The Three Pillars of a Compliant Calling Program: TCPA Guide
A compliant calling program rests on three pillars: consent, opt-out handling and record keeping. Here is how each one works, what the 2025 rules changed and where most teams are exposed.
One non-compliant call can cost you $1,500. That is the statutory penalty for a willful Telephone Consumer Protection Act (TCPA) violation, it applies per call, and there is no cap on how high the total can climb. The arithmetic gets ugly quickly. In 2017 a federal court ordered Dish Network to pay $280 million for Do Not Call violations, the largest penalty of its kind on record, after finding the company responsible for more than 66 million violations. Your sales team does not need to learn this the hard way.
The complete TCPA compliance guide for sales leaders covers the regulatory landscape in full. This piece is narrower and more practical: the three pillars that hold up any compliant calling program. Get them right and compliance becomes a routine you run rather than a fire you fight. Get them wrong and a single audit can surface years of exposure.
Key takeaways
- A compliant calling program rests on three pillars: consent, opt-out handling and record keeping. Weakness in any one undermines the other two.
- Penalties are real and they stack per call: $500 to $1,500 per call under the TCPA, plus up to $53,088 per call for Do Not Call violations under the FTC's rules, a figure adjusted yearly for inflation.
- AI gets no exemption. In February 2024 the FCC ruled that AI-generated voices are "artificial voices," so every TCPA rule applies to an AI call exactly as it would to a human one.
- The rules keep moving. The FCC's consent-revocation rule took effect in April 2025 (honor a revocation within 10 business days), while the one-to-one consent rule many vendors still warn about was struck down in court and never took effect.
Why the stakes keep climbing
Phone outreach has never been a free-for-all, but enforcement and litigation are both intensifying. Through the first half of 2025, plaintiffs filed roughly 95% more TCPA class actions than in the same stretch of 2024, according to WebRecon data reported by the National Law Review. Most of those suits run on the same fuel: calls placed to people who were on a Do Not Call list, never consented, or asked to stop and were dialed anyway.
State lawmakers are adding their own layer. A growing roster of state "mini-TCPA" laws carries requirements that go beyond the federal baseline, from tighter calling windows to SMS coverage and stricter disclosure rules. A program that looks clean under federal law can still draw a claim under a single state statute.
AI changes the volume, not the rules. An AI calling system can dial far more contacts than a room full of reps, which is exactly why a small compliance gap stops being a rounding error. At a few hundred calls a day, a flawed list is a nuisance. At scale, it is a class action waiting for a plaintiff's lawyer.
Pillar 1: consent
Consent is where a program either builds its foundation or quietly undermines it. The rule that trips people up is easy to state and easy to get wrong: different calls demand different levels of permission, and assuming the wrong one is an instant liability.
For most marketing calls placed to a cell phone using an autodialer or an artificial or prerecorded voice (AI voices included), you need Prior Express Written Consent (PEWC). A verbal yes does not count. Neither does permission you inferred because someone filled out a form two years ago. PEWC has to be documented, specific and conspicuous: the person clearly agrees to receive calls made with automated technology, and that agreement cannot be buried in terms and conditions nobody reads.
The one-to-one consent rule that never arrived
This part is worth correcting, because a lot of compliance content still gets it wrong. For most of 2024 the industry braced for the FCC's "one-to-one consent" rule, which would have required a consumer to consent to each individual seller rather than to a company and its loosely defined "affiliates." It was scheduled to take effect in January 2025. Days before the deadline, the Eleventh Circuit vacated it in Insurance Marketing Coalition v. FCC, finding the agency had exceeded its authority, and the FCC later repealed it outright.
So separate consent per seller is not the law today. That does not make buying leads safe. If you purchase a list, the burden still sits with you, the caller, to prove valid consent for your calls. "We bought this list" has never been a defense, and it is not one now. The practical takeaway is unchanged: capture consent yourself wherever you can, and log exactly what each person agreed to, including the time, date, method and the precise language they saw. A consent management platform that writes that evidence straight into your CRM means the answer to "can we call this person?" is available the moment you need it, not reconstructed under subpoena.
Pillar 2: handling opt-outs
The second pillar is what you do when someone does not want to hear from you. It has two parts that organizations routinely treat as one, to their cost.
The National Do Not Call Registry
Any telemarketer has to check its calling lists against the National Do Not Call Registry at least every 31 days. This is not a best practice or a nice-to-have. It is a requirement under the FTC's Telemarketing Sales Rule, and the penalty for getting it wrong runs up to $53,088 per call. Scrub before every campaign, pull the matches before anyone dials, and re-scrub on the 31-day clock. A list you cleaned two months ago is not a clean list today.
Your internal Do Not Call list
Beyond the national registry, every organization that telemarkets must keep its own internal Do Not Call list, and this is the one that quietly creates liability. When someone asks you specifically to stop, that request stands indefinitely.
Picture a prospect who told a rep "please take me off your list" back in 2021. The rep noted it in a spreadsheet that has since been replaced by a new CRM. In 2026 a different rep, working a freshly purchased list, dials the same number. The person never rescinded that earlier request, so the second call is a textbook violation. Nothing about it was malicious. The system simply forgot, and forgetting is not a defense. That is why managing your internal DNC list belongs in software, not a spreadsheet: one logged request should flag that number across every future campaign, automatically.
The consent-revocation rule (2025)
In April 2025 the FCC's consent-revocation rule took effect, and it tilts heavily toward the consumer. People can revoke consent in any reasonable way; they do not have to use a magic word or your preferred form. Once they do, you have no more than 10 business days to stop all calls and texts. You may send a single message confirming the opt-out, and then contact has to cease.
One related provision, which would treat a revocation on one topic as covering all future unrelated messages from you, has been pushed back more than once and now sits in early 2027. The 10-business-day clock, though, is live today. Meeting it reliably is not a manual job. Revocations that route through email threads and shared spreadsheets get missed, and a missed one is a per-call violation. Build revocation handling into your stack so the number goes quiet on its own.
Pillar 3: record keeping
The third pillar is the one teams forget until a demand letter arrives, and by then it is too late to create the records. The TCPA carries a four-year statute of limitations, so you can be asked to prove a call placed years ago was compliant. If you cannot produce the evidence, its absence tends to be read against you.
What to keep
A defensible record covers four things:
- Consent: how and when it was obtained, the exact disclosure language shown and the affirmative action the person took to agree.
- Calls: date, time, number dialed, the caller ID displayed, the disposition and any transfer details.
- Opt-outs: the date and method of each request, the confirmation you sent and the date calling actually stopped.
- Scrubbing: when you checked each list against the national registry, which numbers came off and every internal DNC update.
How long, and how findable
Given the four-year window, keep all of it for at least four years after your last contact with a person; some teams hold five to be safe. Retention alone is not enough, though. The records have to be searchable. When a claim names a specific number on a specific date, you need that file in minutes, not a week of digging through archived exports. Automated call logging, timestamped consent records and a single source of truth in your CRM are what turn "we think we were compliant" into "here is the proof." Building documentation into the calling workflow itself, rather than bolting it on afterward, is what makes this sustainable.
AI calling lives under the same rules, not above them
For a while, some teams treated AI calling as a regulatory gray area. The FCC closed that gap in February 2024, ruling that AI-generated voices count as "artificial voices" under the TCPA. There is no AI carve-out. Whether a human or a model is on the line, the same framework applies: written consent for marketing calls to cell phones, a clear and immediate disclosure that the call uses AI, a working opt-out and full documentation of every interaction.
This is also why responsible AI calling is a narrow, deliberate channel rather than a cold-outbound firehose. The honest read is that automated calling fits warm or opted-in contacts, message testing and rep practice, always with the AI disclosed up front. If you are weighing whether your own program clears the bar, the question of whether AI cold calling is legal deserves a careful read before you dial.
Putting the three pillars to work
A framework only matters once you measure yourself against it. The fastest way to find your exposure is a blunt audit of each pillar.
Start with consent. For the contacts in your database right now, can you actually produce proof of consent, and does the language you captured still meet current requirements? Move to opt-outs. When did you last scrub against the national registry, is your internal DNC list complete and current, and could you honor a revocation within 10 business days if one arrived today? Finish with documentation. How far back can you pull detailed call logs, and if a demand letter landed this afternoon, could you prove compliance for a call placed two years ago?
Wherever the honest answer is "I'm not sure," you have found a priority. Fix the highest-risk gaps first, then put repeatable processes in place so the answers stay "yes" as you grow.
Compliance as a growth lever
It is tempting to file compliance under cost-of-doing-business and move on. The teams that pull ahead do the opposite. When consent, opt-out handling and record keeping are solid, you can scale outreach with confidence while competitors throttle back or lawyer up. Done well, clean compliance becomes a real competitive advantage instead of a brake on growth.
The three pillars are not bureaucratic box-checking. They are what lets a calling program grow without quietly stacking up the kind of risk that ends programs. It is also why AvairAI runs a built-in TCPA Compliance Check, with DNC and calling-window screening, on every campaign: the aim is to fill your pipeline with interested leads through outreach you can defend, so your reps spend their hours on the conversations that book and close.
See how AvairAI builds compliance into every campaign, or start a 14-day free trial, no credit card required.
← Back to all articles