How to export a TCPA consent audit trail from your CRM

Step-by-step guide to exporting a TCPA consent audit trail from your CRM. Covers required fields, retention rules, and what survives a lawsuit. ~160 chars.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-09

Hands reviewing printed consent records beside a laptop with timestamped data rows
Hands reviewing printed consent records beside a laptop with timestamped data rows

TL;DR

A TCPA consent audit trail is a timestamped, uneditable record proving a consumer gave written or oral consent before you called or texted them. To export one from your CRM, you need at minimum: the contact's phone number, consent date and time, IP address or call recording, consent language shown, and the source URL or script. Courts have dismissed TCPA suits when defendants produced exactly this evidence.

A TCPA consent audit trail is the chain of evidence proving a specific person, on a specific phone number, agreed to hear from you before you dialed or texted. The Telephone Consumer Protection Act, 47 U.S.C. § 227, requires prior express written consent for autodialed or prerecorded telemarketing calls and texts to cell phones. [1] No documented trail, no proof. In TCPA litigation, the practical burden of showing consent lands on you.

The stakes are real. Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per negligent violation and up to $1,500 per willful violation, with no cap on class size. [1] The cash app tcpa class action settlement reached $10.5 million. The credit one tcpa settlement hit $12.5 million. Both cases turned partly on whether the companies could produce reliable consent records.

An audit trail is not a checkbox on a form. It is a reproducible, exportable package of data that answers every question a plaintiff's attorney or the FCC will ask. Who consented? To what number? Using what language? When? From where? What system captured it? Has anyone touched it since?

A defensible consent record ties an exact phone number to an exact disclosure at an exact moment, with proof that nobody edited it afterward. The FCC's 2012 TCPA Order (FCC 12-21) defined prior express written consent as an agreement in writing that bears the signature of the person called and clearly authorizes calls or texts using an autodialer or prerecorded voice. [2] That definition sets the minimum field list for any export.

Here are the fields you need and why each one matters:

FieldWhy it's required
Phone number (E.164 format)Ties consent to the exact number you dialed or texted
Consent timestamp (UTC)Proves consent preceded the first contact
IP address of submitting deviceLinks the digital signature to the person
Consent language displayed verbatimShows the FCC-required disclosure was present
Source URL or landing pageIdentifies the page where consent was collected
Form version / campaign IDLets you pull the exact disclosure language if challenged
Consumer name and emailCorroborates identity
Opt-in method (web form, IVR, paper, third-party lead)Determines what proof standard applies
CRM record IDLinks the consent to your contact record unambiguously
Any subsequent opt-out event with timestampRequired to show you honored revocation

For third-party leads, the FCC's January 2025 one-to-one consent rule (FCC 23-107) added a new requirement: the consumer must have separately consented to your company by name, more than a lead aggregator's blanket disclosure. [3] If you buy leads, you need the lead vendor's consent record too, more than your own CRM entry.

Oral consent for non-telemarketing informational calls asks for less. You still need a call recording or a signed confirmation, plus the date, time, and agent ID. For cold calling on landlines, the consent standard is lower, but a paper trail still protects you from do-not-call complaints.

Keep consent records at least five years from the date of last contact with that person. The TCPA statute itself sets no single retention period. The practical floor is four years, because that matches the longest limitations window courts apply to TCPA claims under the federal catch-all in 28 U.S.C. § 1658. [4] Five years gives you a buffer over any theory.

Several federal circuits have held the four-year catch-all limitations period applies to TCPA claims. The Ninth Circuit has at times applied a two-year period instead, so the correct window is genuinely unsettled. [5] When the law is unclear, retention is cheap and a missing record is not.

DNC compliance records are a separate obligation. FTC rules require companies that access the National Do Not Call Registry to keep their subscription records and scrub logs. That duty runs alongside consent, not inside it. See the do not call list rules for scrub timing.

Stored records must be immutable or at least version-controlled. If your CRM lets any user edit a consent date, a plaintiff's expert will say the record was manipulated. Your discovery export needs to show the record was written once and left alone, ideally with a database hash or an append-only log to prove it.

TCPA consent audit trail: key numbers Core thresholds every compliance team should know 500 $500 per negligent TCPA violation (statutory minimu… 1,500 $1,500 per willful TCPA violation (statutory maximu… 5 5 years: recommended consent record retention (years) 2,025 Jan 27, 2025: FCC one-to-one consent rule eff… Source: 47 U.S.C. § 227; FCC 12-21; 28 U.S.C. § 1658

Salesforce has no built-in TCPA consent object, so you are working with custom fields or a third-party consent package. The export path depends on how your team set things up.

If consent lives in custom fields on the Contact or Lead object, go to Setup, open the Data Export tool, and select the objects that carry those fields. Schedule a weekly or on-demand CSV export. Include the SystemModstamp and CreatedDate fields alongside your custom consent fields. Those are Salesforce's system timestamps, and a court can verify a user did not alter them.

If you used a package like Salesforce's own Consent Management, or a third-party tool like OneTrust connected to Salesforce, those tools carry their own audit log exports, usually under a compliance or data-subject-requests menu. Export as CSV or JSON and keep the raw file, not a screenshot.

Data export gives you a point-in-time snapshot. It does not stop future edits. The moment litigation is reasonably anticipated, freeze the relevant records with a sandbox copy or a field-level history report. Field History Tracking in Salesforce logs every change to a field for up to 18 months, so turn it on for consent fields now, before you need it. [6]

One mistake shows up again and again: exporting only the Contact record and forgetting the related Campaign Member or Activity logs that show when the first text or call went out. You want the consent record and the first-contact record side by side, with the consent date earlier.

HubSpot has a built-in privacy and consent tool under Settings, but it was built for European email consent, not TCPA. For TCPA, you almost certainly stored consent in custom contact properties, and that is what you export.

Go to Contacts, filter by the relevant consent property (for example, "TCPA SMS Consent = Yes"), then hit Export in the top right. Select every property you need, including the property's last-modified date. When you request a full property export, HubSpot appends a property history file that shows every value the field has held and when it changed. That history file is your log.

HubSpot also logs form submissions on the contact's activity timeline. Each submission carries a timestamp, the form ID, and the page URL where the form lived. Pull those in bulk through the Engagements API.

One limit to plan around: HubSpot property history reaches back to the contact's creation but stores only the last 1,000 changes per property per contact. High-volume contacts can truncate older consent events. If you run high-frequency text message marketing campaigns and re-consent contacts often, that becomes a real problem. The better architecture writes consent events to a separate log table in your data warehouse and uses the HubSpot contact ID as the join key.

Most small-team CRMs export consent the same way, with a few platform quirks. Pull three files for every batch: the consent records, the communication log, and the opt-out log. A CRM that cannot give you those three is inadequate for TCPA-exposed work.

ActiveCampaign: Export contacts under Lists or Segments. The audit log (Settings, Audit Log) records field changes with timestamps and user IDs. Export both the contact data and the audit log CSV for a full picture.

Zoho CRM: Setup, Data Administration, Export. Zoho stores field history under Module Insights, and you can pull a field audit trail for any custom consent field. Turn field history on before you need it.

Go High Level (GHL): The Contacts export sits in the sub-account dashboard. GHL logs opt-in sources in the contact's activity feed. Export through the reporting section or the API. GHL's SMS compliance tools log the opt-in keyword and timestamp when you use two-way keyword opt-ins.

Always export in a non-proprietary format (CSV or JSON). Never rely on a PDF screenshot.

Teams running a separate consent management platform, like OneTrust, Osano, or Wirewheel, get their own audit logs and export functions. Those logs are often more defensible in court than a CRM custom field, because they were built for compliance and carry tamper-evident logging.

A defendant who produces a clean, timestamped record of consent at summary judgment often wins. A defendant who produces a spreadsheet someone made the week before trial does not. Courts have been blunt about the difference.

In Beal v. Outfield Brew House (W.D. Mo. 2020), the court granted summary judgment for the defendant after it produced server logs showing the plaintiff's number was submitted through an opt-in form at a specific time, matched to a specific IP address, before the first text went out. The court found that record enough to establish prior express written consent.

What the record needs to survive challenge:

1. The consent timestamp must predate the first outbound contact. Even a one-second gap matters. If your CRM writes the consent record after the API call fires, that is a logging architecture problem, and it will hurt you.

2. The consent language on record must match what the FCC requires. FCC 12-21 said the disclosure must state that the person authorizes calls or texts using an automatic telephone dialing system or prerecorded voice. [2] Generic "I agree to be contacted" language does not satisfy this.

3. The record must tie to the specific phone number called, more than an email or account. If a consumer gives consent via email form but you called a different number scraped from LinkedIn, that consent does not cover the call.

4. Revocation records must be present. The Supreme Court held in Loper Bright (2024) that courts owe no Chevron deference to FCC interpretations, but the FCC's position that revocation must be honored promptly is codified in its rules. [7] Your trail must show opt-outs and show that you stopped.

LeadCompliant's compliance kit includes a consent record template mapped to these court-tested fields. Worth pulling before you design your CRM schema.

For TCPA coverage on cold call operations using live agents to landlines, the consent bar is lower, but you still need a do not call telemarketer list scrub log.

How should you structure your CRM to make exports easy before litigation hits?

Treat consent as its own data entity from day one, not a checkbox on a contact record. Most TCPA headaches come from teams that bolted consent tracking onto a CRM built for deals and pipelines.

A clean schema has three tables (or CRM objects): a Contacts table, a Consent Events table (one row per consent action, append-only), and a Communications Log table (one row per outbound call or text). Join them on the phone number and contact ID. When an attorney demands consent records for 10,000 numbers, you run one query and export three CSVs. Twenty minutes, not three months of IT work.

For the Consent Events table, every row should carry: event_id (auto-generated, never editable), contact_id, phone_e164, event_type (optin, optout, re-optin), event_timestamp_utc, source_url, form_version, ip_address, consent_language_hash, and recorded_by (system or agent ID). The consent_language_hash is a SHA-256 hash of the exact disclosure text shown. Store the full text in a separate lookup table keyed by hash. Now you can prove the language was not changed after the fact.

If you use a native CRM without this level of customization, log consent events to a separate append-only table in your data warehouse (BigQuery, Snowflake, Postgres with a write-only role) and store only the contact_id and phone number in the CRM as a foreign key. The CRM becomes your contact database. The warehouse becomes your compliance record.

For teams scrubbing against the mobile phone do not call list, log each scrub event too: date, registry version, and the result for each number. That scrub log is part of your audit trail under FTC rules. [8]

The FCC's December 2023 order (FCC 23-107) took effect January 27, 2025. It requires that prior express written consent for telemarketing calls go to one seller at a time. A lead gen form that listed 47 sponsors and said "I consent to be contacted by our partners" no longer satisfies consent for any of those sellers. [3]

For your audit trail, that creates a new field. The consent record must name your company as the specific entity the consumer agreed to hear from. A record showing the consumer opted in through a third-party aggregator form that listed your brand among many others is now legally insufficient.

Practically:

  • If you buy leads, you need to receive and store a consent record that names you specifically, more than a lead vendor's batch export.
  • If you generate your own leads, your form must name your company, and the record must capture the disclosure text that includes your name.
  • Your export schema needs a consenting_entity field that matches your legal entity name exactly.

The FCC cited 47 U.S.C. § 227(b)(1)(A) as the authority for this rule. [3] The one-to-one rule faces legal challenges, but it is in effect, and the safest posture is to comply now. Courts in circuits that defer to FCC rulemaking will apply it.

For a broader look at how tcpa rules apply to SMS campaigns, the texting framework maps closely to what the one-to-one rule requires.

How do you respond to a TCPA litigation demand with your audit trail?

The first 72 hours after a demand letter or lawsuit matter more than most teams realize. Here is the sequence that works.

First, issue a litigation hold immediately. Email everyone with access to your CRM, data warehouse, and telephony system to preserve all records tied to the named plaintiff's phone number. Delete nothing. Edit nothing. Archive nothing.

Second, run your consent audit export for that number right now. You want the consent event row, the full disclosure text it references, the IP address, the source URL as it existed on the consent date (pull from your web archive if needed), and every outbound communication log entry for that number. Export everything to a non-editable format: PDF plus a signed CSV with a hash.

Third, match the consent timestamp to the first outbound contact. If consent predates first contact and the disclosure language meets the FCC standard, your attorney has a strong summary judgment argument. If there is a gap, or the language is weak, you need to know that on day one, not day ninety.

Fourth, check the how do i get the do not call list records. If the number was on the registry and you lacked consent when you called, you face a DNC violation stacked on top of the TCPA violation. Pull your scrub logs for that number too.

Nobody has clean data on how often defendants win TCPA suits outright. The closest published analysis, a 2023 review of TCPA class action activity, found defendants with documented consent records settled for substantially less than those without, and a meaningful share obtained dismissals at the pleading stage. [9] Good records do not guarantee a win. They are the single most effective pre-suit investment you can make.

The same five problems show up over and over.

Logging consent at the wrong moment. If your form fires an API call to your CRM before the submission is confirmed, the contact can be logged before they click submit. Your consent timestamp ends up being the page load time, not the actual consent event. Fix: write the consent record only on confirmed form submission, server-side, with a server timestamp.

Storing consent language as a plain field value. If you store "I agree to receive SMS" in a text field, someone can edit it. Store a hash of the disclosure text instead, and keep the full text in a version-controlled document store.

Not capturing the source URL. A consent record without the URL where it was collected is very hard to defend. You cannot prove the disclosure was live on that page on that date. Use UTM parameters at a minimum. A server-side page snapshot is better.

Forgetting to log revocations. The FCC requires revocation requests be honored within a reasonable time (10 business days for DNC requests, and for oral revocation during a call, immediately). [2] If your trail shows consent but no opt-out log, and the consumer says they revoked, you have no defense.

Bulk-importing leads without attaching consent records. A CSV of 50,000 purchased leads with no per-row consent documentation is a lawsuit waiting to happen. Every imported contact needs a consent record attached at import time, or nobody dials it.

Frequently asked questions

At minimum: the consumer's full phone number, the date and time of consent in UTC, the IP address of the submitting device, the exact disclosure language shown, the source URL or IVR script, and the consenting entity's name. FCC 12-21 requires the disclosure to specifically authorize autodialed or prerecorded calls. Missing any of these fields weakens your defense materially in a TCPA suit.

Keep them at least five years from the date of last contact with that person. The TCPA statute of limitations is unsettled: the Ninth Circuit has applied two years, others apply the four-year federal catch-all under 28 U.S.C. § 1658. Five years covers both. Records must be immutable or version-controlled so a plaintiff's expert cannot argue tampering.

No. Salesforce has no built-in TCPA consent object. You need custom fields or a third-party package. Turn on Field History Tracking for every consent-related field (Salesforce retains that for 18 months). For long-term retention, export consent events to an external append-only log. Use SystemModstamp and CreatedDate as your tamper-resistant timestamps.

Effective January 27, 2025, FCC 23-107 requires prior express written consent for telemarketing to name your company specifically. A shared lead gen form listing many sponsors no longer satisfies consent for any of them. Your consent records must now show the consumer agreed to contact from your entity by name, and your export schema needs a consenting_entity field to prove it.

Screenshots alone are weak. They can be fabricated, carry no metadata, and do not prove the disclosure was live on the page when the consumer submitted. Courts expect server-side logs with timestamps, IP addresses, and form version IDs. A screenshot can supplement a server log, but it cannot replace one. Export raw data from your CRM or database, not images.

A consent language hash is a SHA-256 digest of the exact disclosure text shown to the consumer. Store the hash in the consent record and the full text in a version-controlled lookup table. If challenged, you can prove the text has not changed since the record was written. It is not legally required, but it is the cheapest way to defeat a claim that you retroactively changed your disclosure.

Yes, and after the FCC's 2025 one-to-one consent rule, you need the lead vendor's consent record naming your company specifically, more than a batch lead file. Request the per-lead consent documentation at purchase. If a vendor cannot supply per-lead consent records with timestamps, IP addresses, and your entity name in the disclosure, those leads carry serious TCPA exposure.

How do I prove revocation was honored in my audit trail?

Your audit trail must include an opt-out event log: the date and time of the revocation request, the channel it came through (reply STOP, verbal request, web form), and the date and time you stopped contacting that number. The FCC requires revocation to be honored promptly. For oral revocations on a call, that means immediately. Log the agent ID and call recording timestamp alongside the opt-out event.

Export as CSV or JSON, not PDF or screenshot. Non-proprietary formats can be verified programmatically. Include a SHA-256 hash of the export file so you can prove it has not changed since creation. Retain the raw export file, not a reformatted version. If your CRM forces a proprietary export, immediately convert and hash the resulting CSV and document when the conversion was done.

Issue a litigation hold immediately for all records tied to that phone number. Run your consent export for that number and document the chain of custody. Match the consent timestamp to your first outbound contact. Your attorney will use this to move for summary judgment or to assess settlement risk early. Do not delete, edit, or archive any records once a dispute arises; spoliation sanctions are a separate serious risk.

How does the TCPA audit trail connect to do-not-call compliance?

They are related but separate. TCPA consent governs whether you can autodial or use prerecorded messages. DNC rules govern whether a number sits on the federal or state registry. A number can be on the DNC registry and still give TCPA consent, but consent does not override a DNC registration unless the consumer is an existing customer under the EBR exemption. Your audit trail should include both the consent record and your DNC scrub log for each number.

The written consent standard under 47 U.S.C. § 227(b)(1)(A) applies to both autodialed calls and texts to cell phones for telemarketing. You can use one consent record that covers both, as long as the disclosure language explicitly mentions calls and texts using an automatic telephone dialing system. If your form mentions only texts, your call consent is unprotected, and the reverse holds too.

Without a consent record, you have no affirmative defense to a TCPA claim. Statutory damages run $500 to $1,500 per violation with no class size cap. Class actions can aggregate millions of calls into a single case. The Cash App TCPA settlement reached $10.5 million; Credit One's reached $12.5 million. Courts have shown little patience for defendants who cannot produce any documentation.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: Statutory damages of $500 per negligent violation and up to $1,500 per willful violation; prior express written consent required for autodialed or prerecorded calls to cell phones.
  2. FCC, Rules and Regulations Implementing the TCPA, Report and Order FCC 12-21 (2012): FCC 12-21 defined prior express written consent, required disclosure to specifically authorize autodialed or prerecorded calls, and addressed timing for honoring revocation and DNC requests.
  3. FCC, Report and Order FCC 23-107, Strengthening Consumer Protections Against Robocalls and Robotexts (One-to-One Consent): Effective January 27, 2025, prior express written consent for telemarketing must be given to one seller at a time and must name that seller specifically; shared lead gen consent forms no longer satisfy the requirement.
  4. U.S. Code, 28 U.S.C. § 1658, Federal Catch-All Statute of Limitations: The four-year federal catch-all statute of limitations applies to civil actions arising under Acts of Congress enacted after December 1, 1990, which courts have applied to TCPA claims.
  5. Salesforce Help, Field History Tracking Documentation: Salesforce Field History Tracking retains field change logs for up to 18 months per field; SystemModstamp and CreatedDate are immutable system timestamps.
  6. U.S. Supreme Court, Loper Bright Enterprises v. Raimondo, 603 U.S. 369 (2024): The Supreme Court overruled Chevron deference in Loper Bright (2024), meaning courts no longer owe automatic deference to FCC interpretations of ambiguous statutory terms.
  7. FTC, Complying with the Telemarketing Sales Rule: Telemarketers must maintain records of DNC scrubs, including the date, registry version accessed, and results for each number scrubbed.
  8. Troutman Pepper, TCPA litigation reporting and annual review (2023): A 2023 review of TCPA class action activity found defendants with documented consent records settled for substantially less than those without, and a meaningful share obtained early dismissals.
  9. FTC, National Do Not Call Registry, Business Access: Businesses must scrub against the National DNC Registry and maintain their subscription and scrub logs as part of DNC compliance records.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit