Cold calling compliance is not optional. It is not a box you check during legal review and forget. Every dial your team makes carries real statutory exposure, and a single class-action filing can produce settlement costs in the millions. Most B2B outreach teams treat compliance as an afterthought, something to handle after the pipeline strategy is set. That is exactly backward.
The legal framework around phone outreach has tightened considerably over the past two years. The FCC rewrote consent rules in 2024. State legislatures have added their own layers. And plaintiff attorneys have become specialists in TCPA class actions, which require minimal individual damages but aggregate into enormous settlements. Average TCPA class-action settlements run $2 million to $8 million, according to Bloomberg Law analysis.
This article maps the full compliance picture: TCPA, the FCC's new one-to-one consent rule, GDPR, CCPA, state-level laws, and the Do Not Call Registry. If your team is dialing from purchased lists without a clear understanding of these frameworks, you are carrying liability you probably haven't priced in.
TCPA: The Law That Makes Every Dial a Potential Liability
The Telephone Consumer Protection Act creates $500 in statutory damages per illegal call, no proof of actual harm required. Courts can triple that to $1,500 for willful or knowing violations. Because TCPA allows private rights of action and class certification, a single campaign reaching thousands of contacts can become a catastrophic liability event almost overnight.
TCPA applies to autodialed calls, prerecorded or artificial voice calls, and text messages sent to cellular numbers. The B2B exemption is real but narrow. Calls to business lines using a manual dial, where the caller is a live agent and the purpose is genuinely commercial, get more latitude than consumer calls. But that exemption evaporates the moment you use an autodialer or prerecorded message. And it does not eliminate the Do Not Call Registry obligation.
The "autodialer" definition has been litigated extensively since the Supreme Court's 2021 ruling in Facebook v. Duguid, which narrowed the definition somewhat. That ruling gave some B2B teams breathing room, but courts have not reached uniform conclusions on what constitutes an autodialer in every system configuration. If your dialing platform uses any predictive or sequential number generation, consult counsel before assuming you are in the clear.
The practical implication: even if you are running a pure B2B campaign with live agents on manual dials, you still need to scrub against the DNC Registry, and you still cannot rely on consent you did not obtain directly. The FCC received 2.3 million TCPA complaints in 2023. Enforcement activity is not slowing.
What Changed in 2025: The FCC One-to-One Consent Rule
Starting January 27, 2025, the FCC requires one-to-one consent for each seller that wants to contact a consumer. This is not a minor procedural update. It fundamentally broke a business model that much of the lead generation industry was built on.
Before this rule, a single opt-in form could authorize calls from dozens of "partner" companies. A consumer would click a checkbox agreeing to be contacted by "our trusted partners," and that single click would flow to a list of companies who had paid for access to those leads. The FCC called this the "lead generator loophole," and the January 2025 order closed it explicitly. Now, the consent must name the specific company making the calls. Generic partner consent does not satisfy the requirement.
This matters enormously for teams buying phone lists. If the vendor sourced consent through a lead generation form that listed multiple advertisers, or used vague partner language, that consent is not compliant under the new rule. Buying that list and dialing from it creates direct liability for your organization. The consent acquisition happened before you got involved, but the illegal call happens when your rep picks up the phone.
The safest path is working with data providers who can document the consent chain and confirm that your company is named in the consent language, or who provide data that does not rely on prior consumer consent because the outreach falls into a legitimate business relationship or an exempted manual B2B call. The ethics of AI-driven outreach are directly tied to this consent infrastructure. AI-powered dialing at scale, without one-to-one consent, is one of the higher-risk configurations in the current enforcement environment.
GDPR and Cold Calling: When EU Rules Apply to US Outreach Teams
GDPR applies to any company contacting EU residents, regardless of where the company is based. If your sales team is in Atlanta and you are calling a procurement manager in Munich, GDPR governs that call. US companies routinely underestimate this exposure because they think of GDPR as a "European law." It is, and it has extraterritorial reach by design.
Most B2B outreach teams rely on "legitimate interests" as their lawful basis for processing EU contact data. GDPR Article 6(1)(f) allows processing when the controller has a legitimate interest that is not overridden by the data subject's interests or rights. For B2B cold calling, this can work, but it requires a documented Legitimate Interests Assessment (LIA) that weighs the business need against the individual's privacy expectation. You cannot just assert legitimate interests. You have to evaluate it in writing and be able to produce that evaluation if asked.
GDPR fines reach up to €20 million or 4% of global annual revenue, whichever is higher. That calculation uses global revenue, not just EU-sourced revenue. A US company with $500 million in annual revenue faces a potential ceiling of $20 million on a GDPR violation, even if only a fraction of that revenue came from European customers. The fines at the top of the scale are reserved for serious violations, but data protection authorities across the EU have shown willingness to issue significant penalties for systemic non-compliance.
The practical controls for EU contacts: conduct an LIA before any outreach campaign, maintain records of processing activities under GDPR Article 30, provide a clear and easy way for contacts to object to processing, and honor those objections promptly. AI outreach compliance frameworks for EU contacts need to be built with these requirements as baseline constraints, not afterthoughts.
CCPA, CAN-SPAM, and State-Level Phone Laws
California's CCPA adds another layer on top of federal TCPA rules, and a growing stack of state laws has followed California's lead. CAN-SPAM governs email outreach, not calls, but it becomes relevant when your outreach sequence moves from email to phone. Both frameworks apply when your campaign crosses channels.
CCPA gives California residents the right to opt out of the sale of their personal data, which includes phone numbers. If you have purchased a list that contains California residents and the data provider "sold" that data in CCPA's definition of the term, those contacts have the right to request that their data not be used for further outreach. Your CRM and outreach workflows need a mechanism to honor those opt-out signals and suppress affected records. The definition of "sale" under CCPA is broad and has been interpreted to include many standard data licensing arrangements.
On the email side, CAN-SPAM requires honest subject lines, a physical mailing address in every commercial email, and a functioning opt-out mechanism honored within ten business days. If your sequence sends a cold email and then follows up with a call to contacts who opted out of email, you are running an operation that may violate both frameworks simultaneously. Track opt-outs across channels, not just within each channel.
State-level phone laws deserve specific attention. Florida's Mini-TCPA (enacted 2021) applies to calls and texts to Florida numbers and includes a private right of action with $500 per violation. Texas and Oklahoma have similar statutes. These laws sometimes apply even when the federal TCPA exemption would cover the call, because state law can be more restrictive. Before running a national campaign, map the state-specific rules for your highest-volume states. One other factor affecting outreach: STIR/SHAKEN caller-ID authentication, which most carriers are now required to implement, lets carriers and their call-analytics partners label calls that lack valid attestation as potential spam. This reduces answer rates and creates a practical problem independent of the legal framework.
Do Not Call Registry: The Baseline Everyone Needs to Scrub Against
Any number on the National DNC Registry cannot be called for telemarketing purposes. With 244 million registered numbers as of 2024, a meaningful percentage of any cold list will have DNC records. Calling those numbers is a per-violation TCPA offense, and class actions based on DNC violations are well-established.
The process: register with the FTC's Telemarketing Sales Rule program at donotcall.gov, pay the subscription fee (based on area codes you want access to), download the registry data, and scrub your outbound list before any campaign. You must re-scrub every 31 days. The FTC does not accept "we forgot to scrub" as a defense. Document every scrub with a timestamp and the version of the registry data used.
The B2B established-business-relationship exemption gives more latitude for existing customers and contacts who have already engaged with your company, but it does not apply to cold outreach. For purchased lists where you have no prior relationship, treat every number as potentially DNC-registered until your scrub confirms otherwise. Data decay erodes your DNC scrubbing over time: numbers change hands, consumers register new numbers, and a scrub from four months ago does not protect you today. Contact data enrichment that includes DNC status at the point of data delivery reduces the operational burden of maintaining scrub currency.
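As an added example (not code from the article or from any data provider it mentions), the scrub step described above: it refuses to run against registry data older than 31 days, suppresses DNC-registered numbers, folds in the cross-channel opt-outs from the CCPA and CAN-SPAM sections, and emits the timestamped log record the article says every scrub should have. The registry contents, opt-out reasons, phone numbers and dates are all constructed.

```python
from __future__ import annotations
from datetime import date
import re

# Re-scrub interval the article states for the National DNC Registry.
SCRUB_MAX_AGE_DAYS = 31

# Constructed sample data: a tiny "registry", a cross-channel opt-out map
# (email unsubscribe and CCPA do-not-sell requests), and a purchased list
# whose numbers arrive in several formats.
DNC_REGISTRY = {"2025550101", "4045550199"}
OPT_OUTS = {"3125550142": "email opt-out", "6175550177": "ccpa do-not-sell"}
OUTBOUND = ["(202) 555-0101", "+1 404-555-0199", "312.555.0142",
            "617-555-0177", "917-555-0133", "555-0199"]


def normalize(number: str) -> str | None:
    """Reduce a US number to its 10 digits so list and registry formats match."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def scrub(outbound, dnc_registry, opt_outs, registry_date: date, today: date):
    """Return (dialable, suppressed, log_record); raise if the registry is stale."""
    age = (today - registry_date).days
    if age > SCRUB_MAX_AGE_DAYS:
        raise ValueError(f"registry data is {age} days old; re-download before dialing")
    dialable, suppressed = [], []
    for raw in outbound:
        num = normalize(raw)
        if num is None:
            suppressed.append((raw, "unparseable"))   # never dial a number you cannot verify
        elif num in dnc_registry:
            suppressed.append((raw, "dnc"))
        elif num in opt_outs:
            suppressed.append((raw, opt_outs[num]))  # opt-outs are honored across channels
        else:
            dialable.append(num)
    # The log record is what you produce when asked to prove the scrub happened.
    log = {"scrub_date": today.isoformat(), "registry_version": registry_date.isoformat(),
           "input": len(outbound), "dialable": len(dialable), "suppressed": len(suppressed)}
    return dialable, suppressed, log


if __name__ == "__main__":
    ok, dropped, record = scrub(OUTBOUND, DNC_REGISTRY, OPT_OUTS, date(2025, 3, 1), date(2025, 3, 20))
    print(ok, dropped, record, sep="\n")
```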
Building a Compliant Outreach Process (Compliance Checklist)
A compliant outreach process comes down to five operational controls. Get these right and you have a defensible position if you are ever challenged. Miss one, and the others do not fully protect you.
Compliance Checklist: Before You Dial
1. DNC Registry scrub. Required before any telemarketing call. Subscribe at FTC.gov. Re-scrub every 31 days.
2. One-to-one consent. Since Jan 2025, the consent must name your company specifically. Bundled consent is not enough.
3. Documentation. Written policies, training records, and scrub logs are your first defense in litigation.
4. Legitimate Interests Assessment (LIA). Required if you contact any EU-based prospects. Must be documented and reviewable.
5. Verified data source. Start with data from providers who maintain their own DNC and consent records. That's the easiest risk reduction available.
The first four controls are process controls. You can implement them with existing staff and systems. The fifth is a data sourcing decision that sets the baseline risk for everything else. If you are dialing from a list where consent provenance is unclear or DNC scrubbing is not current, no amount of internal process documentation fully protects you. The liability starts with the data.
Working with verified direct dials from sources that maintain their own DNC scrubbing and consent records is the most direct way to reduce your TCPA exposure per dial. It does not eliminate the need for your own scrubbing and documentation, but it means you are starting from a defensible position rather than an unknown one. The compliance posture of your data provider becomes part of your compliance posture.