If your business relies on SMS, voice, or other forms of phone-based outreach in the U.S., then TCPA compliance isn't optional - it’s essential.
The Telephone Consumer Protection Act (TCPA) lays out clear rules around how and when you can contact consumers, and the penalties for getting it wrong can be steep.
Fortunately, compliance doesn’t have to be complicated.
In this Telerivet article, we break down the key requirements of the TCPA in plain terms - covering everything from consent and opt-outs to timing, record-keeping, and robocalls - so you can better understand your obligations and reach your audience legally, ethically, and effectively.
However, I want to make it very clear that any time you deal with regulations and compliance for your business, you should consult a relevant legal professional. I am not a lawyer and this article cannot be understood as legal advice. You shouldn’t get legal advice from blogs or ChatGPT.
We’ll cover:
- What is TCPA?
- 8 Step TCPA compliance checklist
- 1: Obtain consent
- 2: National Do Not Call Registry
- 3: Respect opt-out requests
- 4: Time-of-day restrictions
- 5: Provide identification
- 6: Automated call restrictions
- 7: Text message compliance
- 8: Maintain call logs and records
What is TCPA?
TCPA stands for the Telephone Consumer Protection Act of 1991.
This is legislation in the U.S. that covers regulations relating to phone communications and related areas.
Currently, it's the most relevant piece of legislation for those of us who work in communications and care about sending texts or making phone calls - and doing it all ethically and legally.
The legislation covers everything from older technology like faxes through to phone calls, text messages, voicemails, and VoIP calls.
If you want to use these channels to make sales and do marketing - i.e. to solicit - then you need to make sure you're in compliance with the Telephone Consumer Protection Act, at least in America.
Within the EU, there are very similar rules, and the UK carries similar rules as well. Other parts of the world will have their own specific legislation, so it's worth checking what the regulations are both in the areas in which you operate and in the areas where your customers or prospects might be based, in case that is different.
The TCPA covers a range of different things and lays out a series of violations and the fines for those violations.
For example, if you were to run a whole load of sales prospecting or telemarketing calls in the early hours of the morning, then you could be in violation of the TCPA.
If reported and caught for these violations, you could incur fines of up to $1,500. And that's not just for the overall action.
If you have an automated system, for example, calling huge numbers of people, and aspects of that automated system are not in compliance with the TCPA, then you could find yourself fined for each of those calls - not just for the one campaign. So those types of fines can really add up.
8 Step TCPA compliance checklist
If you want to avoid falling foul of the TCPA, then there are a few steps you can take.
For the most part, these steps aren't particularly complicated, and they give you a lot of space within which to operate.
The legislation in question wants to protect consumers, but it also wants to allow businesses to be able to operate.
Many of the things in this list are just non-spam actions and good business practice.
For example - why would you want to cold call someone at 2 in the morning? You wouldn’t. So the legislation stopping you from doing so isn’t harming you in any way, and it's definitely protecting the consumer.
The more people who abuse the system and break these rules, the less trustworthy that channel becomes - and probably the less successful this channel becomes as a means of selling and marketing.
By following the rules, complying with the TCPA, and respecting the other person on the other end of the phone, you're benefiting your business, but you're also benefiting the industry and the sector by keeping it all above board and respectable.
Let’s dive in.
TCPA compliance checklist #1: Obtain consent
The TCPA really demonstrates the difference between phone channels and email channels.
One of the most important distinctions is the requirement to obtain consent.
If you want to make sales or marketing calls to people in the United States of America, you must have written consent from the consumer. They must have opted in to receive these calls.
There are many different ways someone can consent to you calling them. It could be through a physical form, it could be online forms, it could be through text message opt-ins, or it could be them checking a box as they create their account on your website.
But you should clearly explain that you may want to call them, and that they are giving their consent to those communications.
Beyond that, once the consent is given, you as a business have the responsibility to keep records of that consent and to keep the consent status up to date.
You should have a system in place to be able to see who has consented, who has not consented, who has withdrawn their consent, and who has updated their consent.
What this essentially means is that if you are doing sales or marketing calls, you should have a CRM in place where you are keeping and recording this information.
There are many good CRMs available on the market.
TCPA compliance checklist #2: National Do Not Call Registry
In America, we have what's called the National Do Not Call registry - or the DNC registry.
Your company should make sure that you are not contacting customers who join that registry. You shouldn't be prospecting to people who are on that registry because they have explicitly opted out - not just directly with you, but opted out in general from all communications of this sort.
The responsibility is on you to check and cross-reference against the Do Not Call registry.
A common practice is for companies to maintain an internal DNC list and to honor any opt-out requests for at least a significant period of time.
This might be five years, or it could be longer. You could make your company policy ten years if it made you happy. Five years is a fairly typical amount of time to remain in compliance with TCPA legislation.
TCPA compliance checklist #3: Respect opt-out requests
Equally, when a customer requests that you don't call them - when they opt out, when they write it in an email, when they scream at you over the phone, when they send you a text, or when they shout at you in the street - perhaps even send a carrier pigeon - you have to honor their decision to opt out.
Under the TCPA, you're required not just to honor the opt-out, but to do so promptly — the FCC now requires opt-out and consent revocation requests to be honored within 10 business days
As a further dimension of this, if you're sending marketing communications, you should include an opt-out method in every interaction.
This is super easy, and most of the main marketing communications platforms will include opt-out features built in. Most of the time when you send an email - any kind of mass email sent from a marketing platform - the unsubscribe functionality is built into either the header or the footer of the email, often in such a way that it's integrated with, for example, Gmail's internal systems so that someone can one-click unsubscribe from your email.
Again, you might think that this is bad for your business, but it's not.
Someone who wants to one-click unsubscribe from your email was unlikely to be a high-paying customer for you anyway.
This improves your list. It gives you fewer unnecessary contacts to pay for, lowers your bounce rate, improves your reply proportions, and your overall email health.
These protections are good for the consumer, but they're also good for you.
TCPA compliance checklist #4: Time-of-day restrictions
We've already covered this one, but it bears repeating - because it's so annoying if you receive a call promoting something at a very early or very late time.
Fortunately, legislation like this means that if you do receive a sales call very early in the morning or very late at night, you can be almost certain it's a spam call. The TCPA specifies the times at which you are allowed to do this kind of sales prospecting or telemarketing.
The morning cutoff is 8:00 a.m., and the evening cutoff is 9:00 p.m. Before 8 or after 9 - don’t think about it. You can’t make those communications then.
And 8 or 9 is not based on your time zone - it’s based on the consumer’s time zone. So you should also be tracking and keeping count of where someone is based at a given point in time.
Are they in New York, on the East Coast, on Eastern Time? Or are they in San Francisco, on the West Coast, on Pacific Time? Or are they somewhere in the middle?
Do you want to do calls at 8 in the morning? If you're not sure of someone's time zone, you could very easily be calling outside the legally allowed times.
A safer plan of action is to do these calls late morning, lunchtime, or early afternoon - during what would likely be people’s working hours anyway. That way, you don’t fall outside these time-of-day restrictions.
Of course, there are some exceptions to these rules. Any emergency calls will be fine to do outside of those hours.
But use your common sense. If the consumer will appreciate that it’s an emergency, they won’t mind that you contacted them. If the consumer is not going to agree with your assessment of the emergency, then they might be annoyed that you contacted them during hours you’re not allowed to.
This is a space where common sense is a very useful addition.
TCPA compliance checklist #5: Provide identification
Continuing on the theme of common sense - when you call someone, you should identify who you are and what business you’re with.
This is very important, not just because it’s polite and how communication should be undertaken, but because the TCPA requires it.
You have to provide your name, provide the company’s name, and by some means, provide the phone number or address where that person can contact you.
This is good practice for creating transparency, building trust, and letting someone understand what they’re committing their time to.
This will also, again, save you time. Some people will not be good prospects for you from the beginning. Being open and honest with who you are weeds those people out, saves you time, and gives you a better chance of finding the customers that are right for you.
Further to that - building trust in these relationships is huge. Particularly as, nowadays, most people have secure logins online and use their phones less.
People are less comfortable with giving out details on the phone and any revealing information.
This is, of course, a typical way that people can get scammed and exploited.
So remember - you should be open and honest so they feel trust.
TCPA compliance checklist #6: Automated call restrictions
This one’s very relevant for Telerivet customers.
Telerivet gives you the ability not just to use SMS, WhatsApp, Viber, MMS, and more within a complete connectivity platform - but it also provides voice and IVR.
IVR is Interactive Voice Response.
But IVR can come under the category of robocalling or automated calling.
If you're using voice response in outreach - rather than voice response to deal with inbound concerns - then it’s important you consider the TCPA’s position on robocalling.
If you want to use robocalling or artificial voices of any kind, you need to have explicit permission from the customer to allow you to do this.
You also need to provide an opt-out method within that automated system.
So this is a further set of consent - above and beyond outreach. This is explicit consent to automated calling.
This sounds difficult to get, but if you fold the automated calling into other consent requests - and explain why you would use this, when you would use this, and what benefit this has for the customer - clearly and concisely, then you're probably going to find that customers are happier to give consent.
TCPA compliance checklist #7: Text message compliance
Under the TCPA, it’s not just phone calls that have to adhere to these strict guidelines - it’s also SMS and MMS.
Now, there are varying perspectives on how compliant someone needs to be in order to be safe in how they send their messages.
Everything we’ve said so far about phone calls also applies to SMS messages. So, you should only be contacting people who have agreed and opted in - actively - to receive marketing communications.
marketing texts generally follow the same consent rules as calls, so the same caution applies
However, some people will tell you that you need to include an opt-out on every text message you send.
I think it would be worth checking with a communications lawyer - as I am not one - before you determine your company policy.
However, the first message in an instance of outreach is probably the message to include the opt-out in.
Follow-up messages may not need that explicit opt-out.
For example, with Telerivet, you can use the Campaign Manager to set up flows where a text message provides some information to the consumer and they can reply to it, and an automated second message will be sent.
These flows can be very simple, but they can also be multi-step - and, in essence, conversational.
The follow-up messages in that flow are unlikely to need their own explicit opt-outs.
But the first message in that flow may benefit from an opt-out option.
That first opt-out option may then cover the opt-out requirements of the following messages within the same conversation.
However, I’m not a lawyer, and I’m not offering legal advice.
TCPA compliance checklist #8: Maintain call logs and records
For the final point on our TCPA compliance checklist, it’s quite a simple one - and it applies to any legislative compliance that you are aiming for.
If you want to be compliant, you must be able to demonstrate not just that you are compliant, but that you have been compliant.
In that, you need to keep logs and records.
It is vital that you keep the records of calls you have made, texts you have sent, and communications in general.
This is not hard to do, as the platforms you're using to send this outreach typically keep that information - unless you choose to delete it.
So don’t delete it.
What you also have to do, as previously mentioned, is keep good records of opt-in and opt-out status.
This means you should have a CRM that aligns with the logs of the calls and messages you’ve sent, and shows who can and cannot be contacted.
This is compliance 101.
And if you want to be TCPA compliant, you’ll need to do it.
If you want to be compliant with other areas of legislation, you’ll need to record and keep logs of the other things you do.
This is called doing business.
It’s also just very useful for you to keep these logs and records, because you want to prove that you have been following the law and haven’t been breaking the regulations.
These records and logs can also keep records of employee training you might have done - to show that the people who are responsible for these calls and messages understand the TCPA and understand what they’re required to do.
And it may include any adaptations you’ve made to your policies in response to regulatory changes or updates.
Keep everything.
Again, violations of the TCPA do come with fines.
Those fines can go up with the number of violations. Each violation could be $500 to $1,500, and so it can really add up to large amounts of money.
To keep up with changes to the TCPA, you can check out the FCC and FTC websites, where they’ll post updates or clarifications on TCPA regulations.
Beyond that, speak to a lawyer, and keep up to date with industry news - such as subscribing to our newsletter here at Telerivet, or reading our blog.
Telerivet: Messaging when it matters
Trusted by Fortune 500 companies, NGOs, governments, cutting-edge tech firms, and universities in 150+ countries, Telerivet's cloud-based platform makes it reliable, resilient, and flexible to communicate at scale via text and voice.
Engage your audience anywhere
Ensure complete global service reach that supports large-scale communication via SMS, voice, chat, WhatsApp, RCS, MMS, and micropayments.
Trust our tech when you need it
High reliability for essential communication needs. A CPaaS built to thrive in challenging use cases.
Tailored solutions for your needs
Create engagements and workflows that fit your needs and networks with our solutioning engine, APIs and campaign builder.
“Our lives are a million times easier because of Telerivet. We're growing exponentially, doubling our reach every year... and it's Telerivet's technology that makes this all possible.” - MyAgro
"The user interface is very intuitive and detailed, making it easy to set up. The few times we have required technical support, or had a query about a needed feature, the response has always been quick." - Médecins Sans Frontières (Doctors Without Borders)
"One of the most important aspects of a tool like Telerivet is the user interface. We have hundreds of people across the region relying on Telerivet for their daily tasks, and we need to provide them with the most efficient way of accomplishing that." - Grab
Sign up now or contact us to chat about how we can help you implement reliable, resilient, and flexible communications.