Last updated 2026-07-11

TL;DR
Under the TCPA, the company that makes the call or sends the text is liable, even if an affiliate collected the consent. Courts hold sellers responsible for their affiliates' consent failures. You need written consent that names your company by name, a clean audit trail tying each call to a record, and contractual indemnification from every lead vendor you buy from.
What is the TCPA responsibility chain in affiliate marketing?
The TCPA responsibility chain is about who pays when a consumer gets an unwanted call or text and the lead came from an affiliate. Short version: everyone in the chain carries some risk, but the company that placed the call or sent the message is the primary target.
Here's the structure. A publisher or affiliate runs a landing page, collects consumer information, and sells that lead to a buyer, often through an aggregator or lead network. The buyer's sales team then calls or texts the consumer. When the consumer claims they never consented, or that the consent they gave doesn't cover that specific seller, the lawsuit names the buyer. The buyer made the contact. [1]
The FCC codified vicarious liability for TCPA violations in its 2013 Declaratory Ruling. Sellers can be held liable for calls made by third-party telemarketers if the seller ratified the conduct, had actual knowledge of it, or created an apparent agency relationship. [2] That ruling opened the door to suing the brand behind the affiliate, not the affiliate itself.
Why does that matter to you? Affiliates are often small, judgment-proof, or offshore. A plaintiff's attorney goes after the well-capitalized buyer. Understand this before you buy your first affiliate lead.
What does the TCPA actually require for consent to call or text?
The TCPA, codified at 47 U.S.C. § 227, bars using an automatic telephone dialing system or a prerecorded voice to call or text a cell phone without prior express consent. For telemarketing calls and texts, the standard is higher: prior express written consent. [1]
The FCC's 2012 rule change (effective October 16, 2013) raised the bar from "prior express consent" to "prior express written consent" for any call or text that includes or introduces an advertisement or counts as telemarketing. The regulation at 47 C.F.R. § 64.1200(f)(9) defines prior express written consent as an agreement, in writing, bearing the signature of the person called, that clearly and conspicuously authorizes the seller to deliver calls using an ATDS or prerecorded voice. [3]
The key word in that definition is "seller." The consent has to identify the specific entity calling. This is where affiliate leads blow up. A consumer fills out a form on a publisher's comparison site consenting to be contacted by "insurance companies." That blanket language is not prior express written consent naming your company. Courts have rejected that kind of consent over and over.
The FCC's one-to-one consent rule, which would have required each seller to be individually named in the consent form, was vacated by the 11th Circuit in January 2025 before it took full effect. [4] Don't read that vacatur as a green light for vague, pooled consent. Courts still apply the written consent requirement strictly. The vacatur removed a new regulatory layer. The underlying TCPA written consent requirement is still there. [4]
For text message marketing, the same prior express written consent standard applies. There's no lower bar just because it's a text.
Can you be held liable for what an affiliate did wrong?
Yes. The FCC's 2013 Declaratory Ruling says a seller is liable for a third party's TCPA violations under federal common law agency principles if the seller authorized the conduct, knew about it and let it continue, or held the caller out as its agent. [2]
Courts have pushed this further. In Jones v. Royal Administration Services, the Ninth Circuit held that evidence of a seller controlling how leads are generated, or setting the script a telemarketer uses, can establish vicarious liability. [5] The Supreme Court's 2016 decision in Gomez v. Campbell-Ewald turned on standing and mootness, but the agency theory that drives these affiliate cases stayed intact.
Here's the practical problem. If you give your affiliate a script, brand guidelines, call disposition instructions, or any performance feedback on lead quality, a plaintiff can argue you controlled the affiliate's conduct. That looks like agency.
Even if you controlled nothing, some courts apply a ratification theory. Accept and monetize leads while ignoring obvious red flags about how they were collected, and you ratified the affiliate's conduct. Ignorance is not a clean defense.
Statutory damages under the TCPA run $500 per violation, up to $1,500 for willful violations, with no cap on the number of violations in a class action. [1] The Cash App TCPA class action settlement and the Credit One TCPA settlement show how fast those per-message numbers compound into eight-figure exposure.
What consent language actually holds up in court?
Courts have been consistent on a few elements. The disclosure has to be conspicuous, meaning not buried in fine print below the fold. It has to be separate from the general terms and conditions. It has to name, or at least let the consumer see and understand, who will contact them. And the consumer has to take an affirmative act to agree, like checking an unchecked box. Not a pre-checked one. [3]
For affiliate-collected consent to survive a TCPA dispute, you want language that reads something like this: "By clicking [Submit], I agree to be contacted by [Your Company Name] at the number I provided, including by autodialer or prerecorded message, for marketing purposes. Consent is not a condition of purchase." That last line matters because 47 C.F.R. § 64.1200(f)(9) explicitly bars making consent a condition of buying a good or service. [3]
The "not a condition of purchase" language goes missing from affiliate consent forms constantly. When you audit a lead vendor's consent flow, that's the first thing to check.
If the affiliate uses a co-registration model, where multiple companies share one consent form, each listed company has to be visible at the moment of consent. A hyperlinked list of hundreds of marketing partners three clicks away doesn't meet the clear and conspicuous standard under any fair reading of FCC guidance. [2]
How does a lead aggregator or network fit into the liability chain?
Lead aggregators sit between publishers and buyers. They collect leads from multiple affiliates, sometimes run their own compliance checks, and resell to buyers in bulk or in real time. Their spot in the chain splits how courts treat them.
The aggregator usually isn't the one calling, so they're rarely the primary TCPA defendant. But buyers routinely try to pull aggregators into litigation as indemnitors when the consent breaks down. Whether that works depends almost entirely on the contract.
If your agreement with the aggregator includes a representation and warranty that all leads were collected with prior express written TCPA consent, you have a contractual claim against them when consent turns out to be deficient. Collecting on that claim is a separate question. A small aggregator with thin margins can't pay a seven-figure indemnification. The clause is only as good as the balance sheet behind it. [6]
Some aggregators now sell "certified leads" with stored consent records. Better than nothing. But you still have to verify what the certification actually means. Ask for a sample consent form, a sample stored record, and the mechanism they use to match the consent record to the lead data you receive. Then have a lawyer read it.
What records do you need to prove consent if you get sued?
The FTC and FCC don't set an exact retention period for TCPA consent records. The practical answer: keep them as long as you might get sued, plus the statute of limitations. The TCPA carries a four-year statute of limitations under 28 U.S.C. § 1658, the federal catch-all, though some circuits have argued over it. [7] Five years of retained consent records is a reasonable floor.
What the record needs to show:
- The consumer's name, phone number, and IP address at the time of consent
- A timestamp accurate to at least the minute, ideally with a server-side log
- The exact consent language shown to the consumer at that moment (version-controlled)
- The source URL or affiliate tag identifying where the lead came from
- Evidence the consumer took an affirmative action (checkbox state, button click event)
A lead with just a name and phone number is not a defensible consent record. Neither is a spreadsheet the affiliate emailed you claiming "all leads are TCPA compliant."
Here's how it plays out in litigation. Plaintiffs' attorneys subpoena your call logs, then ask you to produce the matching consent record for each call. Can't match them? Each unmatched call is a potential $500 violation. You need a system that ties consent records to contact records at the individual consumer level. Your do not call list scrubbing logs are a separate requirement, but store them the same way.
LeadCompliant's free tools include a consent audit checklist that walks through each of these record fields. Run through it before you sign a new affiliate contract.
What should your affiliate contracts say to reduce TCPA exposure?
Contract language won't erase liability. It shifts risk and gives you a path to recover costs from the party that caused the problem. These are the clauses that matter.
Start with an explicit TCPA compliance representation. The affiliate warrants that every lead was collected with prior express written consent under 47 U.S.C. § 227 and 47 C.F.R. § 64.1200, using a consent form that names your company (or the specific marketing entity), isn't pre-checked, and isn't bundled with terms of service. [1][3]
Next, a consent record delivery obligation. The affiliate has to deliver, with each lead or within 24 hours of a request, the full consent record: IP address, timestamp, source URL, and a screenshot or archived version of the consent form as the consumer saw it.
Then indemnification. The affiliate indemnifies you, holds you harmless, and pays defense costs for any TCPA claim arising from a lead they supplied. Make it uncapped, or at least capped at a meaningful multiple of what you paid for the leads.
Audit rights come next. You get the right to audit their lead collection practices, consent flows, and records on reasonable notice. This clause documents your due diligence, which itself helps your defense.
Add DNC scrubbing. The affiliate scrubs leads against the National DNC Registry before delivering them, or certifies that you're getting raw leads and you'll scrub them yourself. Don't leave it ambiguous. The do not call telemarketer list requirements apply to both parties depending on who initiates the call.
Close with termination for TCPA exposure. You can immediately terminate and claw back payments if TCPA claims referencing their leads cross a defined threshold.
What are the biggest mistakes buyers make when purchasing affiliate leads?
Read enough of these cases and the same mistakes repeat.
Buying leads without seeing the consent form. Plenty of buyers never look at how the affiliate collects consent. They see a price and a volume, they sign up, they start calling. This is the single most common setup for a TCPA suit. See the live consent flow before you call one lead from a new affiliate. Screenshot it. Archive it.
Trusting platform certifications without verifying. Some aggregator platforms badge leads as "TCPA compliant." That badge means the platform ran some filter. It doesn't mean the specific lead you're about to call has an auditable consent record that survives discovery. Ask what the certification actually covers.
Using aged leads without checking freshness. Consent has practical limits. The FCC hasn't set a hard expiration date, but courts have questioned whether a consumer who consented 18 months ago for one purpose still meaningfully consents to a call today for a different offer. A 90-day-old or 180-day-old lead carries more risk than a fresh one, especially when your offer differs from what the consumer thought they signed up for.
Calling a mobile phone do not call list number without consent. A number on the national DNC registry that you call with an ATDS and no TCPA-compliant consent stacks two violations: the DNC violation and the TCPA consent violation. Plaintiffs love these. They're easy to document.
Skipping the internal cold calling compliance review when switching to affiliate leads. Teams moving from cold outreach to affiliate leads sometimes assume affiliate leads are pre-cleared for everything. They aren't. You still scrub DNC, you still need valid consent for ATDS use, and you still can't call before 8 a.m. or after 9 p.m. local time.
How do courts determine whether consent was valid in a specific case?
Courts run a fact-intensive inquiry. The plaintiff says they didn't consent, or that the consent didn't cover this seller. The defendant says here's our consent record. Then the court weighs a handful of things.
Was the consent form presented clearly? Courts look at the visual design of the page. Was the consent language above the fold? Was it 8-point gray font on a gray background? Did the consumer see the disclosure before hitting submit, or did it show up only in a post-confirmation email? Several district courts have rejected consent that appeared only in a post-submission email, because the consumer never had a chance to decline. [5]
Did the consumer actually see and assent to this specific disclosure? IP address logs help but don't settle it. Plaintiffs argue session data can be spoofed or miscaptured. A server-side event log combined with a hash of the page content at the time of submission is more defensible than a client-side JavaScript event.
Did the consent cover the specific type of contact? A consumer who agreed to hear about "home improvement services" probably didn't consent to calls from a life insurance seller. Courts have thrown out consent where the solicitation category materially differed from what the consent form described.
One more thing, and it's the one people forget. The burden of proof is on the caller. You have to prove you had consent. The consumer doesn't have to prove they didn't give it. That asymmetry means your records need to be affirmative, more than the absence of a complaint. [1]
What is the FCC's current position on one-to-one consent for affiliate leads?
The FCC adopted a rule in December 2023, originally effective January 27, 2025, that would have required one-to-one consent for each seller. The rule would have banned the common affiliate practice of bundling consent for multiple companies in one form. It stated that a consumer's agreement to receive calls from one entity couldn't be treated as agreement to receive calls from another. [4]
The 11th Circuit vacated that specific rule in January 2025, finding the FCC exceeded its statutory authority. [4] So the one-to-one requirement as a new regulatory layer is gone. That doesn't reset the clock to the pre-2013 era.
The existing written consent requirement under 47 C.F.R. § 64.1200(f)(9) still requires the consent to clearly identify who will be calling. Courts reading the pre-2025 framework have generally held that generic consent to contact by "marketing partners" doesn't satisfy the written consent requirement when a specific identified seller makes the call. [3]
So the takeaway is narrow. The 11th Circuit ruling removed one regulatory layer. It didn't change the underlying consent standard. If you planned to rely on pooled, vague affiliate consent after the vacatur, you're still exposed under the existing TCPA framework.
Expect the FCC to issue further guidance or propose a modified rule. The commission's stated policy goal, consumer-specific consent, didn't vanish when the rule was vacated. Watch for new rulemaking in 2025 or 2026.
How should you audit an affiliate or lead vendor before buying leads?
A pre-purchase audit is your best practical defense. Here's what to check.
Request and test the live consent flow. Walk through the affiliate's lead capture page yourself, the way a consumer would. Screenshot every step. Confirm the consent language is present before submission, names your company or lists it specifically, isn't pre-checked, and includes the "not a condition of purchase" line. Do this on mobile too. The mobile view often truncates the disclosure or hides it behind a scroll.
Ask for a sample consent record. Before signing, ask for five or ten sample records from recent leads. Look at the fields. If they can't or won't provide them, stop there.
Review their DNC scrubbing process. Ask whether they scrub against the National DNC Registry before delivering leads, or whether that falls to you. Confirm who holds the SAN (Subscription Account Number) for registry access. [8] Gaps here become your liability.
Check their subaffiliate practices. Many affiliates aggregate leads from their own network of sub-publishers. Ask whether the consent standard and audit rights flow down to those subaffiliates. Usually they don't. That's where the worst consent failures happen.
Run a test batch with real scrubbing before scaling. Buy a small batch, run it through DNC scrubbing, pull a random sample, try to verify the consent records, then make a handful of calls with a compliant cold call script. See what happens. Scale only after the process holds up.
LeadCompliant's one-time compliance kit includes a vendor audit questionnaire you can send to affiliates before signing. It covers the consent form review, record delivery requirements, and subaffiliate pass-through language.
What do TCPA settlements show about affiliate lead liability?
Settlements don't create legal precedent. But they show what buyers actually pay when affiliate consent goes wrong.
The pattern in major settlements: the calling company pays, even when it points at affiliate failure. In the Credit One TCPA settlement, the company resolved claims for tens of millions of dollars over calls to consumers who alleged they hadn't consented. The affiliate relationship didn't shield anyone.
Class actions under the TCPA are especially dangerous for affiliate-lead buyers because the class is defined by the calls, not by the consent source. Every consumer who got a call from your ATDS and can plausibly claim the consent was deficient is a potential class member. At $500 per call, a class of 50,000 consumers is $25 million in exposure before trebling for willfulness. [1]
Defense costs alone in TCPA class actions typically run into the hundreds of thousands of dollars before you reach a settlement. For a small team, that number by itself is existential.
Nobody has reliable public data on what share of TCPA class actions come from affiliate consent failures versus other causes. The closest source is the law firm WebRecon, which publishes monthly TCPA case filing counts. Federal TCPA suits have run roughly 3,000 to 5,000 per year lately. [9] Affiliate consent disputes are a large and growing slice, based on the fact patterns in published opinions.
Frequently asked questions
Who is legally responsible when an affiliate collects bad TCPA consent?
The company that makes the call or sends the text is the primary TCPA defendant, even if an affiliate collected the consent. Under the FCC's 2013 Declaratory Ruling, sellers can also be held vicariously liable for their affiliates' conduct if they authorized it, had knowledge of it, or created an apparent agency relationship. Contractual indemnification from the affiliate helps but doesn't eliminate your exposure.
Does the FCC's one-to-one consent rule still apply after the 11th Circuit vacated it?
The specific one-to-one rule adopted in December 2023 was vacated by the 11th Circuit in January 2025. But the underlying TCPA written consent requirement under 47 C.F.R. § 64.1200(f)(9) still applies. Courts have consistently held that generic affiliate consent to contact by unspecified 'marketing partners' doesn't satisfy the written consent standard when a specific seller makes the call.
Can a consumer sue me for a call made from an affiliate lead even if I didn't generate the lead myself?
Yes. The TCPA imposes liability on whoever places the call or sends the text. If your sales team called the consumer, you're the defendant regardless of who collected the lead. Vicarious liability also means you can be named for calls your contracted telemarketer made, if you had control over or knowledge of their methods.
What does prior express written consent actually require for affiliate-collected leads?
Under 47 C.F.R. § 64.1200(f)(9), the consumer must sign (including an electronic signature) an agreement that clearly and conspicuously authorizes the specific seller to contact them via ATDS or prerecorded voice for marketing. The consent can't be pre-checked, can't be buried in terms of service, and can't be a condition of purchase. Generic consent to 'marketing partners' generally doesn't meet this standard.
How long should I keep TCPA consent records from affiliate leads?
Keep them at least five years. The TCPA's federal statute of limitations under 28 U.S.C. § 1658 is four years, and some state TCPA analogs extend longer. Each record should include the consumer's name, phone number, IP address, timestamp, the exact consent language shown at the time, and the source URL or affiliate tag. A spreadsheet from the affiliate saying 'all leads are compliant' is not a consent record.
What contract clauses should I require from affiliate lead vendors?
At minimum: a TCPA compliance representation citing 47 U.S.C. § 227 and 47 C.F.R. § 64.1200, a consent record delivery obligation with IP address and timestamp, uncapped indemnification for TCPA claims, audit rights over their consent flows, DNC scrubbing obligations, and a termination clause triggered by TCPA claims above a defined threshold. These won't prevent suits but they create a recovery path against the affiliate.
Does consent expire? Can I use affiliate leads that are six months old?
The FCC hasn't set a hard expiration date for TCPA consent. But courts and FCC guidance suggest aged consent is riskier, especially if the offer differs from what the consumer signed up for. Leads older than 90 days carry meaningfully more litigation risk than fresh ones. If the affiliate's offer category doesn't match your product, the consent may be invalid regardless of age.
What is vicarious liability under the TCPA and how does it apply to affiliate marketing?
Vicarious TCPA liability means you can be held responsible for a third party's call if that party acted as your agent, apparent agent, or with your authorization or ratification. The FCC established this in its 2013 Declaratory Ruling. In affiliate marketing, you face vicarious liability if you gave the affiliate a script, brand guidelines, or call instructions, or if you kept accepting leads after learning about consent problems.
Do I still need to scrub affiliate leads against the National Do Not Call Registry?
Yes. TCPA consent for autodialed calls and DNC compliance are separate obligations. Valid written consent lets you use an ATDS to call a cell phone, but it doesn't override a consumer's DNC registration for telemarketing calls. You need both: valid consent and a DNC scrub. Confirm with your affiliate who holds the Subscription Account Number for registry access so you know who runs the scrub.
Can I get TCPA consent through a co-registration form that lists multiple companies?
Co-registration consent is legally risky. Courts have found that listing hundreds of marketing partners via hyperlink, or using vague language like 'our partners,' doesn't give consumers meaningful notice of who will contact them. If you use co-reg leads, each company named in the form must be clearly visible to the consumer at the moment of consent, not buried in a linked document. And you should keep a copy of the form as it appeared at the time.
What statutory damages can I face for TCPA violations from affiliate leads?
The TCPA allows $500 per violation and up to $1,500 per willful violation, with no statutory cap on the number of violations in a class action. At $500 per call, a class of 10,000 consumers exposed to an illegal contact is $5 million before trebling. Defense costs in TCPA class actions routinely run into the hundreds of thousands before settlement, which alone can be fatal for smaller teams.
How do I verify that an affiliate's consent form actually meets TCPA standards?
Walk through their lead capture flow yourself, as a consumer would, on both desktop and mobile. Screenshot each step. Confirm the consent language appears before the submit button, names your company specifically, uses an unchecked opt-in checkbox, and includes 'consent is not a condition of purchase.' Then ask for a sample stored consent record for a recent lead to confirm they capture IP address, timestamp, and source URL.
What happens if my affiliate goes out of business and I get sued over their leads?
You're still the primary defendant because you made the calls. A contractual indemnification clause becomes worthless if the affiliate has no assets or is defunct. That's why pre-purchase due diligence on consent quality matters more than contract clauses alone. For high-volume affiliate programs, some buyers require affiliates to carry E&O or media liability insurance with the buyer named as additional insured.
Sources
- U.S. Congress, 47 U.S.C. § 227 (TCPA statutory text): $500 per violation, up to $1,500 for willful violations; prior express consent requirement for ATDS calls to cell phones
- FCC, 47 C.F.R. § 64.1200 (TCPA implementing regulations): Prior express written consent definition; consent cannot be a condition of purchase; unchecked checkbox requirement
- U.S. Court of Appeals, 11th Circuit, Insurance Marketing Coalition v. FCC, No. 24-10277 (Jan. 2025): 11th Circuit vacated the FCC's one-to-one consent rule in January 2025, finding the agency exceeded its statutory authority
- U.S. Court of Appeals, 9th Circuit, Jones v. Royal Administration Services, 887 F.3d 443 (2018): Seller can be vicariously liable for telemarketer's TCPA violations based on agency and apparent authority; control over scripts and conduct is evidence of agency
- FTC, Complying with the Telemarketing Sales Rule: Lead aggregators and sellers both face compliance obligations under telemarketing rules; contractual representations do not fully transfer liability
- U.S. Congress, 28 U.S.C. § 1658 (federal catch-all statute of limitations): Four-year statute of limitations applies to TCPA claims filed in federal court
- FTC, National Do Not Call Registry (business guidance): Telemarketers must obtain a Subscription Account Number (SAN) to access and scrub against the National DNC Registry
- WebRecon LLC, Monthly TCPA, FDCPA, and FCRA Lawsuit Statistics: Federal TCPA lawsuit filings have ranged between approximately 3,000 and 5,000 per year in recent years