FundScoutFundScout
Get early access
Smartphone glowing with multiple incoming call notifications on a dark desk
FundScout Editorial·

TCPA: A Huge Win for People Tired of Sales Calls. So Why Am I Still Getting Them?

The FCC tried to close the biggest telemarketing loophole in 2025 — and courts struck it down. Here's why your phone still rings, what states are doing about it, and where the law actually stands.

Looking for business funding?

One application. Matched to vetted lenders — no spam, no lead reselling, ever.

Get Early Access →
  • No cost to register
  • Vetted lenders only
  • Proprietary contact protection
  • No credit pull to apply

A lender? See lender details →

You did everything right. You registered on the Do Not Call list. You declined every "may we contact you" checkbox. You've sent calls to voicemail for so long that your carrier now labels half your incoming calls as "Spam Likely." And your phone is still ringing — daily — with someone trying to sell you something.

This isn't a glitch. It's a design feature of an industry that spent thirty years engineering around every law meant to stop it.

Here's what happened — and where things actually stand right now.

What TCPA Actually Says

The Telephone Consumer Protection Act was signed into law in 1991 — back when "telemarketing" meant someone reading from a script at a phone bank. TCPA restricted autodialers and pre-recorded calls to residential numbers without prior consent, capped calling hours, and required companies to maintain internal do-not-call lists.

In 2003, Congress directed the FTC to create the National Do Not Call Registry. More than 200 million numbers are now registered. Violations carry statutory damages of $500–$1,500 per call. Individuals can sue in small claims court without a lawyer. Class action TCPA suits regularly produce settlements in the tens of millions.

TCPA also gives you a right most people don't know they have: the right to demand that any specific company stop calling you, by any reasonable means. You don't have to send a certified letter. You don't have to find a form on their website. You can say it verbally on the call — "Do not call me again" — and that is legally sufficient. The company has 30 days to add your number to their internal do-not-call list. Every call after that is a fresh TCPA violation, carrying its own $500–$1,500 exposure. The National DNC Registry stops many callers, but the internal DNC right is sharper: it creates clean, documented, per-call liability against a specific company once you've made the request.

By any measure, TCPA is a serious law with real teeth. So why is it failing?

The Loophole That Swallowed the Law

The answer is one paragraph of fine print.

Starting in the late 2000s and accelerating through the 2010s, a category of companies called lead generators discovered a neat trick. A consumer visits a website — "get quotes for business loans," "compare mortgage rates," "find cheap car insurance" — and fills out a form. Buried in the terms, sometimes in six-point type below a pre-checked box, is language granting consent to be contacted by the website's "marketing partners" or "affiliated companies."

That one checkbox. Sold. To dozens of buyers.

A single consumer form submission could be — and routinely was — sold to 20, 30, sometimes 50 companies simultaneously. Each of those companies had "consent." Each had your cell phone number. And under TCPA's rules as interpreted by the FCC, consent given to a website extended to whoever purchased that consent downstream.

The lead generation industry became a multi-billion dollar consent arbitrage business. Collect one consent. Sell it many times.

This is why you filled out a form asking about refinancing your mortgage and then couldn't put your phone down for three weeks. It's why requesting a business loan quote historically meant months of unsolicited follow-up from lenders you never asked to hear from. The form was the product. You were the inventory.

The FCC Tried to Close It

On December 13, 2023, the FCC adopted a rule (FCC 23-107) that was supposed to end the practice. The core requirement: one-to-one consent. A consumer's consent to be contacted must be specific to a single, named company — not a blanket authorization for "partners." The company calling you must be the same company you consented to. No more consent bundling. No more downstream reselling of permission.

The rule also required that any call or text be "logically and topically associated" with the context in which consent was given — meaning a solar company couldn't buy consent from a mortgage comparison site and claim it was valid.

It was, on paper, a direct hit on the lead generation ecosystem that had turned American phone ownership into an opt-in liability.

The rule was set to take effect January 27, 2025.

The Industry Killed It

Lead generators didn't accept this quietly.

The Insurance Marketing Coalition filed suit in the Eleventh Circuit Court of Appeals, arguing the FCC had overstepped its authority. On January 24, 2025 — three days before the rule was to take effect — the Eleventh Circuit unanimously vacated it. Not stayed. Vacated. The rule is gone.

The court's reasoning matters. In a post-Chevron world (the Supreme Court eliminated deference to agency interpretations of ambiguous statutes in Loper Bright Enterprises v. Raimondo in 2024), courts no longer defer to the FCC's reading of TCPA. The Eleventh Circuit read TCPA's plain text — "prior express consent" — and found those words don't require one-to-one consent, and don't require any topical connection between the consent context and the call. Bundled consent, the court held, is exactly what the statute allows.

This is an important distinction: the court did not strike down TCPA. It struck down the FCC's regulatory interpretation of TCPA. The underlying statute — passed by Congress in 1991 — remains fully intact. What changed is that the FCC's attempt to tighten its definition of valid consent was thrown out. The law still prohibits autodialed and prerecorded calls without "prior express consent." Courts just have to decide for themselves what that phrase means, without deferring to the FCC.

That's a meaningful difference — and it's where most of the current legal action is happening.

The Statute Still Has Teeth — And the Lawsuits Are Surging

Here's the part the lead generation industry doesn't advertise: TCPA civil litigation didn't slow down after the FCC rule was vacated. It exploded.

TCPA class action filings in the first half of 2025 were up 95% year-over-year compared to the same period in 2024. In Q1 2025 alone, 507 TCPA class actions were filed — more than double Q1 2024's 239. The top ten TCPA settlements in 2024 alone totaled more than $84 million. Recent examples:

  • $29.5 millionHead v. Citibank N.A. (D. Ariz., 2024) — unsolicited robocalls
  • $21.88 millionSmith v. Assurance IQ LLC (Ill., 2024) — prerecorded calls
  • $20 millionBumpus v. Realogy Holdings (N.D. Cal., 2025) — real estate agent harassment

The reason is straightforward: private plaintiffs don't need the FCC's one-to-one consent rule to win. They need to show that the defendant called them using an autodialer or prerecorded message without valid "prior express consent" — which is what TCPA says, independent of anything the FCC has ever tried to add to it. Courts are now interpreting that standard on their own, which has actually created more litigation uncertainty for callers, not less.

The vacatur of the FCC rule didn't close the door on TCPA liability. It just made the law's meaning hazier — which, for a statute that awards $500–$1,500 per call, is a very expensive kind of ambiguity.

States Aren't Waiting for the Federal Government

While the federal one-to-one consent rule was being litigated out of existence, states were writing their own. Several now have "mini-TCPA" laws with private rights of action that exist entirely independent of the FCC:

Florida — Florida Telephone Solicitation Act (FTSA) The most aggressive state law in the country. Enacted in 2021 under Fla. Stat. §§ 501.059 and 501.616, it applies to calls and texts made with an automated dialing system, requires prior express written consent, and carries $500–$1,500 in statutory damages per violation — in addition to any federal TCPA claim. Violations can be stacked. The 2021 version triggered a flood of Florida TCPA litigation; a 2023 amendment added some defendant-friendly guardrails, but the private right of action remains robust.

Oklahoma — Oklahoma Telephone Solicitation Act (OTSA) Enacted in the 2023–2024 period. Modeled closely on TCPA and FTSA, with $500–$1,500 per violation. Explicit private right of action.

Maryland — Stop the Spam Calls Act of 2023 Effective January 1, 2024. Up to $10,000 per violation ($25,000 for repeat violations) under the Maryland Consumer Protection Act. Maryland residents have overlapping federal TCPA and state law remedies.

Texas Updated in 2025 under the Texas Deceptive Trade Practices Act to allow consumers to sue directly for telemarketing violations. DTPA's trebling provision means damages can multiply. Texas also maintains its own state-level Do Not Call list separate from the federal registry.

Washington, Colorado, Pennsylvania, New Jersey Each has some form of state telemarketing or robocall law with private rights of action or enhanced penalties. Washington's Consumer Protection Act has been used extensively alongside TCPA claims. Colorado's No Call List Act (C.R.S. § 6-1-901) allows up to $2,000 per call.

The practical implication: a caller who relies on the Eleventh Circuit's reading of TCPA may still be exposed to state law claims in Florida, Maryland, Oklahoma, and others. The patchwork creates compliance complexity — and multiplying liability for anyone operating nationally. For consumers, it means the most protection accrues to residents of the states that bothered to legislate.

The Honeypot Economy

There's a quieter corner of the TCPA enforcement world that rarely makes mainstream news: honeypot operations.

A honeypot, in this context, is a phone number — or a large bank of phone numbers — maintained specifically to attract unwanted calls. The owner doesn't actually want the calls. They want documentation of TCPA violations. Once a company calls a honeypot number, the call is logged, the autodialer is identified, and the violation is recorded.

The most prominent honeypot operator in the TCPA space is Nomorobo, the robocall-blocking service. Nomorobo maintains one of the largest known honeypot networks in the country, logging millions of calls from identified violators. But honeypot litigation has a ceiling: in Telephone Science Corp. v. Synchrony Financial, a court held that Nomorobo — as an operator of a honeypot — couldn't bring suit under TCPA for receipt of calls on numbers it doesn't actually use for communication. The standing issue is real.

Individual honeypot-style plaintiffs face less scrutiny, and there's an entire informal ecosystem of people who register their numbers publicly, complete lead-gen forms knowing they'll be contacted, and then document and sue. TCPA plaintiffs' attorneys have built practices around aggregating these claims. Some specialized services identify companies likely to be violating TCPA and bring claims at volume.

On the other side, a defense-focused service called The Blacklist Alliance operates as a scrubbing tool — callers check numbers against a database of known litigious plaintiffs before dialing, to avoid calling people who are likely to sue. This is now a standard compliance step for high-volume telemarketers.

The picture that emerges is less "regulatory enforcement" and more "arms race": plaintiffs building documentation infrastructure, defendants building avoidance infrastructure, lawyers profiting on both sides, and ordinary consumers remaining caught in the middle.

Why You're Still Getting Calls Right Now

Even with state laws and active litigation, there are six reasons your phone keeps ringing:

1. International callers ignore U.S. law entirely. A substantial portion of robocall volume originates overseas. FTC enforcement stops at the border. The calls are cheap to generate and effectively unpunishable.

2. Caller ID spoofing. "Neighbor spoofing" — calls that appear to come from local area codes — exploits the trust people place in familiar numbers. The technical infrastructure for spoofed calls is widely available and difficult to trace.

3. Existing business relationship exceptions. If you've ever done business with a company — or in some interpretations, merely inquired about doing business — they have a basis for contacting you for up to 18 months. Large financial institutions, insurance companies, and retailers have customer databases going back decades.

4. Political and charitable calls are largely exempt. TCPA's restrictions primarily apply to commercial calls. Political campaigns and nonprofits face far fewer restrictions.

5. Bundled consent lists are now federally legal again. The Eleventh Circuit's ruling means the old lead-gen consent model — one checkbox, sold to many buyers — is back. Lists built on that model before the FCC rule was vacated didn't disappear when the rule died. They're also being built fresh right now.

6. Compliance is a cost calculation, not a moral position. The bulk of TCPA enforcement comes from private litigation, not government action. Companies with high call volumes and thin compliance programs calculate that the probability of being sued is low enough to keep dialing. TCPA's $1,500-per-call maximum means a class action is devastating — but the probability-weighted expected cost, for a company that never gets caught, is close to zero.

What This Has to Do With Business Loans

The commercial lending industry runs heavily on lead generation. A borrower who submits a funding inquiry on a comparison site doesn't just hear from one lender — they hear from whoever purchased their data, often simultaneously, often for months.

The mechanics are identical to the consumer context: one consent, sold many times. The difference is that business borrowers tend to have higher lifetime value than consumer leads, which means more funders are willing to pay more for the data, which means more calls.

This is not incidental to the industry. It's the business model. The lead generation companies exist to aggregate borrower intent and sell it. The lenders who buy leads have no relationship with the borrower — just a phone number and a signal that they expressed some interest at some point in time.

The result is the experience every small business owner recognizes: you looked into financing once, and your phone became a recurring problem.

There's a Structural Alternative

The TCPA framework — consent + do-not-call + enforcement — is a rearguard action. It tries to put limits on a system that is fundamentally built around reselling contact information. The law says you need consent to call; the industry built an infrastructure for collecting technically-valid consent at scale and reselling it. The FCC tried to tighten the definition of consent; the courts threw it out.

A different approach is to not put contact information in a position where it can be resold in the first place.

FundScout is built on that premise. When a borrower submits a funding request, they're matched with specific vetted lenders — and all communication flows through a unique pair of proxy contact credentials assigned to that exact match. Neither party ever exchanges real contact information directly. If a lender resells a lead, the watermarked proxy contact traces back to them specifically. There's no ambiguous consent chain, no data broker in the middle, and no way for contact information to propagate beyond the intended relationship.

It doesn't patch TCPA. It removes the problem TCPA was trying to solve.

The law will keep evolving. States will keep passing their own versions. Courts will keep arguing about what "prior express consent" means. The lead generators will keep adapting. And if the history of this space is any guide, your phone will keep ringing regardless — unless you choose to interact with a system that doesn't treat your contact information as inventory.

Sources

  1. Telephone Consumer Protection Act (TCPA)47 U.S.C. § 227 (enacted 1991)
  2. National Do Not Call Registry — maintained by the FTC; 200+ million registered numbers; donotcall.gov
  3. FCC Order FCC 23-107 (adopted December 13, 2023) — one-to-one consent rule; FCC.gov
  4. Insurance Marketing Coalition v. FCC, No. 24-10277 (11th Cir. January 24, 2025) — vacated FCC 23-107
  5. Loper Bright Enterprises v. Raimondo, 603 U.S. 369 (2024) — Supreme Court eliminated Chevron agency deference
  6. TCPA class action filings up 95% (H1 2025 vs. H1 2024): WebRecon LLC TCPA Litigation Tracker — webrecon.com
  7. Head v. Citibank N.A., No. 2:20-cv-01203 (D. Ariz. 2024) — $29.5 million TCPA settlement
  8. Smith v. Assurance IQ LLC (Ill. 2024) — $21.88 million TCPA settlement
  9. Bumpus v. Realogy Holdings, No. 3:19-cv-06908 (N.D. Cal. 2025) — $20 million settlement
  10. Florida Telephone Solicitation Act (FTSA)Fla. Stat. §§ 501.059, 501.616 (enacted 2021, amended 2023)
  11. Oklahoma Telephone Solicitation Act (OTSA) — Okla. Stat. tit. 15 § 775A.1 et seq.
  12. Maryland Stop the Spam Calls Act (2023, effective January 1, 2024) — Md. Code, Com. Law § 14-3201 et seq.; up to $10,000 per violation
  13. Colorado No Call List ActC.R.S. § 6-1-901; up to $2,000 per call
  14. Telephone Science Corp. v. Synchrony Financial, No. 17-cv-5099 (N.D. Ill.) — honeypot standing ruling