TCPA List Hygiene 2026: DNC, Reassigned and Litigator Scrubbing

A single wrong call can cost you 500 dollars. Make that call willfully or repeatedly and the number triples to 1,500 dollars. Now multiply that across an autodialed campaign of tens of thousands of records, add a class action, and you have the kind of exposure that ends companies. This is the world of the Telephone Consumer Protection Act, and in 2026 the rules around it are stricter, the plaintiffs are more organized, and the cost of a dirty list is higher than it has ever been.

This guide is about TCPA compliance phone scrub work: the unglamorous but essential discipline of cleaning a calling list against the right suppression sources before anyone dials. We will cover the four pillars of modern list hygiene, the Do Not Call registry, the reassigned number database, internal suppression, and litigator lists, plus how to log every scrub so that if a demand letter ever lands on your desk, you have a defense instead of a panic attack.

This is not legal advice. It is an operational playbook for the people who actually run the lists. When the stakes are this high, talk to a qualified TCPA attorney about your specific program. What follows will help you ask the right questions and build the right process.

What the TCPA actually regulates#

Before diving into list hygiene, it helps to understand what the statute covers, because the scope is broader than most people assume. The TCPA governs how businesses may use telephones, autodialers, prerecorded and artificial voice messages, text messages, and fax machines to contact consumers. The provisions that drive most modern litigation cluster around a few themes:

• Autodialed and prerecorded calls and texts to wireless numbers. Calls and texts placed using regulated dialing technology or an artificial or prerecorded voice to a cell phone generally require prior express consent, and where the call is telemarketing, prior express written consent. This is the single most litigated area, because so much outbound marketing runs through dialers and SMS platforms.
• Calls to numbers on the Do Not Call Registry. Telemarketing calls to registered numbers are restricted absent an exemption.
• Calling time restrictions. Telemarketing calls are limited to specific local-time hours.
• Identification and opt-out requirements. Callers must identify themselves and honor stop requests.

What makes the TCPA dangerous is the combination of statutory damages and the volume of modern outreach. Because each violation carries a fixed dollar penalty regardless of actual harm, and because a single campaign can generate thousands of potential violations, the math scales into class-action territory fast. The defense is almost never “we did not call them.” It is “we called them lawfully, and here is the record that proves it.” That record is what list hygiene produces.

A quick vocabulary note, because these terms get used loosely. Scrubbing means comparing your list against a suppression source and removing matches. A suppression source is any list that tells you not to call a number: the DNC registry, the RND, your internal list, a litigator list. Consent is the consumer’s documented permission to be contacted, and it is the thing that makes a call lawful in the first place. List hygiene is the discipline of keeping consent valid and suppression current across all four sources at once.

Why TCPA list hygiene is non-negotiable in 2026#

The TCPA was passed in 1991 to curb abusive telemarketing. Three decades later it has become one of the most litigated consumer protection statutes in the United States, largely because it pairs strict liability with statutory damages that do not require the plaintiff to prove any actual harm. You do not have to have hurt anyone. You just have to have called a number you were not allowed to call.

Several forces have converged to make 2026 a particularly dangerous year to run sloppy lists:

• Repeat litigators are industrialized. A large share of TCPA lawsuits are now filed by a relatively small group of serial plaintiffs who treat unwanted calls as a revenue stream. Industry analyses have attributed roughly a third to over 40 percent of TCPA filings in recent years to repeat filers. These plaintiffs seed their numbers across data brokers and lead lists specifically so they get called.
• Reassigned numbers are a litigation magnet. Around 100,000 mobile numbers are reassigned by carriers every single day. Consent under the TCPA attaches to the person, not the phone number, so the moment a number changes hands your prior consent evaporates. Estimates suggest that as much as 20 percent of an aging consumer contact list can be reassigned numbers.
• One-to-one consent narrowed the funnel. The FCC’s one-to-one consent framework reshaped how lead consent is interpreted. The era of a single checkbox consenting a consumer to “partners and affiliates” is over in spirit, even as specific rules have shifted through litigation and rulemaking. Consent records now need to clearly identify who is allowed to call.

The practical takeaway is simple. Running a batch suppression pass before every campaign is no longer a nice-to-have. It is table stakes, and the absence of it is the first thing a plaintiff’s attorney will look for.

The four pillars of a defensible phone scrub#

A complete tcpa list hygiene process checks each number against four distinct categories of suppression. Skipping any one of them leaves a hole that a litigator can drive a class action through.

1. The National Do Not Call Registry (DNC)#

The National Do Not Call Registry is the foundation. Consumers add their numbers to tell telemarketers to stop calling. The TCPA and the related Telemarketing Sales Rule generally prohibit telemarketing calls to numbers on the registry, with limited exceptions such as an established business relationship or express written consent.

DNC obligations are layered:

• Federal DNC. The national registry maintained by the FTC. This is the baseline every telemarketer must scrub against.
• State DNC lists. Several states maintain their own registries with their own rules, and some are stricter than the federal version. A list that spans the country needs state-level scrubbing too.
• Wireless DNC. Specific rules govern calls to wireless numbers, which is one reason knowing line type up front matters so much. If you cannot tell a mobile from a landline, you cannot apply the right rule.

DNC scrubbing is the single most direct lawsuit-prevention investment available to an outbound operation, because so many filings hinge on a call to a registered number.

2. The Reassigned Numbers Database (RND)#

This is the pillar most teams underestimate. The FCC created the Reassigned Numbers Database to solve a specific problem: you obtained valid consent from a person, that person gave up their number, the carrier reassigned it to a stranger, and now your perfectly consented call goes to someone who never agreed to anything.

Here is how the RND actually works:

• Carriers must wait a minimum of 45 days between permanently disconnecting a number and reassigning it. This aging period creates a window during which the database can reflect the disconnection.
• You query the database with two inputs: the phone number and the date you obtained consent. The database checks whether the number was permanently disconnected at any point after your consent date.
• You get back one of three responses. “No” means the number has not been disconnected or reassigned since your consent date, so you can proceed if you otherwise have consent. “Yes” means it may have been reassigned, so you should suppress it. “No Data” means the database cannot answer, often because your consent date predates the records carriers were required to keep.

The RND came online for paid subscribers on November 1, 2021, and access is sold in tiers based on projected query volume, scaling all the way up to roughly 357,000 dollars per year for the largest subscriptions. You register at the official site. For high-volume callers, third-party compliance vendors often resell or bundle RND access alongside other scrub services.

The reason the RND matters so much is the safe harbor attached to it.

3. Internal Do Not Call and consent records#

Federal law requires telemarketers to maintain their own internal Do Not Call list. When a consumer asks you specifically to stop calling, that request must be honored and the number suppressed, typically for at least five years. This is separate from the national registry and applies even to consumers who have given consent for other purposes.

Your internal suppression should capture:

• Every opt-out and stop request, by channel and timestamp
• Numbers tied to complaints, disputes, or demand letters
• Numbers your reps flag as wrong-party or hostile
• Expired or revoked consent

Consent is not permanent. It can be revoked by any reasonable means, and once revoked it must be honored promptly. A clean internal list is your memory of who told you no.

4. Litigator and serial-plaintiff lists#

Scrubbing against known TCPA litigator lists is best practice rather than a strict legal requirement, but it is one of the cheapest forms of insurance available. A handful of vendors maintain lists of known serial plaintiffs and the attorneys who file on their behalf. Because a disproportionate share of TCPA class actions originates from this small population, removing their numbers from your list dramatically cuts your tail risk.

Think of the tcpa litigator list as a tripwire scrub. You are not just avoiding a single call. You are avoiding the specific people who are most likely to turn a single technical violation into an expensive lawsuit. It does not replace DNC or RND scrubbing. It sits on top of them as a final filter.

Understanding the RND safe harbor#

The Reassigned Numbers Database is the only one of the four pillars that comes with an explicit legal shield, so it deserves a closer look.

To qualify for the safe harbor and be shielded from liability for calling a reassigned number, a caller generally must show three things:

1. It obtained consent from the intended recipient in the first place.
2. It, or its authorized agent, checked the database before calling to verify the number had not been permanently disconnected or reassigned after the consent date.
3. The database returned a “No” response that turned out to be incorrect.

In other words, the safe harbor protects you when you did everything right and the database itself was wrong. It does not protect you if you never checked. And critically, the protection is narrow: it generally applies to the first call made after the check. You cannot query once and treat that result as a permanent license to keep dialing for months.

This narrowness is why cadence matters. Because numbers reassign constantly, a result that was accurate today can be stale in weeks. Common compliance guidance is to re-scrub lists against the RND on a regular cycle, often cited as roughly every 31 days, so that long-running campaigns stay inside the protection window. The exact cadence depends on your call frequency and your counsel’s risk tolerance, but the principle is the same: a scrub is a snapshot, not a permanent pass.

Why line type makes scrubbing possible#

Every one of these scrubs depends on knowing what kind of number you are looking at. Many of the strictest TCPA rules apply specifically to wireless numbers, because autodialed and prerecorded calls to cell phones carry heightened restrictions. If your list does not distinguish mobile from landline from VoIP, you cannot apply the correct rule to each record, and you end up either over-suppressing good numbers or under-suppressing risky ones.

This is where a line type lookup becomes a compliance tool, not just a deliverability one. Before you even reach the DNC and RND stages, you want to know:

• Mobile numbers get the strictest wireless treatment and are the highest-risk records for autodialer rules.
• Landlines follow different rules and cannot receive SMS at all.
• VoIP numbers behave unpredictably and are disproportionately associated with both spam and litigation traps.
• Invalid or disconnected numbers should be dropped before they ever consume a scrub query or a dial.

If you are new to the differences, our explainer on mobile vs landline vs VoIP walks through why each type changes how you can legally and effectively reach it. Layering a line type pass on top of your suppression sources means you are applying the right rule to the right number every time.

A practical TCPA scrub workflow#

Here is a sequence that turns the four pillars into a repeatable process. Adapt the order and cadence to your program and your counsel’s advice.

Step 1: Normalize and validate the raw list#

Before any suppression source sees your data, get it into a clean, consistent shape. Normalize every number to E.164 format, strip obviously broken records, and run a validation pass to drop numbers that are not even possible in their region. There is no point spending a paid RND query on a number that has the wrong digit count. A bulk validation step also tags line type, which sets up every rule downstream. Our guide to bulk phone verification covers how to take a messy CSV and turn it into clean, segmented, tagged data.

Step 2: Scrub against federal, state, and internal DNC#

Run the validated list against the national registry, any applicable state registries, and your own internal suppression list. Remove every match unless you have a documented exemption such as express written consent or a qualifying established business relationship. Record which lists you checked and when.

Step 3: Query the Reassigned Numbers Database#

For every number where you are relying on prior consent, query the RND with the number and the consent date. Suppress anything that comes back “Yes.” Treat “No Data” cautiously, because the absence of an answer is not the same as a clean result. Keep the “No” responses and their timestamps, because those are your safe harbor evidence.

Step 4: Apply litigator and serial-plaintiff suppression#

Run the survivors against your litigator list. This is your last filter before the list goes live. Pull every known plaintiff and flagged attorney number out entirely. The handful of records you lose here are not worth the lawsuit they could trigger.

Step 5: Segment by line type and timezone#

Now that the list is suppressed, segment it for execution. Separate mobiles from landlines so your SMS and voice channels apply the right rules. Attach timezone data so your dialer never places a call outside the permitted hours of 8am to 9pm in the recipient’s local time. Calling time is its own compliance surface, and our guide on the best time to cold call by timezone shows how to schedule around it without breaking the rules.

Step 6: Log everything#

This is the step that separates a defensible program from a hopeful one.

The compliance log: your only real defense#

If a demand letter or lawsuit arrives, your defense is not a feeling that you “always scrub.” Your defense is a record. For every number, you want to be able to produce a log that shows:

• Which lists were checked (federal DNC, the relevant state DNC, internal DNC, RND, litigator list)
• The date and time of each check
• The result of each check (clean, suppressed, no data)
• The consent record the call relied on, including who consented, when, and to whom

The mantra that experienced compliance teams repeat is blunt: no log, no defense. A pile of suppressed numbers proves nothing if you cannot show what you checked them against and when. Conversely, a clean, timestamped log of “we scrubbed this number against these lists on this date and got a pass” is exactly the evidence that turns a scary letter into a manageable one.

Automate the logging so it happens as a byproduct of the scrub rather than a manual afterthought. Manual logs are the first thing to slip when a campaign is rushed, and a missing log is indistinguishable from never having scrubbed.

Building the consent record that holds up#

Suppression tells you who not to call. Consent tells you who you may call. The two halves of a defensible program are inseparable, and consent is the one teams most often get wrong, because they treat it as a one-time event rather than a living record.

A consent record that survives scrutiny captures, at minimum:

• Who consented. The identity of the consumer, tied to the specific number.
• When they consented. A precise timestamp, which is also the date you feed into the RND query.
• To whom they consented. The specific company or companies the consumer agreed to hear from. Vague “partners and affiliates” language is exactly the kind of consent that has been challenged.
• For what. The scope of consent, including whether it covered telemarketing, which carries the higher prior-express-written-consent bar.
• How they consented. The mechanism, the form, the checkbox, the call recording, and ideally a capture of the exact disclosure language the consumer saw.

The reason the consent date matters so much operationally is that it is the pivot point for reassigned-number analysis. The RND does not ask “is this number good.” It asks “has this number been disconnected since the date you obtained consent.” Without an accurate, per-number consent date, you cannot run a meaningful RND query, and you cannot claim the safe harbor. Sloppy consent dating quietly invalidates your most important scrub.

Consent also decays. It can be revoked by any reasonable means, and once revoked it must be honored. Build the plumbing so that a revocation on any channel, a reply of STOP to a text, a verbal request on a call, an unsubscribe click, an email, flows into your internal suppression list quickly and permanently. A consent record that does not account for revocation is a liability dressed up as an asset.

Channel-specific wrinkles: voice versus SMS#

Phone outreach is really two channels wearing one set of digits, and they carry different obligations. A list that is clean for voice is not automatically clean for SMS, and vice versa.

Voice. Telemarketing voice calls are bound by the calling-hours window, the DNC registry, autodialer and prerecorded-message rules, and identification requirements. The most common voice mistakes are dialing registered numbers without an exemption, calling outside permitted hours due to timezone errors, and using regulated dialing technology against numbers without the right consent.

SMS. Text messages are treated as calls under the TCPA, which surprises teams new to SMS. That means texting a number can trigger the same consent requirements as dialing it, including the higher written-consent bar for marketing texts. On top of the legal layer, SMS has a deliverability layer: texting a landline fails silently, and texting numbers that generate complaints damages your sender reputation with carriers. This is why line type is doubly important for SMS, it is both a compliance input and a deliverability input. Our sibling guide on SMS list validation for SMMA digs into the deliverability side in detail.

The operational takeaway is to scrub and segment per channel. Run the full suppression stack, then split the survivors into a voice-eligible set and an SMS-eligible set, applying the line-type filter and the channel-specific consent check to each. A number can pass for one channel and fail for the other.

State law adds another layer#

Federal TCPA rules are the floor, not the ceiling. A growing number of states have enacted their own telemarketing and “mini-TCPA” statutes, some of which are materially stricter than the federal baseline. State rules can differ on:

• Calling hours, with some states imposing narrower windows than the federal 8am to 9pm.
• Consent standards, with some requiring clearer or more specific permission.
• Registration and disclosure, with some requiring telemarketers to register with the state.
• Private rights of action, which determine how easily individuals can sue.

For a list that spans the country, this means a single federal scrub is not enough. You need to know which state each number belongs to, apply that state’s calling-hour and consent rules, and scrub against that state’s DNC registry where one exists. This is yet another reason that resolving a number’s geography, via area code and verifier data, is foundational. You cannot apply state-specific rules to a number whose state you have not determined.

Common TCPA list hygiene mistakes#

Even teams that scrub diligently make predictable errors. Watch for these.

Scrubbing once and reusing the result forever#

A scrub is a snapshot in time. Numbers move onto the DNC registry, get reassigned, and become litigator-owned constantly. A result from three months ago is not a result you can rely on today. Re-scrub on a cadence that matches your call frequency.

Treating consent as permanent#

Consent can be revoked, and a revocation must be honored promptly through any reasonable channel. Build a fast path for opt-outs to flow into your internal suppression list, and make sure that path covers every channel a consumer might use to say stop.

Ignoring “No Data” from the RND#

A “No Data” response is not a green light. It usually means the database cannot speak to your consent date, often because that date predates the records carriers were required to keep. Treat it as an unknown and apply extra caution rather than assuming it means the number is clean.

Skipping line type segmentation#

Applying wireless autodialer rules to a list you have not segmented by line type means you are guessing on every record. Tag line type first, then apply the correct rule per segment. Guessing is exactly the gap plaintiffs look for.

Relying on the lead vendor’s word#

If you buy leads, the consent records come with them, and you inherit the liability. Verify that consent records actually name your company where required, and do not assume a vendor’s “TCPA compliant” label means the data will survive your own scrub. Run it through your full process anyway.

Where verification fits in the stack#

Suppression sources like the DNC registry, the RND, and litigator lists tell you who you cannot call. A phone verifier tells you whether a number is even worth processing in the first place and what kind of number it is. The two work together. Verification sits at the front of the funnel, dropping impossible numbers and tagging line type so that your expensive suppression queries and your dialer rules are applied only to real, correctly categorized records.

Running validation before suppression saves money on a metered RND subscription, sharpens your DNC accuracy by getting line type right, and gives your compliance log a clean, structured foundation. You can paste a single number into the PhoneVerify checker to see its validity and line type, or upload a CSV to tag thousands of rows at once before they ever reach your suppression pass.

Clean the rest of the funnel#

TCPA hygiene is about phone, but most outbound programs run more than one channel. If you also email your prospects, run those addresses through MailVerify to catch dead mailboxes and disposable domains before you send, since email has its own deliverability and compliance considerations. If you are building local-business lists from scratch, the Google Maps Lead Scraper exports a clean CSV you can run straight through phone and email verification. And if you are sourcing contacts from social platforms, the Free Social Media Scraper helps you build lists you can then verify and scrub.

Agencies that run all of this at scale, validate, suppress, log, segment by line type and timezone, and sequence across channels, manage the whole motion on Inflowave, the all-in-one platform for lead generation, outreach automation, and client growth.

Quick reference: the TCPA scrub checklist#

• Validate first. Normalize to E.164, drop impossible numbers, tag line type.
• DNC scrub. Federal, state, and internal Do Not Call lists.
• RND query. Phone number plus consent date; suppress “Yes,” treat “No Data” with caution, keep “No” as safe harbor evidence.
• Litigator scrub. Remove known serial plaintiffs and flagged attorneys.
• Segment. By line type and by timezone before execution.
• Log everything. Lists checked, timestamps, results, and consent records, for every number.
• Re-scrub on cadence. Snapshots go stale; refresh on a schedule that matches your call frequency.

Frequently asked questions#

How often should I scrub against the DNC registry?#

Treat DNC scrubbing as a recurring obligation, not a one-time event. The registry changes constantly as consumers add their numbers. Many telemarketing programs re-scrub on a regular cycle aligned to how often regulations expect registry data to be refreshed, and they always re-scrub before launching a new campaign. The exact cadence should be set with counsel, but the principle is fixed: an old scrub is not a current scrub, and only a current scrub defends you.

Is the Reassigned Numbers Database mandatory?#

Using the RND is not strictly mandatory in the sense that no rule forces you to subscribe. But the safe harbor it provides is the only documented shield against liability for calling a reassigned number, and reassigned numbers are a leading source of litigation. For any program relying on prior consent against numbers that may have aged, querying the RND, or using a vendor that does it for you, is the practical standard of care. Skipping it leaves a category of risk completely unhedged.

What is the difference between the DNC list and an internal Do Not Call list?#

The National Do Not Call Registry is a government list of consumers who have asked telemarketers generally to stop calling. Your internal Do Not Call list is your own record of consumers who have specifically asked your company to stop. They are separate obligations. A consumer can be off the national registry but on your internal list because they told you, specifically, to stop. You must honor both.

Do litigator lists guarantee I will not get sued?#

No. Litigator and serial-plaintiff lists reduce your exposure to the known population of repeat filers, who drive a disproportionate share of suits, but they are not exhaustive and not a legal shield. Treat them as a cheap final filter that meaningfully lowers your odds, layered on top of, never instead of, DNC and RND scrubbing.

How does line type affect TCPA compliance?#

Many of the strictest TCPA rules apply specifically to wireless numbers, because autodialed and prerecorded calls and texts to cell phones carry heightened consent requirements. If you cannot distinguish mobile from landline from VoIP, you cannot apply the correct rule to each number, which means you are either over-suppressing good numbers or, far worse, under-suppressing risky ones. Tagging line type up front is what lets you apply the right rule per record.

What records do I need to keep, and for how long?#

At a minimum, keep a per-number log of which suppression lists you checked, the date and time of each check, the result, and the consent record the call relied on. Internal Do Not Call requests typically must be honored for years. The precise retention period depends on the rule and your jurisdiction, so confirm it with counsel, but the safe default is to retain scrub logs and consent records long enough to defend any call within the relevant statute of limitations, which means keeping them well past the campaign that produced them.

Bringing it all together#

Get this process right and TCPA compliance stops being a source of dread and becomes a routine, auditable step in your campaign pipeline. The teams that sleep well are not the ones who avoid risky lists by luck. They are the ones who can prove, number by number, exactly what they checked and when.

The discipline comes down to a simple loop. Validate the list and tag line type. Scrub against federal, state, and internal DNC. Query the RND with accurate consent dates. Filter out known litigators. Segment by line type, timezone, and channel. Log every step. Re-run on a cadence. None of these steps is hard in isolation. The failure mode is almost always skipping one of them, or doing it once and assuming the result is permanent. Automate the pipeline so that hygiene happens by default rather than by heroics, and the whole program becomes both safer and faster. That is the goal: not just fewer lawsuits, but a calling operation where compliance is the path of least resistance.