Last updated 2026-07-11

TL;DR
Under 47 U.S.C. § 227, the burden of proving prior express written consent falls on the caller, not the plaintiff. If you can't produce a complete, tamper-evident consent record, including who collected it, when, from what source, and how it was stored, courts treat that as no consent. This guide shows you how to build that chain of custody before litigation finds you.
Why does chain of custody matter so much in a TCPA case?
The TCPA does not ask plaintiffs to prove you lacked consent. It asks you to prove you had it. [1] That one asymmetry turns consent recordkeeping into a litigation problem, not a compliance checkbox.
When a plaintiff files suit, their first move in discovery is a request for all records supporting your claimed consent. If you hand over a spreadsheet with a name, a phone number, and a checkbox value of "1", opposing counsel will ask: who collected this? From what form? On what URL? At what timestamp? Was the timestamp server-side or client-side? Was the lead resold before you called it? If you can't answer those questions with contemporaneous documentation, the court has no basis to find consent.
In Berman v. Freedom Financial Network (9th Cir. 2021), the court found that checkbox-style consent disclosures buried in fine print did not satisfy the TCPA's prior express written consent standard because the required clear and conspicuous disclosure was absent. [2] The company had records. They just couldn't prove those records reflected a disclosure that met the legal standard. That's the failure mode most teams miss. It isn't always about missing records. Sometimes it's about records that can't be tied back to a specific, qualifying consent moment.
For text message marketing and outbound calls to cell phones, the FCC defines prior express written consent as an agreement that clearly authorizes the seller to deliver calls or texts using an automatic telephone dialing system (ATDS), to a specific number, and that includes the disclosure that consent is not a condition of purchase. [3] Every word of that definition is something you have to prove, more than assert.
What exactly does a complete consent record need to contain?
Think of consent like a chain with five links. Break any one link and the whole thing fails in court.
The five links are capture, disclosure, identity, transmission, and storage.
Capture means a record of the exact moment and mechanism of consent. This is your server-side timestamp, the IP address of the submitting device, the form version or session ID, and ideally a screenshot or archived copy of the web form as it appeared to the user at that moment. Client-side timestamps are almost worthless in litigation because they can be spoofed or manipulated on the user's device.
Disclosure means you can show what the user actually saw before agreeing. This requires version-controlled archives of every consent form, landing page, and call script that ever collected consent. If your form said "by submitting you agree to be contacted" but omitted that consent is not a condition of purchase, you do not have TCPA-compliant written consent, and no amount of recordkeeping fixes that. [3]
Identity means tying the consent event to the specific phone number you later contacted. This sounds obvious but frequently breaks down when numbers are ported, when users submit one number and a lead vendor appends a "better" number, or when a lead aggregator matches records by name rather than by phone number.
Transmission is the record of how the consented lead moved from the point of collection to your dialer. Every handoff, every file transfer, every API call is a potential break in the chain. If you bought leads from a vendor, you need their documentation of who collected the consent, more than their contractual promise that consent exists.
Storage means the data is held in a system that logs access, prevents unauthorized modification, and retains records for at least four years to cover the TCPA's four-year statute of limitations under 28 U.S.C. § 1658. [4] Some practitioners argue for five years to account for discovery timelines after a suit is filed.
| Chain Link | What to Document | Common Failure Mode |
|---|---|---|
| Capture | Server-side timestamp, IP, form ID | Client-side timestamp only |
| Disclosure | Archived form showing full TCPA language | Form updated after consent collected |
| Identity | Phone number tied directly to submission | Number appended by lead vendor |
| Transmission | API logs, file transfer records, vendor contracts | No paper trail from vendor to dialer |
| Storage | Immutable logs, access controls, 4-year retention | Deletions, overwrites, no audit trail |
How long do you actually need to keep consent records under the TCPA?
The TCPA statute itself does not specify a retention period. [1] The FCC has not issued a binding retention rule either. So the answer comes from the statute of limitations.
The general federal statute of limitations for private TCPA claims is four years, under 28 U.S.C. § 1658. [4] That clock runs from the date of the call or text, not from the date of consent. So if you send a text today and a plaintiff files suit three years and 11 months from now, you need consent records that were created years before that suit was filed.
In practice, keep records for at least five years from the date of last contact with any given number, not five years from consent capture. If you run a multi-year nurture campaign, your retention window stretches with it.
Some state TCPA analogs run longer. Florida's Telephone Solicitation Act, for example, allows civil claims under a framework with its own limitations rules. If you operate in multiple states, set your retention schedule by the longest applicable window, not the shortest. [5]
One thing everyone agrees on: deleting consent records after a lawsuit is filed or threatened is spoliation. Courts have sanctioned defendants hard for it, including adverse inference instructions that tell juries to assume the deleted records would have proven the plaintiff's case. Don't delete anything once a demand letter lands.
What should you do when you buy leads from a third party?
Buying leads is where most TCPA chain-of-custody problems start. You didn't collect the consent. You have no idea what form the consumer actually saw. You have a vendor's assurance, which is contractually useful but evidentially thin.
The FCC's January 2024 one-to-one consent rule, which requires consumers to individually and expressly consent to each seller rather than to a broad category of sellers through a list embedded in a form, makes third-party lead consent even harder to rely on. [6] Under that rule, a lead gen form that lists 50 partner companies no longer qualifies for any of them. Each seller needs individualized consent on its own.
If you still buy leads, your minimum documentation package from every vendor should include the exact form URL and a dated screenshot, the full text of the consent disclosure as it appeared to the consumer, the server-side timestamp and IP for each lead, a description of what suppression scrubbing the vendor performed, and a contractual indemnification clause that actually specifies which party bears the cost of TCPA claims arising from defective consent.
That last point matters more than people think. In Wakefield v. ViSalus (9th Cir. 2023), the court addressed a $925 million verdict tied to a calling campaign with inadequate consent documentation, and the appeals process turned on whether that aggregate award was constitutionally disproportionate. [7] When you're looking at $500 to $1,500 per violation, a calling list of 100,000 records with bad consent is an existential number. See how settlements actually land in cases like the cash app tcpa class action settlement and the credit one tcpa settlement.
Get vendor consent documentation in writing before you make a single call. Not after. Before.
How do courts evaluate whether your consent records are authentic?
Courts look for two things: contemporaneity and integrity.
Contemporaneity means the record was created at the time of the consent event, not reconstructed afterward. Metadata matters here. If your server logs show a consent record was created at 2:00 PM but the associated lead file was uploaded to your CRM at 8:00 AM the same day, that's a red flag a competent opposing expert will find.
Integrity means the record hasn't been altered since creation. The gold standard is a write-once storage system, a database or object store where records can be appended but not modified or deleted, with a hash or cryptographic signature on each record. This isn't exotic technology. Amazon S3 Object Lock, Azure Immutable Blob Storage, and similar tools are widely available and cost a small fraction of what a single TCPA defense costs.
In discovery, expect requests for your database schema, access logs showing who queried or modified consent records, any backup or archival policies, and depositions of whoever administers your consent storage system. If your "system" is a CSV file on a shared drive, that's not going to hold up.
Experts hired by plaintiffs' firms are good at this. They hunt for timestamp anomalies, gaps in record sequences, and inconsistencies between what your dialer logs show and what your consent database shows. If those two systems aren't synchronized, you have a credibility problem even if your underlying consent was genuine.
What's the right internal process for documenting consent at the moment of capture?
The consent event itself should trigger an automated, server-side write to your consent record store. That write should capture at minimum the phone number in E.164 format, the timestamp in UTC, the IP address of the submitting device, a unique identifier for the form or consent flow version, the full text of the consent disclosure (or a versioned hash pointing to an archived copy), and the channel (web form, inbound call, SMS keyword, and so on).
For inbound call consent, your call recording or script-adherence log is the contemporaneous record. If you collect consent verbally, that recording needs to be retained under the same five-year window and indexed by the phone number that called.
For cold calling and cold call workflows where you're calling on the basis of a business relationship or established relationship exception rather than written consent, document that basis explicitly. Don't rely on institutional memory. Write it down: what relationship, what date it was established, what the applicable exception is.
Suppression is part of the process too. Before any outbound campaign, run your list against the National Do Not Call Registry and your internal DNC list. Log that scrub with a timestamp and the registry access date. The FCC's safe harbor requires that callers access the registry within 31 days before calling. [8] Keep the evidence that you did. The do not call list and mobile phone do not call list pages have more on what that scrub needs to cover.
At LeadCompliant, the free TCPA consent checklist tool is built around exactly this workflow. It prompts you for each data point and generates a timestamped record you can export. That's not a substitute for legal advice, but it gives smaller teams a starting structure before they build something bespoke.
What happens during TCPA discovery and how should you prepare?
TCPA class actions move fast on discovery. Plaintiffs' attorneys file early motions for class certification, and the consent records question sits at the center of that fight. If you can show individualized consent for each putative class member, certification gets much harder for plaintiffs because individual questions predominate over common ones. If you can't show consent records at scale, you're staring at a class that may number in the thousands or tens of thousands.
Expect these document requests in any TCPA suit: all consent records for the named plaintiff and any putative class members, all contracts with lead generators or data vendors, all dialer configuration records and call logs, all training materials for agents who collect or verify consent, all suppression list documentation, and all prior complaints or DNC requests from consumers.
Write a litigation hold policy now, before you get sued. That policy should define who gets notified, what systems get frozen from any data deletion or modification, and what the escalation path is. It should go into effect the moment you receive a demand letter, a complaint, or a letter threatening litigation. Courts have held that the duty to preserve evidence can arise before a lawsuit is filed, when litigation is reasonably anticipated. [9]
You also want someone in your organization who can testify as a 30(b)(6) witness on your data practices. That person needs to actually know how your systems work. Designating a witness who testifies "I think the data is accurate" without being able to explain how the timestamp is generated or how the form version is stored is a liability.
How does revocation of consent affect your records obligation?
The Supreme Court's 2021 decision in Facebook v. Duguid narrowed the definition of an ATDS, which reshaped some TCPA exposure calculations. [10] But the FCC's 2024 order on consent revocation cut the other way. It confirmed that consumers may revoke prior express consent at any time and through any reasonable means, and that callers must honor that revocation within a reasonable time that the FCC said should not exceed 10 business days. [6]
That means your revocation events are part of your chain of custody obligation. When a consumer opts out, you need a record of the date and time of the opt-out request, the channel it came through (text STOP reply, verbal request, email, web form), the phone number affected, which lists or campaigns the number was suppressed from, and the date suppression was actually applied.
If you delay suppression and call or text someone after they've revoked, that's a new violation. Your chain of custody has to cover the revocation leg, more than the consent leg.
The do not call telemarketer list process and your internal DNC list work together here. Any opt-out request should flow into both your campaign suppression and your internal DNC record at the same time, with a timestamp.
What technology systems actually support a defensible consent chain of custody?
You don't need enterprise software to do this right, but you do need a few properties that many off-the-shelf CRMs don't provide by default.
Immutable logging. Your consent store should append records, never overwrite. Database triggers that log every write event to a separate audit table are a minimum. Write-once object storage is better.
Form version control. Every change to a consent form should be saved as a new version with a deploy timestamp, not written over the old form. Tools like GitHub, Netlify, or even manual date-stamped backups work. The point is that you can reconstruct exactly what a consumer saw on any given date.
API-level audit trails. If you use a third-party consent management platform, it should expose an API endpoint that logs every write and every read, with authentication records. That log is your evidence.
Dialer-to-consent record matching. Your dialer should reference the consent record store before each call or text, not a flat file loaded at campaign start. If a consent record is revoked between when you built your list and when you make the call, a live lookup catches that.
For text message marketing, your SMS platform's opt-out processing should write a revocation event to the same consent store, not to a separate suppression table that isn't linked to the consent record.
None of this requires a six-figure compliance platform. A well-structured Postgres database with row-level audit logging, a version-controlled form repository, and a documented process for vendor record intake covers the basics for most small teams.
What are the biggest mistakes teams make with consent records before litigation?
The most common mistake is conflating CRM contact creation with consent documentation. Your CRM record shows that a lead exists. It does not, by itself, show that valid TCPA consent was given. Those are two different things, and courts treat them differently.
The second biggest mistake is trusting vendor representations without documentation. "Our leads are TCPA compliant" in a contract does not give you a defense. It gives you a breach of contract claim against the vendor after you've already lost or settled the TCPA suit. That's cold comfort.
Third: not archiving consent forms. Teams update landing pages constantly. If you can't show what the form looked like on the date a specific consumer submitted it, you can't prove the disclosure was adequate. Consent defenses have collapsed in litigation because a landing page was redesigned and the old version wasn't archived anywhere.
Fourth: inadequate suppression documentation. The FCC's safe harbor for DNC violations requires that callers have accessed the registry within 31 days before calling and maintained internal procedures for honoring DNC requests. [8] If you have no log of your scrub dates, you can't claim the safe harbor. The rule at 47 C.F.R. § 64.1200(c)(3) protects a caller who can show it "has accessed the national do-not-call database no more than 31 days prior to the date any call is made." [8]
Fifth: no litigation hold policy. When a suit lands and you scramble to pull records, that scramble itself can delete or corrupt evidence. A written litigation hold policy means the moment a demand letter arrives, everyone knows exactly what to freeze and who to notify.
What should a TCPA litigation prep checklist include for consent records?
Here's the working checklist. This is not legal advice, and you should have a TCPA attorney review your specific setup.
Pre-litigation (do these now):
- Audit every source of leads in your current campaigns and obtain full consent documentation packets from each vendor
- Archive your current consent forms with date-stamped screenshots and version identifiers
- Verify your database stores consent records with server-side timestamps, IP addresses, and form version IDs
- Confirm your storage system is immutable or has append-only audit logging
- Set a five-year retention schedule from the date of last contact for each number
- Document your DNC scrub process, including the dates you accessed the registry
- Create a written revocation/opt-out process that specifies how revocations are logged and how quickly suppression is applied
- Write a litigation hold policy and make sure your IT team knows how to execute it
When a demand letter or suit arrives:
- Issue a litigation hold immediately: freeze all deletion policies on consent records, call logs, dialer records, and vendor files
- Identify and preserve all records relating to the named plaintiff(s)
- Document your litigation hold issuance with a timestamp and distribution list
- Do not update, delete, or "clean up" any data without explicit legal clearance
- Identify your 30(b)(6) witness and brief them on your systems
The LeadCompliant compliance kit includes a pre-built consent record checklist and a vendor documentation request template you can use when onboarding new lead sources. That gives small teams a concrete starting point rather than building from scratch.
The underlying tcpa framework and the statutes that govern it are not going away, and class action volume has stayed high. Getting your records right now costs a fraction of what defending or settling a case costs later.
Frequently asked questions
Who has the burden of proof on consent in a TCPA case?
The caller bears the burden of proving prior express written consent, not the plaintiff. Under 47 U.S.C. § 227, making a call or sending a text to a cell phone using an ATDS without consent is the violation. The defendant must affirmatively show valid consent existed. If your records are incomplete, ambiguous, or missing, you effectively have no defense even if consent was genuinely given.
How long should I keep TCPA consent records?
The TCPA's private right of action carries a four-year federal statute of limitations under 28 U.S.C. § 1658. Because that clock runs from the date of each call or text, not the date of consent, you should retain records for at least five years from the date of last contact with any given number. Some state analogs have longer windows, so check the states where you operate.
Does buying leads from a vendor satisfy my TCPA consent obligation?
No, not automatically. The FCC's 2024 one-to-one consent rule requires that the consumer individually consent to your specific company, not to a broad list of partners. A vendor's contractual representation of compliance is not a defense in litigation. You need the vendor's underlying documentation: the form text, the timestamp, the IP, and evidence of what disclosure the consumer actually saw.
What is prior express written consent under the TCPA?
The FCC defines it as a signed written agreement that clearly authorizes the seller to deliver calls or texts using an ATDS or prerecorded voice to a specific telephone number, and that includes a clear disclosure that consenting is not a condition of purchase. The agreement must be signed, which includes electronic signatures under the E-SIGN Act. A bare checkbox without the required disclosures does not meet this standard.
What happens if I can't produce consent records in discovery?
Courts can draw adverse inferences, meaning the jury is told to assume the missing records would have been harmful to you. Judges can also impose sanctions including fee awards. At the class certification stage, inability to produce individualized consent records for each class member makes it much harder to defeat commonality arguments, which can result in certification of a very large class.
Can a consumer revoke TCPA consent, and do I have to document that?
Yes to both. The FCC's 2024 order confirmed consumers can revoke consent at any time through any reasonable means, and callers must honor revocation within 10 business days. You need a dated record of every revocation event: when it was received, through what channel, which number was affected, and when suppression was applied. Any contact after an unprocessed revocation is a separate violation.
What is a litigation hold and when should I issue one for a TCPA case?
A litigation hold is a formal directive to stop any routine deletion or modification of potentially relevant records. Courts have held that the duty to preserve evidence arises when litigation is reasonably anticipated, which includes receipt of a demand letter, even before a complaint is filed. Issue a hold immediately upon receiving any written communication threatening a TCPA claim, and document when you issued it and who received it.
What should I ask a lead vendor to provide before I start calling their leads?
At minimum: a dated screenshot or archived copy of the consent form the consumer saw, the full disclosure text as it appeared, server-side timestamps and IP addresses for each lead record, documentation of what DNC scrubbing the vendor performed, and a written representation specifying which entity bears liability for TCPA claims arising from defective consent. Get this before your first call, not after a complaint arrives.
Does the TCPA apply to text messages the same way it applies to calls?
Yes. The FCC confirmed in 2003 and in later orders that text messages to wireless numbers are covered by the same prior express written consent requirements as calls using an ATDS. The required disclosures and recordkeeping standards are identical. Revocation through SMS STOP replies is explicitly recognized, and those revocation events need to be documented in your consent record system.
What technology is needed to maintain a legally defensible consent record?
You need immutable or append-only storage so records can't be altered after creation, server-side timestamps for all consent events, version-controlled archives of every consent form you've ever used, and audit logs showing who accessed or queried the consent data. A well-configured relational database with row-level audit logging and a versioned form archive covers most small teams. You don't need enterprise-grade software, but you do need a documented, repeatable process.
How does the FCC's 2024 one-to-one consent rule change lead generation?
The FCC's January 2024 order requires that consumers give express written consent to each seller individually, on a one-to-one basis. A single consent form that lists dozens of partner companies, or embeds a partner list accessible via hyperlink, no longer satisfies the standard for any of those companies. Each company must be individually named and individually consented to. This effectively breaks the multi-seller lead generation model that was common before 2024.
What is the TCPA safe harbor for do-not-call violations and how do I document it?
Under 47 C.F.R. § 64.1200(c)(3), callers can claim a safe harbor if they have written DNC procedures, train personnel on those procedures, maintain an internal DNC list, and access the national registry within 31 days before calling. You document it by logging each registry access with a date, retaining suppression records, and keeping your training materials. Without that paper trail, the safe harbor is unavailable.
What's the difference between internal DNC records and the national registry for chain-of-custody purposes?
Both need documentation, but they serve different jobs. The national registry access log proves you complied with federal DNC scrubbing requirements within the 31-day window. Your internal DNC list documents consumer opt-out requests that may not be on the national registry yet, including people who said don't call me during a call or sent a STOP text. Both logs need timestamps and should be retained under the same five-year schedule as consent records.
Sources
- Cornell LII, 47 U.S.C. § 227 (TCPA statute text): The TCPA prohibits calls/texts to wireless numbers using an ATDS without prior express consent; the caller bears the burden of proving consent.
- U.S. Courts, Court of Appeals for the Ninth Circuit (Berman v. Freedom Financial Network, No. 19-17282, 2021): Checkbox-style consent disclosures that lack clear and conspicuous TCPA language do not satisfy prior express written consent requirements.
- Cornell LII, 28 U.S.C. § 1658 (federal catch-all statute of limitations): The general federal statute of limitations for private TCPA claims is four years from the date of the violation.
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's Telephone Solicitation Act creates state-level telemarketing restrictions that interact with TCPA compliance obligations for Florida contacts.
- U.S. Courts, Court of Appeals for the Ninth Circuit (Wakefield v. ViSalus, Inc., No. 20-35827, 2023): The Ninth Circuit addressed a $925 million TCPA verdict tied to a calling campaign with inadequate consent documentation, with the appeal focused on constitutional proportionality of the aggregate award.
- eCFR, 47 C.F.R. § 64.1200 (TCPA implementing rules including DNC safe harbor): 47 C.F.R. § 64.1200(c)(3) requires callers to have accessed the national do-not-call database within the preceding 31 days to qualify for the safe harbor defense.
- U.S. Courts, Federal Rules of Civil Procedure, Rule 37(e) (failure to preserve electronically stored information): Courts may impose sanctions including adverse inference instructions when a party fails to preserve electronically stored information, including consent records, after litigation is reasonably anticipated.
- U.S. Supreme Court (Facebook, Inc. v. Duguid, 592 U.S. 395, 2021): The Supreme Court narrowed the ATDS definition in 2021, holding that a system must use a random or sequential number generator to qualify, reducing some TCPA exposure.
- FTC, National Do Not Call Registry information for businesses: The national DNC registry must be accessed and scrubbed against before outbound telemarketing calls; documentation of scrub dates is required for safe harbor eligibility.