Legal Insight: Avoid Legal Pitfalls in Telemarketing: Navigating the Telephone Consumer Protection Act

April 22, 2025

This discussion is regarding a business’s use of the phone to directly contact consumers. There are two main federal laws that deal with telemarketing – the Telephone Consumer Protection Act (TCPA) and the Telemarketing Sales Rule (TSR). Both have to be complied with if you are going to use telemarketing. This article focuses on the TCPA. In addition, the TCPA imposes requirements on telemarketing businesses that use faxes. However, those provisions are not covered here.

There are two common ways to violate TCPA: Using technology-enabled phone contact and calling someone on the Do Not Call Registry (DNC).

1. Technology-Enabled Phone Contact: As a general rule, sending unsolicited text messages, using pre-recorded calls, using an automatic telephone dialing system to call consumers’ cell phones, or spoofing are violations of the TCPA. Use of Artificial Intelligence is considered to be a pre-recorded call, even if it is interacting in the moment with your consumer and it is capable of directly responding to the consumer’s specific questions. In order to use any of these methods, you must have prior written express consent.
2. DNC: Calling someone on the Do Not Call Registry is a violation of the TCPA unless:
   • You have express written consent; or
   • You have an established business relationship.

Established Business Relationship

There are two types of established business relationships: inquiries and past transactions. Each of these types of relationships have different timelines for when you can contact potential or past customers.

1. Inquiry – 3 months from the inquiry.
2. Past transaction – 18 months from the last transaction (delivery, purchase, or payment).

Also, while you may already be aware of the federal Do Not Call Registry, there are also some states that have set up their own registries that must be complied with. In addition, you should be maintaining an internal Do Not Call Registry for those who opt out of being called directly from your business in order to mitigate liability (see below regarding the Safe Harbor provision).

The best way to avoid these violations is by getting prior express written consent. It might be helpful to think about that consent being a contract to contact that specific customer, because that is how a court will evaluate the consent you received. The burden of proving the enforceability of that contract is on the person who is contacting the consumer. If you are the person initiating the call or text to a consumer, you will have to prove that the consumer consented. So, when looking to defend against these claims in a lawsuit, you have to ask, “Would a court enforce this contract I have in which this customer gave me express written consent to contact them?” This requires you to look at your process of getting consent and how to initiate contact to mitigate liability.

Things to Consider to Reduce Your Liability

This list is not exhaustive but may help you in thinking through your current process for contacting your customers.

Safe Harbor Provision

The TCPA specifically has a Safe Harbor provision, which is a defense to a DNC claim. It requires policies to be put in place and followed as part of routine business practice. It is intended as a defense if you have called someone in error. You must:

1. Have a written procedure in compliance with the DNC rules;
2. Train your personnel regarding the procedure;
3. Maintain an internal do-not-call list;
4. Have a process to prevent calls to any list that has been established for compliance with DNC rules; and
5. Have a process that ensures that the purchase of any DNC database is solely used for compliance with DNC rules.

Operations and Creating Your Own Internal Policy:

1. Keep records of your workflow for obtaining consent, and keep your consents in an easily readable and downloadable format. You will need them if someone claims they never consented. Your attorneys will need to be able to pull them to provide to the court. If it’s full of other data, there will be a great deal of time spent redacting or trying to extract this data, which can also affect the quality of the data to prove you received consent. You need to not just show that you have consent, but also how you received it to prove they did indeed consent. 
2. Would the method that you are currently using to gather consent allow for contacting the wrong person? In other words, does your method allow someone to give you someone else’s name and number without that person’s consent? This would generally mean you don’t have a contract, and thus don’t have consent.
3. Do you use vendors that have policies that require them to follow TCPA requirements? Have you checked those policies and vetted them for prior lawsuits for TCPA violations? How trustworthy is their network and processes? One thing to keep in mind is that the TCPA statute generally doesn’t allow for contribution or indemnity for liability of TCPA violations. Which protections you may get for the wrong actions of a vendor is going to depend on your contracts with them. This will include if they have technology failures that cause a violation, such as not opting out your customers once they’ve requested to not be called anymore. Or, if you are buying leads from aggregators, do you know if they are properly getting consent specific to you, as opposed to getting consent specific to the aggregator? You need the consent from the consumer that is specific to you contacting them.
4. Do you update your consumer contact information regularly? Phone numbers get reassigned. You may be contacting someone on the DNC registry, even though you received consent from the prior consumer. The phone number is not what granted consent; the person you contacted did. You must keep up-to-date with your customers’ consents to make sure they are still valid for the person you are contacting. Your contract with your consumer is solely valid to the consumer you specifically received consent from. Also, keeping data indefinitely opens you up for liability in other areas such as privacy and data breach laws. It is highly recommended to establish automatic deletion of stale data. Assuming they haven’t already opted out of communications, if there is a consumer inquiry or prospect you haven’t heard from in three months, delete them. If it’s been 18 months from someone’s last purchase, delete them. Make it part of your internal policy and train your personnel on the deletion protocol.
5. How are you handling verifications of the consumer you are contacting for the first time? If you are texting individuals, do you have an opt-in message for your first text to make sure someone at that number is specifically consenting to the contact?
6. Do you have a clear opt-out process that works? If individuals are still receiving messages after opting out, you can be liable for violations of the TCPA.
7. What are your own policies for contacting customers via phone? Do you have a training process to educate your personnel that is initiating contact? It’s not just a tool for liability mitigation, it’s also a customer service issue to have staff that is well-trained on how to properly handle calls administratively, not just as good salespersons.
8. Consult an attorney familiar with the TCPA about your specific workflow and processes. There are several exceptions for certain types of messages and purposes of the messages. It will also be important to talk through the potential issues with how you collect consent. An attorney would be able to assist with pointing out potential gaps.

Violations

TCPA violations range from $500 up to $1,500. These are statutory damages that are assessed per call. While this seems low, when there is a class action, $500 per call can add up to a large sum of money. This is not per person; it is per call. If a consumer was unlawfully called five times, they would be entitled to $2,500. Multiply that across however many consumers are being contacted without consent, and the potential damages rapidly increase. The damages in these cases can, and have, quickly become millions.

Summary

As a general rule, get prior express written consent before contacting consumers through the phone; keep a record of that consent; set up policies for compliance with the TCPA laws and enforce them; and regularly update your consumer data, including the deletion of stale data.