FCC one-to-one consent rule: the telemarketing loophole closed January 27, 2025

The FCC's one-to-one consent rule took effect January 27, 2025, closing the lead-gen loophole. Here's what changed, who's affected, and what to do now.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-10

Compliance officer reviewing TCPA consent documents at a desk with a phone nearby
Compliance officer reviewing TCPA consent documents at a desk with a phone nearby

TL;DR

Before January 27, 2025, one consumer consent form could legally authorize dozens of unrelated telemarketers to call or text. The FCC closed that loophole in a December 2023 order. Now prior express written consent under the TCPA must name a single seller and cannot bundle unrelated third parties. One court fight has already reshaped part of the rule.

What was the telemarketing loophole that the FCC just closed?

Lead generation companies built an entire business model on a single consent checkbox. A consumer landed on a website asking about, say, solar panels, checked a box agreeing to be contacted, and that one click legally authorized fifty or a hundred unrelated companies to call or text. Insurance sellers. Debt relief firms. Mortgage brokers. The checkbox usually read something like "by submitting this form you agree to receive calls and texts from our partners and affiliates," followed by a list of company names so long you had to scroll to reach the bottom.

This worked because the FCC's prior reading of the TCPA's "prior express written consent" requirement did not explicitly bar consent from covering multiple sellers at once. The FCC itself acknowledged the gap. In its December 2023 order the agency wrote that the practice had "spawned a lead generation industry" that left consumers "inundated with unwanted calls" from companies they had never heard of [1].

The loophole worked so well because TCPA liability is strict. Once a company held a signed consent form with the consumer's phone number, plaintiffs had a much harder time winning. The lead gen ecosystem sold that legal shield at scale, marketing "TCPA-compliant leads" to any buyer willing to pay, no matter whether the consumer had any idea those specific companies would be calling.

That is what changed on January 27, 2025.

What exactly did the FCC's December 2023 order do?

The FCC released its Report and Order on December 13, 2023, adopting new rules under the TCPA (47 U.S.C. § 227) that targeted the one-to-one consent requirement and the lead generator loophole [1]. The rules were published in the Federal Register with an effective date of January 27, 2025, giving industry roughly thirteen months to adjust [9].

The order made three concrete changes.

One seller per consent. Prior express written consent must identify a single, specific seller. A consent form listing multiple companies, or one using language like "our partners" to sweep in unnamed third parties, does not satisfy the TCPA for any of those third parties. Each seller needs its own consent.

Logical and topical relationship requirement. The website or context where consent is obtained had to be logically and topically related to the seller seeking consent. The FCC used a mortgage comparison site as its example: consent gathered there could reach mortgage lenders, but not insurance companies or car dealers. This prong hit the aggregator model hardest, since many lead gen sites collected consent across wildly unrelated product categories. (A federal appeals court later vacated this piece. More on that below.)

No more "partner" bundling. Consent forms that fold unrelated third parties into a single agreement are no longer valid under the rule, even if every company's name technically appears somewhere in fine print.

The statutory hook is 47 U.S.C. § 227(b)(1), which bars calls and texts to cell phones using an automatic telephone dialing system or a prerecorded voice without "prior express consent of the called party" [2]. The 2023 order is the agency defining what that consent must look like.

Why did the FCC act on this in 2023, and why the January 2025 effective date?

The FCC had been collecting consumer complaints about bundled consent for years. Robocalls consistently rank as the top consumer complaint the agency receives [3]. The December 2023 rulemaking answered sustained pressure from consumer groups and members of Congress who argued the lead gen loophole was a primary driver of unwanted call volume.

The thirteen-month gap between the order and the January 27, 2025 effective date was deliberate. Companies across the lead generation and telemarketing supply chain had built real operational infrastructure around the old model. Compliance teams needed time to audit consent flows, renegotiate lead-purchase agreements, and rebuild web forms.

For larger insurance carriers and mortgage originators, that runway was genuinely useful. Many had already started moving toward first-party lead generation before the rule dropped, partly because aggregator lead quality had been sliding and partly because TCPA class action settlements kept climbing. The rule gave compliance teams the regulatory hook to push internal stakeholders toward cleaner practices.

For smaller outbound teams simply buying lists of "pre-consented" leads from brokers, the effective date landed hard. Many did not learn the details until late 2024. That is not enough time to rebuild a pipeline.

TCPA one-to-one consent rule: key numbers Penalties, deadlines, and thresholds that define post-January 2025 compliance 500 Statutory damages per viola… (negligent) 1,500 Statutory damages per viola… (willful) 24k Max FCC forfeiture per violation (inflation-adjust… 13 Months industry had to comply (Dec 2023 to Source: 47 U.S.C. § 227 (TCPA), FCC 23-107 (2023), 47 C.F.R. § 64.1200

The practical impact is big. Under the old model a single lead could be sold to ten, twenty, or fifty buyers. Each buyer had a colorable TCPA consent defense. Revenue per lead was high, volume was easy, and the friction of individual consent was someone else's problem.

Under the new model a website can still collect consent to contact the consumer, but that consent is valid for only one named seller. If an insurance comparison site wants to feed five carriers, it needs five separate consent acknowledgments, each naming only that carrier.

That is buildable. It also breaks the unit economics. A consumer willing to fill out five separate consent screens is a rare creature. Most comparison sites see conversion rates drop when they try to gather granular one-to-one consent for every buyer. The alternative is to pick one seller relationship and operate as a lead originator for that specific seller, becoming a marketing partner rather than a lead exchange.

The scope of the vacated "logical and topical relationship" prong was always fuzzy at the edges. A home services site covering roofing, HVAC, and solar: are all three logically related? The FCC's order never gave a bright-line test, and the court that vacated the prong (see below) removed the question in one stroke, at least for now.

For teams doing their own outbound calling and not buying third-party leads, the rule still bites. If your website contact form is the consent basis for outbound calls, that form has to name your company specifically. Generic "contact us" forms that bundle consent language for multiple corporate affiliates may no longer hold up.

The order does not prescribe exact consent language. Reading it alongside the FCC's existing prior express written consent regulations (47 C.F.R. § 64.1200) gives you a workable checklist [4].

Compliant consent under the new rule should:

1. Name your company specifically. Not "our partners," not "affiliated companies," not a generic brand family. Your legal entity name.

2. Appear on a page that makes logical sense for your product. A consumer seeking roofing quotes who sees your roofing company named in the disclosure: logically related. The same consumer seeing your dental insurance company named: not related. (This prong was vacated by the Eleventh Circuit, but naming the seller on a related page still reduces your exposure, so keep doing it.)

3. Be a clear and conspicuous disclosure. The consumer can actually see and understand it before submitting. Courts have repeatedly found that consent buried in terms-of-service links, or in tiny gray text below a submit button, fails the "clear and conspicuous" standard that predates this rule.

4. Reflect the consumer's affirmative agreement. Pre-checked boxes do not satisfy prior express written consent under existing FCC rules [4]. That has not changed.

5. Be documented. Store the timestamp, IP address, form version, and the exact consent language the consumer saw at submission. If you can't reconstruct what the form looked like on the day the consumer consented, you effectively have no consent record for litigation.

Buying leads from a third party? You now need to verify that the originating site collected consent naming your company, with the elements above in place. A seller's promise that leads are "TCPA compliant" is not enough. See the consent flow yourself, or get contractual indemnification that specifically covers the one-to-one requirement. And remember: indemnification is only as good as the seller's ability to pay a judgment.

For a practical audit of your current consent forms and call workflows, LeadCompliant's free TCPA compliance kit walks through the specific disclosure elements the FCC now requires.

Does this rule apply to SMS texts and email, or only to phone calls?

The one-to-one consent requirement applies to autodialed or prerecorded calls and texts to cell phones under 47 U.S.C. § 227(b)(1) [2]. That covers most outbound sales and marketing: ringless voicemails (which the FCC treats as calls), SMS sent through any platform using a list-based send function, and traditional robocalls.

Email sits outside the TCPA. The CAN-SPAM Act governs commercial email, and its consent requirements are different and generally looser.

Live agent calls that use no automatic telephone dialing system and play no prerecorded message fall outside the TCPA's prior express written consent requirement, though the FTC's Telemarketing Sales Rule and the National DNC Registry still apply [6][8]. See what the telemarketing sales rule is designed to do for how those rules interact.

One gray area: calls to landlines. The TCPA requires prior express consent (not the written version) for prerecorded calls to residential landlines. The one-to-one rule is framed around prior express written consent, the cell phone standard. How the FCC's new language maps onto landline prerecorded calls is worth clarifying with counsel.

Most outbound sales teams are calling cell phones with some form of automated system. If that describes you, assume the one-to-one rule applies to every call and text in your workflow.

What are the TCPA penalties if you get this wrong after January 27, 2025?

TCPA statutory damages run $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones [2]. Each call or text is a separate violation. A small campaign sending 10,000 texts without compliant one-to-one consent is $5 million of exposure at the floor, and $15 million if a court finds the conduct willful.

TCPA claims are exceptionally friendly to class action plaintiffs. Damages are statutory, so nobody has to prove actual harm, and the class is easy to define: everyone who got an unconsented call or text. Settlements in TCPA class actions routinely reach the tens of millions. The largest have topped $75 million, though most small-business cases settle for far less because defendants run out of money first.

The FCC can also issue forfeiture orders, separate from private litigation. Under 47 U.S.C. § 503(b), the FCC can impose forfeitures up to $23,727 per violation, a figure that adjusts for inflation periodically [10]. In big robocall cases the FCC has levied nine-figure fines, though collecting against fly-by-night operators is spotty.

The "I bought leads from a vendor who said they were compliant" defense has failed consistently in TCPA litigation. The called party's consent must run directly to the company making the call. Vendor representations do not transfer that consent. After January 27, 2025, any company still buying bundled leads and dialing them carries exposure that an indemnification clause is unlikely to fully cover.

Violation typeStatutory damages per call/textNotes
Negligent$500Floor; court sets amount
Willful or knowing$1,500Up to 3x the base amount
FCC forfeiture (adjusted)Up to $23,727Separate from private suit
Class action typical settlementVaries widelyTens of millions for large campaigns

How does the rule affect B2B telemarketing specifically?

This is a genuine gray zone, and honest practitioners say so. The TCPA applies to calls to numbers assigned to a cellular telephone service, full stop. It does not ask whether the call is business-to-business or business-to-consumer [2]. If you are dialing someone's cell phone, the TCPA's consent requirements apply no matter how you label the call.

B2B callers have historically leaned on two arguments: that many business calls hit landlines (a lower consent bar for non-prerecorded calls), or that an "established business relationship" exemption applies in certain contexts. Neither fully resolves the one-to-one consent question for cell phone calls.

For B2B teams calling mobile numbers from a contact database, risk went up on January 27, 2025. If those numbers came from a data provider claiming to have consent, you now need to verify whether that consent named your company and was obtained in a topically related context. Most B2B contact databases cannot show you that.

The advice most compliance attorneys are giving B2B teams: live agent calls to verified business numbers, with no ATDS, are lower risk. Automated or prerecorded calls to cell phones in a B2B context need the same one-to-one consent as a consumer campaign. See B2B cold calling rules: what's legal, what's not, and what to do for a fuller breakdown of how the TCPA applies to business calls.

The FTC's Telemarketing Sales Rule has its own B2B exemptions, but those are separate from the TCPA analysis [6]. Read FTC Telemarketing Sales Rule, B2B calls, and AI voice in 2024 for how the TSR interacts with these TCPA changes.

Was the rule challenged legally, and is there any chance it gets reversed?

Yes. The rule was challenged almost immediately. Industry groups including the Insurance Marketing Coalition petitioned to overturn the FCC's December 2023 order in federal court. The Eleventh Circuit Court of Appeals heard the case and in early 2025 vacated part of the order, specifically the "logical and topical relationship" requirement, finding the FCC exceeded its statutory authority under the TCPA on that prong [5].

This matters, and the compliance community is still sorting through it. Here is the current state.

The one-to-one requirement (one seller per consent) was not vacated. That piece remains in effect. The part thrown out was the requirement that the consent page be logically and topically related to the seller. So the aggregator model is partly rescued: you can still collect consent for multiple unrelated sellers on the same page, as long as each seller is named individually.

The FCC has not said whether it will re-adopt the topical relationship requirement through a new rulemaking. The broader regulatory environment has generally been skeptical of expansive agency rulemaking, which complicates the odds of the FCC reviving the vacated prong.

What this means for you: the one-to-one named-seller requirement is real and in force. The topical relationship requirement is gone for now. Running consent forms that name each seller individually stays the safest approach. It satisfies the named-seller prong, and it keeps you cleaner if the FCC or another court ever revisits the topical piece.

What should your compliance process look like right now?

Given the legal uncertainty after the Eleventh Circuit decision, teams are making different judgment calls. Here is a reasonable compliance process for today, without waiting for the courts to finish.

First, audit every consent form and landing page your company uses to establish TCPA consent. For each one: does the form name your company by its actual legal name? Does the consumer clearly see that name before submitting? Is there a clear disclosure that they agree to receive autodialed or prerecorded calls and texts? Do you store the timestamp, IP, and form version?

Second, if you buy leads, stop accepting "TCPA compliant" as a label and start demanding documentation. Ask the vendor to show the actual consent flow: what the form looked like, what language appeared, whether your company was named. If the vendor can't produce that, or the consent came from a page with no relationship to what you sell, treat the lead as unconsented for autodialing.

Third, review your call and text campaigns for use of automatic telephone dialing systems or prerecorded messages. Any automated outreach to cell phones triggers the one-to-one named-seller requirement. Live agent calls without automation carry less TCPA risk but still need DNC compliance. See TCPA quiet hours: what times you can and cannot call or text for the time-of-day rules that apply regardless of consent.

Fourth, get your consent records into a system where you can pull them on demand. TCPA defendants who win almost always win because they produce the exact consent record for the specific number that got called. Defendants who lose often can't find the record, or find one that turns out to be a different form version than what the consumer actually saw.

LeadCompliant's free compliance checklist covers the documentation fields plaintiffs' attorneys and FCC investigators request first. It is a useful starting audit template even if you customize it later.

For teams doing cold calling with live agents, document your dialing methodology clearly so you can show you are not using an ATDS if that question surfaces in discovery.

Documentation is where companies get burned. They had a compliant form at some point, but they can't reconstruct what it looked like on the date a specific consumer submitted. Courts have held that a consent defense requires showing the specific consent you actually obtained, more than proof that you had a form capable of generating compliant consent.

The minimum record for each consent should include: the consumer's name and phone number as submitted, the exact date and time as a timestamp, the source IP address, the URL of the consent page, a versioned copy of the form language, and the action the consumer took (button click, form submit).

A versioned form means you treat your consent disclosure like software. Every time the language changes, you increment the version and keep the old one with its date range. If you collected consent under version 1.2 from January through March 2025, you need version 1.2 in your records indefinitely, more than the current form.

Some teams screenshot their consent pages, which beats nothing but scales poorly. Better options: consent management platforms that log the exact HTML rendered to a specific session, or database-backed form systems that store form version IDs alongside each submission.

For AI-driven outreach, the documentation burden is identical. An AI voice call or AI-sent text is still an autodialed or prerecorded communication under the TCPA if the system can send to a list without human initiation of each call. See AI cold calling for how the FCC has been treating AI voice in the post-2025 environment.

Frequently asked questions

The FCC's one-to-one consent rule, adopted in December 2023 and effective January 27, 2025, requires that prior express written consent under the TCPA identify a single, specific seller. A consent form can no longer authorize an unlimited number of unrelated companies to call or text a consumer. Each company making autodialed or prerecorded calls to a consumer's cell phone needs its own individual consent from that consumer.

The rule took effect January 27, 2025. The FCC adopted the underlying order on December 13, 2023, and set the effective date roughly thirteen months later to give lead generators, telemarketers, and their technology vendors time to rebuild consent flows and renegotiate lead-purchase agreements. Any autodialed or prerecorded call or text to a cell phone made after January 27, 2025 must rest on consent that meets the new standard.

What loophole did the FCC close with the January 2025 rule?

The old loophole let one consumer consent form authorize dozens or hundreds of unrelated companies to call or text. Lead gen sites collected a single consent checkbox, then sold that lead to many buyers, each claiming TCPA coverage under the same consent event. The FCC's rule closed this by requiring consent to name only one seller. Each seller now needs its own consent, obtained from the consumer directly.

Partially. The Eleventh Circuit Court of Appeals vacated the "logical and topical relationship" requirement, finding the FCC exceeded its authority on that specific prong. The core one-to-one named-seller requirement was not vacated and remains in effect. So you still need consent that names your company specifically, but the requirement that the consent page be topically related to your product is no longer enforceable following the court's ruling.

Yes, if you are calling cell phones using an automatic telephone dialing system or playing a prerecorded message, the TCPA applies regardless of whether the call is B2B or B2C. Live agent calls to verified business landlines carry lower TCPA risk, but autodialed or prerecorded calls to mobile numbers require compliant one-to-one consent even for business contacts. Most B2B contact databases cannot demonstrate they collected consent naming your specific company.

Can I still buy leads from a lead generator after January 27, 2025?

You can, but the risk profile changed significantly. Under the one-to-one rule, the consent collected by the lead generator must name your company specifically. If the lead gen site named a different company, or used generic "partner" language, that consent does not cover your calls. You need to see the actual consent flow, confirm your legal entity name appears, and verify the consumer took an affirmative action. Vendor representations alone are not a defense.

What are the TCPA penalties for violating the one-to-one consent rule?

TCPA statutory damages are $500 per call or text for negligent violations and $1,500 per call or text for willful violations. Each contact is a separate violation. A campaign of 10,000 texts without proper consent is a $5 million to $15 million exposure before any class action premium. The FCC can also impose separate forfeiture penalties of up to $23,727 per violation under 47 U.S.C. § 503(b).

A compliant form names your specific company (not "partners" or affiliates), contains a clear and conspicuous disclosure that the consumer agrees to receive autodialed or prerecorded calls and texts, requires an affirmative action like a checkbox (not a pre-checked box), and links to a signed or electronic record you can retrieve later. You must store the timestamp, IP address, form version, and exact disclosure language shown at the time of submission.

Yes. The TCPA covers autodialed or prerecorded texts to cell phones under the same statutory provision as calls (47 U.S.C. § 227(b)(1)). The one-to-one consent requirement applies to any text message sent through a system that can send to a list without human initiation of each individual message. A compliant text campaign needs the same named-seller consent as a call campaign.

How does the FCC rule affect comparison websites and insurance aggregators?

It hits them hardest. The old model let a comparison site collect one consent and distribute the lead to many carriers. Under the one-to-one rule, each carrier needs to be named individually in a separate consent. The Eleventh Circuit's vacatur of the topical relationship prong offers some relief for aggregators, but the named-seller requirement still stands. Most aggregators are moving toward single-carrier lead flows or first-party marketing arrangements.

You need the consumer's submitted phone number, the exact date and time of submission, the source IP address, the URL of the consent page, a versioned copy of the form language as it appeared on that date, and evidence of the consumer's affirmative action. Form language must be versioned and retained permanently, more than the current version. Courts require you to show the specific consent for the specific number sued upon.

Is a pre-checked box enough for TCPA prior express written consent?

No. The FCC's existing regulations and court decisions consistently hold that prior express written consent requires an affirmative consumer action. A pre-checked box that the consumer must uncheck to opt out does not satisfy the standard. The consumer must take a positive step, such as checking an empty box or clicking a clearly labeled agree button, to create valid written consent under 47 C.F.R. § 64.1200.

Prior express written consent is the higher standard and is required for autodialed or prerecorded calls and texts to cell phones for telemarketing purposes. It must be a signed written agreement, which includes electronic signatures. Prior express consent (without the written requirement) applies to informational non-telemarketing calls to cell phones and to some landline prerecorded calls. The one-to-one rule targets the written consent standard for telemarketing.

Does the FCC rule apply to ringless voicemail drops?

The FCC has taken the position that ringless voicemails are "calls" under the TCPA. A 2022 FCC declaratory ruling confirmed this, meaning ringless voicemail to a cell phone requires prior express written consent for telemarketing purposes, the same as any other prerecorded call. The one-to-one consent requirement applies. Ringless voicemail vendors who market their product as a TCPA loophole are selling a risk, not a compliance solution.

Sources

  1. FCC, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, Report and Order, FCC 23-107 (December 2023): FCC December 2023 order adopting one-to-one consent requirement and finding that lead generation practices had 'spawned a lead generation industry' leaving consumers 'inundated with unwanted calls'
  2. 47 U.S.C. § 227, Telephone Consumer Protection Act, Cornell Legal Information Institute: TCPA statutory text prohibiting autodialed and prerecorded calls/texts to cell phones without prior express consent; statutory damages of $500 per violation, $1,500 for willful violations
  3. FCC, 47 C.F.R. § 64.1200, Code of Federal Regulations via eCFR: FCC regulations defining prior express written consent requirements, including prohibition on pre-checked boxes and requirement for affirmative consumer action
  4. Insurance Marketing Coalition Ltd. v. FCC, No. 24-10277, U.S. Court of Appeals for the Eleventh Circuit: Eleventh Circuit vacated the FCC's logical and topical relationship requirement, finding the FCC exceeded its statutory authority on that prong of the one-to-one consent rule
  5. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310, Federal Trade Commission: FTC Telemarketing Sales Rule requirements applicable to telemarketing calls, including National DNC Registry obligations separate from TCPA consent
  6. FCC, Declaratory Ruling treating ringless voicemail as a call under the TCPA (2022): FCC confirmed in a 2022 declaratory ruling that ringless voicemail constitutes a 'call' under the TCPA requiring prior express written consent for telemarketing purposes
  7. National Do Not Call Registry, Federal Trade Commission: National DNC Registry obligations apply to telemarketing calls regardless of TCPA consent status; separate compliance track from one-to-one consent rule
  8. Federal Register, FCC TCPA Final Rule (2024), effective January 27, 2025: Federal Register publication of FCC one-to-one consent rule setting effective date of January 27, 2025
  9. 47 U.S.C. § 503(b), Communications Act forfeiture penalty authority, Cornell Legal Information Institute: FCC forfeiture penalty authority under the Communications Act, basis for per-violation fines separate from private TCPA litigation

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit