B2B Insights

Cold Calling Laws in 2026: The Complete Compliance Guide for B2B Sales Teams

Lauren Daniels

July 14, 2026

TCPA class action filings rose roughly 97% year-over-year through Q3 2025. That is the environment outbound teams are operating in now. 

Cold calling is not illegal. What is illegal is calling the wrong numbers, ignoring opt-outs, using the wrong technology, or missing state-specific registration requirements that most national outbound programmes have never heard of. The distinction matters because the legal risk in 2026 is not coming primarily from federal regulators. Federal rules are generally softening. The risk is coming from state mini-TCPAs expanding in the opposite direction, and from a plaintiffs' bar that has become very efficient at turning non-compliance into class action filings.

Is Cold Calling Still Legal in 2026?

Cold calling is legal across the US, Canada, the UK, and the EU. What changed is not the legality of the activity. What changed is how quickly and aggressively non-compliance gets acted on. 

The FTC's National Do Not Call Registry now holds over 249 million active numbers. Violations carry fines up to $51,744 per call, indexed annually for inflation. TCPA statutory damages run $500 per call for unintentional violations and $1,500 per call for willful or knowing ones. A 200-call campaign against a dirty list can theoretically generate six figures in liability before a single complaint reaches a courtroom. 

Roughly 68 to 78% of all TCPA filings are class actions. This is not individual consumers filing grievances. It is organised plaintiff firms working at scale, identifying patterns of non-compliance and filing on behalf of large groups simultaneously. 

The B2B distinction matters but is narrower than most teams assume. The federal Telephone Sales Rule generally exempts B2B calls to verified business landlines from DNC requirements. Personal cell phones used for business receive no such exemption. The TCPA treats every wireless number as residential regardless of how the device is actually used. If your prospect takes calls on a personal mobile, federal consumer protections apply to that number regardless of what their job title says. 

 

Key Definitions Every Outbound Team Should Know 

Cold call: A first-touch outbound phone call to a prospect who has not engaged with your company or provided consent to be contacted. Treated as a telephone solicitation under the TCPA. 

Robocall: A call placed using an automatic telephone dialing system or one that delivers a prerecorded or artificial voice message. The FCC's February 2024 ruling confirmed that AI-generated voices fall under the artificial voice definition, meaning they are treated as robocalls under the TCPA. 

ATDS (Automatic Telephone Dialing System): Equipment that uses a random or sequential number generator to store or dial numbers. After the Supreme Court's Facebook v. Duguid decision in 2021, the federal definition narrowed significantly. Most modern power dialers that call from preloaded lists no longer qualify federally. State definitions are broader, which is where exposure creeps back in. 

Prior Express Written Consent (PEWC): A signed agreement, digital or physical, from the prospect that clearly discloses they are agreeing to receive marketing calls or texts, identifies the specific company, and includes the number being used. Pre-checked boxes do not qualify. 

National Do Not Call Registry (NDNCR): The FTC-maintained database of over 249 million active opt-out numbers. Telemarketers must scrub against it at least every 31 days. Business landlines are generally exempt. Personal cell phones used for business are not. 

 

What Changed Between 2024 and 2026 

The regulatory picture shifted substantially across both 2024 and 2025, with federal rules moving in one direction and state rules moving sharply in the other. 

The FCC's February 2024 AI ruling classified AI-generated voices as artificial or prerecorded voice under the TCPA. Any outbound call where AI speaks now requires prior express written consent. State attorneys general have begun enforcement actions under this ruling. 

The Eleventh Circuit struck down the one-to-one consent rule in January 2025. The FCC rule that would have required consent to be obtained on a strict one-seller-at-a-time basis was vacated. Bundled or marketing-partner consent is permitted again at the federal level. The FCC formally repealed the rule and will not appeal. 

The FCC delayed the revoke-all opt-out rule in January 2026, pushing it back to January 31, 2027, pending a broader review of whether to modify or remove the rule altogether. Combined with the October 2025 rulemaking that opened an evaluation of whether multiple TCPA and DNC rules should be modified or eliminated, the federal trajectory is clearly toward fewer restrictions. 

State mini-TCPAs are moving in exactly the opposite direction. Texas, Oregon, Virginia, Maine, and Washington all expanded or enacted telemarketing laws between 2024 and 2026, most including private rights of action. The TSR's misrepresentation rules now cover B2B calls as well. DNC provisions still do not apply to B2B, but false or misleading statements on any call, B2B or B2C, are now prohibited under federal rules. 

 

AI Cold Calling: Where the Legal Lines Actually Are 

The FCC's February 2024 ruling is unambiguous: AI-generated or prerecorded voices on outbound calls trigger TCPA consent requirements. Calling a cell phone or residential line with an AI voice without prior express written consent is a violation. Statutory damages run $500 per call for unintentional violations and $1,500 per call for willful ones. Most courts treat AI voice calls without consent as willful. The technology is too deliberate to claim ignorance. 

AI as a copilot for a live human SDR is fully compliant. AI that generates context briefs, surfaces intent signals, suggests talk tracks, transcribes calls, or flags objections in real time carries no TCPA risk. The human speaks on the call. That distinction is the operative one. 

The autodialer question has a similar split. After Facebook v. Duguid in 2021, most modern power dialers pulling from preloaded lists do not qualify as an ATDS under federal law. But Florida, Oklahoma, Texas, and other states define autodialers far more broadly. A dialer that is compliant federally can still violate state law, and the state exposure is where the active litigation risk sits. 

The vendor economics do not account for the liability. AI voice agents that promise thousands of calls a day at a fraction of human cost look attractive in a demo. The exposure on a 10,000-call campaign without consent can exceed $15 million. That is how class-action settlements actually get calculated. 

Buyer perception matters independently of legality. Even where documented consent exists, prospects frequently experience unsolicited AI voices as scam-adjacent. Buyer trust is moving against unannounced AI calling regardless of what the law technically permits. 

 

AI Compliance Status Table
AI Use Case Compliance Status
AI speaking on the call (outbound) Requires PEWC. Without it, TCPA violation.
AI-powered autodialing to cell phones Requires PEWC at minimum; exposure broader in FL, OK, TX
AI as live-call assistant for human SDR Fully compliant in all jurisdictions
AI for post-call analysis, context brief, sequencing Fully compliant

Legal Calling Hours: What Federal Law Says and Where States Override It 

The federal US rule permits telemarketing calls between 8 AM and 9 PM in the recipient's local time zone. B2B calls to verified business landlines are generally exempt federally, but personal cell phones used for business follow consumer rules regardless of the recipient's role or industry. 

At least 15 states impose stricter windows than federal law. Most outbound teams get the federal window right and miss the state-level restrictions entirely. The table below covers the states with the most significant deviations. 

State Calling Window Additional Rules Effective Date Oregon 8 AM - 8 PM 3-call cap per 24 hrs (calls and texts combined) Jan 1, 2026 Texas 9 AM - 9 PM Mon-Sat, Noon - 9 PM Sun $10,000 surety bond required Sept 1, 2025 Florida 8 AM - 8 PM 3-call cap per 24 hrs, broad autodialer definition Active Maine 9 AM - 9 PM weekdays, 9 AM - 5 PM Sat, no Sunday RND scrub required Active Connecticut 9 AM - 8 PM PEWC required for any telephonic sales call Active Virginia 8 AM - 9 PM 10-year text opt-out retention July 1, 2026 Rhode Island 8 AM - 6 PM weekdays Standard hours apply Active

The practical safe window for national outbound campaigns is 11 AM to 8 PM Eastern, Monday through Friday. This respects the strictest state-by-state rules across the continental US, avoids weekend prohibitions in states that have them, and provides a defensible posture if a complaint arrives. 

Outside the US: Canada's CRTC rules permit telemarketing 9 AM to 9:30 PM Monday through Friday, 10 AM to 6 PM Saturday and Sunday in the recipient's local time. The UK's PECR recommends 8 AM to 9 PM weekdays, and businesses registered on the Corporate Telephone Preference Service cannot be called for marketing. Most EU member states align around 8 AM to 8 or 9 PM, with country-specific additions: Germany requires documented presumed consent for B2B calls; France prohibits calls before 10 AM, after 8 PM, on weekends, or on public holidays. Australia permits calls 9 AM to 8 PM weekdays and 9 AM to 5 PM Saturdays, with no Sunday or public holiday contact. 

 

The State Mini-TCPA Wave: What Changed and What Teams Keep Missing 

While federal rules soften, state legislatures are filling the gap with mini-TCPAs: laws modelled on the TCPA but with broader autodialer definitions, narrower calling windows, additional registration requirements, and their own private rights of action. The practical rule for multi-state campaigns is that each state's rules apply the moment a call reaches a recipient in that state. Running a single federal playbook across a multi-state list is how teams generate exposure they were not expecting. 

Texas SB140, effective September 1, 2025, extends telemarketing rules to text messages, narrows the calling window to 9 AM to 9 PM Monday through Saturday and noon to 9 PM Sunday, and requires a $10,000 surety bond for telemarketers reaching Texas residents. Private right of action with up to $5,000 per violation. The bond requirement alone has caused some national outbound vendors to stop Texas-targeted campaigns entirely. 

Oregon HB 3865, effective January 1, 2026, tightens the calling window to 8 AM to 8 PM and imposes a hard cap of three solicitations per 24-hour period, with calls and texts counted together. Violations are treated as unlawful trade practices; consumers can recover actual damages or $200 per violation, whichever is greater, plus punitive damages. 

Virginia HB 2367 and SB 1148, effective July 1, 2026, require companies to honour text opt-out requests for 10 years, the longest retention period in the country, and add tighter caller identification requirements. 

Florida's FTSA remains among the most plaintiff-friendly telemarketing statutes in the country. The 8 AM to 8 PM window, three-call daily cap, and autodialer definition far broader than the federal Duguid standard have produced sustained litigation through 2024 and 2026. 

Maine's Reassigned Numbers Database mandate, effective July 2024, requires telemarketers reaching Maine residents to scrub against the FCC's Reassigned Numbers Database, effectively making RND scrubbing a practical requirement for national outbound rather than just a good practice. 

Connecticut's $20,000 per violation penalty is among the highest state-level figures in the country. Georgia has no cap on damages. Oklahoma's OTSA and Georgia SB 73 each carry their own exposure that multi-state programmes need to map before launching. 

 

DNC Lists, Consent, and Who You Can Actually Call 

The National DNC Registry covers over 249 million active numbers. Calling a registered number without an applicable exemption risks FTC penalties up to $51,744 per call, plus private TCPA claims of $500 to $1,500 per call. Every list must be scrubbed against it at minimum every 31 days. 

The B2B exemption has meaningful limits. The federal TSR exempts B2B calls to verified business landlines from the National DNC Registry. This exemption does not cover personal cell phones used for business, does not override individual opt-out requests, and does not apply in states that maintain separate DNC lists covering business numbers, including Pennsylvania, Mississippi, and Colorado, among others. 

Internal DNC management is where many programmes develop gaps. Any opt-out request from any contact must be processed within 31 days and retained for at least five years under federal rules. Best practice is permanent, universal suppression across all channels and all campaigns. Oregon caps total solicitations at three per 24 hours across calls and texts combined. Virginia requires text opt-out retention for 10 years. Florida and Texas treat contact after an opt-out as a per-call violation. 

The Eleventh Circuit's January 2025 ruling vacating the one-to-one consent rule permits bundled or marketing-partner consent again at the federal level. State laws do not follow this carve-out. Document specific, single-seller consent wherever possible to maintain a defensible position at the state level. 

Reassigned numbers represent a quiet but significant risk. A number that originally belonged to a consenting prospect may have been reassigned to someone who never agreed to be contacted. The TCPA does not account for good-faith ignorance of a reassignment. Scrubbing against the FCC's Reassigned Numbers Database provides a federal safe harbor: if a team scrubs against the RND and calls the number in good faith, they are protected even if a reassignment occurred. Maine's mandate made RND scrubbing a practical requirement. Teams running national outbound should treat it as standard procedure regardless of which states they are targeting. For more on building clean list infrastructure, Whistle's guide to outbound lead generation covers data hygiene as a core pillar of sustainable pipeline generation. 

Canada requires scrubbing against the CRTC's National Do Not Call List. Internal opt-outs must be honoured within 14 days and retained for three years. CASL governs accompanying email outreach and generally requires opt-in consent. The UK's Telephone Preference Service and Corporate Telephone Preference Service must both be screened before cold calling. EU member states each maintain their own opt-out registries. B2B outbound across the EU typically requires a documented Legitimate Interest Assessment as the lawful basis under GDPR. 

 

What Compliant Cold Calling Looks Like in 2026 

1. Build compliance into the platform 

Training reps is necessary but not sufficient. The systems around them need to prevent violations technically, not just discourage them. Dialer rules should automatically block calls outside permitted hours in the recipient's state. List-load processes should auto-scrub before a single call goes out. Opt-out entries should propagate across CRM, dialer, and every outreach channel in real time. 

2. Use technology that does the compliance work automatically 

State-by-state aware call blocking rather than federal defaults. Automatic suppression of federal DNC, state DNC, internal DNC, and RND hits. Cell phone identification with routing to manual-dial workflows where required. Daily contact caps per recipient matching the strictest applicable rule — Oregon and Florida both allow three contacts per 24 hours across calls and texts combined. 

3. Open every call with identity, company, and purpose within the first 10 seconds 

The TSR requires it. The TCPA requires it. State mini-TCPAs require it. And plaintiff attorneys review call recordings specifically for it. The courtesy call framing is legally dangerous. The TSR explicitly prohibits misrepresenting the purpose of a call. If the call is a sales call, it needs to be introduced as one. 

4. Coordinate channels rather than running them independently 

A prospect who receives six calls, four emails, and three LinkedIn messages in one week experiences that as harassment regardless of whether each touch was technically compliant. State laws capping daily contacts, including Oregon and Florida, are expanding to include texts in the count. Federal regulators have signalled the same direction. Coordinated multi-channel sequences spread across a longer window convert better than concentrated single-channel pressure and carry less compliance risk. 

5. Document everything 

Consent records: what was agreed to, by whom, on what date, through what channel, and for which company. Opt-out logs: when the request came in, when it was processed, and confirmation of propagation across all channels. Call records: date, time, recipient state, agent, dial mode, outcome, and duration. List provenance: where the data came from and when it was last scrubbed. 

6. Adjust the approach by region 

North America: Direct, hypothesis-led calls. Manual dial first-touch for any cell or mixed-use number. Europe: Longer nurture cycles, more formal tone, documented legitimate interest, disclosure of call recording at the start of each conversation. LATAM: Relationship-building openers. Direct transactional cold calls underperform in most markets. APAC: Highly relationship-driven. Brief, polite calls focused on securing a meeting rather than qualifying during the call itself. 

7. Review the playbook quarterly 

The 2025 to 2026 cycle demonstrated exactly why annual compliance reviews are insufficient. Texas SB140 and Oregon HB 3865 both took effect within months of passing. Virginia amendments hit in mid-2026. The FCC's sweeping rulemaking opened in October 2025. Federal regulatory monitoring should happen weekly. State-level monitoring should be monthly across all 50 states. EU and Canada monitoring quarterly, with annual Legitimate Interest Assessment reviews. 

8. Treat outbound as a long-term programme 

The operating model that generates class-action exposure is short-term: a hard six-week push with uncleaned lists, untested scripts, and no documentation discipline. Compliant outbound programmes compound over time. The compliance infrastructure is what makes sustained performance possible. 

 

Your Roadmap to 2026 Compliance 

Register with the National DNC Registry and scrub call lists at least every 31 days. Layer in state DNC scrubs for every state with its own registry, including Pennsylvania, Indiana, Colorado, Mississippi, Texas, and Florida. Run an internal DNC scrub on every list load, universal, indefinite, and propagated across all channels. 

Scrub against the FCC's Reassigned Numbers Database for the federal safe harbor. Identify cell phones separately and route them to manual-dial workflows for first-touch outbound. Document consent type, Prior Express Consent versus Prior Express Written Consent, for every contact before dialing. 

Restrict calling hours to 8 AM to 9 PM local time federally and apply stricter state rules automatically at the dialer level. Honour opt-out requests within 10 business days by any method the prospect uses: call, email, text, or verbal. Retain all call records, consent documentation, and opt-out logs for a minimum of five years. 

Identify state-specific registration requirements before launching campaigns into any new state. The Texas surety bond and state telemarketer registration filings are examples that catch national programmes off guard. Suppress AI voice and prerecorded messaging for any number without documented prior express written consent. Review and update the compliance playbook quarterly. 

 

Running Outbound at Scale 

The compliance layer described in this guide is not optional, but it is manageable when built into the operating model from the start. Teams that treat it as an afterthought pay for it, either in legal exposure or in the operational cost of retrofitting systems that were not designed with compliance in mind. 

The teams generating consistent, sustainable pipeline through cold calling in 2026 are running state-aware dialer rules, clean data, coordinated multi-channel sequences, and documented audit trails. None of that is extraordinary. It is infrastructure, and like most infrastructure, it is far cheaper to build correctly the first time than to repair after something goes wrong. 

Running all of this across multiple states, time zones, and jurisdictions is a meaningful operational commitment. It requires dialer-level enforcement, state-by-state rule mapping, data hygiene processes, channel coordination, and someone accountable for monitoring regulatory changes on a regular cadence. For teams building that infrastructure in-house, this guide is the starting point. For sales leaders trying to decide where to invest time and resources, Whistle manages this full-stack across outbound programmes for B2B teams. If you want to understand what compliant, scalable cold calling looks like in practice, it starts with a conversation. 

Explore more from our blog

Unlock the B2B sales playbooks, outreach strategies, and closing techniques we’ve refined across more than 1,000 successful campaigns.
View More

Not Sure Which Service Is Right for You?

Let’s figure it out together. Book a quick call and we’ll walk you through the best-fit options based on your goals, team structure, and current setup.
Latest posts

Demo content

Interviews, tips, guides, industry best practices, and news.
Office setting
Design
8 min read

UX review presentations

How do you create compelling presentations that wow your colleagues and impress your managers?
Read post
Man working at desk
Product
8 min read

Migrating to Linear 101

Linear helps streamline software projects, sprints, tasks, and bug tracking. Here’s how to get started.
Read post
Man pinning images on wall

Building your API Stack

The rise of RESTful APIs has been met by a rise in tools for creating, testing, and managing them.
Read post