Why this matters
Compliance fines bankrupt small marketers. A single TCPA class action can hit $5M+. GDPR fines can reach 4% of global annual turnover. Most violations are accidental — marketers just don't know the rules. Here's the plain-English version for the 5 markets that matter most.
🇺🇸 US — TCPA + state DNC
Rules
- Express written consent required to call/SMS for promotional purposes
- National DNC registry — call/SMS to registered numbers = $500/violation, $1,500 if willful
- State DNC lists in TX, MO, FL, IN, LA, TN — separate registration, separate fines
- 9pm-8am quiet hours in recipient's local time
- STOP keyword for SMS — must honor opt-outs immediately
- 10DLC registration for any commercial SMS via long codes (since 2022)
- 4-year consent retention requirement
What "consent" actually means
A checkbox that was unchecked by default and that they ticked themselves, next to wording such as "I agree to receive marketing calls/texts at this number". NOT enough: pre-checked boxes, opt-in buried in terms-of-service, "by submitting this form you agree...".
What's exempt
B2B calls to office numbers, transactional/informational calls (delivery updates, account alerts), surveys/political/religious — but state laws vary, so check every market.
🇪🇺 EU — GDPR + ePrivacy
Rules
- Specific consent per channel — opting in for email doesn't cover SMS or calls
- Soft opt-in allowed for existing customers (similar product, easy unsubscribe)
- Easy withdrawal — must be as easy to opt out as it was to opt in
- Data minimization — only collect what you need
- Right to erasure (Art. 17) — must delete on request
- Right of access (Art. 15) — must provide data export on request
- Privacy notice at point of collection
- 72-hour breach notification to authorities
- Fines up to €20M or 4% of global revenue (whichever higher)
The cookie part
Any non-essential cookie (analytics, ads) requires explicit opt-in via a banner. Pre-checked = invalid. "Accept all" + "Reject" must be equally prominent.
🇬🇧 UK — UK GDPR + PECR + TPS
Post-Brexit, UK kept GDPR (renamed UK GDPR) plus its own additions:
- PECR — Privacy and Electronic Communications Regulations — covers SMS, email, calls, cookies
- TPS (Telephone Preference Service) — UK's national DNC. Mandatory wash before any cold call to UK numbers.
- CTPS — Corporate TPS, applies to B2B numbers too
- Soft opt-in exception works similarly to the EU's
- Fines up to £17.5M or 4% of global revenue
🇨🇦 Canada — CASL
- Express opt-in required for every commercial electronic message (CEM)
- Two-year implied consent window for existing customers
- Identification + opt-out required in every message
- Fines up to CAD $10M per violation
- One of the strictest regimes globally — assume CASL applies and you're rarely wrong
🇦🇺 Australia — Spam Act + DNCR
- Express or inferred consent required (inferred = strong existing relationship)
- Do Not Call Register — register your campaign + wash before each send
- Identify sender + provide opt-out in every commercial message
- Fines up to AUD $2.2M per day for repeat breaches
🇮🇳 India — DLT registration (TRAI)
- DLT (Distributed Ledger Technology) registration required to send any commercial SMS to Indian numbers
- Sender ID + every template must be pre-registered with the operator
- Unregistered SMS = blocked at the carrier
- WhatsApp traffic outside the official Business API is technically against TRAI rules but loosely enforced
The 5-point compliance routine for every campaign
- Identify markets — which countries are you targeting?
- Wash against DNC for every targeted market
- Verify consent for every record (express, soft opt-in, or B2B exemption)
- Honor quiet hours by recipient timezone
- Include identification + easy opt-out in every message
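As an added example, not code from the original page, here is a pre-send gate in Python that applies the five steps above to each contact record: DNC wash results, a per-market consent basis, quiet hours in the recipient's timezone, and sender identification plus opt-out in the message body. The DNC hits, the per-market consent table and the two-year Canadian window are constructed, hypothetical encodings of the rules in this guide, not data from any real registry.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo

# Constructed sample data, not a real registry: numbers the DNC wash flagged, by market.
DNC_HITS = {"US": {"+15550100001"}, "GB": set(), "CA": set()}
# Consent basis each market accepts, as a hypothetical encoding of the rules above.
ALLOWED_CONSENT = {"US": {"express", "b2b"}, "GB": {"express", "soft_opt_in"},
                   "CA": {"express", "soft_opt_in"}}
SOFT_CONSENT_MAX_AGE = {"CA": timedelta(days=2 * 365)}  # Canada's two-year implied window
QUIET_HOURS = {"US": (21, 8)}  # TCPA 9pm-8am in local time; the window wraps midnight

@dataclass
class Contact:
    number: str                  # E.164
    market: str                  # country code selecting DNC list, consent rules, quiet hours
    tz: str                      # recipient's IANA timezone, e.g. "America/Chicago"
    consent: str | None          # "express", "soft_opt_in", "b2b" or None
    consent_at: datetime | None  # tz-aware capture time; this is the audit record
    opted_out: bool = False      # STOP or any unsubscribe ever received

def in_quiet_hours(contact: Contact, now: datetime) -> bool:
    """True if the recipient's local clock is inside the market's quiet window."""
    start, end = QUIET_HOURS.get(contact.market, (0, 0))  # (0, 0) means no window
    hour = now.astimezone(ZoneInfo(contact.tz)).hour
    return (hour >= start or hour < end) if start > end else (start <= hour < end)

def blocking_reasons(contact: Contact, now: datetime) -> list[str]:
    """Run the routine's checks; an empty list means the record may be messaged now."""
    reasons = []
    if contact.opted_out:
        reasons.append("opted out")
    if contact.number in DNC_HITS.get(contact.market, set()):
        reasons.append("on DNC list")
    if contact.consent not in ALLOWED_CONSENT.get(contact.market, set()):
        reasons.append("no consent basis valid in this market")
    elif contact.consent_at is None:
        reasons.append("consent has no captured timestamp")
    elif (contact.consent == "soft_opt_in" and contact.market in SOFT_CONSENT_MAX_AGE
          and now - contact.consent_at > SOFT_CONSENT_MAX_AGE[contact.market]):
        reasons.append("implied consent older than two years")
    if in_quiet_hours(contact, now):
        reasons.append("inside quiet hours")
    return reasons

def compose(sender: str, body: str) -> str:
    """Every outbound message carries sender identification and an opt-out."""
    return f"{sender}: {body} Reply STOP to opt out."
```

Run `blocking_reasons` for every record immediately before each send, and log the returned reasons alongside the record: that log is the DNC wash and consent evidence the documentation section below asks you to keep.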
The boring documentation that saves you
If a regulator comes asking, you need to show:
- Source of every contact (which form, when, IP, opt-in checkbox state)
- DNC wash logs with dates
- Opt-out timestamp for every unsubscribe
- Privacy notice version shown at time of collection
Most CRMs and email tools store this automatically — confirm yours does.
Where reputable lead vendors fit in
A good lead vendor handles compliance scaffolding for you:
- Pre-DNC-scrubbed for major markets
- Source documentation provided on request (opt-in proof)
- Updated against new state DNC adds
- Clear marker for sensitive jurisdictions
You're still the data controller — but starting from compliant data dramatically reduces your risk.
Disclaimer
This isn't legal advice. Every campaign needs local-counsel sign-off if you're at meaningful scale. Use this as a self-audit starting point.