How to avoid a TCPA lawsuit: What actually holds up under scrutiny

The Telephone Consumer Protection Act (TCPA) has been around long enough that most organizations understand the basics. Consent is required. Opt-outs must be honored. Records should be maintained.

And yet lawsuits keep happening.

The issue isn’t awareness. It’s consistency. As outreach programs grow, they stretch across systems, vendors and channels. What started as a compliant process slowly drifts out of alignment, often without anyone noticing until there’s a complaint.

Consent is where everything starts and where many programs weaken

Most TCPA risk can be traced back to consent. Not because companies ignore it, but because they treat it too loosely.

It’s common to assume that if a consumer provided a phone number, they’re open to being contacted. In practice, that assumption doesn’t hold up. Consent needs to be explicit, tied to a clear disclosure and connected to the type of outreach being sent.

More importantly, it needs to be provable.

If you can’t show when and how consent was obtained — and what the consumer agreed to — it becomes difficult to defend the outreach later. This is where many organizations find themselves exposed, especially when lists are reused or campaigns evolve beyond their original purpose.

Opt-outs are simple in theory, harder in execution

Most companies understand that consumers should be able to opt out. The problem is making that work consistently across real systems.

Opt-outs come in different forms. Some are structured, like clicking a link or replying “STOP.” Others are less predictable — a message, a call or even a complaint routed through customer service. All of them need to be captured and applied the same way.

Where things break down is in the handoff between systems. An opt-out gets recorded in one place but doesn’t flow to another. A vendor continues outreach because their suppression list wasn’t updated. A delay of even a few hours can turn into repeated violations at scale.

Documentation is what determines the outcome

When a TCPA complaint arises, the conversation quickly shifts from intent to evidence.

At that point, what matters is whether you can show:

• What the consumer agreed to
• When outreach occurred
• What messages were sent
• How opt-outs were handled

If those records are incomplete or inconsistent, it becomes difficult to defend even well-intentioned programs.

The strongest organizations treat documentation as part of the process, not an afterthought. They assume that every campaign may need to be explained later and build their recordkeeping accordingly.

Timing and jurisdiction still trip people up

It seems straightforward to limit outreach to appropriate hours, but in practice, this is another area where small assumptions create risk.

Calls and texts should align with the recipient’s location, not just the phone number. With mobile devices, that distinction matters. A number that looks like it’s in one time zone may belong to someone in another.

On top of that, state-level rules can be more restrictive than federal standards. Applying a single national approach may seem efficient, but it doesn’t always hold up across jurisdictions.

Vendor oversight is where exposure grows quickly

Third-party vendors can expand reach, but they also expand risk.

Many TCPA issues originate from lead sources or messaging platforms that operate outside direct visibility. Even when contracts include compliance language, that doesn’t guarantee how outreach is actually executed.

The organizations that avoid problems tend to stay close to the details. They ask how consent is collected, how lists are managed and how opt-outs are enforced. They don’t assume alignment — they verify it.

The difference between a compliant program and a defensible one

Most companies can point to policies that say the right things. The question is whether those policies match what’s happening day to day.

A defensible program is one where:

• Consent practices are consistent and documented
• Opt-outs are applied across every channel without delay
• Records tell a clear, complete story
• Vendors operate within defined and monitored expectations

That kind of alignment doesn’t happen automatically. It requires ongoing attention, especially as programs evolve.

How Wipfli can help

Wipfli works with organizations to strengthen how their outreach programs operate in practice. That includes reviewing consent flows, validating suppression processes and identifying gaps between policy and execution.

To evaluate your current approach, explore our TCPA compliance services.

You can also use our TCPA compliance checklist to quickly assess where your program may need attention.