TCPA and DNC Compliance Checklist for VoIP Call Centers


Running an outbound call center in 2026 without a documented TCPA and DNC compliance process isn’t just risky — it’s a financial liability that can shut a business down overnight. TCPA class action filings have surged in recent years, and a single non-compliant campaign touching a few thousand numbers can generate seven-figure exposure before anyone on your team even realizes there’s a problem.

This guide breaks down exactly what TCPA and DNC compliance require for VoIP call centers right now, what a violation actually costs, and a practical checklist you can run your operation against today.

What TCPA and DNC Compliance Actually Cover

The Telephone Consumer Protection Act (TCPA) and the Do Not Call (DNC) rules are often mentioned together, but they govern slightly different things, and most outbound call centers need to satisfy both.

The TCPA regulates how you’re allowed to contact someone — consent requirements, the use of autodialers and prerecorded or AI-generated voices, permitted calling hours, and a consumer’s right to sue directly if those rules are broken. DNC compliance governs whether you’re allowed to contact someone at all, based on the National Do Not Call Registry, state-level “mini-DNC” lists, and your own internal suppression list of people who’ve already asked not to be called.

A call center can violate one without violating the other, which is exactly why both need separate, documented processes rather than a single “we scrub our lists” policy.

What a Violation Actually Costs

The numbers here are worth internalizing because they change how seriously a call center needs to take this:

Federal TCPA violations carry $500 per call for ordinary violations, rising to $1,500 per call if a court finds the violation willful or knowing. There is no annual or per-campaign cap, which means a single bad campaign of 10,000 calls can theoretically expose a business to millions of dollars in statutory damages. DNC-specific violations under the FTC’s Telemarketing Sales Rule can run even higher, with maximum penalties reaching into the tens of thousands of dollars per call depending on the specific violation. State-level “mini-TCPA” laws in places like Connecticut, Florida, Oklahoma, and Washington often add their own penalty structures on top of the federal floor.

Beyond the per-call fines, TCPA allows a private right of action — meaning any individual consumer can personally sue, and they don’t need the FCC or FTC to act first. That’s the mechanism behind the wave of TCPA class actions, which have produced settlements regularly landing in the millions of dollars, with at least one case reaching well into nine figures.

The 2026 TCPA and DNC Compliance Checklist

1. Scrub every list against the National DNC Registry — and keep it current

The National Do Not Call Registry now holds over 240 million numbers. Lists should be scrubbed within 31 days of any calling campaign at minimum; many compliance-first operations scrub in real time at the point of dial rather than relying on a monthly batch process. If you’re running VICIdial or a similar dialer, don’t load the entire federal registry directly into the platform’s internal DNC table — at that scale it will degrade hopper performance. Pre-scrub through a dedicated third-party DNC service before import instead.

2. Maintain a separate internal DNC list — and treat it as permanent

Every business that places outbound calls is required to maintain its own internal Do Not Call list, independent of the federal registry. When a consumer says “stop calling me,” “take me off your list,” or anything equivalent, that request needs to be captured by the agent immediately and pushed into a suppression system shared across every team and every vendor touching that contact — not left sitting in a single agent’s notes. Internal DNC entries should be retained for a minimum of five years; some states require longer.

3. Check state-specific DNC and telemarketing laws separately

The TCPA does not preempt state law, and a growing number of states have passed their own telemarketing rules that are stricter than the federal baseline — generally referred to as “mini-TCPAs.” States including California, Florida, Oklahoma, Texas, Washington, and Oregon have either their own DNC registries or tighter calling-hour and consent requirements. A campaign that’s fully compliant federally can still expose you to liability in any of these states if you’re not checking separately.

4. Respect calling hours — based on the consumer’s time zone, not yours

Outbound telemarketing calls are restricted to 8:00 a.m. to 9:00 p.m. in the called party’s local time zone under federal rules, and several states cut that window shorter, often ending at 8:00 p.m. This needs to be enforced by area code or, better, by verified location data rather than assumed from the area code alone, since mobile numbers increasingly don’t reflect where someone actually lives.

5. Get documented consent — and don’t rely on resold or shared consent

Prior express written consent is required before using an autodialer or prerecorded/AI-generated voice to contact a mobile number. Oral consent generally isn’t sufficient for marketing calls. As of the 2025 “one-to-one consent” changes, consent obtained by one company generally can’t be resold or shared with unrelated businesses — each company in a lead chain needs its own direct consent from the consumer. If your leads come from a third-party generator, this is one of the most common places call centers get exposed.

6. Understand what counts as an autodialer in your jurisdiction

Following the Supreme Court’s Facebook v. Duguid ruling, the federal definition of an Automatic Telephone Dialing System narrowed to systems using a random or sequential number generator — which excludes most modern predictive dialers that call from a stored list. However, several states interpret “autodialer” more broadly than the federal standard, so a dialer setup that’s compliant federally may still carry risk in certain states. Manual or manually-approved dialing — where a human reviews and approves each call before it’s placed — remains the lowest-risk approach for cell phone outreach.

7. Process opt-outs within 10 business days, every time

Whether the opt-out comes through a call, a text reply (“STOP,” “QUIT,” “UNSUBSCRIBE,” “CANCEL”), or any other channel, FCC rules require it to be honored within 10 business days. The opt-out needs to flow into your suppression list immediately and apply across every channel and every campaign — not just the one it came in on.

8. Verify numbers haven’t been reassigned

Nearly 100,000 phone numbers get reassigned to new owners every day in the US, and consent is tied to the person, not the number. Calling a number whose original owner gave consent — but who has since given the number up — creates fresh TCPA liability even though you technically had consent at some point. Numbers should be periodically re-validated, especially on lists older than a few months.

9. Keep detailed, timestamped records of everything

If a complaint or lawsuit comes in, your documentation is your defense — and gaps in documentation tend to be treated the same as gaps in compliance. At minimum, maintain: consent records (when and how each contact opted in), opt-out records (when and through what channel each opt-out was received and honored), DNC scrub logs (timestamped, showing which lists were checked and how many numbers were suppressed), and campaign records (which numbers were called, by which agent, when, and the outcome). Most compliance-focused dialer platforms log this automatically; doing it manually in a spreadsheet is a documentation problem waiting to surface.

10. Pair DNC and TCPA compliance with caller ID authentication

DNC scrubbing and consent management solve the legal side of outbound compliance, but they don’t address answer rates — and a growing share of legitimate outbound calls get mislabeled as “Spam Likely” by carrier filters regardless of consent status. Running STIR/SHAKEN call authentication alongside your DNC and TCPA program protects your caller ID reputation and helps ensure compliant calls actually get answered. We covered the mechanics of this in detail in our STIR/SHAKEN compliance guide.

Building This Into Your VoIP Infrastructure

A compliance checklist only works if it’s enforced automatically rather than relying on individual agents to remember each rule on every call. That generally means your dialer needs to handle real-time DNC scrubbing at the point of dial, calling-hour restrictions tied to the called party’s verified location, automatic suppression-list updates the moment an opt-out is logged, and audit-ready records for every call placed.
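
As an added illustration (not code from any dialer platform), here is a minimal pre-dial gate that combines those four controls: suppression lookup, calling hours in the called party's time zone, immediate opt-out capture, and a timestamped audit trail. The class and field names, the `ZZ` state override, and the sample numbers are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo

FEDERAL_WINDOW = (time(8, 0), time(21, 0))         # 8:00 a.m.-9:00 p.m., called party's local time
STATE_WINDOWS = {"ZZ": (time(8, 0), time(20, 0))}  # constructed placeholder for a stricter state

@dataclass
class Contact:
    number: str
    state: str
    tz: tzinfo   # from verified location, e.g. zoneinfo.ZoneInfo("America/Chicago")

@dataclass
class DialGate:
    registry_hits: set                              # numbers flagged by the external DNC scrub
    internal_dnc: set = field(default_factory=set)  # company-wide suppression list
    audit_log: list = field(default_factory=list)

    def _log(self, now, number, event, detail):
        self.audit_log.append({"ts": now.isoformat(), "number": number,
                               "event": event, "detail": detail})

    def record_opt_out(self, number, channel, now):
        """Suppress immediately for every campaign and keep the evidence."""
        self.internal_dnc.add(number)
        self._log(now, number, "opt_out", channel)

    def check(self, contact, now):
        """Return (allowed, reason) for one dial attempt; `now` must be timezone-aware."""
        local = now.astimezone(contact.tz).time()
        start, end = STATE_WINDOWS.get(contact.state, FEDERAL_WINDOW)
        if contact.number in self.internal_dnc:
            verdict = (False, "internal_dnc")
        elif contact.number in self.registry_hits:
            verdict = (False, "national_dnc")
        elif not (start <= local < end):   # assumption: the closing minute itself is blocked
            verdict = (False, "outside_calling_hours")
        else:
            verdict = (True, "ok")
        self._log(now, contact.number, "dial_check", verdict[1])
        return verdict

# Constructed sample data: reserved 555-01xx numbers, fixed UTC offsets instead of zone names.
EASTERN, PACIFIC = timezone(timedelta(hours=-5)), timezone(timedelta(hours=-8))
if __name__ == "__main__":
    gate = DialGate(registry_hits={"+12025550101"})
    now = datetime(2026, 1, 15, 14, 30, tzinfo=timezone.utc)  # 09:30 Eastern, 06:30 Pacific
    print(gate.check(Contact("+12025550123", "NY", EASTERN), now))
    print(gate.check(Contact("+14155550145", "CA", PACIFIC), now))
```

Every blocked attempt is logged as well as every allowed one, so the audit trail shows suppression actually working rather than only the calls that went out.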

This is also where the underlying VoIP and dialer infrastructure matters as much as the policy itself. A PBX and outbound calling setup built with compliance controls at the infrastructure layer removes the guesswork — and the liability — that comes with trying to bolt compliance onto a system that wasn’t designed for it.

Final Word

TCPA and DNC compliance isn’t a one-time setup — it’s an ongoing operational discipline, especially as state-level rules keep expanding and enforcement keeps intensifying. The call centers that stay out of trouble are the ones that treat list hygiene, consent tracking, and documentation as part of daily operations, not as a once-a-quarter audit.

If you’re evaluating whether your current dialer and PBX setup can actually support this level of compliance, get in touch with our team — we help call centers build outbound infrastructure that’s compliant by design.