Last updated 2026-07-09

TL;DR
The FCC adopted its one-to-one consent rule on December 13, 2023, requiring each seller to get its own written consent before sending robocalls or robotexts. The deadline was January 27, 2025. Three days early, on January 24, 2025, the Eleventh Circuit vacated the rule. The revocation rules survived. Prior express written consent under 47 U.S.C. 227 still applies. Here's what to do now.
What is the FCC one-to-one consent rule?
The FCC adopted the one-to-one consent rule on December 13, 2023, as part of a Report and Order aimed at lead generator loopholes in the Telephone Consumer Protection Act (TCPA) [1]. The idea was clean. A consumer's written consent to receive automated calls or texts had to name a single seller. You could not bundle it into a form that covered dozens of unrelated companies at once.
Before the rule, lead gen forms often read like this: "I agree to be contacted by up to 25 partners." One checkbox. Hundreds of calls. Lawful under the old reading. The FCC said that setup violated the prior express written consent requirement in 47 U.S.C. 227(b)(1)(A) because consent to one business was getting laundered into consent for many [2].
The Order said consent had to be "one-to-one" and "logically and topically associated" with the site or context where the consumer gave it. A person on a mortgage comparison site could not be treated as having consented to calls from an auto dealer, even if the fine print claimed otherwise.
What was the original compliance deadline for the one-to-one rule?
The FCC set January 27, 2025 as the effective date for the one-to-one consent requirement [1]. That gave the industry about 13 months from the December 2023 adoption to rebuild consent flows, audit lead vendor contracts, and retrain sales teams.
A second prong of the same Order, the lead generator provision requiring consent to be logically and topically associated with the site where it was obtained, carried the same January 27, 2025 date. Both provisions traveled together.
Many companies spent all of 2024 overhauling web forms, updating terms, and cutting vendor relationships that could not produce individual, named consents. That work was not wasted, even given what happened next.
Was the rule actually struck down? What did the court decide?
Yes. On January 24, 2025, three days before the deadline, the Eleventh Circuit Court of Appeals vacated the one-to-one consent rule in Insurance Marketing Coalition Ltd. v. FCC [3]. The court held the FCC exceeded its authority under the TCPA. The statute lets the FCC "prescribe regulations to implement" the TCPA's requirements, but the court found the one-to-one construct went past the statute's text.
The ruling left the rest of the December 2023 Order alone. It vacated the one-to-one and topically-associated provisions specifically. Other pieces, including the revocation-of-consent rules, survived.
So where does that leave you? The pre-2023 standard is back for the specific one-to-one requirement. You still need prior express written consent for automated or prerecorded calls and texts to cell phones. That baseline under 47 U.S.C. 227 never moved. Bundled consent forms covering multiple sellers are legal again, but they carry real litigation risk, because plaintiffs' lawyers argue individual consents are the cleaner record and juries tend to agree.
The FCC has not walked away from the policy goal. Expect a revised rulemaking. If you already rebuilt your consent flows to hit the January 2025 deadline, keeping them is almost certainly the right call.
What TCPA consent requirements are still in effect right now?
Even with the one-to-one rule gone, the core TCPA consent framework is fully intact and enforced daily [2]. Here is what you actually need.
Prior express written consent for autodialed or prerecorded calls and texts to cell phones. The consent has to be in writing (electronic signatures count), has to disclose that the person agrees to receive autodialed calls or texts, and has to include the phone number being consented. A checkbox buried in a terms-of-service page with no disclosure does not cut it.
Prior express consent (oral is fine) for informational calls to cell phones using an autodialer. Lower bar. Still requires affirmative agreement.
No calls to residential lines using an artificial or prerecorded voice without prior express consent, subject to narrow exemptions for healthcare and emergencies.
The 2023 Order's revocation rules also survived the Eleventh Circuit decision. Consumers can revoke consent through any reasonable means, and you have to honor it inside a set window. The FCC put that window at 10 business days for most purposes, though the exact application has drawn later FCC guidance [4].
For text message marketing, the consent bar sits highest. You need written, signed consent that covers automated texts explicitly. An inbound text to a keyword opt-in number can satisfy this, but only if your disclosures are clear at the moment of opt-in.
You also still have to scrub against the National Do Not Call Registry for telemarketing voice calls [5]. TCPA consent and DNC obligations run on separate tracks. Having one does not cover the other.
What changed about consent revocation under the 2023 FCC Order?
The revocation piece of the 2023 Order survived the Eleventh Circuit ruling. This part matters every single day of operations.
The FCC codified that consumers can revoke TCPA consent through "any reasonable means." If a consumer replies STOP to a text, calls in and says "stop calling me," or emails asking to be removed, you cannot argue revocation only counts through a specific method you designated [4]. You honor it.
The Order set a 10-business-day compliance window for honoring revocation requests on most telemarketing contacts. If you get a STOP reply on a Monday, a text sent that same day can still expose you (the standard is reasonable processing time), but your systems should stop outreach inside that window at the latest.
One practical point: your CRM or contact platform needs an opt-out mechanism that flags the number right away and blocks re-queuing. Manual processes break here fast. If you run outbound sales, a cold call to a number that opted out of texts may not itself break the revocation rule, but it becomes evidence of willful disregard if the consumer also said "do not call me."
Document every revocation request. Log the date, the channel, the action you took. That log is your defense when a class action shows up.
What does a compliant consent form look like in 2025?
Even though the strict one-to-one requirement is vacated, write your consent forms as if it were still law. Here is the reasoning: individual named consent is the cleanest record you can hold, and TCPA litigation does not wait for perfect legal clarity. Cases like the Cash App TCPA class action settlement show what happens when consent records are muddy or disputed.
A compliant consent form should include:
- The legal name of the specific company that will contact the consumer.
- The specific phone number being enrolled.
- Clear language that the consumer consents to autodialed or prerecorded calls and/or texts.
- A statement that consent is not required as a condition of purchase.
- A description of what the calls or texts will cover.
- A link to your privacy policy.
The "not a condition of purchase" language comes from FCC regulations at 47 C.F.R. 64.1200 [6]. Gate a transaction behind a consent checkbox and you have a problem.
For lead gen forms, the practical result of the Eleventh Circuit ruling is that bundled consent is technically back. But name five companies in one form and each of those five has to produce that record and prove it was not deceptive. That is hard to do at scale. Most compliance counsel now recommend keeping the one-to-one structure anyway.
One quick check: does your form have a pre-checked consent box? Pre-checked boxes are not valid consent under the FCC's reading. The consumer has to take an affirmative act.
What should your compliance checklist include right now?
This is the practical core. Work through each item and document that you did.
| Item | What to verify | Risk if missing |
|---|---|---|
| Consent language names your company | Check every active lead form | High: no valid consent record |
| Consent is not pre-checked | Audit web forms and app flows | High: affirmative act required |
| "Not required to purchase" disclosure present | Review form copy | Medium: FCC rule violation |
| Consent stored with timestamp + IP | Check your CRM or lead system | High: no proof of consent |
| Consent tied to specific phone number | Verify data mapping | High: wrong number liability |
Consent records
| Item | What to verify | Risk if missing |
|---|---|---|
| Vendor can produce individual consent records | Request sample records | High: you inherit their liability |
| Contract requires vendor to meet TCPA standards | Review agreement | Medium: indemnification gaps |
| Vendor names your company in their consent form | Review their live forms | High: consent may be invalid |
Lead vendor contracts
| Item | What to verify | Risk if missing |
|---|---|---|
| STOP/UNSUBSCRIBE replies processed within 10 business days | Test your SMS system | High: post-2023 Order requirement |
| Phone opt-outs logged and synced to dialer | Check CRM-to-dialer integration | High: repeat contact liability |
| Any-channel revocation honored | Review policy and training | Medium: post-2023 Order requirement |
Revocation and opt-out
| Item | What to verify | Risk if missing |
|---|---|---|
| Do Not Call Registry checked within 31 days | Confirm scrub frequency | High: DNC violation |
| Internal DNC list maintained and applied | Check suppression list | High: $500-$1,500 per call |
| Calling hours compliant (8am-9pm consumer local time) | Check dialer settings | High: TCPA violation |
| Caller ID not spoofed | Review outbound numbers | High: separate federal violation |
Calling practices
If you want a pre-built version, LeadCompliant's free compliance kit has a downloadable consent audit template you can run against your current forms.
For teams running outbound voice, document your cold calling policies. The TCPA covers automated and prerecorded calls. It does not cover live-agent manual calls to numbers not on the DNC list. But if your dialer has any automatic dialing capacity, you may be in TCPA territory no matter what you call it internally.
What are the TCPA penalties if you get consent wrong?
The TCPA carries statutory damages of $500 per violation and up to $1,500 per willful or knowing violation [2]. There is no cap once a class action is certified. That math gets ugly fast.
The Credit One TCPA settlement shows the exposure. Cases involving millions of calls can settle in the tens of millions of dollars even when the underlying failure looks small in isolation.
The FCC can also bring its own enforcement actions with civil penalties. Across 2023 and 2024, the agency issued several multi-million dollar forfeiture orders against robocall operations.
Class certification is the real weapon. A company that sent 500,000 texts without proper consent faces a class of all 500,000 recipients at $500 each, which is $250 million in theoretical exposure. Most cases settle for far less. The threat still drives behavior. Companies with clean, individually documented consent records settle faster and cheaper, because the liability is bounded and provable.
Willfulness matters. If you had a compliance program, followed it, and a vendor slipped a bad form past you, that is a different conversation than knowingly using a bundled form after being warned. Document your compliance decisions as you make them, not after the complaint lands.
How do you audit your existing lead sources for consent compliance?
Start with inventory. List every source feeding phone numbers into your dialer or SMS platform. For each one, answer two questions: what consent language was in place when the consumer submitted, and can the vendor produce that record on demand?
Request a sample of 20 to 50 consent records from each vendor. Ask for the exact form the consumer saw, the timestamp, the IP address, and the phone number captured. A vendor that cannot produce that within a few business days is a red flag.
For your own web properties, walk through every form that captures a phone number. Screenshot the form as the consumer sees it. Check whether the TCPA disclosure sits above the fold or gets buried. Check whether it names your company by legal name. Check whether the phone field is required before submission.
Aged leads are a special risk. Consent has no official TCPA expiration, but the FCC has said in guidance that a reasonable reading looks at whether the consumer could still expect contact [4]. A four-year-old lead from a mortgage comparison site, now called about solar panels, is a consent problem waiting to happen.
To check whether a number sits on the federal Do Not Call list or state equivalents, you need an active subscription to the National DNC Registry [5]. The mobile phone Do Not Call list is the same federal registry. There is no separate cell-phone list, despite the common myth. You can also read how to get the Do Not Call list for your specific use case.
Once audited, sort your sources. Clean, documented consent is green. Consent that is unclear or cannot be produced is red. Stop using red sources until they prove compliance or you replace them.
What records do you need to keep, and for how long?
The TCPA itself does not set a retention period for consent records. That is a gap in the law, and it hurts defendants more than plaintiffs. The statute of limitations for a TCPA private action is four years under 28 U.S.C. 1658 [7]. Keep every consent record for at least four years from the date of your last contact with that number.
What to keep:
- The original form or record showing the consumer's consent, including the exact disclosure language they saw.
- The timestamp and IP address of submission.
- The phone number captured at opt-in.
- The source or campaign that generated the consent.
- Any revocation records, with timestamps and channel.
Store these where they cannot be accidentally overwritten. A shared spreadsheet is not enough. If you use a lead management platform, confirm it has an audit log and that records are backed up.
For calls you actually made, keep call logs showing the number dialed, the date and time, and the caller ID used. Some TCPA defendants have lost cases for one reason: they could not produce records of what they called and when.
At LeadCompliant, we offer a free TCPA compliance checker that flags whether your current consent forms include the required disclosure elements. Good starting point before a deeper records audit.
The telemarketer Do Not Call list has its own record-keeping component. You must be able to show you accessed the registry within 31 days before each call [5].
What is the FCC likely to do next on one-to-one consent?
The FCC, under any administration, has called lead generator abuses a priority. The Eleventh Circuit ruling killed the specific one-to-one mechanism. It did not bar the FCC from trying a different legal path to the same result.
The court's reasoning was narrow: the TCPA's text does not specifically authorize the one-to-one construct. A future FCC could try a Notice of Proposed Rulemaking grounded in different statutory authority, or treat bundled consent as a deceptive practice under authority separate from the TCPA.
Nobody has good data on timing. The closest signal is the FCC's January 2025 statement acknowledging the ruling and saying it would review its options. Robocall and robotext complaints have topped the FCC's consumer complaint list for years [8], so the pressure to act stays high.
For planning, the answer is plain. Build your processes as if one-to-one consent is the standard. The risk of getting consent right is zero. The risk of leaning on bundled forms, if a new rule passes or a court reads the TCPA differently, is enormous.
Does the one-to-one rule apply to B2B outreach?
The TCPA's prior express written consent requirement for autodialed calls and texts applies whenever you call a cell phone, whether the recipient is a consumer or a business [2]. The number type drives the rule, not the commercial context.
So if you are a B2B company using an autodialer to call prospects on their cell phones, TCPA applies. Plenty of B2B outbound teams miss this. The exemption people cite, that TCPA does not cover business-to-business calls, is narrower than commonly understood. It touches calls to a business's landline in a limited way. It does not exempt autodialed calls to an individual's cell phone, even if that person is a business contact [9].
Live-agent manual dialing to cell phones generally falls outside TCPA's autodialer restrictions. If your team dials numbers one at a time with no automatic dialing and no prerecorded messages, you are outside the core cell phone restrictions. You still comply with DNC rules for telemarketing calls, but the autodialer consent requirement does not apply.
The line many B2B teams walk: run the dialer in manual mode for cell phones, reserve automated sequences for email. That keeps you clear of TCPA autodialer territory while the outbound engine keeps running. For any cold call to a cell phone using a predictive or power dialer, get written consent first or check with counsel on whether your specific dialer counts as an ATDS.
Frequently asked questions
Is the FCC one-to-one consent rule still in effect?
No. The Eleventh Circuit vacated the one-to-one and topically-associated provisions of the FCC's December 2023 Order in Insurance Marketing Coalition Ltd. v. FCC, decided January 24, 2025. The rest of the Order, including revocation rules, remains in force. The prior express written consent standard under 47 U.S.C. 227 still applies; only the specific one-to-one mechanism was struck down.
What was the original deadline for the FCC one-to-one consent rule?
The FCC set January 27, 2025 as the effective date for both the one-to-one consent requirement and the logically and topically associated provision from its December 13, 2023 Report and Order. The Eleventh Circuit vacated those provisions three days before that deadline.
Can I still use a lead gen form that lists multiple sellers after the court ruling?
Technically yes, since the one-to-one rule was vacated. But it carries real litigation risk. If a consumer argues the multi-seller form was deceptive or they did not meaningfully consent to your company specifically, you may lose that consent defense. Most TCPA counsel recommend keeping individual named consent even though it is no longer strictly required.
What is prior express written consent under the TCPA?
Prior express written consent is a signed agreement, including electronic signatures, in which the consumer agrees to receive autodialed or prerecorded calls or texts at a specific phone number. The agreement must disclose that automated calls or texts may be made and must not condition a purchase on providing consent. The requirement comes from 47 U.S.C. 227 and FCC regulations at 47 C.F.R. 64.1200.
How long do I have to honor a STOP or opt-out request under current FCC rules?
The FCC's 2023 Order, which survived the Eleventh Circuit ruling, requires you to honor revocation requests within 10 business days for most telemarketing contacts. Consumers can revoke through any reasonable means, more than a specific channel you designate. You should log the revocation date, channel, and action taken.
Do TCPA consent requirements apply to B2B sales calls?
Yes, if you are using an autodialer or prerecorded message to call a cell phone, TCPA applies regardless of whether the call is for business purposes. The exemption many cite for B2B calls is narrower than people think. Live-agent manual dialing to cell phones is generally outside the autodialer restriction, but predictive or power dialers to cell phones require consent.
What are the TCPA penalties for calling without consent?
The TCPA provides $500 in statutory damages per violation and up to $1,500 per willful or knowing violation under 47 U.S.C. 227(b)(3). There is no cap in a class action. A single campaign sending 100,000 unconsented texts faces up to $150 million in theoretical damages before any court discretion or settlement negotiations.
What records do I need to prove TCPA consent?
Keep the original consent form or a record of the exact disclosure language the consumer saw, the submission timestamp, IP address, phone number captured, and the source or campaign. Also retain call logs and revocation records. The TCPA statute of limitations is four years, so retain records for at least four years from your last contact with each number.
Does the National Do Not Call Registry still apply even if I have consent?
Yes. TCPA consent and DNC compliance are separate obligations. Having written consent to make autodialed calls does not override a DNC registration for telemarketing purposes. You must still scrub your call lists against the National DNC Registry at least every 31 days before making telemarketing calls to those numbers.
What is the logically and topically associated provision of the FCC Order?
This provision, also vacated by the Eleventh Circuit, would have required that consent obtained on a website be logically and topically related to that site's purpose. A consumer on a mortgage site could not have been deemed to consent to auto dealer calls. The goal was to stop lead gen forms from piggy-backing unrelated sellers onto a single consent event.
Is a pre-checked consent box on a web form valid TCPA consent?
No. The FCC requires that prior express written consent involve an affirmative act by the consumer. A pre-checked box where the consumer does nothing and is passively enrolled does not meet that standard. The consumer must take a deliberate action, such as checking an unchecked box or typing their number into an explicit consent field.
What should I do with aged leads I purchased before the 2025 deadline?
Evaluate the consent records for each lead source. If you cannot verify that the consent form named your company and included proper TCPA disclosure, treat those leads as unconsented for autodialed or prerecorded outreach. The consent has no official TCPA expiration, but calling a two- or three-year-old lead for a different product than what they signed up for significantly weakens your consent defense.
Will the FCC try to reinstate one-to-one consent rules?
Almost certainly yes in some form, though timing is uncertain. The FCC has described lead generator abuses as a priority, and the Eleventh Circuit ruling was narrow: it found the specific mechanism exceeded TCPA authority, not that the underlying policy goal was wrong. A new rulemaking could attempt a different statutory basis. Build your consent flows as if individual named consent will be required again.
What is the difference between prior express consent and prior express written consent?
Prior express consent (oral is acceptable) covers informational or non-telemarketing autodialed calls to cell phones. Prior express written consent is required for autodialed telemarketing calls and texts to cell phones and for any prerecorded telemarketing calls to residential lines. The written standard requires a signed agreement with specific disclosures. When in doubt, get written consent; it satisfies both standards.
Sources
- FCC, Report and Order on Robocalls and Consent (FCC 23-107, December 2023): FCC adopted the one-to-one consent rule on December 13, 2023 and set January 27, 2025 as the effective date
- 47 U.S.C. 227, Telephone Consumer Protection Act: TCPA prohibits autodialed or prerecorded calls to cell phones without prior express consent and provides $500-$1,500 per violation in statutory damages
- U.S. Court of Appeals, 11th Circuit, Insurance Marketing Coalition Ltd. v. FCC, No. 24-10277 (Jan. 24, 2025): Eleventh Circuit vacated the FCC's one-to-one consent and topically-associated provisions on January 24, 2025
- FTC, National Do Not Call Registry: Telemarketers must access the National DNC Registry and scrub call lists at least every 31 days before making telemarketing calls
- FCC, 47 C.F.R. 64.1200, Delivery Restrictions: FCC regulations require that prior express written consent state that agreement is not a condition of purchase and that the form be signed by the consumer
- 28 U.S.C. 1658, Federal Catch-All Statute of Limitations: The four-year federal catch-all statute of limitations applies to TCPA private actions
- FTC, Telemarketing Sales Rule guidance for business: TCPA and Telemarketing Sales Rule consent and DNC rules apply to cell phone calls regardless of business or consumer context
- FTC, Complying with the Telemarketing Sales Rule: Telemarketing Sales Rule requires maintenance of internal do-not-call lists and honoring requests immediately