Skip to main content

5-Minute TCPA Compliance Check: Is Your Phone Campaign Legal?

B2B outreach is not automatically exempt from the TCPA. Run this seven-question check before any phone campaign to find the gaps that turn into $500-per-call fines.

Tcpa Compliance CheckTcpa Compliance ChecklistB2B Cold Calling LegalTcpa Quick AuditTelemarketing Compliance
Pintu Kumar
Pintu Kumar 8 min read
Share this post
5-Minute TCPA Compliance Check: Is Your Phone Campaign Legal?

One non-compliant campaign is usually enough to end any debate about whether TCPA compliance is worth the effort. In 2019 a jury found that the marketing company ViSalus had placed 1,850,436 illegal calls, and at the statutory rate of $500 per call that produced a $925 million verdict. The damages math is brutal because it scales: the Telephone Consumer Protection Act sets $500 per violation, and up to $1,500 when a court finds the violation willful, with no cap on the total.

The exposure is also climbing. TCPA class action filings ran about 95% ahead of the prior year through mid-2025, which means the odds that a sloppy phone campaign attracts a plaintiff's attorney are higher now than they have ever been.

This TCPA compliance check is a fast pre-launch screen, not a legal opinion. Seven questions, about five minutes, run before you dial or send a single text. It catches the gaps that most often turn into letters from law firms: assuming B2B is exempt, an opt-out process that is quietly out of date, AI voice calls placed without consent, and state laws stricter than the federal floor. Mark each item pass, fail or needs review as you go.

The 5-minute check

1. Do you have the right consent?

Consent turns entirely on what you are calling and how you are calling it. An autodialed or prerecorded call or text to a mobile number needs prior express written consent, and it does not matter that the number came off a business card. The narrow exemption teams lean on, a live manual call to a published business landline, is exactly that: narrow. Add automation, or dial a cell, and you are back under the consent rule.

A quick example shows the trap. Your SDR uploads a list of 400 "business contacts" from a data provider. Maybe 150 of those numbers are personal cell phones the prospect happens to use for work. Run an autodialer or an AI voice over that list and you may have created 150 violations before anyone answers. Dual-use numbers are treated as consumer lines, so the safe default is to assume any mobile number is a consumer number until you can prove otherwise.

[ ] Prior express written consent on file for automated calls or texts to mobiles

[ ] Consent language names your business and the number being called

[ ] Consent records stored and retrievable for audit

[ ] Live business-landline calls verified as business-only, with no autodialer

2. Are you scrubbing against do-not-call lists?

There are two lists here, not one, and teams remember the wrong one. The federal Do Not Call Registry has to be downloaded and scrubbed before every campaign, and your access has to be current, the rule is access within the last 31 days. The list people forget is the internal one. Every opt-out you have ever received has to be honored, and since 2025 it has to be honored fast. If you are not certain your internal suppression list is airtight, our guide to managing an internal do-not-call list walks through the process.

[ ] Registered at donotcall.gov and scrubbing every list before launch

[ ] Federal registry accessed within the last 31 days

[ ] Internal opt-out list maintained and scrubbed against before calls

[ ] Opt-outs added and honored within 10 business days

3. Are you calling inside the legal window?

Federal rules limit telemarketing calls to between 8 a.m. and 9 p.m. in the recipient's local time. That reads simple until you are dialing four time zones from one queue. An 8 a.m. opener in Chicago lands at 6 a.m. two zones west, which is a violation before the prospect is even awake. Time-of-day cases have become their own litigation niche, so configure for the contact's time zone, never your own, and set the system to the most restrictive window in play.

[ ] Calls fire only between 8 a.m. and 9 p.m. in the recipient's local time

[ ] Time zone verified for each contact

[ ] Automated systems hard-configured to the calling window

4. If you use AI or automated systems, are they compliant?

The FCC closed the AI loophole in February 2024. It ruled that AI-generated voices count as "artificial" voices under the TCPA, so an AI call carries the same consent, disclosure and opt-out obligations as any prerecorded one. There is no exemption for the technology being newer. Autodialers sit under the same logic: if a system can place calls without a human pressing the keys, it needs consent for every number and the ability to stop the instant someone opts out. For where the lines fall, see our breakdown of whether AI cold calling is legal.

[ ] Prior express written consent obtained before any AI or automated call

[ ] The AI nature of the call disclosed to the recipient

[ ] A clear opt-out offered during the call, with the capacity to stop immediately

5. Is your opt-out process current?

This is the single most common way a once-compliant program drifts out of compliance. Since April 11, 2025, you have to honor a revocation within 10 business days, down from the old 30-day standard, and you have to accept it through any reasonable channel: a text, an email, a voicemail or a spoken "take me off your list," not only a tidy "STOP" reply. A process that still assumes 30 days, or that only logs keyword opt-outs, is already behind the rule.

[ ] Opt-outs processed within 10 business days

[ ] Requests honored by text, email, voicemail or verbal, not just "STOP"

[ ] The full opt-out flow tested recently and removal confirmed across every list

6. Are you covered at the state level?

Federal compliance is the floor, not the ceiling. A growing list of state mini-TCPA laws add their own registration requirements, tighter calling windows and, in several states, a private right of action that mirrors the federal per-call math. Florida, Texas, Washington, Oklahoma and New York have been among the most active. When a campaign spans states, the working rule is simple: follow the most restrictive law that applies to anyone on the list.

[ ] Aware of mini-TCPA laws in every state you are calling

[ ] State registrations completed where required (for example, Florida and Texas SMS)

[ ] Campaign configured to the most restrictive applicable rule

7. Can you prove all of this later?

Compliance you cannot document is compliance you cannot defend. When a complaint lands, the question is not whether you believed you had consent, it is whether you can produce the record, with a timestamp and a source, on demand. Consent records, call logs and opt-out history are the difference between a quick dismissal and an expensive discovery fight.

[ ] Written consent stored securely, with timestamp and source

[ ] Call logs and opt-out requests documented and retained

[ ] A regular audit scheduled, with someone accountable for it

Reading your score

If every box is checked, your campaign clears the baseline. Launch, then put a recurring review on the calendar so the program does not drift the way most do.

One or two fails are usually quick fixes, but they are still launch blockers, so close them before the first dial. Three or more fails is a stop sign: pause the campaign and run a full compliance review, because the odds of a real violation are no longer hypothetical. And any item you marked needs review is a question for counsel who knows TCPA, not a judgment call to make under deadline. Uncertainty is its own form of liability.

Where teams actually slip

Two patterns account for most of the trouble. The first is the dual-use mobile number, the prospect's "office" line that is really a personal cell, which quietly converts an exempt-looking B2B list into a consent problem. The second is opt-out drift: a process built for the old 30-day window that nobody updated when the rule tightened to 10 business days. Neither looks dangerous on a spreadsheet. Both show up clearly in a five-minute check. For the deeper legal context behind these traps, our TCPA compliance guide for sales leaders goes further than a checklist can.

Where AvairAI fits

AvairAI builds compliance into the campaign instead of bolting it on afterward. Its one-click phone classification sorts every number, business versus personal and wireless versus landline, and flags the high-risk ones before a single call goes out. Contact Verification and DNC screening run on the list automatically, and the built-in TCPA Compliance Check handles calling-window and consent screening on every campaign.

Automated AI calling stays a secondary, consent-bounded capability here, used for warm or opted-in contacts and always disclosed as AI, never a cold-outbound shortcut. That is the point of Pair Selling: the software absorbs the compliance grind so your salespeople can spend their hours on the conversations that close. You can see how the compliance layer works in more detail.

Run it before every campaign

The check is cheap; the verdicts are not. Five minutes against a $500-to-$1,500-per-call downside is the easiest risk math in sales. Run the seven questions before every phone campaign, fix what fails and keep the records that prove you did.

If you would rather not track all of this by hand, see how AvairAI runs compliant campaigns with screening built in, so your team prospects with confidence and never sells alone.


← Back to all articles
Pintu Kumar

About Pintu Kumar

Co-founder & Director of Product Operations, AvairAI

Pintu Kumar is a co-founder and Director of Product Operations at AvairAI, where he turns product vision into reliable execution — designing the operational frameworks, quality processes, and go-to-market readiness that keep the company’s AI-driven prospecting workflows scalable and dependable. He brings 22 years at enterprise-integration company Adeptia, advancing from System Administrator to Senior Manager of Software Quality Assurance and owning QA strategy, release management, and DevOps/Kubernetes practices across mission-critical software. At AvairAI he coordinates cross-functional teams, defines process KPIs, and leads onboarding and adoption strategy. His expertise sits where software quality, DevOps, and product operations meet — ensuring AI agents perform consistently in production. He holds an MCA and BCA in Computer Science and a PGDM in management.

More from Pintu Kumar →

See what AvairAI builds from your website

Never sell alone.

14-day free trial · no credit card · see it in ~3 minutes

Prefer to browse first? Grab a free outreach template Start for free