Last updated 2026-07-11

TL;DR
To defend a TCPA lawsuit, you need more than a checkbox. You need a timestamped record of who consented, on which URL, at what time, with what disclosure language visible at that moment. Courts have dismissed claims when defendants produced this metadata and have awarded up to $1,500 per call when they could not. Store records for at least five years, ideally longer.
What is consent metadata and why does it matter for TCPA defense?
Consent metadata is the structured data that proves a specific person agreed to be contacted at a specific moment. It is not the opt-in itself. It is the evidence that the opt-in happened, when it happened, what was disclosed, and where.
The TCPA (47 U.S.C. § 227) requires prior express written consent before you send marketing texts or make telemarketing calls to cell phones using an autodialer or prerecorded message [1]. The statute text says consent must be "clear and conspicuous," but the statute does not define what proof of that consent looks like in litigation. Courts fill that gap. They fill it with metadata.
When a plaintiff sues, their attorney sends a demand letter or a complaint alleging they never consented, or that the consent they gave did not cover your specific type of contact. Your defense lives or dies on what you can produce in discovery. A signed paper form is almost useless. A database record showing IP address 98.134.22.71 submitted a form at 14:23:07 UTC on March 3, 2024 on URL yourdomain.com/quote, with session ID abc123, with version 4.2 of your consent disclosure language, is actual evidence.
The FCC's 2012 order implementing TCPA amendments made prior express written consent a firm requirement for autodialed marketing calls and texts to cell phones, replacing the prior express consent standard for those categories [2]. Since that order, plaintiffs' attorneys have built entire practices around the gap between "we had consent" and "we can prove we had consent." That gap costs companies real money. The Cash App TCPA class action settlement and the Credit One TCPA settlement both involved disputes over whether consent records were adequate.
Good metadata closes that gap.
What specific data points should you capture at the moment of consent?
Every consent event should fire a structured record with at least these fields:
| Field | What it proves | Example value |
|---|---|---|
| Timestamp (UTC) | When consent occurred | 2024-03-03T14:23:07Z |
| IP address | Where the submission came from | 98.134.22.71 |
| Phone number (E.164) | Who consented | +12125551234 |
| Email (if collected) | Corroborates identity | user@email.com |
| Form URL | The exact page shown | https://site.com/quote?utm_source=google |
| Consent disclosure version | What language they saw | disclosure_v4.2 |
| Full disclosure text (or hash) | Verbatim or cryptographic proof of the language | SHA-256: 3f8a... |
| User-agent string | Device and browser context | Mozilla/5.0 Chrome/122 |
| Session ID | Ties all page actions together | sess_a8b2c4d9 |
| Source/lead ID | Where the lead came from | leadid_xyz or TrustedForm cert URL |
| Double opt-in confirmation timestamp | Proof they confirmed on a separate step | 2024-03-03T14:25:01Z |
The IP address alone is not enough. Plaintiffs' attorneys have argued, and won, that an IP address does not prove the named plaintiff submitted the form, only that someone at that IP did. Pairing IP with session ID, user-agent, and a lead certification URL (from services like ActiveProspect's TrustedForm or Jornaya's LeadiD) makes the record much harder to attack, because those third-party certificates are generated in real time and are independently timestamped [3].
The consent disclosure version field is one people skip and then regret. Regulations change. Your disclosure language evolves. Six months into litigation, you need to show more than that you had a disclosure. You need to show that the disclosure visible on the exact day of that consent was legally sufficient. Store a hash of the disclosure text along with the record. Then you can prove the text later without storing gigabytes of HTML per record.
For text message marketing consent specifically, the FCC's 2023 one-to-one consent order (which faced legal challenges as of early 2025 but represented the agency's intended direction) pushed toward requiring that consent identify the specific seller, not a category of sellers [4]. Even if that rule's final status is uncertain, capturing the specific brand and phone number the consent referenced costs you nothing and protects you from the underlying argument.
How should you handle consent captured through lead generators or third-party forms?
Buying leads is where most TCPA exposure lives for small outbound teams. The person who submitted the form never heard of your company. They clicked a checkbox on some comparison site that said "I agree to be contacted by partners." Now you call them, and they sue you.
The core problem is that you did not control the consent event. You have to obtain the metadata from someone else, and that someone else has a financial incentive to make their consent look adequate even when it is not.
Here is what actually works. Require your lead vendor to provide a third-party consent certificate with every lead. TrustedForm and Jornaya LeadiD are the two main options; both generate a certificate URL at form submission time that you can independently verify and retain [3]. The certificate captures a session replay of the page, the timestamp, the IP address, and the exact form fields submitted. If a plaintiff later claims the disclosure was hidden in tiny text, you pull the session replay.
Get a data processing agreement with every vendor that specifies they will retain raw consent records for the same period you need and will produce them on your request within a defined timeframe. This matters because vendors go out of business, get acquired, or simply do not bother to retain old records.
Scrub every inbound lead list against the Do Not Call list before your first contact [5]. Consent does not override DNC registration for most purposes; the two are separate legal requirements. You need both.
If a vendor cannot or will not give you a third-party certificate, that lead is high risk. You are accepting their word that consent was captured. Some teams take that risk for certain lead sources. Just know you are taking it.
What does a consent record storage system actually look like?
There is no single required architecture, but there are four properties any system needs: immutability, redundancy, fast retrieval, and long retention.
Immutability matters because a consent record that an employee can edit after the fact is nearly useless in litigation. Courts have sanctioned defendants for record destruction. Store consent records in a write-once or append-only system. AWS S3 with Object Lock enabled, for example, prevents modification or deletion for the period you specify. Some teams use a dedicated compliance database with audit logging that records every read and write. The exact technology matters less than the property it achieves.
Redundancy is straightforward: a primary database and a separate backup that replicates in near-real time, at minimum. Store at least one copy offsite. If your CRM vendor shuts down, you should still have your consent records.
Fast retrieval means you can produce a specific consent record within hours, not weeks. In litigation, opposing counsel requests consent records in discovery and courts set deadlines. A system where you dig through flat files from years ago by hand is a liability. Structure your database so you can query by phone number, email, date range, or lead source and return the full record with all fields.
Long retention is covered more below, but your storage system needs to support whatever retention period you choose without auto-deletion policies quietly purging old records.
For teams using a CRM like Salesforce or HubSpot, the CRM is a reasonable place to store consent status and a reference to the full consent record. It is usually not the right place to store the raw metadata. CRMs get customized, records get merged, and audit trails get broken. Keep the authoritative consent record in a separate, purpose-built store and use your CRM to link to it by ID.
LeadCompliant's compliance kit includes a consent record schema template you can implement in any database system, which is a practical starting point if you are building this from scratch.
How long do you need to retain consent records?
The TCPA itself does not specify a retention period. That is both a relief and a trap.
The federal statute of limitations for TCPA claims is four years under 28 U.S.C. § 1658, the general federal question limitations period [6]. A plaintiff can sue you up to four years after the alleged violation. Your consent record needs to cover the date of every contact you made, plus four years. If you called someone in January 2022, you need that consent record available through at least January 2026.
Some states have longer periods. California, for instance, lets private plaintiffs bring state-law claims under the Invasion of Privacy Act (CIPA) or the California Consumer Privacy Act with different limitation periods [7]. Operate in multiple states, and you face a patchwork.
The practical answer most compliance attorneys give is five years minimum from the date of last contact, with many recommending seven years for companies in high-litigation states or industries. Five years covers the federal window with a margin. Seven years covers most state variations and gives you room if a claim is filed late and disputed.
Set your retention policy in writing. Define the start of the retention clock clearly: is it the date consent was captured, the date of first contact, or the date of last contact? Last contact is the safest, because the violation, if any, happens at the point of contact.
Think about what happens when someone revokes consent. Keep the revocation record too, including when it happened and through what channel. A claim that you called someone after they opted out requires you to produce proof of when you received the opt-out and when you stopped calling. Without that, the plaintiff's timeline controls the narrative.
What has actually happened in court when consent records were missing or inadequate?
Courts have been blunt about what inadequate records cost defendants.
In Berman v. Freedom Financial Network (9th Cir. 2022), the Ninth Circuit held that websites using pre-checked boxes or buried consent language did not produce valid consent, and the company's inability to show the specific disclosure language presented to the plaintiff was a serious problem in the record [8]. The fight cost Freedom Financial more than the settlement amount in legal fees and attention alone.
The Cash App TCPA class action settlement shows a different failure mode: even large companies with legal teams can end up in class action exposure when their consent capture has gaps at scale. When millions of contacts are in play, even a low percentage of incomplete records translates into an enormous class size.
On the defense side, courts have granted summary judgment to defendants who produced detailed consent metadata. When a defendant shows a third-party certificate timestamped before the first call, with a session replay of the disclosure page, matching the plaintiff's IP address and device fingerprint, the plaintiff's claim that they never consented becomes very hard to sustain.
Statutory damages under the TCPA are $500 per violation and $1,500 per willful violation [1]. In a class action, multiply that by tens of thousands of class members and you understand why plaintiffs' attorneys invest heavily in finding companies with poor consent records. Good records are your cheapest defense.
How do you capture consent metadata for cold calling campaigns specifically?
Cold calling is a different problem, because in many cases you are calling people who did not submit any web form. You are working from a purchased list, a referral, or a public directory. The consent analysis depends on who you are calling and with what equipment.
Calls to landlines using a human dialer and a natural voice do not require TCPA prior express written consent. They require the number not be on the Do Not Call telemarketer list and that you follow calling hour restrictions [5]. If you are making those calls, your "consent metadata" is really a DNC scrub record: when did you check the number against the national DNC registry, which registry version did you use, and when did you last run the scrub.
For cold calls to cell phones using an autodialer or prerecorded message, you need prior express written consent regardless of DNC status. That means you captured consent through some prior interaction, or the call falls under an established business relationship (EBR) exception that does not apply to most cold outreach.
For a cold calling operation targeting cell phones with manual dialing and live agents, the TCPA's autodialer restrictions technically do not apply after Facebook v. Duguid (2021) [9], but state laws may impose their own requirements. Washington State, Florida, and Oklahoma all have laws that go beyond the federal TCPA in various ways.
Document your DNC scrub process the way you document consent. Record the scrub date, the registry version number (the FTC updates the registry and version-stamps it), the vendor you used if any, and the result for each number. If you are on the mobile phone Do Not Call list side of this, the same record-keeping logic applies.
What should your consent disclosure language actually say to be defensible?
The FCC's 2012 TCPA order specifies that prior express written consent requires, at minimum, a written agreement that includes the consumer's phone number, a clear and conspicuous disclosure that the consumer authorizes the seller to make autodialed or prerecorded calls or texts, and the consumer's signature (which can be an electronic signature under the E-SIGN Act) [2].
The FCC's 2012 order requires that the agreement "clearly and conspicuously disclose to the consumer" the agreement to receive autodialed calls or texts. The disclosure cannot be buried in fine print, hidden behind a hyperlink, or pre-checked.
Here is what a defensible disclosure generally contains: the company name (or names, if multiple), the specific phone number or a description of the communications covered (marketing calls, automated texts, and so on), a statement that consent is not a condition of purchase, and the consumer's affirmative signature action (an unchecked checkbox they must check, not a pre-checked one).
Where most small teams get this wrong is the "not a condition of purchase" requirement. The FCC regulations implementing 47 U.S.C. § 227 require that prior express written consent may not be a condition of purchase [2]. If your only way through a checkout or quote form is to check the consent box, that consent is probably invalid.
Keep every historical version of your disclosure language with the date ranges it was live. When you update the language, archive the old version. Version your disclosures the way a software team versions code. This is the single easiest thing to implement and the one teams most consistently skip.
How do you handle consent revocation and document it properly?
Revocation is as important as the original consent. A consumer can revoke TCPA consent at any time, by any reasonable means [2]. That last phrase has been litigated, but it broadly means that if someone texts STOP, calls your office and says to stop calling, or emails the same, you have received a revocation and must honor it.
The FCC issued a ruling in 2024 clarifying that companies must honor opt-outs across the entire company relationship, more than for the specific phone number or campaign through which the opt-out was sent [4]. That ruling also addressed multi-opt-out mechanisms. Whether all of it survives judicial review, the direction is clear: revocations must be treated seriously and broadly.
Your revocation records need the same metadata discipline as your original consent records. Capture the channel (SMS STOP reply, phone call, email, web form), the exact timestamp, the agent or system that processed it, and the action taken (number suppressed, removed from lists). Record when the suppression actually took effect, more than when it was logged.
Build a suppression list that is separate from your active contact list and that gets checked before every campaign. The failure point is almost never the logging. It is the propagation: someone opts out, it gets logged, but the next campaign blast still includes them because the suppression list did not sync in time. Automate the sync and log it.
Keep revocation records for the same period as consent records. If someone sues you claiming you called them after they opted out, you need to show both that they opted out and that the opt-out was honored, and when.
What is a practical consent audit process to run before litigation hits?
Do not wait for a demand letter to find out your consent records are incomplete. Run an audit at least annually, and any time you change lead sources, platforms, or disclosure language.
A useful audit covers five areas. First, spot-check a random sample of recent consent records and verify every required field is present and populated correctly. A 2% sample of the last 90 days of leads is a reasonable start. If you find fields missing in more than 1 in 20 records, you have a systemic problem.
Second, test your retrieval process. Pick a random phone number from six months ago and time how long it takes to pull the complete consent record. More than 30 minutes, and your system will not survive discovery.
Third, verify that your consent disclosure language is current and that every version used in the past five years is archived and retrievable with the correct date ranges.
Fourth, confirm your DNC scrub logs are intact and that scrub dates for every campaign are recorded. If you ran a campaign without a documented scrub, flag it.
Fifth, test your revocation workflow end to end. Send a test opt-out through every channel you accept (STOP reply, email, call), and verify the suppression appears in your active list within whatever SLA you have set.
LeadCompliant's free compliance checkers can help you find gaps in your DNC scrub process as part of this kind of audit, but the consent record audit itself requires you to inspect your own database.
Document the audit results in writing and keep those records too. An audit trail showing you regularly checked your process is evidence of good-faith compliance, which can reduce statutory damages even if you lose on liability.
How do small teams with limited resources implement this without a dedicated compliance team?
The honest answer is that the core infrastructure is not expensive. The expensive part is not having it.
Start with three things. Build a consent record table in whatever database you already have, with the fields listed above. If you use a form tool like Typeform, Gravity Forms, or similar, most can be configured to send webhook data to a Google Sheet or Airtable on submission. That is a primitive consent log, but it beats nothing. Just make sure you capture the timestamp and form URL automatically.
Connect your forms to a third-party certificate provider. TrustedForm's basic pricing runs around $0.01 to $0.05 per certificate depending on volume, which is cheap insurance against the $500-per-violation exposure [3]. Jornaya LeadiD works similarly. Both providers document how to connect their scripts to common form builders.
Set up automated DNC scrubbing. Several vendors offer API-based scrubbing; you can also use the FTC's own process to access the national registry directly [5]. Whatever you use, log the scrub date and registry version with every lead record.
With those three pieces, a two-person sales team has a legally defensible baseline. It is not a full compliance program. You still benefit from a compliance attorney reviewing your disclosure language at least once. But the technical infrastructure is within reach for anyone.
As you grow, the next step is pushing the full consent record into your CRM with a unique ID per consent event, and adding an audit log so every read of a consent record is tracked. That is when you start looking at purpose-built tools rather than spreadsheets.
Frequently asked questions
What is the minimum information needed in a TCPA consent record?
At minimum you need: the consumer's phone number, a timestamp of when consent was given, the URL or medium where consent was captured, and the exact disclosure language that was shown (or a hash of it). IP address is strongly recommended. A third-party certificate from a service like TrustedForm adds independent verification. Missing any of these makes your record substantially weaker in litigation.
How long should you keep TCPA consent records?
The federal TCPA statute of limitations is four years under 28 U.S.C. § 1658. Most compliance attorneys recommend keeping records for five years from the date of last contact, and up to seven years if you operate in states with longer private right of action periods like California. Count the retention clock from last contact, not the date consent was captured.
Can a third-party consent certificate replace having your own consent records?
No. A TrustedForm or Jornaya certificate is strong corroborating evidence, but it does not replace your own records. The certificate proves a form was submitted at a time and place. Your records prove what you did with that consent and that you made contact only within its scope. You need both, plus records of every contact made and every opt-out received.
What happens if a consumer says they never consented and you cannot produce the record?
Without a consent record, you cannot disprove the plaintiff's claim. Courts generally treat TCPA consent as an affirmative defense, meaning the burden is on you to prove consent existed. If you cannot produce the record, you effectively concede the liability element, and the case becomes a dispute about damages only. Settlements in that posture are almost always higher than when you have records.
Does buying a lead list with consent included protect you from TCPA liability?
Not automatically. You are legally required to independently verify that consent was given for contact by your specific company, or at minimum for contact by sellers in your category. Vendor-supplied consent records are only as good as the vendor's capture process. Get a third-party certificate with each lead and a contractual warranty from the vendor, and review a sample of their consent flow before buying at scale.
Do you need separate consent records for calls versus texts?
Yes, practically speaking. The TCPA requires prior express written consent for both autodialed marketing calls and autodialed marketing texts to cell phones. If your consent disclosure only references calls, it likely does not cover texts, and vice versa. Your disclosure should explicitly reference each communication type you intend to use, and your records should reflect which types were authorized.
How do you document consent when it was given verbally over the phone?
Verbal consent is not prior express written consent under the TCPA for marketing calls to cell phones, so you cannot use it as the basis for ongoing automated marketing contact. For inbound calls where a live agent obtains consent, you would need a digital signature or SMS confirmation to meet the written requirement. Recording the call is useful but does not substitute for the written standard.
What is a consent disclosure version and why does it matter?
Your disclosure language changes over time as regulations evolve or legal counsel updates your forms. A consent disclosure version is a label (like v2.1 or a date-stamped identifier) tied to the exact text shown at the time of consent. Without versioning, you cannot show in litigation what a consumer agreed to on a specific date, because you can only produce your current language, which may differ from what they saw.
Are there specific consent record requirements for calling Do Not Call numbers?
Yes. A DNC-registered number can be called only if the consumer gave express written invitation or permission to that specific seller, or if there is an established business relationship. If you are relying on written permission to override DNC status, your consent record must document that permission clearly and show it predates the calls. The record also needs to show your DNC scrub, because the two defenses are independent.
What does immutable storage mean and do you actually need it?
Immutable storage means records cannot be altered or deleted after creation. AWS S3 with Object Lock is one example. You do not legally need immutable storage, but if your records can be edited by employees, opposing counsel will argue they may have been. Immutable storage removes that argument entirely. For teams that cannot implement it technically, strong audit logging showing every write and who made it is the next best option.
How quickly do you need to respond when consent records are subpoenaed?
Federal civil procedure rules set deadlines for responding to discovery requests, typically 30 days from service of a request for production. Courts can shorten that window. If finding your consent records takes weeks because they are spread across CRMs, spreadsheets, and vendor systems, you may miss the deadline and face sanctions. Design your system so any single record is retrievable in under an hour.
Does CCPA or state privacy law affect how you store TCPA consent records?
Yes, in some states. California's CCPA gives consumers the right to request deletion of their data, but there is a legal hold exception: if you have a litigation hold or a reasonable basis to anticipate litigation, you can retain records you would otherwise delete. More practically, if you delete consent records under a CCPA request before a TCPA claim arises, you may have destroyed the only evidence that would defend you. Document your retention rationale carefully.
What is the role of a consent audit in avoiding TCPA class actions?
Class actions require a common question of law or fact across all plaintiffs. If your consent records are systematically incomplete, that systemic gap can define the class. A pre-litigation audit that finds and fixes gaps across your entire lead database reduces the class size potential. Even if you still face individual suits, a documented audit showing good-faith compliance reduces the likelihood of willful violation findings and the $1,500-per-violation treble damages.
Sources
- Cornell LII, 47 U.S.C. § 227 (TCPA statutory text): TCPA requires prior express written consent for autodialed marketing calls and texts; statutory damages are $500 per violation, $1,500 for willful violations
- ActiveProspect, TrustedForm product documentation: TrustedForm generates real-time third-party consent certificates with session replay, timestamp, IP address, and form field capture
- FTC, National Do Not Call Registry information for businesses: Telemarketers must scrub against the national DNC registry; scrub records should document the registry version and date used
- Cornell LII, 28 U.S.C. § 1658 (federal statute of limitations): Federal statute of limitations for claims arising under acts of Congress is four years, applicable to TCPA private claims in federal court
- California Attorney General, California Consumer Privacy Act (CCPA): California's CCPA and related state laws create additional obligations that interact with TCPA consent record retention requirements
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems using random or sequential number generation, affecting which cold calling equipment triggers TCPA prior express written consent requirements
- FTC, Telemarketing Sales Rule (16 C.F.R. Part 310): TSR governs DNC compliance for telemarketing, requires sellers to access the registry and document scrub activity; applies alongside TCPA
- Cornell LII, Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. § 7001: E-SIGN Act validates electronic signatures, allowing digital checkbox consent to satisfy the written signature requirement for TCPA prior express written consent