The 2025 TCPA Checklist: Compliant Cold Email and SMS for Sales Leaders

TCPA violations cost $500-$1,500 per incident. Learn six practical steps to build compliant campaigns: document consent, honor opt-outs in 10 days, maintain clean lists, follow ID rules, monitor weekly, and train your team.

Updated November 14, 2025

TL;DR: TCPA violations cost $500-$1,500 per incident. A single campaign to 1,000 contacts without consent can trigger fines up to $1.5 million. This checklist gives you six practical steps to build compliant campaigns: document consent, honor opt-outs in 10 days, maintain clean lists, follow ID rules, monitor weekly, and train your team. Instantly's compliance features (unlimited accounts, verified contacts, unified inbox, and automated health monitoring) help you scale safely while protecting your brand and deliverability.

Why compliance matters for your sales team's outreach

TCPA violations cost $500 per incident, rising to $1,500 for willful infractions. A single campaign to 1,000 contacts without proper consent can trigger $500,000 to $1.5 million in fines. Class-action lawsuits have resulted in settlements reaching hundreds of millions of dollars, permanently damaging company finances and brand trust.

Beyond fines, non-compliance destroys deliverability. When mailbox providers flag your domains for consent violations or spam complaints, your sender reputation collapses. Your team needs primary-inbox placement to hit pipeline targets, and regulators now enforce consent rules more aggressively than ever.

The FCC updated TCPA rules in 2024, tightening consent requirements. Sales leaders who treat compliance as an afterthought face reputational damage, customer backlash, and potential shutdowns of entire outreach operations.

Key compliance regulations at a glance

Here is a quick comparison of the four key regulations sales leaders must understand:

| Regulation | Scope | Consent Type | Opt-Out Requirement | Penalties |
| --- | --- | --- | --- | --- |
| TCPA | Automated SMS & calls to wireless numbers (U.S.) | Prior express written consent for marketing | Honor "STOP" immediately, process within 10 business days | $500-$1,500 per violation |
| CAN-SPAM | Commercial email (U.S.) | Opt-out basis (no prior consent required) | Process within 10 business days, visible unsubscribe link | Up to $53,088 per email |
| GDPR | EU residents' personal data | Explicit opt-in consent required | Honor data deletion and access requests | Up to 4% of global revenue or €20M |
| CCPA | California residents' personal data | No opt-in required, but must allow opt-out of data sales | Provide clear opt-out mechanism | $2,663-$7,988 per violation |

Understanding TCPA for SMS and automated calling

The Telephone Consumer Protection Act (TCPA), enacted in 1991 and enforced by the Federal Communications Commission, governs unsolicited marketing communications. The TCPA treats text messages similarly to calls, imposing strict requirements on businesses.

Prior express written consent is mandatory before sending marketing SMS using automated systems. Consent must be clear, unambiguous, and tied to a specific phone number and business name. It cannot be a condition of purchase. Recent FCC guidance clarifies that consent must be specific to one identified seller and that messages must be logically related to the interaction that prompted consent.

An Autodialer (Automatic Telephone Dialing System) is equipment that can store or produce phone numbers using a random or sequential number generator and dial them automatically. If you use any automated system to send SMS, assume TCPA applies and obtain prior written consent.

Before a consumer opts in, disclose:

Every SMS must include clear opt-out instructions. Common opt-out phrases like "STOP," "UNSUBSCRIBE," or "END" must be recognized and processed immediately. A single opt-out should revoke consent for all marketing messages from your company. Telemarketing messages are prohibited before 8 a.m. or after 9 p.m. in the recipient's local time zone.

Instantly makes this simple for you to do in just a few clicks. Read our help doc on how it's done.

Understanding email compliance: CAN-SPAM, GDPR, and CCPA

Commercial email operates under a different regulatory framework than SMS, but the principles of consent, transparency, and consumer control remain central.

CAN-SPAM Act essentials:

The CAN-SPAM Act of 2003 operates on an opt-out basis, meaning you can send commercial emails without prior consent if you follow the rules. However, adopting an opt-in approach is a best practice.

CAN-SPAM requires:

  • Accurate sender identification and truthful subject lines.
  • Clear indication the message is an advertisement.
  • Valid physical postal address.
  • Visible unsubscribe mechanism, processed within 10 business days.

Penalties reach $50,120 per individual email.

GDPR and CCPA:

The General Data Protection Regulation (GDPR) requires explicit opt-in consent for marketing emails to EU contacts. Consent must be freely given, specific, informed, and unambiguous. The California Consumer Privacy Act (CCPA) gives California residents rights over their personal information, including the right to delete data and opt out of its sale.

Instantly's Data Processing Agreement outlines how we handle data in compliance with GDPR and other privacy laws.

Your 2025 TCPA compliance checklist for cold outreach

This checklist provides a practical, step-by-step framework for sales leaders to ensure compliant cold email and SMS campaigns.

1. Document consent

  • For SMS: Explicit prior written consent is critical. Use online forms with unchecked checkboxes that clearly state the consumer agrees to receive automated marketing messages. Digital signatures, such as a checkbox coupled with a submit button, are acceptable. Implement a keyword system where consumers text a specific word (e.g., "JOIN") to a short code, followed by a confirmation message.
  • For email: While CAN-SPAM operates on an opt-out basis, adopt an opt-in approach when possible. Clearly explain what recipients are subscribing to and provide links to your privacy policy and terms of service.
  • Consent management system: Maintain comprehensive records of all consent obtained, including the method of consent, the date and time, the specific language presented, and the phone number or email address. Legal experts recommend retaining consent records for a minimum of four years.

2. Implement clear and easy opt-out processes

  • SMS: Honor "STOP" keywords immediately and cease all communication. Send a one-time confirmation text acknowledging the opt-out, containing no promotional content.
  • Email: Include a visible unsubscribe link in every commercial email. Process opt-out requests within 10 business days. Once a recipient opts out, send no further commercial emails.
  • Maintain Do Not Contact lists: Keep updated internal "Do Not Email" and "Do Not Text" lists. Regularly scrub your contact lists against national Do Not Call registries.

Instantly gives you a whole range of options when creating campaigns, including adding an unsubscribe option.

3. Maintain accurate contact data and list hygiene

  • Verified contacts: Use tools that provide access to verified B2B leads with multiple enrichment providers. Verified data reduces the risk of sending to invalid addresses, which protects your sender reputation and ensures compliance.
  • Regular list cleaning: Remove bounces, unsubscribes, and DNC numbers weekly. Email list hygiene keeps your outreach in the primary inbox. Instantly's automated bounce detection and health monitoring help you maintain clean lists at scale.
  • Third-party data due diligence: If using purchased lists, rigorously vet data providers to ensure they obtained consent legally and can provide proof. Relying on broad, bundled consent from lead generators is a significant risk due to recent FCC rules. Directly obtaining consent from contacts is always the safest approach.

4. Adhere to identification and content rules

  • Sender identity: Ensure your business name is clear, accurate, and not deceptive in every message. For SMS, the initial message should clearly state its purpose and your company's identity. For email, use truthful and non-deceptive subject lines that accurately reflect the email's content.
  • Message content: Keep it non-deceptive, relevant, and avoid misleading claims. For SMS, disclose estimated message frequency and "Msg & data rates may apply." Provide links to your terms and conditions and privacy policy. For email, clearly state that the message is an advertisement or solicitation and include a valid physical postal address.

5. Monitor and audit campaigns regularly

  • Track opt-outs: Monitor unsubscribe rates and spam complaint rates weekly. Aim for inbox placement above 80-85%, hard bounces below 2%, and spam complaints under 0.3%.
  • Review message content: Regularly check for risky language or non-compliant practices. Conduct periodic audits of consent records, opt-out processing times, and list hygiene practices quarterly.

6. Train your sales team on compliance protocols

  • Standardize processes: Implement clear guidelines for all outreach. Provide ongoing training on TCPA, CAN-SPAM, GDPR, and CCPA requirements.
  • Educate on consequences: Ensure the team understands the risks of non-compliance, including personal liability in some TCPA cases. Instantly's Help Center and tutorial videos help ramp new team members quickly on compliant campaign setup.
  • Prevent rogue behavior: Use admin controls to prevent individual reps from bypassing compliance workflows.

How Instantly supports your compliance efforts

Instantly combines deliverability, data, automation, and AI to help you scale cold outreach while staying compliant.

Unlimited accounts and warmup for risk distribution:

Unlimited email accounts on all plans let you distribute sending volume across multiple domains and inboxes, reducing the risk of any single domain being flagged. Our built-in warmup gradually increases send volume while engagement signals build trust with mailbox providers. According to company marketing, Instantly's deliverability network includes over 4.2M accounts underpinning this system.

Verified leads and consent clarity:

SuperSearch provides access to what Instantly markets as 450M+ verified B2B contacts with waterfall enrichment across 5+ providers. Verified data reduces the risk of bad contacts, invalid emails, and potential consent issues. Higher engagement signals to mailbox providers that your messages are wanted, protecting sender reputation.

Unified inbox for reply management:

Unibox centralizes replies from all your inboxes and campaigns in one interface. This streamlines the processing of opt-out requests and ensures timely compliance with the 10-business-day rule. Our AI Reply Agent can help handle lead replies, freeing your team to focus on live conversations while automated workflows ensure opt-outs are honored immediately.

Admin controls and automated health monitoring:

Instantly's team workspaces and admin controls provide visibility into every campaign, send event, and reply. Our Inbox Placement tests provide real-time feedback on where your emails land (primary inbox, promotions tab, or spam), so you can fix issues before they escalate. Instantly's AI Spam Checker identifies risky language before you send, and automated Rules & Alerts pause campaigns when placement or complaints exceed safe thresholds.

"Instantly makes their interface very easy to use... Good color combination as well makes the site easy to look at over long periods of time." - Landon O., Instantly user

Build a compliant, high-performing sales engine

TCPA, CAN-SPAM, GDPR, and CCPA compliance is not a barrier to growth. It is the foundation of sustainable, ethical outreach that protects your brand, pipeline, and bottom line. Implement this checklist step by step: document consent meticulously, honor opt-outs immediately, maintain clean contact lists, train your team on protocols, and monitor campaigns weekly.

Ready to build a compliant outreach system that scales? Try Instantly free and apply this checklist with unlimited accounts, built-in warmup, verified contacts, and automated health monitoring. Focus on booking meetings, not managing legal risk.

FAQs

What is the penalty for a single TCPA violation?
$500 per violation, rising to $1,500 if deemed willful or knowing. A single campaign to 1,000 contacts without consent can cost $500,000 to $1.5 million.

Do I need prior consent for cold emails under CAN-SPAM?
No, CAN-SPAM operates on an opt-out basis, but you must provide a clear unsubscribe mechanism and process requests within 10 days. Opt-in consent is a best practice.

Does providing my phone number to a business constitute TCPA consent?
No, not for marketing SMS sent using an autodialer. You must give explicit prior written consent for automated marketing texts. For informational messages from HIPAA-covered entities, providing your number may constitute consent, but this is a narrow exception.

Can I use purchased lists for SMS marketing?
Only if the vendor provides irrefutable proof of TCPA-compliant, prior express written consent specifically naming your business. This is rare and risky. Direct consent is safer.

How long should I retain consent records?
Legal experts typically recommend at least four to five years after the last time the consent was relied upon, aligning with civil penalty statutes of limitations.

Key terms glossary

TCPA (Telephone Consumer Protection Act): Federal law enacted in 1991 governing unsolicited calls and texts, requiring prior express written consent for automated marketing messages to wireless numbers.

CAN-SPAM Act: U.S. law regulating commercial email, requiring accurate sender identification, clear opt-out mechanisms, and truthful subject lines. Penalties reach $50,120 per email.

Prior Express Written Consent (PEWC): TCPA standard requiring consumers to provide clear, unambiguous agreement in writing to receive automated marketing messages from a specific business.

Autodialer (ATDS): Equipment that stores or produces phone numbers using a random or sequential generator and dials them automatically. Triggers TCPA consent requirements.

GDPR (General Data Protection Regulation): EU privacy law requiring explicit opt-in consent for marketing emails, data subject rights, and stringent data protection measures.

CCPA (California Consumer Privacy Act): California law granting residents rights over personal data, including the right to know, delete, and opt out of data sales.

Sender Reputation: Score assigned by mailbox providers based on authentication, engagement, bounces, spam complaints, and consent practices. Determines primary-inbox placement or spam filtering.

List Hygiene: Process of regularly cleaning contact lists by removing bounces, duplicates, invalid addresses, and opted-out contacts to maintain high deliverability.