Most businesses know the basics of TCPA compliance: no calls or texts before 8 a.m. or after 9 p.m. in the recipient's local time. What most businesses do not know is that federal rules are the floor, not the ceiling. At least a dozen states enforce stricter windows, tighter consent requirements, and harsher penalties that catch companies off guard every single day.
This is the guide that compliance officers bookmark. If your business sends marketing texts or makes outbound sales calls, the table below could save you from a six-figure lawsuit.
The federal baseline: TCPA 101
The Telephone Consumer Protection Act, passed in 1991 and updated repeatedly since, sets the national standard for outbound marketing communications. The core rules are straightforward:
- No calls or texts to mobile numbers using an autodialer without prior express written consent
- No marketing messages before 8:00 a.m. or after 9:00 p.m. in the recipient's local time zone
- Every message must include a clear opt-out mechanism
- Violations carry penalties of $500 to $1,500 per message in a class action
That sounds straightforward. The problem is that roughly 15 states have layered additional restrictions on top of federal law, and most sales teams have never reviewed them.
State-level regulations create a patchwork of rules that vary by geography, time, and consent requirements.
The states that go further
While federal TCPA sets the baseline, more than a dozen states impose tighter restrictions on when, how, and under what conditions businesses can contact consumers. Here is a breakdown of the most notable offenders.
Stricter calling and texting windows by state
The table below highlights states with restrictions that differ from or exceed the federal standard. If you contact consumers in any of these states, your compliance setup needs to account for these variations.
| State | Earliest Contact | Latest Contact | Additional Restrictions |
|---|---|---|---|
| Connecticut | 9:00 a.m. | 9:00 p.m. | No calls on Sundays before 11 a.m. |
| Florida | 8:00 a.m. | 8:00 p.m. | State registration required; stricter weekend rules |
| Georgia | 8:00 a.m. | 9:00 p.m. | No recorded messages without disclosure |
| Indiana | 9:00 a.m. | 9:00 p.m. | State Do Not Call list enforced separately |
| Louisiana | 8:00 a.m. | 9:00 p.m. | Written consent must be retained for 4 years |
| Massachusetts | 8:00 a.m. | 8:00 p.m. | Among the strictest windows in the country |
| New York | 8:00 a.m. | 9:00 p.m. | Registration and surety bond required |
| North Carolina | 8:00 a.m. | 9:00 p.m. | No calls on state holidays |
| Oklahoma | 8:00 a.m. | 9:00 p.m. | State-specific consent language requirements |
| Pennsylvania | 9:00 a.m. | 9:00 p.m. | No Sunday calls before noon |
| Tennessee | 8:00 a.m. | 9:00 p.m. | Caller identity required within 30 seconds |
| Texas | 8:00 a.m. | 9:00 p.m. | Separate state TCPA with private right of action |
| Washington | 8:00 a.m. | 8:00 p.m. | 8 p.m. cutoff; state AG actively enforces |
| Wisconsin | 8:00 a.m. | 9:00 p.m. | DNC compliance required within 30 days |
Several of these states also maintain separate Do Not Call registries that operate independently from the federal DNC list. Businesses must check both before initiating any outbound campaign.
The traps that catch good companies
Even companies that genuinely try to follow the rules get tripped up by edge cases and operational gaps. Here are the five most common compliance failures we see across the industry.
1. Timezone miscalculations
A lead in Massachusetts submits a form at 8:15 p.m. EST. Your autodialer, running on PST, sees it as 5:15 p.m. and fires off a text. Legal in federal terms, but Massachusetts cuts off at 8:00 p.m. That is a violation.
2. Ignoring state registration requirements
Florida, New York, and several other states require telemarketers to register and, in some cases, post a surety bond before making a single call. Many companies skip this step entirely, assuming federal compliance is sufficient.
3. Relying on a single opt-out mechanism
Federal TCPA requires opt-out capability. But some states mandate specific opt-out language, confirmation messages, or processing timelines. A generic "Reply STOP" may not be sufficient everywhere.
4. Contacting leads on state holidays
North Carolina and a handful of other states restrict or prohibit marketing contact on state-recognized holidays. These do not always align with federal holidays, which means your team could be making calls on a day that is perfectly normal in your state but restricted in the recipient's.
5. Failing to honor state Do Not Call lists
The federal DNC list is well known. But states like Indiana, Pennsylvania, and Texas maintain their own lists. Scrubbing against the federal list alone leaves gaps that can result in violations.
Compliance is not a one-time checkbox. The patchwork of state rules requires ongoing monitoring and operational discipline.
Real lawsuits, real numbers
TCPA class actions are not theoretical. They are one of the fastest-growing categories of consumer litigation in the United States. Here are some of the largest settlements and judgments on record.
Dish Network (2020): $210 million in penalties for calling numbers on the Do Not Call list. The largest TCPA judgment in history.
Caribbean Cruise Line (2016): $76 million settlement for unsolicited prerecorded calls.
Capital One (2014): $75.5 million settlement for placing autodialed calls without consent.
Wells Fargo (2017): $30.4 million settlement for calls and texts sent to wrong numbers.
Health IQ (2021): $3.5 million for sending marketing texts without proper consent.
What makes TCPA litigation so dangerous is the per-message math. A company that sends 50,000 non-compliant texts faces potential exposure of $25 million to $75 million. Even small campaigns of a few thousand messages can generate seven-figure liability.
A compliance checklist that actually works
Here is a practical checklist for any business running outbound SMS or calling campaigns. Print it, share it with your team, and run through it before every campaign launch.
Before you send anything
- Confirm you have prior express written consent for marketing messages
- Verify the recipient's timezone and apply the stricter of federal or state windows
- Scrub your list against both federal and state Do Not Call registries
- Check whether your state requires telemarketer registration or bonding
- Ensure your opt-out mechanism meets the strictest state requirements in your contact list
Every message you send
- Include clear sender identification
- Provide a working opt-out path and honor it within 10 business days (or faster if the state requires it)
- Log consent records with timestamps, IP addresses, and the specific language the consumer agreed to
- Respect frequency limits. Even where not legally mandated, excessive messaging increases complaint rates and litigation risk
Ongoing operations
- Audit compliance quarterly at minimum
- Monitor state legislative changes (new SMS regulations pass every session)
- Train every team member who touches outbound communication
- Keep consent records for at least 5 years (some states require 4 years; 5 covers all bases)
Tools like Arnis handle this logic automatically, checking both federal TCPA windows and state-specific restrictions in real time before any message goes out. But regardless of what tools you use, the checklist above is the minimum standard every outbound operation should meet.
What to watch in 2026
The regulatory landscape is tightening, not loosening. Several trends are worth monitoring closely this year.
FCC rulemaking on AI-generated calls. The FCC ruled in early 2024 that AI-generated voice calls qualify as "artificial" under TCPA, requiring prior consent. Expect further clarification on AI-driven text campaigns throughout 2026.
State mini-TCPA laws. Florida's 2021 overhaul (SB 1120) set the template for state-level reform. More states are drafting their own versions with private rights of action and shorter calling windows.
Consent revocation rules. The FCC finalized rules requiring businesses to honor revocation requests through any reasonable means, not just the word "STOP." This reshapes opt-out workflows for every outbound operation.
STIR/SHAKEN expansion. Carrier-level call authentication is expanding to text messaging, which means unregistered or non-compliant senders will see deliverability decline significantly.
"Compliance is not a one-time setup. It is an ongoing operational discipline that requires awareness of where your contacts live, what rules apply there, and how those rules change over time."
The companies that treat compliance as infrastructure, rather than an afterthought, are the ones that scale without legal exposure. Bookmark this page. Share it with your compliance team. And if you are sending outbound messages today, audit your current setup against the table above before your next campaign goes out.