Last updated 2026-07-10

TL;DR
The FCC's one-to-one consent rule, effective January 27, 2025, ended the practice of a single TCPA consent covering dozens of unrelated sellers. Now each seller needs its own express written consent before sending robocalls or robotexts. Lead generators who ran on shared consent forms had to rebuild their model from scratch.
What was the telemarketing consent loophole the FCC just closed?
For years, one checkbox on a lead form could authorize 20, 30, even 50 unrelated companies to call or text a consumer using an autodialer or prerecorded voice. The consumer thought they were asking one insurance company for a quote. What they actually signed was a blanket TCPA consent covering a roster of marketers they'd never heard of, all of whom then had legal cover to flood the phone.
This worked because of a gap in the statute. The TCPA's express written consent requirement, at 47 U.S.C. § 227(b), says a consumer must give "prior express written consent" to receive autodialed or prerecorded calls, but the text never says how many sellers one consent can name. Lead generators took that silence and ran. A single opt-in page became a clearinghouse. Consent was bundled, sold, and resold like pork bellies.
The FCC called this the "comparison shopping website" loophole. Its 2023 rulemaking described the model plainly: "consumers who visit websites seeking quotes or information are often presented with lengthy lists of companies that they are purportedly consenting to be contacted by." [1] That line is from the FCC's Notice of Proposed Rulemaking. The Commission found the practice at odds with the purpose of the TCPA and moved to kill it.
This was no obscure edge case. It was the operating spine of the insurance, mortgage, solar, and home services lead industries. Billions in call center revenue ran on it.
What exactly does the FCC one-to-one consent rule require?
The FCC adopted its one-to-one consent rule in a Report and Order released December 13, 2023, effective January 27, 2025. [2] The rule amends the FCC's TCPA regulations at 47 C.F.R. § 64.1200 to add two new requirements for a valid prior express written consent.
First, the consent has to be for calls and texts made by or on behalf of a single specific seller. One consent, one seller. A consumer filling out a form can still consent to several sellers, but only if the form names each one and the consumer makes a separate, clear affirmative act for each. The catchall disclosure naming a generic category like "our partners" or "participating lenders" is dead.
Second, the consent has to be logically and topically associated with the website or context where the consumer provides it. Visit a site about auto insurance, and that visit can't manufacture consent for a home security company. The topic has to match. The FCC framed this as making sure the consumer's agreement is a clear signal of willingness, not a buried disclosure nobody reads. [2]
Those two requirements are the whole rule. No grace period remains. The effective date was January 27, 2025. If your consent form still names multiple sellers under one checkbox, you are outside the rule today.
For the wider picture of what the TCPA requires on calling, cold calling is a good starting point.
When did this rule take effect, and is there still time to comply?
The rule took effect January 27, 2025. No further delay. The FCC published the Report and Order in the Federal Register on December 28, 2023, which started a 13-month runway for the industry to get ready. [2]
That runway is gone. Teams hoping for a last-minute judicial stay did get some suspense in late 2024. The Insurance Marketing Coalition sued in the Eleventh Circuit to vacate the rule, arguing the FCC blew past its statutory authority. The court declined to stay the rule before its effective date, though the underlying case rolled into 2025. [3] So the rule is live and enforceable while the litigation grinds on. Betting your operation on the rule getting overturned is a bet with real money on the table.
There is nothing left to "prepare" for. The only question now is whether your current consent flow is already compliant, or whether you're sitting on live liability.
Who does the one-to-one consent rule affect most?
The lead generation industry is the obvious bullseye. Publishers who run comparison sites, form fills, or ping-and-post networks had to rebuild their consent architecture or leave the business. For them, the old model was the business.
The damage runs downstream, though. Any company that buys leads from a third-party generator has to verify the consent underlying those leads is compliant under the new rule. A vendor telling you the consent is clean is not a legal defense. Under TCPA case law, the seller who makes the call carries the liability. Courts have found again and again that a caller can't hand off its consent obligations to whoever collected the form. [4]
Insurance carriers, solar companies, mortgage lenders, home services brands, any vertical running on purchased leads, all of them face this. So do the platforms powering the call centers those buyers run.
Small teams that generate their own leads through their own landing pages are far less exposed, assuming their forms already name only their company. If your form says "[YourCompany] may contact you," you're probably fine on the one-to-one requirement. If it says "our network of providers may contact you," you're not.
AI cold calling built on purchased lead pools carries double risk here, because the autodialer rules and the new consent requirement both bite.
How does the new rule change lead generation consent forms?
Under the old model, one disclosure at the bottom of a form could authorize a long list of companies. Legal teams wrote those disclosures to be technically visible and functionally unreadable. Scroll down, click "Get My Quote," and you've just consented to 40 companies calling you forever.
Under the new model, each seller needs its own clear affirmative consent that is (a) named specifically and (b) topically connected to the page. The workable ways to pull that off are limited.
One approach is a separate checkbox per seller on the form. Run a network with five buyers, show five checkboxes. None pre-checked. Each names the specific company. This works. But conversion on a form with five unchecked boxes is almost certainly lower than on a form with one agree-to-all button. That hit is real, and there's no way around it.
A second approach is a confirmed opt-in, or two-step flow. The first form collects a name and number. A second page then presents a specific seller and asks for consent outright. Fine for small rosters. Impractical at the scale lead gen networks used to run.
A third approach is walking away from shared consent entirely and operating as a first-party generator who only calls its own leads. Plenty of compliance-forward teams were already doing exactly that.
The FCC was blunt that it won't accept consent obtained through obscure or confusing disclosures. [2] Any form design a reasonable observer would call tricky is likely to fail in litigation.
What does "logically and topically associated" actually mean in practice?
This is the part of the rule with the least regulatory clarity so far, and it matters a lot for multi-vertical businesses. The short version: the seller's product has to be directly tied to the reason the consumer came to the page.
The FCC's Report and Order gives a couple of examples. A consumer on a mortgage refinance page consenting to contact from a mortgage lender is clearly topical. That same consumer on that same page consenting to contact from a health insurance company clearly is not. Everything in between is the gray zone.
Take a financial services hub covering auto loans, home equity lines, personal loans, and credit cards. Is each product its own topic? The FCC hasn't drawn those lines precisely. The safest read is that the seller's product must connect directly to why the consumer showed up. Somebody who searched "home equity loan" and landed on your page can be pitched a home equity lender. A life insurance company, probably not.
Most compliance attorneys are giving one piece of practical advice right now: if it takes you more than two sentences to explain why a seller is topically related to the page, it probably isn't. The FCC leaned on the word "clear" over and over. The standard is meant to be intuitive, not something you lawyer your way around.
For teams doing B2B outbound, B2B cold calling rules covers where TCPA consent requirements land differently in business-to-business contexts.
Does this rule apply to text messages, or just phone calls?
Both. The TCPA, at 47 U.S.C. § 227(b)(1)(A), covers autodialed calls and texts to mobile numbers, and the new one-to-one rule explicitly applies to "calls and texts." [2] The FCC has treated SMS as the equivalent of a call for TCPA purposes since at least its 2012 order.
This matters because SMS is where the consent loophole showed up most aggressively. A lead generator would grab a phone number, fire off an immediate text from one of the listed companies, and that text worked as both a marketing message and the handoff that kicked off the call sequence. The new rule shuts that pathway.
Any robotext (a text sent using an autodialer) to a wireless number now needs its own seller-specific written consent. If you're texting a list of purchased leads today, you need to verify that each record has a consent naming your company specifically and matching the topic of your offer.
For the rules on texting timing and opt-out, TCPA quiet hours covers the federal and state hour restrictions that stack on top of the consent requirements.
What are the TCPA penalties for violating the one-to-one consent rule?
The penalty structure is the same as any TCPA violation. Under 47 U.S.C. § 227(b)(3), a consumer can sue for $500 per violation. If a court finds the violation willful or knowing, that climbs to $1,500 per violation. [5] There's no cap per plaintiff, and class actions are the norm.
One blast to 10,000 numbers without valid consent is a potential $5 million exposure at $500 per call, or $15 million if the court finds willfulness. That arithmetic is why TCPA class actions settle for big numbers even when the conduct looks minor on paper.
The FCC can also impose forfeitures under 47 U.S.C. § 503(b). In the robocall context, the FCC has issued fines in the hundreds of millions of dollars against large-scale violators, though whether the money ever gets collected depends on whether the defendant has assets. [6]
Private class actions are the realistic threat for small teams. Plaintiff attorneys work on contingency and actively hunt non-compliant callers. A purchased list of 50,000 leads with defective consent is not a minor business headache. It's an extinction event.
The table below shows how the per-violation math scales.
| Calls/texts sent | Per-violation rate | Standard exposure | Willful exposure |
|---|---|---|---|
| 1,000 | $500 | $500,000 | $1,500,000 |
| 10,000 | $500 | $5,000,000 | $15,000,000 |
| 50,000 | $500 | $25,000,000 | $75,000,000 |
| 100,000 | $500 | $50,000,000 | $150,000,000 |
Can you still use lead generators and third-party lists legally?
Yes, but the due diligence load on you as the caller is much heavier now.
Before the one-to-one rule, a buyer could accept a vendor's word that consent had been collected and dial the list. Courts split on how much inquiry the caller owed. After the rule, the FCC's position is that consent must name your company specifically. If it doesn't name you, it doesn't cover you, no matter what the vendor promised.
So you need one of three things: (a) consent records that name your company, (b) the consumer re-consenting directly to you before you run any autodialed contact, or (c) a contact method that doesn't trigger the TCPA autodialer rules at all, like manual dialing by a human agent with no predictive or automated component.
Some lead networks are adapting with what they call co-registration flows, where the consumer sees your company's name and checks a box at the point of form submission. If that's genuinely what happens and you can prove it with logs, you have a defensible consent record. If the flow has dark patterns, pre-checks, or confusing disclosures, it won't survive litigation.
Verify. Audit your vendors. Get the consent timestamps, IP addresses, and form language in writing. LeadCompliant's free TCPA consent checker can help you evaluate whether a consent form's language meets the new standard before you dial against a purchased list. If you're rebuilding your consent process from scratch, the compliance kit at LeadCompliant.com has templates that reflect the post-January 2025 requirements.
How is the one-to-one rule different from the existing TCPA consent requirement?
Before the one-to-one rule, the TCPA already required "prior express written consent" for autodialed or prerecorded calls to wireless numbers and for telemarketing calls to residential lines. [5] That requirement existed and still does. The one-to-one rule adds specificity to what makes that consent valid.
The old requirement said consent had to be in writing, clear and conspicuous, tell the consumer they're agreeing to autodialed or prerecorded calls, and never be a condition of purchase. [7] Those elements still apply. The new rule adds two more: consent names one specific seller, and the topic matches the context where consent was gathered.
Think of it this way. The old requirement defines what format consent must take. The new rule defines how many parties one consent can cover (one) and what subject matter it has to relate to (the topic of the page).
The prior express written consent framework, which the FCC codified in its 2012 omnibus TCPA order, is still the foundation. The one-to-one rule is an amendment stacked on top of it, not a replacement. [7]
For how this meets the Telemarketing Sales Rule, which the FTC enforces on its own track, the FTC Telemarketing Sales Rule covers the parallel federal framework.
What do courts and regulators say about the lead gen loophole cases so far?
The FCC's rulemaking cited a wave of consumer complaints about comparison shopping sites as the factual basis for the rule. The Commission's 2022 report on unwanted calls put lead generator-sourced robocalls among the top complaint categories, though the FCC doesn't publish exact counts by source type. [6]
Before the rule took effect, some courts were already skeptical of shared consent. In Ginwright v. Exeter Finance Corp., a federal court held that consent obtained through a third-party lead generator did not transfer to the caller when the consumer had no direct relationship with that caller. [4] That ruling predates the one-to-one rule but points the same direction.
The Insurance Marketing Coalition's Eleventh Circuit challenge is the pending litigation to watch. The industry argued the FCC exceeded its authority because Congress never explicitly authorized the one-to-one limitation. The court did not stay the rule, which usually signals the judges didn't find the challenge likely to win, though no merits ruling had come down as of mid-2025. [3]
The broader regulatory wind is blowing against the lead gen model. The FTC has tightened its own telemarketing rules too. What the Telemarketing Sales Rule is designed to do covers the FTC's parallel framework and how it meets TCPA enforcement.
What should a small outbound team actually do right now?
If you generate your own leads through your own web properties, audit your consent language today. The form should name your company by name, describe the type of contact (autodialed calls and texts), avoid being a condition of purchase, and relate to the topic of the page. That's the checklist. Have a lawyer review the exact language if you're running any volume at all. Attorney review of a consent form runs a few hundred dollars. A TCPA class action runs into the millions.
If you buy leads from a third party, demand the consent documentation for every record before you call it. Ask flat out: does the consent name our company? What was the URL and form language at the time of consent? Get it in a data file you can produce in discovery if you have to. A lot of lead sellers won't be able to answer these questions for records collected before January 27, 2025, and that's a problem you own the second you dial.
If your team does cold calling and works from scripts, make sure your cold calling scripts disclose who's calling and why, which helps on the TSR side and builds a paper trail of consistent practice.
Stop trusting verbal claims from lead vendors about consent quality. The one-to-one rule made that approach legally indefensible. The consent record must name you. Anything short of that, and you're the party holding the TCPA exposure.
Frequently asked questions
What is the FCC one-to-one consent rule?
It is an FCC amendment to TCPA regulations, effective January 27, 2025, that requires each seller to have its own separately obtained prior express written consent before making autodialed or prerecorded calls or texts to a consumer. A single consent form can no longer authorize multiple unrelated companies to contact the same consumer.
When did the FCC one-to-one consent rule take effect?
January 27, 2025. The FCC adopted the rule in its Report and Order on December 13, 2023, giving industry about 13 months to comply. An Eleventh Circuit challenge failed to produce a stay before the effective date, so the rule is currently active and enforceable.
Does the one-to-one consent rule apply to text messages?
Yes. The TCPA covers autodialed calls and texts to mobile numbers equally, and the FCC's new rule explicitly applies to both. Any robotext sent to a consumer must be backed by a consent that names the specific sending company and relates to the topic of the page or context where the consumer gave consent.
Can I still buy leads from a third-party generator after the one-to-one rule?
You can, but the consent underlying those leads must name your company specifically. A generic partner consent does not cover you. Before calling a purchased list, verify that each record has a documented consent that identifies your company by name, was collected on a page topically related to your offer, and is not pre-January 27, 2025 shared consent.
What does "logically and topically associated" mean under the new FCC rule?
It means the seller's product or service must be directly relevant to why the consumer visited the page where consent was collected. A mortgage company getting consent on a mortgage quote page is topical. That same mortgage company getting consent on an auto insurance page is not. The FCC intended this standard to be intuitively clear, not lawyered around.
What are the penalties for violating the one-to-one consent rule?
The underlying TCPA penalty structure applies: $500 per violation, up to $1,500 per violation for willful or knowing violations, under 47 U.S.C. § 227(b)(3). Class actions are common. A blast to 10,000 numbers without proper consent is a potential $5 million to $15 million exposure before legal fees.
Is the FCC one-to-one rule being challenged in court?
Yes. The Insurance Marketing Coalition filed suit in the Eleventh Circuit arguing the FCC exceeded its statutory authority. As of mid-2025, the court had declined to stay the rule pending review, meaning it remains in effect. The merits challenge was ongoing, but the rule is enforceable now regardless of how the case ultimately ends.
Do I need separate consent for every seller in my network?
Yes, if those sellers use autodialed calls or texts. Each seller needs its own affirmative consent from the consumer. You can present multiple sellers on one form if each has a separate, unchecked checkbox with the seller's name clearly visible, but a single blanket checkbox covering a list of companies is no longer valid under the rule.
Does the one-to-one rule apply to B2B calls?
The TCPA's autodialer restrictions apply to calls to wireless numbers regardless of whether the recipient is a business or a consumer. B2B calls to landlines at a business have different TCPA treatment, but if you are calling a cell phone number, even to a business contact, the consent requirements apply. The one-to-one rule follows the same scope.
What should my consent form say to comply with the new rule?
It should name your company specifically, describe that you may make autodialed or prerecorded calls and texts, state the phone number being covered, avoid being a condition of purchase, and appear on a page topically related to your offer. The consumer must take an affirmative action, like checking an unchecked box, to grant it.
Does the one-to-one rule change anything about the National Do Not Call Registry?
No. The DNC rules are separate. Consumers who register their numbers on the National DNC Registry are protected regardless of whether they gave consent elsewhere. The one-to-one rule addresses the consent requirement for autodialed and prerecorded calls; DNC compliance is a parallel obligation that still applies independently.
What records do I need to keep to prove one-to-one consent compliance?
Keep the timestamp of consent, the IP address, the exact form language shown to the consumer, the URL of the page, and the consumer's phone number. You need to reproduce exactly what the consumer saw and agreed to. Courts in TCPA cases routinely order production of these records, and missing documentation is treated as absence of consent.
If I manually dial every call without an autodialer, does the one-to-one rule apply?
The one-to-one consent rule, as an FCC amendment to TCPA autodialer regulations, applies to autodialed and prerecorded calls. Truly manual calls, where a human dials each number without any predictive, automated, or sequential dialing technology, are generally outside the autodialer scope of the TCPA. However, the FTC Telemarketing Sales Rule has its own consent requirements that apply to telemarketing calls more broadly.
Sources
- FCC, Notice of Proposed Rulemaking, CG Docket No. 21-402 (2023): FCC described the comparison shopping website loophole and noted consumers are presented with lengthy lists of companies they purportedly consent to be contacted by
- FCC, Report and Order, CG Docket No. 21-402, adopted December 13, 2023, effective January 27, 2025: One-to-one consent rule requires consent specific to one seller and logically and topically associated with the website context; effective date January 27, 2025
- Insurance Marketing Coalition v. FCC, U.S. Court of Appeals for the Eleventh Circuit (2024-2025): Eleventh Circuit declined to stay the one-to-one consent rule before its January 27, 2025 effective date
- Ginwright v. Exeter Finance Corp., 280 F. Supp. 3d 674 (D. Md. 2017): Court held that consent obtained through a third-party lead generator did not transfer to the calling party that lacked a direct relationship with the consumer
- 47 U.S.C. § 227(b)(3), Telephone Consumer Protection Act: Provides $500 per violation, up to $1,500 for willful or knowing violations, and private right of action for consumers
- FCC, 2012 Omnibus TCPA Order, CG Docket No. 02-278, 27 FCC Rcd 1830: Established prior express written consent framework requiring written agreement, clear and conspicuous disclosure, not a condition of purchase, effective October 16, 2013
- 47 U.S.C. § 227, Telephone Consumer Protection Act (full statute): Statute text covering autodialed calls, prerecorded messages, and wireless number restrictions that underpin the TCPA consent framework
- 47 C.F.R. § 64.1200, FCC TCPA implementing regulations: FCC regulatory text implementing TCPA consent requirements, amended by the one-to-one consent rule
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Parallel federal telemarketing consent and calling restriction framework enforced by the FTC separate from the TCPA