in January 2025. It restricts unsolicited marketing calls, text messages, and faxes to U.S. consumers.
The law was originally designed to stop robocall spam. It's now one of the most litigated consumer protection statutes in the country, in part because it allows individual plaintiffs to collect $500–$1,500 per violation — and violations are easy to aggregate into class actions. A company that sent 100,000 improperly consented marketing texts faces potential statutory damages of $50 million to $150 million.
The FCC enforces TCPA at the federal level. State attorneys general can also bring enforcement actions, and the statute provides a private right of action — meaning consumers can sue directly, without waiting for government enforcement.
TCPA applies to any person or entity that makes a telephone call or sends a text message for marketing purposes to U.S. consumers. This includes:
There is no small business exemption. A solo roofing contractor cold-calling neighborhood leads has the same TCPA obligations as an enterprise call center. The difference is that small businesses are less likely to be the target of systematic monitoring — but the risk is still real, particularly if a called party reports the number to a TCPA tracking service.
TCPA distinguishes between several levels of consent, each allowing different types of outreach:
Prior express written consent (PEWC) is the highest standard. It is required for auto-dialed or pre-recorded marketing calls and texts to cell phones. The consent must be in writing (a checkbox on a digital form counts), must clearly disclose that the consumer is agreeing to receive automated marketing calls or texts from a specifically named company, and must not be a condition of purchase.
Example of compliant PEWC language: "By submitting this form, I agree that [Company Name] may contact me by phone, including automated calls and text messages, at the number provided above. I understand that consent is not required to receive services."
A lower standard — allows informational calls (like appointment reminders or delivery notifications) to cell phones without the full PEWC requirements. Does not cover marketing calls.
For landline calls, an existing business relationship (EBR) may provide a basis for outreach without separate consent. The EBR exception has a 90-day window for inquiry-based relationships and an 18-month window for purchase-based relationships. Note: EBR does not apply to cell phone auto-dialing or texting.
The FCC's January 2025 rule change fundamentally altered how consent works for lead generation companies. Before this rule, a single opt-in form could provide consent for multiple companies to contact a consumer — a common practice in lead aggregation and insurance quote platforms.
Under the new rule, TCPA consent must be provided directly to the specific company that will be making the call or sending the text. A consumer checking a box on a lead aggregation site that says "I consent to be contacted by insurance providers" no longer provides valid TCPA consent for individual insurance companies to make auto-dialed calls.
The practical impact is significant for any business that:
If your current lead generation involves any of these practices, you should review your consent chain with your compliance counsel immediately. The transition period for most affected companies has already passed.
Visitor identification generates leads from your own website — meaning any consent collected is first-party consent directly with you, not through a third-party lead aggregator. This makes first-party visitor data a significantly lower compliance risk than purchased lead lists under the new one-to-one rule.
Separate from TCPA auto-dialer restrictions, the National Do Not Call (DNC) Registry restricts marketing calls to consumers who have registered their number. Companies must scrub their outbound call lists against the DNC Registry before any phone marketing campaign and update their internal suppression list at least once every 31 days.
Key DNC rules:
DNC compliance is separate from TCPA cell phone consent compliance. You can be DNC-compliant but still violate TCPA by using an auto-dialer without PEWC. You need to manage both simultaneously.
Here's a plain-language breakdown of what's permitted when calling or texting leads identified through website visitor tracking:
| Outreach Type | Visitor-Identified Leads | Notes |
|---|---|---|
| Manual call by a live rep | Generally Permitted | TCPA's strict consent requirements apply to auto-dialers, not manual live-agent calls. Still must respect DNC Registry. |
| Manual email by a live rep | Generally Permitted | Not covered by TCPA. Governed by CAN-SPAM instead. Must include unsubscribe mechanism. |
| Automated/robocall to cell | Requires PEWC | Auto-dialed or pre-recorded calls to cell phones require prior express written consent from a specific named company. |
| Automated text (SMS) | Requires PEWC | Same consent standard as auto-dialed cell calls. Platform-initiated texts without consent are high-risk. |
| Manual text from a rep's phone | Gray Area | TCPA applies to "automatic telephone dialing systems." Manual one-at-a-time texts from a personal phone are lower risk, but consult counsel. |
| Calls to landlines | EBR May Apply | Landline marketing calls have more flexible rules than cell phones. Pre-recorded calls to residential landlines still require consent. |
The safest and most effective approach for visitor-identified leads: have a live rep make a manual call or send a personal email. This sidesteps the auto-dialer consent requirement entirely while still allowing timely, personalized outreach.
Prioritize manual calls and personal emails for visitor-identified leads. Not only is this lower risk from a compliance standpoint, it also converts better — a personal call from a real person is far more effective than a robocall for high-value services.
No exceptions. Before any outbound phone campaign, run your call list against the National DNC Registry and your internal opt-out list. Most CRM platforms and visitor intelligence tools can automate this.
If your website has forms, include TCPA-compliant consent language near the submit button. This authorizes automated follow-up for contacts who self-identify — giving you more flexibility for those leads while your visitor-identified leads are handled manually.
Anyone who asks not to be called must be added to your internal DNC list and honored for at least five years. This is separate from the National Registry — your internal list covers people who called in or emailed a request, not just those on the federal registry.
If you're ever sued under TCPA, the burden is on you to prove consent. Keep records of when consent was obtained, what the consent language said, and what technology was used to make the call. Most TCPA class actions succeed because defendants can't produce consent documentation — not because they knowingly violated the law.
TCPA is a federal floor, not a ceiling. Several states have enacted stricter laws:
If your customer base includes residents of any of these states, build state-specific compliance steps into your outreach process.
For any outbound phone or text campaign, maintain records of:
Keep this documentation for at least four years — the TCPA statute of limitations is four years from the date of the call.
Kopimore includes TCPA screening, DNC scrubbing, and compliance documentation as standard features — so your team can reach identified visitors confidently and legally.