Skip to main content

State Mini-TCPA Laws: A 2026 Compliance Guide for Sales Leaders

More than 15 states now enforce mini-TCPA laws stricter than the federal rules. Here's which states carry the most risk and how to keep calling across state lines without inviting a lawsuit.

State Mini Tcpa LawsMini Tcpa ComplianceState Tcpa RegulationsTcpa State LawsFlorida Ftsa
Pintu Kumar
Pintu Kumar 7 min read
Share this post
State Mini-TCPA Laws: A 2026 Compliance Guide for Sales Leaders

Federal TCPA compliance used to be enough. It isn't anymore. As of 2026, more than 15 states enforce their own state-level "mini-TCPA" laws, many with broader definitions, stricter consent rules and far steeper penalties than the federal statute. One unwanted call into Connecticut can carry a fine of up to $20,000. A short calling burst into Texas can trigger treble damages under the state's Deceptive Trade Practices Act. For any B2B team dialing across state lines, the rules change the moment you cross a border.

The good news is that this is manageable once you know which states carry the most risk and build your outreach around the strictest of them. This guide walks through the state mini-TCPA laws sales teams actually need to understand, where the exposure is highest and how to run a multi-state program that keeps your pipeline moving without inviting a lawsuit.

Key takeaways

  • More than 15 states now enforce mini-TCPA laws, each with its own definitions, consent rules and penalty structures that go beyond the federal TCPA.
  • Penalties run high. Connecticut reaches up to $20,000 per violation, and Texas now allows treble damages under its Deceptive Trade Practices Act.
  • Several states out-reach the federal rule. Florida, Oklahoma and Washington use broader autodialer or solicitation definitions than the post-Duguid TCPA.
  • You don't have to track it by hand. A TCPA compliance check flags which contacts are safe to call before outreach begins, so your reps spend their time selling instead of cross-referencing statutes.

Why the states stepped in

The Facebook v. Duguid gap

In April 2021, the Supreme Court's decision in Facebook, Inc. v. Duguid narrowed the federal definition of an automatic telephone dialing system (ATDS). To count as an autodialer under the TCPA, the Court held, a system has to use a random or sequential number generator to store or produce the numbers it dials. Most modern business dialers don't work that way, so a large share of routine calling fell outside the federal rule almost overnight.

Businesses read the ruling as a win. Plaintiffs' attorneys and state legislatures read it as a gap to close. Within a few years, states began writing their own telemarketing statutes with broader autodialer language that recaptured exactly the technology Duguid had exempted. Federal compliance stopped being the finish line.

The 2025-2026 wave hasn't slowed

The pace of new legislation has only picked up. Texas SB 140 took effect on September 1, 2025, with significant new requirements (more on that below). Virginia's amended Telephone Privacy Protection Act took effect on January 1, 2026, introducing a 10-year opt-out mandate. More states have similar measures moving through their legislatures.

The pattern is hard to miss: states are not waiting for federal action. Any team that relies on federal TCPA compliance alone is working from an incomplete map.

The states that carry the most risk

Highest-priority states

Four states deserve the most attention from B2B teams today.

Florida set the template. Its Telephone Solicitation Act (FTSA) carries one of the broadest autodialer definitions in the country, caps commercial calls at three per 24 hours on the same subject, restricts calling to 8 a.m. to 8 p.m. local time, and exposes violators to $500 per call, trebled to $1,500 for willful violations.

Texas joined the strict-enforcement tier in 2025. As of September 1, SB 140 expanded "telephone solicitation" to cover text and image messages and tied violations to the state's Deceptive Trade Practices Act, which opens the door to treble damages, mental-anguish damages and attorney's fees, plus statutory penalties up to $1,500 per violation. Consumers can now sue directly, and certain sellers must register with the Secretary of State, pay a $200 filing fee and post a $10,000 bond before they place a single call.

Connecticut has the steepest fines of any state. Under SB 1058, each illegal call or text can cost up to $20,000 per violation, and the law requires prior express written consent for essentially any telephonic sales call.

Washington rounds out the group. Its updated Commercial Telephone Solicitation Act created a private right of action and raised statutory damages to as much as $1,000 per violation for repeat conduct, with a "commercial solicitation" definition that sweeps in more outreach than the federal rule does.

A second tier worth watching

A few more states are close behind. Virginia's update, effective January 1, 2026, requires honoring a texted STOP or UNSUBSCRIBE for at least 10 years, longer than almost any other state. Oklahoma's Telephone Solicitation Act mirrors Florida's FTSA almost word for word, including the three-call daily limit on the same subject, and Maryland has adopted similar restrictions. Arizona limits unsolicited texts as well as calls to numbers on its do-not-call list, with penalties that can reach $1,000 per violation.

What the rules actually require

Consent

Consent rules vary the most from state to state. Connecticut now demands prior express written consent for nearly any sales call. Florida layers its own requirements on top of the federal consent rules. Texas requires registration before a seller places a single solicitation. And the B2B exemption many teams lean on is narrower than they assume: using an autodialer or a prerecorded message to reach a mobile number generally requires prior express consent whether or not the call is B2B, and a growing share of professional contacts are mobile-first.

The federal Do Not Call Registry compounds the math. At the close of fiscal year 2025, the registry held more than 258 million active phone-number registrations, any one of which can turn a routine dial into a violation.

Calling hours

Most states track the federal 8 a.m. to 9 p.m. window, measured in the recipient's local time rather than yours. Some go further. Florida closes the window an hour early, at 8 p.m. When a campaign spans time zones, the recipient's clock is the one that counts, which is easy to forget when an SDR in Chicago batches calls at 4 p.m. Central to accounts on both coasts.

Call frequency

Florida, Oklahoma and other FTSA-style states prohibit more than three sales calls to the same person about the "same subject matter" in any 24-hour period. The phrase is nowhere defined, and that is the real trap. A 12-touch campaign that stacks several call attempts into a single day can blow past the limit before a rep realizes that two "different" talk tracks count as the same subject.

Building a multi-state compliance framework

Know where your prospect actually is

Compliance starts with knowing where your prospect actually sits, and the area code won't tell you. Numbers are portable, so a 212 (Manhattan) number may belong to someone who moved to Miami years ago and is now covered by Florida law. Applying the right state's rules takes current, verified location data, not a guess based on the prefix. Verifying a contact's details before launch, rather than trusting the area code, is what makes the difference between a clean campaign and an accidental violation.

Default to the strictest standard

Consider a Chicago-based SaaS team running one campaign across Florida, Texas and Connecticut accounts. The same three-call day that's fine for an Illinois prospect could breach Florida's same-subject limit, and a single autodialed voicemail to a Connecticut mobile without written consent could put a $20,000 exposure on the board. Asking every rep to track three different rulebooks does not scale.

The cleaner approach is to set one conservative baseline and apply it to everyone:

  • Prior express consent before any call
  • No more than three calls a day to a single contact
  • Calling only between 9 a.m. and 8 p.m. local time
  • Opt-outs processed immediately and honored for 10 years (Virginia's standard)

Hold every campaign to that bar and you are compliant in the strict states and comfortably inside the rules everywhere else. You also build a repeatable compliant-calling program instead of a patchwork your team has to relearn for each new market.

Document everything

State mini-TCPA laws increasingly reward a paper trail. If your compliance is ever questioned, contemporaneous records are the defense. Keep when and how consent was obtained, a timestamp for every call, opt-out requests and the dates you processed them, the TCPA classification for each contact, and the checks you ran before dialing. A clean internal do-not-call list sits at the center of that record.

Letting software do the state-by-state math

Screen every number before you dial

Tracking 15-plus statutes by hand is not realistic for a team that also has a number to hit. This is the part to automate. A one-click compliance check can screen each contact against the federal DNC list, known litigators, line type and state-specific rules, then sort them into three buckets:

  • Safe to call
  • Manual or human review needed
  • Off-limits

AvairAI's TCPA Compliance Check does exactly this, classifying every phone number as safe or risky before any outreach goes out. Automated AI calling stays a secondary, consent-limited channel under the TCPA, reserved for warm or opted-in contacts, but the screening protects every channel, calls included.

Compliance is Pair Selling in miniature

Multi-state compliance is also a clean illustration of why Pair Selling works. The software carries the regulatory load: checking each state's rules, classifying contacts, enforcing the calling window and logging the documentation. Your salespeople carry the conversations. When a rep no longer has to wonder whether a given dial is legal, the question shifts to a better one, is this prospect a good fit, and the human hours go to the work that actually closes deals. Together they produce outreach that is both compliant and effective across all 50 states. You never sell alone.

Compliance as an advantage

State mini-TCPA laws are not a passing trend. Every signal since Duguid points toward more state regulation, not less. Texas tightened its rules in 2025, Virginia's took effect in 2026, and more bills are moving. The teams that win will treat multi-state compliance as an edge rather than a tax, knowing which states carry the most risk, defaulting to the strictest standard, automating the screening and documenting as they go.

Most competitors are doing one of two things: ignoring state rules and quietly stacking up legal and financial risk, or avoiding whole markets out of caution. A real compliance system lets you call confidently across every jurisdiction while they hesitate. AvairAI checks each contact against both federal and state requirements before a campaign begins, so you know exactly who is safe to reach. Start there, and your team spends its time on prospects instead of statutes.


← Back to all articles
Pintu Kumar

About Pintu Kumar

Co-founder & Director of Product Operations, AvairAI

Pintu Kumar is a co-founder and Director of Product Operations at AvairAI, where he turns product vision into reliable execution — designing the operational frameworks, quality processes, and go-to-market readiness that keep the company’s AI-driven prospecting workflows scalable and dependable. He brings 22 years at enterprise-integration company Adeptia, advancing from System Administrator to Senior Manager of Software Quality Assurance and owning QA strategy, release management, and DevOps/Kubernetes practices across mission-critical software. At AvairAI he coordinates cross-functional teams, defines process KPIs, and leads onboarding and adoption strategy. His expertise sits where software quality, DevOps, and product operations meet — ensuring AI agents perform consistently in production. He holds an MCA and BCA in Computer Science and a PGDM in management.

More from Pintu Kumar →

See what AvairAI builds from your website

Never sell alone.

14-day free trial · no credit card · see it in ~3 minutes

Prefer to browse first? Grab a free outreach template Start for free