FundScoutFundScout
Get early access
Compliance checklist and legal documents on a professional desk with a telephone
FundScout Editorial·

The Telemarketer's DNC Compliance Guide: The Rules You're Probably Missing

Federal DNC compliance is the floor, not the ceiling. This guide covers the 11 state registries, the any-reasonable-means rule, the cell phone trap, and the cross-channel revocation rules taking effect in 2026.

Looking for business funding?

One application. Matched to vetted lenders — no spam, no lead reselling, ever.

Get Early Access →
  • No cost to register
  • Vetted lenders only
  • Proprietary contact protection
  • No credit pull to apply

A lender? See lender details →

Most telemarketing compliance programs have one thing in common: they're built around the National Do Not Call Registry, the 8am–9pm calling window, and not much else. That's a 1990s compliance posture applied to a 2026 legal landscape, and the gap between the two is where class action attorneys live.

This guide is for people who make outbound calls — sales teams, lenders, ISOs, lead buyers — and want to understand what the rules actually require today, not what they required when someone set up the compliance program.

Layer One: The National DNC Registry (And Why It's Not Enough)

The National Do Not Call Registry, maintained by the FTC, has more than 200 million registered numbers. Telemarketers are required to:

  • Subscribe to the registry and pay the required annual fee (based on area codes accessed)
  • Scrub contact lists against the registry no more than 31 days before calling any number — once the scrub is stale, you lose safe harbor
  • Maintain written DNC policies and procedures
  • Train personnel on those procedures and document it
  • Keep records of scrub dates for at least three years

Safe harbor is available if you follow all of the above and still call a registered number due to a list error. It's a defense that can reduce penalties — it does not eliminate liability. "We scrubbed but missed it" requires documented proof that you actually scrubbed, recently, correctly.

That's the floor. Here's what's built on top of it.

Layer Two: The Eleven State Registries You Also Have to Scrub

Registering with the federal list does not cover state DNC registries. They're separate databases, maintained by state agencies, and they can include numbers that aren't on the federal list. If you call a number that's on a state registry without scrubbing that registry, you're in violation of state law regardless of your federal compliance.

As of 2026, eleven states maintain their own Do Not Call registries requiring independent scrubbing:

State Notable penalty / feature
Colorado Deceptive trade practice liability; enforcement after 3 violations/month
Florida $500–$1,500/violation under FTSA; attorney fees; up to 3× damages; private right of action
Indiana One of the oldest state DNC laws (IC 24-4.7); AG enforcement with restitution authority
Louisiana State registry; penalties vary by violation type
Massachusetts State registry; enforced under consumer protection statute
Missouri $1,000–$5,000 per knowing violation
Oklahoma State registry; OTSA also provides $500–$1,500/violation private right of action
Pennsylvania State registry; additional state-level exposure alongside federal
Tennessee Up to $2,000/violation to Tennessee Regulatory Authority
Texas PUC enforces; $1,000/violation ($3,000 if willful); consumers can sue for $500/knowing violation; state list managed by PUC is separate from national
Wyoming $500 first offense, $2,500 second, $5,000+ thereafter

Note: Wisconsin, Minnesota, and Georgia are common assumptions that are wrong — those states have adopted the National DNC Registry and do not maintain separate lists.

If you're calling into Florida, Texas, Oklahoma, or Indiana in particular, the state-level exposure is meaningful. Florida's FTSA generates significant litigation — the private right of action and $1,500/violation ceiling make it a plaintiff-friendly statute with an active plaintiffs' bar.

Compliance tools like PossibleNOW, CompliancePoint, and similar services offer multi-state scrubbing products that cover all eleven state registries in a single pass. If you're calling nationally, that's the practical path.

"Any Reasonable Means": What It Actually Requires

When someone on a call says "don't call me again," that is a binding do-not-call request. You don't need them to fill out a form. You don't need them to navigate your website. You don't need it in writing. Any reasonable means of communicating the request is legally sufficient.

Under 47 CFR § 64.1200(d)(3), companies must:

  • Honor do-not-call requests made at any time, by any means
  • Add the number to the internal suppression list within 30 days
  • Honor the request for a minimum of five years

Every call made to that number after the 30-day window — even if it falls through a gap in your CRM workflow — is a TCPA violation. At $500–$1,500 per call, a handful of missed opt-outs in a high-volume operation can produce material liability fast.

Internal DNC list maintenance is where most compliance programs have their worst hygiene. Opt-out requests that come in verbally get missed because the rep doesn't enter them. Requests that come in as part of a sales conversation don't make it to the suppression system. A compliance program that handles written requests well but drops verbal requests is still a liability.

Cross-Channel Opt-Outs: Where the Law Is Headed

The intuitive position — that opting out of calls also means opting out of texts from the same company — has been treated as standard compliance practice for years. The legal picture is more complicated, and it's actively being resolved.

The FCC issued FCC 24-24 in February 2024, establishing explicit rules for consent revocation: when a consumer revokes permission for autodialed calls or texts (by texting STOP, calling in, emailing, using a website form, or any reasonable method), that revocation applies to all future communications from that company across all channels, including calls, texts, and emails on any topic. The rule was delayed and is currently scheduled to take effect April 11, 2026.

Note what FCC 24-24 covers and what it doesn't: it governs revocation of consent for communications where consent was the legal basis. It doesn't directly address the National DNC Registry's scope for text messages, which is a separate and genuinely unsettled question. A 2025 district court split illustrates the issue: the District of Oregon held DNC protections apply to texts; the Central District of Illinois held they don't, on the reasoning that the DNC statute was written in 1991 when texts didn't exist.

The practical compliance position: treat any opt-out request — regardless of channel — as an opt-out from all contact, and document it. Relying on the argument that a DNC request for calls doesn't cover texts is a litigation risk the case law doesn't support taking. Pre-April 2026, it's a grey area. Post-April 2026, FCC 24-24 removes the ambiguity for consent-based communications.

The Cell Phone Trap: "But It's a Business Number"

This is one of the most consequential misunderstandings in commercial telemarketing. The belief: if a phone number is listed on a business website, business card, or commercial directory, it's a business number exempt from TCPA's heightened cell phone restrictions. That belief is wrong.

TCPA's autodialer and prerecorded call prohibition (47 U.S.C. § 227(b)) applies to any call or text made using an automatic telephone dialing system to "any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service." The statute doesn't say "residential cellular." It says cellular. Whether the phone is used for business, listed on a company website, or carried by a CEO doesn't change the technology classification.

The DNC Registry's scope is narrower — it applies to "residential telephone subscribers." But the Ninth Circuit has established a rebuttable presumption that cellular numbers are residential even when used for business, absent strong evidence that the number is used exclusively as a business line. Mixed-use phones — a cell that a sole proprietor uses for both business and personal calls — is presumptively residential. The burden to rebut that falls on the caller, and courts have been skeptical.

The practical implication: a cell phone number appearing on a company website is not prior express consent for autodialed marketing calls. Pulling a number from LinkedIn, a business directory, or a "Contact Us" page and loading it into a dialer is not compliant practice for cell numbers. You need affirmative opt-in — prior express consent, obtained specifically by that person, for your calls or texts.

The exception that occasionally applies: in debt collection contexts, if a consumer provided their cell number to the creditor on a credit application or account form, courts have found that constitutes consent for account-servicing calls (not marketing). That's a narrow exception that doesn't extend to marketing contact.

The Compliance Checklist

Federal DNC Registry

  • Subscribed and fee current for all area codes you call
  • Contact lists scrubbed within 31 days before any call
  • Scrub dates logged and retained (minimum 3 years)
  • Written DNC policy document exists and is current
  • All outbound calling staff trained; training documented

State DNC Registries

  • Identified all states you call where a separate registry exists
  • Scrubbing against Colorado, Florida, Indiana, Louisiana, Massachusetts, Missouri, Oklahoma, Pennsylvania, Tennessee, Texas, Wyoming registries as applicable
  • State scrub dates also logged and retained

Internal Suppression List

  • Verbal opt-out requests captured by reps and entered within 24 hours
  • Written/email/text opt-out requests entered within 24 hours
  • Suppression list honored for minimum five years
  • List covers all internal brands/DBAs operating from the same legal entity

Cross-Channel Revocation (ahead of April 2026)

  • STOP keyword processing on texts (within 10 business days)
  • Any opt-out by any channel triggers suppression across all channels
  • Opt-out confirmation message allowed (no promotional content, within 5 minutes)

Cell Phone Compliance

  • Contact list distinguishes cell vs. landline numbers
  • Prior express consent documented for all autodialed or prerecorded contacts to cell numbers
  • Business directory / website listings not treated as consent for cell numbers
  • Consent records retained (minimum 3 years recommended)

Calling Window

  • 8:00 AM – 9:00 PM in recipient's local time (by area code)
  • Texas automated texts: 9:00 AM – 9:00 PM local

Caller ID

  • Caller ID displays accurate company name and callback number
  • No spoofed or fictitious caller ID information

A Note on Architecture

The compliance burden outlined above exists because the dominant model in commercial telemarketing — acquire a list, add leads to a dialer, call — structurally separates the caller from the person who gave consent. Someone filled out a form somewhere, their number entered a lead ecosystem, and now a company they've never interacted with is trying to reach them and hoping their consent documentation holds up.

FundScout is built around a different architecture for commercial lending specifically. Lender contact only happens after a borrower has explicitly requested an introduction to that lender, via a matched funding request. All communication flows through proxy contact credentials assigned to that specific relationship. There's no list acquisition, no autodialer scrub to run, no downstream consent question — because the borrower initiated the contact and the lender's only channel back is the proxy assigned for that match.

That's not a TCPA compliance program. It's a system that doesn't generate the underlying problem.

If you're a lender who does operate outbound calling programs alongside marketplace activity, treat this checklist as a baseline review. The exposure from a single missed state registry scrub or a CRM that silently drops verbal opt-out requests is significant — and it compounds with volume.

Sources

  1. Telephone Consumer Protection Act (TCPA)47 U.S.C. § 227; autodialer and prerecorded call restrictions at § 227(b); $500–$1,500 per violation
  2. TCPA opt-out requirements47 CFR § 64.1200(d)(3); honor do-not-call requests by "any reasonable means" within 30 days; retain for 5 years
  3. National Do Not Call Registry — maintained by the FTC; 200+ million registered numbers; donotcall.gov; scrub no more than 31 days before calling
  4. FCC Order FCC 24-24 (February 2024) — cross-channel consent revocation; effective April 11, 2026; applies across all communication channels
  5. Florida Telephone Solicitation Act (FTSA)Fla. Stat. §§ 501.059, 501.616; $500–$1,500 per violation; private right of action
  6. Indiana Telephone Privacy ActInd. Code § 24-4.7
  7. Colorado No Call List ActC.R.S. § 6-1-901 et seq.
  8. Oklahoma Telephone Solicitation Act (OTSA) — Okla. Stat. tit. 15 § 775A.1 et seq.; $500–$1,500 per violation; private right of action
  9. Wyoming No-Call Act — Wyo. Stat. § 40-12-301 et seq.
  10. Cellular number DNC presumptionSuttles v. Facebook, Inc., 461 F. Supp. 3d 479; Gallion v. Charter Communications Inc., 900 F.3d 458 (9th Cir. 2018); cellular numbers treated as residential absent strong contrary evidence
  11. STIR/SHAKEN authentication — FCC mandate effective June 2021; 47 CFR Part 64 Subpart AA; carrier-level call authentication and attestation