Last updated 2026-07-09

TL;DR
TCPA requires you to prove prior express written consent before sending autodialed calls or texts to cell phones. Your CRM needs at minimum: consent timestamp, consent source URL, consent language verbatim, opt-in method, phone number consented to, and a revocation log. Without these fields, you cannot defend a $500, $1,500-per-violation TCPA lawsuit.
Why does your CRM structure matter for TCPA compliance?
The burden of proof in a TCPA case sits entirely on you, not the plaintiff. Under 47 U.S.C. § 227, a consumer only has to show they got an autodialed or prerecorded call or text on a cell phone without permission. You then have to prove they gave "prior express written consent." If your CRM can't produce that proof on demand, you've lost the argument before discovery even starts.
The FCC's 2012 amendments to its TCPA rules (effective October 16, 2013) tightened the standard. The agency moved from "prior express consent" for telemarketing calls to "prior express written consent," meaning a signed written agreement that clearly authorized automated contact. [1] That agreement has to live in your records, not on a landing page somebody redesigned two years ago.
Courts keep ruling the same way: a defendant who can't produce contemporaneous consent records loses. In Mais v. Gulf Coast Collection Bureau, the Eleventh Circuit reinforced that the defendant carries the burden of showing valid consent. [2] You'll find plenty of TCPA cases where the only fight was whether the company could document consent, not whether consent actually happened.
So when a plaintiff's lawyer sends a litigation hold letter, your CRM has to answer five things fast: who consented, to what number, on what date, through what mechanism, with what exact language on screen. Each answer needs its own database field.
What is "prior express written consent" under TCPA and what does it require?
The FCC defines prior express written consent in 47 C.F.R. § 64.1200(f)(9). The regulation says it is "an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice." [1]
Four components sit inside that one sentence, and each maps to a CRM field.
An agreement in writing. Store the consent mechanism: web form, paper form, verbal recording, or SMS keyword.
Bearing the signature. A typed name, checkbox, or electronic signature qualifies under the E-SIGN Act, but you have to capture which form they completed and log that action.
The person called. The specific phone number consented to has to be tied to the consent record, more than floating on the contact record.
Clearly authorizes. Store the exact disclosure language shown at consent, word for word, because courts read "clearly authorizes" narrowly.
Since January 2025, the FCC's one-to-one consent rule has gone further: each seller has to be named individually in the consent language. The FCC's December 2023 Report and Order (FCC 23-107) set that effective date at January 27, 2025. [3] A generic "and our partners" disclosure no longer covers you. Every lead source's form has to name your company, and your CRM has to record that the consumer saw and agreed to language that named you.
For cold calling to cell phones, the stakes are identical. The TCPA doesn't split voice calls from SMS for the autodialer and prerecorded voice provisions. [1] Your text message marketing campaigns carry the same exposure as your calls.
What are the exact CRM fields you need to store TCPA consent?
There is no official FCC field list. But there is an effective one, built from what litigators ask for in discovery and what the regulation's four elements require. Here is every field you should have, with why each one earns its place.
Core consent record fields
| Field | Data type | Why it matters |
|---|---|---|
| consent_timestamp | Datetime (UTC, ms precision) | Establishes when consent was given; ties to server logs |
| consent_phone_number | String (E.164 format) | Consent follows the number, not the person |
| consent_source_url | String (full URL with query string) | Identifies the exact page and campaign that captured consent |
| consent_language_verbatim | Long text | Courts want the exact words shown, not a summary |
| opt_in_method | Enum (web form, SMS keyword, paper, verbal recording) | Affects what proof exists |
| ip_address_at_consent | String | Corroborates the source URL; helps fight fraud claims |
| session_id_or_jornaya_token | String | Third-party token anchors your consent to an independent audit trail |
| lead_source_id | Foreign key | Lets you trace consent to the specific lead vendor or campaign |
| tcpa_consent_flag | Boolean | The simple yes/no that drives call routing logic |
Post-consent tracking fields
| Field | Data type | Why it matters |
|---|---|---|
| revocation_timestamp | Datetime | Opt-outs must be honored within a reasonable time; logs protect you |
| revocation_channel | Enum (verbal, SMS STOP, web, email) | Different channels carry different compliance timelines |
| dnc_flag | Boolean | Separate from consent; links to your internal do not call list suppression logic |
| last_contact_attempt | Datetime | Helps prove you stopped calling after revocation |
| consent_document_id | String or file reference | Points to the archived PDF, screenshot, or recording for offline consent |
The Jornaya (now part of Verisk) LeadiD token deserves its own callout. Jornaya's platform captures an independent, time-stamped token the moment a consumer fills out a web form. Store that token and you have a corroborating record you didn't create yourself. That matters when a plaintiff swears they never consented, because you can pull Jornaya's record to show exactly what they filled in. TrustedForm from ActiveProspect does the same job. [4] Neither is required by law. Any outbound team doing real volume should still run one.
For leads you buy from third parties, add a `lead_vendor_consent_cert` field. Require vendors to hand over a certificate or token proving they captured consent. No certificate, no call. The FCC's one-to-one consent rule means a vendor's generic multi-seller consent doesn't shield you anyway. [3]
How long do you need to keep TCPA consent records?
Keep them five years. The TCPA statute of limitations is four years under the federal catch-all statute (28 U.S.C. § 1658), so four years is the legal floor. Some state mini-TCPA laws stretch exposure further. Washington's Consumer Protection Act, for example, runs a four-year window that can begin at discovery, which pushes real-world exposure past the filing date. [5]
The FTC's Telemarketing Sales Rule at 16 C.F.R. § 310.5 requires sellers to keep certain records, including express consent and authorization records, for 24 months from the date they were made. [6] My honest take: 24 months is not enough. Five years is the right number because class actions move slowly, and discovery requests routinely reach back three to four years from the filing date.
Archiving strategy matters as much as retention length. A consent record living only in a live CRM field is exposed to accidental overwrites, deletions by sales reps, and data migrations that quietly drop custom fields. Export consent records to immutable storage (an append-only table, or an archived flat file with a hash) at the moment of capture, and never let a later update to the contact record overwrite them.
If your team also calls cell phones that might sit on the National do not call telemarketer list, your DNC scrub records need the same retention logic. Courts and the FTC can ask you to show when you last checked a number against the registry.
Does consent follow a person or a phone number?
The phone number. This is one of the most common misunderstandings, and it creates real liability.
The FCC made it clear in its 2015 Declaratory Ruling (FCC 15-72) that reassigned numbers are a specific trap: if a consumer gave you consent and their number later got reassigned to someone new, you get one free call to discover the change. After that one call, the prior owner's consent no longer covers calls to the new subscriber. [7]
So your CRM needs to treat the phone number as the consent object, not the person. Consent fields should live on a phone number entity or a contact-phone junction table, not on the top-level contact record. When a rep updates a contact's phone number, your system should flag that the new number has no consent and block autodialed outreach until you re-capture it.
Reassigned number lookups should run before every campaign. Twilio Lookup, Numeracle, and the industry-run Reassigned Numbers Database check for reassignments. The Reassigned Numbers Database was established by FCC order and is operated by an outside administrator under FCC oversight. [7] Log the lookup result and timestamp in your CRM so you can prove you checked.
For contacts with more than one number, each number needs its own consent record. Consent to call a mobile doesn't transfer to a work line. Obvious when it's written out. Yet plenty of CRM schemas store a single phone consent flag at the contact level, and that flag covers nothing.
What happens if a consumer revokes consent? How do you document that?
Revocation is immediate and it sticks. The Supreme Court's 2021 ruling in Facebook, Inc. v. Duguid narrowed the autodialer definition, but it changed nothing about revocation. [9] The FCC's 2015 Declaratory Ruling said consumers can revoke consent "at any time and through any reasonable means." You cannot contractually box in how someone revokes.
That creates a documentation problem. Someone texts STOP, emails your support inbox, tells a rep on a call, or types in your web chat that they're done. All of them count. Your CRM has to capture every channel.
The fields for this are `revocation_timestamp`, `revocation_channel`, and a `revocation_notes` free text field for verbal requests. Reps need a trained reflex to log revocations in real time, not at the end of a shift. A verbal opt-out logged six hours later, after two more autodial attempts landed, is a TCPA violation.
For SMS, STOP keyword processing should be automatic at the carrier or platform level, but you still have to write that revocation back to your CRM. Twilio and Bandwidth can fire webhooks on STOP replies. Build the webhook handler to update the field the instant it arrives.
The FCC's 2024 rulemaking on consent revocation confirmed that callers must honor an opt-out request promptly and stop further messages. Separate from the mobile phone do not call list, this is about your own first-party record of who told you to stop.
Case outcomes back this up. Large settlements like the Cash App TCPA class action settlement and the Credit One TCPA settlement often turned on allegations that companies kept calling after opt-out. When a company couldn't produce clean revocation records, the settlement got a lot more expensive.
How should third-party lead consent be stored differently?
Third-party lead consent is the riskiest consent you'll touch. You didn't build the form, you didn't write the disclosure, and you can't confirm what the consumer actually saw unless the vendor hands you documentation.
The FCC's one-to-one consent rule (FCC 23-107) means that as of early 2025, a lead form bundling consent for a whole slate of sellers doesn't cover you. [3] The consumer had to see your company's name in the consent language. In practice, you can no longer use old-style aggregated internet leads for autodialed outreach unless you can show name-specific consent.
For third-party leads, add these fields on top of your standard schema:
- `lead_vendor_name`: the entity that captured consent
- `vendor_consent_cert_url`: a URL or file reference to the vendor's certificate or TrustedForm/Jornaya token
- `consent_form_screenshot_url`: an archived screenshot of the exact form the consumer saw
- `vendor_contract_reference`: a pointer to the data purchase agreement stating what consent the vendor warranted
No TrustedForm or Jornaya token plus a screenshot naming your company? Don't call that lead on an autodialer. You can try a manual cold call if the number isn't on the how do I get the do not call list registry, but automated contact without documentation is exposure you don't need to buy.
Audit vendors at onboarding and once a year after that. Pull a sample of tokens and verify them independently. If a vendor's TrustedForm tokens keep failing verification, stop buying from them. Switching vendors costs less than one certified class.
What CRM platforms handle TCPA consent fields best?
No major CRM ships a purpose-built TCPA consent module. Salesforce, HubSpot, and Zoho all give you room to build the fields above, but you do the building. Here are the honest tradeoffs.
Salesforce has the strongest audit log infrastructure. Field history tracking records every change to a consent field with a timestamp and the user who made it, which is worth a lot in litigation. But the default config doesn't turn on field history for custom objects, and the 20-field history limit per object means you have to pick which fields you track.
HubSpot stores communication consent natively through its GDPR tools, but GDPR consent is not TCPA consent. HubSpot's built-in consent fields aren't granular enough for the TCPA standard. You'll need custom contact properties for every field in the table above, plus workflows that block sequence enrollment when `tcpa_consent_flag` is false.
For high-volume teams, LeadCompliant's compliance toolkit includes a pre-built field schema and import template that configures your CRM without designing the data model from scratch.
Smaller teams on spreadsheets should stop today. A Google Sheet with a consent tab is not defensible in litigation. The moment you touch any autodialer, even a power dialer with a human making the connection, you need a database that logs field-level changes with timestamps.
Whatever platform you pick, the one architectural decision that outranks the rest is immutability of the original consent record. Never let a process overwrite the first consent you captured. Create a new record if consent gets re-captured, and keep the original. Append. Never replace.
How do you validate that your consent fields are actually being populated?
Having the fields is step one. Making sure they're populated before a call goes out is step two, and most teams fail step two.
Build a pre-dial gate in your outreach tool or CRM that checks three conditions before a number can enter a dialing queue: `tcpa_consent_flag` equals true, `revocation_timestamp` is null (or older than the most recent consent), and the number passed a DNC scrub in the last 30 days. Any failed check and the number is not dialable by an autodialer, full stop.
Run a monthly data quality audit. Pull every contact in your outreach lists and check what percentage has a populated `consent_source_url` and `consent_timestamp`. Below 100% is your legal exposure staring back at you. Close that gap before you add a single new contact.
For inbound leads, test the web form submission flow end to end every quarter. Submit a test lead, then confirm in the CRM that every field populated correctly. Form edits, CRM API updates, and landing page A/B tests break field mapping more often than teams expect, and they break it silently.
A consent record that exists but can't be found fast in litigation is nearly as bad as one that never existed. Create a `consent_record_id` field and make sure your legal team knows how to query it. If a plaintiff names a phone number in a complaint, you should be able to pull the full consent record in under two minutes.
For the wider framework around calls and texts, the TCPA statute's full text and the FCC's implementing rules at 47 C.F.R. § 64.1200 are the primary reference. [1]
What does a TCPA-compliant consent record look like in practice?
Here is a concrete record, with no invented people or companies.
A consumer visits a mortgage refinance comparison page on July 9, 2026, at 14:23:07 UTC. They enter a phone number (+12025551234) and check a box next to text that reads: "By submitting this form, I authorize [Your Company Name] to contact me at the number provided using automated dialing systems, prerecorded messages, or text messages. I understand consent is not required to purchase. [Your Company Name] Privacy Policy applies." They click Submit.
The complete consent record for that interaction holds:
- `consent_timestamp`: 2026-07-09T14:23:07.412Z
- `consent_phone_number`: +12025551234
- `consent_source_url`: https://example.com/mortgage-refi?utm_source=google&utm_campaign=refi_july
- `consent_language_verbatim`: the full sentence above
- `opt_in_method`: web_form_checkbox
- `ip_address_at_consent`: 198.51.100.42
- `jornaya_token`: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9... (truncated)
- `lead_source_id`: GOOGLE_REFI_JULY_2026
- `tcpa_consent_flag`: true
- `revocation_timestamp`: null
- `dnc_scrub_last_checked`: 2026-07-09T15:00:00Z
- `dnc_scrub_result`: not_on_list
That record is defensible. It answers every element of the FCC's prior express written consent definition. It carries a third-party token. It names a specific URL, so the archived form is retrievable. It ties consent to the exact number.
Most companies store a sliver of this. A `do_not_call` checkbox on the contact record, maybe an opt-in date. That is not enough.
What are the TCPA penalties for getting consent documentation wrong?
The statutory damage range under 47 U.S.C. § 227(b)(3) is $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones. [10] Each call or text is a separate violation. Autodial 10,000 people without proper consent documentation and you're sitting on $5 million to $15 million of statutory exposure before a single expert gets retained.
Willfulness doesn't require bad intent. Courts have found it where a company knew about the consent requirement and still failed to build adequate documentation practices. If you've been served a demand letter before, any later violation is very likely to be read as willful.
Class certification blows individual exposure up. A class of 100,000 consumers at $500 per violation is $50 million. That math is why TCPA cases settle in the eight and nine figures. The Credit One Bank TCPA settlement is a useful reference point: the company agreed to a $12.5 million settlement covering allegations of autodialed calls placed without valid consent. [11] The full docket and settlement documents are the primary source for those figures.
The CRM work becomes obvious against that math. Forty hours and $0 to build proper consent fields, versus $500 per undocumented contact, is not a close call. This is the rare corner of compliance where the fix is nearly free and the downside is enormous.
Frequently asked questions
Do I need separate consent fields for calls versus texts?
You need separate records if the consent language differed for calls versus texts, or if they were captured at different times. The TCPA treats autodialed calls and autodialed texts the same under 47 U.S.C. § 227(b)(1)(A), so the same prior express written consent standard applies to both. But if your web form only mentioned texts and you now want to call, that consent doesn't transfer. Track the authorized channel in a `consented_channels` field.
Can a verbal opt-in over the phone count as prior express written consent?
No. Prior express written consent requires a written agreement under 47 C.F.R. § 64.1200(f)(9). A verbal agreement on a call can satisfy prior express consent for certain non-telemarketing informational calls, but it doesn't meet the written standard for telemarketing autodial calls or texts. Record the verbal consent anyway using `opt_in_method` set to 'verbal_recording', but do not use that contact for automated telemarketing outreach.
What is a Jornaya token and do I need one?
A Jornaya LeadiD token is an independent, time-stamped audit token generated when a consumer fills out a web form. Jornaya (now part of Verisk) captures the session independently, so you get a corroborating record you didn't create yourself. It's not legally required, but it is the single most effective tool for defending an 'I never consented' claim. Store the token in your CRM's `jornaya_token` or `third_party_consent_token` field at lead capture.
How do I handle consent for leads I purchased from a lead vendor?
You need documentation that the vendor's consent form named your company specifically (required under the FCC's one-to-one consent rule, effective January 2025) and that the language met the written standard. Request the TrustedForm or Jornaya token for each lead. Store the vendor's name, the token, and a screenshot of their consent form. If the vendor can't supply those, do not use an autodialer on those leads.
Is there a TCPA field specifically for the National DNC Registry?
Yes, and it's separate from your consent flag. Store a `dnc_scrub_last_checked` datetime and a `dnc_scrub_result` field. The FTC requires sellers to scrub against the registry before each campaign, and you must scrub numbers acquired more than 31 days before calling. Your scrub result and timestamp is your proof you checked. A consent record doesn't override a DNC registration; you need both fields clean to autodial a number.
What if a contact updates their phone number? Does old consent carry over?
No. Consent is tied to the specific number consented to, not the person. If a contact updates their phone number, the new number has no consent record. Build a CRM rule that sets `tcpa_consent_flag` to false and clears `consent_timestamp` on the new number when a phone field changes. Re-capture consent before autodialing the new number.
How quickly do I have to honor a revocation request?
The FCC's 2015 Declaratory Ruling said revocation must be honored within a reasonable time. What's reasonable depends on the channel, but most compliance attorneys treat any revocation as effective immediately and build their systems that way. For SMS the standard is near-instant, since STOP handling can be automated. Log the revocation timestamp the moment the request arrives, and block the number from dialing queues before the next campaign run.
Can I store consent records in a spreadsheet?
You can, but you shouldn't if you run any autodialed outreach. Spreadsheets don't enforce field-level change tracking, don't stop records from being overwritten, and don't integrate with dialing tools as a pre-dial gate. In litigation, a spreadsheet gets challenged as editable after the fact. Use a database-backed CRM with field history enabled for consent fields, and export records to immutable storage at capture.
Does the FCC's one-to-one consent rule change which fields I need?
Yes. The FCC's December 2023 Report and Order (FCC 23-107) requires each seller to be named individually in the consent language. You now need a field storing the exact consent text (which must include your company name), plus a field referencing the lead vendor's documentation confirming your name appeared. Buying list leads with generic multi-seller disclosures no longer gives you valid consent for autodialed outreach.
How often should I scrub my contact list against consent records?
Before every campaign, more than at lead capture. Consent can expire or be revoked between the time a lead enters your CRM and the time a campaign runs. Build an automated pre-campaign check that joins your outreach list against your consent table and drops any contact where `tcpa_consent_flag` is false, `revocation_timestamp` is populated, or the DNC scrub is older than 31 days. Spot-check that logic monthly.
What should the consent language actually say to meet the written standard?
The FCC's rule at 47 C.F.R. § 64.1200(f)(9) requires the agreement to clearly authorize the named seller to deliver autodialed calls, texts, or prerecorded messages; state that consent is not required as a condition of purchase; and be signed (a checkbox with the consumer's action counts under E-SIGN). Store the verbatim text in `consent_language_verbatim` so you can reproduce it exactly, without relying on a live page that may have changed.
How long should I keep TCPA consent records?
At minimum, keep them for the four-year TCPA statute of limitations under 28 U.S.C. § 1658. The FTC's Telemarketing Sales Rule requires 24 months for certain records. Most compliance attorneys recommend five years to cover slow-moving class actions where the discovery window reaches back several years from filing. Export records to immutable storage at capture and never let the original record be overwritten.
Do I need consent documentation for calls made by a human dialing manually?
For telemarketing calls to numbers on the National Do Not Call Registry, yes, you need an established business relationship or prior express consent regardless of dialing method. For autodialer calls to cell phones, the TCPA requires prior express written consent. A purely manual call to a number not on the DNC registry carries lower documentation requirements, but logging the contact and any established business relationship basis is still good practice.
What is the difference between a TCPA consent flag and a DNC flag in my CRM?
They're separate, and both matter. The TCPA consent flag (`tcpa_consent_flag`) records that the person affirmatively agreed to autodialer or prerecorded contact. The DNC flag records that the person registered on the National Do Not Call Registry or made an internal do-not-call request. A person can have consent on file and still be on the DNC registry; in that case, most attorneys treat the DNC registration as controlling for telemarketing calls.
Sources
- FCC, 47 C.F.R. § 64.1200 — Delivery restrictions for telephone solicitations: FCC definition of prior express written consent and the requirements for telemarketing autodialed calls and texts under 47 C.F.R. § 64.1200(f)(9)
- Mais v. Gulf Coast Collection Bureau, 768 F.3d 1110 (11th Cir. 2014): Eleventh Circuit holding that the defendant bears the burden of demonstrating valid prior express consent under TCPA
- ActiveProspect, TrustedForm product overview: TrustedForm generates an independent third-party certificate documenting the consumer's consent interaction on a web form
- Washington State Legislature, Consumer Protection Act, RCW 19.86: Washington state Consumer Protection Act statute of limitations framework applicable to TCPA-related state claims
- FTC, Telemarketing Sales Rule, 16 C.F.R. § 310.5 — Recordkeeping requirements: FTC Telemarketing Sales Rule requiring sellers to keep express consent and authorization records for 24 months
- Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court ruling narrowing the TCPA autodialer definition to systems that use a random or sequential number generator
- 47 U.S.C. § 227 — Telephone Consumer Protection Act, statutory text: TCPA statutory damage amounts of $500 per violation and $1,500 per willful or knowing violation under 47 U.S.C. § 227(b)(3)
- Credit One Bank TCPA class action settlement — federal court docket and settlement records: Credit One Bank agreed to a $12.5 million TCPA class action settlement covering allegations of autodialed calls without valid consent