How to build a compliant re-engagement campaign for lapsed leads

Re-engaging old leads risks TCPA suits if consent has expired. Learn the exact steps to scrub, re-consent, and contact lapsed leads legally. Free checklist inside.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-11

Sales manager reviewing lapsed lead contact sheets at a desk for compliance
Sales manager reviewing lapsed lead contact sheets at a desk for compliance

TL;DR

A compliant re-engagement campaign starts with proof that consent is still valid. Scrub every number against the National DNC Registry and your internal list, check whether the consent has gone stale, and capture fresh opt-in before you send texts or place auto-dialed calls. Miss one step and you're exposed to $500 to $1,500 in TCPA damages per call.

What is a lapsed lead, and why does re-engaging one carry legal risk?

A lapsed lead is a contact who showed interest once and then went silent for months or years. Maybe they filled out a form in 2021, talked to a rep, and never bought. They sit in your CRM costing you nothing. The urge to work that list again is understandable.

The risk comes from how the TCPA actually works. Under 47 U.S.C. § 227, calling or texting a mobile number with an automatic telephone dialing system (ATDS) or a prerecorded voice, without prior express written consent, is a federal violation [1]. Damages run $500 per violation, up to $1,500 for willful ones. Consent is not permanent. The FCC has held repeatedly that consent can be revoked and that sellers have to honor revocation promptly [2].

Here's what makes lapsed leads risky in a way fresh ones aren't. The person may have changed their number. That number may now belong to a stranger who never consented to anything. The lead may have joined the National Do Not Call Registry after opting in with you. Or your consent record may be thin and unprovable. Any one of those facts turns friendly outreach into a lawsuit.

The cases that produce the biggest settlements, like the Cash App TCPA class action settlement, almost always involve companies that contacted people whose consent was stale, missing, or impossible to document. Get this right before you dial. It's not optional.

The TCPA sets no hard expiration date on consent. But the FCC and the courts have made clear that consent goes legally unreliable in ways that expose you to real liability. This question trips up more teams than any other.

The FCC's 2012 order, codified at 47 C.F.R. § 64.1200, requires prior express written consent for autodialed or prerecorded telemarketing calls and texts to mobile numbers [3]. It never says consent expires after 18 months or any other number. What the FCC has said, through rulings and enforcement, is that revocation must be honored right away, and that ambiguous or undocumented consent is the seller's problem, not the consumer's.

Most compliance attorneys treat consent as potentially stale after 18 to 24 months of silence, though there's no bright-line federal rule. The bigger risk is number reassignment, not the calendar. The FCC's Reassigned Numbers Database tracks numbers that carriers have handed to new subscribers [4]. If you call a number you have consent for, but it was reassigned since the opt-in, the new subscriber has no relationship with you. You've violated the TCPA as far as the law cares.

Work from the safe assumption: any lead you haven't touched, and who hasn't engaged, in 18 or more months needs fresh consent before you autodial their mobile or send a marketing text.

What does the National DNC Registry require for re-engagement campaigns?

The National Do Not Call Registry, run by the FTC under 16 C.F.R. Part 310 (the Telemarketing Sales Rule), bars telemarketing calls to any listed number unless you have an established business relationship (EBR) or express written permission from that consumer [5]. Both exceptions have tight limits.

An EBR, in the FTC's definition, exists when a consumer bought from you or made a financial transaction within the past 18 months, or inquired or applied within the past 3 months. Those windows are not suggestions. A lead who filled out a webform 4 months ago but never bought is likely outside the 3-month inquiry window. A lead from 2022 is gone.

Scrub every number on your outreach list against the current National DNC Registry before you dial. You have to subscribe for commercial access, and you have to re-scrub at least every 31 days [5]. Pulling the list once and sitting on it for three months is a violation waiting to surface.

You also need an internal DNC list. If anyone on your lapsed list ever asked you not to call, that request stands for at least 5 years under the TSR. Your CRM needs a field for it, and that field needs a check before any number enters a dialing sequence. These are separate rules, and both apply at once. See our overview of the do not call list for the full registration and scrubbing workflow.

State registries add another layer. Texas, Indiana, Wyoming, and others maintain their own lists. If you call into those states, check both the federal registry and the state one.

Key TCPA and TSR thresholds for re-engagement campaigns Statutory limits and time windows that determine whether outreach is compliant 500 TCPA damages per violation (negligent) 1,500 TCPA damages per violation (willful) 18 EBR window from last purchase (months) 3 EBR window from last inquiry (months) Source: 47 U.S.C. § 227, 16 C.F.R. Part 310 (FTC TSR), FCC 47 C.F.R. § 64.1200

Pull your full lapsed list and, for every record, ask four questions before it goes near a dialer or a text campaign. This audit is where most of the exposure gets caught.

First, do you have documented proof of consent? For TCPA purposes, proof means a timestamp, an IP address, the exact language the person saw, and the URL where they opted in. A rep's note that says "talked to John, interested" is not consent. A screenshot of a webform with a checkbox is better but still needs backup. If you can't produce a clear opt-in record for a number, treat it as no consent.

Second, was the consent written and specific? The FCC's rules require prior express written consent for autodialed or prerecorded marketing, and the agreement has to name the seller [3]. Generic language like "you may be contacted by our partners" may not cover you if your company wasn't named.

Third, has the number been reassigned? Run every number through the FCC's Reassigned Numbers Database or a third-party validator that queries it. The database went live in 2021 and carriers submit disconnected numbers to it [4]. A subscription costs money. A single class action costs a great deal more.

Fourth, is the number on the DNC Registry, and do you have an active EBR covering it? Check the last purchase or inquiry date against the 18-month and 3-month windows.

A table helps here:

Consent issueWhat it means for outreach
No documented opt-inDo not contact via ATDS or prerecorded call; consider manual call only if DNC-clean
Written consent older than 18 months, no engagementGet fresh opt-in before autodialing or texting
Number flagged as reassigned in RNDRemove from list entirely
Number on National DNC, no EBRDo not call; needs express written permission
Number on internal DNCDo not call under any circumstances
Valid written consent, recent engagement, not on DNCSafe to include in campaign

Getting fresh consent is the cleanest path when your old records are ambiguous or outdated. The catch is circular: you can't easily get fresh consent through the channel that requires consent. You can't autodial a text asking someone if they want to be texted.

Here's what actually works. If the lead has an email address and your email program is clean (CAN-SPAM compliance sits separate from TCPA), an email re-permission campaign is a common move. The email asks the person to click a link, fill out a short form, or reply to confirm they want to hear from you. The confirmation captures a timestamp and IP address. Store that as your new consent record.

If you have agents making manual calls (no ATDS), some teams place a single manual call to a lapsed lead as a re-permission touch. The call isn't an autodialed marketing pitch. It's a rep asking whether the person still wants contact. Manual calls to mobile numbers don't carry the same TCPA consent requirement as autodialed ones, though DNC rules still apply. This is a nuanced area. Run it past counsel before you deploy it at scale.

For any fresh opt-in form, follow the FCC's requirements to the letter: clear and conspicuous disclosure of who will contact the person, a statement that consent is not required to buy, and the phone number or text program the person is agreeing to [3]. Don't bury this in a 400-word terms block. The disclosure belongs right next to the button.

LeadCompliant's free compliance kit has a pre-built opt-in disclosure template and a consent audit worksheet covering the documentation fields the FCC expects to see if a complaint ever lands.

What scrubbing steps need to happen before the first call or text goes out?

Scrubbing is not a one-time checkbox. It's a sequence that has to run close in time to your actual outreach, because DNC registrations and number reassignments happen every day. Do it too early and it's worthless by launch.

Start with number validation. Run every number through a real-time lookup that tells you whether it's active, whether it's mobile or landline, and whether it shows up in reassignment data. TCPA protections apply specifically to cell phones for autodialed calls and texts [1], so line type matters.

Next, scrub against the National DNC Registry. You need a current subscription. The safe harbor for a seller who accidentally calls a registered number depends on having accessed the registry within the past 31 days [5]. Pull a fresh scrub file.

Then check your internal DNC list. This is a maintained database of everyone who has ever told your company to stop. The TSR requires you to keep it and honor it for at least 5 years [5].

Sending SMS? Confirm the original opt-in language explicitly covered text messages from your brand. Consent that says "we may call you" does not automatically cover texts. SMS has its own layer. See the text message marketing rules breakdown for the full picture.

Check state requirements for every state you call into. Some states set stricter consent standards than federal law. Florida's mini-TCPA, effective 2021, restricts calls even from non-ATDS equipment in some cases, and it carries a private right of action.

Do all of this within 72 hours of launch. If the campaign runs past 31 days, re-scrub the DNC before day 32.

How do you structure the re-engagement sequence itself to stay compliant?

Your list is scrubbed, your consent is current, your opt-in records hold up. Now structure the sequence so you don't create fresh liability on the way out the door.

Set calling hours and hold the line. The TCPA limits calls to between 8 a.m. and 9 p.m. in the recipient's local time zone, not yours [1]. If your contact is in Denver and your team is in New York, the 9 a.m. Eastern call lands at 7 a.m. Mountain, and that's a violation. Your dialer needs to handle time-zone logic on its own.

For texts, the same 8 a.m. to 9 p.m. local window gets applied widely, though the statute references those hours mainly for calls. CTIA guidelines and carrier codes of conduct reinforce the window for SMS [9].

Build an opt-out into every message and call. For SMS, your first text in any sequence must include clear stop instructions, and STOP replies must be honored immediately and confirmed [2]. For prerecorded voice calls, the message has to identify the caller and offer an automated opt-out at the start [3].

Keep the sequence short. Two to three touches, spaced 3 to 7 days apart, is a reasonable re-engagement window. No response after three attempts, move the lead to suppressed. Hammering a lapsed list with 8 attempts in 10 days is the exact pattern that shows up in class action complaints as evidence of willfulness, which triggers the $1,500 per-call enhanced damages. The Credit One TCPA settlement shows how aggressive dialing multiplies exposure.

Log every outbound attempt with a timestamp, the number dialed, the agent or system used, and the result. Those records are your defense when a complaint lands.

What records do you need to keep, and for how long?

Good recordkeeping is the difference between a complaint that dies quietly and a lawsuit you can't defend. The FTC's TSR requires sellers to keep records for 24 months from the date of the telemarketing campaign [5]. Many attorneys push for 4 to 5 years, given the TCPA's statute of limitations, which courts have generally set at 4 years under 28 U.S.C. § 1658, with some circuit variation.

At minimum, keep the opt-in record for each contact (timestamp, IP, the exact disclosure language shown), the date and result of every DNC scrub, your internal DNC list with the date each number was added, call logs for all outbound attempts, opt-out requests and confirmations, and training records for the people running your campaigns.

Store consent records in a format you can actually produce during litigation. A spreadsheet on one rep's laptop is not a system. A CRM field that exports with a date-stamped audit trail is. When a plaintiff's attorney sends a discovery request, you need clean records in hand within days.

One mistake teams make: they delete records for people who opted out, thinking that honors the opt-out. Don't. You need the opt-out record to prove you processed it. What you delete is the outreach permission, not the suppression flag.

What are the actual penalties if you get a re-engagement campaign wrong?

The TCPA's statutory damages are $500 per violation for negligent violations and $1,500 per violation for knowing or willful ones [1]. Each call or text counts separately. A campaign that fires 10,000 texts to a list with stale consent carries exposure of $5 million to $15 million before a class is even certified. The attorneys who file these suits know the arithmetic cold.

Class actions are the real threat. TCPA claims are easy to plead, so a single plaintiff's attorney can certify a class of thousands and negotiate a settlement untethered from any actual harm. The Cash App case and dozens like it follow the same script: big company, big list, arguable consent, large settlement.

For small teams, the danger is individual plaintiffs and professional litigants who buy burner phones, register them on the DNC, and wait for marketers to call. These "TCPA trolls" are real. A small outbound team that dials 500 lapsed leads without scrubbing could face 500 separate small-claims or federal suits at $500 to $1,500 each.

The FCC can add its own penalties through enforcement actions, up to $10,000 per violation under 47 U.S.C. § 503(b) [6]. Agency enforcement is rare for small teams, but it happens, especially for egregious patterns like ignoring opt-out requests.

The math on doing this right is plain. A solid setup costs a few hundred dollars a month in scrubbing subscriptions plus a few hours of process work. A single class action settlement costs millions and eats years.

Are there special rules for re-engaging leads who originally came through a lead generator?

Yes, and this is where a lot of small teams carry a false sense of security. If you bought leads from a third-party lead generator, the consent that generator collected may or may not transfer to you. Assume it doesn't until you've proven it does.

The FCC's one-to-one consent order, adopted in December 2023 and set to take effect in 2025, reshaped the rules here [7]. Under that order, a consumer's consent has to be specific to the seller who will make the call or send the text. A form that says "you agree to be contacted by our marketing partners" and then sells that consent to 50 companies does not give any of those 50 valid federal consent. (Enforcement of the effective date has been contested in court, so confirm the current status with counsel before you rely on a specific date.)

If your lapsed leads came from a lead gen partner, go back and verify three things: that your company was named in the disclosure the consumer saw, that the consent met the applicable standard for its date, and that the lead gen company holds records you can actually obtain.

Many lead generators can't produce that documentation. When they can't, treat those leads as unconsented for autodialing and texting. You can still reach them through channels that don't require TCPA consent (email, direct mail), and run a re-permission campaign through those channels to build compliant consent in your own name.

LeadCompliant's consent audit checklist covers the one-to-one requirements and includes a template letter you can send to lead gen partners to request the documentation you need.

For a broader look at what consent documentation the FCC expects, the cold calling rules overview covers the standards for voice outreach specifically.

What should a re-engagement campaign compliance checklist actually look like?

Here's a pre-launch checklist that covers the major exposure points. Work through it in order before any outreach goes out.

Consent verification

  • [ ] Pull all leads from the target list with their original opt-in date and documentation
  • [ ] Flag any leads with no documented written consent and move them to a manual-only or email-only segment
  • [ ] Flag leads with consent older than 18 months and no engagement since for re-permission before autodialing
  • [ ] Confirm consent language named your company specifically (one-to-one consent requirement) [7]
  • [ ] Verify lead-gen sourced leads have transferable, documented consent

Number validation and suppression

  • [ ] Run every number through a real-time line-type validator
  • [ ] Query the FCC Reassigned Numbers Database or a licensed provider that queries it [4]
  • [ ] Scrub against the National DNC Registry with a subscription dated within 31 days [5]
  • [ ] Scrub against your internal DNC list
  • [ ] Check applicable state DNC registries for states you're calling into

Campaign structure

  • [ ] Confirm calling hours are set to 8 a.m. to 9 p.m. recipient local time [1]
  • [ ] Confirm opt-out instructions are in every text message
  • [ ] Confirm prerecorded messages identify the caller and offer opt-out at the start [3]
  • [ ] Set a maximum of 2 to 3 touch attempts per lead before suppression
  • [ ] Enable automatic logging of every outbound attempt

Recordkeeping

  • [ ] Verify consent records are stored in an exportable, auditable format
  • [ ] Confirm DNC scrub results are saved with timestamps
  • [ ] Confirm opt-out requests will be logged and processed within 24 hours

This checklist won't cover every edge case, and nothing here is legal advice. Working through it before launch is the kind of documented diligence that helps you in court and in FCC proceedings.

When does a re-engagement campaign cross the line into a cold call, legally speaking?

A re-engagement call becomes a cold call the moment you've lost the factual basis to claim prior consent or an established business relationship. That's a practical distinction, not a label you get to pick.

If the lead's consent is expired, unverifiable, or never met the FCC's written standard, and you're placing an autodialed or prerecorded call to their mobile, you're making an unconsented call. The fact that this person once downloaded your white paper does nothing to the statute's requirements.

Same with the DNC rules. A number on the National DNC Registry requires either an EBR inside the time windows or express written permission. A lead from 2020 who converted once and went quiet has no active EBR with you. Calling them is a cold call for DNC purposes.

What's the difference in practice? A true warm re-engagement call, consent current and documented, is compliant. An unconsented call to a DNC-listed number is a cold call that stacks TSR liability on top of TCPA liability. For cold call rules and what the federal standards require, that's worth understanding on its own before you build the sequence.

The advice: when you're unsure whether a specific record clears the consent or EBR standard, exclude it from your autodialed campaign. The marginal revenue from reactivating a borderline lead never covers the exposure.

Frequently asked questions

There's no hard federal deadline, but the FCC's framework and the FTC's 18-month EBR window make 18 months the practical threshold most compliance attorneys use. If a lead gave consent more than 18 months ago and hasn't engaged since, get fresh opt-in before placing autodialed calls or sending marketing texts. Number reassignment risk also climbs sharply after that window.

Can I text a lapsed lead to ask if they want to opt back in?

Generally, no. Sending a text via an ATDS to someone whose consent has lapsed or is unverifiable is itself a potential TCPA violation. The exception is when the original consent was clearly valid and covers this outreach. A safer path is email re-permission or a manual (non-ATDS) call where agents individually dial to confirm interest before adding numbers back to an automated sequence.

Does the established business relationship exception protect me for lapsed leads?

Only inside the FTC's windows: 18 months from the last purchase or financial transaction, or 3 months from an inquiry or application. A lead who filled out a form 3 years ago with no purchase has no active EBR under the Telemarketing Sales Rule. The EBR is also no defense under the TCPA for autodialed or prerecorded calls to mobile numbers. That still requires written consent.

What is the FCC Reassigned Numbers Database and do I have to use it?

The FCC's Reassigned Numbers Database collects disconnected numbers from carriers so callers can avoid contacting new subscribers who never consented. Using it isn't technically mandatory, but the FCC has indicated it provides a safe harbor against claims that you called a reassigned number in good faith. Skipping it removes that defense. Subscriptions are available directly from the FCC or through licensed third-party providers [4].

The FCC's one-to-one order requires that consent be specific to the seller making the contact, not a general agreement to hear from unspecified partners [7]. Leads bought before the rule took effect may not have consent language that meets the standard. You'll need to verify your company was named in the original disclosure. If it wasn't, those leads need re-permission before you autodial or text them. Confirm the current effective date with counsel, since it has been litigated.

What do I do if someone on my lapsed list is also on the National DNC Registry?

Remove them from your dialing sequence. You can only call a DNC-registered number with express written permission from that specific consumer or an active established business relationship inside the TSR's time windows. A lapsed lead who signed up years ago and has since registered with the DNC has stated their preference. Calling anyway carries TSR liability, with per-violation penalties running above $50,000 as of recent FTC inflation adjustments [5].

Are the TCPA rules different for B2B re-engagement versus consumer re-engagement?

Yes, meaningfully. The TCPA's consent requirements apply to calls and texts to mobile numbers whether the recipient is a business or a consumer. The DNC Registry rules under the TSR, though, apply specifically to personal, not business-to-business, transactions. If you're calling someone's direct business mobile for a true B2B purpose, you may have more room, but the number type and its registration status still matter.

You need documentation from the third party showing the exact language displayed on the opt-in form at submission, a timestamp, the submitter's IP address, and confirmation that your company was named. Under the one-to-one rule, generic partner consent isn't enough. Request this documentation from your lead vendor in writing and keep it with your campaign records.

What calling hours apply to a re-engagement campaign?

The TCPA restricts calls to between 8 a.m. and 9 p.m. in the called party's local time zone, under 47 U.S.C. § 227 and the regulations at 47 C.F.R. § 64.1200 [1]. This applies to both autodialed and prerecorded calls. Some states, like California, impose stricter windows. Your dialer or CRM has to assign time zones automatically from the number's area code and locality data.

How often do I have to re-scrub my list against the DNC Registry during a long campaign?

At least every 31 days. The FTC's Telemarketing Sales Rule requires that you access the National DNC Registry no more than 31 days before placing a telemarketing call to any number [5]. If your campaign runs two months, you need at least two fresh scrubs. Save each scrub result with a timestamp as part of your compliance records.

Yes. If the original consent wasn't properly documented, the number was reassigned to a new person, the lead revoked consent (even informally), or your contact method wasn't covered by the original language, a plaintiff can and likely will prevail. Courts have held that the burden of proving valid consent sits with the caller, not the consumer. If you can't produce clean records, that burden is very hard to meet.

What is a reasonable number of contact attempts for a re-engagement campaign?

Two to three attempts spaced several days apart is a defensible standard. No federal rule caps the number of attempts outright, but dialing patterns showing repeated calls after no response are exactly what plaintiffs' attorneys point to as evidence of willfulness, which triggers the $1,500 per-call enhanced damages under the TCPA. After three unanswered attempts, suppress the number.

Do I need a separate process for re-engaging leads who originally opted in via text keyword?

Yes. Text keyword opt-ins are valid consent for SMS, but confirm the language covered your specific brand and message type. If you now plan to call those leads via autodialer, a text keyword opt-in generally doesn't provide the written consent the TCPA requires for voice calls. You'd need a separate consent capture that specifically authorizes autodialed calls.

Move them to a suppressed or manual-only segment rather than deleting the records. You can still reach out through channels that don't require TCPA consent, like email under CAN-SPAM, and use those touches to collect fresh documented consent. Keep the record with a note that consent was unverifiable as of the audit date. Deleting records that might matter to a future claim can create its own legal exposure.

Sources

  1. U.S. Congress, Telephone Consumer Protection Act, 47 U.S.C. § 227: TCPA prohibits autodialed or prerecorded calls/texts to mobile numbers without prior express consent; damages are $500-$1,500 per violation; calling hours restricted to 8 a.m.-9 p.m. recipient local time
  2. FCC, 2015 TCPA Omnibus Declaratory Ruling and Order, CG Docket No. 02-278: FCC held that consumers can revoke consent through any reasonable means and sellers must honor revocation promptly; also confirmed opt-out must be immediate for text messages
  3. FCC, 47 C.F.R. § 64.1200 (Telemarketing rules implementing TCPA): Prior express written consent required for autodialed or prerecorded telemarketing calls/texts to mobile numbers; consent must clearly authorize the seller by name; prerecorded messages must identify caller and provide opt-out at the start
  4. FCC, Reassigned Numbers Database (reassigned.us, administered under FCC rules): FCC's Reassigned Numbers Database collects disconnected numbers from carriers; launched 2021; provides safe harbor for callers who query it in good faith
  5. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR prohibits calling DNC-registered numbers without EBR (18 months from purchase, 3 months from inquiry) or express written permission; requires DNC scrub within 31 days of calling; internal DNC list must be maintained 5 years; TSR records must be kept 24 months
  6. FCC, 47 U.S.C. § 503(b) (forfeiture penalties): FCC can impose forfeiture penalties up to $10,000 per violation for willful or repeated violations of the Communications Act
  7. FCC, Report and Order on One-to-One Consent, CG Docket No. 21-402 (adopted December 2023): FCC's one-to-one consent order requires that TCPA consent be specific to the individual seller; generic partner consent forms no longer sufficient
  8. FTC, National Do Not Call Registry: National DNC Registry maintained by FTC; commercial access requires subscription; numbers must be scrubbed no more than 31 days before a telemarketing call
  9. CTIA, Messaging Principles and Best Practices: CTIA guidelines reinforce 8 a.m.-9 p.m. local time restriction for commercial SMS and require clear opt-out instructions in text message campaigns
  10. FTC, Complying with the Telemarketing Sales Rule (business guidance): FTC guidance confirms TSR record retention requirement of 24 months and describes internal DNC list maintenance obligations for sellers

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit