TCPA and DNC Compliance Guide: What Every Business Needs to Know Before Sending a Text or Making a Call
If your business sends text messages or makes outbound calls to customers or prospects in the United States, two regulatory frameworks sit at the center of everything you do: the Telephone Consumer Protection Act (TCPA) and Do Not Call (DNC) regulations. Understanding both — and the relationship between them — isn’t optional. It’s the compliance foundation your entire outbound communications program depends on.
Violations aren’t a slap on the wrist. TCPA penalties range from $500 to $1,500 per individual message or call, and enforcement can come from federal regulators, state attorneys general, and private plaintiffs through class-action litigation. For businesses operating at any meaningful volume, a single compliance gap can become an existential financial risk almost overnight.
This guide breaks down what TCPA and DNC compliance actually require, where businesses most commonly get it wrong, how exemptions work, and how these regulations connect directly to your 10DLC registration and A2P messaging strategy.
What Is the TCPA and Who Does It Apply To?
The Telephone Consumer Protection Act was enacted in 1991 and has been expanded significantly through FCC rulemaking and federal court decisions in the decades since. At its core, the TCPA restricts unsolicited telemarketing calls, robocalls, automated text messages, and fax transmissions to consumers.
The law applies broadly — not just to traditional telemarketers. If your business operates in e-commerce, healthcare, finance, insurance, real estate, staffing, legal services, home services, or virtually any other industry that uses SMS or outbound calling as part of its customer communication or lead generation strategy, TCPA applies to you.
Key activities regulated under TCPA include:
- Automated or prerecorded voice calls to mobile and residential numbers
- Text messages sent using an automatic telephone dialing system (ATDS) or similar technology
- Unsolicited fax transmissions
- Calls or texts to numbers on the National Do Not Call Registry
The statute gives consumers the right to sue for violations directly, which has made TCPA one of the most litigated consumer protection statutes in the country. Class actions are common, and per-message damages that seem manageable at small scale can become catastrophic when multiplied across thousands or millions of contacts.
Express Written Consent: The Foundation of TCPA Compliance
The single most important concept in TCPA compliance for marketing communications is prior express written consent. Before sending any marketing text message or making any marketing call using automated technology to a mobile number, you must have documented, explicit consent from the recipient.
“Written” in this context doesn’t require a handwritten signature. It can be captured digitally — through a web form, a keyword opt-in, an electronic signature, or another documented method — but it must meet specific requirements to be valid:
- The consent must be a clear, affirmative action by the subscriber (not pre-checked boxes or assumed agreement)
- The language must clearly disclose that the subscriber is agreeing to receive autodialed or automated marketing messages
- The disclosure must identify the business that will be sending messages
- The consent must not be conditioned on purchasing a product or service
This last point is critical and frequently overlooked. Requiring a customer to opt in to marketing messages as a condition of completing a purchase is a TCPA violation. Consent must be freely given.
Your consent records should capture the subscriber’s phone number, the date and time of consent, the exact language they agreed to, and the channel through which consent was obtained. These records are your primary defense in the event of a regulatory inquiry or litigation, and gaps in documentation are among the most common reasons TCPA claims succeed against businesses that otherwise believed they were compliant.
Opt-In and Opt-Out Requirements
TCPA compliance isn’t a one-time event — it’s an ongoing obligation. Getting consent correctly at the point of sign-up is essential, but so is honoring that consent relationship over time, which means maintaining clear and functional opt-out mechanisms.
For SMS programs, every message in a marketing context should include opt-out instructions. Industry best practice — and increasingly, carrier policy under 10DLC — requires that subscribers be able to opt out by replying with standard keywords like STOP, QUIT, CANCEL, END, or UNSUBSCRIBE. Upon receiving an opt-out reply, you must:
- Immediately cease all marketing messages to that number
- Send a single confirmation message acknowledging the opt-out
- Never send another marketing message to that number unless the subscriber actively re-opts in
Failure to honor opt-outs promptly and completely is one of the most common TCPA violations and one of the most indefensible. The documentation trail is clear — if a subscriber sent STOP and you kept messaging them, there’s no ambiguity.
For voice calling programs, opt-outs must similarly be honored immediately and maintained in a company-level internal DNC list. That internal list must be scrubbed before each new calling campaign to ensure opted-out numbers are excluded.
Federal and State Do Not Call (DNC) Regulations
The National Do Not Call Registry, maintained by the Federal Trade Commission, allows consumers to register their phone numbers to block most unsolicited telemarketing calls and texts. Businesses are required to scrub their calling and texting lists against the registry at least every 31 days and must stop contacting any registered number unless a specific exemption applies.
However, the federal DNC registry is only the starting point. State-level DNC regulations add a significant additional layer of complexity that many businesses underestimate — particularly when operating in states with their own telemarketing statutes.
States including Florida, Oklahoma, and others maintain their own do-not-call lists with registration requirements and enforcement mechanisms that are independent of the federal registry. Some state laws are stricter than TCPA in meaningful ways — different consent standards, shorter opt-out timelines, broader definitions of automated messaging, or lower thresholds for what constitutes a violation. Businesses that operate nationally need to be aware of the specific requirements in each state where their customers are located, not just the federal baseline.
Maintaining compliant calling and texting lists requires:
- Regular scrubs against the National DNC Registry (minimum every 31 days)
- Scrubs against applicable state DNC lists
- Maintenance of an internal DNC list that captures all consumer opt-outs from your own programs
- Documentation of scrub dates and list versions used for each campaign
Key TCPA Exemptions and When They Apply
Not every call or text message is subject to the full weight of TCPA consent requirements. Understanding the available exemptions — and their specific limitations — can give businesses meaningful operational flexibility without creating compliance exposure.
The established business relationship (EBR) exemption allows businesses to contact existing customers about the products or services they’ve purchased or inquired about, without obtaining prior express written consent, for a defined period of time. However, this exemption has limits: it applies to informational and transactional communications, not open-ended marketing, and it doesn’t override a consumer’s opt-out request.
The informational/transactional exemption covers messages that are non-promotional in nature — appointment reminders, order confirmations, delivery notifications, account alerts, and similar communications. These messages can typically be sent without marketing-level consent, provided they don’t include promotional content. The moment a transactional message includes an upsell, a promotional offer, or a marketing call to action, it loses its transactional status and requires full marketing consent.
The emergency exemption allows contact without prior consent when messages or calls are made to protect the health or safety of the recipient or others. This is a narrow exemption with a high bar — it’s not a loophole for urgent marketing.
Exemptions are frequently misapplied by businesses that stretch their scope beyond what the law actually supports. If you’re relying on an exemption to justify contact with a consumer, having legal counsel review that determination is well worth the investment.
How TCPA Connects to 10DLC and A2P Messaging
For businesses using SMS at scale, TCPA compliance and 10DLC (10-digit long code) registration are not separate concerns — they are deeply interconnected. The 10DLC framework, implemented by major US carriers to govern application-to-person (A2P) messaging, requires businesses to register their brand and campaigns before sending messages through long-code phone numbers.
As part of the campaign registration process, carriers and TCR (The Campaign Registry) evaluate the consent practices behind your messaging program. Campaigns that lack clearly defined opt-in flows, that can’t document how consent is obtained, or that have evidence of poor consent practices will face registration rejections, message filtering, or throughput restrictions.
More broadly, your TCPA compliance posture directly affects your carrier trust scores. High complaint rates, high opt-out rates, and evidence of messaging contacts who didn’t truly consent all degrade your sender reputation with carriers — leading to message filtering that can silently kill your deliverability even when your messages technically route. A program built on solid TCPA-compliant consent practices produces better engagement signals, better trust scores, and better deliverability outcomes across the board.
The FCC’s continued expansion of consent requirements — including recent rulings tightening the rules around lead generation consent and one-to-one consent requirements — means that businesses relying on broad, shared consent from third-party leads are facing increasing scrutiny. Building your program on first-party, properly documented consent isn’t just best practice; it’s increasingly the only defensible approach.
Common TCPA Compliance Mistakes to Avoid
Even businesses that believe they’re operating compliantly often have gaps that create meaningful exposure. The most common issues include:
Relying on implied or assumed consent. The fact that a customer gave you their phone number — even in a business context — does not constitute prior express written consent to receive automated marketing messages. Consent must be explicit and documented.
Using outdated consent records. Consent obtained years ago under different terms, or through a third party whose practices you can’t verify, is not reliable consent. Regularly auditing the age and quality of your consent records is essential.
Inconsistent opt-out honoring. Opt-outs must be honored across all channels and all campaigns. A subscriber who opted out of one campaign type must be excluded from all marketing until they affirmatively re-opt in.
Ignoring state-level requirements. Federal TCPA compliance is the floor, not the ceiling. State laws in Florida, Oklahoma, and other states add requirements that businesses operating nationally must address.
Inadequate vendor oversight. If you use a third-party SMS platform, dialer, or lead generation vendor, their compliance practices become your compliance risk. Contracts should clearly define responsibilities and you should regularly verify that vendors are operating within TCPA standards.
Building a Compliance Foundation That Protects Your Business
TCPA and DNC compliance isn’t a set-it-and-forget-it checklist. It’s an ongoing operational commitment that requires current consent documentation, functioning opt-out processes, regular list scrubbing, and a clear understanding of how the rules apply to your specific use cases and industries.
The businesses that get this right gain a real competitive advantage — not just in avoiding penalties, but in building higher-quality contact lists, better carrier standing, and more trustworthy customer relationships. The businesses that get it wrong face per-message liability that can scale from a nuisance into a crisis with alarming speed.
Stay Current on SMS Compliance and A2P Best Practices
Regulations evolve, carrier policies update, and FCC guidance shifts. Subscribe to the mytcrplus.com YouTube channel for ongoing coverage of TCPA updates, DNC compliance guidance, 10DLC registration best practices, and everything your business needs to keep its messaging and calling programs compliant and high-performing.
Getting the compliance foundation right is the most important investment you can make in the long-term viability of your outbound communications strategy.
