AI chatbot lead collection TCPA consent best practices

AI chatbots can create $500, $1,500-per-call TCPA liability if consent language is wrong. Learn exactly what your chatbot must say and capture before dialing.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-09

Hands on a laptop keyboard in a warmly lit home office during chatbot compliance work
Hands on a laptop keyboard in a warmly lit home office during chatbot compliance work

TL;DR

A chatbot can collect valid TCPA consent, but only if it shows a clear disclosure that the consumer agrees to autodialed or prerecorded calls and texts, names every seller who will contact them, and captures an unambiguous opt-in before any marketing outreach. Get any element wrong and each call or text costs $500 to $1,500 under 47 U.S.C. § 227.

The Telephone Consumer Protection Act, 47 U.S.C. § 227, makes it unlawful to place autodialed or prerecorded calls or texts to a cell phone without the called party's prior express written consent. [1] Damages run $500 per violation and $1,500 per willful violation. No cap per plaintiff. No need to prove actual harm. [1] Class actions turn that arithmetic into something that ends companies.

AI chatbots have become a dominant lead-collection surface. Insurance, mortgage, and home services companies run them to handle volume no human form-fill could match. The FCC and the courts have been blunt about one thing: the channel collecting consent does not change the legal standard. A chatbot that skips the required disclosure is not a cute technicality. It is an undefended lawsuit.

The risk is not hypothetical. In 2024 the FCC issued a declaratory ruling that AI-generated voice calls count as prerecorded calls under the TCPA, which tells you how the agency reads automation in the contact chain. [2] Hand a number to an auto-dialer without a legally sufficient consent record and you are on the wrong side of that line.

Small teams assume the chatbot vendor handles consent. The vendor almost never does. Consent language is a business decision, not a software default, and the liability stays with the seller who makes the call.

The FCC's 2012 TCPA order defined prior express written consent as an agreement, in writing, bearing the signature of the person called, that clearly authorizes the seller to deliver autodialed or prerecorded messages to a specific telephone number. [3] For digital consent, a checked box or typed agreement counts as a signature under the E-SIGN Act. [4]

Four elements have to be present. All four.

1. The consumer must see a clear and conspicuous disclosure. Buried fine print or a link to terms tucked behind a footnote does not satisfy this. "Clear and conspicuous" means a reasonable person reading the page would notice it and understand it.

2. The disclosure must state that by providing a phone number the consumer agrees to receive autodialed or prerecorded calls or texts. "We may contact you" is not enough. The FCC's rules require you to name the technology.

3. Consent cannot be a condition of buying anything. [3] If the chatbot will not let a user proceed without giving a number used for marketing, that design likely violates the anti-coercion rule.

4. The agreement must name the seller or sellers who will contact the consumer. This point got sharper teeth after the FCC's January 2025 one-to-one consent rule, which requires consent be granted to one seller at a time and that the seller's identity appear in the disclosure at the moment consent is given. [5]

The statute's own words matter. 47 U.S.C. § 227(b)(1) prohibits calls made "using any automatic telephone dialing system or an artificial or prerecorded voice" to a mobile number without "prior express consent of the called party." [1] That phrase has been litigated thousands of times. "Prior" means before you dial. "Express" means stated, not inferred. "Written" means documented and retrievable.

The FCC adopted a one-to-one consent rule in December 2023, effective January 27, 2025. [5] It says prior express written consent for telemarketing must be obtained one seller at a time. One consent grants authority to one seller, not to a list of marketing partners or a lead aggregator's whole network.

That breaks the old lead-gen model, where a single chatbot flow collected a number and then sold it to ten buyers, each claiming the chatbot's blanket consent covered them. That model is now unlawful for calls and texts to mobile numbers.

For a chatbot operator, the practical changes are big:

  • You cannot present a pre-checked list of dozens of partners and call that consent. The FCC named the practice specifically.
  • If your chatbot is the lead generator and you sell to downstream callers, each buyer needs their own consent event, or you collect consent that names each buyer individually.
  • The consent must be "logically and topically associated" with the website or chatbot interaction where it was collected. A mortgage chatbot cannot bundle in consent for unrelated insurance calls.

Then the courts stepped in. The U.S. Court of Appeals for the Eleventh Circuit vacated part of the FCC's one-to-one rule in January 2025, specifically the "logically and topically related" requirement, holding the FCC exceeded its statutory authority on that narrow point. [6] The core one-to-one requirement survived. Treat the named-seller and one-consent-per-seller rules as still in force while litigation settles the fringes.

Bottom line for your chatbot: pick one seller per consent flow, name them by legal business name, and do not aggregate.

TCPA key numbers for chatbot consent compliance Statutory thresholds and penalties every chatbot operator must know $500 Damages per TCPA violation (negligent) $1,500 Damages per TCPA violation (willful) $53k Max FTC DNC penalty per call $500 Florida FTSA per-violation… Source: 47 U.S.C. § 227 (Cornell LII); FTC Do Not Call Registry guidance, 2025

Good consent language is specific, short, and sitting where the consumer actually sees it before they hit submit. Here is a plain-English template that captures the required elements (adapt it with your own counsel's review):

"By providing your phone number and clicking [button label], you agree that [Company Legal Name] may contact you using an automatic telephone dialing system or prerecorded messages at the number you provided, even if your number is on a Do Not Call list. Message and data rates may apply. Consent is not a condition of purchase. Reply STOP to opt out."

Every bracketed item earns its place. "[Company Legal Name]" satisfies the one-to-one naming requirement. "Automatic telephone dialing system or prerecorded messages" tracks the statutory language in 47 U.S.C. § 227. [1] "Consent is not a condition of purchase" handles the anti-coercion rule from the FCC's 2012 order. [3] The STOP opt-out is required by FCC rules for text messages. [7]

A few design rules courts have used to judge whether consent was actually "clear and conspicuous":

  • Font size should be at least 12-point, or the same size as surrounding text. Not smaller.
  • The consent language should sit directly next to the submit button or phone field, not on a separate scrolled-past page.
  • Links to full terms do not substitute for the core disclosure. Link to more detail if you want, but the disclosure itself must be visible without a click.
  • In a chat interface, the consent prompt should appear in the chat window as a message the user affirmatively acknowledges, not as a passthrough screen.

If your chatbot grabs email alongside phone, email consent runs under CAN-SPAM, not the TCPA. You can handle both in the same flow, but keep them legally distinct.

Consent is only as good as your ability to prove it in court. TCPA plaintiffs know this. Their first discovery request is almost always the same: show me the consent record for the number you called.

A defensible record for each lead should hold:

  • The exact date and time of the consent event (UTC, or local with timezone noted)
  • The IP address of the device used
  • The URL or chatbot session identifier where consent happened
  • A screenshot or pixel-perfect reconstruction of what the disclosure looked like at that moment
  • The exact consent language version displayed (version your disclosures so you can reconstruct what a user saw six months back)
  • The consumer's phone number as entered
  • A record of the affirmative action taken (checkbox state, button click log)

Store these for at least five years. The TCPA's limitations period is four years under 28 U.S.C. § 1658, and you want buffer past it. [8] Some carriers and platforms auto-delete logs. Confirm your vendor's retention settings and override them if you have to.

The FCC has not mandated a storage format, but courts favor timestamped server-side logs over client-side records that a plaintiff can argue were manipulated. If your chatbot runs on a third-party platform, get a data processing agreement that guarantees log access and retention. If the vendor cannot provide that, treat every consent record as legally shaky.

LeadCompliant's free compliance kit includes a consent record checklist and a log-format template you can adapt for your chatbot stack. It is one way to get a first pass right without hiring a consultant.

Buying leads from an aggregator instead of running your own chatbot? Same standard. Verify the upstream consent record meets every requirement above before you dial. A vendor's word is not a defense.

Does the National Do Not Call Registry apply to chatbot-collected leads?

Yes. The National DNC Registry applies to telemarketing calls no matter how the number was collected. [9] Call a registered number for marketing without a valid exemption and you face up to $53,088 per violation under the FTC's current inflation-adjusted penalty (raised from $51,744 effective January 2025). [9]

The DNC exemption requires either an established business relationship (EBR) or written consent that explicitly addresses DNC numbers. The template phrase in the previous section ("even if your number is on a Do Not Call list") handles this. Drop that phrase and your chatbot consent may cover autodialer liability but not DNC liability.

For cell numbers, listing a number on the federal DNC registry protects it from telemarketing under both the Telemarketing Sales Rule (TSR) and the TCPA. [9] The do not call list rules apply to mobiles the same as landlines for marketing calls.

Some states run their own DNC lists with extra restrictions. Florida is the loud example: its state DNC list under the Florida Telephone Solicitation Act (FTSA) carries its own consent requirements and $500 per-violation penalties. [10] A chatbot capturing consent that clears federal TCPA standards may still fall short in Florida, which since 2021 requires affirmative written consent for any autodialed text, regardless of DNC status.

Safest design: scrub every lead against the federal DNC list and any applicable state lists before the first outreach, even when you hold chatbot-collected consent.

What TCPA risks are unique to AI-powered chatbots compared with static web forms?

A static web form has a fixed consent disclosure your legal team reviews once and your developers deploy. AI chatbots add failure modes that never existed on a plain form.

First, generative chatbots produce variable output. If the bot generates the consent prompt or the text around it, the AI can spit out a version that drops a required element. Hard-code the disclosure. Never let the model write it freeform.

Second, conversation creates consent confusion. A user ten messages deep in a chat may not connect a mid-thread consent prompt with the outbound calls landing three days later. Courts weigh the totality of the interaction. Bury the prompt in a long thread and a plaintiff's attorney will argue the user never meaningfully saw it.

Third, chatbots often grab a phone number early for "verification" or a callback, before any disclosure shows up. Collecting the number first does not retroactively validate the consent. Sequence matters: disclosure first, number second, or disclosure and number together with an affirmative acknowledgment before the user can proceed.

Fourth, a chatbot can reach across jurisdictions without the operator noticing. An English-language bot on a site with no geo-restriction could be talking to California consumers (CCPA and CPUC rules), Florida consumers (FTSA), or Texas consumers (Texas Business and Commerce Code Chapter 305), each layering rules on top of the federal TCPA. [10]

Fifth, voice-based AI chatbots that call out to users trigger the prerecorded-call rules in 47 U.S.C. § 227(b)(1)(A) even when the "AI" on the line sounds human. The FCC's 2024 declaratory ruling on AI voice calls confirmed it. [2] Outbound AI voice needs the same prior express written consent as a traditional robocall.

How do real TCPA lawsuits involving chatbot or web-form consent play out?

Courts have not built a large body of chatbot-specific TCPA cases yet. But the web-form consent cases already decided give a clear preview of what judges examine.

In Brickman v. Facebook (N.D. Cal. 2021), the court let a TCPA claim proceed where the plaintiff argued Facebook's consent language for SMS notifications was too unclear. The case settled, but the court's threshold analysis turned on whether a reasonable consumer would understand they were consenting to the specific messages they received. [11]

In Lucoff v. Navient Solutions (11th Cir. 2020), the court found that a consumer who had given written consent and later tried to revoke it by clicking a website checkbox had not actually revoked it, because the revocation mechanism was not clearly communicated. [12] Consent mechanics get close scrutiny, and that cuts both ways: opt-out mechanics do too.

The cash app tcpa class action settlement shows how automated-message liability scales, a settlement in the tens of millions over texts sent without adequate consent. text message marketing cases follow the same pattern.

The pattern across all of them: courts examine what the consent language actually said, where it appeared relative to the submit action, whether the consumer had a realistic chance to notice it, and what records exist to prove it. Operators who hard-code compliant language, position it right, and keep timestamped logs win or settle early and cheap. Operators who cannot produce a consent record settle high or lose at summary judgment.

For a sense of penalty exposure, the credit one tcpa settlement shows how fast per-call statutory damages compound when consent records are weak.

What is the minimum viable TCPA compliance setup for a small team using a chatbot?

"Minimum viable" depends on your call volume and the ATDS (automatic telephone dialing system) question. Here is the floor for any team doing outbound calls or texts from chatbot-collected leads.

Step one: audit your consent language against the four-part test (clear disclosure, ATDS language, non-coercive, named seller). If you cannot even locate the exact text your chatbot shows right now, that is already the problem.

Step two: confirm the consent prompt appears before or at the same time as phone number submission, with an affirmative action required (checkbox, button click) before the user can advance.

Step three: verify your platform logs the IP, timestamp, and disclosure version for every consent event, and that those logs are accessible and retained for five years.

Step four: put DNC scrubbing in front of every dial. The federal registry runs through the FTC's platform for a subscription fee that scales by area code. For a team calling fewer than five area codes, the annual cost is small. [9] See how do i get the do not call list for the access process.

Step five: document a revocation process. Under FCC rules and recent decisions, consumers can revoke consent at any time through any reasonable means. [7] Your chatbot and CRM have to honor STOP replies, verbal opt-outs during calls, and email opt-out requests, and suppress those numbers immediately.

Step six: if you use a lead aggregator or buy third-party chatbot leads, get a written representation that the consent meets TCPA standards and names the specific seller (you) in the disclosure. Without that, you are dialing on someone else's records.

This is not legal advice. Every team differs by volume, channels, states targeted, and the ATDS question for its dialing tech. A TCPA-focused attorney is worth an hour before you launch any real outbound program.

Revocation is where teams get sued after nailing the initial consent. The FCC's 2024 TCPA order confirmed consumers can revoke consent "at any time through any reasonable means." [7] That standard is deliberately broad. It covers replying STOP to a text, telling a live agent to quit calling, emailing a request, or clicking an unsubscribe link.

For chatbot-collected leads, build these before you start calling:

  • Any STOP reply to an SMS should immediately suppress the number in your CRM and dialer. Most SMS platforms do this automatically. Verify yours does. The suppression has to apply to all future contact from your brand, more than that one message thread.
  • If a consumer revokes during a chatbot interaction ("don't contact me," "remove me from your list"), log it with a timestamp and suppress the number. Easy to miss, because chatbot logs often are not wired to the dialer's suppression list.
  • Oral revocations during calls have to be honored. Train every agent handling chatbot-generated leads that a verbal opt-out ends all future contact, and that they enter it in the system before the call ends.
  • For cold calling teams, the TCPA's company-specific DNC rule means you maintain an internal suppression list and honor opt-outs for five years. [9]

Ignoring a revocation is expensive. Each contact after a documented opt-out is a separate willful violation at $1,500. Call someone five times after they texted STOP and that is $7,500 in statutory damages from a single consumer.

Several states passed laws stricter than the federal TCPA for autodialed or text outreach. The federal TCPA is a floor, not a ceiling.

Florida's Telephone Solicitation Act (FTSA), amended in 2021, requires written consent for any autodialed text to a Florida number, and the consent must explicitly authorize text messages, more than "calls." [10] Florida added a private right of action with $500 per-violation damages, which made it one of the most litigated state TCPA analogs in the country.

California's Consumer Privacy Act (CCPA) touches lead collection in ways that shape chatbot design. The CCPA gives consumers the right to opt out of the sale of their personal information, and phone numbers sold to downstream callers count. [13] If your chatbot sells leads, California consumers who opt out of data sales cannot have their numbers passed to buyers.

Washington, Oklahoma, and Indiana run state telemarketing laws with registration requirements for sellers and their agents. If your chatbot captures leads in those states, check whether your company has to register before dialing.

The table below summarizes state variations relevant to chatbot lead consent:

StateStricter than TCPA?Key extra requirementDamages
FloridaYesWritten consent for autodialed texts, private right of action$500/violation
CaliforniaPartialCCPA opt-out of data sales affects lead resaleVaries
TexasYesState registration and DNC rules layered on federal$5,000+/violation
WashingtonYesState telemarketer registration required$1,000/violation
IndianaNoRegistration requiredFederal floor

This is not exhaustive. If your chatbot reaches consumers across states without geo-filtering, review the laws of each state where you have real lead volume. The mobile phone do not call list rules also vary by state for certain call types.

What should you audit on your chatbot today to reduce TCPA exposure?

Run this audit quarterly, or any time you change your chatbot platform, disclosure language, or downstream callers.

Consent language check: pull the live disclosure from your chatbot. Compare it word for word against the four required elements (ATDS language, named seller, non-coercive, clear position). If any element is missing, pause outreach from that chatbot until it is fixed.

UI position check: open the chatbot on a phone, where most users interact with it. Can you see the disclosure without scrolling? Is it directly next to the submit action? On a 375px-wide screen, fine print below the fold is invisible.

Log access check: request a sample consent record from your vendor for one specific session. Can they produce IP, timestamp, disclosure version, and button-click confirmation? If pulling that record takes more than an hour, your litigation readiness is poor.

DNC scrub check: take five recent chatbot leads and run their numbers against the federal DNC registry by hand. Did your pre-dial scrub catch any of them? How recently did the scrub run? The FTC requires scrubbing no more than 31 days before a call. [9]

Opt-out chain check: send a STOP text to your own test number from your SMS system. Confirm it suppresses across your CRM, dialer, and any lead-buyer feeds within minutes, not hours.

Aggregator consent check: if you buy chatbot leads, request the disclosure screenshot and log record for three specific leads. If the aggregator cannot produce them, or the disclosure does not name you as the seller, stop calling those leads.

Want a structured way to do all this? The free tools at LeadCompliant include a TCPA consent record checker that flags gaps against current requirements.

Frequently asked questions

Yes, but it is harder to defend. A checkbox creates a clean affirmative record. A button click ("I agree and submit") can also work if the consent language sits directly visible above the button. Courts look for an affirmative action tied to an unambiguous disclosure. A passive scroll-past or a pre-checked box does not qualify. Hard-code a required checkbox for the cleanest record.

Only if the disclosure mentions both. If your disclosure says "autodialed calls" but not "text messages," you have consent to call but not to text. Write it to cover every channel you plan to use: calls, texts, or both. Add a new channel later and you update the disclosure and treat leads collected before the update as unconsented for that new channel.

The TCPA sets no expiration date for consent. In practice, courts and the FTC look at whether the consent is still reasonably current given the context. An established business relationship can support ongoing contact. If a lead has had zero interaction with your company for two or more years, re-confirm consent before resuming outreach. State laws may impose shorter windows.

Manual calls to cell phones without an ATDS do not require prior express written consent under the federal TCPA, only prior express consent, which can be verbal or implied. You still must honor DNC registrations and your internal suppression list. State laws like Florida's FTSA may require written consent regardless of dialing method for certain call types.

You are still liable. TCPA responsibility sits with the party making the call, or the party on whose behalf the call is made, not the software vendor. Put a change-notification requirement in your vendor contract and audit the live disclosure quarterly. Treat any unauthorized language change as a stop-work event for outbound until it is fixed and the affected lead set is reviewed.

No, under the FCC's one-to-one consent rule effective January 27, 2025. Each buyer must be named in the disclosure, and consent must be obtained one seller at a time. The old model of one blanket consent covering a network of buyers is unlawful for TCPA purposes. Each downstream caller either needs its own named consent or must be listed individually in the disclosure.

What is the statute of limitations for TCPA claims from chatbot leads?

Four years from the date of the violation under the general federal statute of limitations at 28 U.S.C. § 1658. A call made on a chatbot-collected lead today could be sued over until 2029. Retain consent records, call logs, and suppression list snapshots for at least five years to keep buffer past the limitations period.

No. Generic marketing language does not meet the TCPA's prior express written consent standard, which requires explicit reference to an automatic telephone dialing system or prerecorded voice. Courts have repeatedly rejected vague opt-in language as insufficient. The disclosure must identify the technology used to contact the consumer.

If a consumer provides a phone number voluntarily in a chatbot, is that implied consent?

Providing a number alone does not constitute prior express written consent for autodialed marketing calls or texts. The FCC requires an affirmative agreement, more than the act of typing a number. Implied consent from number-sharing applies in narrow contexts like transactional messages. For marketing outreach you need the full written consent with disclosure.

The consent must still name the actual seller who will make the calls, not the publisher. The FCC's one-to-one rule and the named-seller requirement apply regardless of which site hosts the chatbot. If your brand name does not appear in the disclosure, you do not have valid TCPA consent for your outbound calls, even if the publisher collected a signed agreement.

What records do I need to defend a TCPA lawsuit over a chatbot lead?

You need the exact disclosure text the user saw, the timestamp and IP address of the consent event, the affirmative action log (checkbox or button click), the phone number as entered, the disclosure version active at that moment, and your pre-dial DNC scrub result for that number. Courts favor server-side logs that cannot be altered after the fact. Client-side-only records are harder to defend.

The TCPA applies to calls to mobile phones regardless of whether the contact is business or consumer. If a B2B prospect gives you a personal cell and you autodial it for marketing, you need prior express written consent. Calls to business landlines for B2B carry a lower consent standard, but most B2B prospects are reachable only on cell, so treat B2B mobile numbers the same as consumer numbers.

You can use aggregator consent, but you carry the risk if it is defective. Since January 2025, the aggregator's consent must name you specifically as the seller. Request the consent record and disclosure screenshot for any purchased lead before dialing. If the aggregator refuses to provide records, or the disclosure does not name you, do not call. The FCC has made clear downstream callers cannot hide behind upstream consent failures.

What is the safest way to structure a chatbot flow to capture TCPA consent?

Show the full disclosure (ATDS language, your company's legal name, non-coercion statement, opt-out instruction) in a fixed, visible block directly above the phone field and submit button. Require an unchecked checkbox the user actively checks. Log the checkbox state, IP, timestamp, and disclosure version server-side. Block submission until the box is checked. Done consistently, this sequence is the most defensible design in current litigation.

Sources

  1. Cornell Law School LII, 47 U.S.C. § 227 (TCPA): TCPA prohibits autodialed or prerecorded calls to cell phones without prior express consent; damages are $500 per violation and $1,500 for willful violations
  2. Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001 (E-SIGN Act): Electronic signatures, including checkbox clicks and typed agreements, are legally valid for consent purposes
  3. U.S. Court of Appeals, Eleventh Circuit, Insurance Marketing Coalition v. FCC, January 2025: Eleventh Circuit vacated the FCC's logically and topically related requirement from the one-to-one consent rule but left the core one-to-one requirement intact
  4. Cornell Law School LII, 28 U.S.C. § 1658 (federal statute of limitations): General federal statute of limitations is four years, which applies to TCPA claims
  5. Federal Trade Commission, National Do Not Call Registry and Telemarketing Sales Rule: National DNC Registry applies to telemarketing regardless of how a number was collected; scrubbing required within 31 days; per-violation penalties adjusted for inflation
  6. Florida Legislature, Florida Telephone Solicitation Act, § 501.059 F.S.: Florida FTSA amended 2021 requires written consent for autodialed texts to Florida numbers and creates a private right of action for $500 per violation
  7. Brickman v. Facebook, Inc., N.D. Cal., Case No. 3:16-cv-00751 (2021): Court allowed TCPA claim to proceed where consent language for SMS notifications was found insufficiently clear by plaintiff's pleading standard
  8. Lucoff v. Navient Solutions, LLC, 11th Cir. 2020, No. 19-11463: Eleventh Circuit found consumer had not effectively revoked TCPA consent because the revocation mechanism and its effect were not clearly communicated
  9. California Attorney General, California Consumer Privacy Act (CCPA) Overview: CCPA gives California consumers the right to opt out of the sale of their personal information, including phone numbers sold to downstream callers for lead generation

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit