TCPA 2026: What Changed and What It Means for Outbound Teams

The Telephone Consumer Protection Act turns 35 in 2026. The text hasn't changed much — but the FCC's interpretations, the Supreme Court's narrowing of the autodialer definition, and the plaintiff's bar's evolving theories have reshaped what compliance actually looks like. What was safe in 2019 is risky in 2026. What was aggressive in 2019 is standard now.

This guide covers what changed in 2024–2026, what the current enforcement and litigation landscape looks like, and what operational changes outbound teams are making to stay ahead.

This is educational content. Consult a TCPA-experienced attorney for your specific situation.

Table of Contents

• What TCPA Covers — The 2026 Scope
• The Facebook v. Duguid Aftermath
• The 2024 FCC One-to-One Consent Rule
• STIR/SHAKEN and Attestation Requirements
• The Revoked-Consent Problem
• What the Plaintiff's Bar Is Targeting
• Operational Compliance Checklist
• Frequently Asked Questions

What TCPA Covers

The TCPA's core provisions:

1. Autodialer to cell phones requires prior express consent (express written consent for marketing)
2. Prerecorded/artificial voice calls to residential lines require consent for marketing
3. Do-not-call (DNC) restrictions — national registry + internal DNC required
4. Time-of-day restrictions — no telemarketing calls before 8 AM or after 9 PM recipient local time
5. Identification requirements — callers must identify themselves and a callback method
6. Opt-out honoring — revocable consent, and revocations must be honored within reasonable time

Violations: statutory damages of $500 per call, trebled to $1,500 for willful violations. Private right of action enables class actions that routinely settle in the $10M–$100M+ range.

The authoritative references: FCC TCPA rules, 47 U.S.C. § 227.

The Facebook v. Duguid Aftermath

The Supreme Court's 2021 decision in Facebook v. Duguid narrowed what qualifies as an "autodialer" (ATDS) under the TCPA. The Court held that an autodialer must have the capacity to "store or produce telephone numbers to be called, using a random or sequential number generator."

The impact: many dialing systems that were considered ATDS pre-Duguid no longer are. Click-to-call dialers using stored lists aren't ATDS. Predictive dialers using loaded lists aren't ATDS. Preview dialers aren't ATDS.

What still triggers TCPA:

• Pre-recorded or artificial voice messages (ATDS status doesn't matter)
• Random or sequential number generator dialing (rare in modern outbound)
• State-level mini-TCPA laws with broader definitions
• Marketing calls to residential landlines (different subsection)

What this means practically: for non-prerecorded outbound using loaded lists, TCPA federal exposure dropped in 2022–2023. But state laws (Florida, Washington, Maryland) and DNC/consent rules still create substantial risk.

The 2024 FCC One-to-One Consent Rule

In late 2023, the FCC adopted a rule requiring that prior express written consent for marketing calls be obtained on a one-to-one basis — meaning a consumer consenting to be contacted by "Company A and its partners" no longer covers calls from Company B.

The rule was scheduled for a 2024 effective date, then delayed by a Fifth Circuit challenge. As of early 2026, the regulatory status is in flux — the rule has been vacated by the court but may be reinstated or modified.

Operational implications regardless of legal status:

• Lead generators selling to multiple buyers ("lead aggregators") face existential pressure under any version of one-to-one
• Consent capture forms need to name specific buyer companies, not "marketing partners"
• Aged consent records (pre-2024, generic partner consent) have elevated litigation risk
• Internal DNC tracking matters more — if a consumer opts out from Buyer A, consent for Buyer B (even under the same original form) needs separate validation

Most sophisticated outbound operations operationalized one-to-one consent capture in 2024 regardless of the rule's final status.

STIR/SHAKEN and Attestation

STIR/SHAKEN is the call authentication framework carriers use to verify that calls actually come from the number they claim. Attestation levels:

• A-level: the originating carrier has verified the caller's right to use the number
• B-level: the carrier has verified the customer but not the number-use
• C-level: the carrier has verified neither

Why it matters in 2026:

• Carriers increasingly block or spam-label C-attestation calls
• Enterprise phone numbers not registered with carrier STIR/SHAKEN frameworks may never reach consumer phones
• FCC rules now require originating carriers to verify customer identity for A-attestation
• Spam-labeling cascades: once a number gets flagged, reputation recovery takes weeks

Operational requirements:

• Register outbound numbers with your carrier's STIR/SHAKEN framework
• Monitor call labels across major spam-label services (First Orion, Hiya)
• Rotate numbers that get flagged — don't try to rehabilitate heavily-flagged numbers
• Keep call patterns consistent — sudden volume changes trigger carrier scrutiny

See the best power dialer guide for dialers with native STIR/SHAKEN management.

The Revoked-Consent Problem

A recurring TCPA class-action theory in 2024–2026: the consumer revoked consent (via reply to a text, voicemail, or statement on a call), and the business continued calling.

What counts as revocation:

Per FCC and court interpretations, revocation can be verbal, written, or even gestural (hanging up after stating intent not to be called). "Any reasonable method" of revocation must be honored. Specific words aren't required.

The operational challenge:

If a consumer says "don't call me" on a call, "stop texting me" in a reply, or "remove me from your list" on a voicemail, the business has received revocation — but that information needs to cascade across all channels and all campaigns within a "reasonable time" (typically interpreted as 24–48 hours).

Teams that rely on manual revocation logging at the rep level lose. Platform-enforced revocation cascade is the standard now.

What the Plaintiff's Bar Is Targeting

Current litigation patterns as of 2026:

1. Revoked-consent continuation. Easy to prove, hard to defend. Discovery demands internal DNC logs; gaps become class claims.

2. Pre-Duguid-era class certifications. Some cases originated before Duguid are still being litigated under broader autodialer definitions. Old claims, old exposure.

3. One-to-one consent theories. Notwithstanding the Fifth Circuit ruling, plaintiffs test the theory in friendlier jurisdictions.

4. Prerecorded-voice class actions. Voicemail drops structured as artificial/prerecorded voice without consent are fertile territory. This is why agent-triggered voicemail drop has become standard over ringless voicemail.

5. State-law mini-TCPA. Florida TCPA (FTSA), Washington CEMA, Maryland MTCPA all have expanded definitions or broader private rights of action. Federal compliance isn't sufficient.

6. Do-not-call (DNC) registry violations. Consumers on the national DNC registry still called by marketing operations. Statutory damages stack.

Operational Compliance Checklist

Consent capture

• [ ] Consent forms use one-to-one language naming specific buyers
• [ ] Consent records retained with timestamp and source documentation
• [ ] Separate consent records for voice vs SMS vs prerecorded
• [ ] Consent revocable via any reasonable method

Revocation handling

• [ ] Platform-level DNC flag cascades within 24 hours across all channels
• [ ] Revocations captured from voice calls, SMS replies, email replies, web forms
• [ ] AI QA flags revocation language in call recordings
• [ ] Supervisor escalation for any post-revocation contact

Time-of-day enforcement

• [ ] Automatic 8 AM–9 PM enforcement by consumer local time
• [ ] Zip-code or area-code-based timezone calculation
• [ ] State-law stricter windows honored where applicable

DNC management

• [ ] National DNC registry scrubbed monthly (minimum)
• [ ] Internal DNC list enforced across all campaigns
• [ ] State DNC registries scrubbed where applicable
• [ ] Reassigned-number database (RND) checked for wireless numbers

STIR/SHAKEN

• [ ] Outbound numbers A-attested with originating carrier
• [ ] Carrier spam-labels monitored weekly
• [ ] Rotation plan for numbers that get flagged
• [ ] Consistent call patterns per number (no sudden volume spikes)

Audit trail

• [ ] 100% call recording
• [ ] Consent records retrievable within 72 hours of any subpoena
• [ ] AI QA scoring flags compliance-adjacent issues
• [ ] Quarterly internal TCPA audit

People Plus Platform

TCPA violations are preventable with platform enforcement + trained agents. Most violations start as well-meaning rep error (continued calling a revocation, wrong timezone assumption) that cascades into class-action territory because the rest of the operation didn't catch it.

For outbound operations scaling in regulated verticals, ScaleOps BPO provides nearshore agents trained on TCPA, FDCPA, and Reg F before they touch a live US consumer. Pairing trained agents with platform-enforced compliance is the combination that keeps operators out of TCPA litigation.

Frequently Asked Questions

Did the Supreme Court get rid of the TCPA?

No. Facebook v. Duguid narrowed the autodialer definition, reducing exposure for certain dialing technologies. But the TCPA's other provisions — prior express consent for marketing, DNC registry, time-of-day, revocation rights — remain fully in force. State-law mini-TCPAs also continue to apply.

What's the penalty for a TCPA violation?

Statutory damages of $500 per call, trebled to $1,500 for willful or knowing violations. No cap on class damages. Most class-action settlements fall between $10M and $100M+. Private right of action means plaintiffs don't need regulatory enforcement to bring cases.

Is cold outbound to cell phones legal?

It depends. Calls to cell phones using an "ATDS" (narrowly defined post-Duguid) or artificial/prerecorded voice require prior express consent. Calls using modern dialers with loaded lists and live agent-placed calls generally fall outside the ATDS definition federally — but state laws and DNC registry rules still apply.

What's "one-to-one consent"?

An FCC rule requiring that consent for marketing calls be obtained on a per-company basis, not per-"partners" or per-"affiliates." The rule's final status is in flux as of 2026 (Fifth Circuit vacated it; further proceedings expected). Many operators have operationalized one-to-one anyway to reduce litigation risk regardless of the rule's legal status.

Do I need to scrub against the DNC registry?

Yes, for telemarketing calls. The national DNC registry applies to telemarketing to residential lines. Internal DNC lists must also be maintained regardless. Violations carry TCPA statutory damages. Monthly scrubbing is minimum; weekly is best practice for high-volume operations.

The Bottom Line

TCPA compliance in 2026 isn't about memorizing the statute — it's about operationalizing a platform that enforces the rules consistently, trained agents who don't rely on memory for consent and revocation, and audit trails that let you respond to discovery in hours, not weeks. The operators getting hit with class actions aren't the ones reading the statute wrong — they're the ones without systems.

See TCPA-aware compliance controls → or book a walkthrough.