How to audit your existing lead database for consent gaps

A step-by-step guide to auditing your lead database for TCPA consent gaps, covering what records to pull, red flags to fix, and how to avoid $500, $1,500 per-call fines.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-09

Compliance officer reviewing lead database records on a desk with printed spreadsheets
Compliance officer reviewing lead database records on a desk with printed spreadsheets

TL;DR

A consent audit means reviewing every lead record to confirm you have documented, legally sufficient proof of consent before calling or texting that person. Under 47 USC 227, calling or texting a wireless number without prior express written consent can cost $500 to $1,500 per call. This guide walks you through exactly how to find the gaps, fix them, and build a process so they stop appearing.

Every unauthorized call or text to a cell phone is its own separate violation under the Telephone Consumer Protection Act (47 USC 227). The math is what makes it dangerous. Statutory damages run $500 per call for negligent violations and $1,500 per call when a court finds willfulness. [1] Blast 10,000 people without valid consent and a plaintiff's attorney sees a $5 million to $15 million case sitting on a spreadsheet.

The FCC's 2015 Omnibus Declaratory Ruling put the burden squarely on sellers, more than on the carriers or lead vendors delivering the calls, to prove consent existed at the moment of the call. [2] That ruling is why "we bought the list and they said everyone opted in" is not a defense. The burden is yours.

Some of the biggest settlements in TCPA history came from companies that thought their records were clean. The Cash App TCPA class action settlement and the Credit One TCPA settlement both turned on whether consent was captured correctly or matched to the right kind of outreach. Neither company set out to break the law. They had process gaps.

A consent audit is how you find those gaps before a plaintiff does.

There are two tiers of consent under the TCPA, and they apply to different situations. Knowing which tier a record needs is the whole game. Get the tier wrong and a perfectly documented opt-in still fails.

First tier: prior express consent. This covers informational calls and texts to cell phones sent with an autodialer. The person has to have voluntarily provided their number in a context that made clear they might be contacted.

Second tier: prior express written consent. This is required for any telemarketing or advertising call or text to a wireless number using an autodialer or prerecorded voice. The FCC defines it as an agreement "that clearly and conspicuously authorizes" the seller to deliver calls or texts, signed by the consumer, containing the phone number being authorized, the name of the seller, and a disclosure that consent is not required to buy anything. [2]

The FCC's one-to-one consent rule, effective January 27, 2025, added a wrinkle: express written consent for robotexts and robocalls has to be given to one seller at a time. A lead gen form that bundled consent for dozens of sellers no longer clears the bar. [3]

For cold calling landlines with a live agent and no prerecorded message, the standard is looser. The National Do Not Call Registry still applies, though. Anyone on the DNC cannot get a telemarketing call regardless of consent status. [4]

When you audit, tag each contact with its tier first, then confirm the record meets that tier's standard.

What records do you need to pull before you start an audit?

Gather your source documentation before you touch a single lead. Consent requirements flow from the lead source, so you need to know where every lead came from and what it agreed to.

Here is the full set of records to collect:

Record typeWhy you need itWhere it usually lives
Lead vendor contractsStates what the vendor represented about consentLegal/procurement files
Opt-in form screenshots or archivesProves what language was shown at captureWeb archive, marketing team
Form submission logs with timestampsTies each record to a specific opt-in eventCRM, marketing automation, lead vendor portal
IP address and device logsCorroborates that a real human submitted the formWeb analytics, form provider
Call/text logsShows which leads were actually contacted and whenDialer platform, SMS platform
Revocation recordsShows who asked to stop receiving calls/textsCRM, opt-out logs
DNC scrub recordsShows which numbers were checked against the National RegistryDNC scrub provider

Missing any of these for a segment of your database? That segment has a consent gap by definition. You cannot prove what you cannot document.

For numbers you picked up through a do not call telemarketer list or a third-party lead vendor, ask for their audit trail too. If they cannot produce it, treat those records as unconsented.

Key TCPA consent audit thresholds at a glance Numbers every compliance owner should have memorized 500 $500 per call (negligent TCPA violation) 1,500 $1,500 per call (willful violation) 31 31-day DNC scrub window (maximum days between scrub… 249M 249M+ active National DNC registrations (FY2024) Source: FTC (16 CFR 310), FCC (47 USC 227, FCC 15-72, FCC 23-107), 2024

A three-bucket scoring system keeps the audit manageable. Assign each lead to green, yellow, or red. That is it.

Green means you have a timestamped form submission, the form language met the applicable standard at the time, the number was scrubbed against the National DNC Registry within the required 31-day window [4], and there is no revocation on file. You can call or text this lead today, subject to any state rules.

Yellow means something is incomplete but potentially fixable. You have a form submission but cannot confirm the exact consent language shown. Or the DNC scrub is older than 31 days but you have no reason to think the person registered. Yellow leads need a secondary review before contact. Do more than dial them because a record probably exists somewhere.

Red means a documented gap you cannot fix after the fact. The lead came from a vendor who cannot produce any consent record. The person previously sent a revocation. The number is on the National DNC Registry and no business relationship exception still applies. Red leads go on a suppression list. Do not contact them.

The common mistake is working yellow leads like they are green because the team feels pressure to hit the whole database. That is how a class action starts. Suppressing an uncertain record costs you a few lost dials. Getting it wrong costs $500 to $1,500 per contact times however many yellows you have.

A handful of patterns show up over and over in how TCPA litigation actually plays out.

Expired or stale consent. The FCC has not set a hard expiration date, but courts have found consent can become unreasonable after years pass with no contact. The safe harbor most compliance people use is 18 months for inactive leads. That is a judgment call, not a statute. If you have leads from 2019 with no contact history, assume the consent quality has degraded.

Bundled or daisy-chained consent. A single opt-in form that listed 50 partner companies, or consent sold from company A to company B to company C, almost certainly fails the post-2025 one-to-one standard. [3] If your lead vendor was aggregating consent across multiple buyers, those records are high-risk.

Missing revocation records. The TCPA requires you to honor opt-outs. [1] If your CRM and your dialer are not synced, someone who texted STOP yesterday can get called tomorrow. Audit the connection between your opt-out mechanism and your do-not-contact list.

Wrong consent tier for the outreach type. A company that collected tier-one consent (informational) and then started sending promotional texts needs tier-two consent (written, with all required disclosures) for those texts. The consent you have has to match the contact you are making.

Phone number reassignment. Wireless numbers get recycled, which is why the FCC's Reassigned Numbers Database exists. If a number was reassigned after the original owner consented, the new owner never agreed to anything. [5] Checking numbers against that database is not optional if you are calling or texting numbers you collected more than a few months ago.

If you are unsure about your DNC exposure alongside the consent question, get clear on who is on the do not call list and how the mobile phone do not call list works. That is a necessary parallel step.

This is the hardest part. You have real leads, sometimes bought for real money, and you cannot prove consent. So what do you do?

Option one: suppress and move on. Cold as it sounds, this is the safest choice. If you cannot document consent, the record is effectively unconsented. Suppressing costs you pipeline. Getting sued costs more.

Option two: re-engage through a channel the TCPA does not cover. If the leads include email addresses and you have permission to email them, send a re-permissioning request inviting them to opt in for calls or texts. Do not call or text them to ask for permission to call or text them. That is circular and still a TCPA violation if you use an autodialer on a wireless number.

Option three: live-agent manual dial with no autodialer. The autodialer restrictions only apply when you use an autodialer, as defined in 47 USC 227(a)(1). [1] A true manual dial to a landline, to a non-DNC number, with a live agent and no prerecorded message, sits outside the strictest requirements. This is a narrow path. Courts have fought for years over what counts as an autodialer, so run it past a lawyer before you try it.

Option four: go back to the lead vendor. If the vendor sold you the leads with a consent warranty and cannot produce the documentation, you may have a contract claim against them. That does not cure your exposure to the consumer, but it gives you recourse.

Most teams end up suppressing the undocumented records and building better intake for new leads. That is the right call.

What is the step-by-step audit process from start to finish?

Run the audit in a structured way that leaves a defensible paper trail. Here is the sequence.

Step 1: Freeze new contact activity for the database being audited. Do not keep dialing while you audit. Find violations mid-campaign and you have just compounded your exposure.

Step 2: Export every lead record with all available metadata. You want name, phone number, lead source, lead date, form version at capture, IP address if available, prior contact history, and any opt-out or complaint history.

Step 3: Match each phone number against the National DNC Registry. The FTC offers the first five area codes free per year and charges up to about $22,038 for full access to all area codes annually, with rates set each year. [4] If you have not scrubbed within 31 days, every number needs a fresh scrub.

Step 4: Check numbers against the FCC's Reassigned Numbers Database. Access runs a few cents per query for occasional use or a flat annual fee. [5] Flag any number where the reassignment date lands after your consent capture date.

Step 5: Pull the consent documentation for each lead source and map it to the leads from that source. If a source cannot be matched to documentation, every lead from that source becomes yellow or red.

Step 6: Apply the green/yellow/red scoring from the earlier section.

Step 7: Move red records to a suppression list immediately. Do not park them in the same table as active leads. They need a hard suppression tag that blocks future contact regardless of what campaigns run.

Step 8: Review yellow records by hand. Someone with compliance authority, more than a sales rep, makes the call on yellows.

Step 9: Document everything. The audit, the methodology, who reviewed it, what got decided, and when. If you are ever sued, this is what shows good faith.

Step 10: Set a calendar reminder for 90 days out to check whether your intake process has improved so new leads do not carry the same gaps.

LeadCompliant's compliance kit includes a pre-built audit spreadsheet and suppression list template that maps to this workflow, which saves a few hours of setup if you want a starting point.

For the wider picture of your obligations alongside the consent piece, the TCPA overview is worth reading first if you are new to this.

How often should you re-audit your database?

Do a full audit at least once a year and a rolling mini-audit every quarter. That is what most teams who have been through TCPA litigation land on. The annual audit catches structural issues: consent tiers, vendor contract alignment, DNC scrub gaps. The quarterly check catches operational drift, which is what happens when a sales rep adds a new lead source and forgets to tell compliance.

Some events should trigger an audit outside the regular schedule:

You sign a new lead vendor. You launch a new marketing channel. You swap your dialing platform or SMS provider. You get a TCPA complaint or demand letter. The FCC issues new guidance that touches your outreach type. The one-to-one consent rule that took effect January 2025 is the obvious example. [3] Any company using aggregated consent from a lead gen site should have run an audit the day that rule went live.

For teams doing heavy cold call outreach, the DNC scrub has to happen on a rolling basis, more than at annual audit time. The 31-day scrub window under the Telemarketing Sales Rule is a legal requirement, not a suggestion. [4]

You do not need expensive software to run a consent audit. The right tools just make it faster.

For DNC scrubbing, the FTC's National Do Not Call Registry is the primary source. [4] Most dialer platforms, including Five9, NICE, and Salesforce Dialer, ship with DNC scrub integrations. If yours does not, buy scrub access directly from the FTC or use a third-party scrub service. Third-party services usually charge between $0.001 and $0.01 per number depending on volume.

For reassigned numbers, the FCC's Reassigned Numbers Database is the authoritative source. [5] Some third-party data providers offer reassignment lookups bundled with number validation.

For consent documentation, the honest answer is that no software conjures up records you never collected. Tools like Jornaya and ActiveProspect (which runs TrustedForm) embed a consent token in lead gen forms, creating a timestamped, auditable record of exactly what the consumer saw and agreed to. [6] If your lead vendors are not using one of these, that is a gap in your intake process to fix for future leads.

For managing suppression at scale, a Customer Data Platform with real-time suppression across all channels beats a spreadsheet. The spreadsheet works for small databases. At tens of thousands of records, manual suppression lists drift and people slip through.

LeadCompliant's free consent checker is a simple option for smaller teams that want to validate phone numbers against the DNC and run a basic consent assessment without building a full stack.

The FTC's Telemarketing Sales Rule, 16 CFR Part 310, lays out the recordkeeping requirements directly if you want the primary source on what you are supposed to retain. [4]

What happens if you find violations during the audit?

Finding a problem during an audit is uncomfortable. It is a lot better than a plaintiff's attorney finding it first.

If calls or texts already went out to records that lacked proper consent, stop any ongoing contact with those people first. Keep contacting them after you know the consent is deficient and you move from negligent to potentially willful, which is where that $1,500 per call ceiling kicks in. [1]

Get legal counsel involved. This is not a fix-it-quietly-and-hope situation. An attorney who does TCPA defense can size up your exposure, tell you whether the violations look isolated or systemic, and advise on proactive remediation.

Document the discovery and your response. Courts look kindly on companies that caught problems through internal compliance and took corrective action. The good faith argument falls apart if you found out in January and kept calling through March.

If a demand letter or lawsuit already arrived, do not send anything to the plaintiff or their counsel without attorney guidance. TCPA class action plaintiffs are often represented by firms that have filed hundreds of these. The text message marketing space in particular draws aggressive litigation because the violations are so easy to document.

For a sense of real exposure, TCPA class actions have settled for a few hundred thousand dollars for small defendants up to hundreds of millions for major financial institutions. The Credit One case shows how these numbers scale.

How do state laws change what your audit needs to cover?

The TCPA sets a federal floor. States can go further, and plenty do, which means your audit has to account for where your leads live, more than where your office sits.

Florida's Telephone Solicitation Act (Florida Statutes 501.059) is one of the strictest. It requires written consent for telephonic sales calls using an autodialer or prerecorded message, creates a $500 per-call private right of action, and runs its own state DNC list separate from the federal registry. [7]

California adds CCPA rules for how you handle personal data in your CRM, and the California Invasion of Privacy Act sets separate all-party consent obligations for recorded calls. [8]

Washington, Oklahoma, and Texas all run state DNC registries or enhanced telemarketing statutes that pile requirements on top of the federal TCPA.

The practical move for an audit: segment your database by the lead's state of residence (use area code as a rough proxy if you do not have address data), find which states have enhanced rules, and apply the stricter standard to those records. Contacting Florida residents with automated calls means your consent standard is the Florida written consent requirement, more than the federal one.

Nobody has a clean count of exactly how many states have their own mini-TCPA laws. The best current estimate is roughly 35 states with some form of enhanced telemarketing rule, though the specifics swing wildly. State attorney general websites are the most reliable source for current text.

Auditing your existing database is a one-time cleanup. The real payoff is building intake that stops the same gaps from showing up in new records.

For owned lead gen (your own forms, landing pages, and ads), the fix is clean. Use a consent management platform or a certified form tool that timestamps and archives the exact opt-in language shown at capture. Put all required TCPA disclosures on the form: name your company, state that consent is not required to purchase, and list the type of outreach the consumer agrees to. For post-2025 compliance, do not bundle consent for multiple companies. [3]

For purchased leads, require vendors to hand over a Jornaya or TrustedForm certificate, or an equivalent consent token, for every lead. Make it a contract term, not a polite request. If a vendor refuses, treat their leads as high-risk. Build a lead intake checklist your team runs for every new vendor before the first record enters your CRM.

For DNC scrubbing of new leads, bake it into your automation. Scrub every new record within 24 hours of ingestion. Re-scrub before contact if more than 31 days have passed since the last scrub. [4]

On the how do i get the do not call list question that comes up constantly: the FTC provides direct access to the National Registry at donotcall.gov, where organizations subscribe and download the data for scrubbing. That is the authoritative source.

Frequently asked questions

The TCPA itself does not set a retention period, but the FTC's Telemarketing Sales Rule requires telemarketers to keep records of express consent for 24 months from the date the record was created or the date of last contact, whichever is later. Many compliance attorneys recommend keeping consent documentation for at least four years, matching the TCPA's four-year federal statute of limitations.

Can I call a lead who consented five years ago?

There is no hard statutory expiration, but courts have found that very old consent with no intervening contact can become unreasonable. The safer standard used in practice is 18 months of inactivity. If your lead consented five years ago and you have had no contact since, treat the record as stale and either seek fresh consent through a non-TCPA-restricted channel or suppress the number.

Does a lead's phone number on a website or business card count as consent to be called?

For landlines called by a live agent with no prerecorded message, providing a number in a business context generally satisfies prior express consent for informational calls. It does not satisfy prior express written consent for telemarketing. For wireless numbers reached via autodialer or prerecorded message, a business card or website listing alone is not enough consent under the TCPA.

The FCC's December 2023 order, effective January 27, 2025, requires that express written consent for robocalls and robotexts be obtained for one seller at a time. Consent forms that listed multiple sellers or consented to a broad category of third parties no longer satisfy the requirement. Any leads acquired through multi-party aggregator forms before that date should be reviewed against this standard before contact.

Is scrubbing against the National DNC Registry enough, or do I also need to check a state DNC list?

It is often not enough. Florida, Texas, Indiana, Wyoming, and several other states run their own state DNC registries. If you are calling consumers in those states, you must scrub against both the federal National Do Not Call Registry and the applicable state list. Failing to scrub against a state list can expose you to state-level penalties even when the federal scrub is clean.

What is the Reassigned Numbers Database and do I have to use it?

The FCC's Reassigned Numbers Database is a central repository of wireless numbers that have been disconnected and potentially reassigned to new subscribers. Callers who check the database and get a reassigned or permanently disconnected result lose the safe harbor for good faith reliance on prior consent. Checking is not strictly required, but calling a reassigned number after the database shows reassignment removes any good-faith defense.

Yes. The FCC's 2015 Omnibus Ruling confirmed that sellers bear the burden of proving consent at the moment of contact. A vendor's contractual warranty that leads are consented does not shift TCPA liability to the vendor in a lawsuit brought by a consumer against you. You may have a breach of contract claim against the vendor, but that is a separate proceeding. The consumer can still sue you directly.

In practice, yes. Consent to receive calls does not automatically extend to texts, and vice versa. The opt-in language should specify which channels are authorized. If your consent form said we may call you and you are now texting, the text program needs its own consent capture. Review your form language carefully and match it to your actual outreach channels.

How does an established business relationship (EBR) affect consent requirements?

An EBR allows calls to existing customers on the National DNC Registry for up to 18 months after the last transaction, and up to three months after an inquiry. But an EBR only applies to calls with a live agent and no autodialer on landlines. It does not override the prior express written consent requirement for autodialed or prerecorded calls to wireless numbers for telemarketing. Do not rely on EBR as a substitute for written consent on cell phones.

What counts as a sufficient opt-out under the TCPA and how do I track it?

A consumer can revoke consent through any reasonable means: saying stop on a call, replying STOP to a text, emailing your company, or verbally asking an agent to stop. The FCC confirmed in its 2024 revocation order that callers must honor revocation regardless of the method used. Your systems need to capture every type of revocation and push it to a suppression list that all contact systems check before dialing or texting.

How much does a TCPA class action settlement typically cost?

Settlement amounts vary widely. Small-defendant cases with isolated violations settle in the low hundreds of thousands. Major financial institutions and large telemarketers have settled for tens of millions to hundreds of millions. Per-violation damages of $500 to $1,500 mean even a campaign of 10,000 unconsented texts creates theoretical exposure of $5 million to $15 million, which is why class certification is so dangerous.

An audit done after a complaint or lawsuit lands has less defensive value than one done proactively, because a court may read it as reactive rather than evidence of a real compliance program. That said, an audit showing any violation is contained, and that the company acted quickly to fix it, can support an argument for lower damages or against class certification. Get counsel involved immediately if litigation has started.

Prior express consent is the lower standard and covers informational calls and texts to wireless numbers made with an autodialer. The person simply has to have voluntarily provided their number in a relevant context. Prior express written consent is required for all telemarketing or advertising calls and texts to wireless numbers using an autodialer or prerecorded voice. It requires a written agreement naming the seller, disclosing that consent is not required to purchase, and specifying the phone number and contact types covered.

Check your dialer and SMS platform logs. Most platforms record whether a message went out via short code, long code, or ATDS-type system, and whether calls used a prerecorded message. If you genuinely cannot tell what dialing technology a historical campaign used, apply the stricter written consent standard rather than assuming manual dialing. When the record is unclear, treat it as higher-risk.

Sources

  1. U.S. Code, 47 USC 227 (Telephone Consumer Protection Act): Statutory damages of $500 per violation and up to $1,500 for willful violations; prohibition on autodialed calls to wireless numbers without prior express consent
  2. FCC, Report and Order on One-to-One Consent (FCC 23-107), effective January 27, 2025: Express written consent for robocalls and robotexts must be granted to one seller at a time; multi-party bundled consent no longer satisfies the standard
  3. FTC, Telemarketing Sales Rule, 16 CFR Part 310, and National Do Not Call Registry: Telemarketers must scrub against the National DNC Registry within 31 days before calling; recordkeeping required for 24 months; DNC subscription pricing structure
  4. FCC, Reassigned Numbers Database (reassigned.us): FCC maintains a database of disconnected and reassigned wireless numbers; callers who ignore a reassigned result lose good-faith safe harbor protection
  5. ActiveProspect, TrustedForm Consent Certificate Documentation: TrustedForm creates a timestamped, auditable record of exactly what a consumer saw and agreed to on a lead gen form at the moment of submission
  6. Florida Legislature, Florida Telephone Solicitation Act, Florida Statutes Section 501.059: Florida requires written consent for autodialed or prerecorded telephonic sales calls; $500 per-call private right of action; separate state DNC list
  7. California Legislature, California Invasion of Privacy Act, Penal Code Section 630 et seq.: California imposes all-party consent requirements for recorded telephone calls that create additional compliance obligations for telemarketers contacting California residents
  8. FTC, National Do Not Call Registry Data Book FY 2024: More than 249 million active registrations on the National Do Not Call Registry as of fiscal year 2024

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit