How to Defend a Do-Not-Call Violation Case using the Safe Harbor Defense


In order to use the safe harbor defense against a TCPA privacy or automated calling suit, good record keeping is critical.


The TCPA allows individuals to sue companies in state or federal court for violations of the law, including failure to honor a company specific “do-not-call” request or making an illegal prerecorded telephone call.

There are two types of restrictions in the TCPA, however, and a lawsuit will differ depending on what type of restriction the plaintiff alleges has been violated.

First, the private cause of action for violations of the restrictions on use of automated telephone equipment is found at 47 U.S.C. § 227(b)(3). These actions involve illegal prerecorded calls or calls to cell phones. A plaintiff can sue under this section even if he or she has received only one call.

Next, the private cause of action for violations of protection of subscriber privacy rights (i.e. “do-not-call” requests or national “do-not-call” list) reads slightly differently and is set forth at 47 U.S.C. § 227(c)(5):

Private right of action. A person who has received more than one telephone call within any 12-month period by or on behalf of the same entity in violation of the regulations prescribed under this subsection may, if otherwise permitted by the laws or rules of court of a State bring in an appropriate court of that State—

    (A) an action based on a violation of the regulations prescribed under this subsection to enjoin such violation,

    (B) an action to recover for actual monetary loss from such a violation, or to receive up to $ 500 in damages for each such violation, whichever is greater, or

    (C) both such actions.

  It shall be an affirmative defense in any action brought under this paragraph that the defendant has established and implemented, with due care, reasonable practices and procedures to effectively prevent telephone solicitations in violation of the regulations prescribed under this subsection. If the court finds that the defendant willfully or knowingly violated the regulations prescribed under this subsection, the court may, in its discretion, increase the amount of the award to an amount equal to not more than 3 times the amount available under subparagraph (B) of this paragraph.

Id. (emphasis added).

There are two big differences (there are other small differences, as well) for distinguishing TCPA privacy suits from TCPA automated calling suits: 1) the plaintiff must have received more than one illegal call, and 2) the defendant has a “good faith” or “safe harbor” defense if it can prove certain compliance measures and that a subsequent call was sent as a result of error.

The key to defending such a suit using the safe harbor defense is good record keeping. You should keep records regarding “do-not-call” compliance for a period of at least five years (the Telemarketing Sales Rule’s statute of limitations).  A safe harbor defense requires that you have in place:

1.  Written procedures to comply with the national “do-not-call” rules including a process to prevent telephone solicitations to any telephone number on any list established pursuant to the “do-not-call” rules, employing a version of the national do-not-call registry obtained from the administrator of the registry no more than 31 days prior to the date any call is made, and maintains records documenting this process;

2.  Records showing training of personnel, and any entity assisting in its compliance, in procedures established pursuant to the national “do-not-call” rules;

3. Records showing compliance with company specific “do-not-call” requests;

As you may know, the FTC’s Telemarketing Sales Rule contains similar restrictions to the TCPA enforceable by the FTC and state Attorneys General. Because the statute of limitations for the TSR is longer (five years instead of four years) than the TCPA’s, you need to keep the safe harbor records for at least five years.

If you have good records, you have the start needed to defeat a TCPA private action based on privacy restrictions.