TCPA Compliance Remediation Guide

[COMPANY NAME]: You have been unsubscribed and will not receive any more marketing messages from us. Reply HELP for help or contact [EMAIL/PHONE].

[COMPANY NAME] Alerts: For help, contact [EMAIL] or call [PHONE]. Msg & data rates may apply. Msg frequency varies. Reply STOP to cancel.

SUPPRESSION LIST ARCHITECTURE 1. CENTRAL SUPPRESSION DATABASE - Phone number (E.164 format) - Opt-out timestamp - Opt-out source (SMS reply, email, phone call, web form) - Opt-out scope (all marketing, specific campaign, specific sender) 2. INTEGRATION POINTS - SMS platform (Twilio, etc.) - webhook on STOP - Email system - unsubscribe sync - CRM - phone DNC field - Dialer - real-time suppression check - Marketing automation - list exclusion 3. SYNC FREQUENCY - Real-time preferred - Maximum: 15 minutes for inbound STOP - All campaigns must check before send 4. CROSS-PLATFORM FLOW User texts STOP -> SMS platform receives -> Webhook to suppression API -> Updates central database -> Syncs to all platforms -> Prevents future contact via any channel

OPT-OUT RECORD SCHEMA { "optout_id": "uuid-opt-12345", "phone_number": "+14155551234", "optout_timestamp_utc": "2024-03-15T10:23:45Z", "processed_timestamp_utc": "2024-03-15T10:23:46Z", "source_channel": "sms_reply", "source_keyword": "STOP", "source_message_full": "Please stop texting me", "sending_number": "+18005551234", "campaign_id": "camp-789", "scope": "all_marketing", "confirmation_sent": true, "confirmation_timestamp": "2024-03-15T10:23:47Z", "platforms_synced": ["twilio", "hubspot", "dialpad"], "sync_completed_timestamp": "2024-03-15T10:24:01Z" }

[COMPANY NAME] INTERNAL DO-NOT-CALL POLICY Effective Date: [DATE] Last Updated: [DATE] Policy Owner: [NAME/TITLE] 1. PURPOSE This policy establishes [COMPANY NAME]'s procedures for maintaining and honoring our internal do-not-call ("DNC") list in compliance with the Telephone Consumer Protection Act (47 U.S.C. 227) and FCC regulations (47 C.F.R. 64.1200). 2. SCOPE This policy applies to: - All employees who make or authorize telephone calls or text messages - All vendors, contractors, and partners who make calls/texts on our behalf - All telephone numbers (landline and mobile) of consumers who request not to be called 3. DO-NOT-CALL LIST MANAGEMENT 3.1 Maintenance - The internal DNC list shall be maintained in [SYSTEM NAME] - The list shall be updated within 24 hours of receiving any DNC request - The list shall be retained for a minimum of five (5) years 3.2 Sources of DNC Requests DNC requests may come from: - Verbal request during phone call - STOP reply to text message - Written request (email, letter, web form) - Consumer's statement "take me off your list" or similar 3.3 Recording Requirements For each DNC entry, record: - Phone number (E.164 format) - Date and time of request - Source of request (call, text, email, etc.) - Employee who received request - Any relevant notes 4. HONORING DNC REQUESTS 4.1 Immediate Action Upon receiving a DNC request: - Add number to internal DNC list immediately - Confirm addition to consumer (if contact channel allows) - Notify relevant teams/systems 4.2 Scrubbing Requirements - All calling/texting lists must be scrubbed against internal DNC before each campaign - Scrubbing must occur no more than [24/48] hours before calling - Document each scrub with date, time, list source, and numbers removed 5. NATIONAL DNC COMPLIANCE 5.1 Registration [COMPANY NAME] is registered with the National Do-Not-Call Registry Account Number: [NUMBER] Areas of Coverage: [AREA CODES/STATES] 5.2 Access and Scrubbing - Download updated National DNC data at least every 31 days - Scrub all telemarketing lists against National DNC before calling - Document each National DNC scrub 5.3 Exemptions The following calls are exempt from National DNC requirements: - Calls to consumers with whom we have an established business relationship (within 18 months of purchase or 3 months of inquiry) - Calls to consumers who have given prior express written consent - Calls that are not telemarketing (e.g., purely informational) 6. TRAINING REQUIREMENTS 6.1 Initial Training All employees involved in telemarketing must complete DNC compliance training before making calls. Training covers: - TCPA requirements - Internal DNC procedures - How to handle DNC requests - Consequences of violations 6.2 Ongoing Training - Annual refresher training required - Training upon any policy updates - Training records maintained for 3 years 7. VENDOR REQUIREMENTS All vendors making calls on our behalf must: - Maintain their own internal DNC procedures - Scrub against our internal DNC list before calling - Provide proof of National DNC compliance - Report all DNC requests received to us within 24 hours - Comply with this policy as a condition of their contract 8. ENFORCEMENT 8.1 Violations Violations of this policy may result in: - Disciplinary action up to termination - Vendor contract termination - Personal liability for willful violations 8.2 Reporting Report suspected violations to [COMPLIANCE OFFICER] immediately. 9. RECORDKEEPING Maintain records for five (5) years: - Internal DNC list with all entries - DNC request documentation - Scrub logs - Training records - Vendor compliance documentation 10. POLICY REVIEW This policy shall be reviewed annually and updated as needed to reflect changes in law or business practices. Approved by: _________________________ Date: _______ [NAME, TITLE]

DO-NOT-CALL REQUEST LOG Entry Date: [DATE] Entry Time: [TIME] Entered By: [EMPLOYEE NAME] CONSUMER INFORMATION Phone Number: [XXX-XXX-XXXX] Consumer Name (if known): [NAME] Original Source: [Lead list / Customer / Inquiry] REQUEST DETAILS Request Date: [DATE] Request Time: [TIME] Request Method: [ ] Verbal during call [ ] STOP text reply [ ] Email [ ] Web form [ ] Written letter [ ] Other: _________ Exact Words Used (if verbal): "[QUOTE]" Employee Who Received: [NAME] Campaign/Number Called From: [CAMPAIGN ID / PHONE NUMBER] PROCESSING Added to Internal DNC: [ ] Yes [ ] No If No, Reason: _________ Confirmation Sent: [ ] Yes [ ] No [ ] N/A Platforms Updated: [LIST] Vendor Notified: [ ] Yes [ ] No [ ] N/A NOTES [Additional relevant information]

DNC SCRUB LOG Scrub Date: [DATE] Scrub Time: [TIME] Performed By: [NAME] CAMPAIGN INFORMATION Campaign Name: [NAME] Campaign ID: [ID] Scheduled Start: [DATE/TIME] LIST DETAILS List Source: [VENDOR/INTERNAL/LEAD GEN] Total Numbers Before Scrub: [NUMBER] SCRUB RESULTS Internal DNC Matches: [NUMBER] removed National DNC Matches: [NUMBER] removed State DNC Matches: [NUMBER] removed (if applicable) Total Numbers After Scrub: [NUMBER] VERIFICATION National DNC Data Date: [DATE] Internal DNC Data Date: [DATE] Scrub Completed By: _____________ Date: _______ Verified By: _____________ Date: _______

TCPA COMPLIANCE ADDENDUM This TCPA Compliance Addendum ("Addendum") is incorporated into and made part of the [AGREEMENT NAME] dated [DATE] (the "Agreement") between [COMPANY NAME] ("Company") and [VENDOR NAME] ("Vendor"). 1. TCPA COMPLIANCE 1.1 General Compliance. Vendor shall comply with all applicable provisions of the Telephone Consumer Protection Act, 47 U.S.C. 227, and its implementing regulations at 47 C.F.R. 64.1200, as well as all applicable state telemarketing laws (collectively, "Telemarketing Laws"). 1.2 Consent Requirements. Vendor shall not make any call or send any text message on behalf of Company unless: (a) The call or text is made with valid prior express written consent that meets TCPA requirements; or (b) The call or text falls within a recognized exemption under applicable Telemarketing Laws. 1.3 Do-Not-Call Compliance. Vendor shall: (a) Maintain an internal do-not-call list and honor all opt-out requests within 24 hours; (b) Scrub all calling lists against Company's internal DNC list before each campaign; (c) Comply with National Do-Not-Call Registry requirements; (d) Report all opt-out requests to Company within 24 hours. 1.4 Technology Restrictions. Vendor shall not use any automatic telephone dialing system (ATDS), prerecorded or artificial voice message, or automated text messaging system except as expressly authorized by Company and permitted by law. 1.5 Calling Hours. Vendor shall not make telemarketing calls before 8:00 a.m. or after 9:00 p.m. in the called party's time zone. 2. LEAD PROVENANCE 2.1 Lead Source Documentation. For any leads provided by Vendor: (a) Vendor shall maintain records of the source of each lead; (b) Vendor shall provide proof of consent upon Company's request; (c) Consent must be obtained directly by Vendor or by a party from whom Vendor has documentation of consent capture. 2.2 Lead Age. Leads provided to Company shall be no more than [90] days old from date of consent, unless otherwise agreed in writing. 2.3 Consent Chain. Vendor represents that for each lead: (a) Consent was obtained through a clear and conspicuous disclosure; (b) The consumer affirmatively agreed to receive calls/texts from Company (by name or as a clearly identified marketing partner); (c) Vendor can produce documentation of consent upon 48 hours' notice. 3. REPRESENTATIONS AND WARRANTIES Vendor represents and warrants that: 3.1 Vendor has implemented written policies and procedures to ensure compliance with Telemarketing Laws; 3.2 Vendor trains all personnel involved in telemarketing on TCPA compliance requirements; 3.3 Vendor maintains complete and accurate records of all calls/texts made on Company's behalf, including consent documentation, for at least five (5) years; 3.4 Vendor has not been found liable for, and has no pending claims alleging, violations of Telemarketing Laws in the past [3] years; 3.5 All subcontractors used by Vendor are bound by equivalent compliance obligations. 4. AUDIT RIGHTS 4.1 Company's Right to Audit. Company may, upon reasonable notice, audit Vendor's TCPA compliance, including: (a) Review of consent documentation and lead sources; (b) Inspection of calling/texting records; (c) Review of policies, procedures, and training materials; (d) Interviews with Vendor personnel. 4.2 Cooperation. Vendor shall cooperate fully with any audit and provide requested documentation within [5] business days. 4.3 Cost. Each party bears its own audit costs unless the audit reveals material non-compliance, in which case Vendor shall reimburse Company's reasonable audit costs. 5. INDEMNIFICATION Vendor shall defend, indemnify, and hold harmless Company, its officers, directors, employees, and agents from and against any and all claims, damages, losses, costs, and expenses (including reasonable attorney fees) arising from or related to: (a) Any violation of Telemarketing Laws by Vendor or its subcontractors; (b) Any call or text made without valid consent; (c) Any breach of Vendor's representations, warranties, or obligations under this Addendum. 6. INSURANCE Vendor shall maintain: (a) Commercial general liability insurance with limits of at least $[1,000,000] per occurrence; (b) Errors and omissions / professional liability insurance with limits of at least $[1,000,000] per occurrence; (c) Such policies shall name Company as an additional insured. 7. TERMINATION Company may terminate the Agreement immediately upon written notice if: (a) Vendor breaches any provision of this Addendum; (b) Any claim alleging TCPA violation is filed against Company relating to Vendor's activities; (c) Vendor fails to promptly cure any compliance deficiency identified by Company. 8. SURVIVAL The provisions of this Addendum regarding indemnification, audit rights, and recordkeeping shall survive termination of the Agreement. IN WITNESS WHEREOF, the parties have executed this Addendum as of [DATE]. COMPANY: VENDOR: [COMPANY NAME] [VENDOR NAME] By: _____________ By: _____________ Name: Name: Title: Title: Date: Date:

LEAD PROVENANCE CHECKLIST For each lead batch received, verify: [ ] Lead source identified (website URL, form name, campaign) [ ] Consent language provided (exact text shown to consumer) [ ] Consent capture method documented (checkbox, click, signature) [ ] Timestamp format specified and verified [ ] Your company name appears in consent disclosure [ ] Lead age within acceptable range (consent date to delivery) [ ] IP address / device data available for random sample [ ] No evidence of incentivized consent (e.g., "consent to enter sweepstakes") [ ] Not derived from purchased lists without consent chain [ ] Vendor can produce original consent record within 48 hours SAMPLE TESTING Select [5-10] random leads and request: [ ] Full consent record with timestamp [ ] Screenshot or archive of consent page [ ] Confirmation phone number matches consent record [ ] Lead source page is still live and compliant RESULTS Pass: [ ] Proceed with campaign Fail: [ ] Reject lead batch, document issues Conditional: [ ] Require remediation before use

TCPA QUARTERLY COMPLIANCE REVIEW Quarter: Q[1/2/3/4] [YEAR] Review Date: [DATE] Reviewer: [NAME] Approved By: [NAME] ==================================== SECTION 1: CONSENT MANAGEMENT ==================================== [ ] Review consent capture forms for current compliance Notes: _________________________________ [ ] Verify consent language matches current FCC requirements Notes: _________________________________ [ ] Sample test 10 recent consent records for completeness - Records tested: [LIST IDs] - Issues found: [ ] None [ ] See notes Notes: _________________________________ [ ] Confirm consent records are being retained properly - Storage location: _________________________________ - Retention period configured: [ ] Yes [ ] No Notes: _________________________________ ==================================== SECTION 2: OPT-OUT PROCESSING ==================================== [ ] Test STOP keyword functionality - Test date: [DATE] - Response time: [SECONDS] - Confirmation received: [ ] Yes [ ] No Notes: _________________________________ [ ] Verify opt-out sync across all platforms - Platforms checked: _________________________________ - Sync delay: _________________________________ Notes: _________________________________ [ ] Review opt-out log for processing time compliance - Sample size: [NUMBER] - Average processing time: _________________________________ - Any over 24 hours: [ ] Yes [ ] No Notes: _________________________________ [ ] Confirm opt-out requests from other channels are being processed - Email requests: [ ] Yes [ ] N/A - Phone requests: [ ] Yes [ ] N/A - Web form requests: [ ] Yes [ ] N/A Notes: _________________________________ ==================================== SECTION 3: DO-NOT-CALL COMPLIANCE ==================================== [ ] Verify National DNC data is current - Last download date: [DATE] - Download frequency: [ ] Monthly [ ] Other: _____ Notes: _________________________________ [ ] Review DNC scrub logs for past quarter - Number of campaigns: [NUMBER] - All properly scrubbed: [ ] Yes [ ] No Notes: _________________________________ [ ] Verify internal DNC list is being maintained - Total entries: [NUMBER] - New entries this quarter: [NUMBER] Notes: _________________________________ [ ] Check for any calls to DNC numbers (complaint review) - Complaints received: [NUMBER] - Root cause analysis completed: [ ] Yes [ ] N/A Notes: _________________________________ ==================================== SECTION 4: VENDOR COMPLIANCE ==================================== [ ] Review vendor compliance certifications - Vendors reviewed: _________________________________ - All current: [ ] Yes [ ] No Notes: _________________________________ [ ] Conduct sample audit of vendor consent records - Vendor: _________________________________ - Sample size: [NUMBER] - Issues found: [ ] None [ ] See notes Notes: _________________________________ [ ] Review vendor-reported opt-outs - Number reported: [NUMBER] - All processed timely: [ ] Yes [ ] No Notes: _________________________________ [ ] Verify vendor contracts include TCPA addendum - New vendors this quarter: [NUMBER] - All have addendum: [ ] Yes [ ] No Notes: _________________________________ ==================================== SECTION 5: TRAINING & DOCUMENTATION ==================================== [ ] Verify all telemarketing staff have current training - Staff count: [NUMBER] - Training current: [ ] All [ ] [NUMBER] need refresh Notes: _________________________________ [ ] Review and update TCPA policies if needed - Policy current: [ ] Yes [ ] Updates needed - Last update: [DATE] Notes: _________________________________ [ ] Ensure compliance documentation is organized and accessible - Location: _________________________________ - Backup exists: [ ] Yes [ ] No Notes: _________________________________ ==================================== SECTION 6: COMPLAINT & CLAIM REVIEW ==================================== [ ] Review TCPA complaints received this quarter - Total complaints: [NUMBER] - Demand letters: [NUMBER] - Lawsuits: [NUMBER] Notes: _________________________________ [ ] Analyze complaint patterns - Common issues: _________________________________ - Remediation actions: _________________________________ Notes: _________________________________ [ ] Review any settlements or judgments - Number: [NUMBER] - Total cost: $[AMOUNT] - Lessons learned: _________________________________ Notes: _________________________________ ==================================== OVERALL ASSESSMENT ==================================== Compliance Status: [ ] Good [ ] Needs Improvement [ ] Critical Issues Priority Action Items: 1. _________________________________ 2. _________________________________ 3. _________________________________ Next Review Date: [DATE] Signatures: Reviewer: _________________________ Date: _______ Compliance Officer: _________________________ Date: _______ Executive Approval: _________________________ Date: _______

CONSENT RECORD SAMPLE TESTING PROCEDURE Purpose: Verify consent records are complete and compliant Frequency: Monthly (minimum 10 records) or Quarterly (minimum 25 records) SELECTION METHOD - Use random number generator to select record IDs - Include records from different sources (web, vendor, phone) - Include records from different time periods FOR EACH RECORD, VERIFY: 1. COMPLETENESS [ ] Phone number present and valid format [ ] Timestamp present and reasonable [ ] IP address present (for web submissions) [ ] Source/form identified [ ] Consent text version recorded 2. CONSENT LANGUAGE COMPLIANCE [ ] Caller/company identified [ ] ATDS/prerecorded disclosure present [ ] "Not required for purchase" statement present [ ] Opt-out instructions provided 3. CONSENT MECHANISM [ ] Affirmative action required (not pre-checked) [ ] Separate from other consents [ ] Clear and conspicuous placement 4. SUPPORTING DOCUMENTATION [ ] Can retrieve original consent page/form [ ] Consent text matches current version records [ ] If vendor lead, provenance documentation available SCORING Pass: All items verified Conditional Pass: Minor documentation gaps, correctable Fail: Missing consent, invalid consent language, or cannot verify DOCUMENTATION Record results in testing log: - Date tested - Record ID - Result (Pass/Conditional/Fail) - Issues found - Corrective action (if any)

OPT-OUT SYSTEM TESTING PROCEDURE Purpose: Verify opt-out processing works correctly end-to-end Frequency: Monthly TEST PREPARATION - Use designated test phone number - Ensure test number is NOT on suppression list before testing - Coordinate with platform teams TEST EXECUTION Test 1: STOP Keyword Response 1. Send text message containing "STOP" to campaign number 2. Record timestamp of send 3. Verify confirmation response received 4. Record timestamp of response 5. Calculate response time Target: < 30 seconds Maximum: < 60 seconds Test 2: Keyword Variations Repeat Test 1 with variations: - "stop" (lowercase) - "STOP " (trailing space) - "Stop please" - "CANCEL" - "UNSUBSCRIBE" - "END" - "QUIT" Test 3: Suppression Verification 1. After opt-out confirmation, wait 5 minutes 2. Attempt to add test number to new campaign 3. Verify system blocks the number 4. Check suppression list entry exists Test 4: Cross-Platform Sync 1. Verify opt-out appears in: [ ] SMS platform (e.g., Twilio) [ ] CRM system [ ] Marketing automation [ ] Dialer system 2. Record sync time for each platform Test 5: Resubscription Block 1. Attempt to re-add test number via web form 2. Verify system either: - Blocks submission, or - Requires explicit re-consent acknowledgment RESULTS DOCUMENTATION Test Date: [DATE] Tester: [NAME] | Test | Result | Response Time | Notes | |------|--------|---------------|-------| | STOP keyword | Pass/Fail | [X] sec | | | Variations | Pass/Fail | | | | Suppression | Pass/Fail | | | | Cross-platform | Pass/Fail | [X] min | | | Resub block | Pass/Fail | | | Issues Found: _________________________________ Corrective Actions: _________________________________