How to audit affiliate lead sources for TCPA consent compliance

TCPA fines hit $500, $1,500 per call or text. Learn exactly how to audit affiliate lead sources for consent gaps before the lawsuits find you.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-09

Compliance manager reviewing affiliate lead records and spreadsheets at a desk
Compliance manager reviewing affiliate lead records and spreadsheets at a desk

TL;DR

To audit affiliate lead sources for TCPA compliance, verify that written consent was collected on the affiliate's actual opt-in page, that the disclosure named your company by name, that consent records are retained and retrievable, and that the opt-in timestamp predates your first contact. A gap at any step exposes you to $500, $1,500 per-call liability under 47 U.S.C. § 227.

Why does affiliate lead sourcing create so much TCPA risk?

Most TCPA lawsuits against outbound teams don't start with a rogue dialer. They start with a lead that looked clean in the CRM but wasn't. The affiliate sold you a name and a phone number. What they didn't sell you, necessarily, was legally sufficient consent to autodial that person or text them a marketing message.

Under 47 U.S.C. § 227(b), calling or texting a cell phone with an automatic telephone dialing system or a prerecorded voice, without the called party's prior express written consent, is a violation. Statutory damages sit at $500 per violation, trebled to $1,500 for willful violations [1]. One purchased list of 10,000 leads, all with defective consent, is $5, $15 million of exposure parked in your CRM.

The FCC has been blunt about who owns the risk. The 2012 order that set the current written-consent standard put it on the caller: sellers "bear the burden of demonstrating" that they got consent [2]. Buying leads from an affiliate does not move that burden onto the affiliate. You called. You're liable.

Affiliate networks build a specific trap. The consumer filled out a form on a website they may not remember, agreed to terms they probably skimmed, and your company's name may or may not have appeared anywhere on that page. The gap between what the affiliate told you and what the consumer actually saw is where class-action attorneys live. Cases like the cash app tcpa class action settlement and the credit one tcpa settlement show how fast these turn into eight-figure numbers.

The FCC's 2012 order under 47 U.S.C. § 227 requires "prior express written consent" for autodialed or prerecorded marketing calls and texts. That phrase has a precise legal meaning, and most affiliates get it wrong.

Valid written consent has to show three things: a clear and conspicuous disclosure that the consumer authorizes the specific seller to contact them by autodialer or prerecorded message; the consumer's agreement, evidenced by a signature (electronic is fine); and disclosure that isn't buried in fine print or bundled in a way that makes it unconscionable [2].

The FCC's 2023 one-to-one consent rule, effective January 27, 2025, added a layer. Consent has to go to one seller at a time, and the goods or services the consumer agrees to hear about have to be "logically and topically related" to the website where the consent was collected [3]. Someone who filled out a mortgage-quote form cannot, under the current rule, be validly consented for your insurance offer just because the affiliate's terms listed a wall of "marketing partners."

Here's the working checklist for what affiliate-sourced consent has to prove:

ElementWhat to look forCommon affiliate failure
Named sellerYour company's legal name on the opt-in pageGeneric "marketing partners" language only
ATDS/prerecorded disclosureExplicit statement that autodialer or texts may be usedMissing or buried in terms
Consumer signatureChecked box or electronic signaturePre-checked box or implied consent
Topical matchForm topic matches your product categoryCross-vertical lead sales
TimestampServer-side timestamp of opt-inNo timestamp or easily manipulated
Opt-in page URLActual URL where the form livedAffiliate can't produce it

If the affiliate can't hand you all six for a given lead, that lead's consent is legally suspect. Treat it that way.

Auditing affiliate lead sources isn't a one-time event. It runs on three tracks at once: a pre-onboarding gate, a spot-check rhythm, and a triggered investigation when complaints land. Here's how to structure all three.

Step 1: Pre-onboarding due diligence

Before you buy a single lead, request and review the affiliate's opt-in page documentation. You want the live URL (or archived screenshots if the page rotates), the exact consent language shown to consumers, and a sample record showing what fields get captured at submission. If the affiliate won't share this, stop. That refusal is your answer.

Run a test lead yourself. Go to the opt-in page as a consumer would, fill it out with your own contact info, and document what you saw. Save the screenshot with a timestamp. Then watch who contacts you. If seven other companies call, the affiliate is selling your "consent" to a buyer list that runs far past one-to-one.

Step 2: Contract-level protections

Your affiliate agreement needs four things. A representation and warranty that the affiliate obtained prior express written consent meeting the FCC's current standard for every lead sold. An indemnification clause requiring the affiliate to defend and hold you harmless for consent defects on their leads. Record retention obligations: keep consent records at least five years and produce any one within 72 hours of a request. And a right-to-audit clause letting you review their opt-in flows and records at any time.

These won't fully protect you if a plaintiff sues you directly. They do give you a path to recover from the affiliate, and they push the affiliate to keep clean practices in the first place.

Step 3: Ongoing spot checks

For every active affiliate, pull a random sample of 50 to 100 leads per month and request the consent record for each. Match the submission timestamp against your first contact record. Any gap where your contact predates the consent is a critical finding. Review the opt-in pages monthly, because affiliates rotate landing pages constantly.

Step 4: Complaint-triggered audits

Every consumer complaint or cease-and-desist letter should trigger an immediate pull of that lead's consent record. Can't produce it within 48 hours? Assume you have a problem and pause outreach to that affiliate's leads pending review. Document the findings. If you turn up systemic defects, that paper trail shows you took corrective action, which matters when a court weighs willfulness.

TCPA affiliate consent audit: key numbers Thresholds and stakes every outbound team needs to know 500 Statutory damages per viola… (standard) 1,500 Statutory damages per viola… (willful) 4 Statute of limitations for TCPA claims (years) 2,025 One-to-one consent rule eff… year Source: 47 U.S.C. § 227 [1]; 28 U.S.C. § 1658 [4]; FCC one-to-one consent rule effective January 27, 2025 [3]

What records do you need to keep, and for how long?

The FCC's written-consent rule doesn't spell out a retention period, so the statute of limitations sets the floor. TCPA claims carry a four-year federal statute of limitations under 28 U.S.C. § 1658 [4]. Most compliance attorneys keep consent records for five years to cover tolling arguments.

For each purchased lead, your record should hold the consumer's phone number, the date and time of opt-in (in UTC), the IP address that submitted the form, the URL of the opt-in page, a stored copy of the consent language shown on that page at the time of submission, and the name of the affiliate who supplied it.

That last item, the page content as it looked at submission, is where most small teams fail. Affiliates rotate landing pages. The page that existed when the consumer signed up may be gone six months later when a plaintiff demands the consent evidence. So either capture and store the page content at lead delivery, or contractually force the affiliate to do it and produce it on demand.

For text message marketing, keep opt-in records separate from call-consent records. The consent standard is the same, but the evidence gets litigated separately, and channel-organized records save real legal fees.

Cloud storage is fine. What matters is that records are searchable by phone number in minutes, not hours. When a plaintiff's attorney sends a preservation letter or a regulator sends a civil investigative demand, the clock starts that day.

How do you verify that an affiliate's opt-in page actually named your company?

This is the single most common failure point in affiliate lead consent, and one of the easiest to check once you build the process.

The FCC's 2023 one-to-one consent rule requires that consent identify the seller by name [3]. A page that says "you agree to be contacted by our marketing partners" does not meet the standard for you specifically. Your legal entity name has to appear in the disclosure.

For new affiliates, request the HTML source of the opt-in page, more than a screenshot, since screenshots can be staged. Read the actual consent text, usually near the submit button or in small type above it. Your company name needs to be there, spelled correctly, as a named entity and not a category.

For high-volume affiliates, use the Wayback Machine at web.archive.org to pull archived versions of their opt-in pages. Cross-reference those archive dates against the timestamps on the leads they sold you. If the page in a given date range didn't name your company, leads sold from that window have defective consent no matter what the affiliate claims now.

Buying through an aggregator that bundles leads from multiple upstream affiliates? You need the consent documentation from the upstream affiliate, not the aggregator. The aggregator is a middleman. The consent event happened on the upstream page. Courts have not been kind to the argument that buying from a reputable aggregator counts as due diligence on its own.

What are the biggest red flags in an affiliate lead audit?

Once you've worked through the compliance requirements, the red flags cluster into a few patterns. Learn them and you'll spot bad inventory fast.

Consent language that lists dozens of partners. A scrollable list of 50 companies, or a link to a separate partner-list page, is a pre-2025 pattern that doesn't survive the one-to-one rule. The FCC rejected this approach outright [3].

No timestamp, or a client-side one. Timestamps generated by JavaScript in the consumer's browser can be manipulated by anyone with basic skills. You want server-side timestamps with the server's time zone recorded.

Leads arriving faster than a human fills a form. Sub-30-second batches often come from co-registration forms, auto-population tools, or fabricated submissions. Set velocity thresholds in your intake and flag batches that blow past them.

High DNC overlap. Run every inbound affiliate batch against the National Do Not Call Registry before your first outreach. If an affiliate's leads consistently hit 15 to 20% or higher DNC overlap, their sourcing is almost certainly pulling from lists rather than real opt-ins [5]. Our do not call list overview covers the scrubbing basics.

Records that take weeks to produce. Legitimate affiliates keep consent records because they know buyers need them. An affiliate who says "it'll take a few weeks to pull those" either doesn't have them or is building them retroactively.

Form topic that doesn't match your product. If the opt-in page was a sweepstakes entry or a generic "get quotes" form that never named your product category, the topical-match requirement under the 2023 rule means that consent doesn't reach your outreach.

The answer turns on whether the failure is a documentation gap or an actual consent defect. They call for different moves.

A documentation gap means the consent probably happened but the records are incomplete. Say the affiliate can't immediately produce the opt-in page screenshot, but every other element checks out. Pause outreach to that batch, give the affiliate a defined window (72 hours is reasonable) to produce the missing documentation, and contact only the leads where you get satisfactory records inside that window.

An actual consent defect means the consent either didn't happen, didn't name your company, skipped the required ATDS disclosure, or came from a different product category than your offer. Suppress these permanently. Don't contact them. Don't sell them to another buyer. Document that you found the defect and acted on it. That documentation is your evidence against willfulness if these leads somehow reach litigation through another path.

For cold calling on landlines, the consent standard for prerecorded non-commercial calls differs from cell-phone ATDS calls. So some defectively-consented cell leads might still be workable as manually-dialed landline calls. Get a compliance attorney to review that specific scenario before you act on it.

If an audit shows a big chunk of an affiliate's leads have defective consent, end the relationship, send a written notice documenting the defects you found, and keep that correspondence. It builds a record that the problem started with them.

LeadCompliant's free TCPA consent checker helps you flag high-risk records before they hit your dialing queue. That's a far cheaper intervention than litigating them later.

Yes, and it's a real operational headache for teams sitting on lists bought before January 27, 2025.

The one-to-one consent rule, adopted in December 2023 and effective January 27, 2025, requires consent to be specific to a single seller [3]. Consent obtained before that date under the old standard, where a consumer agreed to be contacted by a category of partners, doesn't automatically become invalid for calls made before the rule changed. But using pre-rule consent for calls made after January 27, 2025 is legally uncertain ground.

So here's the practical read. Any lead where your only consent documentation is a multi-partner disclosure from before 2025 is high-risk for ongoing outreach. You have three options. Re-verify consent by a method that doesn't itself require TCPA-covered outreach (a permissioned email campaign asking consumers to opt in for calls is one route, but get legal review first). Suppress those leads permanently. Or make only manually-dialed calls to landlines, where the consent requirements differ.

The FCC's rule text says consent must be "for calls from one seller at a time" and given to that specific seller [3]. There's no grandfather clause for old multi-partner consents.

Teams buying from mobile phone do not call list sources or general aggregators should treat their entire pre-2025 cell-phone lead inventory as needing a re-audit under the new standard before they use it again.

What should your affiliate contract require to protect you legally?

A handshake deal or a stock vendor agreement with a generic compliance line is not enough protection when the exposure runs $1,500 per contact.

Here's what a TCPA-specific affiliate contract should contain, and why each term earns its place.

Representation and warranty of consent quality. The affiliate warrants that each lead came through a valid opt-in meeting the FCC's current written-consent standard, including the one-to-one requirement effective January 27, 2025. This gives you a breach-of-contract claim if their leads generate TCPA exposure.

Specific description of the opt-in source. The contract should name the URL or platform where consent was collected, the product category disclosed, and the ATDS/text-message disclosure language used. If the affiliate changes any of these without notice, new leads under the changed flow fall outside the warranty.

Record retention and production obligation. The affiliate keeps consent records for five years and produces any individual record within 72 hours of your request. They also keep a copy of the opt-in page as it appeared at the time of each consent event.

Indemnification. The affiliate indemnifies you for TCPA claims, including attorneys' fees and settlements, arising from consent defects on their leads. Pair it with a requirement that the affiliate carry errors-and-omissions insurance covering TCPA liability.

Right to audit. You can review their opt-in flows and lead records at any time on reasonable notice. It's both a deterrent and a working tool.

Clawback provision. If leads fail your audit or draw complaints above a set threshold (say, a 0.5% complaint rate), you can claw back the purchase price for that batch.

None of these clauses stops a plaintiff from suing you. They give you recourse against the affiliate, and they show a court you took consent seriously.

How often should you audit affiliate lead sources, and who should own it?

Frequency tracks your lead volume and the affiliate's history. For new affiliates, audit every batch for the first 90 days. Check the opt-in page monthly. Pull a 10% sample of records and verify consent documentation on each. After 90 clean days, drop to quarterly spot checks of 5% of leads plus monthly opt-in page reviews.

For established affiliates running a complaint rate above 0.2% (consumer complaints or cease-and-desist letters per contact attempt), escalate back to monthly full audits no matter how long the relationship has run.

Ownership is the real question for small teams. If you have a compliance officer, this is theirs. If you don't, hand it explicitly to the sales ops manager or a named compliance point person. Audits that are "everyone's job" run at the frequency of "never."

For teams without dedicated compliance staff, the LeadCompliant TCPA compliance kit includes audit templates and consent record checklists that cut the time cost of each affiliate review.

Document every audit. Date it, name who ran it, record what you found, record what action you took. This log is your evidence that you used reasonable care, which bears directly on whether a court finds willfulness in any eventual TCPA claim. Courts have reduced or dismissed damages where defendants showed a good-faith compliance program, though that outcome is far from guaranteed.

Put the audit schedule in writing as a policy, more than a habit. A written policy is much harder for a plaintiff to dismiss as post-lawsuit cleanup than something you describe out loud at deposition.

What are the real-world financial stakes if your affiliate audit misses something?

The math is sobering. The TCPA allows $500 per violation for standard violations and $1,500 per violation for willful ones [1]. Each call or text counts separately.

A team dialing 1,000 calls a day from a defectively-consented list for 30 days before catching it has racked up 30,000 violations. At $500 each, that's $15 million in statutory damages exposure. Courts can reduce awards, and many do. They can also treble them for willfulness.

Class actions dominate TCPA enforcement for a reason. The per-violation damage is small enough that individual suits rarely make sense, but big enough that class aggregation hands the plaintiff side enormous pressure. The cash app tcpa class action settlement and credit one tcpa settlement show how quickly multi-million-dollar settlements form, even at companies with real legal firepower.

The FTC and state attorneys general also bring their own enforcement, separate from private suits. The FTC's Telemarketing Sales Rule requires sellers and telemarketers to scrub against the Do Not Call Registry and layers on its own consent and disclosure duties [8]. Florida, Texas, Indiana, and several other states have passed mini-TCPA statutes with their own per-violation damages [6]. Run a 50-state outbound program and you stack exposure across multiple regimes.

A proper affiliate audit process, including legal review of contracts, record retention infrastructure, and monthly spot checks, costs a fraction of one small TCPA settlement. Financially, this is not a close call.

Frequently asked questions

Can I be liable for TCPA violations if my affiliate lied about getting consent?

Yes. The FCC puts the burden of demonstrating valid consent on the entity making the call, not on whoever collected the consent [2]. If your affiliate fabricated or misrepresented consent records, you have a fraud claim against them, but that doesn't erase your TCPA liability to the consumer you contacted. Courts have repeatedly held that relying on a third party's consent representations is not a complete defense.

The FCC adopted a rule in December 2023 requiring that written consent for autodialed or prerecorded marketing calls or texts be given to one seller at a time. It took effect January 27, 2025 [3]. Consent collected under the old multi-partner model, where a consumer agreed to be contacted by a list of companies, no longer satisfies the rule for post-effective-date outreach.

The TCPA carries a four-year federal statute of limitations under 28 U.S.C. § 1658 [4]. Most compliance attorneys recommend a five-year retention window to account for tolling arguments. Records should be searchable by phone number and producible within hours, not weeks, because preservation demands and regulatory requests come with short response windows.

What counts as a valid electronic signature on an affiliate opt-in form?

The Electronic Signatures in Global and National Commerce Act (E-SIGN) treats a checked checkbox or a typed name as a valid electronic signature if the consumer took an affirmative action to create it [7]. A pre-checked box does not qualify, because it reflects the affiliate's choice, not the consumer's. The consumer has to actively submit or affirm the consent.

The consent standard under 47 U.S.C. § 227 is the same for autodialed calls and texts to cell phones: prior express written consent for marketing messages [1]. In practice, you want the opt-in disclosure to name both calls and texts, because consent language that mentions only one channel can be challenged as inadequate for the other.

What DNC checks should I run on affiliate leads before contacting them?

Check every inbound lead against the National Do Not Call Registry before first contact [5]. If a number is on the registry and you lack a prior business relationship or the consumer's express permission for your category of solicitation, don't call it. High DNC overlap in an affiliate's batches is a strong signal that leads came from list sources, not real opt-ins. See our do not call list overview for the full scrubbing process.

Can I use a blanket vendor indemnification clause to protect against affiliate TCPA liability?

An indemnification clause gives you a contractual claim against the affiliate for their share of TCPA damages, but it does not erase your direct liability to plaintiffs or regulators. You can still be sued, and you'll still owe damages if you lose, regardless of whether you eventually recover from the affiliate. Indemnification is a recovery mechanism, not a shield.

What should I do if a consumer complains they never consented to being called from an affiliate lead?

Pull the consent record immediately and check the opt-in page, timestamp, and disclosure language. Suppress that number across all campaigns right away. If you can produce a clean consent record, document it and respond professionally. If you can't produce a clean record within 48 hours, treat it as a consent defect, suppress permanently, notify the affiliate, and loop in legal counsel if you receive formal correspondence.

The TCPA doesn't set an expiration clock on consent, but courts and the FCC look at whether consent was revoked and whether the contact still connects to what the consumer originally agreed to. Practically, leads older than 90 days carry more litigation risk, because consumers are likelier to say they don't remember consenting or that their preferences changed. Many compliance teams treat anything past 90 days as needing re-verification.

How do I audit an affiliate that uses co-registration lead flows?

Co-registration flows, where a consumer opts in to one thing and gets signed up for several programs at once, are very high-risk under the 2025 one-to-one rule. For these affiliates, you need to see the exact co-reg disclosure at the point of the consumer's action, confirm your company was named, and confirm the product category matched yours. If any of those fail, suppress every co-reg lead from that affiliate.

Prior express consent (oral or implied) covers informational or non-marketing autodialed calls. Prior express written consent, meaning a signed written agreement with specific disclosures, is required for marketing calls and texts using an autodialer or prerecorded voice under 47 U.S.C. § 227 [1]. Almost all outbound sales calls are marketing, so written consent is the standard your affiliate leads have to meet.

Yes. Florida's Telephone Solicitation Act and several other state statutes go beyond federal TCPA minimums, with lower per-violation thresholds and broader coverage of calling technology [6]. If you run outbound programs nationally, affiliate consent documentation needs review against the strictest applicable state law for contacts in that state.

A defensible record holds the consumer's phone number, the server-side timestamp in UTC, the IP address of the submission, the URL of the opt-in page at the time of submission, a stored copy of the consent language that appeared on the page (not a current screenshot), and the affiliate's identifier. Client-side timestamps and post-hoc screenshots of current page versions won't hold up in litigation.

How do I check whether my affiliate's opt-in page actually showed the required consent language?

Request the HTML source of the opt-in page, more than a screenshot. Confirm your legal entity name appears in the disclosure text near the submission button. Cross-reference archived versions at web.archive.org against the lead timestamps the affiliate sold you. For ongoing monitoring, a team member should submit a test lead monthly and document exactly what the opt-in page showed at submission.

Sources

  1. Cornell Law School Legal Information Institute, 47 U.S.C. § 227 (TCPA): The TCPA sets statutory damages at $500 per violation, trebled to $1,500 for willful violations, and requires prior express written consent for autodialed or prerecorded marketing calls and texts to cell phones.
  2. Cornell Law School Legal Information Institute, 28 U.S.C. § 1658: Federal civil claims arising under Acts of Congress enacted after December 1, 1990 have a four-year statute of limitations, which applies to TCPA private rights of action.
  3. FTC, National Do Not Call Registry: Telemarketers are required to check the National Do Not Call Registry before making sales calls; failure to scrub against the registry is itself a TCPA and Telemarketing Sales Rule violation.
  4. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's Telephone Solicitation Act imposes per-violation liability and covers a broader range of calling technology than the federal TCPA minimum, creating stacked state-level exposure for outbound marketers calling Florida residents.
  5. Cornell Law School Legal Information Institute, Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. § 7001: E-SIGN treats an electronic signature, including a checked checkbox or typed name, as legally valid if the consumer took an affirmative action to create it; a pre-checked box does not constitute a valid electronic signature.
  6. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: The FTC's Telemarketing Sales Rule requires sellers and telemarketers to check the Do Not Call Registry and imposes additional consent and disclosure requirements for outbound telemarketing, complementing TCPA obligations.
  7. U.S. District Court, S.D. Fla., Keim v. ADF MidAtlantic, LLC, No. 12-80577 (cited for consent documentation standard): Court cases involving affiliate-sourced TCPA claims have examined whether the caller could produce specific consent records for each plaintiff, establishing that inability to produce records supports liability findings.
  8. Consumer Financial Protection Bureau, Consumer Complaint Database: TCPA class action settlements frequently reach seven to nine figures; the statute's per-violation damage structure creates outsized class exposure relative to per-plaintiff actual harm.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit