TCPA Compliance Checklist for 2026: The Dialer Operator's Guide

If you operate a predictive dialer, you live under the TCPA whether you think about it or not. The Telephone Consumer Protection Act is the single largest source of legal risk for outbound calling operations in the United States. Penalties run $500 per violation for negligent conduct and $1,500 per violation for willful violations — and a single campaign touching 50,000 numbers can generate 50,000 individual violations. Class action firms specialize in these cases because the math is simple and the settlements are large.

This checklist is written by SIPNEX, an FCC-licensed carrier that provides SIP trunks for predictive dialers and VICIdial operations. We are not lawyers and this is not legal advice. What we are is the carrier that sees the compliance landscape from the infrastructure side — we know what goes wrong operationally because we watch the call traffic, handle the STIR/SHAKEN attestation, and field the questions from operators who are trying to stay legal while dialing at scale.

What TCPA is and why enforcement accelerated

The Telephone Consumer Protection Act (47 U.S.C. § 227) was enacted in 1991 to address consumer complaints about unsolicited telemarketing calls. It has been amended and reinterpreted multiple times since then, most significantly through FCC orders in 2012, 2015, 2021, and 2024-2025. The statute covers autodialed calls, prerecorded or artificial voice messages, unsolicited fax advertisements, and text messages.

The core prohibition: you cannot make a call or send a text using an automatic telephone dialing system (ATDS) or prerecorded voice to a cell phone without the called party’s prior express consent. For telemarketing calls specifically, the standard is higher — you need prior express written consent.

Penalties are statutory, meaning the plaintiff does not need to prove actual damages. Each call or text is a separate violation. $500 per violation is the baseline. Courts can treble that to $1,500 for willful or knowing violations. A campaign that dials 10,000 cell phones without proper consent faces potential liability of $5 million to $15 million before attorneys’ fees.

Enforcement has accelerated dramatically in recent years for three reasons. First, the FCC issued new orders in 2024 and 2025 tightening consent requirements, narrowing the definition of an established business relationship, and expanding the scope of what constitutes an ATDS in certain contexts. Second, the plaintiffs’ bar has become increasingly sophisticated — class action firms use analytics tools to identify high-volume callers and build cases before individual consumers even complain. Third, state attorneys general have begun bringing their own TCPA-style enforcement actions under state telemarketing laws, creating a second front of litigation risk.

The practical reality for operators: TCPA compliance is not a checkbox exercise you complete once during campaign setup. It is an ongoing operational discipline that touches your consent capture process, your data management, your dialer configuration, your DNC procedures, and your carrier relationship.

The consent framework

TCPA consent comes in two tiers, and confusing them is one of the most common compliance failures.

Prior express consent is the baseline. It means the person has provided their phone number voluntarily in a context where they would reasonably expect to receive calls. Example: a customer fills out a form on your website and provides their cell phone number as a contact method. By providing the number, they have given prior express consent for informational calls related to the transaction or relationship — things like appointment confirmations, account updates, or service notifications. This consent does NOT cover telemarketing.

Prior express written consent is the higher standard required for telemarketing calls made using an autodialer or prerecorded voice to cell phones. This requires: a written agreement (paper or electronic) that includes a clear and conspicuous disclosure that the consumer will receive telemarketing calls using an autodialer or prerecorded voice, the specific telephone number to be called, and the consumer’s signature or electronic equivalent. The agreement cannot be buried in a terms of service — it must be a standalone disclosure that the consumer affirmatively agrees to. It cannot be a condition of purchase — you cannot require consent as a prerequisite for buying your product or service.

Consent capture and storage is where many operators fail in litigation. You may have obtained valid consent, but if you cannot prove it two years later when the lawsuit arrives, it does not matter. Best practices: store the exact language of the consent disclosure the consumer agreed to, the timestamp, the method (web form, verbal recording, paper), the phone number consented, and any associated transaction ID. For web forms, capture the page URL, form version, IP address, and browser information. For verbal consent, record the call and store the recording with metadata linking it to the consent event.

Revocation is a right the consumer can exercise at any time through any reasonable means. The FCC’s 2025 orders reinforced this — a consumer can revoke consent by telling your agent on the phone, sending a text message saying “stop,” sending an email, or any other method that clearly communicates their desire to stop receiving calls. You must honor revocation immediately — the FCC has indicated that “immediately” means within a reasonable technical timeframe, not at the end of the campaign or billing cycle. Build revocation handling into your dialer workflow: when an agent receives a verbal revocation, there must be a mechanism to add that number to your internal DNC list during the call, not after it.

The ATDS question after Facebook v. Duguid

The definition of an automatic telephone dialing system has been the most litigated question in TCPA law for the past decade. The statute defines an ATDS as equipment with the capacity to store or produce telephone numbers to be called using a random or sequential number generator and to dial such numbers.

In April 2021, the Supreme Court decided Facebook v. Duguid and narrowed the ATDS definition significantly. The Court held that a device must actually use a random or sequential number generator to qualify as an ATDS — simply having the capacity to store and dial numbers from a list is not enough. This was a major win for businesses because it excluded most modern dialers that work from uploaded lead lists rather than randomly generated numbers.

However, the story did not end there. The FCC issued subsequent guidance indicating that it interprets the ATDS definition more broadly in certain contexts. Several circuit courts have adopted varying interpretations. Some state TCPA-equivalent statutes (like Florida’s Telephone Solicitation Act) have broader ATDS definitions that were not affected by the Duguid decision. And the plaintiffs’ bar has shifted tactics — instead of arguing ATDS, many suits now focus on consent defects, revocation failures, or DNC violations, which Duguid did not affect.

For VICIdial and predictive dialer operators specifically: VICIdial dials from uploaded lead lists, not from randomly generated numbers. Under the Duguid interpretation, this likely means VICIdial is not an ATDS for federal TCPA purposes. But “likely” is not “certainly,” and state laws may differ. The only safe approach is to treat your dialer as an ATDS and obtain prior express written consent for telemarketing calls regardless of the legal classification debate. If you have valid written consent, the ATDS question becomes irrelevant because you have already met the higher standard.

DNC compliance: federal and state

The Do Not Call provisions are separate from the ATDS/consent framework and they trip up operators who focus exclusively on consent.

The National Do Not Call Registry is maintained by the FTC. Before placing telemarketing calls, you must scrub your call lists against the National DNC Registry. The scrub must be performed at least every 31 days — the registry updates monthly and numbers can be added at any time. If you are dialing with a list older than 31 days since the last scrub, you are at risk. Access the registry at telemarketing.donotcall.gov. There is a per-area-code fee for access that is trivial compared to the cost of a violation.

Company-specific DNC lists are separate from the National Registry. When any consumer tells you — by any means — that they do not want to receive calls from your organization, you must add them to your internal company DNC list and honor that request for at least five years. This applies even if the consumer is not on the National Registry. Maintaining the company-specific list is your responsibility and the FCC provides no centralized mechanism for it. Build it into your CRM: when an agent marks a disposition as “DNC request” or “do not call,” that number must be suppressed from all future campaigns, not just the current one.

State DNC lists are an additional layer that many operators overlook. Indiana, Pennsylvania, Colorado, and several other states maintain their own do-not-call registries separate from the federal list. If you are calling into those states, you must scrub against the state registry in addition to the federal one. The penalties for state DNC violations vary but some states authorize private rights of action similar to the federal TCPA.

EBR (Established Business Relationship) exceptions exist but they are narrower than most operators assume. An existing customer relationship exempts you from the National DNC Registry for telemarketing calls for up to 18 months after the last transaction or 3 months after the last inquiry. But this exemption does NOT override a company-specific DNC request — if the customer says “do not call me,” the EBR exception is gone regardless of the recency of the relationship. And the EBR exception does not apply in states that do not recognize it.

Calling hours and restrictions

The federal TCPA restricts telemarketing calls to the hours of 8:00 a.m. to 9:00 p.m. local time of the called party. This is one of the most commonly violated provisions because operators forget that the time zone that matters is not their own — it is the recipient’s.

If your call center is in Texas (Central Time) and you start dialing at 8:00 a.m. Central, you are calling at 9:00 a.m. Eastern — which is fine. But you are also calling at 6:00 a.m. Pacific — which is a violation for every call that lands in California, Oregon, Washington, Nevada, and any other Pacific Time state. By the time it is 9:00 p.m. Central at your call center, it is 10:00 p.m. Eastern — and every call to the East Coast in the last hour was a violation.

The solution is not complicated but it requires intentional implementation. Determine the time zone of each phone number in your list using the area code as a starting point, then apply NPA-NXX (area code + prefix) level data for greater accuracy. Some area codes span multiple time zones — 219 in Indiana, for example, covers both Eastern and Central. When in doubt, use the more restrictive time zone.

In VICIdial, configure your hopper filters to enforce calling windows by time zone. Set the campaign-level calling hours to the most restrictive window (for continental US campaigns: 11:00 a.m. to 9:00 p.m. Eastern, which translates to 8:00 a.m. to 6:00 p.m. Pacific), then adjust per-list or per-filter based on the geographic distribution of your leads.

State variations exist. Some states restrict calling hours further — Oregon prohibits telemarketing calls before 9:00 a.m. Some states prohibit calls on certain holidays or Sundays. If you dial nationally, build a state-level calling hours matrix and apply it to your hopper configuration.

The carrier’s role vs your role

This is the section most operators skip, and it is the one that matters for choosing the right carrier.

What SIPNEX provides (carrier-level compliance infrastructure):

STIR/SHAKEN attestation — we sign your calls with our own SP-KI certificate. If your DIDs are verified, you get A-level attestation. This does not make you TCPA-compliant, but it ensures your calls are not degraded by attestation-related spam labeling on top of whatever TCPA obligations you are already managing.

Call recording infrastructure — we support carrier-level call recording that can be used for consent documentation, quality assurance, and dispute resolution. Recording is a tool. How you use it (including complying with state recording consent laws) is your responsibility.

CDR (Call Detail Record) access — real-time call records with timestamps, durations, and disposition codes. These records are essential for demonstrating compliance in litigation.

Opt-out signaling — technical infrastructure for processing STOP responses on SMS and honoring them within carrier-mandated timeframes.

What is YOUR responsibility (campaign-level compliance):

Consent capture and storage. DNC scrubbing against federal and state registries. Company-specific DNC list maintenance. Calling hour enforcement based on recipient time zone. Campaign content compliance (required disclosures, opt-out instructions). Abandon rate management (FCC requires under 3 percent for predictive dialers). Record keeping sufficient to demonstrate compliance in litigation.

We give you the infrastructure. You own the policy. SIPNEX is not your lawyer, your compliance officer, or your insurance policy. We are the carrier that gives you a technically sound foundation — clean attestation, reliable recording, accurate CDRs — so that your compliance efforts are built on solid infrastructure rather than on a reseller trunk that cannot even tell you what attestation level your calls are receiving.

The 2026 compliance checklist

Use this as a starting point for your own compliance program. Every item should be verifiable — if you cannot produce documentation for any line item, you have a gap.

Consent: Written consent forms capture phone number, disclosure language, signature/e-sign, and timestamp. Consent records stored with unique identifiers linked to call records. Consent language reviewed by legal counsel within the past 12 months. Revocation process documented and tested. Revocation honored within one business day maximum.

DNC: National DNC Registry scrubbed within the past 31 days. Company-specific DNC list maintained and suppressed across all campaigns. State DNC registries scrubbed for applicable states. DNC additions processed within 24 hours of request. DNC records retained for minimum 5 years.

Calling hours: Time zone determination applied to every lead record. Hopper filters enforce 8am-9pm recipient local time. State-specific restrictions applied where applicable. No calls placed outside permitted windows in the past 90 days (audit your CDRs).

Dialer configuration: Abandon rate monitored and maintained below 3 percent. Prerecorded messages include required disclosures (caller identity, purpose, opt-out mechanism). Live agent connects within 2 seconds of answer for predictive campaigns. Ringless voicemail treated as a call under TCPA (the FCC has indicated it is).

Documentation: All of the above documented in a written TCPA compliance policy. Policy reviewed and updated at least annually. Staff trained on TCPA obligations with training records maintained. Compliance audits conducted quarterly using CDR data and DNC records.

Frequently asked questions

What is TCPA compliance?

TCPA compliance means operating your outbound calling and texting operations in accordance with the Telephone Consumer Protection Act (47 U.S.C. § 227) and its implementing FCC regulations. In practice, it means obtaining proper consent before calling or texting consumers, honoring the National and company-specific Do Not Call lists, restricting calls to permitted hours based on the recipient’s time zone, maintaining abandon rates below FCC thresholds, and documenting everything sufficiently to defend against litigation. It is not a one-time setup — it is an ongoing operational discipline that requires regular auditing, list scrubbing, and policy updates as the FCC issues new guidance.

What are the penalties for TCPA violations?

Statutory damages are $500 per violation (per call or text) for negligent violations and up to $1,500 per violation for willful or knowing violations. There is no cap on total damages. A campaign that calls 20,000 numbers without proper consent faces potential liability of $10 million to $30 million. TCPA cases can be brought as class actions, which is why they are so aggressively pursued by plaintiffs’ attorneys. The FCC can also impose forfeiture penalties administratively. State attorneys general can bring enforcement actions under state telemarketing laws with their own penalty structures. The financial risk of non-compliance is existential for most calling operations.

Do I need written consent for all outbound calls?

Not all, but for the calls most dialer operators make, yes. Prior express written consent is required for telemarketing calls made using an autodialer or prerecorded voice to cell phones. If you are calling to sell something, promote a service, or solicit a donation using a predictive dialer, you need written consent. Informational calls (appointment reminders, account alerts, service notifications) require only prior express consent — the person gave you their number in a relevant context. Calls to landlines using live agents without prerecorded messages have different requirements. The safest practice for any operation running a predictive dialer for marketing or sales: get written consent for every number you dial.

Does STIR/SHAKEN replace TCPA compliance?

No. They operate at completely different layers. STIR/SHAKEN is a carrier-level technical framework for cryptographically verifying caller ID. It determines whether your call displays as “Verified Caller” or gets flagged as potential spam. TCPA is a federal consumer protection law governing consent, do-not-call obligations, calling hours, and autodialer usage. You can have perfect A-level STIR/SHAKEN attestation and still be in massive TCPA violation if you are calling without consent. Conversely, you can have bulletproof TCPA consent and still suffer terrible answer rates if your carrier only provides B-level attestation. You need both: the right carrier for attestation and your own TCPA compliance program for consent and DNC.

Is VICIdial considered an ATDS under TCPA?

After the Supreme Court’s 2021 decision in Facebook v. Duguid, the federal ATDS definition requires the use of a random or sequential number generator. VICIdial dials from uploaded lead lists, not from randomly generated numbers, so it likely does not qualify as an ATDS under the federal Duguid standard. However, this is not settled law — the FCC and various circuit courts have offered differing interpretations, and some state laws define ATDS more broadly than the federal statute. Florida’s Telephone Solicitation Act, for example, has a broader definition that may encompass list-based dialers. The only safe operational approach: treat VICIdial as an ATDS and obtain prior express written consent for telemarketing calls regardless. If you have valid written consent, the ATDS classification becomes irrelevant.

---

SIPNEX is an FCC-licensed carrier with its own STIR/SHAKEN Service Provider certificate. We provide the carrier-level infrastructure — A-level attestation, call recording, real-time CDRs — so your TCPA compliance program is built on a technically sound foundation. Talk to an operator or see our rates.