The short answer: yes, B2B cold calling is legal in the United States — but the answer gets complicated fast. The federal TCPA primarily targets consumer calls, but if you’re dialing mobile numbers (and most B2B teams are), you’re in TCPA territory whether the prospect is a CEO or a homeowner. Add four state mini-TCPA laws with no B2B exemption, and the compliance picture is very different from what most US sales teams assume.
This guide breaks down what’s actually legal in 2026, where the real risk lives, and how to keep prospecting effectively without writing checks to plaintiffs’ attorneys.
TCPA isn’t a regulation. It’s a class action lawsuit waiting for a process server. Compliance isn’t paperwork — it’s risk management.
Federal law: what the TCPA actually says
The Telephone Consumer Protection Act (TCPA, 1991) is the federal framework that governs telemarketing and unsolicited calls in the United States. It’s enforced by the FCC and the FTC, and it includes a private right of action — meaning recipients can sue you directly, individually or as a class.
What the TCPA restricts
| Restriction | What it means in practice |
|---|---|
| Calling hours | 8 AM - 9 PM in the recipient’s local timezone |
| Auto-dialed calls to mobile | Require prior express written consent |
| Pre-recorded / artificial voice messages | Require prior express written consent |
| Internal Do-Not-Call list | Honor opt-out requests within 10 business days, retain for 4 years |
| Identification | Must state caller name and company at the start of the call |
What the TCPA exempts
- Calls to existing customers (within 18 months of last transaction)
- Calls to non-residential business landlines (the “B2B exemption”)
- Manually dialed calls to residential landlines on the DNC
Where the B2B exemption breaks
The TCPA has a B2B exemption — but it’s narrower than most teams realize. Mobile numbers are treated as residential under the TCPA, regardless of whether the recipient uses them for business. In 2026, the majority of B2B contacts in your CRM are mobile-first. If you’re auto-dialing them with anything that even looks like an automatic telephone dialing system (ATDS), you’re in TCPA territory.
The Supreme Court’s Facebook v. Duguid (2021) narrowed the ATDS definition, but recent state laws and lower court rulings have re-expanded it state by state. Don’t rely on the 2021 ruling alone.
State mini-TCPAs: where the real risk lives in 2026
Four states have enacted their own mini-TCPA laws with stricter rules and no B2B exemption. If you’re calling into any of these, federal compliance is not enough.
Florida — FTSA (Florida Telephone Solicitation Act)
Effective July 1, 2021. The original mini-TCPA blueprint.
| Provision | Detail |
|---|---|
| Calling window | 8 AM - 8 PM in the recipient’s timezone |
| Contact frequency cap | 3 attempts per recipient per rolling 24 hours |
| Autodialer consent | Prior express written consent required for any “automated system” |
| B2B exemption | None — applies equally to B2B |
| Damages | $500 per violation, $1,500 for willful, plus attorney fees |
| Private right of action | Yes |
Oklahoma — OTSA (Oklahoma Telephone Solicitation Act)
Effective November 1, 2022. Modeled directly on Florida’s FTSA.
| Provision | Detail |
|---|---|
| Calling window | 8 AM - 8 PM local |
| Contact frequency cap | 3 attempts per 24 hours, regardless of phone number used |
| Autodialer consent | Required — broad autodialer definition (almost any electronic dialing tool qualifies) |
| B2B exemption | None |
| Existing business relationship exemption | Yes — calls to past customers exempt |
Washington — CEMA (Commercial Electronic Mail Act + telephone provisions)
Strict consent rules and broad enforcement authority for the AG’s office.
| Provision | Detail |
|---|---|
| Calling window | 8 AM - 9 PM local |
| Penalty | Up to $25,000 per violation under the Consumer Protection Act |
| B2B exemption | None |
Maryland — Telephone Solicitations Act
Strict consent and disclosure requirements with state AG enforcement.
| Provision | Detail |
|---|---|
| Calling window | 8 AM - 9 PM local |
| Penalty | Civil penalties up to $25,000 per violation |
| B2B exemption | None |
The state-by-state cost of getting it wrong
| State | Per-call penalty | Private right of action |
|---|---|---|
| Florida | $500 / $1,500 | Yes |
| Oklahoma | $500 / $1,500 | Yes |
| Washington | Up to $25,000 | State AG only |
| Maryland | Up to $25,000 | State AG only |
| Connecticut | Up to $20,000 | State AG only |
| New York | Up to $20,000 | State AG only |
The DNC Registry and your obligations
The federal Do Not Call Registry (managed by the FTC) is the consumer-facing opt-out list. Two things to know:
Federal DNC
- Applies primarily to residential numbers
- B2B calls to business landlines are generally exempt
- But: every mobile number on your list is treated as residential, whether the prospect uses it for business or not
Internal DNC list (mandatory for everyone)
Every business making telemarketing calls — B2B included — is required to maintain an internal DNC list. The rules:
- Honor any opt-out request within 10 business days
- Retain opt-outs for at least 4 years (5 years in some states)
- Apply opt-outs across all your campaigns, not just the one the prospect was on
This is the easiest TCPA violation to commit accidentally and the easiest one to litigate. Build the suppression list into your CRM workflow, not into a spreadsheet someone forgets about.
Call recording laws by state
Recording calls in the US is governed by state law, not federal. Two regimes:
One-party consent states (39 states + federal default)
The rep recording the call is one of the parties — the call can be recorded without disclosure.
Two-party / all-party consent states (11 states)
All parties on the call must consent before recording. These states are:
- California
- Florida
- Illinois
- Maryland
- Massachusetts
- Michigan
- Montana
- Nevada
- New Hampshire
- Pennsylvania
- Washington
Practical rule: if any of your reps record any call from any of those states, always disclose at the start of the call. “Hi, this call may be recorded for quality and training purposes” is the standard one-liner that keeps you safe nationwide.
The 7 compliance practices every US SDR team needs
Calculate calling windows by recipient timezone, not yours
The TCPA window is 8 AM - 9 PM in the recipient’s time zone. Florida is 8 AM - 8 PM. Configure your dialer to enforce this automatically — never let a rep dial across a state line at 8:30 PM Pacific without realizing the prospect is in Florida.
Scrub your list against the federal DNC + state DNC where applicable
Use a compliant data provider or a DNC scrubbing service before every campaign. Don’t rely on your CRM’s contact source field — verify against the live DNC.
Maintain an internal DNC list across all campaigns
The moment a prospect says “take me off your list,” that contact moves to a permanent suppression list shared by every campaign in your org. No exceptions, no ‘6 months from now’ callbacks.
Cap attempts at 3 per 24 hours when calling FL or OK numbers
Florida and Oklahoma both cap at 3 attempts per recipient per rolling 24-hour window. Configure your dialer to enforce per-state attempt limits, or carve those states out of high-frequency cadences entirely.
Disclose call recording on every call from any state
The simplest and safest rule: open every recorded call with “this call may be recorded for quality and training purposes.” That single line covers you in all 50 states without any state-by-state logic.
Train every SDR on TCPA basics during onboarding
Most violations come from reps who didn’t know the rules. A 30-minute compliance training during onboarding pays for itself the first time it prevents a class action.
Document everything — call dates, durations, opt-outs, consent
In a TCPA suit, the burden is on you to prove compliance. Every call logged with timestamp, every opt-out logged with date, every prior consent documented in the contact record. Future-you will thank present-you.
What’s coming in 2026 and beyond
Three regulatory shifts to watch for the rest of 2026:
McLaughlin v. McKesson (June 2025)
The Supreme Court ruled that district courts don’t have to defer to FCC interpretations of the TCPA. Practical impact: the same dialer or workflow can be legal in one circuit and a violation in another. National outbound teams need to start tracking circuit-level case law, not just FCC guidance.
One-to-One Consent Rule (vacated, but the spirit lives)
The FCC’s 2024 One-to-One Consent Rule was vacated by the 11th Circuit in early 2025, but the trend it represented — requiring per-seller consent rather than blanket lead-buying — is being adopted by state legislatures. Expect more mini-TCPAs in 2026.
AI bot calls
The FCC has clarified that calls made with AI-generated voices are subject to TCPA, including the consent requirements. If you’re piloting AI SDR voice tools, run the compliance review first.
How Skipcall keeps your outbound compliant
Skipcall isn’t a workaround for TCPA — it’s built around it. Compliance features that ship in the platform:
- Timezone-aware calling windows: configure 8 AM - 9 PM (or 8 PM for Florida) and Skipcall blocks any dial that would land outside the recipient’s local window
- Per-contact attempt tracking: hard caps on the 3-per-24-hour Florida and Oklahoma rules, enforced automatically
- Internal DNC suppression: opt-outs are applied across every campaign, every list, every rep, every time
- Call audit logs: timestamped records of every dial, duration, and outcome — exportable for any subpoena or audit request
- Recording disclosure controls: insert standard disclosures into your call openers automatically
Compliance isn’t a tax on growth. It’s the difference between a sales motion that scales and one that gets sued out of business.
This article is general information, not legal advice. TCPA compliance depends on your specific use case, your dialer configuration, and the jurisdictions you call into. When the stakes are real, consult a TCPA-specialized attorney.