TCPA Compliance for SMS and Phone Collections: What You Actually Need to Know

If the FDCPA is the law that tells you what you can say to a debtor, the Telephone Consumer Protection Act is the law that tells you how you can reach them. And while FDCPA violations typically carry damages of up to $1,000 per case, TCPA violations carry statutory damages of $500 to $1,500 per call or text. In a class action involving thousands of consumers, those numbers add up to the kind of settlements that close agencies.

The TCPA was originally passed in 1991 to address telemarketing robocalls, but its reach has expanded steadily to cover text messages, prerecorded voicemails, and virtually any automated communication. For collections operations that rely on phone and SMS outreach – which is most of them – TCPA compliance is not optional and not something you can figure out later.

This guide covers the rules as they stand in 2026, including the impact of recent Supreme Court and circuit court decisions, FCC rulings, and the growing patchwork of state mini-TCPA laws that layer additional requirements on top of federal law.

Consent: The Foundation of Everything

The single most important concept in TCPA compliance is consent. Without proper consent, almost every automated call or text you send is a potential violation.

Types of Consent

The TCPA recognizes different levels of consent depending on the type of communication:

Prior express consent is required for non-marketing autodialed or prerecorded calls to cell phones. For debt collection, this is the most common standard. A consumer provides prior express consent when they give their phone number in connection with the transaction that created the debt – for example, listing their cell number on a credit application.

Prior express written consent is required for telemarketing calls using an autodialer or prerecorded voice. While most collection calls are not telemarketing (they concern an existing debt, not a new product), be careful with any call that crosses into marketing territory. If you are collecting on a debt and also pitching a debt consolidation product, the marketing portion requires written consent.

Where Consent Gets Complicated

Reassigned numbers. This has been one of the most litigated areas of the TCPA. When a consumer changes their phone number and the old number is reassigned to someone else, calls to that number intended for the original consumer become calls to a non-consenting third party. The FCC has established a reassigned numbers database, and collectors should be checking it. Calling a reassigned number after it appears in the database eliminates your good-faith defense.

Revocation of consent. Consumers can revoke consent at any time, through any reasonable means. This includes verbal statements during a phone call, text message replies like “STOP,” written letters, or messages through an online portal. The revocation is effective immediately upon receipt, and you must have a system in place to process it across all communication channels without delay.

Third-party consent. If a consumer provides someone else’s phone number (for example, a spouse’s cell phone as a contact number), the question of whether that constitutes consent from the phone’s owner is unsettled law. The safest practice is to confirm consent directly with the owner of the number before making autodialed calls to it.

Checklist items:

• [ ] Consent records are maintained for every phone number in the system, including the source and date of consent
• [ ] Reassigned number database is checked before outbound calls to cell phones
• [ ] Revocation of consent is processed across all channels within 24 hours (sooner is better)
• [ ] Collectors are trained to recognize and immediately document verbal consent revocations
• [ ] Third-party phone numbers are flagged for consent verification before autodialed calls

Autodialer Rules After Facebook v. Duguid

The definition of an automatic telephone dialing system (ATDS) was significantly narrowed by the Supreme Court’s 2021 decision in Facebook v. Duguid. The Court held that an ATDS must have the capacity to generate random or sequential phone numbers – simply dialing from a stored list does not qualify.

What This Means for Collectors

If your dialing system pulls numbers from your account database and dials them in a predetermined order, it is likely not an ATDS under the current federal definition. This means the TCPA’s consent requirements for autodialed calls may not apply to your system.

However, there are critical caveats:

Prerecorded messages still require consent. The Duguid decision addressed autodialers, not prerecorded or artificial voice messages. If your system delivers a prerecorded voicemail, you still need prior express consent regardless of how the number was dialed.

State laws may define autodialers differently. Several state mini-TCPA laws use broader definitions that were not affected by Duguid. We cover these below, but the short version is: do not assume the federal narrowing applies everywhere.

The FCC could redefine ATDS. Regulatory definitions can change. Building your compliance program around the narrowest possible reading of current law is a gamble. The more prudent approach is to maintain consent records and dial responsibly regardless of whether your system technically qualifies as an ATDS.

Checklist items:

• [ ] Dialing system capabilities are documented and reviewed by counsel for ATDS classification
• [ ] Prerecorded message consent requirements are followed regardless of dialer type
• [ ] State-level ATDS definitions are mapped for every jurisdiction where you operate
• [ ] Compliance program does not rely solely on the Duguid narrowing

Calling Time Restrictions

The TCPA restricts calls using prerecorded voices or autodialers to between 8:00 AM and 9:00 PM in the consumer’s local time zone. This interacts with (but is separate from) the FDCPA’s identical time restriction on all collection calls.

Practical Considerations

Time zone determination. You need the consumer’s actual time zone, not the time zone associated with their area code. Consumers port numbers across state lines regularly. Use the consumer’s address of record to determine their time zone, and update it if you receive returned mail or other evidence of relocation.

Daylight saving time transitions. On the two days per year when clocks change, your system needs to handle the transition correctly. A call placed at 9:01 PM because your system had not yet adjusted is still a violation.

Multi-time-zone operations. If your collectors are in Eastern time calling consumers in Pacific time, the calling window is narrower than your collectors’ work day might suggest. Build the time zone logic into your dialing system so collectors do not have to do the math themselves.

Saturday and Sunday calls. The TCPA does not distinguish between weekdays and weekends for its time restrictions. However, some state laws do restrict or prohibit weekend calling. Check applicable state law before scheduling weekend campaigns.

Checklist items:

• [ ] Calling window enforcement is based on consumer’s local time, not collector’s local time
• [ ] Time zone is determined by consumer address, not phone number area code
• [ ] System handles daylight saving time transitions automatically
• [ ] State-specific calling time restrictions are layered on top of federal rules
• [ ] Calling windows are enforced at the system level, not left to individual collector judgment

This is exactly the kind of rule that should be enforced by your software, not by trusting every collector to check a clock and do time zone math. Catchpole enforces calling windows automatically based on the consumer’s location, blocking outbound calls and texts outside permitted hours across every time zone and adjusting for state-level variations.

SMS-Specific Rules

Text messaging has become one of the most effective channels for collections outreach. Response rates for SMS consistently outperform phone calls and email. But SMS also carries significant TCPA risk because every text is a separate potential violation.

Consent for Text Messages

The FCC treats text messages the same as calls for TCPA purposes. This means:

• Text messages sent using an autodialer to a cell phone require prior express consent
• Marketing texts require prior express written consent
• Consent can be revoked at any time

Required Content and Identification

While the TCPA itself does not specify message content requirements (that is the FDCPA’s territory), practical compliance requires:

• Clear identification of who is sending the message
• A way for the consumer to opt out (typically “Reply STOP to opt out”)
• Compliance with FDCPA disclosure requirements in the message content
• No disclosure of the debt to third parties (be mindful that others may have access to the consumer’s phone)

Opt-Out Handling for SMS

SMS opt-out handling must be:

• Immediate. When a consumer texts “STOP” (or any reasonable opt-out language), processing should be automatic and near-instantaneous.
• Comprehensive. An opt-out from SMS should be applied to SMS. Whether it also applies to phone calls or email depends on the language used and your interpretation, but the safest approach is to confirm with the consumer which channels they want to stop.
• Confirmed. Send a single confirmation message acknowledging the opt-out. After that, no further texts.
• Permanent until reversed. An opt-out remains in effect until the consumer affirmatively opts back in. Do not re-enroll consumers after a waiting period.

Common SMS Compliance Mistakes

Sending texts before the validation notice. If you are texting a consumer before sending the required FDCPA validation notice, you are creating risk. The text may constitute an initial communication that triggers the five-day notice requirement.

Excessive frequency. Just because SMS is cheap does not mean you should send five texts a day. While the FDCPA’s Reg F frequency presumption technically applies only to phone calls, regulators and courts will apply similar harassment analysis to text messages. Keep it reasonable.

Link shorteners that obscure identity. If your text includes a link, the destination should clearly identify you as the sender and as a debt collector. Using generic URL shorteners that give no indication of where the link leads is a compliance risk.

Checklist items:

• [ ] SMS consent records are maintained separately and clearly documented
• [ ] Opt-out processing is automated and occurs within minutes, not hours or days
• [ ] Opt-out confirmation message is sent (one message only)
• [ ] SMS frequency is tracked and kept within reasonable limits
• [ ] Message content complies with both TCPA and FDCPA requirements
• [ ] Links in messages lead to clearly identified destinations

State Mini-TCPA Laws

This is where TCPA compliance gets genuinely difficult. A growing number of states have enacted their own telephone communication laws that impose requirements beyond the federal TCPA. These laws often survived the Duguid narrowing of the federal ATDS definition because they use their own, broader definitions.

Key State Laws to Know

Florida (Florida Telephone Solicitation Act - FTSA). Amended in 2021, the FTSA is one of the most aggressive state telecom laws in the country. It defines “automated system” more broadly than the federal ATDS definition, requires prior express written consent for all automated calls and texts (not just marketing), limits text messages to the same 8 AM to 9 PM window as calls, and provides a private right of action with $500 per violation ($1,500 if willful). Florida has become the leading state for TCPA-style class actions.

Washington (Automatic Dialing and Announcing Device statute). Washington’s law covers any device that can deliver a prerecorded message, with a broad definition that is not limited by Duguid. Violations carry penalties up to $1,000 per call.

Oklahoma. Enacted a mini-TCPA in 2022 that tracks the pre-Duguid federal ATDS definition, meaning systems that dial from stored lists may still be covered. Provides a private right of action.

Maryland, Michigan, and Wyoming. Each has state-level telecom laws with varying definitions of automated systems that may capture dialing equipment excluded from the federal ATDS definition after Duguid.

New York. While New York does not have a specific mini-TCPA, the state’s aggressive consumer protection enforcement and broad UDAP statute mean that TCPA-style violations are often pursued under state consumer protection law.

The Compliance Challenge

Managing state mini-TCPA compliance is a significant operational challenge because:

• You need to know which law applies based on the consumer’s location (not your location)
• Definitions of key terms like “autodialer” differ from state to state
• Consent standards vary (some require written consent where federal law requires only express consent)
• Penalty structures differ, creating varying risk profiles by state
• Laws are changing frequently as states respond to Duguid and FCC rulings

Checklist items:

• [ ] State mini-TCPA requirements mapped for all states where you contact consumers
• [ ] Dialing and texting systems comply with the strictest applicable standard for each consumer’s state
• [ ] Florida consumers are flagged for FTSA-specific compliance requirements
• [ ] Consent records meet the highest applicable standard (written consent where any applicable law requires it)
• [ ] Legal team monitors state legislative changes quarterly

Penalties and Enforcement

Understanding what is at stake makes the compliance investment easier to justify.

Federal TCPA Penalties

• $500 per violation for negligent violations (each call or text is a separate violation)
• $1,500 per violation for knowing or willful violations (treble damages)
• No cap on aggregate damages in class actions

To put this in perspective: if you send 10,000 text messages that are later found to violate the TCPA, your exposure is $5 million to $15 million. These are not hypothetical numbers. TCPA class action settlements routinely reach eight and nine figures.

State Penalties

State penalties stack on top of federal exposure. A single campaign that violates both the federal TCPA and a state mini-TCPA can generate two separate damage claims per violation.

Enforcement Trends

The FCC, FTC, CFPB, and state attorneys general all have authority to bring enforcement actions for TCPA violations. In addition, the private right of action means that any consumer (or their attorney) can file suit. The plaintiffs’ bar has built an entire practice area around TCPA litigation, and they actively look for agencies with sloppy compliance.

Recent trends include:

• Increased scrutiny of consent documentation (agencies that cannot prove consent bear the burden)
• Focus on reassigned number compliance following the FCC database launch
• State AG enforcement under mini-TCPA statutes, particularly in Florida
• Litigation funding increasing the volume of individual and class claims

Building a TCPA-Compliant Operation

TCPA compliance is not a policy you write once and file away. It is an operational discipline that touches your technology, your training, your data management, and your daily workflows.

Technology Requirements

Your dialing and messaging platform must be capable of:

• Enforcing calling windows by consumer time zone
• Processing opt-outs automatically and immediately across all channels
• Maintaining auditable consent records tied to specific phone numbers
• Checking the reassigned numbers database before outbound calls
• Applying state-specific rules based on consumer location
• Logging every call and text with timestamps, duration, and outcome

Catchpole handles opt-out tracking, calling window enforcement, and communication logging automatically at the platform level. When a consumer texts STOP, the system processes it immediately and blocks further outbound SMS – no collector intervention needed, no gap in coverage during shift changes or weekends.

Training Requirements

Every collector who makes calls or sends texts should understand:

• What constitutes consent and how to verify it
• How to recognize and process consent revocation in real time
• Calling time restrictions and time zone awareness
• What to do if they suspect a number has been reassigned
• The difference between manual and autodialed calls and why it matters
• State-specific rules for their assigned accounts

Documentation and Record Keeping

Maintain records of:

• Consent obtained: source, date, method, and specific language consented to
• Consent revoked: date, method, processing timestamp
• Every call and text: date, time, duration, outcome, consumer response
• Opt-out requests and processing confirmation
• Reassigned number database check results
• Training completion records for all personnel

The Bottom Line

TCPA compliance in collections is demanding, and it is getting more complex as states add their own requirements. But the agencies that invest in proper systems, training, and documentation are the ones that avoid the lawsuits that can genuinely threaten a business.

The cost of a solid compliance infrastructure – proper technology, ongoing training, regular audits – is a fraction of the cost of a single TCPA class action. That math is straightforward.

If you are evaluating your current compliance posture or looking for a collections platform that takes TCPA compliance seriously, Catchpole offers a free trial. See how automated opt-out processing, calling window enforcement, and full communication logging work in practice before making any commitments.