Do Not Call scrubbing stopped being a compliance checkbox the moment serial litigators built repeatable lawsuit factories around the 31-day rule.
DNC scrubbing is now litigation insurance, not box-checking
The National Do Not Call Registry held 258 million active phone number registrations as of September 30, 2025 – roughly 76% of the US population. The FTC received 2.6 million Do Not Call complaints during fiscal year 2025 alone. Since the Registry’s 2003 launch, the agency has filed 173 enforcement actions against 570 companies and 449 individuals, collecting nearly $400 million in penalties. None of those numbers describe a settled regulatory regime. They describe an enforcement surface that is still expanding twenty-three years in.
The economics for plaintiff firms shifted decisively between 2023 and 2026. Analysis of TCPA filings shows that 31% to 41% of all TCPA lawsuits in 2024 were brought by individuals who had previously filed TCPA suits – the professional-plaintiff cohort that operators in the lead generation business call TCPA litigation farmers. One frequently cited operator, Craig Cunningham, has filed more than 150 TCPA actions over a decade. A typical nuisance settlement runs $2,500 to $15,000 per claim. A litigator filing twenty cases a year at an average $7,500 generates $150,000 in pre-tax income – and the inputs to that business model are unscrubbed phone numbers and undocumented consent.
The penalty surface tightened in parallel. The Telemarketing Sales Rule’s maximum civil penalty rose from $50,120 in 2023 to $51,744 in 2024 and $53,088 in 2025 under the annual inflation-adjustment regime at 16 CFR 1.98. Each illegal call counts as a separate violation. A modestly sized outbound campaign that violates the DNC rules across 1,000 calls produces theoretical TSR exposure approaching $53 million before any private TCPA claim attaches.
This article treats DNC scrubbing the way operators should: as a multi-list, multi-vendor, multi-frequency operating system that prevents both regulatory action and private litigation. The federal registry is the floor. Eleven state lists, the Reassigned Numbers Database, internal opt-outs, and litigator-list overlays add the rest of the structure.
The four DNC lists every operator must scrub against
Operators who treat the National Registry as the entire scrubbing universe ship leads into avoidable litigation. The actual stack contains four distinct lists, each with its own mechanics, frequency requirements, and failure modes.
| List | Administrator | Coverage | Scrub Frequency | Cost Driver |
|---|---|---|---|---|
| National Do Not Call Registry | FTC / FCC | 258M numbers nationwide | Every 31 days minimum | $82/area code/year, $22,626 cap |
| State Do Not Call lists | 11 state agencies | State-specific residents and businesses | Per state rule (typically 30 days) | $25–$500 per state per cycle |
| Reassigned Numbers Database | FCC (Somos administrator) | All US numbers ever assigned | Pre-call for any consent older than 30 days | $0.0025–$0.05 per query |
| Internal company DNC list | Each seller | All consumers who opted out from that seller | Real-time on every campaign | Internal infrastructure cost |
Each list answers a different compliance question. The National Registry answers whether the consumer has opted out of telemarketing in general. State lists capture residents who registered before federal coverage existed or who hold state-specific protections beyond the federal rule. The RND answers whether the number still belongs to the person who gave consent. The internal list answers whether this specific consumer ever told this specific seller to stop.
A scrub against any one list catches roughly 60% to 75% of the violations the others would catch – but the missing 25% to 40% is where litigation farms operate. Treating any single list as a substitute for the rest is the most common operator error and the most expensive one to defend.
Federal DNC mechanics: the 31-day rule, exemptions, and access fees
The National Do Not Call Registry was created by the FTC’s Telemarketing Sales Rule at 16 CFR Part 310 in 2003 and is enforced jointly with the FCC under 47 CFR 64.1200(c). Every seller initiating outbound telemarketing calls to residential or wireless numbers must scrub against the registry at least every 31 days under both rules. The 31-day window is not a target – it is the maximum allowable staleness before the next scrub becomes mandatory.
The registry adds approximately 4.8 million new numbers per fiscal year, according to the FTC’s 2026 Data Book. For an operator running a 100,000-number weekly outbound campaign, a list scrubbed thirty days ago will contain roughly 800 to 1,200 numbers that became DNC-protected since the last scrub – enough exposure to fund a class action even at minimum statutory damages.
Access mechanics and 2026 fees
The FTC charges per-area-code access fees that scaled in fiscal year 2026 to $82 per area code annually, with the first five area codes free. Half-year access runs $41 per area code. The maximum any single entity pays for full national coverage is $22,626. These fees are paid directly to the FTC at telemarketing.donotcall.gov and do not cover scrubbing technology, state lists, RND queries, or vendor services. Charitable organizations and political committees that qualify under the TSR’s nonprofit and political-speech exemptions can download the entire registry at no cost.
Established business relationship and consent exemptions
The TSR recognizes two narrow exemptions to DNC obligations. The established business relationship (EBR) exemption permits calls to consumers who purchased, leased, or rented from the seller within the prior 18 months, or who made an inquiry within the prior three months. The exemption is brittle: it expires automatically, requires the seller to track triggering transactions in a way that survives audit, and is voided the moment the consumer asks to be added to the seller’s internal list. The prior express written consent (PEWC) exemption – covered in detail in the PEWC guide – overrides DNC protections only when the consent meets the FCC’s 2024 specificity rules and the operator can produce the consent record on demand.
Both exemptions create scrubbing complexity rather than relieving it. An operator who relies on EBR or PEWC to call DNC-listed numbers must still scrub the list, then layer EBR and consent records on top to whitelist the calls that qualify. Most operators end up running two parallel scrubs – one for unconsented numbers (DNC-bound) and one for consented numbers (RND-bound but DNC-exempt). This is the structural reason scrubbing software is rarely a single-list product.
State DNC overlay: eleven registries and the carve-outs that catch operators
Eleven states maintain separate Do Not Call lists that telemarketers must scrub against in addition to the National Registry: Colorado, Florida, Indiana, Louisiana, Massachusetts, Missouri, Oklahoma, Pennsylvania, Tennessee, Texas, and Wyoming. Mississippi previously belonged to this group but discontinued its separate state list effective July 1, 2023, transferring oversight to the Attorney General’s office and adopting the federal National Registry as the operative list for Mississippi residents (numbers on the prior Public Service Commission list as of that date remain protected under state law for grandfathered enforcement). Each remaining state operates its own registration regime, charges its own fees, sets its own scrub-frequency rule, and imposes its own private right of action. The compliance overhead is not the cost of the lists – it is the cost of tracking eleven separate update cycles and eleven separate carve-outs.
The state-level patchwork
Florida’s state DNC list requires consumers to renew their registration every five years, even though their National Registry placement is permanent. Operators relying on a federal-only scrub miss Florida residents who let their state registration lapse and re-registered, but never re-registered federally. Pennsylvania administers its DNC list under the Telemarketer Registration Act through the Office of Attorney General, which actively investigates complaints. Texas operates two state lists: a general residential and mobile list, and a separate list specific to retail electric provider solicitations.
Indiana’s regime is the strictest in practice – the state’s Telephone Privacy Act has been used to bring private actions against out-of-state telemarketers and class certification has been granted in cases that would have settled on a nuisance basis under federal law alone. Missouri’s No-Call list applies to in-state residents and is enforced by the Attorney General with civil penalties up to $5,000 per violation. Tennessee’s Do Not Call Sales Solicitation Register requires both registration and a separate solicitor permit. Wyoming maintains its list through the Public Service Commission with annual renewal requirements that telemarketers frequently miss.
The Texas SB 140 expansion
Texas SB 140 took effect September 1, 2025, and reshaped the state’s telemarketing regime more aggressively than any other 2025 state action. The bill expanded the definition of “telephone solicitation” under Chapter 302 of the Business and Commerce Code to include “transmission of a text or graphic message or of an image” intended to induce a purchase. Marketing SMS to Texas residents now triggers the same registration, recordkeeping, and bonding obligations as voice telemarketing – including a $200 registration fee filed with the Secretary of State and a $10,000 security bond. The Texas Attorney General clarified in a November 2025 guidance letter that opt-in SMS sent only to consumers with documented prior express written consent is exempt from the registration and bond requirements, but the underlying expansion of “solicitation” to cover texts remains in force for unconsented messaging. This intersects directly with the Illinois SMS DNC ruling handed down in Rabbit v. Rohrman on March 30, 2026, which held that SMS messages are calls under the federal TCPA’s DNC subsection.
The combined effect of Texas SB 140 and the Illinois ruling is that operators running outbound SMS in 2026 must treat texts the same way they treat voice calls for DNC purposes – scrubbing against federal, state, and internal lists with the same frequency. A useful adjacent reference for state-by-state outbound timing is the telemarketing calling hours guide, which documents the windows during which scrubbed-and-consented contacts can lawfully be placed. The Illinois SMS ruling – Rabbit v. Rohrman – was issued on March 27, 2026 and remains the controlling Northern District of Illinois precedent on the SMS-as-call question.
The Reassigned Numbers Database: what it is and when to use it
The Reassigned Numbers Database (RND) launched on November 1, 2021 and is administered by Somos under FCC contract. It is a paid-subscription lookup service that answers a single question: was this phone number permanently disconnected after a specified date? The date provided in the query is the date the operator obtained consent from the original subscriber. A “Yes” response means the number has been disconnected since that date and is therefore likely reassigned. A “No” response means the number has not been disconnected and the original consent likely remains valid. A “No Data” response means the database has no record covering the queried date.
Pricing and access
The FCC reduced RND query pricing by 20% effective April 28, 2025, and added two new subscription tiers. Subscriptions run from Extra Small through Jumbo across one-month, three-month, and six-month commitments. Effective per-query cost ranges from approximately $0.0025 at Jumbo-tier monthly volumes down to $0.05 for low-volume Extra Small subscriptions. Pricing is published at reassigned.us. Operators integrating RND through middleware vendors typically pay a small markup over the FCC rate, with most enterprise scrubbing platforms now bundling RND queries into their per-lookup fee.
The safe harbor mechanics
RND query existence creates a TCPA safe harbor at 47 CFR 64.1200(l). To claim the safe harbor, a caller must prove three elements: it obtained valid consent from the intended call recipient; it queried the RND prior to calling and the query covered the consent date; and the database returned a “No” that turned out to be incorrect. The safe harbor does not protect callers who skipped the query, who queried after the call, or who received “No Data” and called anyway. Operators that buy leads from third-party vendors should require RND-query attestation as a contractual condition of purchase – a practice that has become standard among insurance and home-services buyers in 2025–2026.
When to query
The RND does not need to be queried before every call. The query is meaningful only when the original consent date predates the most recent disconnection event for that number. Most operators query the RND in two scenarios: at lead intake (to flag stale consents before pushing leads into dialers) and at dial time (to catch reassignments that occurred between intake and outreach). For consents obtained within the prior 30 to 60 days, the marginal value of an RND query is low – the database simply will not have new disconnect data. For consents older than 90 days, especially in verticals with long sales cycles like solar or mortgage, the RND becomes essential because reassignment risk compounds over time.
Vendor comparison: PossibleNOW, Gryphon.ai, Contact Center Compliance, and DNC.com
Four vendors dominate the DNC scrubbing market for serious outbound operators. Each takes a different architectural approach and serves a different operator profile.
| Vendor | Core Product | Federal | State | RND | Internal | Litigator List | Integrations | Pricing Model |
|---|---|---|---|---|---|---|---|---|
| PossibleNOW | DNCSolution 3.0 | Yes | Yes (12 states) | Yes | Yes | Yes | Salesforce, Five9, custom API | $200–$450+/month tiered |
| Gryphon.ai | Compliance Cloud | Yes | Yes | Yes | Yes | Yes | Real-time call-blocking middleware | Enterprise quote-based |
| Contact Center Compliance (DNC.com) | DNCScrub + LitigatorScrub | Yes | Yes | Yes | Yes | Yes | Salesforce, Five9, Genesys, ActiveProspect, VICIDial, Mitel | Per-record + subscription |
| Convoso | Built-in scrubber | Yes | Yes | Yes | Yes | Limited | Native to Convoso dialer only | Bundled with dialer |
PossibleNOW DNCSolution
PossibleNOW operates DNCSolution 3.0 with monthly pricing starting at $200 and scaling to $450 and beyond based on volume and feature mix. The product covers federal, state, RND, and internal lists with native Salesforce integration through a packaged Salesforce app. PossibleNOW’s strength is enterprise compliance documentation – the company publishes attestation reports that operators can show to insurers and counsel during audit. The weakness is the absence of a native dialer; PossibleNOW is a scrubbing layer that sits in front of operator-chosen dialers, requiring integration work that smaller operators sometimes find cumbersome.
Gryphon.ai
Gryphon.ai operates a real-time compliance middleware that intercepts outbound calls at the point of dial and blocks non-compliant attempts before connection. The architecture is the most aggressive in the market – instead of scrubbing lists in batches, Gryphon evaluates every dial against federal, state, internal, RND, and litigator-list data in real time. Pricing is enterprise quote-based and not published, which signals a target customer of mid-market and large outbound operations. Gryphon’s positioning emphasizes “automated DNC, TCPA, and collections compliance,” and the product is favored by financial services, debt collection, and large insurance call centers where regulator attention is highest.
Contact Center Compliance (DNC.com)
Contact Center Compliance, operating under the DNC.com brand, is the broadest-integration vendor in the category. The company reports more than 70 billion phone-number scrubs performed and integrations with Salesforce, Five9, Genesys, ActiveProspect, VICIDial, AutoReach, and Mitel. The flagship products are DNCScrub for general DNC compliance and LitigatorScrub for known-plaintiff filtering. DNC.com claims that no client has ever incurred a violation, lawsuit, or fine attributable to inaccurate scrubbing data – a claim that is unverifiable but consistent with the vendor’s twenty-plus years in the market. Pricing combines per-record fees with subscription tiers. The Genesys Cloud integration documentation describes just-in-time scrubbing at point of record selection, which functionally matches Gryphon’s real-time architecture for operators on Genesys.
Convoso and other dialer-bundled scrubbers
Convoso, ChaseData, and several other call-center platforms bundle DNC scrubbing into the dialer subscription. The tradeoff is breadth: bundled scrubbers cover federal and state DNC lists but typically offer thinner litigator-list coverage and weaker third-party integration. For single-vendor operators running entirely inside a Convoso or similar stack, the bundled scrubber is functionally adequate. For operators distributing leads to multiple buyers across multiple dialers – the standard ping-post architecture in insurance and lending – a stand-alone scrubber from PossibleNOW, Gryphon, or DNC.com is the only architecture that produces consistent compliance across the buyer network.
Vendor selection criteria
Three factors should drive vendor selection. First, integration depth: an operator running on Genesys or Five9 should weight DNC.com’s pre-built integrations heavily, while a Salesforce-native operation should weight PossibleNOW. Second, real-time versus batch architecture: high-volume outbound operators (>100,000 dials/day) need real-time blocking, which favors Gryphon and DNC.com’s just-in-time integrations over batch-style PossibleNOW. Third, audit posture: operators in regulated verticals (debt collection, insurance, healthcare) need vendors that produce defensible attestation documentation, which is PossibleNOW’s strongest positioning.
Internal DNC and the five-year retention rule
The internal company DNC list is the most operator-controllable of the four lists and the source of the largest preventable litigation losses. Every seller and telemarketer must maintain its own internal opt-out list under both 16 CFR 310.4(b)(1)(iii) and 47 CFR 64.1200(d). Any consumer who tells the seller – or the seller’s agent – to stop calling must be added to the internal list within a reasonable time and never contacted again unless they affirmatively opt back in.
The May 2024 retention extension
The FTC amended 16 CFR 310.5(a)(10) effective May 16, 2024, extending the retention period for internal DNC records from two years to five years. The amendment aligned the recordkeeping period with the five-year statute of limitations for civil penalty actions under the Telemarketing Sales Rule. The records that must be retained include the consumer’s name, the telephone number(s) at issue, the seller or charity the consumer declined contact from, the telemarketer that made the call, the date of the request, and the goods or services that were being offered. Compliance with the expanded recordkeeping rule was required by October 15, 2024.
What the rule actually requires
A defensible internal DNC operation has five components that the FTC and FCC examine during enforcement actions. The first is request capture across every channel – voice calls, SMS responses, email, web forms, postal mail – into a single normalized list. The second is sub-day propagation to every dialing platform, predictive system, manual outbound team, and SMS sender associated with the seller. The third is retention of the original request artifact (the call recording, the SMS opt-out keyword response, the email) for five years. The fourth is documented training of every employee and vendor agent on capture and propagation procedures. The fifth is auditability – the seller must be able to produce, on demand, the full opt-out history for any specific phone number going back five years.
The internal DNC list management guide covers the operational architecture in depth. The point worth emphasizing here is that internal DNC failures are the easiest violations for plaintiff counsel to prove. A National Registry violation requires the plaintiff to prove the number was on the federal list and the defendant lacked an exemption – both verifiable with FTC records. An internal DNC violation requires only the plaintiff to prove they made an opt-out request and the defendant called again. The proof asymmetry favors the plaintiff overwhelmingly.
The FCC 2024 revocation rules
The FCC’s April 2024 Declaratory Ruling on consent revocation, effective April 11, 2025, expanded the methods consumers can use to revoke consent. Reasonable methods now include responding “STOP” or any similarly worded keyword to a text, replying to an email with “unsubscribe,” or stating revocation orally during any call from the seller. The ruling also requires sellers to honor revocation across all channels – a consumer who texts “STOP” to a seller’s SMS program must also be added to that seller’s internal voice DNC list. Operators running multi-channel outreach now need internal DNC infrastructure that propagates opt-outs horizontally across SMS, voice, email, and direct mail simultaneously.
Operator playbook: scrub-on-purchase versus scrub-on-dial economics
The operational question every lead buyer and outbound center asks is when to scrub. The answer is both – but the cost structure of running both differs enough to deserve explicit math.
The two scrub points
Scrub-on-purchase happens at the moment a lead is acquired from a vendor or generated through an owned form. The operator scrubs the inbound phone number against federal, state, RND, and internal lists before paying for the lead or before pushing it into the dialer queue. Scrub-on-purchase prevents two losses: the cost of a non-contactable lead, and the litigation risk of dialing a DNC number whose status changed between vendor scrub and operator delivery.
Scrub-on-dial happens at the moment of attempted contact, either as a batch run before each campaign or as a real-time check at the point of dial. Scrub-on-dial captures DNC additions that occurred between purchase and contact – a meaningful gap given the 4.8 million numbers added to the National Registry annually and the routine seven-to-fourteen day window between lead purchase and first contact attempt in most outbound operations.
The per-call cost math
Enterprise scrubbing services charge fractions of a cent per lookup at scale. Bundled federal + state + RND + internal + litigator scrubs typically run $0.005 to $0.02 per call at volume, with PossibleNOW and DNC.com pricing in the lower end of that range and Gryphon’s real-time architecture priced at the upper end. For an operator running 100,000 dials per day, scrub-on-dial costs $500 to $2,000 per day – $182,500 to $730,000 per year.
The relevant comparison is not the scrub cost but the unscrubbed-call cost. The TCPA private right of action at 47 USC 227(c) allows consumers to recover up to $500 per call in statutory damages and up to $1,500 per call for knowing or willful violations. The TSR civil penalty maximum is $53,088 per call as of 2025. A blended-exposure model that assumes 10% of unscrubbed calls draw a private claim at $500 per call and 0.1% draw an FTC enforcement action at $53,088 produces an expected liability of roughly $103 per unscrubbed call – five thousand to twenty thousand times the cost of scrubbing the same call.
Why scrub-on-purchase is structurally underused
Lead vendors often represent that their leads are scrubbed before delivery. The representation is frequently true at the moment of vendor scrub and frequently false by the time the operator dials. The 31-day federal scrub floor combined with the typical three-to-fourteen day vendor-to-buyer transit window means that even diligent vendors deliver leads with a small but measurable rate of newly-DNC-listed numbers. Scrub-on-purchase is the only way for the buyer to confirm DNC status at the moment of purchase rather than relying on vendor attestation.
The cost asymmetry cuts hard against vendors who skip pre-delivery scrubbing. A buyer that scrubs on purchase will, over a 90-day vendor evaluation period, generate a quantifiable rate of DNC-list hits that the vendor failed to catch. Lead-gen contracts that include scrub-on-purchase reporting create accountability that vendor-side scrub representations cannot. This is the operational reason why mature insurance, mortgage, and solar buyers now require pre-scrub attestation contractually and run independent scrub-on-purchase as a verification layer.
Recommended architecture
A defensible 2026 outbound operation runs four scrubs in series. The first is pre-delivery scrub by the vendor, with attestation contractually required. The second is scrub-on-purchase by the buyer, against federal, state, internal, and litigator lists, before payment is approved. The third is scrub-on-dial in real time, against the same lists plus RND for any consent older than 30 days. The fourth is post-call review of any disposition that suggests a wrong number or reassignment, with automatic addition of those numbers to the internal list. The combined cost runs $0.01 to $0.04 per dial, which against a 1% claim rate at $500 per claim produces a cost-of-defense ratio of roughly 1:125 – the kind of ratio that turns scrubbing from a compliance line item into a measurable insurance product.
Key Takeaways
- The National Do Not Call Registry held 258 million active registrations as of September 30, 2025; 31% to 41% of TCPA lawsuits in 2024 were filed by repeat litigators, making DNC scrubbing the most direct lawsuit-prevention investment available to outbound operators.
- Operators must scrub against four distinct lists: the federal National Registry (every 31 days), eleven state DNC lists, the FCC Reassigned Numbers Database (per-call when consent is older than 30 days), and their own internal opt-out list (continuously).
- The 2025 FTC inflation adjustment raised the maximum TSR civil penalty to $53,088 per illegal call; the TCPA private right of action allows $500 per call in statutory damages, trebled to $1,500 for knowing or willful violations.
- The May 16, 2024 amendment to 16 CFR 310.5(a)(10) extended internal DNC record retention from two years to five years, aligning with the civil-penalty statute of limitations.
- Texas SB 140 (effective September 1, 2025) and the Illinois Rabbit v. Rohrman ruling (March 27, 2026) confirm that SMS marketing messages are subject to DNC rules at both the state and federal level, requiring operators to scrub texts the same way they scrub voice calls.
- PossibleNOW DNCSolution favors Salesforce-native enterprises with audit-heavy regulatory exposure; Gryphon.ai serves high-volume real-time call-blocking environments; Contact Center Compliance (DNC.com) offers the broadest integration footprint across Genesys, Five9, ActiveProspect, and VICIDial.
- FY 2026 National Registry access fees are $82 per area code with the first five free; full nationwide access is capped at $22,626; charitable and political organizations remain exempt.
- Scrub-on-purchase plus scrub-on-dial at $0.01 to $0.04 per call is roughly 1:125 to the expected per-call liability under blended TSR and private-TCPA exposure – the math favors scrubbing aggressively over scrubbing minimally.
Sources
- FTC National Do Not Call Registry Data Book for Fiscal Year 2025 – registration totals, complaint volumes, enforcement statistics
- 16 CFR Part 310 – Telemarketing Sales Rule (eCFR) – TSR scrub frequency, internal DNC requirements, recordkeeping
- 47 USC 227 – Restrictions on Use of Telephone Equipment – TCPA private right of action, statutory damages, willful-violation trebling
- FCC Reassigned Numbers Database – RND launch, query mechanics, safe harbor provisions
- FTC: Telemarketer Fees to Access the DNC Registry to Increase in 2026 – FY 2026 area-code and nationwide access fees
- FTC: Inflation-Adjusted Civil Penalty Amounts for 2025 – $53,088 per-violation TSR maximum
- Federal Register: TSR Final Rule, May 16, 2024 Recordkeeping Amendments – five-year internal DNC retention requirement
- PossibleNOW DNCSolution 3.0 – vendor product capabilities, federal/state/RND/internal coverage
- Gryphon.ai Automated DNC, TCPA, and Collections Compliance – real-time compliance middleware architecture
- Contact Center Compliance (DNC.com) – DNCScrub, LitigatorScrub, integration partner list