Guides
Federal and state DNC compliance checklist for AI outbound calling. Covers registry scrubbing requirements, internal suppression workflows, EBR exemptions, safe harbor defense, and how Thoughtly enforces DNC rules automatically.
Last updated
There are more than 258 million active phone numbers on the National Do Not Call Registry. Every one of those numbers is a potential violation if your AI outbound workflowWorkflowAn automated, multi-step process — usually triggered by an event (form fill, new lead) and orchestrating one or more voice / SMS / email actions. dials it without proper scrubbing. For revenue teams deploying AI voiceAI voiceAn artificially generated, natural-sounding voice produced by a TTS model. Thoughtly supports a library of AI voices and brand-specific cloning. agents at scale, DNC compliance is not a nice-to-have checkbox — it is the operational foundation that determines whether your outbound program generates pipeline or generates lawsuits.
This guide covers the federal and state DNC regulations that apply to AI-powered outbound calling, provides a practical compliance checklist, explains how Thoughtly's platform features support compliant outbound workflows, and identifies the mistakes that most commonly trip up operations teams.
DNC compliance sits at the intersection of two federal regulatory frameworks: the FTC's Telemarketing Sales Rule (TSR) and the FCC's rules under the Telephone Consumer Protection ActTCPAUS federal law governing telemarketing calls and SMS. Thoughtly enforces consent capture, time-of-day windows, and DNC scrubbing automatically. (TCPA). Both impose specific obligations on any organization making outbound telemarketing calls — including calls placed by AI voice agents.
The FTC created the National Do Not Call Registry in 2003 under the Telemarketing Sales Rule (16 CFR § 310.4(b)(1)(iii)). The registry allows consumers to opt out of telemarketing calls, and it is enforced by the FTC, FCC, and state attorneys general.
Key requirements for businesses:
The registry covers calls to sell goods or services through interstate phone calls. It does not cover political calls, charitable solicitations by the charity itself, surveys, or calls from companies with which the consumer has an established business relationship (EBR).
A company may call a consumer whose number is on the National DNC Registry if an established business relationship exists. Under the TSR, an EBR is defined as:
Even with an EBR, if the consumer explicitly asks not to be called, you must honor that request immediately and add the number to your internal do-not-call list. Calling again after such a request — even during the EBR window — is a violation.
The TCPA (47 U.S.C. § 227) and the FCC's implementing rules (47 CFR § 64.1200) impose additional DNC obligations. Under the TCPA, every telemarketer must maintain its own company-specific internal do-not-call list. When a consumer says "take me off your list" or words to that effect, that number must be suppressed for a minimum of five years.
The TCPA also requires that any call made using an automatic telephone dialing system (ATDS) or prerecorded/artificial voice to a cell phone requires prior express consent — and for telemarketing calls, prior express written consent. The FCC's February 2024 ruling explicitly classified AI-generated voice calls as "artificial voice" under the TCPA, meaning AI voice agents are subject to the same consent and DNC requirements as any other automated outbound call.
In addition to the federal registry, multiple states maintain their own DNC lists with separate registration and scrubbing requirements. States with active registries include Colorado, Florida, Indiana, Louisiana, Massachusetts, Missouri, Oklahoma, Pennsylvania, Tennessee, Texas, and Wyoming.
State penalties vary significantly. Indiana imposes penalties up to $25,000 per subsequent violation. Texas maintains two separate state registries — one for residential and mobile numbers and one for businesses. Florida requires consumers to re-register every five years, but its enforcement is active. If your AI outbound workflows touch consumers across multiple states, you need to scrub against every applicable state list in addition to the federal registry.
| Source | Penalty per violation | Notes |
|---|---|---|
| FTC / TSR | Up to $53,088 per call | Inflation-adjusted; each call is a separate violation |
| FCC / TCPA | $500–$1,500 per call | $500 base; $1,500 for knowing/willful violations; private right of action |
| State DNC laws | $100–$25,000 per call | Varies by state; state AGs can pursue enforcement independently |
| TCPA class actions | Uncapped aggregate | Per-call statutory damages; recent verdicts have reached nine figures |
These penalties compound quickly. An AI voice agent making 500 calls to unscrubbed numbers could generate exposure well into seven figures under the TSR alone.
Use this checklist to verify your outbound AI workflows are operating within federal and state DNC requirements.
| Step | Requirement | Frequency |
|---|---|---|
| 1. Subscribe to the National DNC Registry | Register at telemarketing.donotcall.gov and pay area code fees for every region you call | Annually (renewal) |
| 2. Scrub outbound lists against the federal registry | Download the latest registry data and remove matching numbers before dialing | Every 31 days minimum; before each campaign is best practice |
| 3. Scrub against state DNC registries | Download and remove numbers from applicable state lists (CO, FL, IN, LA, MA, MO, OK, PA, TN, TX, WY) | Per state requirements; typically every 30–90 days |
| 4. Maintain an internal DNC list | Record every consumer opt-out request with timestamp, source, and channel | Updated in real time; honored permanently (TCPA: minimum 5 years) |
| 5. Verify consent before automated calls | For AI voice calls to cell phones: prior express written consent required; for informational calls: prior express consent | Before every campaign |
| 6. Check EBR status before calling DNC-listed numbers | Confirm transaction within 18 months or inquiry within 3 months; document the EBR | Before each dial |
| 7. Enforce calling windows | Outbound calls only between 8 AM and 9 PM in the recipient's local time zone | Every call |
| 8. Train your team on DNC procedures | Document written DNC policies; train all personnel who touch outbound workflows | At onboarding and at least annually |
| 9. Audit and document scrub records | Retain records of every scrub: date, registry version, list size before/after | After every scrub; retain for safe harbor defense |
| 10. Monitor for opt-out requests across all channels | Capture and centralize opt-outs from calls, SMS, email, web forms, and verbal requests | Continuously |
The TSR provides a "safe harbor" for inadvertent DNC violations. If your organization meets all safe harbor requirements, it will not be subject to civil penalties for mistakenly calling a consumer on the registry. To qualify, you must demonstrate that your organization:
For AI outbound teams, the safe harbor is your insurance policy. Automated workflows make it easier to prove consistent scrubbing — but they also make it harder to argue "error" if the scrubbing step was never configured in the first place.
Thoughtly provides several platform features that support compliant outbound workflows. These are operational tools that help your team implement the requirements above — not a substitute for legal counsel or your own compliance program.
Thoughtly scrubs every outbound call against federal and internal do-not-call registries. As documented on the insurance solutions page: "State-specific recording-consent disclosures, FCC-compliant time windows, internal/external DNC scrubbingDNC scrubbingFiltering outbound dialing lists against federal and internal Do-Not-Call registries. Required for compliant outbound — Thoughtly scrubs every call., and recorded consent on every call. The compliance layer is enforced — not optional." DNC scrubbing runs automatically as part of the outbound dialing flow, so numbers on the registry are blocked before they are ever dialed.
Thoughtly's consent mode gives workspace administrators two enforcement options:
The suppression list records contacts who should not receive outbound communication. Entries can be created automatically — for example, when a contact sends an opt-out keyword via SMS — or manually by an admin. Each entry includes the identifier, channel, reason, source, and timestamp.
When an outbound call or message is blocked by suppression, it appears in the History log with a "Suppressed" status. This makes it straightforward to distinguish compliance-blocked outreach from technical failures during audits.
For SMS and messaging channels, Thoughtly recognizes standard opt-out keywords — STOP, UNSUBSCRIBE, CANCEL, END, and QUIT. When a contact sends one of these keywords, they are automatically added to the suppression list for that channel. If consent mode is set to Universal, they are suppressed across all channels.
Thoughtly's dark windows feature lets you configure per-channel quiet hours so outbound calls and messages are blocked during prohibited time windows. You can set separate windows for voice, SMS, email, WhatsApp, and iMessage. Dark windows are evaluated against your workspace timezone, with contact-level timezone behavior available for teams calling across regions.
Pairing dark windows with suppression lists ensures that your AI outbound workflows respect both who you can contact and when you can contact them.
Thoughtly's contact attribute system supports persistent per-contact fields that can be used for routing and suppression logic. For example, setting a do_not_call_until attribute on a contact allows your automation to check that field before dialing and skip the contact if the date has not passed. Combined with post-call automations that tag contacts based on call outcomes, this gives operations teams fine-grained control over who gets called and when.
Scrubbing your list at campaign launch and never again is a violation if the campaign runs longer than 31 days. The registry adds roughly 400,000 new numbers every month. Set your scrub cadence to at least every 31 days — or automate it before every campaign.
Federal registry compliance alone is not sufficient if you call consumers in states with their own registries. Each state list has its own registration process, scrubbing requirements, and penalty structure.
An established business relationship lets you call DNC-listed numbers within specific time windows — but the moment a consumer says "don't call me," the EBR exemption ends for that consumer. Document every EBR carefully and honor opt-outs immediately.
The TCPA requires every telemarketer to maintain a company-specific DNC list, separate from the national registry. If a consumer asks not to be called and you do not record that request, you lose both the individual opt-out record and the safe harbor defense.
A consumer who says "stop calling me" during a voice call may expect that request to cover SMS and email as well. Unless your compliance policy explicitly supports granular per-channel suppression, treat opt-outs as universal to reduce risk.
If you cannot prove when you last scrubbed your list, which version of the registry you used, and how your internal DNC list was maintained, you cannot qualify for the TSR safe harbor. Automated scrubbing without documentation is almost as risky as not scrubbing at all.
Yes. The FCC's February 2024 ruling classified AI-generated voice as "artificial voice" under the TCPA. AI voice agents are subject to the same DNC scrubbing, consent, and calling-window requirements as any other automated outbound call system.
At a minimum, every 31 days. The TSR's safe harbor requires that you accessed the registry no more than 31 days before making a call. Best practice for high-volume AI outbound is to scrub before every campaign launch.
The federal registry is maintained by the FTC and contains numbers from consumers who opted out of telemarketing calls generally. Your internal DNC list is company-specific and contains numbers from consumers who asked your organization specifically not to call them. You need to scrub against both. The internal list is required under the TCPA regardless of whether a number appears on the federal registry.
Potentially, under the established business relationship exemption — an inquiry or application creates a 3-month EBR window. However, for AI-generated voice calls to cell phones, you also need prior express written consent under the TCPA, which is a separate requirement from the EBR exemption. The safest approach is to obtain explicit written consent at the point of form submission.
If you meet all six safe harbor requirements (written procedures, training, monitoring, internal DNC list, registry access within 31 days, and the call was an error), you may avoid civil penalties. If you cannot demonstrate compliance with the safe harbor, each call is a separate violation — up to $53,088 under the TSR or $500–$1,500 under the TCPA, plus potential state penalties.
This article is informational and does not constitute legal advice. Consult qualified legal counsel for compliance decisions specific to your organization.
