Cold Calling Laws in 2026: The Complete Compliance Guide for B2B Sales Teams

Introduction

The cold calling rulebook keeps shifting. Through 2025, TCPA class action filings rose roughly 97% year-over-year (11), the FCC delayed its sweeping “revoke-all” opt-out rule for the second time — now pushed to January 31, 2027 (12) — and at least five states passed or expanded mini-TCPAs that catch B2B teams off guard. Meanwhile, the FCC’s 2024 ruling that AI-generated voice calls count as robocalls is still in force (2), and state attorneys general are using it.

One question keeps surfacing on outbound floors: “Is cold calling against the law now?” The short answer is no — cold calling itself remains legal across the US, Canada, the UK, and the EU. The longer answer is that the gap between legal and lawsuit bait has narrowed. Compliance is no longer a checklist; it’s a moving target.

This guide breaks down what changed in 2026, what stayed the same, and how to run a B2B cold calling program that generates qualified pipeline without inviting a class action. We cover federal TCPA and TSR rules, the new state mini-TCPA wave (Texas, Oregon, Virginia, Maine), AI voice calling restrictions, GDPR and PECR for European outreach, Canadian CRTC rules, and the practical compliance playbook our SDR teams use across North America, Europe, and LATAM.

This article was built by reviewing federal regulations, state legislation, recent FCC orders, and litigation data, then interpreted through Martal Group’s perspective from running compliant outbound campaigns globally for 16+ years. Our goal is to give B2B sales leaders a clear, current picture of what’s actually enforceable in 2026 — without the legal jargon.

Note: We’re not lawyers. This is general guidance, not legal advice. Cold calling laws change frequently and vary by jurisdiction — always confirm with counsel before launching a campaign in a new region.

What Is a Cold Call? Definitions Every B2B Sales Team Needs

Before we get into the rules, we need to be precise about what those rules actually cover. A surprising number of TCPA disputes turn on definitions — what counts as an autodialer, what counts as a robocall, whether a number is residential or business — so the vocabulary matters.

Cold call. A first-touch outbound phone call to a prospect who has not previously engaged with your company and has not given consent to be contacted. Under the TCPA, this is treated as “telephone solicitation” — an unsolicited call meant to encourage the purchase of property, goods, or services. If you’ve already exchanged emails, met at an event, or the prospect filled out a form, the call is technically warm, not cold — and different consent rules may apply.

Robocall. A call placed using an automatic telephone dialing system (ATDS) or one that delivers a prerecorded or artificial voice message. Under the FCC’s February 2024 ruling (2), AI-generated voices fall squarely into the “artificial voice” category. Every robocall to a cell phone or residential line for marketing purposes requires prior express written consent under federal law.

ATDS (Automatic Telephone Dialing System). Equipment that uses a random or sequential number generator to store or dial telephone numbers. After the Supreme Court’s Facebook v. Duguid decision in 2021 (13), this definition narrowed significantly at the federal level — most modern power dialers that pull from preloaded contact lists no longer qualify as an ATDS. State definitions, however, are broader. Florida’s FTSA and Oklahoma’s OTSA both define autodialing systems much more loosely, which means a dialer that’s compliant federally can still violate state law.

AI dialer / AI power dialer / conversational AI sales agent. Newer category covering software that uses AI to handle parts of the outbound call workflow — number selection, voice synthesis, conversation, or qualification. The legal status depends entirely on what the AI is doing. AI that suggests talk tracks to a live human rep is generally fine. AI that speaks on the call is treated as an artificial voice and requires prior express written consent. AI that auto-dials lists may or may not qualify as an ATDS depending on how it selects numbers.

Prior Express Written Consent (PEWC). A signed agreement (digital or physical) from the prospect that clearly discloses they’re agreeing to receive marketing calls or texts using an autodialer or artificial voice, identifies the specific company doing the calling, and includes the phone number being used. Pre-checked boxes don’t qualify. Bundled consent for “marketing partners” was challenged by the FCC’s one-to-one consent rule, which the Eleventh Circuit struck down in January 2025 (12)— but if you can document specific, single-seller consent, you’re on solid ground in any jurisdiction.

National Do Not Call Registry (NDNCR). The FTC-maintained database of consumer phone numbers that have opted out of telemarketing. The registry contains over 249 million active numbers (8), and telemarketers must scrub against it at least every 31 days. Business landlines are generally exempt from the registry, but personal cell numbers used for business are not — which is the single biggest trap for B2B teams.

With the vocabulary out of the way, let’s start with the question almost every sales leader asks first.

Is Cold Calling Illegal in 2026? The Honest Answer for B2B Teams

The FTC’s National Do Not Call Registry now holds over 249 million active numbers and TCPA class action filings rose roughly 97% year-over-year through Q3 2025.

Reference Source: FTC, WebRecon via ACA International

Let’s address the question that keeps coming up on outbound floors and Reddit threads: is cold calling illegal? No. Cold calling itself is legal in the US, Canada, the UK, and the EU. What’s illegal is cold calling done the wrong way — calling the wrong type of number, using the wrong technology, ignoring opt-outs, or operating in a state without registering when registration is required.

That distinction matters more in 2026 than it did even a year ago. The class-action surge through 2025 wasn’t driven by new enforcement campaigns from the FCC or FTC. It was driven by a small number of plaintiffs’ firms and serial litigators who file routinely against any company whose calling practices have a procedural gap. A single non-compliant campaign can generate seven-figure exposure inside a month. The federal cops aren’t the main risk anymore — the private bar is.

Cold calling is legal, but with conditions. In the United States, cold calls are allowed only if you comply with theTelemarketing Sales Rule (TSR) (1). These rules govern who you can call, when, and how. Violating the TSR can trigger fines up to $51,744 per call (the figure is indexed annually for inflation). Under the TCPA, calling someone who didn’t consent can trigger statutory damages of $500 per violation, tripled to $1,500 per violation if a court finds the violation was willful or knowing.

That means a 200-call campaign with uncleaned lists could theoretically generate $100,000 to $300,000 in liability. A 10,000-call campaign could clear $15 million. Those numbers aren’t theoretical — they’re how class-action settlements actually get calculated.

The B2B vs. B2C Distinction (and the Cell Phone Trap)

One of the most common questions sales leaders ask is: “Is there a law against cold calling businesses?”

Federally, no. The FTC’s TSR generally exempts B2B solicitation calls from the National Do Not Call Registry rules — meaning calling a company’s main switchboard or an employee’s desk line at a verified business landline doesn’t require a DNC scrub at the federal level. But that exemption is much narrower than most teams assume, and the gap creates the single biggest compliance trap in B2B outbound.

The trap is the cell phone. Another question that comes up constantly: “Is it illegal to cold call cell phones?” The answer depends on three things: who owns the phone, how you’re dialing it, and what state the recipient is in.

The federal TCPA was written in 1991 to protect consumers from intrusive cell phone calls, and it treats every wireless number as residential — regardless of whether the prospect uses it for business. There is no “business use” carve-out for cell phones at the federal level. If a CFO uses her personal mobile as her primary work line and gives that number out at conferences, calling it for a marketing pitch is governed by consumer TCPA rules, not B2B exemptions.

The practical implications for a B2B outbound team:

– Manually dialed cold calls to cell phones during legal hours are generally legal, as long as you scrub against the DNC and honor opt-outs.

– Autodialed or AI-voiced calls to cell phones require prior express written consent — full stop. Even if the number is on a business contact list, even if the person uses it for work.

– Power dialers and parallel dialers are the gray zone. Most modern dialers that pull from preloaded lists don’t qualify as an “ATDS” under the federal Facebook v. Duguid standard (13), which means they’re often safe federally — but Florida, Oklahoma, Texas, and several other states define autodialers more broadly. A dialer that’s compliant in California can be a violation in Tampa.

Several states — Arizona, Louisiana, New Jersey, Texas, and Wyoming among them — restrict even manually dialed calls in certain contexts. The “B2B exemption” narrative most teams operate on is a federal narrative; states didn’t sign up for it.

Europe and Canada: Lawful, But with Stricter Privacy Frameworks

Outside the US, cold calling legality hinges on consent and purpose more than on dialing technology.

Canada permits cold calling but requires scrupulous registration and scrubbing through the CRTC’s National Do Not Call List (5), plus adherence to call curfew hours (we cover specifics in the Calling Times section below). Internal opt-outs must be honored within 14 days and retained for 3 years. CASL (Canada’s Anti-Spam Legislation) governs related electronic outreach.

The EU’s GDPR (14) doesn’t outlaw cold calling outright, but it requires a lawful basis to process the prospect’s personal data for marketing — typically “legitimate interest” for B2B outreach, which must be documented and balanced against the prospect’s privacy rights. 

The UK’s PECR layers on the Telephone Preference Service (TPS) for consumers and CTPS for businesses (15)— both opt-out registries that must be screened before calling. Most EU member states maintain their own equivalents (France’s Bloctel, Spain’s Lista Robinson, Italy’s Registro Pubblico delle Opposizioni). EU regulators continue to issue substantial fines for unlawful marketing — Italy’s data protection authority has imposed multi-million-euro penalties in recent enforcement actions, and Germany’s UWG allows individual fines up to €300,000 per violation.

Bottom line: Cold calling is lawful as a B2B outreach method in every market we operate in — North America, Europe, and LATAM. But “lawful” doesn’t mean “automatic.” Each region requires its own playbook. Cross-border outbound campaigns fail compliance most often when teams apply US assumptions to EU prospects, or vice versa.

How This Plays Out in Practice

One of the clearest examples we can point to: a Stockholm-based IoT facilities and climate-control company partnered with us to build US pipeline. They couldn’t run their own US outbound from Sweden — the dialing infrastructure, time-zone coverage, state registration requirements, and DNC scrubbing all sit outside their domestic operations.

Over a 24-month engagement, our onshore North American team ran appointment setting campaigns that generated 139 booked meetings with US enterprise prospects, all run through Martal’s US-resident compliance infrastructure. The compliance work isn’t optional overhead for that kind of cross-border motion — it’s the precondition that makes the campaign possible at all.

So what are these rules you actually need to follow? We’ll start with the topic generating the most regulatory heat in 2026: AI in cold calling, and why autodialers and “robot calls” carry the steepest fines on the books.

Is AI Cold Calling Illegal? (Robocalls, AI Voices & Autodialers)

Companies can owe $500 per call for unintentional TCPA violations, $1,500 per call for willful ones and AI voice calls without consent are presumed willful by most courts.

Reference Source: FCC TCPA Rules

The vendor pitches arrive in our SDRs’ inboxes constantly: AI voice agents that promise to make 10,000 calls a day at a fraction of a human rep’s cost. Conversational AI sales agents that handle qualification end-to-end. AI dialers and AI power dialers that book meetings without an SDR ever picking up the phone.

The economics look great in a deck. The legal status is more complicated than most of those decks let on.

Is AI Cold Calling Illegal?

One of the most direct questions we get from heads of sales evaluating this category: “Is AI cold calling illegal in the US?”

The short answer is not inherently — but using AI voices in cold calls without consent is illegal. In February 2024, the FCC ruled unanimously (2) that calls made with AI-generated or prerecorded voices are subject to the same strict rules as traditional robocalls. Any “artificial or prerecorded voice” in a call triggers the TCPA’s consent requirement. An AI voice clone talking to a prospect on the phone is, legally speaking, an artificial voice under the statute.

If you call a cell phone or residential line with an AI voice and you don’t have the prospect’s prior express written consent, you’re violating the TCPA. Statutory damages run $500 per call for unintentional violations and $1,500 per call for willful or knowing violations. Most courts treat AI voice calls without consent as willful by default — the technology is too deliberate to plead ignorance. A campaign of 10,000 AI-dialed calls without consent could clear $15 million in liability.

State attorneys general can also pursue these damages directly under the FCC’s 2024 ruling, and they’ve started doing it. The 2025 enforcement trend was clear: regulators stopped sending warning letters and started filing actions.

What About “Is Voice AI Safe” — and AI Voice Scams?

The harder question consumers and regulators are asking: “Is voice AI safe?”

The technology itself isn’t the problem. The misuse is. Through 2024 and 2025, AI voice scams exploded — fraudsters using cloned voices to impersonate executives, family members, government officials, and brand representatives. The FCC’s TCPA ruling on AI voices was specifically designed to give regulators and consumers a clean enforcement hook against bad actors, and to draw a sharp line between consented AI voice use (legitimate) and unconsented AI voice use (presumptively a scam).

For B2B sales teams, the implication is reputational as much as legal. Even if your AI voice cold call is technically permitted because you have documented consent, the prospect on the other end may not realize that — they may experience the call as “another AI voice scam” and respond accordingly. Buyer trust is moving against unannounced AI calling fast. Our position at Martal is unambiguous: AI is most powerful when it amplifies a human SDR, not when it replaces one. A senior rep with AI-prepared context, real-time prompts, and post-call intelligence converts at multiples of a synthetic-voice agent dialing the same list. The legal advantage is the same as the conversion advantage.

What About Autodialers, AI Dialers, and AI Power Dialers?

The third question that surfaces constantly: “What’s the difference between an autodialer and an AI dialer — and which ones are legal?”

The legal answer hinges on the technical definition of an Automatic Telephone Dialing System (ATDS) under the TCPA. After the Supreme Court’s Facebook v. Duguid decision in 2021 (13), the federal definition narrowed to equipment that uses a random or sequential number generator to store or dial telephone numbers. Most modern AI dialers and AI power dialers pull from preloaded contact lists rather than generating random numbers, which means they often don’t qualify as an ATDS at the federal level — and aren’t subject to the strict prior-consent rule for cell phone calls under federal law.

That federal carve-out is fragile. State definitions are broader:

– Florida’s FTSA (6) and Oklahoma’s OTSA both define autodialing systems much more loosely than the federal Duguid standard, and both create private rights of action.

– Texas’s SB140 (16) (effective September 1, 2025) treats automated dialing equipment broadly and adds a $10,000 surety bond requirement for telemarketers reaching Texas residents.

– Several states — Arizona, Louisiana, New Jersey, Texas, Wyoming — restrict even manually dialed sales calls in certain contexts.

The practical rule of thumb our team operates under: AI is a copilot, not a caller. AI that helps a human SDR — drafting context briefs, suggesting talk tracks, transcribing and analyzing calls, identifying buying signals from prior interactions — is fully compliant in every market we work in. AI that speaks on the call, dials autonomously across cell numbers, or replaces the human rep entirely requires explicit consent that is rarely available in pure cold outbound.

What’s Changing in 2026: The Eleventh Circuit, the FCC’s Revoke-All Delay, and “Delete, Delete, Delete”

Three regulatory developments through 2025 reshaped the AI calling landscape — and a fourth is pending.

1. The Eleventh Circuit struck down the FCC’s “one-to-one consent” rule. On January 24, 2025 (12), the federal appeals court vacated the FCC rule that would have required marketers to obtain consent on a strict one-seller-at-a-time basis. The court found the FCC exceeded its statutory authority. Bundled or marketing-partner consent is permitted again — though marketers should still document specific, single-seller consent wherever possible to stay defensible against state-level claims.

2. The FCC delayed its “revoke-all” rule for the second time. The rule that would require a single opt-out request to apply across all communications from a caller — originally scheduled for April 2025 — was delayed first to April 2026, then delayed again on January 6, 2026 to January 31, 2027 (12). The Bureau cited operational concerns from financial institutions and the FCC’s own pending review of whether to modify or eliminate the rule altogether.

3. The FCC opened a “Delete, Delete, Delete” rulemaking. In October 2025, under new leadership, the FCC opened a sweeping proceeding to evaluate whether multiple TCPA and DNC rules (17) — including AI-call identification requirements and the revoke-all rule — should be modified or eliminated. The direction of travel is toward fewer federal restrictions, not more.

4. State legislatures are moving the opposite direction. As federal rules contract, state mini-TCPAs are expanding. Texas, Oregon, Virginia, Washington, and Maine all enacted or amended laws in 2024–2026 that catch AI calling, autodialed texts, and broader dialing technology than the federal Duguid definition allows. We cover the state landscape in detail in the State Mini-TCPA Snapshot section below.

The net effect: federal AI calling rules are softening, but compliance complexity is rising — because state-by-state divergence is now the bigger risk than federal enforcement. National outbound teams can no longer run a single playbook.

The Operating Model That Works in 2026

Across the campaigns our SDR teams run for clients in AI/ML, cybersecurity, manufacturing, fintech, and adjacent verticals, the same compliance pattern holds: AI handles the prep and the post-call work; a senior human handles the conversation. Our AI SDR Platform generates ICP-aligned prospect intelligence, drafts outreach context, surfaces intent signals, and supports deliverability — but the dial itself, the conversation, and the qualification are all done by an experienced onshore rep. That structure isn’t just a compliance choice. It’s also a conversion choice. Buyers respond better to a senior human who knows their business than to a synthetic voice working from a script.

Key takeaways for AI and autodialers in 2026:

– Treat AI voices as robocalls. Any AI-generated voice on the call requires prior express written consent in the US. That consent has to be documented, specific, and tied to your company by name.

– Identify the caller and the AI, even where rules are softening. TCPA still requires caller identification and an opt-out mechanism on artificial-voice calls. State rules can require more.

– Use AI as a copilot, not a replacement. AI that helps a live SDR — context briefs, real-time prompts, post-call analysis, deliverability — is universally compliant. AI that speaks or dials autonomously is the legal exposure zone.

– Watch state laws more than federal ones. The federal trajectory is toward fewer rules. State trajectories are toward more. National outbound campaigns need state-aware playbooks.

– Document everything. Consent records, opt-out timestamps, call logs, dialer configurations — if a class action arrives, the audit trail is your defense.Next, we’ll look at a more straightforward but equally critical compliance dimension: when you’re legally allowed to call.

Cold Calling Times Allowed: Legal Time to Call Customers

The federal calling window is 8 AM–9 PM in the recipient’s local time zone. At least 15 US states impose stricter rules — Oregon’s window narrowed to 8 AM–8 PM effective January 1, 2026, with a 3-call-per-day cap that includes texts.

Reference Source: Troutman Pepper Locke

One of the most concrete cold calling rules is also one of the most commonly violated: when you’re allowed to call. Federal law caps US telemarketing at 8 AM to 9 PM in the recipient’s local time. Most teams get the federal window right and miss the state overrides — and the state overrides are where 2025–2026 enforcement risk is concentrating.

Sales leaders ask us this all the time: “What time can telemarketers legally call?” The honest answer is it depends on three things — federal rules, the recipient’s state, and (for cell phones) any state opt-in registries that override the defaults. We’ll walk through each region, then give you a single safe-window heuristic at the end.

Federal US Rules

The Telemarketing Sales Rule (1) cap telemarketing calls between 8:00 AM and 9:00 PM in the recipient’s local time zone. That window applies to consumer calls; B2B calls to verified business landlines are generally exempt federally, but personal cell phones used for business get treated as residential under the TCPA and fall under the federal window regardless.

State-Level Overrides (the 2025–2026 Wave)

At least 15 states impose stricter rules than federal law, and the wave keeps building:

– Oregon (HB 3865) — Effective January 1, 2026. Calling window narrowed to 8 AM–8 PM, with a hard cap of 3 solicitations per 24 hours (calls or texts combined) (18). Violations are unlawful trade practices under Oregon’s UTPA, exposing companies to civil penalties and a private right of action.

– Texas (SB140) — Effective September 1, 2025. Texas amendments extend telemarketing rules to text messages, narrow the calling window, require a $10,000 surety bond from telemarketers reaching Texas residents, and create a private right of action with statutory damages of up to $5,000 per violation (16).

– Virginia — Effective July 1, 2026. Virginia’s amendments require companies to honor text opt-out requests for 10 years and add tighter caller-identification requirements.

– Florida (FTSA) — Window: 8 AM–8 PM. Three-call cap per 24 hours. Broader autodialer definition than the federal Duguid standard, plus a private right of action that has driven heavy class-action filings since 2021.

– Connecticut — No telemarketing calls before noon on Sundays.

– Rhode Island — Window narrows to 8 AM–6 PM on weekdays.

– Maine — Window: 9 AM–9 PM weekdays, 9 AM–5 PM Saturdays, no Sunday calling. Also operates a Reassigned Numbers Database mandate effective since July 2024 (19)— adding a scrub layer beyond the federal RND.

– Mississippi, Pennsylvania, Colorado — All maintain state DNC lists that include some categories of business numbers. Don’t assume the federal B2B exemption applies.

– Arizona, Louisiana, New Jersey, Wyoming — Restrict even manually dialed sales calls in certain contexts.

The Practical Safe Window

If you’re running national outbound and don’t want to maintain 50 state-specific calling schedules, the cleanest universal window is:

11:00 AM to 8:00 PM Eastern Time, Monday through Friday.

That window respects the strictest state-by-state rules across the continental US, avoids almost all Sunday and weekend prohibitions, lands during high-engagement business hours for most time zones, and gives you a defensible compliance posture if a complaint arrives. Our SDR teams running US campaigns operate inside this window by default, then expand when a specific state’s rules and a specific account’s profile justify it.

Canada

Canada’s CRTC rules permit telemarketing 9:00 AM to 9:30 PM Monday through Friday and 10:00 AM to 6:00 PM Saturday and Sunday (recipient’s local time) (5). Cold email is restricted by CASL requiring opt-in consent for most B2C and many B2B contexts — which is why our Canada-targeted campaigns lean on cold calling and LinkedIn outreach rather than email.

EU and UK

EU member states largely align around 8 AM to 8 PM or 9 PM windows, but several countries have additional restrictions:

– United Kingdom — PECR recommends 8 AM–9 PM weekdays only (15), with weekends and bank holidays generally avoided. Companies on the Corporate Telephone Preference Service (CTPS) cannot be called for marketing (20).

– Germany — Strictly forbids unsolicited B2C calls without prior opt-in consent under the UWG. B2B calls require “presumed consent” — a documented assumption that the called business would consent based on the relevance of the offer. Calls limited to standard business hours.

– France — Operates Bloctel, the national opt-out registry for consumers. No calls before 10 AM, after 8 PM, on weekends, or on holidays (21).

– Italy — Maintains the Registro Pubblico delle Opposizioni and continues to issue substantial GDPR fines for unauthorized marketing calls (22).

– Spain — Operates Lista Robinson as the national opt-out service (23).

Australia

Australia’s Do Not Call Register Act prohibits unsolicited telemarketing on Sundays and national holidays, with weekday calls limited to 9 AM–8 PM and Saturday calls 9 AM–5 PM (10).

Why This Matters in 2026

Calling outside permitted hours doesn’t just annoy prospects. It opens companies to violations under federal TCPA, the TSR, and the rapidly expanding mini-TCPAs at the state level — and most state mini-TCPAs include private rights of action with statutory damages of $200–$5,000 per violation. A single non-compliant outbound campaign can generate exposure that exceeds the campaign’s revenue.

One more thing worth noting: timing also affects conversion. The legally permissible window is wider than the commercially effective window. Calls before 9 AM or after 5 PM rarely convert in B2B regardless of whether they’re legal. Our highest connect rates run in the late-morning and mid-afternoon blocks — roughly 10 AM–noon and 3–4:30 PM in the prospect’s local time — which sit comfortably inside every regulatory window we operate in.

State Mini-TCPA Snapshot: The 2026 Compliance Map 

One of the questions we hear most often from sales leaders running national outbound: “Is there a new cold calling law I should know about?”

The answer in 2026 is yes — and probably more than one. While federal TCPA rules have stabilized or softened (the Eleventh Circuit struck down the one-to-one consent rule, the FCC delayed the revoke-all rule to 2027), state legislatures have moved in the opposite direction. Mini-TCPAs — state laws modeled on the federal TCPA but with broader autodialer definitions, narrower calling windows, additional registration requirements, and private rights of action — are now the bigger compliance risk for B2B teams running multi-state campaigns.

Here’s what changed in 2025–2026, organized by impact:

Texas — SB140 (Effective September 1, 2025)

The most aggressive mini-TCPA expansion of 2025. Texas SB140 extends the state’s existing telemarketing rules to text messages, narrows calling hours to 9 AM–9 PM Mon–Sat and noon–9 PM Sunday, requires telemarketers reaching Texas residents to post a $10,000 surety bond, and creates a private right of action with statutory damages up to $5,000 per violation. The bond requirement alone has caused several national outbound vendors to cease Texas-targeted campaigns entirely.

Oregon — HB 3865 (Effective January 1, 2026)

Oregon’s Telemarketing Modernization Act tightened calling hours to 8 AM–8 PM, capped contacts at 3 per 24-hour period (calls and texts combined), expanded the definition of “telephone solicitation” to include text messages, and made violations actionable as unlawful trade practices under Oregon’s UTPA. Consumers can recover actual damages or $200 per violation, whichever is greater, plus punitive damages. Oregon’s Department of Justice can also pursue independent enforcement.

Virginia — HB 2367 / SB 1148 (Effective July 1, 2026)

Virginia’s amendments require companies to honor text opt-out requests for 10 years, tighten caller identification requirements, and align state penalties more closely with federal TCPA damages. The text-opt-out retention period is the longest in the country and creates a substantial data-management burden for companies running ongoing nurture campaigns.

Florida — FTSA (Refined 2023, Active Litigation 2024–2026)

The original 2021 FTSA was scaled back in 2023 after a wave of class actions threatened to make the state ungovernable for legitimate outbound. The current rules cap calls between 8 AM–8 PM, limit contacts to 3 per 24 hours, and define autodialing systems much more broadly than the federal Duguid standard. Florida’s private right of action remains active, and Florida courts continue to be one of the most plaintiff-friendly venues for TCPA class actions in the country.

Maine — Reassigned Numbers Database Mandate (Effective July 2024)

Maine became one of the first states to mandate scrubbing against the FCC’s Reassigned Numbers Database for any telemarketer reaching Maine residents. The RND lets callers verify whether a number has been reassigned to a new subscriber since consent was originally given — a major source of inadvertent TCPA violations. Federal rules already provide a safe harbor for callers who scrub the RND; Maine made that scrub effectively required.

Washington — Updated UCPA (2025 Amendments)

Washington updated its consumer protection framework with stricter caller identification requirements and expanded private rights of action for unlawful telemarketing. Violations can be pursued under both the state’s CPA and federal TCPA in parallel.

Other States to Watch

Oklahoma’s OTSA maintains a broad autodialer definition similar to Florida’s, with a private right of action (9).

Connecticut, Mississippi, Pennsylvania, Colorado all maintain state DNC lists that include some categories of business numbers — meaning the federal B2B exemption isn’t available for residents in those states.

Arizona, Louisiana, New Jersey, Wyoming restrict even manually dialed sales calls in certain contexts. Manual dial doesn’t always equal compliance. 

How This Plays Out for Multi-State B2B Campaigns

The compliance burden is real, but it’s manageable when the operating model is built for it. We ran a 14-month outbound lead generation campaign for a manufacturing client in the industrial tools space — a US market entry from a non-US operating base — that delivered 1,596 qualified leads and 203 SQLs across electrical and safety verticals. That campaign required state-by-state calling cadence variation, dialer configuration that toggled by recipient state, scrubbing against both the federal NDNCR and Maine’s RND requirement, and a documented audit trail per call. None of that was optional. The campaign worked because the compliance infrastructure was the precondition, not an afterthought.

The practical rule we follow for any multi-state US campaign:

1. Calling cadence defaults to 11 AM–8 PM Eastern Mon–Fri — the universal safe window covered in the previous section.

2. State-aware dialer rules — recipient state lookup at dial time, with stricter rules applied automatically (Oregon caps at 3/day, Texas requires bond verification, Maine requires RND scrub).

3. Autodialer suppression for FL/OK/TX residents — manual or click-to-dial only, regardless of federal Duguid posture.

4. Internal DNC enforcement is universal — any opt-out request is logged and propagated across all channels and all states, indefinitely.

5. Documentation per call — timestamp, channel, agent, recipient state, consent source, and outcome. If a class action arrives, this is the defense.

This isn’t a checklist most teams want to build in-house. It’s part of why our sales outsourcing clients hand the entire compliance layer to us along with the outbound execution — the operational overhead is meaningful, and getting it wrong is expensive.

With the state map covered, the next layer is the rules around who you can call and the consent and DNC mechanics that govern that question.

Cold Call Lists, DNC, and Consent: The Mechanics of Who You Can Call

Calling a number on the U.S. National DNC Registry without consent can result in fines up to $51,000 per call.

Reference Source: FTC DNC Registry FAQs

The calling window is one half of compliance. The contact list is the other half — and arguably the bigger trap. Most TCPA class actions don’t allege calls at the wrong time. They allege calls to numbers the company shouldn’t have had on the list to begin with: numbers on the federal DNC, numbers the prospect previously asked to be removed from, numbers reassigned to someone who never consented.

Three real human questions surface here constantly. We’ll address each one inline.

“What Happens If You Cold Call Someone on the Do Not Call List?”

This is the most common entry point question. The mechanics work like this:

The US National Do Not Call Registry is operated by the FTC and contains over 249 million active numbers (8) — essentially every US consumer who has ever opted out of telemarketing. The registry covers personal landlines and personal cell phones; it does not generally cover business landlines.

Calling a number on the federal DNC without an applicable exemption can trigger:

– FTC penalties up to $51,744 per violation (the figure is indexed annually for inflation under the Federal Civil Penalties Inflation Adjustment Act).

– Private TCPA claims of $500 per call, trebled to $1,500 if a court finds the violation willful or knowing. The TCPA’s private right of action is what drives the class-action volume — a single uncleaned list of 5,000 numbers can theoretically generate $7.5M in exposure if every call triggers willful damages.

– State attorneys general can pursue independent enforcement under their own statutes, with their own penalty structures.

The federal scrub requirement is every 31 days — any list older than 31 days cannot legally be used for telemarketing. Best practice is automated scrubbing on every list load and every campaign launch.

“How Often Can a Telemarketer Call You?” (Internal DNC Rules)

Federal DNC handles the who you can call. Internal DNC handles what happens after you call.

Anyone who tells your company “stop calling me” gets added to your internal DNC list — and that request must be honored across the entire organization, not just on the specific campaign that generated the request. Federal rules require the request be processed within 31 days of receipt and retained for at least 5 years. As a practical matter, internal DNC entries should be permanent.

The 2024 FCC opt-out rule that would have required a single revocation request to apply to all robocalls and robotexts from that caller — even on unrelated topics — was delayed for the second time on January 6, 2026, now pushed to January 31, 2027 (12). The Bureau cited operational concerns and the FCC’s own pending review of whether to modify or eliminate the rule. For now, the existing TCPA opt-out rules remain in force: any reasonable revocation request must be honored within 10 business days, but a revocation tied to one type of message doesn’t automatically apply to all communications from the caller.

State rules go further. Oregon’s HB 3865 caps total solicitations at 3 per 24 hours, calls and texts combined. Virginia requires text opt-out retention for 10 years (18). Florida and Texas both treat repeat contact after opt-out as a per-call violation under their mini-TCPAs.

“Is Bundled Consent Still Allowed?” (The Eleventh Circuit Reset)

One of the most consequential 2025 developments for B2B teams operating from third-party lead lists: on January 24, 2025, the Eleventh Circuit struck down the FCC’s “one-to-one consent” rule (12). The rule would have required marketers to obtain prospect consent one seller at a time and would have invalidated bundled consent across “marketing partners.”

The court found the FCC exceeded its statutory authority. Bundled consent — where a prospect agrees to receive marketing from a defined list of partners — is permitted again at the federal level. The FCC subsequently confirmed it would not appeal the decision and has formally repealed the rule.

The practical implication: lead-generation networks and partner-marketing arrangements that were under threat in late 2024 are now operationally viable again. But state laws don’t follow this federal carve-out — Florida’s FTSA and several other state mini-TCPAs apply consent standards regardless of federal rule changes. Document specific, single-seller consent wherever possible to stay defensible against state-level claims, even if you’re technically permitted to operate on bundled consent federally.

Reassigned Numbers: The Quiet Risk Most Teams Underestimate

One source of inadvertent TCPA violations that most outbound teams underestimate: phone numbers that have been reassigned to new subscribers since the original consent was given. The original prospect consented; the current subscriber didn’t. The TCPA doesn’t care that you didn’t know.

The FCC operates the Reassigned Numbers Database (RND) for exactly this scenario (7). Callers who scrub their consent records against the RND get a federal safe harbor — meaning if the database returns “no reassignment” and you call the number, you’re protected from TCPA liability for that call even if a reassignment did occur and the database was wrong.

Maine made RND scrubbing effectively required for any telemarketer reaching Maine residents in July 2024, and several other states are considering similar requirements. National outbound teams should treat RND scrubbing as a standard operating procedure regardless of where the recipient is — the safe harbor alone justifies the scrub cost.

B2B Specifics: Where the Federal Exemption Holds and Where It Doesn’t

The federal B2B exemption from the National DNC Registry covers calls to verified business landlines. It does not cover:

– Personal cell phones used for business — treated as residential under the TCPA regardless of business use.

– Business numbers in states that maintain state DNC lists covering business numbers — Pennsylvania, Mississippi, Colorado all maintain such lists in some form.

– Calls using artificial voice or autodialers to wireless numbers — federal robocall and TCPA cell phone rules apply universally, B2B or B2C.

– Calls after an opt-out — the federal exemption protects DNC scrubbing requirements, not the right to ignore individual revocation requests.

Many sales leaders also ask: “Can I sue for cold calls?” — usually after a business contact at one of their prospects threatens it. The answer is yes, the TCPA provides a private right of action for $500–$1,500 per call, and most state mini-TCPAs add their own private rights of action on top. Class actions are the dominant form (about 68–78% of all TCPA filings through 2025 are class actions (11)). The plaintiffs’ bar is sophisticated, well-organized, and watching.

Canada — DNCL and CASL

Canada’s National Do Not Call List is operated by the CRTC and must be scrubbed by every telemarketer calling Canadian phone numbers (5). B2B calls are largely exempt from DNCL scrubbing, but internal opt-outs must still be honored within 14 days and retained for 3 years. Penalties run up to CA$15,000 per call for corporations.

CASL — Canada’s Anti-Spam Legislation — governs electronic messaging including most B2B email (4). Any cold email accompanying calls to Canadian prospects must comply with CASL’s opt-in consent framework or fall within a documented exemption. CASL is one of the strictest anti-spam regimes in the world; assume opt-in is required unless a specific exemption applies.

UK and EU — Suppression Lists and Legitimate Interest

The UK operates two opt-out registries: the Telephone Preference Service (TPS) for consumers and the Corporate Telephone Preference Service (CTPS) for businesses (20). Both must be screened before cold calling. Calling a TPS- or CTPS-registered number triggers ICO enforcement under PECR (15), with fines up to £500,000 (and up to 4% of global turnover under UK GDPR for serious data violations).

EU member states each maintain their own opt-out registries — Bloctel (France), Lista Robinson (Spain), Registro Pubblico delle Opposizioni (Italy), Robinsonliste (Germany). Most must be scrubbed before any consumer outbound. For B2B outbound, GDPR typically requires “legitimate interest” as the lawful basis (14) — which means a documented Legitimate Interest Assessment (LIA) balancing your commercial interest against the prospect’s privacy rights. A prospect’s right to object must be honored immediately and permanently.

EU regulators continue to issue substantial penalties for unauthorized marketing calls. Italy’s data protection authority has imposed multi-million-euro fines in recent enforcement actions. Germany’s UWG allows fines up to €300,000 per violation.

LATAM and APAC

Most countries have some form of DNC or consent regime. Brazil’s Não Me Perturbe registry covers consumer marketing. Mexico’s REPEP serves the same function (3). Australia’s Do Not Call Register is mandatory for B2C telemarketers (10) (B2B is largely exempt). India operates DND under TRAI rules. Japan requires opt-out compliance. Singapore’s PDPA combines opt-out registries with consent rules.

The Practical List Hygiene Standard

Across our appointment setting and outbound campaigns, the same list-hygiene standard applies before any cold call leaves our infrastructure:

1. Federal DNC scrub — every list, every load, every 31 days minimum.

2. State DNC scrubs — for every state with its own registry (PA, IN, CO, MS, TX, FL, and others).

3. Internal DNC scrub — universal, indefinite, propagated across all clients and channels.

4. Reassigned Numbers Database scrub — for the federal safe harbor.

5. Cell phone identification — separate handling for any number flagged as wireless or mixed-use.

6. Audit trail per call — timestamp, source of consent (or exemption), agent, recipient state, dialer mode.

That hygiene layer isn’t strategic; it’s table stakes. The strategic layer — the targeting, the messaging, the cadence, the qualification — only matters if the list underneath it is clean.

Now let’s translate everything we’ve covered so far into the operational best practices that separate legally-defensible cold calling programs from the ones that end up on a class-action complaint.

What Compliant Cold Calling Actually Looks Like in 2026

73% of sales teams using AI calling tools were found to be non-compliant with consent laws in a 2023 audit.

Reference Source: The Pipeline Group

The legal landscape is one half of the story. The other half is what actually works in real campaign delivery. We’ve seen what separates compliant outbound programs from the ones that end up on class-action complaints — and the differences usually aren’t legal, they’re operational.

Here’s the playbook our SDR teams operate from across NA, EU, and LATAM campaigns: 

1. Treat Compliance as Engineering, Not Training

The standard advice is “train your reps.” That’s necessary, but it’s not the part that fails. Reps with good intentions still make compliance mistakes when the systems around them allow it. The real work is engineering the calling environment so violations are technically prevented, not just discouraged.

That means dialer rules that block calls outside the recipient’s permitted hours automatically. List-load processes that auto-scrub federal DNC, state DNC, and the Reassigned Numbers Database before a single call goes out. Consent records that propagate across CRM, dialer, email platform, and LinkedIn outreach in real time. Audit logs that capture every dial attempt, channel touch, and opt-out request with timestamps.

One thing we see often when teams build outbound programs in-house: compliance is treated as a checklist the SDR follows, not infrastructure the platform enforces. Every list-load is manual. Every state lookup is the rep’s responsibility. Every internal DNC propagation lives in someone’s head. That model worked when TCPA enforcement was rare. With class-action filings up roughly 97% year-over-year through 2025, it doesn’t work anymore.

2. Use Technology That Actually Prevents Violations

The right outbound stack does most of the compliance work invisibly. Dialer-level controls should automatically:

– Block calls outside the recipient’s local calling window (state-by-state aware, not just federal default).

– Refuse to dial federal DNC numbers, state DNC numbers, internal DNC entries, and Reassigned Numbers Database hits.

– Identify cell phones versus business landlines and route them to manual-dial workflows where required.

– Suppress AI voice and prerecorded messaging for any number without documented PEWC.

– Cap daily contacts per recipient to match the strictest applicable rule (3/day for OR and FL, more permissive elsewhere).

Our AI SDR Platform handles most of this layer for the campaigns we run. The reason isn’t marketing positioning — it’s that compliance enforcement at the platform layer is meaningfully harder to maintain than compliance enforcement at the rep layer, and outsourcing it to dedicated infrastructure removes a class of operational risk most internal teams underestimate.

3. Open Every Call with Identity, Company, and Purpose

The TSR requires it. The TCPA requires it. State mini-TCPAs require it. And every plaintiff’s lawyer reviewing a TCPA complaint will check the call recording for it.

Within the first 10 seconds:

– The rep’s first name

– The company they represent

– The reason for the call (a marketing or sales purpose, not a “courtesy” or “research” framing)

The “courtesy call” euphemism is one of the most common — and most legally dangerous — patterns we see in outbound scripts. The TSR explicitly prohibits misrepresenting the purpose of a call. If you’re calling to sell, say you’re calling to sell. The conversion rates aren’t materially different from the euphemistic openers, and the legal exposure drops to zero.

4. Run Coordinated Omnichannel — Not Stacked Single Channels

Most regulators, plaintiffs’ lawyers, and prospects all evaluate the same thing: frequency of unwanted contact. A prospect who gets hit by 6 calls, 4 emails, and 3 LinkedIn messages in a week experiences that as harassment regardless of whether each individual touch was technically compliant. State laws that cap calls per day (Oregon, Florida) increasingly include text messages in the count. Federal regulators have signaled the same direction.

The compliant operating model is coordinated omnichannel — one outbound system running across email, phone, and LinkedIn, with cadence rules that prevent over-contact within any single window. The opposite — three uncoordinated channels each running their own cadence — is how teams accidentally generate harassment complaints even when each individual touch was lawful.

This is also where the conversion math favors compliance. Spread, well-paced multi-channel sequences convert better than concentrated single-channel pressure. A prospect who gets a thoughtful LinkedIn connection request, a relevant email, and a well-timed call across 3 weeks responds at meaningfully higher rates than the same prospect hit with 12 calls over 5 days. Our omnichannel approach is built around that combined logic — fewer total touches, more relevance per touch, no single-channel saturation.

5. Document Consent, Opt-Outs, and Every Channel Touch

If a TCPA class action arrives, the audit trail is the defense. Specifically:

– Consent records — what was agreed to, by whom, on what date, through what channel, identifying which company.

– Opt-out logs — when the request was received, when it was processed, and confirmation that it propagated to every channel and platform.

– Call records — date, time, recipient state, channel, agent, dial mode (manual or power), call outcome, and call duration.

– List provenance — where the contact data came from, when it was last scrubbed against federal and state DNC, and any RND verification.

The point isn’t bureaucracy. It’s defensibility. The same documentation discipline that satisfies a regulator or plaintiff’s lawyer also makes the outbound campaign measurable — every metric a sales leader cares about (connect rate, conversion rate, channel attribution) lives in the same audit layer that protects the program legally.

For EU campaigns, GDPR adds explicit documentation requirements: a Legitimate Interest Assessment (LIA) for B2B outreach, plus subject-access-request handling within 30 days of any prospect inquiry. CASL adds parallel obligations for Canadian outreach. None of these are optional, and none of them have to be onerous if the documentation is built into the workflow rather than retrofitted.

6. Adjust for Cultural and Legal Context by Region

Cross-border B2B outbound requires different playbooks per region — not just different scripts.

– North America: Direct, hypothesis-led calls with strong opening relevance. Federal calling window 8 AM–9 PM with state-by-state overrides. Manual dial first-touch for any cell or mixed-use number.

– Europe: More formal tone, longer email-driven nurture cycles, and channel-aware sequencing. Cold calling in the EU works well when paired with documented legitimate interest and accompanied by clear opt-out at every contact. Two-party consent for call recording in many jurisdictions — disclose recording at the start of the call.

– LATAM: Calls work well with relationship-building openers; transactional cold calls underperform. Local language proficiency for the content of the call matters more than for the cold open.

– APAC: Highly relationship-driven. Direct cold outbound is generally less effective than warm intro and account-based motions; when calls do happen, they should be brief, polite, and lead to a meeting rather than attempt to qualify in the call itself.

One example from our cross-border work: when a London-based AI trust & safety company partnered with us to enter the US market, the playbook had to flip. UK norms favor formal, structured outreach with clear value statements upfront. US enterprise buyers in the AI vertical responded better to direct, hypothesis-driven openers that named a specific pain. Same product, same ICP profile, different outbound voice — and the campaign ramped to 35 qualified leads per month in a niche category as a result. Read the full case study.

7. Update the Playbook Quarterly, Not Annually

The 2025–2026 cycle showed why annual compliance reviews are no longer enough. In 12 months: the Eleventh Circuit struck down the one-to-one consent rule, the FCC delayed the revoke-all rule twice, Texas and Oregon passed mini-TCPAs that took effect within 4 months of each other, Virginia amendments hit, the FCC opened a “Delete, Delete, Delete” rulemaking, and class action filings surged.

An annual playbook review would have left a national outbound team operating on April 2025 rules in October 2026 — a 6-month exposure window during which Texas SB140 alone could generate seven-figure liability for a non-compliant program.

The cadence we operate on:

– Federal regulatory monitoring — weekly, with operational changes pushed to dialer config and SDR scripts within 7 days of effective date.

– State regulatory monitoring — monthly across all 50 states, with state-specific dialer rules updated as legislation passes.

– EU and Canada monitoring — quarterly, with country-by-country LIA reviews refreshed annually.

– List hygiene — federal DNC every 31 days, state DNC every 31 days, internal DNC continuous, RND scrub on every list load.

8. Treat Outbound as a Long-Term Program, Not a Campaign

The single biggest pattern we see in non-compliant outbound: short-term thinking. A team launches a 6-week push, dials hard, hits the quarter, and treats compliance as a problem to revisit later. The 6-week push is exactly the operating mode that generates class-action exposure — uncleaned lists, untested scripts, untrained reps, no documentation discipline.

Compliant outbound is a long-term program where the compliance infrastructure is the precondition. The targeting, messaging, and cadence sit on top of that infrastructure. When the infrastructure is right, the campaigns run cleanly for years; when it’s wrong, every campaign is a fresh exposure event.

The clearest examples we point to are the long-engagement campaigns where the compliance discipline compounds. The Stockholm-based IoT and climate-control company we mentioned earlier ran with us for 24 months and generated 139 booked meetings in the US enterprise market. A logistics and supply chain SaaS company we worked with ran a 31-month engagement that generated 1,491 leads and 108 meetings. Neither of those programs would have been viable as a 6-week push. The compliance infrastructure that made them sustainable also made them performant.

With the operating playbook covered, let’s close with the bottom line — and what to do next.

The Bottom Line for B2B Sales Leaders in 2026

Cold calling is not getting harder. It’s getting more particular. The federal trajectory is toward fewer rules — the Eleventh Circuit struck down one-to-one consent, the FCC delayed the revoke-all rule to 2027, and the “Delete, Delete, Delete” rulemaking is actively reviewing what else to remove. The state trajectory is the opposite — Texas, Oregon, Virginia, Maine, and Washington all expanded their telemarketing laws in 2025–2026, with private rights of action that drove TCPA class actions up roughly 97% year-over-year.

That divergence is the real story. National outbound campaigns can no longer run a single playbook. Compliance has to be state-aware, channel-aware, and infrastructure-driven — not a checklist a rep follows after the dial.

The takeaways worth retaining:

– Cold calling is legal everywhere we operate — US, Canada, UK, EU, LATAM. What’s illegal is calling the wrong type of number, using the wrong technology, or ignoring opt-outs.

– AI voice calls require prior express written consent in the US. AI as a copilot is fine; AI as the caller is the legal exposure zone.

– The cell phone is the B2B trap. TCPA treats every wireless number as residential regardless of business use. Manual dial first-touch outreach to mobile numbers; reserve power dialers for landlines.

– The federal calling window is 8 AM–9 PM local, but at least 15 states impose stricter rules. The clean universal safe window: 11 AM–8 PM Eastern, Monday through Friday.

– State mini-TCPAs are the bigger risk than federal enforcement. Texas SB140, Oregon HB 3865, Virginia amendments, Florida FTSA, Maine RND mandate. Each has its own rules, its own penalties, and most include private rights of action.

– DNC scrubbing is every 31 days at the federal level. Add Reassigned Numbers Database scrubbing for the federal safe harbor.

– Internal DNC requests are universal and indefinite. Once a prospect asks to stop, that propagates across every channel and every campaign — forever.

– Outbound in Europe runs on legitimate interest, documented in an LIA. Not assumed. Documented.

– Compliance has to be infrastructure, not training. Reps with good intentions still make mistakes when the systems around them allow it.

– Coordinated omnichannel beats stacked single-channel — for both compliance and conversion. Spread, well-paced sequences across email, phone, and LinkedIn outperform concentrated single-channel pressure on every metric that matters.

What separates the outbound programs that scale from the ones that end up on a class-action complaint isn’t legal sophistication. It’s whether the compliance layer is built into the platform or bolted on around the reps. Build it in, and outbound becomes a long-term predictable pipeline channel. Bolt it on, and every campaign is a fresh exposure event.

Where Martal Comes In

Running compliant cold calling at scale across multiple states, multiple regions, and multiple jurisdictions isn’t a workflow most internal teams want to maintain. The dialer-level enforcement, the state-by-state rule mapping, the consent documentation, the RND scrubbing, the cross-channel cadence coordination, the time-zone-aware calling cadence — that’s a full compliance stack that has to run cleanly before the first call leaves the platform.

That stack is what we maintain. For 16+ years, our outbound services have combined experienced onshore SDRs with our proprietary AI Sales Platform, running cold calling, cold emailing, and LinkedIn outreach as a coordinated omnichannel package across North America, Europe, and LATAM. The compliance infrastructure isn’t a feature we describe in a deck — it’s the operational baseline our clients hand to us along with the outbound execution. We’ve delivered qualified pipeline for 2,000+ B2B brands across 50+ verticals, including cross-border programs that ran for 24 to 31 months without a compliance incident.

If you’re running a B2B sales program where cold calling is part of the motion — and you’d rather have the compliance layer handled by a team that runs this every day across every major jurisdiction — book a consultation. We’ll review your current outbound posture, identify the highest-risk gaps, and walk through what a compliant, conversion-optimized outbound program looks like for your ICP and target markets.

Today’s compliance environment rewards teams that take it seriously. We can help you take it seriously without slowing down your pipeline.

Disclaimer: This article is for informational purposes only. We’re not attorneys, and nothing here should be taken as legal advice. Cold calling laws vary by country and change over time, so always check with a lawyer.

References

1. Federal Trade Commission
2. Wilson Sonsini Law Firm
3. Brazil’s Não Me Perturbe
4. CASL
5. CRTC (Canada)
6. NatLawReview
7. FCC – Reassigned Numbers Database (RND)
8. FTC – US National Do Not Call Registry
9. OTSA – Manatt, Phelps & Phillips
10. Australia’s Do Not Call Register Act
11. ACA International
12. Wiley
13. Supremecourt.gov
14. GDPR
15. Information Commissioner’s Office
16. Morrison & Foerster
17. Squire Patton Boggs
18. Troutman Pepper Locke
19. Maine.gov
20. Telephone Preference Service
21. Bloctel
22. Registro Pubblico delle Opposizioni
23. Lista Robinson

FAQs: Cold Calling Laws

1

Is cold calling illegal in 2026?

No. Cold calling itself is legal in the US, Canada, the UK, and the EU. What’s regulated is how you do it — calling hours, dialing technology, consent for cell phones, scrubbing against Do Not Call registries, and state-level mini-TCPA requirements. A compliant program respects all of these; a non-compliant program risks $500–$1,500 per call in TCPA damages, plus state penalties that can reach $5,000 per violation. The activity isn’t banned; sloppy execution is what generates exposure.

2

What is the 8 AM to 9 PM rule for cold calling?

The TSR and TCPA both restrict telemarketing calls to between 8:00 AM and 9:00 PM in the recipient’s local time zone. This is the federal default. At least 15 states impose tighter windows — Oregon and Florida cap at 8 PM, Rhode Island ends at 6 PM weekdays, Maine prohibits Sunday calling, and several states require later morning starts on Sundays. National outbound teams should default to 11 AM–8 PM Eastern Mon–Fri to stay inside every state-level rule, then expand only when a specific state and account profile justify it.

3

Do I need consent to cold call a business?

For verified business landlines in the US, federal law generally allows cold calling without prior consent — the FTC’s Telemarketing Sales Rule exempts most B2B solicitation from the National Do Not Call Registry. The exemption breaks down in three places: (1) calls to personal cell phones used for business, which the TCPA treats as residential, (2) states like Pennsylvania, Mississippi, and Colorado that maintain state DNC lists covering business numbers, and (3) AI-voiced or autodialed calls to any wireless number, which require prior express written consent regardless of B2B exemptions.

4

Is AI cold calling illegal?

Using AI-generated voices to make cold calls without prior express written consent is illegal in the US. The FCC ruled in February 2024 that AI voices are treated as “artificial voices” under the TCPA, triggering robocall consent rules. Statutory damages run $500 per call ($1,500 if willful), and state attorneys general can pursue these damages directly. AI used as a copilot for a live SDR — drafting context briefs, suggesting talk tracks, transcribing calls — is fully compliant. AI used as the caller, dialing autonomously or speaking on the call, requires documented consent that’s rarely available in pure cold outbound.

5

What is the difference between TCPA and TSR?

Both regulate telemarketing in the US, but they cover different things. The TCPA (Telephone Consumer Protection Act, enforced by the FCC) governs the technology used to dial — autodialers, prerecorded and AI voices, and consent requirements for cell phones. The TSR (Telemarketing Sales Rule, enforced by the FTC) governs call timing, call conduct, disclosure requirements, and the National Do Not Call Registry. They work together: a single non-compliant call can violate both. The TCPA carries a private right of action ($500–$1,500 per call); the TSR carries FTC penalties up to $51,744 per call.

6

What are state mini-TCPAs and why do they matter?

State mini-TCPAs are state-level laws modeled on the federal TCPA but with broader autodialer definitions, stricter calling windows, additional registration requirements, and private rights of action. The most aggressive in 2026: Texas SB140 (effective September 2025, $10,000 surety bond requirement, $5,000 per violation), Oregon HB 3865 (effective January 2026, 8 AM–8 PM window, 3-call daily cap), Virginia amendments (effective July 2026, 10-year text opt-out retention), and Florida’s FTSA. A cold call that’s compliant federally can still violate state law — and most state mini-TCPAs allow consumers to sue directly.

7

Can I record cold calls legally?

It depends on the state. Federal law and most US states require only one-party consent — the rep recording the call counts as the consenting party. But 12 states (including California, Florida, Pennsylvania, Washington, Maryland, Massachusetts) require two-party or all-party consent, meaning the prospect must also be informed and agree. The safest practice for any multi-state outbound program: disclose recording at the start of every call. EU GDPR and several individual EU countries require similar disclosures. Two-party consent disclosure is also good practice for trust — most prospects are fine with it when the disclosure is professional and brief.