TCPA, DNC, and call recording — what your carriers expect of you and what keeps you out of upstream drama

This article is a working operator's reference for the regulatory floor your call center has to clear, the carrier expectations layered on top of that floor, and the recording-law patchwork that determines whether you legally need to announce that the call may be recorded. Not legal advice — talk to a telecom lawyer if you're sized to need one. The notes here are what the regulations actually require, sourced from the FCC rules themselves (47 CFR § 64.1200), not summaries.

TCPA in one paragraph

The Telephone Consumer Protection Act (47 U.S.C. § 227) is the federal framework. The headline rules that matter for predictive dialing:

• Calling time window: 8:00 AM to 9:00 PM in the called party's local time. Not yours.
• Prior express written consent for autodialed or artificial/prerecorded-voice calls to wireless numbers. Predictive dialing is autodialing. The FCC's 2015 interpretation (reaffirmed in 2019 and 2020) puts essentially all Vicidial-style operations in scope.
• Abandon rate capped at 3% per campaign per 30-day rolling window for outbound commercial telemarketing.
• Caller ID must be transmitted, must be a valid number that the called party can return-call to reach a live person, and must identify the entity responsible for the call.
• Identification within the first minute: agent must state the business name and a callback number where the recipient can opt out.
• Internal DNC list — opt-outs must be honored within 30 days, retained for 5 years, and scrubbed against on every subsequent campaign.

Political, charitable, and informational/transactional calls have narrower exemptions but most are NOT exempt from the wireless-consent rule under the FCC's current interpretation. Assume TCPA applies unless your lawyer says otherwise.

Federal and state DNC lists

Federal DNC list: telemarketing.donotcall.gov. Subscribe as a seller; scrub your leads against it before every campaign. Subscription is per-area-code and costs roughly $19/area code/year as of 2026, capped at ~$11K/year for nationwide access.

State-by-state DNC lists are an additional layer. Most are folded into the federal list now, but a handful (Indiana, Louisiana, Mississippi, Pennsylvania, Tennessee, Texas, Wyoming) maintain their own lists with separate registration and scrub requirements. Check the current state list against your dialing plan; failing to scrub a state-DNC number is a separate violation on top of TCPA.

Where Vicidial helps and where it doesn't

Vicidial maintains your internal DNC list automatically — every "Do Not Call" disposition the agent selects appends to a list that's scrubbed against future loads. It does NOT:

• Scrub against federal or state DNC unless you load those lists as suppression lists.
• Enforce the 3% abandon rate cap — it shows you the rate in real-time, doesn't throttle.
• Enforce calling-time windows — the campaign's local-call-time fields are advisory only; if the time-zone lookup is wrong on a lead, Vicidial will happily dial.
• Generate or send the consent-evidence records that prove you had prior express consent.

All of those are operator responsibility.

Recording laws — federal and state

Federal law (18 U.S.C. § 2511) is one-party consent: as long as one party to the call consents to recording (which can be you), the recording is legal under federal law.

State law overrides for inbound and outbound where the recording happens. The two-party-consent states ("all-party consent" is the precise term):

California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon (mixed-rules), Pennsylvania, Washington.

If either you OR the prospect is physically in any of those states at call time, you need consent from all parties. The practical workaround: a beep tone or recorded announcement at call start ("This call may be recorded for quality assurance") constitutes constructive consent if the called party continues the conversation.

If you record any calls and dial nationwide, you should play a recording-notice on every call. Configure in Vicidial: Campaigns → Modify → Wrap-up Script and the inbound-message system. Most operators use a single recording_notice.gsm audio file inserted as a campaign intro.

What your carriers expect of you

Telnyx, Flowroute, Bandwidth, VoIP.ms — all major US-routing carriers — have AUPs that mirror TCPA. Their self-protective interest is that complaints from your traffic reach the FCC and the FCC walks back up the routing chain. If they conclude you're a high-complaint customer, they will:

1. Throttle or downgrade your STIR/SHAKEN attestation, which crashes your answer rate (carriers downstream will mark your calls as "Likely Spam" or refuse to deliver).
2. Cap your concurrent channel count.
3. Terminate your account with 24-48 hours notice.

What carriers expect you do, regardless of TCPA:

• Use accurate, callback-able caller ID (no spoofing unrelated numbers — STIR/SHAKEN attestation tier depends on this).
• Maintain a low complaint rate per number. Carriers rotate your outbound numbers if any one accumulates complaints; the responsibility shifts to you when the rotation pool itself starts getting flagged.
• Stay under their per-second call rate (CPS) limits, often 5-10 CPS unless negotiated higher.
• Honor immediate opt-out requests — if you get a complaint and ignore it, the carrier sees the repeat-complaint pattern.

What LYLIX (your hoster) expects of you

The AUP at lylix.net/legal/aup covers this. Short version: illegal calling activity gets you suspended on report. We respond to USTelecom Industry Traceback notices and FCC complaints by identifying the customer of record and, if the activity continues, terminating the service.

We don't pre-vet your campaigns or your consent records. That's your job and your lawyer's. We do require that you operate within US law for US-routing traffic, EU law (including e-Privacy Directive and member-state implementations) for EU-routing traffic, and your account stays in good standing as long as that's the case.

Operational practices that keep you out of trouble

• Log consent evidence. Every lead in your list should have a timestamped consent record — a web form submission, an inbound call, a signed contract. If you can't produce the consent for a complainant, you have no TCPA defense.
• Recycle internal DNC into every scrub. Vicidial does this automatically for new loads if you keep the suppression list pointed at the DNC table.
• Quarterly external DNC re-scrub on long-lived lists. Numbers get added to federal DNC constantly; a list you loaded 6 months ago has accumulated new opt-outs.
• Per-campaign abandon-rate alarm. Vicidial's reports show 30-day rolling rate. Set a weekly check or build a small cron job that emails you if it goes above 2% (giving you headroom on the 3% cap).
• Maintain your STIR/SHAKEN A-attestation. Carriers issue attestation tiers (A, B, C) based on the relationship and call patterns. A-tier requires the carrier to have verified ownership of the caller ID and observed clean traffic. B/C tiers get more spam-flagged. Don't let it drift.

EU-specific notes (LYLIX Frankfurt)

The EU regime is the ePrivacy Directive (2002/58/EC, amended 2009/136/EC) plus GDPR. Unsolicited automated calls require prior consent across all EU member states — there is no "established business relationship" exemption broadly recognized.

National implementations vary in penalties and specifics. If you're dialing EU subjects from a LYLIX Frankfurt host, treat the regulatory floor as "prior opt-in consent recorded per subject, retainable for the audit period your national authority specifies." Consult local counsel.