The TCPA Explained: Understanding the Law Behind Unwanted Calls and Texts

Everyone has received a call or text they never asked for. Maybe it came in at dinner. Maybe it was the third one that week from the same number. Maybe you didn’t recognize the company, or you’d already told them to stop. Whatever the specifics, the experience shares a common quality: it feels like a violation. Your phone is personal. Your attention is finite. And someone decided their message was more important than your preference not to receive it.

The Telephone Consumer Protection Act — the TCPA — exists specifically because Congress recognized that dynamic and decided to do something about it. Signed into law in 1991 and significantly strengthened in the decades since, the TCPA is the primary federal framework governing how businesses may contact consumers by phone and text. It is also one of the most heavily litigated consumer protection statutes in the United States, generating thousands of lawsuits annually against companies ranging from small local businesses to Fortune 500 corporations.

If your organization makes outbound calls, sends automated text messages, or uses any technology that touches consumer phone numbers, understanding the TCPA isn’t optional — it’s one of the most important pieces of regulatory knowledge your compliance team can have.

What the TCPA Actually Covers

The TCPA was originally designed to address the explosion of telemarketing calls that followed the widespread adoption of the telephone as a commercial tool. But its scope has expanded significantly over time, and today it covers a broad range of contact methods and technologies.

At its core, the TCPA restricts the use of:

• Automatic telephone dialing systems (ATDS), commonly called autodialers, to call or text cell phones without prior consent
• Prerecorded or artificial voice messages delivered to residential landlines or cell phones without consent
• Fax machines used to send unsolicited commercial advertisements
• Any call or text made to a number registered on the National Do Not Call Registry without a qualifying exemption

The law applies across industries. It doesn’t matter whether you’re a bank, a retailer, a political organization, a nonprofit, or a healthcare provider — if you’re using automated technology to reach consumers on their phones, the TCPA has something to say about how you do it.

What Triggers TCPA Liability

TCPA liability is triggered when a business contacts a consumer using covered technology without meeting the applicable consent standard, or when it contacts a consumer who has previously opted out of receiving messages. The law also imposes liability for violations of the Do Not Call rules, inadequate call disclosures, and calls made outside permitted hours.

The consent requirements are where most businesses run into trouble — not always through intentional disregard for the law, but through misunderstanding what level of consent the TCPA actually requires. There are three distinct consent standards under the TCPA, and they apply differently depending on the nature of the contact:

Prior express consent applies to informational calls and texts made using an autodialer or prerecorded voice. This is the baseline standard. To meet it, the consumer must have provided their phone number in the context that makes clear they’re agreeing to be contacted by that method. Simply having a customer’s phone number on file isn’t sufficient — the consent must be knowing and connected to the specific type of contact.

Prior express written consent is the higher standard that applies to marketing and promotional messages. Written consent must be a signed agreement — which in practice often means a checked box on a web form or a documented keyword opt-in — that explicitly authorizes the business to send automated marketing messages. This agreement must be clear, conspicuous, and separate from other terms of service. Pre-checked boxes don’t qualify. Buried consent language in lengthy terms doesn’t qualify. The consumer must affirmatively and knowingly agree.

Established business relationship (EBR) was once treated as a partial defense under some interpretations of the TCPA, but the FCC has significantly narrowed its application. An existing business relationship does not override the requirement for prior express written consent for marketing messages. Businesses that assume their existing customer base is automatically available for automated promotional outreach are operating on a legal assumption that the courts have repeatedly rejected.

The Autodialer Question: What the Courts Have Said

One of the most contested areas of TCPA jurisprudence involves the definition of an automatic telephone dialing system. The statute’s original definition — equipment with the capacity to store or produce numbers using a random or sequential number generator and to dial those numbers — was written for a technology landscape that predates smartphones, cloud infrastructure, and modern CRM platforms.

The Supreme Court addressed the ATDS definition directly in Facebook, Inc. v. Duguid (2021), ruling that a system must actually use a random or sequential number generator to qualify as an autodialer under the TCPA’s statutory definition. This narrowed the definition somewhat compared to the broader readings some lower courts had adopted. However, the ruling did not eliminate TCPA exposure for most modern messaging systems. Many platforms still qualify as autodialers under the narrower definition, and prerecorded message restrictions apply regardless of how the equipment used to send them is classified.

The practical takeaway for businesses is this: do not assume that a favorable Supreme Court ruling on the ATDS definition means your messaging program is no longer subject to TCPA requirements. The consent requirements, the Do Not Call rules, and the opt-out obligations all remain fully in force.

Where Businesses Most Commonly Cross the Line

TCPA violations are often unintentional. The most common compliance failures don’t come from companies that knowingly disregard consumer rights — they come from organizations that have outdated processes, incomplete documentation, or a misunderstanding of how their technology interacts with the law. The most frequently recurring problem areas include:

Purchased or rented lists. Buying a list of phone numbers and sending automated messages to those contacts is one of the fastest ways to generate TCPA exposure. Consent obtained by one entity is not automatically transferable to another. If your business uses a third-party list, you need documented proof that each contact on that list specifically consented to receive messages from your company — not just from whoever originally collected the number.

Insufficient consent language. Many businesses collect phone numbers without capturing consent language that is specific enough to withstand scrutiny. A web form that says “enter your phone number to receive updates” is substantially weaker than one that says “by providing your mobile number and checking this box, you agree to receive automated marketing text messages from [Company Name] at the number provided.” The specificity of the consent language matters enormously in litigation.

Failure to honor opt-outs promptly. Once a consumer opts out of receiving messages — by replying STOP, by calling in, by submitting a request online, or by any other clear expression of their wish to stop receiving communications — the business must honor that request immediately and ensure the number is suppressed across all systems. Delayed opt-out processing, siloed databases that don’t sync, and re-addition of opted-out numbers to new campaigns are all recurring sources of TCPA liability.

Reassigned numbers. Mobile numbers are regularly recycled and reassigned to new subscribers. A consumer who previously consented to receive messages may no longer own the number you have on file. Contacting a reassigned number whose new owner never consented to your messages is a TCPA violation — even if you had valid consent from the previous owner. Regular list hygiene and number validation processes are essential for managing this risk.

Calling outside permitted hours. The TCPA and FTC’s Telemarketing Sales Rule restrict telemarketing calls to the hours of 8:00 a.m. to 9:00 p.m. in the consumer’s local time zone. Many businesses fail to account for time zone differences when scheduling automated outreach, resulting in calls and texts that arrive before or after permitted hours — a straightforward violation that is entirely preventable.

The Stakes: What TCPA Violations Actually Cost

The financial exposure from TCPA violations is what gets the attention of legal departments and executive teams. The statute provides for statutory damages of $500 per violation — and up to $1,500 per violation if the court finds the conduct was willful or knowing. There is no cap on aggregate damages in class actions, which means a single widespread campaign sent to an insufficiently consented list can generate liability in the tens of millions of dollars.

Class action TCPA lawsuits are a significant and active area of plaintiff litigation. Attorneys who specialize in TCPA claims actively monitor complaint patterns, investigate company messaging practices, and recruit plaintiffs from consumers who have received unwanted contacts. The economics of TCPA litigation favor plaintiffs — statutory damages are fixed, discovery is focused, and settlements are common — which means the threat of litigation is not theoretical for companies operating large outbound communications programs.

Building a TCPA-Compliant Communications Program

Understanding TCPA liability is the first step. Building the processes and systems to consistently meet the law’s requirements is the ongoing work. The most resilient TCPA compliance programs share a few core characteristics: they document consent at the moment of capture with clear, specific opt-in language; they maintain auditable records of that consent that can be produced on demand; they implement real-time opt-out suppression across all messaging systems; they conduct regular list hygiene to identify reassigned numbers and inactive contacts; and they treat compliance as an operational function rather than a legal afterthought.

The businesses that navigate TCPA requirements successfully aren’t doing so by accident. They’ve built consent infrastructure that holds up under scrutiny, trained their teams to understand where the lines are, and made deliberate decisions about how their outreach technology is configured and used.

Stay Current on TCPA Compliance, 10DLC, and A2P Best Practices

The regulatory landscape around consumer communications continues to evolve. FCC rulemakings, court decisions, and carrier policy updates regularly change what’s required of businesses that rely on automated messaging. Subscribe to the mytcrplus.com YouTube channel for ongoing coverage of TCPA compliance, 10DLC registration, A2P messaging standards, and the practical steps your organization can take to protect itself while communicating effectively with customers.

The law behind unwanted calls and texts is detailed, actively enforced, and consequential. The businesses that understand it are the ones best positioned to communicate in a way that’s both impactful and legally sound.