What’s Changing in TCPA, Telemarketing, and Privacy Compliance

    Convoso
    9 min. read

    Outbound teams are navigating a growing mix of federal TCPA developments, state telemarketing requirements, and consumer privacy laws.

    In Mac Murray & Shuster’s midyear Privacy Watch webinar, attorney Aaron Perry reviewed several developments likely to affect businesses that rely on calls, texts, and consumer data. Here are the most important takeaways—and practical steps businesses can take to strengthen compliance while supporting effective outbound operations.

    This article provides a general summary for educational purposes and is not legal advice. Consult qualified counsel about the requirements that may apply to your business.

    At a Glance

    • A recent Supreme Court decision gives federal courts more authority to interpret the TCPA independently, which could lead to different conclusions across jurisdictions.

    • The FCC delayed one portion of its consent-revocation requirements until January 31, 2027, but other opt-out and revocation obligations remain in effect.

    • Tennessee and Utah added telemarketing requirements involving certain automated calls, recordkeeping, opening disclosures, and cancellation rights.

    • Alabama, Oklahoma, Louisiana, and Vermont enacted broad consumer privacy laws, while other states continue expanding existing protections.

    • Businesses should strengthen opt-out management, audit data sharing and vendors, review sensitive-data practices, assess data-broker obligations, and update their breach-response plans.

    Federal TCPA developments continue to reshape compliance

    Recent court decisions and FCC activity are creating new questions about how parts of the TCPA should be interpreted and applied.

    A recent Supreme Court decision gives federal courts more authority to interpret the TCPA independently rather than automatically treating the FCC’s conclusions as binding. That could lead courts in different jurisdictions to reach different decisions on unresolved issues involving consent and whether text messages are covered by certain Do Not Call provisions.

    Because those questions remain unsettled, Perry recommended continuing to follow FCC consent guidance and treating text messages as calls for DNC purposes as a conservative compliance approach.

    The FCC has also delayed one portion of its consent-revocation requirements until January 31, 2027. The delayed requirement addresses how broadly some revocation requests must be applied, but the extension does not suspend existing obligations to honor opt-outs and consent revocations.

    Perry also highlighted ongoing FCC proceedings involving caller identification, phone-number practices, and foreign-originated calls. These proceedings have not necessarily resulted in final requirements, but outbound teams should continue monitoring them and be prepared to adjust their processes if new rules are adopted.

    States continue to tighten telemarketing requirements

    Federal TCPA developments are only one part of the compliance equation. Businesses must also account for state laws that can impose additional requirements involving call practices, disclosures, registration, consent, and recordkeeping.

    Tennessee adds requirements for certain automated calls

    Beginning July 1, 2026, Tennessee requires businesses making certain automated telephone solicitations with artificial or prerecorded voice messages to maintain monthly call records.

    The law also caps covered calls at 10,000 per month. Businesses making at least 500 covered calls in a month must begin providing records to the state at least twice a year beginning October 1, 2026.

    Although the requirements may sound broad, the law applies to a defined category of calls and includes exceptions. Perry said only “a sliver of calls” would likely fall within its scope.

    Businesses using automated dialing, prerecorded messages, artificial voices, or AI-powered calling technology should review the law with counsel rather than assuming their calls are either covered or exempt.

    Utah adds opening disclosures and strengthens cancellation rights

    Utah also modified its telephone-solicitation requirements. Before beginning a covered solicitation, sellers or their solicitors must orally provide their legal name, telephone number, mailing address, and email address.

    The amendments also affect consumers’ cancellation rights. Failing to provide required information or cancellation disclosures can extend the period during which a purchaser may cancel a sale.

    “Avoid the headache now by including those disclosures up front,” Perry said. “It will save you a lot of grief on the back end.”

    Businesses making calls into Utah should review their opening scripts and cancellation disclosures to ensure they reflect the amended requirements.

    Four more states enact broad consumer privacy laws

    Alabama, Oklahoma, Louisiana, and Vermont enacted broad consumer privacy laws in 2026.

    Although the specific requirements differ, these laws generally expand consumers’ control over their personal information and establish new obligations involving privacy disclosures, sensitive data, consumer requests, security, and the use or sale of personal information.

    General effective date of these new laws:

    Alabama: May 1, 2027

    Oklahoma: January 1, 2027

    Louisiana: January 1, 2027

    Vermont: January 1, 2028

    Each law defines covered businesses differently, so applicability will depend on factors such as the amount and type of consumer data processed, how the data is used, and whether the business derives revenue from selling personal information.

    Vermont is particularly notable because of its broader protections for sensitive information and consumer health data.

    Perry called it “probably the state with the most onerous privacy law” among the new measures.

    Businesses should begin preparing well before these laws take effect. That starts with knowing what consumer information they collect, where it comes from, how it is used, and who receives it.

    States are expanding existing privacy protections

    Existing privacy laws are changing almost as quickly as new ones are being passed.

    States are broadening consumer rights, placing tighter restrictions on sensitive and location data, and increasing their oversight of data brokers.

    The enforcement is real,” Perry said. “It’s weekly now that we’re seeing a state or federal action that’s related to privacy.”

    Some of the developments most relevant to businesses that rely on consumer data include:

    • Maryland: Expanded provisions involving sensitive information and location data. Businesses that collect health, financial, or precise location information should review how that data is collected, used, and shared.

    • Connecticut: Added data-broker registration and centralized deletion requirements and strengthened restrictions involving precise geolocation data. Businesses that buy, sell, or license consumer information should assess whether they may qualify as data brokers.

    • Virginia: Prohibited businesses covered by its Consumer Data Protection Act from selling or offering to sell precise geolocation data.

    For outbound organizations, the broader takeaway is that lead and customer data cannot be viewed only as a sales resource. How that information was obtained, what it contains, where it moves, and whether consumers can exercise their rights all affect compliance risk.

    Six compliance actions businesses can take now

    With federal and state requirements continuing to evolve, it can be difficult to know where to focus.

    Perry offered six practical recommendations for strengthening compliance programs and preparing for what comes next.

    1. Stay current on legal developments

    Privacy and telemarketing requirements are changing quickly.

    “There’s just so much going on that it’s hard to stay afloat with a reactive posture,” Perry said.

    Businesses should establish a regular process for monitoring court decisions, FCC activity, state legislation, enforcement actions, and upcoming effective dates. The goal is to identify relevant changes early enough to update scripts, policies, systems, training, and vendor requirements.

    2. Centralize opt-outs and consent revocations

    Continuing to contact consumers after they have asked communications to stop can create significant litigation and reputational risk.

    “We’ve seen a lot of increased litigation under the TCPA related to businesses that continue to contact consumers after they’ve opted out,” Perry said.

    Do Not Call requests, text-message opt-outs, and consent revocations should be communicated quickly across every system, campaign, department, and vendor involved in consumer outreach.

    Businesses should also be able to document when a request was received and how it was honored.

    3. Audit data sharing and vendor relationships

    “Vendor due diligence and oversight is a huge priority for regulators,” Perry said.

    Businesses should map where consumer data goes after it is collected, who has access to it, and whether vendors are using it only for authorized purposes.

    “Fairly often, when we go to work with a new client, they are stunned about what types of data sharing were going on that they really didn’t have a full grasp on,” Perry said.

    Look for vendors that are transparent about their data practices, maintain strong security and compliance processes, and provide the documentation and controls needed to support your own program.

    4. Review sensitive-data practices and privacy disclosures

    Health information, financial information, precise location data, and other sensitive information may be subject to additional protections.

    Businesses should review whether they need to collect that information, how it is secured, who can access it, and whether it is shared with vendors or other parties.

    Privacy policies also need attention. Perry encouraged businesses to “button up privacy policy disclosures,” calling them one of the easiest ways for regulators to evaluate how an organization approaches privacy compliance.

    Your privacy policy should accurately reflect what your business, technology, and vendors actually do with consumer data.

    5. Determine whether data-broker rules apply

    A data broker is generally a business that sells or licenses information about consumers with whom it does not have a direct relationship.

    Depending on the applicable state definition, that can include some lead generators, list providers, marketplaces, and businesses that buy and resell consumer leads.

    California has already launched a centralized deletion-request platform for data brokers. Registered brokers must begin processing requests submitted through the platform on August 1, 2026. Connecticut is developing a similar framework with its own registration and implementation timeline.

    Businesses involved in buying, selling, licensing, or exchanging leads should work with counsel to determine whether data-broker requirements apply.

    6. Strengthen your data-breach response plan

    Contact centers and outbound sales teams handle large volumes of consumer information. Even businesses with strong security controls need a plan for what happens if that information is exposed.

    Perry noted that many organizations invest heavily in preventing breaches but have not established a clear process for responding when a breach occurs.

    A documented plan should identify who will investigate the incident, assess the affected information, coordinate with vendors and counsel, meet notification requirements, and communicate with customers or regulators.

    “Getting a policy now in place will save a lot of headache down the road,” Perry said.

    Stronger compliance supports more sustainable outbound performance

    No single checklist can address every federal and state requirement affecting outbound outreach.

    Businesses can reduce risk, however, by treating compliance as an ongoing part of outbound operations—not a separate legal exercise addressed only after a problem occurs.

    Clear consent and opt-out processes, better visibility into consumer data, stronger vendor oversight, and well-maintained policies help teams adapt as requirements change. They can also reduce operational disruption and help businesses engage consumers more responsibly as they work to improve outbound performance.

    Build compliance into your outbound operations

    Evolving requirements shouldn’t force your team to choose between responsible outreach and stronger performance. See how Convoso helps outbound teams manage compliance, while enabling more effective outreach.

    Explore Convoso’s built-in compliance guardrails

    Frequently Asked Questions About Recent TCPA and Privacy Developments

    • The Court held that federal district courts are not automatically required to treat the FCC’s interpretations of the TCPA as binding. Courts have greater authority to interpret the law independently, which may lead to different conclusions across jurisdictions.

    • Courts have reached different conclusions about how certain TCPA Do Not Call provisions apply to text messages. Because the issue remains unsettled, businesses may choose to treat texts as calls for DNC and opt-out purposes as a conservative compliance approach.

    • The FCC extended the effective date of one portion of its consent-revocation rules until January 31, 2027. The delay does not suspend other obligations to honor applicable opt-outs and consent revocations.

    • Tennessee requires recordkeeping for certain automated telephone solicitations that deliver artificial or prerecorded voice messages. The law also establishes reporting requirements for businesses reaching specified call volumes and caps covered calls at 10,000 per month.

    • Alabama, Oklahoma, Louisiana, and Vermont enacted broad privacy laws in 2026. Their general provisions take effect between 2027 and 2028, but their definitions, thresholds, exemptions, and obligations differ.

    • Businesses should strengthen opt-out and consent-revocation processes, monitor changing requirements, audit data sharing and vendors, review sensitive-data practices, assess whether data-broker rules apply, and maintain a documented breach-response plan.

    Schedule a demo

    Supercharge your sales with our AI-powered contact center platform.

    4x your contact rates today!