SalesPulse
Start Free Trial
ComplianceTCPA complianceinsurance agent compliance

TCPA Compliance for Insurance Agents: 2026 Guide

A practical TCPA compliance guide for insurance agents — consent rules, calling windows, DNC scrubbing, and how to avoid five-figure fines in 2026.

Kyle Elliott, Founder, SalesPulseMay 6, 202613 min read

If you sell insurance — life, Medicare, final expense, annuities, P&C — the Telephone Consumer Protection Act (TCPA) is the single most expensive law you can break by accident. A single unsolicited autodialed call to a wrong number can carry statutory damages of $500 to $1,500. Class actions have settled for tens of millions. And in 2024, the FCC closed the so-called "lead generator loophole," forcing every agent to obtain one-to-one consent from the actual consumer before calling them.

Most agents I talk to think they're compliant because they "don't robocall" or "buy good leads." Both assumptions are wrong, and both are getting agents sued in 2026. This guide walks through the rules you actually have to follow, the gray areas where most violations happen, and the operational checklist your CRM, dialer, and SMS system need to enforce so you can prospect aggressively without becoming a defendant.

What the TCPA Actually Regulates

The TCPA was passed in 1991, but the rules that affect insurance agents today are the result of decades of FCC orders, court decisions, and the FCC's 2023–2024 modernization. Strip away the legal language and the law regulates four things: who you can call, how you can call them, when you can call them, and what records you have to keep.

For insurance prospecting specifically, four federal regimes overlap and you have to comply with all of them simultaneously: the TCPA itself, the FCC's implementing rules, the FTC's Telemarketing Sales Rule, and state-level mini-TCPAs (Florida, Oklahoma, Washington, and Maryland are particularly aggressive). On top of that, most carriers have their own contractual rules that mirror or exceed the federal floor.

The penalty structure is what makes this an existential risk for small agencies. Each violating call or text is $500 in statutory damages, tripled to $1,500 if the violation is willful. There is no cap. A single agent making 100 dials a day to the wrong list can manufacture seven figures of liability inside a quarter, which is why TCPA class actions are one of the highest-volume areas of consumer litigation in the country.

The Consent Rules That Trip Up Insurance Agents

Insurance is a heavily prospected vertical, which means most TCPA exposure comes from cold and warm outreach gone wrong. There are three consent levels, and you need to know which one applies before you press "dial."

No Consent Required: Manual Calls to Non-DNC Numbers

If you are personally dialing a number that is not on the National Do Not Call Registry, not on your internal DNC list, and you are not using an autodialer or prerecorded voice, the TCPA's most punitive sections don't apply. You still have to honor calling windows, identify yourself, and stop on request — but a manually dialed live conversation is the lowest-risk way to prospect.

The catch: most modern dialers are arguably autodialers under the FCC's current definition, which includes any system that can store or produce numbers using a random or sequential number generator. Power dialers that pull from a list aren't necessarily autodialers, but the line is blurry. SalesPulse's power dialer is built so that each call requires explicit agent action to initiate, keeping you on the manual side of the line.

Prior Express Consent: For Informational Calls

Informational calls — appointment reminders, policy renewal notices, claim updates — require prior express consent. That consent can be implied when a customer gives you their phone number for that purpose. If a client puts their cell number on your intake form and you call to remind them about their underwriting appointment, you're fine.

Prior Express Written Consent: For Marketing

This is where most violations live. Any autodialed call, prerecorded message, or text that is marketing in nature — including a "courtesy quote" follow-up to a web lead — requires prior express written consent (PEWC) under TCPA Section 227(b). Written consent can be electronic (an unchecked checkbox on a web form), but it must include specific disclosures: the consumer's signature, the seller's name, a clear statement that the consumer agrees to receive marketing calls/texts including via autodialer or prerecorded voice, and a statement that consent is not a condition of purchase.

The 2024 FCC order made one-to-one consent mandatory. A consumer who fills out a comparison site form can no longer be "shared" with 50 carriers. They have to consent to each seller individually, by name, on the same web page, and the topics of those calls must be "logically and topically associated with the interaction that prompted the consent."

The DNC Lists You Have to Scrub Against

There is no single DNC list. There are at least four you need to check before any marketing call:

The National Do Not Call Registry is the federal list. Any number registered there has been off-limits for 31+ days. Penalties for unsolicited calls to registered numbers are up to $51,744 per violation (FTC ceiling) plus TCPA statutory damages.

State DNC lists exist in about 15 states, with their own rules and registration processes. Some states (notably Florida) require separate registration as a telemarketer before any commercial calls.

Your internal DNC list is mandatory under federal law. Anyone who tells you "stop calling" — verbally, by text, by email, or by hanging up after a request — must be added and never contacted again, period. Most TCPA judgments hinge on whether the agent could prove a robust internal DNC system existed.

The reassigned numbers database is the FCC-run database (operated by Somos) that tells you when a phone number has been reassigned to a new owner. Calling a number that has been reassigned is a violation even if the original consumer consented, unless you queried the database and got a "no" response within the safe harbor window.

A compliant prospecting workflow scrubs every list before it is dialed, ideally inside your CRM so it cannot be skipped. SalesPulse's lead management layer enforces DNC checks at import and re-checks before each outreach attempt, with timestamps stored for the four-year audit window.

Calling Windows and Quiet Hours

Federal law restricts marketing calls and texts to between 8:00 a.m. and 9:00 p.m. in the consumer's local time zone. State law often tightens that further: Florida's mini-TCPA shrinks the window to 8:00 a.m. to 8:00 p.m. and limits commercial outreach to no more than three attempts per 24 hours per device.

The compliance trap here is time zones. An agent sitting in Phoenix who dials a Boston lead at 6:30 a.m. local time is hitting the prospect's phone at 9:30 a.m. — perfectly fine. The same agent dialing a California lead at 6:30 a.m. local time is hitting them at 5:30 a.m. local — a violation. Modern CRMs route calls through a time-zone aware scheduler that simply refuses to dial outside the legal window for the recipient's location. If your system doesn't enforce this, every dial is a coin flip on liability.

SMS and A2P 10DLC Compliance

Text messaging carries the same TCPA exposure as calling, plus an additional carrier-level compliance regime. Every commercial SMS sent through US carriers must originate from a registered A2P 10DLC campaign tied to a registered Brand. Without registration, your messages get filtered, fined, or both.

The intersection of TCPA and A2P 10DLC is where most insurance agencies underestimate the work. TCPA tells you what consent you need to legally send the text. A2P 10DLC tells the carriers what content, opt-in flow, and sender identity you've registered. A message that is TCPA-compliant can still be blocked or fined by carriers if your A2P registration doesn't match what you're actually sending. We dug into the carrier side in our guide to A2P 10DLC registration for insurance agents — pair that with the consent rules above and you'll have both halves of the equation locked.

Three SMS-specific rules every insurance agent should hard-wire:

  • Every marketing text must include the sender's identity and clear opt-out instructions ("Reply STOP to unsubscribe") on the first message in a conversation, not just on subsequent messages.
  • Opt-out keywords must be processed in real time. STOP, END, QUIT, CANCEL, and UNSUBSCRIBE all have to immediately stop further messaging from that number.
  • Frequency disclosures matter. If you advertised "monthly tips" in your opt-in language, you can't send daily quote reminders. Match your sending behavior to your registered consent.

Prerecorded Voice, Voicemail Drops, and AI Voice Agents

Any call that delivers a prerecorded or artificial voice message to a residential or wireless number requires prior express written consent — even if the message is informational. Ringless voicemail (RVM) drops are treated as calls under most current court interpretations, and several federal circuit courts have specifically held that RVMs to consumer cell phones are TCPA-regulated.

AI voice agents — the kind that have actual conversations with prospects — sit in newer legal territory. The FCC issued a 2024 declaratory ruling confirming that calls using AI-generated voices fall under the TCPA's "artificial or prerecorded voice" provisions, meaning PEWC is required for any marketing use. Disclosure of AI use is also becoming a state-level requirement (California's AB 2655 and similar bills are moving through other states).

That doesn't make AI voice unusable — it makes it consent-gated. SalesPulse's AI voice agents are deployed exclusively against opted-in contacts inside the consent framework you've already established, and every call discloses that the consumer is speaking with an AI assistant. Used on the right list, AI calling is one of the highest-leverage tools in modern insurance prospecting. Used on the wrong list, it's a class action waiting to happen.

Record-Keeping: The Four-Year Rule

The TCPA's statute of limitations is four years. That means every consent record, every DNC scrub timestamp, every opt-out request, and every sent message has to be retrievable for four years after the last contact. In practice, you want longer — most plaintiff's firms request five years of records during discovery.

What "records" actually means in a courtroom:

  • The exact form, language, and version of consent the consumer agreed to
  • A timestamp and IP address tied to that consent
  • The DNC scrub results for the consumer's number, with timestamps
  • The full outreach log — calls, texts, voicemails, with dates, times, and channel
  • Any opt-out request and the timestamp of when it was processed
  • The internal DNC list with the date each entry was added

If your CRM doesn't hold all of this in one place, you'll never assemble it under deposition pressure. This is why most TCPA defendants settle even when they think they did nothing wrong — the cost of producing records is sometimes higher than the settlement.

A 10-Step TCPA Compliance Checklist for Insurance Agents

Print this, post it where you can see it, and audit yourself quarterly:

  1. Register every device you call from with the National DNC Registry as a seller (not just your agency).
  2. Maintain a written TCPA compliance policy and require every agent and ISA to read and sign it annually.
  3. Use a CRM that scrubs against National DNC, state DNC, internal DNC, and the reassigned numbers database before every outreach.
  4. Capture and store one-to-one written consent for every lead, with the exact form copy, IP address, and timestamp preserved for at least four years.
  5. Configure your dialer to enforce time-zone-correct calling windows automatically.
  6. For texting, register all 10DLC campaigns with accurate brand details, opt-in flow descriptions, and sample content matching what you actually send.
  7. Process opt-outs in real time across all channels — voice, SMS, email — and propagate them to every connected system.
  8. Document the consent flow for every lead source you buy from, and require lead vendors to indemnify you against TCPA violations in writing.
  9. Disclose AI use on any AI-driven voice or chat interaction, and obtain explicit consent for AI-driven outreach.
  10. Run a quarterly internal audit pulling random records and verifying that every required artifact is present and retrievable.

How CRM Architecture Decides Your TCPA Risk

The biggest predictor of whether an agency will eventually face a TCPA action is not how aggressive they are — it's whether their tooling makes compliance the default or the exception. If a single agent can override the DNC check, dial outside the window, or send a text without an A2P registration, somebody eventually will. If the system simply refuses, the violations don't happen.

When evaluating CRMs, the compliance questions to ask are concrete. Does the platform scrub against all four DNC lists at import and pre-dial? Does it enforce time-zone windows automatically? Does it preserve consent records with version history? Does it route SMS exclusively through registered A2P campaigns? Does it propagate opt-outs across voice, text, and email simultaneously? If the answer to any of those is "you have to remember to do that," your compliance is one mistake away from collapsing. We walked through the broader framework in our guide on how to choose an insurance CRM — TCPA enforcement should be a non-negotiable line item.

What to Do If You Get a TCPA Demand Letter

If a demand letter shows up — and if you prospect at any volume, eventually one will — three things matter in the first 48 hours.

First, do not call the consumer. Any further contact converts a single-violation case into a willful, multi-violation case at $1,500 per touch.

Second, immediately preserve every record related to that consumer. Lock the contact in your CRM so no further changes are recorded against it, export the full activity log, and pull the original consent record with timestamp and IP.

Third, get a lawyer who has actually defended TCPA cases. This is not general practice work. The plaintiff's bar in this space is sophisticated, and the defenses (consent, manual dialing, EBR, established business relationship) all hinge on technical interpretations of recent rulings.

The Bigger Picture

TCPA compliance feels like a tax on growth, but in practice it's a forcing function for higher-quality prospecting. Agents who scrub their lists, capture real consent, and call only the people who actually want to hear from them close at higher rates than agents who blast everyone with everything. The legal protection is a side effect of the better sales outcomes.

The era of buying $5 shared leads and dialing them with no consent is over. The agents who win in 2026 are the ones who treat compliance infrastructure as a competitive advantage — because every competitor cutting corners is one demand letter away from being out of the business.

Start for free — no credit card required

Ready to Transform Your Insurance Sales?

Join thousands of insurance agents using SalesPulse to automate follow-ups, power their dialers, and close more deals — all in one platform for $79/month.

Start Your Free TrialView Pricing
Share:TwitterLinkedIn

Related Articles

April 22, 2026 · 11 min read

NAIC Compliance for Insurance Agents: 2026 Guide

Read article