by Leadgen Team

TCPA Compliance Checklist for B2B Lead Generation

TCPA violations cost $500 to $1,500 per message, and class action settlements topped $1.2B in 2025. This checklist covers every consent, documentation, and technical safeguard you need.

Compliance, TCPA, Legal, B2B

The Telephone Consumer Protection Act (TCPA) is one of the most aggressively enforced consumer protection laws in the United States. Violations carry penalties of $500 per unsolicited call or message, with willful violations reaching $1,500 each. In 2025 alone, TCPA class action settlements exceeded $1.2 billion.

For B2B lead generation operations, TCPA compliance is not optional. Even business-to-business communications fall under TCPA regulation when they involve automated dialing, pre-recorded messages, or text messages to mobile phones. Here is a comprehensive checklist to protect your operation.

Prior Express Written Consent

The foundation of TCPA compliance is prior express written consent (PEWC). Before sending any automated text message or making any automated call to a prospect, you must have documented evidence that they agreed to receive communications.

Consent must be: clearly and conspicuously disclosed to the consumer, signed (electronically or physically) by the person being contacted, specific about the type of communications they will receive, and not a condition of purchasing any product or service.

Your consent language should name the specific company or companies that will be communicating. The FCC's one-to-one consent rule, effective January 2025, requires that each lead provide separate consent for each company that will contact them. Blanket consent covering "our partners" is no longer sufficient.

The Do Not Call Registry

Maintaining and regularly checking the National Do Not Call (DNC) Registry is a baseline requirement. Your operation must scrub prospect lists against the federal DNC registry at least every 31 days. You must also maintain an internal DNC list and honor removal requests within a reasonable time, typically 24 to 48 hours.

For B2B operations, the established business relationship (EBR) exemption allows calls to existing customers for up to 18 months after their last transaction. However, this exemption does not apply to text messages, and it does not override an explicit DNC request from the contact.

Consent Documentation Requirements

Every consent record should capture the following data points at minimum:

- The full name and phone number of the person who consented.
- The exact date and time of consent (with timezone).
- The specific language the person agreed to, including the consent disclosure text.
- The method of consent capture (web form, paper form, verbal).
- The IP address or device identifier if collected online.
- The URL of the page where consent was given.

These records must be stored in an append-only format. Consent records should never be edited or deleted. If a prospect revokes consent, you add a new revocation record rather than modifying the original consent record. This audit trail is your primary defense in any TCPA dispute.

Technical Safeguards

Your technical infrastructure needs to enforce compliance automatically, not rely on human processes that can fail. Key technical requirements include:

- Automated DNC scrubbing before every campaign send.
- Real-time consent verification before every outreach touchpoint.
- Rate limiting to prevent excessive contact frequency.
- Automatic opt-out processing for stop words like STOP, UNSUBSCRIBE, CANCEL, and similar variations.
- Time-of-day restrictions that prevent contacts before 8 AM or after 9 PM in the recipient's local timezone.

These safeguards should be fail-closed, meaning that if the consent check fails or returns ambiguous results, the system blocks the outreach rather than proceeding. A false negative (blocking a consented contact) is far less expensive than a false positive (contacting someone without consent).
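
The sketch below is an added example, not code from the original post. It combines the append-only consent record described under Consent Documentation Requirements with a fail-closed pre-send gate. The names ConsentEvent, ConsentLedger, handle_inbound and may_contact are hypothetical, and the in-memory list stands in for durable append-only storage.

```python
from dataclasses import dataclass
from datetime import datetime, time

STOP_WORDS = {"STOP", "UNSUBSCRIBE", "CANCEL"}  # keywords named in the checklist

@dataclass(frozen=True)
class ConsentEvent:  # hypothetical record shape
    phone: str
    company: str     # consent is tracked per company (one-to-one rule)
    kind: str        # "consent" or "revocation"
    at: datetime     # timezone-aware timestamp

class ConsentLedger:
    def __init__(self):
        self.events = []  # append-only: records are never edited or deleted

    def append(self, event):
        if event.kind not in ("consent", "revocation") or event.at.tzinfo is None:
            raise ValueError("malformed consent event")
        self.events.append(event)

    def has_consent(self, phone, company):
        mine = [e for e in self.events if (e.phone, e.company) == (phone, company)]
        # Latest event decides; on a timestamp tie the revocation wins.
        return bool(mine) and max(
            mine, key=lambda e: (e.at, e.kind == "revocation")).kind == "consent"

def handle_inbound(ledger, phone, company, body, now):
    """Record a revocation when the reply is a stop word; return True if it was."""
    if body.strip().upper() in STOP_WORDS:
        ledger.append(ConsentEvent(phone, company, "revocation", now))
        return True
    return False

def may_contact(ledger, dnc, phone, company, recipient_tz, now):
    """Fail-closed gate: returns (allowed, reason); any doubt or error blocks."""
    try:
        if recipient_tz is None or now.tzinfo is None:
            return (False, "ambiguous_time")
        if phone in dnc:
            return (False, "dnc")
        if not ledger.has_consent(phone, company):
            return (False, "no_consent")
        local = now.astimezone(recipient_tz).time()
        if not (time(8, 0) <= local < time(21, 0)):  # 8 AM to 9 PM local
            return (False, "quiet_hours")
        return (True, "ok")
    except Exception as exc:  # lookup failure or bad input: block, never send
        return (False, "error:" + type(exc).__name__)
```

Logging the returned reason for every decision gives the per-send evidence trail discussed under Record Retention.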

Text Message Specific Requirements

SMS and MMS messages carry additional requirements beyond voice calls. Every automated text message must include: clear identification of the sender, a disclosure that the message is an advertisement (if applicable), and a clear mechanism to opt out. The opt-out mechanism should be as simple as replying STOP.

When a recipient sends STOP or any similar opt-out keyword, your system must immediately cease all automated messages to that number. The opt-out must be processed within seconds, not hours. Sending even one additional message after a STOP request constitutes a separate TCPA violation.

Record Retention

TCPA lawsuits can be filed up to four years after the alleged violation in some jurisdictions. Your consent records, DNC lists, campaign logs, and opt-out records should be retained for at least five years.

This retention requirement applies to all supporting documentation, not just the consent form itself. If your system logs show that a consent check passed before each outreach, those logs are valuable evidence. If your system cannot produce these logs, you have a documentation gap that a plaintiff's attorney will exploit.

Multi-State Considerations

Several states have their own telephone consumer protection laws that impose additional requirements beyond the federal TCPA. Florida, Oklahoma, and Washington have particularly strict state-level regulations. If your lead generation operation contacts prospects across multiple states, your compliance framework must account for the strictest applicable regulation.

The safest approach is to design your compliance framework around the most restrictive requirements and apply them universally. This is simpler to implement than maintaining state-by-state compliance logic and eliminates the risk of accidentally applying the wrong rules.

Regular Compliance Audits

Compliance is not a one-time setup. Schedule quarterly audits that review: consent capture processes, DNC list maintenance, opt-out processing speed, time-of-day restriction accuracy, record retention completeness, and campaign logs for any anomalies.

Each audit should produce a documented report with findings and remediation steps. These audit records become part of your compliance documentation and demonstrate good faith effort in any regulatory inquiry.

The Cost of Non-Compliance

A single TCPA lawsuit involving 10,000 unsolicited messages at $500 per violation exposes your company to $5 million in potential liability. Class action suits routinely reach eight figures. The math is straightforward: investing in proper compliance infrastructure costs a fraction of a single settlement.

Build consent tracking into your lead generation pipeline from day one. Make compliance automated, not manual. Maintain complete audit trails. The companies that treat TCPA compliance as a core infrastructure requirement, rather than an afterthought, are the ones that scale without legal risk.
