Last updated 2026-07-09

TL;DR
A CRM consent audit checks every contact record for four things: a documented opt-in source, the timestamp it happened, the specific number and channel covered, and the exact consent language the contact saw. Miss any one of those and you're exposed under 47 U.S.C. 227 and the FCC's 2024 one-to-one consent rule. The audit takes a few hours. It can save you a six-figure settlement.
Why does a CRM consent audit matter under TCPA?
The Telephone Consumer Protection Act, codified at 47 U.S.C. 227, makes you liable for every call or text sent to a wireless number without prior express written consent. Statutory damages run $500 per violation for negligent violations and up to $1,500 per violation if a court finds willfulness. [1] In a class action, that number multiplies by every contact you reached. The Cash App TCPA class action settlement reached $7.5 million after plaintiffs alleged the company texted consumers without adequate consent. [2] Credit One Bank settled a similar suit for $12.5 million. [3]
The gap almost always starts in the CRM. A salesperson imports a purchased list. A form submission skips the timestamp. A legacy migration drops the opt-in source field. Nobody catches it until a plaintiff's attorney does.
The FCC's 2024 one-to-one consent rule, effective January 2025, raised the stakes. Under that rule, a single lead form that bundles consent for multiple sellers no longer meets the prior express written consent standard. [4] Each seller needs its own consent record. If your CRM holds shared lead-gen records from before that change, you have a specific, urgent problem sitting in your database right now.
What four fields must every contact record have?
Every complete consent record has four fields. They're non-negotiable under the FCC's framework for prior express written consent. Get clear on them before you open a single export.
1. Opt-in source. Where did the contact agree? A web form URL, a paper form ID, a call recording reference, an SMS keyword, or a signed contract. "Marketing list" is not a source.
2. Consent timestamp. The exact date and time, ideally in UTC, that consent was captured. Without it you can't prove the consent predates your first outreach.
3. Channel and number covered. Consent to call a home number does not cover texting a cell. The record must show which number was consented to and through which channel (voice, SMS, or autodialed).
4. Consent language. The actual words the contact agreed to, or a version ID that maps to archived form language. The FCC requires that the agreement be "clear and conspicuous" and that the consumer's signature not be a condition of purchase. [7]
Some teams add a fifth field: the IP address and user agent captured at opt-in. Not legally required. Extremely useful when you need to prove the opt-in was real and not spoofed.
If your CRM has a single checkbox labeled "opted in" with no timestamp or source, that field is decoration. It is not compliance.
How do you export and structure your CRM data for an audit?
Start with a full export of your active contact database as a flat CSV or spreadsheet. Include every field your CRM stores, more than the ones you think matter. You'll find columns you forgot existed.
Then build a mapping table. On the left, list the four required fields. On the right, map whatever column in your export is supposed to hold that data. Many CRMs store consent in odd places. HubSpot uses a "Legal basis" property. Salesforce teams often use a custom object. Older Zoho setups sometimes bury consent in the Notes field as free text.
| Required field | Common CRM column name | Red flag if... |
|---|---|---|
| Opt-in source | Lead source, UTM source, Form ID | Blank or "import" |
| Consent timestamp | Opt-in date, Created date (proxy only) | Missing entirely |
| Channel / number covered | Phone type, SMS consent flag | Not split by channel |
| Consent language version | Form version, T&C version | No versioning system |
Once you have that mapping, count the nulls and blanks in each required column. A simple =COUNTBLANK() in a spreadsheet works. So does a SQL COUNT WHERE field IS NULL if you have database access. The goal is a percentage: what share of records in your dialable or textable segments are missing each field.
If more than 5% of your active outreach list is missing a timestamp or source, stop outreach on those records until you resolve it. That threshold is not a legal standard. It's a practical one. At 5% missing you're talking about hundreds or thousands of contacts where your only defense in litigation is "we don't know."
How do you find contacts who were added without any consent record at all?
The hardest records to catch are the ones where consent was never captured in the first place, more than stored badly. These come from three sources.
Purchased or rented lists. Any contact whose lead source is "purchased list," "list import," "partner data," or a vendor name is a red flag. Third-party consent, where the lead vendor claims the consumer agreed to be contacted by "partners," no longer satisfies the FCC's one-to-one rule as of January 2025. [4] You have to check whether your vendor obtained consent specifically naming your company.
Legacy migrations. When companies switch CRMs or merge systems, consent fields are often the first thing dropped. If a cohort of records all share the same creation date in a past year with no opt-in source, that's almost certainly a migration artifact.
Manual entries. A salesperson who types in a business card contact has almost certainly not captured prior express written consent. For cold calling on landlines or business numbers this may be fine. For texting or autodialing cell phones it is not.
Filter your export for all three patterns. Any record with a lead source containing "import," "list," "partner," or "vendor." Any batch where 100 or more contacts share the exact same created-date. Any record created by a user role tied to manual data entry. Run those three filters and you'll find 80% of your consent gaps.
What should you do with records that are missing consent?
You have four options, listed here from safest to most aggressive. Be honest with yourself about which one you're actually choosing.
Option 1: Remove from outreach permanently. The cleanest legal position. Suppress the records from all automated calling and texting. You can still use them for direct mail if your data agreement permits. This is the right call for purchased-list contacts where the vendor can't produce a consent record naming your company.
Option 2: Re-consent via a permission-pass campaign. Send a single email (if you have email addresses and email consent is covered separately) asking the contact to opt in to calls or texts. This only works if email consent exists and the email channel isn't itself in question. A permission-pass email that lands on a disputed address proves nothing.
Option 3: Attempt manual verification. For high-value contacts, a compliance-reviewed outbound call to a landline business number, where autodialing and written consent requirements are lower, can open a conversation where you obtain fresh consent. This needs legal sign-off on the script.
Option 4: Get retroactive documentation from your lead vendor. If the vendor has records showing the contact agreed to be called by your company specifically, and they can produce those records in a format you can store, that documentation goes into the record. Do not accept a PDF with no metadata. You want a time-stamped data export.
For any contact you decide to keep contacting, cross-reference against the National Do Not Call Registry too. You can access the registry for a fee or through a paid scrubbing service. [5] Consent and DNC status are separate questions. A contact can have given consent and still sit on the DNC list. Both conditions have to be checked.
How do you fix the consent fields going forward, more than for today's records?
An audit that finds gaps but doesn't fix the intake process is a one-time chore that will be stale in 90 days. The real fix is upstream.
Every web form that feeds your CRM should capture and store, at the moment of submission, four things: the full URL of the page the form lived on, the timestamp in UTC, the IP address, and a version ID for the consent language on that form. Most marketing automation platforms do this natively. HubSpot stores form submission metadata including the page URL. Salesforce Web-to-Lead captures the referring URL. If your platform doesn't store this automatically, a hidden field populated by JavaScript at submission time will work.
For inbound calls where consent is obtained verbally, the record needs a call recording reference ID and the date of the call. For SMS opt-ins via keyword, the record needs the keyword, the short code or 10-digit long code, and the timestamp of the inbound message.
Version control your consent language. Every time your terms change, create a new version ID. When a contact submits a form, store that version ID. This lets you reconstruct exactly what language a contact saw, which matters because the FCC's requirement is that the consent be "clear and conspicuous." [7]
Set up a weekly automated report that flags any new contact record missing required consent fields. Every CRM has some workflow or list logic that can do this. In HubSpot it's a smart list filtered on blank consent properties. In Salesforce it's a validation rule or a dashboard report. In Zoho it's a custom view. Running this report takes ten minutes a week and catches problems before they compound.
LeadCompliant's free compliance kit includes a consent field checklist and a CRM field mapping template you can adapt for the major platforms. It's a useful starting point if you want a pre-built structure instead of building from scratch.
How often should you run a CRM consent audit?
There's no federal regulation setting an audit frequency. The practical answer is quarterly at minimum, plus immediately after any of three triggers.
Trigger 1: A new lead source goes live. Any time you start buying leads from a new vendor, add a new form, or integrate a new data partner, audit that cohort before you contact them.
Trigger 2: A regulatory change. The FCC's one-to-one consent rule is the most recent example. When the rules change, your existing records need to be evaluated against the new standard, not the one in place when the consent was obtained. [4]
Trigger 3: A complaint or litigation threat. If you get a TCPA demand letter or an FCC complaint, the first thing you need is a consent audit of every contact tied to the complainant, and ideally a full database audit to understand your exposure.
For small outbound teams, a quarterly audit is manageable. A team with 10,000 contacts and one person on compliance can complete the core steps (export, null count, flagging, and remediation decisions) in about four to six hours. Larger teams with 100,000-plus records should automate the detection layer and reserve human review for remediation decisions.
One honest caveat: nobody has published hard data on what audit frequency actually prevents TCPA suits. The logic is simple though. Gaps grow over time. A gap you catch 60 days after it opens is cheaper to fix than one you find 18 months later, after 50,000 outreach attempts.
What does a completed consent audit actually look like?
A finished audit produces three documents.
First, a gap report. This is your null-count spreadsheet showing, by field and by contact segment, what percentage of records are missing each required field. This is your before-picture. Keep it. If you're ever in litigation and need to show you identified and addressed a problem, this is exhibit A.
Second, a remediation log. For every record where you took action, log what the action was and when. If you suppressed 3,000 records from a purchased list, that entry reads: "2025-07-01: 3,042 contacts from [Vendor Name] import suppressed from autodialed outreach, consent records unavailable." If you re-consented a cohort, log the permission-pass campaign ID and the outcome.
Third, an updated field mapping and SOP. Document what your CRM fields are, where consent data lives, and what the process is for new contacts. This is the document a new sales ops hire or a new vendor needs to see on day one.
Those three documents together are what a competent compliance officer or outside counsel will ask for if your company faces a TCPA investigation or class action. Having them ready doesn't make you immune, but it shows the documented compliance effort that courts have weighed in damages determinations. Under the TCPA there's no explicit "reasonable procedures" safe harbor the way the FTC's DNC rules have one. [6]
For a cold call team that also runs SMS, your audit has to cover both channels separately. Consent is channel-specific. A contact who agreed to texts has not necessarily agreed to autodialed calls, and the reverse. Treat them as separate fields in your CRM and separate sections in your audit.
How does the FCC's 2024 one-to-one consent rule change what you need to store?
The FCC adopted the one-to-one consent rule in December 2023, with an effective date of January 27, 2025. [4] The rule amends 47 C.F.R. 64.1200 to require that prior express written consent for telemarketing calls be given to one specific seller at a time. A blanket consent form listing ten partner companies, or using language like "companies we work with," no longer meets the standard.
The rule requires that consent "clearly and conspicuously" disclose that the consumer agrees to receive calls from the specific seller seeking consent. [7] That's the key change.
For CRM purposes, your consent records need to show that the form or agreement named your company. Not a generic affiliate network. Not a lead aggregator. Not a marketing partner. Your company name.
If you buy leads, you need written confirmation from each vendor that their consent forms name you specifically. And you need to store that confirmation. A reasonable approach is to require each lead vendor to provide a sample of the consent form language, with your company name visible, and store that sample in your compliance file, linked to the lead batch.
For leads captured before January 27, 2025, the FCC has indicated the rule applies prospectively. But if you keep calling or texting those contacts after that date, the safer read is to confirm that their consent, whenever it was captured, meets the current standard. Old consent for a new regulatory environment is a gap. text message marketing teams that relied on bundled consent forms should treat those records as unverified until the vendor confirms new-standard compliance.
What are the biggest mistakes teams make during a consent audit?
The most common mistake is using "created date" as a proxy for consent timestamp. A record's creation date tells you when the record was entered, not when consent was given. A salesperson who types in a two-year-old business card today creates a record with today's timestamp. That does not mean consent was given today.
Second mistake: treating a single opt-in checkbox as enough without checking what that checkbox was connected to. A contact might have checked "I agree to receive marketing communications" on a page where the consent language was buried below the fold, lacked the required disclosures, or was a condition of purchase. Any of those voids the consent.
Third mistake: auditing only the contacts you plan to call next week instead of your whole database. The plaintiffs' bar does not care that you were careful with your next campaign. They care about the full population of people you have already contacted. Your exposure runs on historical outreach, not future intent.
Fourth mistake: fixing the data without fixing the process. An audit that produces clean records today but doesn't change how new contacts enter the system will need to be re-run in six months.
Fifth mistake: not scrubbing against the Do Not Call list as a separate step. Some teams conflate consent with DNC scrubbing. They're related but distinct. A contact on the do not call list may have signed a consent form and still cannot legally be called for telemarketing. Both checks are required. [5]
Look at what went wrong in major TCPA settlements to calibrate where real exposure sits. The cash app tcpa class action settlement and the credit one tcpa settlement both involved consent record failures at scale. The lesson isn't that the companies were evil. It's that they had no system to prove consent existed.
What tools can help automate consent field monitoring in a CRM?
You don't need expensive compliance software to do this well. The tools that work best are often the ones already built into your CRM.
In HubSpot, smart lists with filter logic on blank consent properties update automatically as records change. Set the filter once, "Legal basis for processing is unknown" or "Opt-in timestamp is blank," and the list stays current. Pair that with a workflow that assigns a task to a compliance owner whenever a new record hits the filter, and you have continuous monitoring.
In Salesforce, a validation rule can block records from entering a "dialable" or "textable" status without required fields populated. That's the enforcement layer rather than the detection layer, and it's more powerful because it stops the problem at intake instead of catching it after.
For DNC scrubbing, you need a service that queries the National Do Not Call Registry against your contact list and flags matches. The FTC charges access fees based on area codes for commercial users. [5] Most sales engagement platforms like Outreach, Salesloft, and Apollo have built-in or partnered DNC scrubbing. The mobile phone do not call list question comes up often: cell numbers can be registered on the national DNC list, and if they are, prior express written consent is required regardless of how you got the contact.
LeadCompliant's free tools include a TCPA risk checker that flags contact records against common consent gap patterns. Run it on a sample export for a quick read on where your database stands before you commit to a full audit.
For teams handling audit documentation at scale, a shared Google Sheet or Notion database works fine: columns for each required consent field, a status column (verified, flagged, suppressed), and a notes field for remediation actions. Not glamorous. But it's auditable, versioned, and shareable with outside counsel if it comes to that.
Frequently asked questions
What is prior express written consent under the TCPA?
Prior express written consent under 47 U.S.C. 227 and 47 C.F.R. 64.1200 means a signed, written agreement where the consumer clearly authorizes a specific company to contact them using an automatic telephone dialing system or prerecorded voice, at a specific number, for telemarketing. The agreement cannot be a condition of purchase and must include the phone number to be called. Since January 2025, consent must name a single seller specifically.
Can I use created date as the consent timestamp in my CRM?
No. Created date reflects when the CRM record was entered, not when the consumer gave consent. If a salesperson enters a contact manually today using information from a meeting two years ago, the created date is today. Courts and the FCC care about when consent was actually given, not when your database was updated. You need a separate field that captures the actual opt-in date and time.
Does a contact's consent to email cover calls and texts too?
No. Email consent and TCPA consent are separate. A contact who checked an email marketing box has not given prior express written consent to receive autodialed calls or texts to their cell phone. Your CRM needs separate consent fields for each channel: email, SMS, and voice. Bundling them into one checkbox creates a legal gap for any channel the consumer did not specifically agree to.
How do I handle old contacts from a purchased list I bought before the 2025 FCC rule?
The FCC's one-to-one consent rule is prospective, but if you're still contacting those people after January 27, 2025, the safer position is to confirm the original consent named your company specifically. If your vendor can't produce consent records showing your company's name, those contacts should be suppressed from autodialed calling and texting until you get fresh consent directly from the individuals.
What percentage of missing consent records is acceptable before I pause outreach?
There's no regulatory threshold. A practical working rule is to pause automated outreach on any segment where more than 5% of records are missing a timestamp or opt-in source. At that rate you're likely talking about hundreds or thousands of contacts with no documented consent, and your litigation exposure on those records is hard to defend. Clean the gap before resuming.
How do I check if my contacts are on the Do Not Call Registry?
For commercial telemarketers, the FTC provides access to the National Do Not Call Registry through its Subscription Account Management system. There's a fee based on the number of area codes you query. Most sales engagement platforms include DNC scrubbing as a built-in or add-on feature. DNC status is separate from consent status, and both must be checked before outbound campaigns.
Does verbal consent over the phone count as prior express written consent?
No. Verbal consent is sufficient only for prior express consent to receive informational calls. For telemarketing calls to a cell phone using an autodialer or prerecorded message, the TCPA requires prior express written consent, which includes electronic signatures captured via a web form or SMS opt-in. A call recording of someone saying yes helps as a backup but does not meet the written consent standard on its own.
What should I store to prove a web form opt-in was legitimate?
At minimum: the URL of the form page, the timestamp in UTC, the IP address of the submitter, the form version or the exact consent language shown, and the phone number submitted. An optional but strong addition is the user agent string from the browser. This combination lets you reconstruct the consent event if it's ever challenged, and it makes spoofed or fraudulent opt-ins easier to detect and exclude.
Can I re-consent existing contacts who are missing consent records?
Yes, through a permission-pass campaign, but only if you have a compliant channel to reach them with the request. Email is the most common vehicle, but only if you have email consent that isn't itself disputed. The re-consent message should clearly ask the contact to opt in to calls or texts, not assume agreement. Records where no safe contact channel exists should be suppressed rather than re-consented.
How long do I need to keep consent records?
The TCPA has a four-year statute of limitations, so at minimum keep consent records for four years from the date of last contact with each individual. Many compliance attorneys recommend five years as a buffer. Store them in a format you can export and produce in litigation: a database export, a CSV with metadata, or a dedicated compliance platform record. Paper files that can't be searched are not sufficient at scale.
What is the difference between the National DNC list and an internal do-not-contact list?
The National Do Not Call Registry is maintained by the FTC and covers consumers who have opted out of telemarketing calls from all commercial sellers. An internal DNC or do-not-contact list covers individuals who specifically asked your company to stop contacting them. Both lists must be maintained and honored. A contact can ask to be removed from your calls, and that request must be honored within 30 days regardless of national registry status.
Does the TCPA apply to business-to-business calls?
The TCPA's prior express written consent requirements focus mainly on calls to residential lines and wireless numbers. Most B2B calls to direct business lines carry lower requirements, though calls to an employee's cell phone still need consent if you're using an autodialer. The FCC has given some guidance, but the line between personal and business cell use is contested. The safest approach is to treat any cell number, even one on a business card, as requiring consent before autodialing.
What happened in the major TCPA settlements that involved consent record failures?
Both the Cash App TCPA class action settlement ($7.5 million) and the Credit One Bank settlement ($12.5 million) involved allegations that the companies texted or called consumers who had not given proper consent or who had revoked it. In both cases, the companies' inability to produce complete consent records for the affected contacts was central to the plaintiff's case. Clean, timestamped, source-linked consent records are your first line of defense.
How does the one-to-one consent rule affect lead generation vendors?
Under the FCC's 2024 rule, a lead vendor's consent form must name your company specifically. A form saying the consumer agrees to be contacted by 'partners' or 'affiliated companies' is no longer sufficient for telemarketing calls. You need written documentation from each vendor showing the form used when a specific lead opted in included your company's name. Vendors who can't provide this should be treated as sources of unverified contacts.
Sources
- U.S. Code, 47 U.S.C. 227, Telephone Consumer Protection Act: Statutory damages are $500 per violation, trebled to $1,500 for willful violations
- FTC, Legal Library, Cases and Proceedings (Cash App TCPA class action settlement records): Cash App TCPA class action settlement reached $7.5 million over alleged texting without adequate consent
- Consumer Financial Protection Bureau, Enforcement (Credit One Bank TCPA settlement records): Credit One Bank settled a TCPA suit for $12.5 million over consent record failures
- FTC, National Do Not Call Registry, Business Information: Commercial telemarketers must pay area-code-based fees to access the National Do Not Call Registry
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC's Telemarketing Sales Rule provides an established business relationship and reasonable procedures defense for DNC violations
- Electronic Code of Federal Regulations, 47 C.F.R. 64.1200, Delivery Restrictions: Consent must be clear and conspicuous and cannot be a condition of purchase
- FTC, Complying with the Telemarketing Sales Rule: FTC guidance on internal do-not-call list requirements and 30-day honoring window
- Cornell Law School Legal Information Institute, 47 U.S.C. 227: TCPA has a four-year statute of limitations for private right of action