Your Internal Do-Not-Call Policy: What the Law Actually Requires Beyond the National Registry
If you make calls to consumers, here's a trap I've watched good operators fall into: they scrub the National Do-Not-Call Registry religiously, pat themselves on the back, and assume they're covered. They aren't. The National Registry is a separate obligation from your own internal, company-specific do-not-call list. You need both. And the internal one is the piece that most teams either skip entirely or fake with a spreadsheet nobody trained anyone to use.
The internal do-not-call rule is where a lot of TCPA lawsuits actually land, because it's easy to prove you didn't have the paperwork. This is a walk through what the federal rules literally require, and how I'd build a policy that survives a plaintiff's attorney reading it back to you in a deposition.
The rule most people never read: 47 CFR 64.1200(d)
The FCC's TCPA regulations flatly prohibit telephone solicitations unless you've first put internal procedures in place. The regulation lists six specific components, and they are not suggestions.
The literal requirement
47 CFR 64.1200(d) states that persons or entities making calls for telemarketing purposes "must have a written policy, available upon demand, for maintaining a do-not-call list." The six subparts (d)(1)-(d)(6) each impose a distinct, independently enforceable obligation.
Here are the six components, straight from the current regulation:
- (d)(1) Written policy. You must have a written do-not-call policy, and it has to be "available upon demand." Not a policy in your head. Not tribal knowledge. A document.
- (d)(2) Training of personnel. Anyone "engaged in any aspect of telemarketing must be informed and trained in the existence and use of the do-not-call list." Training the closer isn't enough if the appointment-setter never heard of it.
- (d)(3) Recording and honoring requests. When someone asks not to be called, you must "record the request and place the subscriber's name, if provided, and telephone number on the do-not-call list at the time the request is made," and honor it "within a reasonable time... This period may not exceed ten (10) business days from the receipt of such request."
- (d)(4) Identifying the caller. On the call, you must provide "the name of the individual caller, the name of the person or entity on whose behalf the call is being made, and a telephone number or address at which the person or entity may be contacted."
- (d)(5) The affiliated-persons rule. Absent a specific request otherwise, a do-not-call request "shall apply to the particular entity making the call... and will not apply to affiliated entities unless the consumer reasonably would expect them to be included given the identification of the caller and the product being advertised."
- (d)(6) Record retention. You "must maintain a record of a consumer's request not to receive further calls," and "a do-not-call request must be honored for 5 years from the time the request is made."
The 10-day window is a hard ceiling
"A reasonable time" is the standard, and ten business days is the outer wall you may not exceed. If a request sits in someone's inbox for three weeks before it hits the list, you've already violated (d)(3) even if you never actually re-dialed the number. Build your logging so honoring is same-day, not eleventh-hour.
The 5-year record you'll wish you had
Subpart (d)(6) is the one that quietly wins or loses cases. It's not enough to stop calling someone. You have to keep the record that they asked, and honor it for five years. When a plaintiff claims they told you to stop, your defense is a dated, timestamped log entry showing exactly when the request came in and when it was honored. No record, no defense.
Treat that five-year clock as a floor for the request itself. In practice, I keep the surrounding evidence, call recordings, agent notes, the CRM event, for as long as I hold the internal list, because the request record is only as credible as the trail around it.
The FTC's parallel rule: the Telemarketing Sales Rule
If the FCC's rule were the only one, life would be simpler. It isn't. The FTC enforces the Telemarketing Sales Rule (TSR), and it has its own entity-specific do-not-call obligation plus the National Registry scrub cadence.
- Entity-specific DNC, 16 CFR 310.4(b)(1)(iii)(A). It's an abusive practice to call a person after that person "previously has stated that he or she does not wish to receive an outbound telephone call made by or on behalf of the seller whose goods or services are being offered." That's the TSR's version of your internal list.
- National Registry scrub, 16 CFR 310.4(b)(3)(iv). To claim the safe harbor, you must employ "a version of the 'do-not-call' registry obtained from the Commission no more than thirty-one (31) days prior to the date any call is made," and maintain records documenting that process.
Two lists, two clocks
The National Registry (scrubbed at least every 31 days per the TSR) protects consumers who don't want calls from anyone. Your internal list protects consumers who don't want calls from you specifically. A number can be clean on the National Registry and still be on your internal do-not-call list, and calling it is still a violation.
The TSR safe harbor in 16 CFR 310.4(b)(3) also expects you to have "established and implemented written procedures" and to have "trained its personnel... in the procedures established." Notice the pattern: written procedures plus training show up in both the FCC and FTC rules. That overlap is your blueprint.
The Operator’s Compliance Brief
What changed in lead-gen compliance, and what to do about it. Free, no spam.
Why a national scrub isn't enough: the state layer
Here's where operators get blindsided. Federal law sets a floor, not a ceiling. A number of states run their own do-not-call regimes and mini-TCPA statutes with tighter rules, their own state registries, narrower calling windows, and in several states, private rights of action with statutory damages that stack on top of the federal exposure.
A once-a-month National Registry scrub does nothing for a state-specific list you never pulled, and it does nothing for a caller-specific request logged under a state statute with a shorter honor window than ten days. Your internal policy has to be the layer that absorbs all of it: federal, state registry, and the individual "stop calling me" your rep heard on Tuesday.
Design to the strictest rule you touch
Rather than maintaining a maze of per-state honor windows, I set the internal standard to the tightest one that applies across the states I call into, and honor every request there. It's simpler to operate, easier to train, and it means a surprise state audit finds you already compliant instead of scrambling.
Building a policy that actually holds up
The regulation tells you the components. Here's how I'd operationalize them so the paperwork matches reality:
- Write the actual policy document. Name who owns the internal DNC list, how a request gets captured, the honor window (I use "same business day, never exceeding the federal ten-business-day ceiling"), the retention period (minimum five years), and who can access and edit the list. Keep it "available upon demand" per (d)(1), a shared, versioned doc, not a file on one person's laptop.
- Train everyone who touches a phone, and log the training. Appointment-setters, closers, retention, vendors calling on your behalf. Date every training session and keep sign-offs. The record of training is itself evidence for the safe harbor.
- Log requests at the moment they happen. The rule says "at the time the request is made." Give reps a one-click way to flag a number in the CRM the instant they hear "don't call me," capturing timestamp, the number, name if given, channel, and who took the request.
- Honor across channels and across systems. A do-not-call request should propagate to every dialer, list, and campaign, not just the one that made the call. If your SMS and email suppression live in different systems, make sure a phone opt-out that also signals other channels is respected everywhere it legally should be.
- Keep an audit trail you can hand to a lawyer. Immutable, timestamped log entries; regular exports; documented proof of your National Registry pulls dated within 31 days. The goal is that when someone claims you called after they opted out, you can produce the record faster than they can finish the sentence.
The affiliated-persons trap
Under (d)(5), a request generally applies only to the specific entity that called, not automatically to your affiliates, but only if your caller identification and product made that scope clear to the consumer. If you brand loosely across a family of companies, a consumer could "reasonably expect" the opt-out to cover all of them. Get this scoping wrong and one opt-out you thought was narrow becomes a violation across your whole portfolio.
None of this is exotic. It's a document, a training log, a suppression workflow, and disciplined record-keeping. The reason it matters is that every one of the six components is independently provable, which means it's independently disprovable when you skip it. Build the boring version well and it quietly protects you for years.
Not legal advice
This is a practical field guide for operators, not legal advice. Compliance rules change and turn on your specific facts. Confirm anything here with a qualified telemarketing/TCPA attorney before you rely on it.
Sources
- 47 CFR 64.1200 - Delivery restrictions — Electronic Code of Federal Regulations (eCFR) (accessed 2026-07-03)
- 16 CFR 310.4 - Abusive telemarketing acts or practices — Electronic Code of Federal Regulations (eCFR) (accessed 2026-07-03)
- 47 CFR 64.1200 — Cornell Law School Legal Information Institute (accessed 2026-07-03)
- Complying with the Telemarketing Sales Rule — Federal Trade Commission (accessed 2026-07-03)
30+ years in lead gen · BRSG Founder
Bill Rice has spent 30+ years in mortgage, lending, and performance marketing — generating leads, buying them, and building the systems that route and work them. He founded a performance-marketing agency, owned a direct-to-consumer lender, and wrote The Lead Buyer's Playbook. He built Lead Compliance Hub to help operators navigate the legal landmines of online lead generation from an operator's seat, not a law firm's. Nothing he writes here is legal advice.
Key Terms to Know
FCRA
The Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.), the federal law governing how consumer reports may be furnished and used — including the prescreen/firm-offer exception at § 1681b(c).
Firm Offer of Credit
Under FCRA § 603(l), an offer of credit or insurance that will be honored if the consumer meets pre-selected criteria. It supplies the “permissible purpose” that historically made prescreened trigger-lead solicitations lawful without consumer consent.
HPPA
The Homebuyers Privacy Protection Act — H.R. 2808, Public Law 119-36, signed September 5, 2025, effective 180 days later (≈ March 4, 2026). It restricts when credit bureaus may sell a mortgage trigger lead to a third party.
Mini-TCPA
A state telemarketing statute that is stricter than the federal TCPA — for example Florida’s and Oklahoma’s. These laws can impose their own consent standards and private rights of action, so federal compliance alone is not enough.
One-to-One Consent
The FCC rule that would have required a consumer’s TCPA consent to name a single specific seller. It was vacated by a federal appeals court in 2025 before taking effect — but state mini-TCPAs and the underlying PEWC standard still govern.
Permissible Purpose
The FCRA requirement that a consumer report may only be furnished for an enumerated reason. A “firm offer of credit or insurance” not initiated by the consumer is one such permissible purpose.
The Operator’s Compliance Brief
What changed in lead-gen compliance, and what to do about it. Free, no spam.