Cold Calling Laws: Compliance and Best Practices for Sales Teams
Your top-performing sales rep lands a promising cold call but gets an angry response from the lead. Frustrated with the phone call, the lead accuses your salespeople of violating regulations. It’s a tricky situation that can lead to lost opportunities, reputational damage, or even legal consequences.
For enterprise sales teams, driving pipeline growth while maintaining compliance can be challenging. Beyond meeting quotas, you’re navigating a complex web of regulations like TCPA and GDPR and trying your best to ensure your team operates confidently and within the law.
In this article, we’ll explore:
- Key cold calling laws (including TCPA, one-party vs two-party consent states, CCPA, GDPR, and STIR/SHAKEN)
- Practical strategies to help you stay compliant with each one
- Typical penalties for violations
- Pro tips and the best automation tools to use
Consider it your guide to building a legally sound and effective operation within your sales team.
What is TCPA?
The Telephone Consumer Protection Act (TCPA) is a 1991 federal law regulating telemarketing calls, auto-dialing, prerecorded messages, text messages, and faxes. Its primary purpose is to protect consumers from unsolicited communications and ensure companies receive proper consent before contacting individuals.
💡Did you know? The TCPA is enforced by the Federal Communications Commission (FCC) and imposes strict penalties for violations. This includes fines up to $1,500 per unsolicited call or message. You’ll learn more about penalties later in the article.
Key requirements for TCPA compliance
To stay compliant with the TCPA, your salespeople must understand and follow this set of rules.
Get clear consent
If your cold callers use autodialers or prerecorded messages, they must have written consent from the person they’re calling. The person on the other side of the phone needs to know exactly what they agree to, and it can’t be tied to a purchase.
Stick to calling hours
You can only make telemarketing calls between 8:00 AM and 9:00 PM in the recipient’s local time. Calling outside these hours isn’t just annoying—it’s a violation of the TCPA. Time-of-day restrictions are there for a reason.
Respect the Do Not Call list
Keep your own Do Not Call list and honor requests to be added to it for a minimum of five years. Also, make sure to check phone numbers against the national Do Not Call Registry that falls under the Federal Trade Commission (FTC). You can’t call people on that list unless they’ve given you explicit permission.
Be transparent about your caller ID
Always provide accurate caller ID information. This includes your phone number and, ideally, your company name. If people don’t know who’s calling, it’s a legal problem that can result in penalties.
Keep records of your telemarketing campaigns
Make sure you save proof of consent, call logs, and campaign details. If someone questions your compliance, having the right records can save you from hefty fines. In case of audits or complaints, you want to have them easily accessible.
Understand exceptions for certain types of calls
The TCPA limits how often you can call someone without their consent. These limits apply to both artificial and prerecorded voice calls. Cold callers need to be aware of these exceptions:
- For certain exempted calls (such as non-commercial calls, commercial calls that don’t include unsolicited advertisements, and calls from tax-exempt nonprofit organizations), the limit is three calls within any consecutive 30-day period.
- For healthcare-related calls subject to the Health Insurance Portability and Accountability Act (HIPAA), the restriction is one call per day, with a maximum of three calls per week.
Provide an easy way to opt-out
Even with prior consent, you need to enable users to easily stop any type of communication. In other words, every call must include a way for people to opt out immediately. For prerecorded messages, this could be as simple as pressing a number to stop future calls.
🧠 Good to know: Similar to the TCPA, the Telemarketing Sales Rule (TSR) is designed to protect consumers from unwanted telemarketing calls. The key difference is that, while the TCPA broadly covers all telemarketing activities, the TSR focuses more on ensuring human accountability in telemarketing practices. It aims to protect consumers from shady telemarketing practices and scams.
Penalties for non-compliance
Failure to comply with TCPA regulations can lead to serious consequences for your company. Let’s first examine monetary penalties.
Your business can be fined up to $500 per violation, which increases to $1,500 per violation for willful or knowing breaches. Let’s do a simple calculation to fully understand how seriously you should take this. If a company makes 1,000 unauthorized calls, it could face fines of up to $1.5 million.
Beyond the direct financial costs, TCPA violations can severely damage your brand. Negative press and consumer distrust can hurt business relationships and future growth, often outweighing monetary penalties.
💡Did you know?
TCPA violations can result in costly class-action lawsuits. Settlements often reach millions. In a recent case, a real-estate company agreed to a $40 million settlement, showing just how expensive non-compliance can be. Besides the serious financial losses, lawsuits and regulatory scrutiny can divert time and resources away from core business operations, which can impact your productivity and revenue.
One-party vs. two-party consent states
Understanding consent laws is critical when recording sales calls. Here’s the key difference between one-party and two-party consent states.
One-party consent states | Two-party consent states |
---|---|
In these states, only one person on the call needs to know it’s being recorded. That means if your sales rep is aware and agrees, you’re good to go. Most states in the U.S. fall under this rule. | In these states, everyone on the call has to give permission for the recording. Without that consent, recording is illegal. States like California, Florida, and Pennsylvania follow this stricter approach. |
So, what does this mean for your business?
If your team is making calls into two-party consent states, you need to get clear permission before hitting the record button. To stay on the safe side, you can:
- Train your team to understand which states require two-party consent
- Make sure your cold callers clearly ask for permission when recording conversations
- Use technology that blocks recording unless consent is given
❗Important note: Some states have nuances in their laws. For instance, Connecticut has different rules for in-person and telephone conversations. Always consult legal counsel to ensure compliance.
Knowing the rules for each state is key to making sure your telemarketing stays compliant. Here’s a quick look at how the regulations vary across the U.S.*
State | Consent requirement | Do Not Call rules | Permissible calling hours | Weekend/holiday restrictions |
---|---|---|---|---|
Alabama | One-party consent | Adheres to federal DNC list (no additional state list) | 8 AM – 8 PM | No calls on Sundays or legal holidays |
California | Two-party consent | Enforces both federal and state DNC lists (stricter compliance required) | 8 AM – 9 PM | No specific restrictions, but avoid calling on holidays |
Florida | Two-party consent | Adheres to federal DNC list (no additional state list) | 8 AM – 9 PM | No specific restrictions |
Louisiana | One-party consent | Enforces both federal and state DNC lists (stricter compliance required) | 8 AM – 9 PM | No calls on Sundays or legal holidays |
New York | One-party consent | Adheres to federal DNC list (no additional state list) | 8 AM – 9 PM | No specific restrictions |
Pennsylvania | Two-party consent | Enforces both federal and state DNC lists (stricter compliance required) | 8 AM – 9 PM | No specific restrictions, but avoid calling on holidays |
Texas | One-party consent | Adheres to federal DNC list (no additional state list) | 9 AM – 9 PM | No specific restrictions |
Utah | One-party consent | Adheres to federal DNC list (no additional state list) | 9 AM – 9 PM | No calls on Sundays or legal holidays |
*The states in the table were selected to provide a representative sample of varying consent laws and enforcement of Do Not Call (DNC) rules.
Now let’s see how you can navigate consent requirements during calls.
How to navigate consent requirements during calls
Managing consent requirements during sales calls doesn’t have to be complicated, especially with a solution like Orum. Here’s how to simplify compliance and make it hassle-free.
Always confirm consent at the start of calls in two-party consent states
For states where all parties must consent to call recording, Orum allows admins to configure call recording settings to comply with these laws. You can set the system to automatically record calls only in specific area codes, or to record only the representative's audio. This is an easy way to ensure you comply with two-party consent requirements.
💡Pro tip
Orum’s call settings can prompt reps to ask for consent at the very beginning of the call, so nothing slips through the cracks. Being direct and transparent will also help you build trust in sales.
Train your salespeople to understand state-specific consent laws
The best way to make sure you don’t annoy your potential customers? Provide proper sales coaching and help your team understand state-specific consent laws. With Orum integrated into your CRM, reps can see at a glance which states require two-party consent and remove the guesswork.
Syncing call activity and prospect details makes it fairly easy to track and flag consent requirements by region.
Use call-routing technology based on state laws
Orum’s call-routing technology can direct calls to reps based on the recipient’s state's consent requirements. This ensures that calls are handled appropriately from the start.
Let’s say your sales rep is calling a list of prospects across multiple states. With Orum's call routing, calls to two-party consent states (e.g., California) are automatically flagged. At the start of the call, the rep receives a notification or is prompted to confirm consent.
For regions with stricter laws, the platform might reroute calls to a more experienced rep who’s trained in handling complex compliance requirements.
💡Did you know? Using a call-routing technology can also improve sales productivity and save your team time. Knowing that calls are routed with compliance in mind, reps can focus on selling without worrying about legal risks. Plus, reps don’t have to manually check consent laws for each contact. The system does the work for them.
Provide compliant call scripts
Lastly, you can help your reps stay on track with compliant call scripts. These scripts can guide them through the process of explaining call recording and documenting consent.
Orum’s Salesfloor comes into play here. Think of it as a virtual sales hub where reps can collaborate, share best practices, and get real-time coaching. For example, if a rep is calling someone in a two-party consent state, the script can prompt them to say, “Just a heads-up, this call may be recorded for SDR training purposes. Is that okay with you?”
If they forget about this or stumble, a manager listening in through Salesfloor can quickly jump in to provide guidance or feedback.
What is CCPA?
The California Consumer Privacy Act (CCPA) gives California residents more control over their personal data. It requires businesses to be transparent about the data they collect, let consumers opt out of data sales, and honor requests to access or delete personal information.
If you’re doing business in California and handling customer data, staying compliant is non-negotiable. Violations can lead to hefty fines.
Key requirements for cold calling under CCPA
If you’re cold calling in California, staying compliant with the CCPA is a must. Here’s what you need to take into account:
- Let individuals know what personal information you’re collecting, why you’re collecting it, and how it will be used.
- Offer an opt-out option for data collection.
- If someone has used their “Do Not Sell” rights, take them off your calling list.
- Keep thorough records of consent, opt-outs, and communications to demonstrate compliance if audited.
- Do not collect data or target individuals under 16 years old without explicit consent from a parent or guardian.
Let’s take a closer look at how you can make sure you stay compliant with CCPA regulations.
How to ensure compliance with CCPA regulations
Staying compliant with TCPA regulations also helps ensure CCPA compliance, as both laws emphasize consumer rights, such as transparency, consent, and respecting opt-out requests.
This means that, if you’re already following TCPA rules (like obtaining consent before calling and honoring opt-out requests), you’re well on your way to meeting CCPA requirements. Here are actionable steps you can take to make sure you’re on the right track:
- Make sure your sales reps understand the CCPA rules and can clearly explain why you’re collecting data and how it will be used.
- Use software that updates your contact lists immediately when someone opts out, so you’re not calling people who don’t want to hear from you.
- Integrate your CRM with compliance tools to flag individuals who’ve opted out or requested data deletion.
- Regularly audit cold calling practices.
- Provide scripts with compliant language for disclosures and opt-out instructions.
Train your team with Orum’s Call Library
Orum’s Call Library makes it easy to train your sales team on CCPA compliance by using real examples from their own calls. You can save and organize recordings that show how to handle things like giving proper disclosures or responding to opt-out requests.
💡Did you know?
The average ramp-up time for new sales reps is considered to be the company’s sales cycle + 3 months. Automating part of your team’s training can help you decrease sales ramp-up time significantly.
Cold calling and GDPR
The General Data Protection Regulation (GDPR) is a data privacy law that applies to businesses operating in the European Union or dealing with the personal data of EU residents. Its main focus is protecting individuals’ personal data and giving them control over how it’s collected, used, and stored.
When it comes to cold calling, GDPR requires businesses to:
- Have a legitimate reason for contacting individuals
- Obtain consent before processing personal data
- Clearly inform prospects about how their data is being used
Non-compliance can result in severe penalties, including fines of up to €20 million or 4% of annual global turnover.
Steps to remain GDPR-compliant during calls
GDPR can feel complex, but the right tools make it easier to stay on top of compliance. Here’s how Orum’s data tracking and consent management features can help:
- With Orum’s data tracking, you can make sure the person you’re contacting has agreed to let you store and use their data.
- Orum’s tools can help you flag opt-outs and remove them from your contact lists immediately.
- You can safely store and handle personal data using secure systems that meet GDPR standards.
- Stay compliant by continually training your team on GDPR.
What is STIR/SHAKEN?
STIR/SHAKEN is a framework designed to combat caller ID spoofing and reduce robocalls. It works by verifying the authenticity of caller IDs during phone calls. To be more precise:
- STIR (Secure Telephone Identity Revisited) makes sure the caller’s information is securely tied to the call
- SHAKEN (Signature-based Handling of Asserted Information Using toKENs) checks that this information stays intact as the call moves through networks
Together, STIR/SHAKEN helps phone carriers identify and block fraudulent calls. This makes it harder for scammers to disguise their identities.
💡 Pro tip
Here’s how you can implement STIR/SHAKEN-compatible systems:
- Choose a provider that already supports the framework to handle call authentication for you
- Make sure your outbound calling systems are compatible with STIR/SHAKEN protocols
- Obtain a certificate from a trusted authority to verify your business as a legitimate caller within the framework
- Use analytics tools to track the authentication of your calls and identify any issues early on
B2B vs. B2C cold calling compliance
When it comes to cold calling, the rules for B2C and B2B calls are quite different. Calling consumers comes with tighter restrictions. You’ll usually need explicit consent and must respect Do Not Call (DNC) lists.
In general, you can expect to have more leeway with B2B calls. These types of calls target professionals, and many regions allow these under “legitimate interest” exemptions. This means you can call without prior consent as long as your outreach is relevant and professional.
Adapting strategies for each audience
Here’s how you can adapt your cold calling strategy depending on your target audience.
B2C cold calling
Do:
- Get explicit consent before calling
- Follow Do Not Call (DNC) list rules
- Focus on personal benefits and solving consumer pain points
Don’t:
- Call outside reasonable hours
- Ignore opt-out requests or DNC registrations
- Use overly aggressive or pushy tactics
B2B cold calling
Do:
- Be professional, concise, and relevant
- Call during business hours
- Highlight how your product/service solves business challenges
Don’t:
- Assume you don’t need permission (check local laws)
- Waste time on unqualified leads
- Use generic pitches that don’t address the prospect’s pain points
Nail your cold calling without stress
Respecting cold calling laws boils down to three key elements: educating your team, keeping a clear audit trail, and automating compliance whenever possible. Make sure to do your due diligence and log every call, consent confirmation, and opt-out request in your CRM to ensure nothing slips through the cracks.
As the final takeaway, remember this: A well-informed team is your first line of defense, while tools like Orum provide the support and peace of mind needed to automate and streamline compliance.