Compliance risks in digital lead generation: what you need to know

Digital lead generation carries TCPA, FTC, and state-law risks that can cost $500, $1,500 per call or text. Here's how to spot and fix the biggest ones.

LeadCompliant Team
27 min read
In This Article

Last updated 2026-07-10

Person reviewing phone records at a desk, assessing digital lead generation compliance
Person reviewing phone records at a desk, assessing digital lead generation compliance

TL;DR

Digital lead gen compliance failures mostly come down to bad consent, recycled phone numbers, and lead vendors who cut corners. TCPA fines run $500 to $1,500 per call or text. The FTC's Telemarketing Sales Rule and the FCC's one-to-one consent rule (set for January 2025, then stayed) have raised the bar. Getting consent language right before you dial or text is the only fix that holds up.

What are the biggest compliance risks in digital lead generation?

The biggest risk in digital lead gen is one call or text to someone who never told your specific company it could contact them. That single mistake sits under four overlapping frameworks: the Telephone Consumer Protection Act (47 U.S.C. § 227), the FTC's Telemarketing Sales Rule (16 C.F.R. Part 310), the CAN-SPAM Act for email, and a growing pile of state laws including Florida's Mini-TCPA, Oklahoma's telemarketing act, and Washington's Commercial Electronic Mail Act.[1][2] Each one has a different trigger, a different damages formula, and a different list of who can be sued. That mix is what makes lead gen so exposed compared to a plain inbound funnel.

Here's how the top risk plays out in real life. You buy a list from a vendor. The vendor says the leads are "TCPA compliant." You start dialing. The consumer's "consent" turns out to be buried in fine print on a site they never read, granting permission to dozens of undisclosed companies at once. Class action firms live off exactly this pattern, and courts have been hostile to it.[3]

Number recycling is a close second. When a carrier reassigns a mobile number, any consent tied to that number dies with the old subscriber. The new person consented to nothing. Call them with an autodialer and you've broken the TCPA on the first attempt.[4] A list you bought three months ago already has reassigned numbers in it. You just don't know which ones.

Third is the buyer/seller liability chain. Courts have held lead buyers responsible for their vendors' consent practices under agency and ratification theories. If you knew or should have known the vendor's consent process was junk, "I just bought the list" is not a defense. That's the whole point of this article.

What does TCPA actually require for digital leads, and what changed in 2024 to 2025?

For marketing calls and texts to a cell phone, the TCPA requires prior express written consent: a signed agreement (electronic counts) that names the seller, names the number, and says an autodialer or prerecorded voice may be used. That standard has been in place since the FCC's 2012 order. The core text at 47 U.S.C. § 227(b)(1)(A) bars any call or text to a cellular number using an autodialer or prerecorded voice without "prior express consent of the called party."[5]

The FCC tried to tighten this in December 2023. Its order (FCC 23-107) would have required "one-to-one consent" starting January 27, 2025, meaning a consent form on a lead gen site would have to name your company specifically instead of a generic list of partners.[6] The Eleventh Circuit stayed the rule in January 2025 after an insurance industry challenge, and the FCC has since signaled it may rewrite the rule. As of mid-2025, one-to-one is not in force.

Don't read the stay as a green light. The direction is one way. Courts and regulators keep moving toward specificity, and the "catch-all partner" consent model was losing in class action litigation long before FCC 23-107 existed.[3] A form that names your company, states the product category, and discloses autodialer use has been best practice since 2012. Build to that standard now and the next rule change won't touch you.

For TCPA SMS compliance, the rule is the same in principle: written consent before marketing texts, clear disclosure, and a working opt-out. A well-built SMS opt-in form does most of the work.

How do FTC Telemarketing Sales Rule violations show up in lead gen?

The TSR applies the moment you use phone calls to sell something, including inbound calls generated by your ads.[2] Lead buyers get caught off guard because they assume the rule only touches pure telemarketing shops. It doesn't. Buy leads and call them, or run call tracking tied to digital ads, and the TSR is live.

The biggest TSR risk is calling numbers on the National DNC Registry without a valid exemption. The rule requires sellers and telemarketers to scrub their lists against the registry every 31 days and never call a registered number unless the consumer gave express written consent or has an established business relationship within the prior 18 months.[2] Civil penalties run high. The FTC can seek penalties in the tens of thousands per violation, with the exact maximum adjusted for inflation and published in the Federal Register each January.[7]

The second TSR trap is a landing page that promises something the sales call can't deliver. If your page names a specific price, approval odds, or a free service, and the downstream call contradicts it, the FTC can treat that gap as deceptive telemarketing. The agency's actions against student loan debt relief operators have followed this shape: a digital front-end making specific promises, and a call center that couldn't back them up.

The TSR also caps call abandonment. Run a predictive dialer and you cannot abandon more than 3% of calls answered by a live person over any 30-day period, and every abandoned call has to play a prerecorded ID message.[2] Miss that and each dropped call is its own problem.

Maximum penalty per violation by legal framework Federal and state exposure for a single non-compliant call or text TCPA statutory (per call/text) $500 TCPA willful violation (per call/… $1,500 TSR civil penalty (per violation) $52k Florida Mini-TCPA (per call) $500 Source: 47 U.S.C. § 227 [1]; 16 C.F.R. Part 310 [2]; Fla. Stat. § 501.059 [9]

What are the financial penalties for getting lead gen compliance wrong?

TCPA damages are $500 per violation, trebled to $1,500 per violation when a court finds the conduct willful or knowing.[1] In a class action, "per violation" means per call or text, per class member. Send 200,000 marketing texts to a list with 10% bad consent and the math points at $10 million to $30 million in statutory damages before anyone pays a lawyer.

The chart below lays out the per-violation ceilings across the frameworks that hit lead gen.

Settlements tell the real story. In Wakefield v. ViSalus (9th Cir. 2021), a district court entered a $925 million judgment against a multilevel marketer for 1.85 million TCPA-violating robocalls.[8] The Ninth Circuit sent the damages figure back for constitutional review but left the liability finding standing. A small shop won't hit that number. But 10,000 texts at $500 each is $5 million, and plaintiff's firms take these on contingency, so their cost to file is near zero.

State law stacks on top. Florida's statute (Fla. Stat. § 501.059) gives $500 per call and needs no class certification, so a single consumer can sue alone.[9] Oklahoma's telemarketing act carries a similar private right of action. Washington's CEMA adds email exposure. One annoyed Floridian can file an individual small-claims action for pocket change and walk away with real money.

Then there's your own legal bill. Plaintiff's attorneys get paid from the settlement. You pay your defense counsel the whole way through. A three-year fight over a $50,000 settlement routinely costs the defendant $150,000 or more in fees. The settlement is rarely the expensive part.

How does third-party lead vendor risk actually work?

Buy leads from an aggregator and you inherit its consent process, warts and all. The question a court asks is simple: was the consent the consumer gave on the vendor's site specific enough to cover your company reaching out? Under the pre-2025 standard, a form listing categories of "marketing partners" sometimes passed. Under the case law trend and the stayed one-to-one rule, it almost certainly won't going forward.

The case to know is Van Patten v. Vertical Fitness Group (9th Cir. 2017). The Ninth Circuit held that TCPA consent has to run to the specific entity contacting the consumer, or to a clearly disclosed agent of that entity.[3] Aggregators like to argue they disclosed a list of possible buyers, but courts want that disclosure clear, conspicuous, and actually seen. Small print inside a 3,000-word privacy policy doesn't cut it.

Due diligence has legal weight. Ask for the vendor's consent flow, sample opt-in language, and retention records before you buy, and you can argue you acted reasonably. Buy a cheap list off a one-line "TCPA certified" email and courts have called that willful blindness. The difference is whether you can show your work.

Here's what to ask every lead vendor before you pay:

Due Diligence ItemWhy It Matters
Sample consent language from the opt-in pageConfirms specificity and disclosure
Timestamp and IP address per lead recordProves when consent was given
Name of the website where consent was capturedLets you verify the consent page exists
Whether the site lists your company by nameMatches the post-FCC 23-107 trend
DNC scrub date and processTSR 31-day scrub requirement
Reassigned number scrub processCovers the FCC reassigned-number safe harbor

A vendor who can't answer these has told you everything you need to know.

What is the FCC's reassigned numbers database and why does it matter?

The FCC's Reassigned Numbers Database (RND) is a registry carriers report to when a mobile number is permanently disconnected and later handed to a new subscriber. It went live in 2021. Before you dial, you can check whether a number has been reassigned since the date of consent, which is the one clean way to avoid calling a stranger who never opted in.[4]

The safe harbor here is narrow. Under FCC rules, you get one call after a number is reassigned without liability, and only if you had no actual knowledge of the reassignment. After that first call, every additional call is a violation, even if you still believe the number belongs to the person who consented.[4] The logic is blunt: the first call might be your only way to learn the number changed hands. The second call has no excuse.

For lead gen, this means you scrub against the RND before the first dial, more than when you acquire the list. Numbers reassign every day. A lead bought in January and called in April can already belong to someone new. The FCC charges commercial users based on query volume, so it isn't free, but a query costs a rounding error next to a $500 claim.

The FCC posts its RND guidance at fcc.gov, and most teams reach the database through a compliance vendor that wraps it in an API. Lead generation compliance news tracks RND changes as they land.

How do state privacy and mini-TCPA laws add to federal risk?

Federal law is the floor. States build higher. The state laws touching digital lead gen now include Florida, Oklahoma, Maryland, Washington, and several others with active enforcement, and they generate most of the nuisance suits because individuals can file them cheaply.

Florida's "Mini-TCPA" (SB 1120, effective July 2021, codified at Fla. Stat. § 501.059) gets the most attention because it bites the hardest.[9] It bars calls using an "automated system for the selection or dialing of telephone numbers" without prior express written consent, and it defines that system broadly, skipping the federal "capacity" language from ACA International, so more dialers qualify. Florida also bans calls before 8 a.m. or after 8 p.m. local time. Damages are $500 per call. No class certification needed.

Oklahoma's Commercial Telephone Solicitation Act (59 O.S. § 1202 et seq.) runs a similar structure. Washington's Commercial Electronic Mail Act covers email with teeth: $500 to $1,000 per email.

Privacy law is a separate front. California's CCPA/CPRA, Virginia's VCDPA, and Colorado's CPA all give consumers rights over data, including data pulled through lead gen forms.[10] Capture data on a web form and pass it to a call center, and you need a privacy notice that describes that transfer. California's opt-out of "sale" kicks in whenever data flows to a third party for value, and buying or selling leads can count.

For B2B lead generation platforms with GDPR compliance, the EU framework adds a whole other layer if any EU residents land in your funnel.

The honest read: run nationally and you run under 50 overlapping frameworks. The TCPA and TSR carry the biggest dollar exposure. State laws carry the volume.

A compliant consent form for leads you plan to call or text has to do a few specific things, and they're all named in the FCC's 2012 order (In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, 27 FCC Rcd 1830). That order defined prior express written consent as "a written agreement (including a digital or electronic signature) that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice."[5]

In practice, that means your form includes:

1. A checkbox the consumer actually checks (never pre-checked). 2. Text next to the checkbox naming your company (or the specific companies who will call) by name. 3. A description of the product or service category they'll hear about. 4. Disclosure that contact may use an autodialer or prerecorded voice, to the number provided. 5. Notice that consent is not required to buy anything. 6. A link to your privacy policy.

Item 5 goes missing the most, and it matters. The FCC and courts have held that conditioning a purchase on consent breaks the voluntariness the rule demands. No purchase should ride on that checkbox.

A good SMS opt-in setup mirrors this structure. For text programs, the CTIA's messaging guidelines add a message-frequency disclosure and a STOP opt-out instruction, which are carrier requirements sitting on top of the legal floor, not a replacement for it.[11]

LeadCompliant's free compliance kit has sample consent language you can drop into a landing page, checked against the current FCC standard. Worth a look before you launch anything new.

The sms double opt-in process adds a confirmation step. It isn't legally required, but it builds a stronger record of consent and cuts wrong-number errors out of your list.

How do you actually audit your existing lead gen program for compliance gaps?

Most people asking this have been running campaigns for a while and suspect something's off. They're usually right. Here's the audit sequence I'd run.

Start with consent documentation. Pull the live opt-in page or form for every lead source you use right now. Screenshot it. Does it hit all six items above? Buying third-party leads? Ask the vendor for the same. If they can't produce it inside 48 hours, stop buying from that source until they can.

Next, the DNC scrub. When was your list last scrubbed against the National DNC Registry? The TSR says every 31 days.[2] Do you have a record proving when it ran? Do you also scrub your own internal DNC list of people who told you to stop? Both are required. The internal list has no set interval, but the right answer is "immediately."

Then the dialing system. The autodialer definition has been in motion since Facebook v. Duguid (2021), which narrowed it to systems using a random or sequential number generator to store or produce numbers.[12] If your system dials from an uploaded list without that generation, the federal autodialer definition may not apply to you. But Florida and other states define it more broadly. Duguid did not fix your state-law exposure. Don't act like it did.

Last, call time windows. TCPA and TSR both ban calls before 8 a.m. and after 9 p.m. in the called party's local time. Not yours. Theirs. Sitting in California and calling East Coast leads at 6:30 a.m. Pacific? That's 9:30 a.m. Eastern, and legal. Calling West Coast leads at 7:45 a.m. Pacific? That's a violation, even with your office open.

For teams running text message marketing next to calls, run the same audit: consent records, opt-out processing time (near-instant), and message content that matches the landing page.

What are the riskiest lead gen practices that teams keep using anyway?

Ranked roughly by how often they surface in litigation:

Purchased lists from data brokers with no verified opt-in. Buying a CSV of numbers tied to demographics and cold-calling them is the single highest-risk move in outbound. A broker's claim that numbers are "opted in" is not your defense. You need the documentation, in your hands, per lead.

Shared consent pages listing dozens of partners. This is the aggregator model the FCC's one-to-one rule aimed to kill. The rule is stayed, but plaintiff's attorneys keep winning class actions by arguing consumers never meaningfully consented to a company not named on the page they submitted.

Recycling lead lists without re-consent. A consumer who opted in six months ago hasn't legally "expired" (there's no statutory clock). But the odds their number got reassigned climb every month you sit on it. A list untouched for a year is a reassigned-number claim waiting to happen.

Pre-checked consent boxes. Still common. Still wrong. The FCC's 2012 order requires an affirmative act. A pre-checked box is not one.

Not honoring opt-outs immediately. Once someone texts STOP, that number leaves your active list before the next message sends. "We process opt-outs weekly" is a fresh violation for every message you send in the meantime.

Ignoring the called party's time zone. Said it above, saying it again: time limits track where the consumer sits, not where you sit.

For TCPA fundamentals and the statutory text spelled out, the linked guide covers it in detail.

How do you evaluate lead gen vendors and platforms for compliance before you sign?

Vendor selection is where small teams lose the most ground. You're under pressure to fill pipeline, the rep sounds credible, and the contract's "TCPA compliance" language feels like a seatbelt. It isn't.

A clause where the vendor warrants TCPA compliance helps you in an indemnification fight. It does nothing to stop you getting sued. TCPA class actions routinely name both the vendor and the buyer as defendants. You can cross-claim against the vendor later, but you still spend years in the case first.

Here's what to actually check:

Ask for a live demo of the opt-in flow. Not screenshots. Walk the real form yourself. See what the consumer sees. Read the consent language out loud. If you wouldn't want a plaintiff's attorney reading it to a jury, fix it before launch.

Request a sample data file. Look at the fields. Does each record carry a timestamp, an IP address, and the consent language version? If all you get is name, phone, and email, there's no consent documentation. There's a list.

Check whether the platform scrubs the National DNC. Many tools offer built-in scrubbing. Ask if it runs automatically, how often, and whether you can export a scrub report. If you're weighing text message marketing software, scrubbing and opt-out management should be native, not paid add-ons.

Read their data ownership terms. Some vendors resell the same lead to other buyers. When a consumer gets called by six companies off one opt-in, their patience runs out and their attorney's begins. Exclusive leads cost more and carry less downstream liability.

LeadCompliant's free TCPA number checker tells you on the spot whether a number sits on the National DNC Registry before you dial, which at least closes the scrub gap on inbound lead records.

What records do you need to keep, and for how long?

Record-keeping is where small teams have the widest gap. If you can't prove consent, you don't have consent, at least not in a courtroom. That's the whole game.

For TCPA consent, retain:

  • The exact consent language the consumer saw at opt-in (the version live that day, not your current one).
  • The submission timestamp (UTC, or local with the time zone noted).
  • The IP address of the submitting device.
  • The phone number submitted.
  • The URL of the form or page where consent was captured.

The TCPA doesn't name a retention period, but the statute of limitations for TCPA claims is four years under 28 U.S.C. § 1658, the general federal catch-all most courts apply to these cases. Keep consent records at least four years from the date of last contact, not the date of consent.

For the TSR, the FTC requires telemarketers to keep, for five years: each customer's name and last known address, the goods or services purchased, the date and amount of each purchase, and copies of all verifiable authorizations (which covers consent records).[2]

For text programs, CTIA guidelines suggest keeping opt-in records for the program duration plus two years. That window is shorter than the TCPA limitations period, so default to the four-year rule.[11]

Cloud storage is fine. What matters is that records are immutable (not editable after the fact), retrievable by phone number and date range, and backed up. A spreadsheet anyone can edit is not adequate. A database with write-once records and an audit log is.

Frequently asked questions

Can I be sued for leads I bought if the vendor claimed they were TCPA compliant?

Yes. The lead buyer and the lead vendor are both potential defendants in a TCPA class action. Courts have found buyers liable under agency and ratification theories when the buyer used leads knowing or having reason to know the consent was questionable. A vendor's contractual warranty of TCPA compliance helps in a cross-claim for indemnification but does not prevent you from being named in the original suit.

Express consent (oral or written) is enough for informational calls to cell phones using an autodialer. Marketing calls and texts require express written consent: a signed written or electronic agreement that specifically authorizes the seller to contact the consumer at a particular number using an autodialer or prerecorded message. The written standard has applied to marketing calls since the FCC's 2012 order.

Does the TCPA apply to B2B calls and texts?

Generally yes, if you're calling a cell phone. The TCPA doesn't distinguish between consumer and business calls. It restricts calls to cellular numbers using an autodialer or prerecorded voice regardless of whether the recipient is a business owner or a consumer. The called party's status as a business creates no exemption. Some states have narrower B2B carve-outs, but the federal statute does not.

How often do I need to scrub my call list against the National DNC Registry?

The FTC's Telemarketing Sales Rule requires that your list be scrubbed against the National DNC Registry no more than 31 days before each call. Scrubbing once a year and continuing to dial is a TSR violation. Most compliant dialing platforms run automatic monthly scrubs. You must also maintain your own internal DNC list and honor opt-outs immediately.

What is the FCC's reassigned numbers database and do I have to use it?

The FCC's Reassigned Numbers Database (RND) is a registry carriers report to when a mobile number is permanently disconnected and reassigned to a new subscriber. You aren't legally required to query it before every call, but the TCPA's safe harbor for reassigned-number calls covers only the first call after reassignment. Querying the RND before dialing is the practical way to stay inside that safe harbor and avoid liability to new number holders.

Is a pre-checked opt-in checkbox on a lead gen form valid TCPA consent?

No. The FCC's 2012 TCPA order requires an affirmative act by the consumer. A pre-checked box is not one. If your form auto-selects the consent checkbox and the consumer submits without unchecking it, that consent is not valid under the TCPA's written consent standard for marketing calls and texts.

The FCC's December 2023 order (FCC 23-107) would have required that a consumer's consent on a lead gen website name the specific company contacting them, rather than a generic list of marketing partners. The rule was set to take effect January 27, 2025, but the Eleventh Circuit stayed it first. As of mid-2025, the one-to-one rule is not in force, but best practices and litigation trends already point that way.

What time of day am I allowed to call or text leads?

The TCPA and the FTC's Telemarketing Sales Rule both prohibit calls before 8 a.m. and after 9 p.m. in the local time of the called party. Florida's Mini-TCPA is slightly stricter: calls after 8 p.m. are prohibited under Florida law. The restriction tracks where the consumer is located, not where you are, so adjust for time zones before dialing.

How do state mini-TCPA laws like Florida's affect my national lead gen program?

Florida's Mini-TCPA (Fla. Stat. § 501.059) applies if you call a Florida consumer or use a Florida telephone number. It defines automated dialing more broadly than the federal TCPA post-Facebook v. Duguid, provides $500 per call with no class certification required, and prohibits calls after 8 p.m. Any national campaign that includes Florida numbers needs to meet Florida's stricter standard independently of federal compliance.

You need the exact consent language the consumer saw at opt-in (archived, not a current version), the timestamp and IP address of submission, the phone number submitted, and the URL of the page where consent was captured. The TCPA's statute of limitations is four years under the general federal statute, so retain these records for at least four years from the date of last contact.

Do I need a separate opt-in for calls versus texts if I generate leads digitally?

Technically the TCPA applies to both under the same written consent standard, so a single consent covering calls and texts using an autodialer is legally sufficient if it's clear. In practice, many forms list both explicitly to kill ambiguity. If your form only mentions calls, using it to send marketing texts is risky. The safest move is to name both channels in your consent language.

What happens if a consumer opts out and I accidentally text them again?

Each text sent after a valid opt-out is a separate TCPA violation at $500 to $1,500 per message. There is no grace period. Courts have found willfulness (and the potential for treble damages) where a defendant's opt-out processing had known delays. Opt-out requests must be honored immediately, and your platform should suppress the number before the next send cycle runs.

Can I use artificial intelligence tools to generate leads or personalize outreach and stay compliant?

AI tools don't change the consent requirements. If an AI system generates a personalized text and sends it using an autodialer, the TCPA applies exactly as it would to any automated text. The FCC has stated that AI-generated voice calls using prerecorded or synthesized voices fall under the TCPA's robocall restrictions. Consent, DNC scrubbing, and opt-out processing apply regardless of whether a human or an AI drafts the message.

What is the safest way to verify that a third-party lead vendor's consent is good?

Walk the actual opt-in flow yourself. Confirm the form has an unchecked checkbox, names your company specifically, describes the product category, discloses autodialer use, and states consent isn't required to purchase. Then ask for a sample data record showing timestamp, IP address, and page URL for each lead. If the vendor can't produce both, don't buy until they can. A contract warranty is no substitute for real documentation.

Sources

  1. Cornell Law School LII, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA statutory damages are $500 per violation, trebled to $1,500 for willful or knowing violations
  2. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires National DNC scrub every 31 days, prohibits calls before 8 a.m. and after 9 p.m. local time, limits predictive dialer abandonment to 3% per 30-day period, and requires five-year record retention
  3. Van Patten v. Vertical Fitness Group, 9th Cir. 2017 (847 F.3d 1037): Ninth Circuit held TCPA consent must be given to the specific entity that contacts the consumer or its clearly disclosed agent
  4. FTC, Federal Register notices on civil penalty inflation adjustments (Federal Civil Penalties Inflation Adjustment Act): TSR civil penalties are adjusted annually for inflation; the current per-violation maximum is published in the Federal Register each year
  5. Wakefield v. ViSalus, Inc., 9th Cir. 2021 (21-35201): District court entered a $925 million judgment for 1.85 million TCPA-violating robocalls in Wakefield v. ViSalus; Ninth Circuit addressed the damages award while upholding the liability finding
  6. Florida Legislature, Fla. Stat. § 501.059 (Florida Telemarketing Act): Florida's Mini-TCPA prohibits calls using automated dialing systems without prior express written consent, provides $500 per call, requires no class certification, and prohibits calls after 8 p.m.
  7. California Attorney General, California Consumer Privacy Act (CCPA): California's CCPA/CPRA requires privacy notices disclosing data transfers to third parties and provides consumers opt-out rights over sale of personal information
  8. Facebook, Inc. v. Duguid, 141 S. Ct. 1163 (2021), Supreme Court of the United States: Supreme Court held in 2021 that the TCPA's autodialer definition covers only systems that use a random or sequential number generator to store or produce numbers, narrowing the federal definition

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit