TCPA Compliance Guide 2026: What Insurance Agents Need to Know

What Is the TCPA and Why Does It Matter for Insurance?

The Telephone Consumer Protection Act (TCPA), enacted in 1991 and significantly amended over the decades since, is a federal law that restricts telemarketing calls, auto-dialed calls, prerecorded calls, text messages, and unsolicited faxes. For insurance agents and agencies, the TCPA is the foundational law that determines how, when, and to whom you can make outbound calls.

Insurance is one of the most heavily affected industries because the business model depends on outbound calling—whether you are working aged leads, following up on web form submissions, or cold calling during AEP. A single campaign that violates TCPA rules can expose your agency to millions of dollars in statutory damages, and the plaintiffs' bar is more active than ever in filing class action lawsuits against insurance companies and their downstream agents.

The stakes are not hypothetical. In 2024 and 2025, insurance-related TCPA settlements have reached into the hundreds of millions of dollars. Individual agencies have faced multi-million dollar judgments. And unlike errors and omissions insurance, most general liability policies do not cover TCPA violations—meaning the financial exposure comes directly out of your bottom line.

Key 2025–2026 TCPA Updates You Need to Know

The TCPA landscape has shifted significantly over the past 18 months. Several FCC rulings, court decisions, and regulatory interpretations have changed the compliance requirements for insurance telemarketing. Here are the most critical updates:

The One-to-One Consent Rule (Effective January 2025)

The FCC's one-to-one consent rule, which took effect on January 27, 2025, is the most significant change to TCPA consent requirements in years. Under this rule, consumers who provide prior express written consent must give that consent to a single, identified seller. The era of lead generators collecting a single consent and selling it to dozens of insurance agencies is over.

Expanded Definition of Auto-Dialer

While the Supreme Court's 2021 Facebook v. Duguid decision narrowed the ATDS (Automatic Telephone Dialing System) definition to require random or sequential number generation, several states have passed their own mini-TCPA statutes with broader definitions. In 2025–2026, states including Florida, Washington, and Oklahoma have expanded their definitions to cover any system that dials from a list without human intervention—which captures most modern power dialers and predictive dialers.

Revocation of Consent by Any Reasonable Means

The FCC has clarified that consumers can revoke consent to receive calls or texts through any reasonable means—including replying "stop" to a text, telling an agent on the phone, submitting a web form, or even posting on social media. Agencies must have systems to capture and honor revocations regardless of the channel, and must stop calling within a reasonable time, which the FCC has indicated should be no more than 10 business days.

Consent Requirements: Express Written Consent vs. Prior Express Consent

One of the most misunderstood areas of TCPA compliance is the distinction between the two types of consent. Getting this wrong is the most common source of TCPA violations in the insurance industry.

Prior Express Written Consent (The Higher Standard)

Prior express written consent is required when you are making telemarketing or advertising calls using an auto-dialer or prerecorded/artificial voice. For insurance agents, this applies to virtually any outbound sales call made using a dialer system. The requirements are specific:

• The consent must be in writing (electronic signatures count, including web form submissions)
• It must include the consumer's telephone number
• It must clearly authorize the specific seller to make calls using an auto-dialer or prerecorded voice
• It must not be a condition of purchasing any goods or services
• Under the new one-to-one rule, it must identify your agency by name

Prior Express Consent (The Lower Standard)

Prior express consent—without the "written" qualifier—is sufficient for non-telemarketing calls made with an auto-dialer. This would cover informational calls such as appointment reminders, policy service calls, or claims updates. This consent can be implied by the consumer providing their phone number in connection with a transaction. However, the moment the call includes any sales or marketing content, the higher written consent standard kicks in.

Auto-Dialer Rules and Compliance

The type of dialing technology you use directly impacts your TCPA compliance obligations. Understanding the regulatory classification of your dialer is critical.

What Qualifies as an ATDS Under Federal Law

After Facebook v. Duguid, an ATDS under federal law is a system that has the capacity to store or produce telephone numbers using a random or sequential number generator and dial those numbers. A system that simply dials from a pre-loaded list—without generating numbers randomly or sequentially—does not qualify as an ATDS under this definition.

However, this narrow federal definition provides a false sense of security for many agencies. Here's why:

• State laws may be broader: Florida's mini-TCPA, for example, covers any system that dials without human intervention, regardless of how numbers are generated
• Prerecorded messages still require consent: Even if your dialer doesn't qualify as an ATDS, using prerecorded messages requires prior express written consent
• DNC rules apply regardless: Auto-dialer classification does not affect Do Not Call requirements
• The FCC could revise its interpretation: Regulatory guidance can change, and building your compliance program on the narrowest possible definition is risky

Compliance by Dialer Type

Different dialer types carry different levels of compliance risk. Predictive dialers present the highest risk because they dial multiple numbers simultaneously and may connect consumers to dead air or prerecorded messages if no agent is available. Power dialers are lower risk because they dial one number at a time with an agent always on the line. Preview/manual dialers carry the lowest risk because an agent initiates each call individually.

Do Not Call (DNC) Requirements

DNC compliance is a separate but equally important component of TCPA compliance. There are two types of DNC lists that insurance agencies must manage: the National Do Not Call Registry and internal DNC lists.

National Do Not Call Registry

• You must scrub your calling lists against the National DNC Registry before initiating any campaign
• Lists must be updated at least every 31 days—numbers are added to the registry continuously
• The Established Business Relationship (EBR) exemption allows you to call existing customers for up to 18 months after their last transaction, but this exemption does not override a consumer's direct request to stop calling
• You must register with the FTC and pay the applicable fees to access the registry

Internal Do Not Call Lists

Every agency must maintain its own internal DNC list containing the numbers of anyone who has requested not to be called. This list must be honored indefinitely—there is no expiration on an internal DNC request. When a consumer says "don't call me again" during a call, that request must be documented and the number added to your internal DNC list immediately.

Calling Hours and Frequency Limits

Federal law restricts telemarketing calls to the hours between 8:00 AM and 9:00 PM in the consumer's local time zone. This means your dialing system must be able to determine the time zone for each number you call—dialing a number in the Eastern time zone at 9:05 PM because your agency is in the Pacific time zone is a violation.

Some states have narrower calling windows. For example, several states restrict calls to 9:00 AM–8:00 PM, and some prohibit calls on Sundays or state holidays. Your dialing platform should enforce these restrictions automatically based on the area code and state of each number.

While the TCPA does not set explicit limits on how many times you can call a specific number per day, excessive calling can constitute harassment under the TCPA and state consumer protection laws. Industry best practice for insurance is no more than three call attempts per lead per day, with a maximum of eight to ten attempts over the life of a lead before moving it to a lower-priority status.

TCPA Penalties: The True Cost of Non-Compliance

TCPA violations carry significant statutory penalties, and because they are assessed per call or per text, the total liability in a class action or enforcement action can be astronomical.

Beyond the direct financial penalties, TCPA violations can result in reputational damage, loss of carrier appointments, increased E&O insurance premiums, and loss of lead vendor relationships. For agencies selling Medicare products, TCPA violations can also trigger CMS enforcement actions that put your ability to sell Medicare at risk.

Common TCPA Violations Insurance Agents Make

Understanding the most frequent violations helps agencies build targeted compliance programs. Based on enforcement actions and class action filings from 2024–2025, these are the most common TCPA violations in the insurance industry:

• Calling numbers on the DNC registry: Often caused by infrequent list scrubbing or using outdated data
• Insufficient consent documentation: Lead forms that don't meet the legal requirements for prior express written consent
• Calling after consent revocation: Failing to process and honor opt-out requests promptly
• Exceeding calling hours: Not accounting for the consumer's time zone, especially when calling across the country
• Using shared/multi-buyer leads without proper consent: Relying on lead aggregators who don't comply with the one-to-one consent rule
• Abandoned calls (predictive dialer overflow): Predictive dialers connecting calls with no agent available, resulting in dead air
• Failing to provide opt-out mechanisms: Not giving consumers a clear way to stop future calls during every interaction
• Calling reassigned numbers: The original consent holder may have given up the number, and the new owner never consented

How to Build a TCPA-Compliant Calling Program

Compliance is not a one-time project—it is an ongoing program that must be integrated into every aspect of your calling operations. Here is a systematic framework for building and maintaining TCPA compliance:

1. Audit Your Consent Collection

Review every source of leads your agency uses. For each source, verify that the consent language on the lead form meets the current TCPA requirements, including the one-to-one consent rule. If you buy leads from third parties, request copies of their consent forms and confirm that your agency is specifically named. Document your audit and repeat it quarterly.

2. Implement Robust DNC Scrubbing

Set up automated DNC scrubbing that runs against both the National DNC Registry and all applicable state registries before any campaign launches. Configure your system to re-scrub lists every 31 days at minimum. Integrate your internal DNC list with your dialer so that opt-out requests are honored in real time. For detailed guidance, see our complete DNC compliance guide.

3. Configure Your Dialer for Compliance

Your dialing platform should enforce compliance automatically. This includes time zone-aware calling hour restrictions, call frequency caps, abandoned call rate limits (no more than 3% for predictive dialers under the FCC safe harbor), and automatic DNC list integration. If your current dialer doesn't support these features, it's time to switch to a TCPA-compliant dialer built for insurance.

4. Train Your Agents

Every agent who makes outbound calls should receive TCPA training before they start dialing and at least annually thereafter. Training should cover consent requirements, DNC procedures, how to handle opt-out requests, calling hour restrictions, and what to do if a consumer expresses frustration or threatens legal action. Document all training with attendance records and test scores.

5. Monitor and Audit Continuously

Compliance is not set-and-forget. Implement ongoing monitoring that includes call recording review, consent documentation audits, DNC scrubbing verification, and agent compliance scoring. AI-powered monitoring tools can automate much of this work, flagging potential violations in real time so supervisors can intervene before problems escalate.

How AI Monitoring Strengthens TCPA Compliance

Manual compliance monitoring—listening to a random sample of calls and reviewing consent records by hand—catches only a fraction of potential violations. AI-powered compliance monitoring changes the equation by analyzing every single call for TCPA compliance indicators.

Modern AI compliance tools can detect when agents fail to provide required disclosures, identify calls made outside permitted hours, flag potential consent issues, and monitor for language that suggests harassment or undue pressure. Combined with AI-powered insurance compliance systems, agencies gain comprehensive protection across all regulatory requirements.

TCPA Compliance Checklist for Insurance Agencies

Use this checklist to assess your agency's current TCPA compliance posture and identify gaps that need to be addressed:

• All lead sources provide prior express written consent that names your agency specifically
• Consent records are stored securely and can be retrieved within 24 hours if challenged
• Calling lists are scrubbed against the National DNC Registry at least every 31 days
• Applicable state DNC registries are included in your scrubbing process
• An internal DNC list is maintained and integrated with your dialer
• Opt-out requests are processed and honored within 10 business days
• Calling hours are restricted to 8 AM–9 PM in the consumer's time zone
• State-specific calling hour restrictions are programmed into your dialer
• Predictive dialer abandon rate is maintained below 3%
• All agents receive annual TCPA compliance training
• Call recordings are retained for the required period
• A written TCPA compliance policy is in place and regularly updated

Conclusion: Compliance Is a Competitive Advantage

TCPA compliance is often viewed as a burden—another layer of regulation that makes it harder to sell. But the agencies that embrace compliance as a core operating principle actually gain a competitive advantage. They avoid the devastating costs of lawsuits and fines. They build trust with consumers who are increasingly wary of aggressive telemarketing. They maintain strong relationships with carriers and lead vendors. And they sleep better at night knowing their business is built on a solid legal foundation.

The key is to stop treating compliance as a manual, after-the-fact review process and start building it into the technology stack that powers your calling operations. When your dialer automatically enforces calling hours, scrubs DNC lists in real time, tracks consent at the lead level, and uses AI to monitor every call for compliance issues, TCPA compliance becomes a seamless part of your workflow rather than a separate, burdensome process.