In January 2026, the Federal Trade Commission released its annual report on the National Do Not Call Registry. The numbers tell a story of an enforcement apparatus that is growing, not shrinking.
258 million telephone numbers are now registered on the DNC list — an increase of 4.8 million over the prior year. The FTC received 2.6 million complaints about unwanted calls during fiscal year 2025. And the agency has collected over $400 million in civil penalties through enforcement actions since the registry’s inception.
These are not abstract statistics. They represent a consumer base that is actively engaged in protecting itself from unwanted calls, a regulator that is well-funded and motivated, and a legal framework that continues to tighten.
But the headline numbers are only part of the story. The FTC’s recent amendments to the Telemarketing Sales Rule (TSR) introduce changes that will have a more direct operational impact on lead generators, call centers, and anyone in the B2B telemarketing space than the DNC numbers themselves.
The DNC Registry: What the Numbers Tell Us
The DNC registry has been growing steadily since its creation in 2003, but the rate of growth is worth noting. Adding 4.8 million numbers in a single year means that roughly 13,000 consumers per day are registering their numbers. That is not a program in decline.
The FTC’s report breaks down complaints by category. The top categories for FY2025 were:
- Debt reduction and credit repair — consistently one of the highest-complaint categories, driven by aggressive outbound campaigns targeting consumers in financial distress.
- Imposters and scams — calls where the caller misrepresents their identity, often posing as government agencies, banks, or service providers.
- Medical and prescription offers — insurance leads, Medicare supplement pitches, and pharmaceutical promotions, particularly targeting the 65+ demographic.
- Auto warranty extensions — the perennial top-of-list complaint category that has generated multiple FTC enforcement actions.
For companies operating in the insurance and medical lead generation space, the third category is a direct warning. The FTC has explicitly called out medical and prescription leads as a high-complaint category. If your outbound campaigns touch health insurance, Medicare, or pharmaceutical verticals, you are operating in a zone of heightened regulatory scrutiny.
The TSR Amendments: What Actually Changed
The FTC’s amendments to the Telemarketing Sales Rule (16 C.F.R. Part 310) went beyond updating DNC registry procedures. Three changes stand out for their operational impact.
1. B2B Calls Are Now Covered
The original TSR exempted certain business-to-business telemarketing calls from its requirements. The amended rule narrows that exemption significantly. B2B telemarketing calls that involve the sale of goods or services to businesses now fall under the TSR’s requirements, including DNC compliance, calling time restrictions, and disclosure obligations.
This matters for lead generation companies that sell leads to businesses or that make outbound calls to business owners pitching services like merchant cash advances, commercial insurance, payroll services, or SaaS products. If you are calling business phone numbers for telemarketing purposes, you now need to scrub against the DNC registry and comply with the TSR’s calling restrictions.
The exemption still applies to calls made solely to solicit sales from businesses that have an established business relationship (EBR) with the caller. But the EBR exemption is narrow: it requires a transaction or business relationship within the prior 18 months, or an inquiry or application within the prior 3 months.
2. Record Retention Increased from 2 to 5 Years
This is the change that will force the most significant operational adjustments.
Under the prior TSR, telemarketers were required to retain records related to telemarketing transactions and compliance for 2 years. The amended rule increases that to 5 years.
The records that must be retained for 5 years include:
- Advertising and promotional materials
- Sales scripts and call recordings
- Consent records, including documentation of prior express written consent
- Prize and premium records
- Employee and contractor records
- Customer information related to telemarketing transactions
For lead generators, the consent record requirement is the critical item. If you generate a lead today and sell it to a buyer who calls the consumer, you need to retain the consent documentation — the form, the disclosure language, the consumer’s affirmative action, the timestamp, the metadata — for 5 full years from the date of the lead.
Consider the lifecycle. A lead is generated in January 2026. The buyer calls the consumer in February 2026. The consumer files a complaint in March 2026. Under the old rule, if the FTC or a plaintiff’s attorney came looking for the consent record in January 2029, the 2-year window would have closed and the record could have been destroyed. Under the new rule, that record must be available through January 2031.
Five years is a long time in the lead generation industry. Companies fold, merge, rebrand, and switch technology platforms regularly. Consent records stored in CRM systems that are decommissioned, databases that are migrated without full data transfer, or file servers that are eventually wiped — all of these represent compliance failures under the new retention standard.
3. Penalties Increased to $51,744 Per Violation
The FTC has adjusted its civil penalty amounts for inflation under the Federal Civil Penalties Inflation Adjustment Act. The current maximum penalty for a TSR violation is $51,744 per violation.
In a telemarketing context, each call can constitute a separate violation. A campaign that makes 10,000 calls in violation of the TSR carries a theoretical penalty exposure of over $517 million. Even in a negotiated enforcement action, the numbers are staggering.
The FTC has demonstrated its willingness to pursue large penalties. The $400 million collected to date includes multiple eight-figure settlements. Companies operating in the high-complaint categories identified in the FTC’s report — debt reduction, medical leads, auto warranties — face the highest enforcement risk.
Insurance and Medical Leads: In the Crosshairs
The FTC’s report did not bury its concerns about the medical and insurance lead generation space. The agency explicitly identified these verticals as sources of significant consumer complaints.
For companies generating Medicare supplement leads, health insurance leads, or prescription-related leads, the message is direct: you are in a high-scrutiny vertical. The FTC is watching, consumers are complaining, and the penalties are large.
The combination of the 5-year retention requirement and heightened scrutiny in the medical/insurance space creates a specific compliance obligation: you must be able to produce a complete, verifiable consent record for any medical or insurance lead for 5 years after the lead was generated.
This is not a theoretical requirement. When the FTC investigates a complaint about unwanted calls related to Medicare supplement insurance, one of its first requests is for the consent record underlying the call. If the consent record has been deleted, lost, or was never properly captured in the first place, the company has no defense.
How eConsent’s 7-Year Retention Exceeds the New Standard
eConsent was built with long-term legal defensibility in mind, not just minimum regulatory compliance. Every consent certificate generated by the platform is stored with 7-year retention backed by Amazon S3 Object Lock in compliance mode.
S3 Object Lock in compliance mode means the records cannot be deleted or modified by anyone — not the customer, not eConsent, not even AWS — until the retention period expires. This is not a policy control. It is an infrastructure-level enforcement mechanism that prevents deletion at the storage layer.
Seven years exceeds the FTC’s new 5-year requirement by a full two years. That margin matters, because the statute of limitations for TCPA claims varies by state (typically 1-4 years from the date of the violation), and the 5-year retention clock runs from the date of the lead, not the date of the call. A lead generated today could be called months later, and the statute of limitations on that call extends further still. A 5-year retention window, while compliant with the TSR, may not cover the full litigation exposure window. Seven years does.
Each eConsent certificate includes the complete session recording of the consent event, the exact disclosure language displayed, the consumer’s affirmative action, IP address, device fingerprint, timestamp, and a cryptographic hash that proves the record has not been tampered with. This is the type of record that satisfies both regulatory inquiries and litigation discovery demands.
What You Should Do Now
1. Audit your current retention periods. Check how long your consent records, call recordings, lead data, and marketing materials are retained. If the answer is less than 5 years, you are now non-compliant under the amended TSR.
2. Verify your storage is immutable. Retaining records for 5 years is meaningless if those records can be altered or accidentally deleted. Your retention system should prevent modification and deletion — not just through access controls, but through infrastructure-level protections like object lock or write-once storage.
3. Scrub against the DNC registry. With 258 million numbers on the list and growing, the probability that your calling list includes DNC-registered numbers increases every day. Scrub before every campaign. The cost of a DNC scrub service is negligible compared to the cost of a $51,744-per-call penalty.
4. Review your B2B calling practices. If you make outbound telemarketing calls to businesses, determine whether your calls fall within the TSR’s newly expanded scope. If they do, you need to implement the same DNC scrubbing, consent documentation, and record retention practices you use for B2C campaigns.
5. Pay attention to your vertical. If you operate in debt reduction, insurance, medical leads, or auto warranty spaces, treat the FTC’s complaint data as an early warning system. These verticals are generating the most complaints and will attract the most enforcement attention.
6. Plan for the long term. Five years of record retention means your consent management and storage infrastructure needs to survive technology transitions, vendor changes, and organizational restructuring. Choose systems and formats that are durable. A consent record stored in a proprietary CRM format that cannot be exported or read in five years is effectively lost.
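An added example for steps 1 and 2 above (not eConsent's code and not part of the original article): a Python check that a stored consent record is locked in compliance mode until at least 5 years from the lead date and still matches its recorded SHA-256 hash. The dictionaries are constructed sample data shaped like the Retention member of an S3 GetObjectRetention response; the lead ID, dates and record body are hypothetical.

```python
import hashlib
from datetime import datetime, timezone
TSR_RETENTION_YEARS = 5  # retention period stated in the article

def add_years(d, years):
    """Shift d by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def audit_record(lead_date, retention, body, recorded_sha256):
    """Return findings for one stored consent record (empty list = pass)."""
    findings = []
    mode = (retention or {}).get("Mode")
    until = (retention or {}).get("RetainUntilDate")
    if mode is None or until is None:
        findings.append("no object lock retention set")
    else:
        if mode != "COMPLIANCE":
            # Governance mode can be lifted by any principal holding
            # s3:BypassGovernanceRetention, so it is only an access control.
            findings.append(f"mode is {mode}, not COMPLIANCE")
        if until < add_years(lead_date, TSR_RETENTION_YEARS):
            findings.append("retain-until date is under 5 years from lead date")
    if hashlib.sha256(body).hexdigest() != recorded_sha256:
        findings.append("content hash mismatch")
    return findings

# Constructed sample data (hypothetical lead, not real records).
UTC = timezone.utc
LEAD = datetime(2026, 1, 15, tzinfo=UTC)
BODY = b'{"lead_id": "example-001", "consent": true}'
GOOD_HASH = hashlib.sha256(BODY).hexdigest()
LOCKED = {"Mode": "COMPLIANCE", "RetainUntilDate": datetime(2033, 1, 15, tzinfo=UTC)}
SAMPLES = {
    "compliant": (LOCKED, BODY),
    "governance": ({**LOCKED, "Mode": "GOVERNANCE"}, BODY),
    "two_year": ({**LOCKED, "RetainUntilDate": datetime(2028, 1, 15, tzinfo=UTC)}, BODY),
    "unlocked": (None, BODY),
    "altered": (LOCKED, BODY.replace(b"true", b"false")),
}

def run_audit():
    return {n: audit_record(LEAD, r, b, GOOD_HASH) for n, (r, b) in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "PASS" if not findings else findings)
```

Against a live bucket, the retention dictionary would come from boto3's get_object_retention call on each consent object.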
The FTC’s DNC report and TSR amendments make one thing clear: the regulatory apparatus around telemarketing is getting stricter, penalties are getting larger, and retention obligations are getting longer. The companies that invest in durable, verifiable consent records today will be the ones that can defend themselves in 2031.