TCPA Compliance for SaaS Sales Teams: Why B2B Isn't Exempt
B2B calling is not exempt from the TCPA, and for fast-moving SaaS teams the risk hides in plain sight. Here's what actually applies, what it costs, and how to keep prospecting clean.
In the first half of 2025, plaintiffs filed 1,052 TCPA class actions, a 95.2% jump over the same stretch of 2024 and a new record. For a SaaS team running outbound at volume, that number is not abstract. It is the going rate on a mistake most sales leaders do not know they are making.
The mistake is assuming that selling to businesses puts you outside the Telephone Consumer Protection Act. It does not. The TCPA turns on the kind of phone you dial and whether you have consent, not on whether the person on the other end is buying enterprise software or a mattress. Dial a mobile number without the right consent and you can be on the hook for $500 to $1,500 per call, with no cap on the total. A single 500-contact campaign can build six-figure liability before a rep books a single meeting.
This guide covers what the TCPA actually requires of SaaS sales teams, where the risk hides in a normal prospecting workflow, and how to bake compliance in without slowing pipeline.
Key takeaways
- B2B calling is not exempt. Mobile numbers need consent no matter the business purpose, and SaaS buyers run work off personal phones constantly.
- Violations run $500 to $1,500 per call with no cap, so a 500-contact campaign with 100 bad numbers can mean $50,000 to $150,000 in exposure.
- AI-voice calls face a higher bar. A February 2024 FCC ruling treats AI-generated voices as "artificial," which triggers prior express written consent.
- Screening every number before you dial is the fix. Phone classification flags which contacts are safe to call, which need a human and which are off-limits.
Why SaaS teams think B2B is exempt (and why they're wrong)
Plenty of SaaS sales leaders assume the TCPA is a consumer law that stops at the business line. That assumption has cost companies millions.
The statute does not care about the business relationship. It cares about the line you are calling and whether you have consent. A mobile number is protected whether your prospect uses it for weekend texts or for closing deals, and there is no such thing as a "business mobile" carve-out. For autodialed or AI-voice marketing calls to a cell phone, the TCPA's private right of action sets statutory damages of $500 per call, tripled to $1,500 when a court finds the violation willful.
SaaS makes the exposure worse than most industries, and the reasons compound. Start with the phones themselves. Technology buyers live on personal devices, so the "work number" in your data is often a personal cell, and a cold dial without consent can violate the TCPA even when the outreach is perfectly legitimate B2B. Then add velocity: where a field-equipment rep might make 50 calls a quarter, a SaaS SDR can make 500 a week, and every one is a potential count of liability. Most of those teams also lean on power dialers or automated systems, which carry stricter consent rules than a human dialing by hand. And the lists are rarely clean. Numbers get bought, scraped and recycled, and contact data goes stale faster than most teams realize. Calling a reassigned number creates fresh liability even when you had valid consent for the person who used to own it.
The TCPA rules that actually apply to your team
Consent depends on the type of call
Not every call carries the same risk, and the differences are where teams trip.
A live call to a business landline sits at the low end. It is generally allowed without prior consent, as long as you honor do-not-call requests and stay inside calling hours. A live call to a mobile number is a step up: you need prior express consent, meaning the person knowingly handed over the number for business contact. Having it sitting in a database does not count.
Prerecorded and AI-voice calls sit at the top. Under the FCC's February 2024 declaratory ruling, a call made with an AI-generated voice is "artificial" under the TCPA. That means prior express written consent regardless of the line type, plus identification and clear opt-out disclosures. It is worth understanding whether AI cold calling is legal at all before you build a program around it.
Calling hours, DNC and the state patchwork
Federal rules limit calls to 8 a.m. to 9 p.m. in the recipient's local time, which sounds trivial until you are running automated campaigns across four time zones at once. Several states go further. Florida, Washington and Oklahoma have passed state-level mini-TCPA laws with tighter calling windows, extra consent rules and caps on how many times you can dial the same number in a day.
Do-not-call compliance means scrubbing every list against both the National DNC Registry and your own suppression list. The federal registry is enormous: the FTC's fiscal-year 2025 Data Book counts more than 258 million active phone numbers, so a large share of any raw contact list is already off-limits before you dial. Your internal do-not-call list matters just as much, because it has to reflect every opt-out in near real time.
The AI-calling layer
If part of your program uses an AI Call Agent, the bar climbs again. Prior express written consent becomes mandatory, every call has to disclose that AI is in use, and opt-outs have to be honored fast. As of April 11, 2025, an FCC opt-out rule requires you to process a consent revocation within 10 business days, through whatever reasonable method the contact used to send it.
This is exactly why AI calling is a warm-contact tool, not a cold-outbound channel. US law restricts AI and automated voice calls to people who have opted in or otherwise consented, so the sensible use is testing messaging, SDR practice and compliant follow-up with contacts who already raised a hand. Compliance here is not a reason to avoid the phone. It is a set of guardrails you wire into the workflow rather than bolt on afterward.
What a TCPA mistake actually costs
The per-call math
The damages are simple and unforgiving. A standard violation is $500. A willful one is $1,500. There is no statutory cap on the total, so the number scales with the size of the mistake.
Run a 500-contact campaign where 20% of the numbers are problematic, and you have 100 violations on a single pass. At $500 to $1,500 each, that is $50,000 to $150,000 of exposure from one campaign, before legal fees and before anyone files for class status.
Class-action exposure
The bigger threat is the class action. Filings hit a record in the first half of 2025, with 1,052 TCPA class actions, up 95.2% year over year. The TCPA carries a four-year lookback, so plaintiffs' attorneys are mining old calling records to build cases against companies that assumed they were fine.
Recent settlements show the range. QuoteWizard paid $19 million over unsolicited insurance texts to numbers on the DNC registry. Kaiser Permanente settled telemarketing-text claims for $10.5 million. Truist agreed to $4.1 million over prerecorded calls placed to people who were not the intended recipients. None of these were fly-by-night operations. They were established companies with real legal teams, and they paid anyway.
How to build compliance into your SaaS sales motion
Before the campaign launches
Compliance is cheapest before the first dial. Every number should be screened against the DNC registries, checked for known TCPA litigators, verified for line type and tested for reassignment. If you are relying on consent, you need the record to prove it: when it was given, how it was given and exactly what it covered. It is also worth confirming the contact still works where your data says, since calling someone who left six months ago burns time and invites complaints.
During the campaign
Live campaigns need live guardrails. Calling windows should follow the recipient's time zone automatically, not yours. Suppression lists should update in real time, because people opt out every day and a weekly sync is not fast enough. And revocations need to be actioned right away to stay inside that 10-business-day rule.
How AvairAI handles it
AvairAI, the AI sales prospecting platform for B2B sales, builds this screening into the campaign as a built-in TCPA Compliance Check rather than leaving it as a checklist you have to remember. Its one-click phone classification sorts every contact before launch:
- CAN_CALL_AI (green): cleared for AI-assisted calling.
- CAN_CALL_MANUAL (yellow): a rep should dial and use judgment.
- CANNOT_CALL (red): legally off-limits, excluded automatically.
The check runs against DNC registries, known-litigator databases, line-type verification and reassignment detection, so the full picture of who you can safely call lives inside the campaign itself. That is Pair Selling in practice: the AI handles the screening and the email sending, your reps work the call and LinkedIn tasks the system hands them, and the human conversations are what book and close the deal.
Turning compliance into an edge
The teams that win on compliance do not treat it as a tax. Screened, documented calling lets you move at full speed while competitors hesitate or quietly take the risk, because you already know which contacts are safe before anyone picks up the phone. It also protects the asset that volume callers tend to destroy: clean, complaint-free calling keeps your numbers off carrier spam flags, so your connect rates hold. And there is a trust dividend. In a market full of illegal robocalls, being transparent about AI calling and honoring every opt-out is a real differentiator with buyers. Handled well, compliance becomes a durable advantage instead of a cost center.
Compliance is the cost of calling at scale
The B2B exemption SaaS teams lean on is mostly a myth. Mobile numbers are protected regardless of business purpose, AI-voice calls demand written consent, and a four-year lookback means today's shortcut is tomorrow's class action. The answer is not to put down the phone. It is to verify every number before you dial, document your consent and keep your suppression lists current, so compliance rides inside the workflow instead of slowing it down.
See how AvairAI builds TCPA screening into every campaign and lets your team prospect at scale while the legal risk stays handled. Start with a 14-day free trial, no credit card required.
← Back to all articles