The Telephone Consumer Protection Act was signed into law in 1991. It was designed to stop telemarketers from flooding American households with unwanted calls. Three decades later, it has become the most litigated consumer protection statute in the country. In 2024 alone, over 4,000 TCPA lawsuits were filed in federal courts. The penalties range from $500 per violation for standard infractions to $1,500 per violation for willful violations. When each text message or phone call counts as a separate violation, the math gets terrifying fast.
Most businesses assume TCPA lawsuits only happen to shady robocall operations or massive telemarketing farms. That assumption is dangerously wrong. Legitimate companies, from Fortune 500 brands to regional lenders, healthcare providers, and insurance agencies, have paid millions in settlements for violations they did not even realize they were committing.
This article breaks down real cases, real dollar amounts, and the specific mistakes that triggered them. More importantly, it provides a practical compliance checklist you can implement today.
The math behind TCPA penalties
Before looking at specific cases, it helps to understand how quickly the numbers escalate. The TCPA assigns penalties on a per-violation basis, and every individual call or text message counts as a separate violation. A single campaign targeting 1,000 people can generate thousands of violations overnight.
Those numbers look manageable in isolation. They are not. Here is what happens when they multiply across a real campaign.
The chart tells the story. At the standard $500 rate, 1,000 messages cost $500,000. At the willful rate, that same campaign costs $1.5 million. Scale to 5,000 messages and you are looking at $7.5 million in potential liability. These are not hypothetical numbers. They are the actual math that courts use to calculate damages.
Case #1: $1.2 million for texting after opt-out
A national home services company continued sending promotional text messages to consumers who had replied "STOP." Their system processed opt-out requests in batches every 24 hours instead of in real time. During that processing window, opted-out consumers received between one and three additional messages each.
The violation was clear. Under TCPA and CTIA guidelines, opt-out processing must be near-instantaneous. The 24-hour batch processing was deemed willful negligence by the court.
The total cost: a $1.2 million class action settlement covering approximately 12,000 consumers. The company also paid $340,000 in plaintiff attorney fees and was required to completely overhaul its opt-out processing infrastructure.
"Every minute between a STOP request and actual suppression is a liability window. If your system batches opt-outs on any kind of delay, you are exposed."
The lesson here is straightforward. Opt-out handling cannot be delayed. Real-time processing is not a nice-to-have. It is a legal requirement. If your current system queues opt-out requests for batch processing at any interval, that interval represents your exposure.
Case #2: $925,000 for contacting before 8 AM
A financial services firm ran an automated dialing campaign to reach leads across multiple time zones. Their system was configured to begin calls at 8:00 AM Eastern. The problem: leads in Central, Mountain, and Pacific time zones received calls at 7:00 AM, 6:00 AM, and 5:00 AM local time respectively.
The TCPA restricts calls and texts to between 8:00 AM and 9:00 PM in the recipient's local time zone. The firm's system used sender-based timing instead of recipient-based timing.
Time zone logic must be based on the recipient's location, not the sender's. Areas near time zone borders require zip-code-level precision.
The settlement came to $925,000. The class included over 3,200 consumers who received calls before 8:00 AM in their local time zone over a six-month period. The per-consumer payout was modest, but the total was devastating for a mid-size financial services operation.
The lesson: "location" means more than state. Time zones do not follow state lines perfectly. Areas near time zone borders require zip-code-level or area-code-level precision to determine the correct calling window.
Case #3: $1.6 million for missing state-specific rules
This case is particularly instructive because the company did almost everything right. A large insurance marketing company ran a fully compliant federal TCPA campaign. They honored the 8 AM to 9 PM window. They processed opt-outs promptly. They maintained proper consent records.
But they overlooked state-level restrictions. Massachusetts prohibits commercial calls after 8:00 PM, not 9:00 PM. Florida has stricter weekend calling rules. Connecticut does not allow commercial calls before 9:00 AM. At least four states had rules stricter than federal law, and the company was violating all of them.
Plaintiffs in each state filed separate actions, which were later consolidated. The combined settlement: $1.6 million. The per-violation penalties were lower than the willful rate, but the sheer volume of violations, calls placed during the one-hour gaps between state and federal rules, was substantial.
At least 15 states have calling and texting restrictions that are stricter than federal TCPA rules. If your compliance engine only checks federal windows, you are likely violating state laws in every campaign that crosses state lines. Massachusetts, Connecticut, Florida, Oklahoma, and Washington all have unique restrictions that catch businesses off guard.
Case #4: $680,000 for inadequate consent records
A debt relief company collected leads through an online form. The form included a consent checkbox, but the checkbox language referenced "calls from partners" without naming the specific company that would be calling. When consumers received calls, they had no relationship with the calling company and filed complaints.
The TCPA requires "prior express written consent" that clearly identifies the specific caller. Blanket consent to receive calls from unnamed "partners" does not meet the standard established in the 2013 FCC ruling. The court found the consent language insufficient.
The settlement: $680,000. The company also lost access to its primary lead source and spent an additional $200,000 rebuilding its consent flow and legal review process. Total impact exceeded $880,000.
The lesson: "We got the lead from a form" is not a defense if the consent language does not name your company explicitly. Consent must be specific, documented with a timestamp and IP address, and tied directly to the entity making the call.
Consent records should be stored for a minimum of five years. Every message, timestamp, and opt-out event must be documented and auditable.
The anatomy of a TCPA class action
Understanding how these lawsuits unfold helps explain why prevention is so much cheaper than defense. The typical timeline follows a predictable pattern.
First, a consumer receives an unwanted call or text. They file a complaint with the FCC or contact a TCPA plaintiff attorney. The attorney identifies a pattern, meaning other consumers who received similar messages from the same company. A class is certified, grouping all affected consumers together. Discovery reveals the full volume of violations. Settlement is negotiated, typically taking 6 to 18 months. The company pays the settlement amount plus plaintiff attorney fees and is usually required to make infrastructure changes.
"By the time you receive the lawsuit, the violations have already accumulated. TCPA enforcement is reactive by nature, which means the damage is done long before you know about it."
This reactive nature is exactly why proactive compliance matters so much. You cannot undo violations after the fact. The only effective strategy is preventing them from happening in the first place.
The compliance checklist
Based on the patterns in these cases and current TCPA enforcement trends, here is the checklist every business running outbound calls or texts should follow.
Consent management
- Consent language names your specific company, not "partners" or "affiliates"
- Consent is documented with timestamp, IP address, and the exact language presented
- Consent records are stored for a minimum of 5 years
- Consent is obtained before first contact, never during or after
- Lead sources provide one-to-one consent per the FCC's 2024 ruling
Time and timing
- All timing is based on the recipient's local time zone, not the sender's
- System accounts for state-specific restrictions beyond federal 8 AM to 9 PM
- Holiday calling restrictions are programmed and automatically enforced
- Time zone is determined by area code or zip code, not state alone
- Weekend-specific rules are implemented for states that have them
Opt-out processing
- STOP and standard opt-out keywords trigger immediate suppression
- Opt-out processing happens in real time, never batched
- A single confirmation message is sent acknowledging the opt-out
- The suppression list is checked before every outbound message
- Soft refusals ("not interested," "don't contact me") are flagged for review
Record keeping
- Every message sent is logged with timestamp, recipient number, and content
- Consent records are linked to specific campaigns and contact events
- Opt-out events are timestamped and archived permanently
- Regular compliance audits are conducted quarterly at minimum
- All records are exportable for legal discovery if needed
Some businesses handle this complexity with dedicated compliance teams and manual processes. Others use automated compliance engines, like the one built into Arnis, that enforce these rules programmatically across every message and call. The approach matters less than the outcome: zero violations, zero exposure.
What to do if you receive a TCPA complaint
If a complaint has already arrived, here is the priority sequence.
First, do not ignore it. TCPA complaints escalate quickly, and delays only increase exposure. Second, immediately preserve all records. Messages sent, consent documentation, opt-out logs, system configurations. Third, consult a TCPA-specialized attorney rather than your general business counsel. TCPA litigation has specific procedural requirements that general practitioners often miss. Fourth, conduct an internal audit to determine the full scope of potential violations. Finally, fix the root cause before responding to the complaint. Demonstrating that the issue has been resolved can significantly impact settlement negotiations.
The regulatory direction is clear
The TCPA is not going away. If anything, enforcement is accelerating. The FCC's 2024 ruling closing the "lead generator loophole" now requires one-to-one consent for virtually all outbound marketing communication. State legislatures continue to pass their own restrictions. The plaintiff bar has built an entire practice area around TCPA litigation, with some firms handling hundreds of cases annually.
The companies that treat compliance as a core operational requirement, rather than an afterthought, are the ones that will avoid becoming the next case study.
The cost of getting it right is measured in software and process. The cost of getting it wrong is measured in millions.