TCPA Compliance Checklist for 2026: A Practical Guide for Outbound Teams

Ruby Kootval
AI-enhanced Marketing Leader
June 29, 2026
Product Updates
1
minutes
June 29, 2026
TCPA compliance comes down to three things: prove consent before you contact someone, stop fast when they ask, and only reach people you're allowed to, when you're allowed to. The 2026 checklist for any team that calls or texts US consumers

TL;DR: TCPA compliance comes down to three things: prove consent before you contact someone, stop fast when they ask, and only reach people you're allowed to, when you're allowed to. The 2026 checklist for any team that calls or texts US consumers:

  • Get and document prior express written consent before autodialed or pre-recorded marketing calls and texts.
  • Honor every opt-out within 10 business days, however the consumer asks.
  • Scrub three lists before you dial: the National Do-Not-Call registry, your own internal suppression list, and the FCC Reassigned Numbers Database.
  • Call only 8 a.m. to 9 p.m. in the recipient's local time zone, and tighter where a state requires it.
  • Identify yourself on every contact with your business name and a callback number.
  • Follow state "mini-TCPA" laws (Texas, Virginia, Oregon, and a growing list) for every state you contact.
  • Vet the consent behind any purchased leads. A vendor's bad consent becomes your liability.
  • Keep proof of consent and contact history you can produce on demand.

This article is general education, not legal advice. Your TCPA exposure depends on your specific practices and the states you contact. Work with qualified counsel to build your program.

What is TCPA compliance?

The Telephone Consumer Protection Act is the 1991 federal law that governs how businesses can call and text consumers, with the FCC writing and updating the rules beneath it. At its core, the TCPA requires consent before you send autodialed or pre-recorded marketing calls and texts, gives consumers the right to opt out, and limits when and how you can contact them.

The stakes are high. Under the TCPA's private right of action, statutory damages run $500 per violation and up to $1,500 for willful or knowing violations, and every individual call or text can count as a separate violation. There is no cap on total exposure, so a single non-compliant campaign can become a class action. TCPA filings have climbed sharply over the past two years.

Key takeaway: The TCPA controls consent, opt-outs, and timing for calls and texts. Damages of $500 to $1,500 per message, with no cap, are what make it a board-level risk.

What changed in 2025 and 2026

Three developments reshaped TCPA compliance.

The consent-revocation rule (effective April 11, 2025)

The FCC's revocation-of-consent rule lets consumers revoke consent in any reasonable manner. They do not have to use a specific keyword or form. A reply of "stop texting me," a verbal request to an agent, or an email all qualify. Once a consumer revokes, you must stop the relevant calls and texts within 10 business days. One narrow provision, whether a single opt-out automatically applies across every unrelated message type, was delayed past its original date and is still being resolved. The core 10-business-day rule is in force.

The one-to-one consent rule was struck down

The FCC's one-to-one consent rule would have banned "bundled" lead-generation consent. It never took effect. The Eleventh Circuit vacated it on January 24, 2025 in Insurance Marketing Coalition v. FCC, days before its scheduled start. Bundled consent remains permissible under the existing "prior express consent" standard. Document how clearly you obtained consent, because that question is still litigated constantly.

State "mini-TCPA" laws now cover texts

The federal TCPA is no longer the whole story. Several states now have their own statutes that explicitly cover marketing texts. Texas extended its telephone-solicitation law to text and image messages effective September 1, 2025, with damages of $500 to $5,000 per violation. Virginia began requiring businesses to honor STOP requests for years, effective January 1, 2026. Oregon added text coverage with tighter 8 a.m. to 8 p.m. hours and daily call caps, also effective January 1, 2026. If you contact consumers nationwide, your checklist has to be multi-state.

Key takeaway: Honor opt-outs in any form within 10 business days, treat bundled consent as legal but well-documented, and track the state texting laws that apply where you contact.

The 2026 TCPA compliance checklist

Ten steps that map to how the rules work today.

  1. Get and document prior express written consent for autodialed or pre-recorded marketing calls and texts. Keep the timestamp, the source, and the exact language the consumer agreed to.
  2. Honor opt-outs in any reasonable manner within 10 business days. A STOP reply, "remove me," or a verbal request to a rep all count. Suppress across the channels the consumer named.
  3. Scrub against the National and state Do-Not-Call registries before you dial. Our DNC compliance guide covers the full process.
  4. Respect calling hours. The federal window is 8 a.m. to 9 p.m. in the recipient's time zone, and some states are tighter. Calling across regions requires time-zone-aware dialing, not a single office clock.
  5. Identify yourself on every contact with your business name and a callback number, and pair that with a clean caller reputation so you are identified rather than flagged.
  6. Maintain an internal Do-Not-Call and suppression list, and check it on every campaign separately from the federal registry.
  7. Track state mini-TCPAs for every state you contact, especially for texting programs.
  8. Confirm consent before autodialing. If your platform cannot verify that a number is consented and not on a suppression list, that number should not be in the dialer.
  9. Keep proof of consent and contact history. In a dispute, the question is almost always whether you can show consent, so make that a one-click answer.
  10. Train your team and monitor rule changes. The rules moved three times in 18 months, and they will keep moving.

2026 TCPA quick reference

RequirementWhat it means2026 status
ConsentPrior express written consent for autodialed / pre-recorded marketing, documentedIn force; bundled consent legal (1:1 rule vacated)
RevocationHonor any reasonable opt-out within 10 business days, across channelsIn force since April 11, 2025
Calling hours8 a.m. to 9 p.m. in the recipient's time zoneIn force; stricter in some states (OR 8 a.m. to 8 p.m.)
List scrubbingNational DNC + internal suppression + FCC Reassigned Numbers DatabaseIn force; scrub the RND every 30 days for safe harbor
IdentificationBusiness name and callback number on every contactIn force
State mini-TCPAsFollow state texting and calling rules where you contactExpanding (TX 2025; VA, OR 2026)
Lead sourcingVerify and document the consent behind purchased leadsVendor consent failures create caller liability
Penalties$500 to $1,500 per call or text; willful conduct treblesIn force; no cap on total; ~80% of cases are class actions

Key takeaway: Consent, 10-business-day revocation, calling hours, DNC scrubbing, identification, and state rules are the spine of a defensible 2026 program.

TCPA exceptions

Some calls fall outside the marketing rules, but the exceptions are narrower than people assume, so confirm before relying on one. Common ones include genuine emergency calls, certain non-commercial and tax-exempt nonprofit calls, and specific informational messages such as some healthcare or package-delivery notices that meet strict conditions. "We thought it was exempt" is not a defense. If you are unsure, treat the contact as covered and get consent.

How Aloware operationalizes the checklist

A checklist on paper only protects you if your tooling enforces it on every call and text. Aloware gives outbound teams the controls to turn this checklist into defaults:

  • Opt-out handling. When a contact replies STOP, Aloware automatically suppresses further texts to them. To stop calls as well, add the contact to your do-not-call / suppression list, which is what blocks calling them.
  • An internal do-not-call and suppression list your whole team works from, so a number you have marked stays off your campaigns.
  • Full call and message logging, with calls and texts recorded against the CRM contact, so your contact history and opt-out records are an audit trail you can pull on demand.
  • Time-zone-aware dialing that respects 8 a.m. to 9 p.m. local windows across regions.
  • Trusted, identified calling through STIR/SHAKEN attestation and A2P 10DLC registration, so your calls and texts go out properly identified and deliverable.
  • A power dialer that works from your lists and honors your suppression list.

One honest caveat: software supports compliance, it does not replace it. Your consent practices, your policies, and your legal counsel own the program. Aloware gives you the controls to run it consistently at volume.

Key takeaway: The checklist becomes real when your tooling enforces it. Opt-out and suppression handling, contact logging, time-zone guardrails, and identified calling are where Aloware does the operational work.

The bottom line

TCPA compliance in 2026 rests on a few disciplines. Honor opt-outs in any form within 10 business days, document consent cleanly, respect calling hours by the consumer's clock, and track the states you text into. Then make your tooling enforce all of it, so a fast outbound team stays well inside the rules.

See compliant outbound in action

Book a 20-minute demo and we'll show how Aloware handles opt-out and suppression, contact logging, time-zone dialing, and identified calling, so your team can dial at volume and stay compliant.

Reviewed and edited by Ruby Kootval. This article is for general information only and is not legal advice; consult qualified counsel for your specific situation. Sources below.

Sources

  • FCC, "TCPA Rules: Revoking Consent for Unwanted Robocalls/Robotexts": https://www.fcc.gov/document/tcpa-rules-revoking-consent-unwanted-robocallsrobotexts
  • Consumer Financial Services Law Monitor, "Eleventh Circuit Vacates FCC's One-to-One Consent Rule" (Jan 2025): https://www.consumerfinancialserviceslawmonitor.com/2025/01/eleventh-circuit-vacates-fccs-one-to-one-consent-rule-fcc-issues-stay/
  • ActiveProspect, "TCPA Text Messages: Rules and Regulations" (penalties, calling hours): https://activeprospect.com/blog/tcpa-text-messages/
  • Kelley Drye, "Texas Mini-TCPA Law: FAQs for Marketing Texts": https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/texas-mini-tcpa-law-faqs-for-marketing-texts
  • National Do Not Call Registry: https://www.donotcall.gov/

Frequently Asked Questions

What is the TCPA compliance checklist for 2026?

A 2026 TCPA compliance checklist covers the core duties for any business that calls or texts US consumers. Get and document prior express written consent for autodialed or pre-recorded marketing. Honor every opt-out within 10 business days, in whatever reasonable way the consumer asks. Scrub three lists before you dial: the National Do-Not-Call registry, your internal suppression list, and the FCC Reassigned Numbers Database. Call only between 8 a.m. and 9 p.m. in the recipient's time zone, and tighter where state law requires. Identify yourself on every contact, follow the state mini-TCPA laws where you operate, vet the consent behind any purchased leads, and keep proof you can produce on demand.

What changed for TCPA compliance in 2025?

Two federal developments and a wave of state laws. The FCC's consent-revocation rule took effect April 11, 2025: consumers can revoke consent in any reasonable manner, and you must honor it within 10 business days. The FCC's one-to-one consent rule, which would have banned bundled lead-generation consent, was vacated by the Eleventh Circuit in January 2025 before it took effect, so bundled consent remains legal. Several states also extended their own mini-TCPA laws to cover marketing texts.

Is the FCC's one-to-one (1:1) consent rule still in effect?

No. The Eleventh Circuit vacated the FCC's one-to-one consent rule on January 24, 2025, in Insurance Marketing Coalition v. FCC, before it ever took effect. Bundled consent remains permissible under the existing prior express consent standard. You should still document how clearly you obtained consent, because consent quality is the most litigated issue in TCPA cases.

How quickly must I honor a TCPA opt-out or revocation?

Within 10 business days. Under the FCC rule effective April 11, 2025, when a consumer revokes consent by any reasonable method, including a STOP reply, a verbal request, or an email, you must stop the relevant calls and texts within 10 business days. The practical way to meet this is automatic opt-out suppression across calls and texts, so a revocation cannot be missed by a rep or a separate campaign.

How much is a TCPA violation? What are the penalties?

Statutory damages run $500 per violation and up to $1,500 for willful or knowing violations, and each call or text counts separately, so totals climb fast. There is no cap on total exposure. Roughly 80% of TCPA cases are now class actions, and defendants commonly settle for several times the statutory minimum. Some states add their own penalties; Texas, for example, allows $500 to $5,000 per violation under its mini-TCPA.

What are the TCPA calling time restrictions?

Federally, marketing calls and texts are allowed only between 8 a.m. and 9 p.m. in the recipient's local time zone. Quiet-hours violations have become a major source of litigation, so the time zone matters: a national list dialed off one office clock will reach some people too early or too late. Some states are stricter, such as Oregon's 8 a.m. to 8 p.m. window. Time-zone-aware dialing is the way to stay inside the limits across regions.

Do state mini-TCPA laws apply to text messages?

Increasingly, yes. A growing list of states have their own mini-TCPA statutes, and several now explicitly cover marketing texts. Texas extended its law to texts effective September 1, 2025, with damages of $500 to $5,000 per violation. Virginia began requiring businesses to honor STOP requests long term, effective January 1, 2026. Oregon added text coverage with tighter hours and daily call caps, also effective January 1, 2026. A national texting program has to track state rules, not just the federal TCPA.

How does Aloware help with TCPA compliance?

Aloware gives outbound teams controls to operationalize a TCPA program: opt-out handling that suppresses further texts when a contact replies STOP, an internal do-not-call and suppression list to stop calls, full call and message logging for a defensible record, time-zone-aware dialing that respects local calling hours, and STIR/SHAKEN with A2P 10DLC registration so contacts go out properly identified. Software supports compliance but does not replace it; your consent practices, policies, and legal counsel still own the program.

{ "@type": "Question", "name": "What is the TCPA compliance checklist for 2026?", "acceptedAnswer": { "@type": "Answer", "text": "A 2026 TCPA checklist: document prior express written consent; honor opt-outs within 10 business days; scrub the National DNC, your internal suppression list, and the FCC Reassigned Numbers Database; call only 8am to 9pm in the recipient's time zone; identify yourself; follow state mini-TCPAs; vet purchased-lead consent; and keep provable records." } }
{ "@type": "Question", "name": "What changed for TCPA compliance in 2025?", "acceptedAnswer": { "@type": "Answer", "text": "The FCC's consent-revocation rule took effect April 11, 2025 (revoke by any reasonable means, honored within 10 business days). The one-to-one consent rule was vacated in January 2025, so bundled consent stays legal. Several states extended mini-TCPA laws to cover texts." } }
{ "@type": "Question", "name": "Is the FCC's one-to-one (1:1) consent rule still in effect?", "acceptedAnswer": { "@type": "Answer", "text": "No. The Eleventh Circuit vacated the FCC's one-to-one consent rule in January 2025 before it took effect, so bundled consent remains legal. Document consent clearly anyway, since consent quality is the most litigated TCPA issue." } }
{ "@type": "Question", "name": "How quickly must I honor a TCPA opt-out or revocation?", "acceptedAnswer": { "@type": "Answer", "text": "Within 10 business days. Under the FCC rule effective April 11, 2025, when a consumer opts out by any reasonable method (STOP, verbal, or email), you must stop the relevant calls and texts within 10 business days. Automatic cross-channel suppression is the reliable way to comply." } }
{ "@type": "Question", "name": "How much is a TCPA violation? What are the penalties?", "acceptedAnswer": { "@type": "Answer", "text": "TCPA statutory damages are $500 per violation, up to $1,500 for willful violations, with each call or text counting separately and no cap on total. About 80% of cases are class actions. Some states add penalties (Texas allows $500 to $5,000 per violation)." } }
{ "@type": "Question", "name": "What are the TCPA calling time restrictions?", "acceptedAnswer": { "@type": "Answer", "text": "Federally, marketing calls and texts are allowed only 8am to 9pm in the recipient's local time zone. Quiet-hours lawsuits are surging, and some states are stricter (e.g., Oregon's 8am to 8pm). Multi-region calling needs time-zone-aware dialing." } }
{ "@type": "Question", "name": "Do state mini-TCPA laws apply to text messages?", "acceptedAnswer": { "@type": "Answer", "text": "Increasingly yes. Texas (Sept 2025, $500 to $5,000 per violation), Virginia (Jan 2026), and Oregon (Jan 2026, tighter hours and call caps) all extended mini-TCPA rules to marketing texts. National texting programs must track state rules, not just the federal TCPA." } }
{ "@type": "Question", "name": "How does Aloware help with TCPA compliance?", "acceptedAnswer": { "@type": "Answer", "text": "Aloware provides controls to operationalize TCPA compliance: opt-out handling that suppresses texts when a contact replies STOP, an internal do-not-call and suppression list to stop calls, full call and message logging, time-zone-aware dialing, and STIR/SHAKEN with A2P 10DLC. Software supports compliance but does not replace your policies and legal counsel." } }
About the author
Ruby Kootval
Ruby Kootval
AI-enhanced Marketing Leader

Ruby Kootval has spent years working at the intersection of AI technology and contact center operations, giving her firsthand insight into how SMB sales and support teams adopt, deploy, and scale modern communication platforms. Her experience spans AI voice agents, power dialers, CRM integrations, and the go-to-market dynamics of the contact center industry.