DNC & Opt-Out Violations Guide | TCPA Defense

National Do-Not-Call Registry

Key Statute: The National Do-Not-Call Registry is administered by the FTC under 16 CFR 310.4(b)(1)(iii) and enforced under the TCPA via 47 CFR 64.1200. Calling a number on the registry without exemption triggers $500-$1,500 per call liability.

Safe Harbor Requirements

The FCC provides a "safe harbor" defense for companies that can demonstrate they took reasonable steps to avoid calling registered numbers. To qualify:

Written DNC Policy: Maintain a written policy for DNC compliance available to personnel
Training: Personnel engaged in outbound calls must be trained on DNC procedures
Scrubbing: Access the National Registry and scrub calling lists against it
Recordkeeping: Maintain records of DNC compliance efforts for at least 5 years
Process for Errors: Have a documented process for handling violations when they occur

31-Day Scrubbing Requirement

Critical Timing: You must scrub your calling lists against the National Registry no more than 31 days before initiating a call. Scrubbing performed more than 31 days prior does NOT provide safe harbor protection.

Scrubbing Best Practices

Frequency	Risk Level	Recommendation
Daily	Lowest	Ideal for high-volume callers; strongest safe harbor position
Weekly	Low	Acceptable for moderate volume; document scrub dates
Monthly (within 31 days)	Moderate	Minimum compliance; risk increases as you approach day 31
Less than Monthly	High	NO safe harbor protection; exposed to full liability

Established Business Relationship (EBR) Exemption

The EBR exemption allows calls to registered numbers if you have an existing business relationship:

Transaction-Based EBR

Duration: 18 months from last purchase, delivery, or payment
Proof Required: Transaction records with timestamps
Scope: Only the entity that conducted the transaction

Inquiry-Based EBR

Duration: 3 months from inquiry or application
Proof Required: Lead form, inquiry record, application submission
Scope: Only the entity that received the inquiry

EBR Does NOT Override Opt-Out: Even with a valid EBR, if the consumer has requested not to be called (internal DNC), you CANNOT call them. The EBR exemption only applies to the National Registry, not to internal opt-out requests.

Accessing the National Registry

To scrub your lists against the National DNC Registry:

Register: Create an account at telemarketing.donotcall.gov
Pay Access Fee: Fees based on area codes accessed (starts at ~$70/area code)
Download Data: Download registry data for your calling areas
Scrub Lists: Compare your calling list against registry data
Document: Keep records of scrub dates, area codes, and results

Vendor Scrubbing: Many dialer platforms and lead vendors offer automatic DNC scrubbing. If using a vendor, ensure you have documentation of their scrubbing procedures and timing to support your safe harbor defense.

Internal Do-Not-Call List Requirements

TCPA Requirement: Under 47 CFR 64.1200(d), any person or entity making telephone solicitations must maintain a company-specific "do not call" list of persons who have requested not to receive calls from that specific caller.

Core Internal DNC Requirements

Maintain the List: Keep a current list of persons who have requested not to be called
Honor Requests Indefinitely: Unlike the 5-year expiration on the National Registry, internal DNC requests have NO expiration
Apply Across Campaigns: Internal DNC must be honored across ALL calling campaigns, not just the one the consumer complained about
Train Personnel: All agents must know how to record and honor DNC requests
Implement Within Reasonable Time: FCC expects implementation within a "reasonable time" (generally interpreted as 24-72 hours)

Reasonable Processing Time

The TCPA requires honoring internal DNC requests within a "reasonable time." Courts and the FCC have provided guidance:

Timeframe	Assessment	Notes
Same day (24 hours)	Best practice	Demonstrates good faith; strongest defense
1-3 business days	Generally reasonable	Acceptable for most businesses
5-10 business days	May be reasonable	Must justify with system limitations
10+ business days	Likely unreasonable	Difficult to defend; invites willfulness finding

Each Call Counts: If you call someone after they've requested to be placed on your internal DNC, EVERY subsequent call is a separate violation at $500-$1,500 each. High-frequency dialers can accumulate massive exposure quickly.

Cross-Platform Synchronization

Modern businesses often use multiple platforms for outreach. Internal DNC must be synchronized across ALL platforms:

Common Sync Failures

Dialer vs. CRM: Customer says "stop" to agent; added to CRM but not dialer suppression
SMS vs. Voice: Customer opts out of texts; still receives voice calls
Multiple Dialers: Using different vendors for different campaigns; DNC not shared
Acquired Lists: Purchasing new leads without checking against internal DNC
Vendor Handoffs: Outsourcing to third-party call center without sharing DNC list

Synchronization Best Practices

Internal DNC Sync Checklist

[ ] Single source of truth database for all DNC entries
[ ] Real-time API sync between CRM and dialer platforms
[ ] Daily batch export/import if real-time not available
[ ] Voice and SMS suppression lists unified
[ ] All vendors receive updated DNC list before each campaign
[ ] Audit log tracking when numbers added and to which systems
[ ] Quarterly reconciliation between all platforms
[ ] New lead purchases scrubbed against internal DNC before loading

Recording DNC Requests

Document every internal DNC request with:

Phone Number: The number that requested DNC status
Date/Time: When the request was received
Channel: How the request was received (phone, email, SMS, web form)
Agent/System: Who or what received the request
Confirmation: What confirmation was provided to the consumer
Propagation: When the request was synced to all systems

Retention Period: Keep internal DNC records indefinitely, or at minimum 5 years. These records are your primary defense against "I asked to be removed" claims.

Opt-Out and STOP Mechanics

SMS Opt-Out Standard: Under CTIA guidelines and TCPA requirements, consumers must be able to opt out of SMS messages by replying "STOP" (or similar keywords), and the opt-out must be processed immediately and automatically.

SMS STOP Keyword Handling

Required Keywords

Your SMS platform must recognize and honor these standard opt-out keywords:

Keyword	Requirement	Response
STOP	Mandatory	Confirm opt-out, cease all messages
UNSUBSCRIBE	Mandatory	Confirm opt-out, cease all messages
CANCEL	Recommended	Confirm opt-out, cease all messages
END	Recommended	Confirm opt-out, cease all messages
QUIT	Recommended	Confirm opt-out, cease all messages

Fuzzy Matching: Best practice is to recognize variations like "STOP!", "Stop please", "stop all", "STOPP" (typos). Courts have found liability where obvious opt-out intent was ignored due to technical formatting requirements.

Opt-Out Confirmation Requirements

After receiving an opt-out, you must:

Send ONE Confirmation Message: A single message confirming the opt-out is permitted (and recommended)
Cease All Further Messages: No marketing, no "we miss you," no surveys after the confirmation
Process Immediately: Opt-out should be effective within seconds for SMS, not days

Compliant STOP Confirmation Message:

[Company]: You've been unsubscribed and will no longer receive messages from us. Reply HELP for help. Msg&Data rates may apply.

Suppression Propagation

Opt-outs must propagate across your entire messaging ecosystem:

Propagation Requirements

All Short Codes: If you use multiple short codes, opt-out from one should apply to all
All 10DLC Numbers: Opt-out applies to all your registered 10DLC numbers
All Campaigns: Opt-out from marketing applies to all marketing campaigns (not just one)
All Vendors: If using multiple SMS vendors, opt-outs must sync between them
Voice Calls: Consider whether SMS opt-out should also suppress voice calls

Transactional Exception: True transactional messages (order confirmations, appointment reminders, security alerts) may continue after marketing opt-out IF they are purely informational. However, any promotional content in a "transactional" message after opt-out creates liability.

Repeat-Contact Liability

Contacting someone after they've opted out creates severe exposure:

Contacts After Opt-Out	Liability Assessment	Willfulness Risk
1 contact	$500-$1,500	May claim processing delay
2-5 contacts	$1,000-$7,500	Increasing willfulness inference
5+ contacts	$2,500-$7,500+	Strong willfulness presumption
Pattern across consumers	Class action exposure	Systemic failure = punitive

Voice Opt-Out Handling

For voice calls, opt-outs are typically verbal and require agent training:

What Constitutes an Opt-Out

"Take me off your list"
"Don't call me again"
"Remove my number"
"Stop calling me"
"I don't want any more calls"
Pressing a DTMF option to opt-out (if offered)

Agent Training Requirements

Agent Opt-Out Script:

When a consumer requests to be removed from calling list, agent should:
1. Acknowledge the request: "I understand. I will remove your number from our calling list."
2. Confirm the number: "Just to confirm, I'm removing [phone number], correct?"
3. Provide timeframe: "This will be processed within 24 hours."
4. Document in CRM: Add note with date, time, and reason for DNC request
5. Add to suppression: Submit to internal DNC list immediately after call

Common DNC and Opt-Out Failures

Why This Matters: Understanding common failure points helps you identify vulnerabilities in your current processes AND provides context for defending past violations. Many failures result from systemic issues, not intentional misconduct.

Vendor List Not Synced

The Problem

Using multiple vendors (dialer, SMS platform, lead provider) without synchronizing suppression lists between them.

How It Happens

Primary dialer has DNC list; secondary vendor doesn't receive updates
Marketing team uses different platform than sales team
New vendor onboarded without receiving historical DNC data
Vendor merger/acquisition loses suppression data
API integration fails silently; no monitoring in place

Defense Considerations

Mitigating Factor: If you can show you had processes in place and a specific vendor failure caused the gap, this may reduce willfulness finding. Document your sync procedures and investigate vendor's failure.

STOP Processed Late

The Problem

Consumer sends "STOP" but receives additional messages before it takes effect.

How It Happens

Batch processing: STOP collected hourly/daily instead of real-time
Queue delay: Messages already queued when STOP received
Timezone issues: STOP at 11:59 PM, next message scheduled for 12:01 AM
Platform lag: SMS gateway delays pushing opt-out to suppression
Manual processing: Human review required before adding to DNC

Defense Considerations

Limited Defense: Courts expect near-instantaneous STOP processing for SMS. One message in queue may be defensible; multiple messages or hours of delay is difficult to justify. Document exact processing times and any technical limitations.

Reassigned Numbers

The Problem

Phone number was reassigned from your consenting customer to a new person who never consented.

How It Happens

Customer cancels phone service; carrier reassigns number within 90 days
Your consent record shows valid consent for the OLD owner
New owner receives your calls/texts without ever opting in
Average number reassignment: 37 million per year in the US

Post-2021 FCC Framework

One Free Call Rule: Under the FCC's 2021 order, callers get ONE call after reassignment before liability attaches. After that, each subsequent contact is a violation. Use the Reassigned Numbers Database (RND) to check for reassignments.

Defense Considerations

Check RND: Subscribe to FCC's Reassigned Numbers Database and document checks
Monitor Responses: "Wrong number" or "Who is this?" should trigger suppression
Consent Age: Fresh consent (under 90 days) has lower reassignment risk
Good Faith: Document your processes for identifying reassigned numbers

EBR Miscalculation

The Problem

Claiming Established Business Relationship exemption when it has expired or doesn't apply.

Common Errors

Error	Reality
Counting from sign-up date	Must count from last transaction/payment
Affiliate EBR claims	EBR is entity-specific; affiliates don't inherit
Inquiry EBR beyond 3 months	Inquiry EBR expires at 3 months, not 18
Using EBR after opt-out	EBR doesn't override internal DNC request

Oral Opt-Out Not Recorded

The Problem

Consumer verbally requested DNC during a call, but agent didn't record it or it wasn't processed.

How It Happens

Agent distracted; didn't hear or process request
No CRM field or workflow for capturing verbal DNC
Agent assumed request was for "this campaign" only
Call dropped before agent could document
Consumer said "don't call back" during voicemail; not monitored

Defense Considerations

Call Recording Is Key: If you have call recordings, review them. If the consumer didn't actually request DNC, the recording is your best defense. If they did request DNC and it wasn't honored, prepare for settlement.

Cross-Channel Opt-Out Gaps

The Problem

Consumer opts out of SMS but continues receiving voice calls (or vice versa).

How It Happens

SMS and voice platforms use separate suppression lists
Different teams manage different channels
Consumer assumes "STOP" means all contact; business interprets as SMS-only
Legal ambiguity: Does SMS opt-out legally require voice suppression?

Best Practice

Unified Suppression: While technically a voice opt-out may not legally require SMS suppression (and vice versa), the safest approach is unified suppression across all channels. When in doubt, suppress everywhere.

Remediation Steps

Purpose: Whether you're responding to a demand letter or proactively fixing compliance gaps, this section provides templates and checklists for remediation. Strong remediation documentation can reduce willfulness findings and support settlement negotiations.

DNC Policy Template

[COMPANY NAME] DO-NOT-CALL POLICY Effective Date: [DATE] Last Updated: [DATE] 1. POLICY STATEMENT [Company Name] is committed to compliance with the Telephone Consumer Protection Act (TCPA), FCC regulations, and the FTC Telemarketing Sales Rule. This policy establishes our procedures for maintaining and honoring Do-Not-Call requests. 2. NATIONAL DO-NOT-CALL REGISTRY COMPLIANCE a) We subscribe to the National Do-Not-Call Registry and access it at: [telemarketing.donotcall.gov] b) Calling lists are scrubbed against the Registry every [X] days (not exceeding 31 days) c) Scrubbing is documented with date, time, area codes accessed, and results d) Registry data is retained for 5 years 3. INTERNAL DO-NOT-CALL LIST a) We maintain a company-specific do-not-call list b) Requests are processed within [24-72] hours of receipt c) Internal DNC requests have no expiration and are honored indefinitely d) Internal DNC is honored across ALL campaigns and platforms 4. PROCESSING OPT-OUT REQUESTS Opt-out requests can be received via: - Phone call to any agent - Reply "STOP" to any SMS message - Email to [optout@company.com] - Web form at [company.com/optout] 5. TRAINING All personnel involved in telephone solicitation receive: - Initial DNC training before making calls - Annual refresher training - Training on recognizing and recording opt-out requests - Access to this policy document 6. RECORDKEEPING We maintain records of: - All DNC requests with date, source, and phone number - Registry access dates and results - Training completion records - This policy and any amendments 7. ENFORCEMENT Violations of this policy will result in disciplinary action up to and including termination. 8. POLICY OWNER [Name/Title] is responsible for maintaining and updating this policy.

Training Checklist

DNC COMPLIANCE TRAINING CHECKLIST Employee Information: Name: _______________________ Start Date: _______________________ Training Date: _______________________ Trainer: _______________________ Module 1: Legal Overview [ ] TCPA basics and penalties ($500-$1,500 per violation) [ ] FTC Telemarketing Sales Rule requirements [ ] State-specific telemarketing laws (if applicable) [ ] Personal liability for agents (in extreme cases) Module 2: National Do-Not-Call Registry [ ] What is the National Registry [ ] EBR exemption and its limits [ ] 31-day scrubbing requirement [ ] How to check if a number is on the Registry Module 3: Internal DNC Procedures [ ] How to recognize a DNC request [ ] Verbal cues that indicate opt-out intent [ ] How to document a DNC request in CRM [ ] Processing timeline expectations [ ] Cross-channel suppression policy Module 4: SMS Opt-Out Handling [ ] STOP keyword recognition [ ] Confirmation message requirements [ ] What NOT to send after STOP [ ] Escalation for unusual requests Module 5: Script Compliance [ ] Required disclosures [ ] Prohibited statements [ ] Responding to "How did you get my number?" [ ] Responding to hostile consumers Acknowledgment: I have completed DNC compliance training and understand my obligations. Signature: _______________________ Date: _______________________

Audit Procedures

Quarterly DNC Audit Checklist

DNC COMPLIANCE QUARTERLY AUDIT Audit Period: [Q1/Q2/Q3/Q4] [YEAR] Audit Date: [DATE] Auditor: [NAME] 1. REGISTRY COMPLIANCE [ ] Verify active subscription to National DNC Registry [ ] Confirm scrub logs exist for all 31-day periods [ ] Sample 100 called numbers; verify none on Registry (without EBR) [ ] Document any violations found: _______ 2. INTERNAL DNC LIST [ ] Export current internal DNC list [ ] Count of numbers on list: _______ [ ] Verify list is applied to ALL active campaigns [ ] Sample 50 recent DNC requests; verify processing time [ ] Average processing time: _______ hours 3. PLATFORM SYNCHRONIZATION [ ] List all platforms in use: _______ [ ] Verify DNC sync between platforms [ ] Test: Add number to DNC on Platform A; verify appears on Platform B [ ] Time to sync: _______ (should be under 24 hours) 4. SMS OPT-OUT TESTING [ ] Test STOP keyword - processed correctly: Y/N [ ] Test UNSUBSCRIBE keyword - processed correctly: Y/N [ ] Confirmation message sent: Y/N [ ] No further messages after opt-out: Y/N 5. TRAINING RECORDS [ ] All current agents have completed training: Y/N [ ] Percentage trained: _______% [ ] Refresher training current (within 12 months): Y/N 6. POLICY REVIEW [ ] DNC policy document is current [ ] Policy is accessible to all staff [ ] Policy reflects actual current procedures 7. FINDINGS AND REMEDIATION Issues Identified: 1. _______________________ 2. _______________________ 3. _______________________ Remediation Steps: 1. _______________________ 2. _______________________ 3. _______________________ Audit Completed By: _______________________ Reviewed By: _______________________ Date: _______________________

Immediate Remediation After Demand Letter

If You've Received a Demand: Take these steps immediately to stop the bleeding and document your good faith remediation efforts.

Day 1: Add claimant's number to internal DNC across ALL platforms
Day 1: Freeze any campaigns that may have contacted this number
Day 1-3: Pull all records for this number (call logs, consent, opt-out history)
Day 1-3: Conduct emergency audit of DNC sync between platforms
Week 1: Identify root cause of the violation
Week 1-2: Implement fix for root cause
Week 2: Document all remediation steps taken
Week 2: Conduct training refresher for involved personnel
Week 3: Perform follow-up audit to verify fix is working

Need Help With TCPA Remediation?

Whether you're responding to a demand letter or proactively fixing compliance gaps, professional guidance can help you build a stronger defense and avoid future violations.