Guides · Compliance
TCPA compliance checklist
By Mandeep Rao, Founder · Published May 18, 2026 · Updated May 24, 2026
Use this checklist before you run any AI or automated calling program to U.S. consumers. Each item maps to a real TCPA, FCC, CTIA, or state requirement. Miss one and each call can be a $500–$1,500 statutory violation.
Short answer
TCPA compliance for AI and automated marketing calls in the United States comes down to eight things: capture prior express written consent (PEWC) before you dial; scrub every number against the National DNC Registry and your internal opt-out list at least every 31 days; honor STOP and “do not call” requests immediately and permanently; call only between 8 a.m. and 9 p.m. in the recipient's local time; deliver an upfront artificial-voice / AI disclosure (47 C.F.R. § 64.1200(b)) and never deny the call is automated; get two-party recording consent in all-party-consent states; register for 10DLC before sending A2P SMS; and keep an audit trail of consent, scrubs, opt-outs, and disclosures. Each missed item can be a $500–$1,500 statutory violation per call, and the burden of proof is on the caller.
1. Capture prior express written consent (PEWC)
For AI/artificial-voice marketing calls and texts, get the contact’s signed, written agreement to be contacted at that number before you dial. Store the consent text, timestamp, and source. A bought list is not consent.
2. Scrub against the National DNC Registry
Check every number against the federal Do Not Call Registry and your internal opt-out list, refreshed at least every 31 days. Suppress matches automatically.
3. Honor opt-outs immediately and permanently
Process STOP/UNSUBSCRIBE on SMS and verbal "do not call" on voice the moment they happen, and never contact that number again on that channel. Send the CTIA-required STOP confirmation and answer HELP.
Try Lead Friendly free for 7 days
AI voice agents + CRM + TCPA-gated compliance. 30 minutes included. No card required.
4. Call only within permitted hours
Restrict calling to 8 a.m.–9 p.m. in the called party’s local time (resolve timezone from their number/address, not yours). Apply per-contact attempt and frequency caps.
5. Deliver the artificial-voice / AI disclosure
Per 47 C.F.R. § 64.1200(b), identify the caller and the business at the start of the call and disclose it is an automated/AI call. The agent must never deny being AI. Layer state AI-transparency laws (e.g., CA SB 1001) on top.
6. Handle two-party recording consent
In all-party-consent states (CA, WA, IL, FL, PA and others), disclose recording to every party before recording — or don’t record. Treat unknown states as two-party. Recording without consent there can be a criminal offense.
7. Register for 10DLC if you send SMS
U.S. A2P texting requires brand + campaign registration (10DLC/TCR) through your carrier. Unregistered traffic is filtered or blocked and can carry penalties.
8. Keep an audit trail
Log consent records, DNC scrubs, opt-outs, disclosures, and every compliance block. If a regulator or plaintiff asks, the burden is on you to show the call was permitted. Retain records for the applicable limitations window.
Build it in, don’t bolt it on
Every item above is enforced automatically in Lead Friendly — the consent gate, DNC and opt-out suppression, quiet-hours by contact timezone, the non-removable AI disclosure, recording-consent gating, 10DLC registration, and an immutable audit log of every block. See the compliance overview.
Stop assembling a compliance stack
Lead Friendly ships the gate that runs before every call, text, and email.
See pricingThis checklist is general information, not legal advice, and is not exhaustive. Consult qualified telecom/TCPA counsel for your specific program.