Key Takeaways:
- The FCC has proposed significant TCPA updates to simplify do-not-call rules, refine consent revocation, and strengthen caller ID authentication to combat fraud.
- These changes could reduce certain compliance burdens but create new ones—particularly for businesses that rely on opt-in marketing or outbound calling.
- Businesses should evaluate their TCPA compliance programs and technical capabilities in anticipation of potential rule changes and consider submitting comments during the rulemaking process to help shape the final regulations before their expected implementation in 2026.
On October 7, 2024, the Federal Communications Commission (“FCC” or “Commission”) released its latest Further Notice of Proposed Rulemaking (“FNPRM”). The expansive proposal, set for review at the Commission’s Open Meeting on October 28, 2025, aims to reshape and modernize crucial elements of the Telephone Consumer Protection Act (“TCPA”) by:
- Eliminating company-specific do-not-call redundancies, relying instead on the National DNC Registry.
- Revising “all-or-nothing” consent revocation rules to give consumers more precise control over stopping unwanted calls.
- Strengthening caller ID authentication with new tools that legitimize trusted telephone callers and recognized businesses by transmitting verified caller identifying information to called parties.
- Enhancing anti-fraud verification measures by requiring “gateway” and “intermediate” service providers to broadcast attestations or additional information to called parties, designed to combat spoofed, deceptive or otherwise unlawful calls.
Key Proposed Changes
- Abandoning Internal Do-Not-Call (IDNC) List Requirements.
One of the most consequential proposals is the Commission’s plan to streamline—or possibly eliminate—the long-standing requirement that businesses maintain internal do-not-call lists in addition to registering and complying with the National DNC Registry. For over two decades, businesses have been required to track and honor consumers’ opt-out requests, train staff and maintain internal no-call lists. The Commission now argues that this dual system, comprising both a national and internal do-not-call list, is redundant and burdensome, citing consumer complaints about inefficiency.
From a compliance perspective, this can be a double-edged sword. This change would eliminate internal do-not-call litigation but could create a chronological problem for businesses that rely solely on opt-ins (and may not necessarily use the National DNC Registry). These businesses may face new obligations to subscribe and maintain compliance with the National DNC Registry, introducing additional costs and new operational burdens across the industry. Conversely, consumers may face the unintended consequence of overly broad opt-outs, where a single National DNC registration could be interpreted as a universal refusal of all calls—even for businesses they want to hear from.
2. Modifying Consent Revocation Rules.
The FCC also proposes replacing the current “all-or-nothing” consent revocation rule—which treats any opt-out request as applying to all types of future calls—with a more flexible framework. Under the new approach, consumers would gain the ability to revoke consent by category or type of service, allowing for more tailored control over their communication preferences and personal needs (rejecting unwanted outreach and welcoming lawful contact). Notably, the FNPRM also proposes amendments that permit businesses to designate a specific, “less restrictive” opt-out mechanism. This change could significantly reduce existing ambiguity and litigation risk by replacing the current standard—requiring businesses to assess whether a revocation request was made using “reasonable means”—with a clearer, more predictable process on exactly how to opt out.
Overall, the FNPRM will likely require businesses to revisit their consent tracking processes and procedures to accommodate the new developments but these amendments represent a significant opportunity for businesses to streamline compliance and reduce exposure. Thus, companies should strongly consider engaging in the notice and rulemaking process by submitting comments to help shape the final framework.
For now, the Commission’s Consumer and Governmental Affairs Bureau has delayed the implementation of this rule until April 11, 2026, to give businesses time to adapt. See DA 25-312, April 7, 2025, Order (finding good cause to delay the effective date “to allow affected parties a reasonable opportunity to implement modifications to communications systems in a cost-effective manner to ensure that they can process revocation requests in accordance with this rule.”)
3. Verified Caller ID: The STIR/SHAKEN and Rich Call Data (RCD) Framework.
The FNPRM expands the existing STIR/SHAKEN framework to improve caller ID authentication and introduces RCD, which may display more verified details directly to consumers, such as a caller’s name, photo, logo, email address, location and the reason for the call. These updates aim to reduce spoofing and the rate of unlawful calls but may create new compliance burdens, especially for smaller entities adapting to these developments. These changes are particularly relevant for businesses—e.g., those utilizing call centers—that may face caller ID-related claims or need to demonstrate their technical compliance.
The FNPRM also targets foreign-originated unlawful calls by requiring gateway and intermediate providers to transmit information for offshore calls entering the U.S. network.
The FCC’s FNPRM signals another evolution in TCPA enforcement: pairing enhanced call-tracking technology for consumer protection with new compliance challenges for businesses. While the proposal may offer meaningful relief for TCPA defense, companies should actively engage with the rulemaking process during the comment period and consult counsel to assess potential impacts, prepare compliance strategies and mitigate future litigation exposure before any final order is adopted.