TCPA & Robocall Regulation

The Telephone Consumer Protection Act (TCPA, 1991) — codified at 47 U.S.C. § 227 — is the federal law that restricts robocalls, auto-dialed calls, prerecorded messages, and unsolicited texts and faxes to consumers. The FCC has long required prior express written consent before any company can contact you by autodialer or prerecorded voice on your cell phone. The Do Not Call Registry (administered jointly by the FTC and FCC) covers 240 million+ registered numbers; telemarketers who call registered numbers face up to $51,744 per violation. The TCPA's private right of action — $500 per violation for negligent violations, $1,500 for willful violations — has made it one of the most heavily litigated consumer protection statutes in the country, generating billions in class action settlements. Despite these rules, Americans receive an estimated 50–60 billion robocalls per year, largely from offshore callers who ignore U.S. law. The TRACED Act (2019) required carriers to implement STIR/SHAKEN caller ID authentication to combat number spoofing, with measurable but incomplete success. In 2024, the FCC tightened the one-to-one consent rule, limiting consent to a single seller per form submission to curb lead generation abuses — a rule with major implications for financial services, insurance, and real estate marketing.

Current Law (2026)

Legal Authority

• 47 U.S.C. § 227(b) — Restrictions on use of automated telephone equipment (prohibits making calls using an automatic telephone dialing system or prerecorded voice to cell phones, emergency lines, or healthcare facilities without prior express consent; prohibits unsolicited prerecorded calls to residential lines)
• 47 U.S.C. § 227(c) — Do Not Call Registry (FCC shall establish a national database of consumers who object to receiving telephone solicitations; telemarketers must check the registry and honor opt-outs; violations subject to penalties)
• 47 U.S.C. § 227(b)(3) — Private right of action (any person who receives a call in violation of the TCPA may bring an action in state court to recover actual monetary loss or $500 per violation, whichever is greater; court may treble damages for willful or knowing violations)

How It Works

The TCPA is one of the most litigated federal statutes in America — generating thousands of lawsuits annually and billions of dollars in class action settlements. Together with the CAN-SPAM Act (which governs email), it forms the core of federal unsolicited communications regulation. It was enacted to combat the growing nuisance of telemarketing calls and has become even more important in the era of robocalls and text message marketing.

The TCPA restricts three categories of calls: calls made using an automatic telephone dialing system (ATDS) or prerecorded/artificial voice to cell phones without the called party's prior express consent (written consent for marketing calls); prerecorded commercial calls to residential landlines without prior express consent; and unsolicited fax advertisements. The TCPA also established the legal foundation for the National Do Not Call Registry — telemarketers must scrub their lists every 31 days. The most litigated question in TCPA law has been what qualifies as an ATDS: the statute defines it as equipment with the capacity to store or produce telephone numbers using a random or sequential number generator. In Facebook v. Duguid (2021), the Supreme Court narrowed the definition, holding that an ATDS must generate random or sequential numbers — not merely dial from a stored list — significantly reducing exposure for businesses using predictive dialers and SMS platforms, though liability for prerecorded and artificial-voice calls remains unaffected. The TCPA applies to text messages identically to phone calls; text message class actions now constitute a major share of TCPA litigation as businesses shift from voice to SMS marketing.

What makes the TCPA uniquely feared is its per-call damages structure: each non-compliant call or text is a separate $500 violation, trebled to $1,500 for willful violations, with a private right of action and no cap. A company that sends 1 million unauthorized text messages faces potential exposure of $500 million to $1.5 billion — enough to destroy mid-size businesses, and enough to sustain an entire plaintiffs' bar specializing in TCPA violations. Despite these penalties, Americans still receive approximately 50 billion robocalls per year, mostly from illegal callers operating offshore at negligible cost per call. The TRACED Act (2019) addressed this structurally by mandating STIR/SHAKEN — a caller ID authentication framework that verifies whether a calling number is legitimate or spoofed — which major carriers have implemented; the FCC has taken enforcement action against carriers that originate or transmit illegal robocall traffic.

How It Affects You

If you receive unwanted robocalls or marketing texts: Register your number at donotcall.gov (free, immediate) — telemarketers must check the registry and honor opt-outs within 31 days. Established businesses with whom you have an existing relationship are exempt from the DNC for 18 months after a transaction. For calls to your cell phone, the TCPA's protections are stronger than the DNC: any call made with an autodialer or prerecorded voice requires your prior express consent regardless of whether you're on the DNC list. If you receive automated calls or texts to your cell phone without consent, you have a private right of action for $500-$1,500 per violation — file a complaint with the FCC at consumercomplaints.fcc.gov and FTC at reportfraud.ftc.gov, or consult a TCPA plaintiffs' attorney who works on contingency. Your carrier also has free call-blocking tools; STIR/SHAKEN authentication now marks many spoofed calls as "Spam Likely" on recent iPhone and Android devices.

If you're still getting calls despite being on the DNC registry: The DNC registry only covers "telephone solicitations" — commercial calls made to encourage you to buy goods or services. It does not cover charities, political organizations, survey firms, debt collectors (FDCPA governs those separately), or businesses with whom you have an existing relationship. The TCPA's prior express consent requirement for automated calls to cell phones is broader and more practically protective than the DNC. For truly illegal robocalls — spoofed numbers, overseas operators, "Rachel from Card Services" type scams — the FCC's STIR/SHAKEN enforcement and gateway carrier actions are your main recourse. Filing complaints through donotcall.gov feeds the FTC's enforcement database; aggregated complaints help identify and prosecute the largest violation networks.

If you're a business doing outbound calling or SMS marketing: The TCPA's $500-per-violation statutory damages structure means a single non-compliant campaign can destroy a company. A text blast to 1 million purchased-list numbers without documented consent creates $500 million in potential exposure — trebled to $1.5 billion for willful violations. Major brands (Papa John's, Capital One, Wells Fargo, Facebook) have each settled TCPA class actions for $75-$500+ million. The FCC's 2024 one-to-one consent rule — effective January 2025 — eliminated the common lead-generation practice of obtaining consent for "marketing partners" in bulk; each marketing consent must now be specific to your company alone. Before sending any marketing text or placing any autodialed call, verify: (1) you have documented prior express written consent specifically naming your company, (2) you're scrubbing against the DNC registry within 31 days, (3) your platform doesn't meet the ATDS definition (post-Duguid), and (4) you have opt-out mechanisms that honor requests immediately.

If you're getting AI-generated or deepfake robocalls: The FCC in February 2024 ruled that AI-generated voices in robocalls are "artificial voices" subject to TCPA restrictions — meaning political campaigns, scammers, and businesses using AI voice technology need prior express consent. The ruling directly responded to an incident where AI-generated robocalls impersonated President Biden to discourage Democratic primary voting in New Hampshire. Criminal penalty proposals for AI robocall impersonation are pending in Congress. If you receive a call you believe is an AI-generated voice from a scammer or political actor, report it to the FCC — these reports feed enforcement actions that can result in multi-million-dollar fines against the originating carriers and callers.

State Variations

• Many states have their own telemarketing and robocall laws that supplement the TCPA
• Some states (Florida, Oklahoma, others) have enacted their own private rights of action with statutory damages
• State do-not-call lists may impose additional requirements beyond the federal registry
• State attorneys general actively enforce both state and federal telemarketing laws
• Some states regulate text message marketing more strictly than federal law — see also Consumer Financial Protection for financial services call restrictions

Implementing Regulations

• 47 CFR Part 64 — FCC rules relating to common carriers (§ 64.1200 — TCPA implementation covering telephone solicitation rules, Do-Not-Call requirements, autodialer restrictions, and prior express consent standards).
• 47 CFR 64.1200 — Delivery restrictions on telephone solicitation (implements TCPA restrictions on autodialed calls, prerecorded messages, and unsolicited fax advertisements; establishes National Do-Not-Call Registry compliance requirements)
• 47 CFR 64.1204 — Private entity submissions of robocall violations (allows private entities to submit evidence of robocall violations to the FCC for enforcement)
• 47 CFR 64.6305 — Robocall mitigation and certification (requires voice service providers to implement STIR/SHAKEN caller ID authentication or a robocall mitigation program and certify compliance in the Robocall Mitigation Database)

Pending Legislation

• S 3370 — Add criminal penalties for willful robocalls, double fines for caller ID spoofing. Status: Introduced.
• S 3354 — Require disclosure when AI used in robocalls/texts, penalties for AI impersonation. Status: Introduced.
• HR 6152 — FCC-led taskforce to trace, authenticate, deter international robocalls. Status: Introduced.
• HR 6449 — Criminal penalties for willful illegal robocalls/texts, double caller-ID fines. Status: Introduced.
• S 2666 (Sen. Budd, R-NC) — FCC taskforce to stop unlawful overseas robocalls. Status: Introduced.
• S 1025 (Sen. Lujan, D-NM) — Let FCC sue to recover unpaid robocall fines over $25M. Status: Introduced.
• HR 1027 (Rep. Sorensen, D-IL) — Require AI disclosure in robocalls/texts, double penalties for AI impersonation. Status: Introduced.

Recent Developments

• Facebook v. Duguid (2021) narrowed the ATDS definition, reducing (but not eliminating) TCPA litigation risk for businesses using stored-number dialers
• STIR/SHAKEN implementation has improved caller ID authentication but illegal robocalls continue, often originating overseas
• FCC has taken aggressive enforcement action against gateway carriers that facilitate illegal robocall traffic
• Text message TCPA litigation has surged as businesses shift to SMS marketing
• The FCC's one-to-one consent rule (2024) requires that marketing consent be specific to a single seller, limiting lead-generation consent practices
• The FCC Enforcement Bureau in March 2026 ordered 35 companies to cure deficiencies in their Robocall Mitigation Database (RMD) certifications, continuing the agency's enforcement push against illegal robocalls through the STIR/SHAKEN authentication framework.
• FCC proposes enhanced Know-Your-Customer requirements for robocall enforcement (April 2026): The FCC circulated a proposal for its April Open Meeting to combat robocalls through enhanced Know-Your-Customer (KYC) requirements for voice service providers, aiming to prevent bad actors from obtaining phone numbers used for illegal robocalling and spoofing schemes.