Last updated 2026-07-09

TL;DR
A referral does not transfer consent. Under the TCPA (47 U.S.C. § 227), each consumer must give prior express written consent to the specific seller before you can call or text them with autodialed or prerecorded messages. Your referral partner's form has to name your company, or you get consent directly before you dial. No exceptions since January 2025.
Why does a referral lead need separate TCPA consent?
A warm referral does not come with permission to call. It never has. This is the most common and most expensive myth in outbound sales.
The TCPA, at 47 U.S.C. § 227(b)(1)(A), prohibits using an automatic telephone dialing system or prerecorded voice to call a cell phone without "prior express consent" of the called party [1]. The FCC's 2012 rules raised that bar and now require "prior express written consent" for telemarketing calls and texts [2]. That written consent has to name the seller who does the calling. A referral partner is not you. Their opt-in form is not your consent.
The FCC has said this plainly. Its January 2024 one-to-one consent order (Report and Order, FCC 24-17) wrote into rule what many courts had already ruled: consent obtained on a third-party lead generation page does not transfer to any seller who is not named on that page [3]. The rule took effect January 27, 2025. If your lead source collected a generic "I agree to be contacted by partners" consent, that language is worthless for your calls now.
Referral leads feel different from cold lists because a real human connection exists. That feeling changes nothing in the statute. Your exposure is the same as calling a stranger with zero consent, and TCPA statutory damages run $500 to $1,500 per call or text [1].
For a plain-English overview of the statute itself, see our guide to tcpa.
What counts as valid prior express written consent under the TCPA?
Prior express written consent has four required elements, all drawn from 47 C.F.R. § 64.1200(f)(9) [2]. Miss one and the whole thing fails.
1. A clear and conspicuous disclosure that the consumer authorizes the seller to make autodialed or prerecorded calls or texts to a specified phone number. 2. The disclosure names the specific seller (or sellers, each listed individually after the FCC's 2025 one-to-one consent rule). 3. The consumer actively agrees. A pre-checked box does not count. 4. The agreement is not a condition of buying any goods or services.
For referral scenarios, element two breaks most lead-gen arrangements. A generic "I agree to be contacted by marketing partners" phrase fails because it does not name you.
"Written" under the TCPA includes electronic records. A typed name in a web form, an e-signature, or a checkbox the consumer actively checks all qualify, as long as the disclosure text above it names your company and describes the contact methods you will use [2].
Consent also has to match the phone number the consumer gave you. You cannot reuse consent from two years ago for a number the person no longer owns.
| Consent element | Passes TCPA? | Common mistake |
|---|---|---|
| Pre-checked opt-in box | No | Passive agreement |
| "I agree to hear from partners" | No | Seller not named |
| "I agree [Company X] may call/text me at [number]" + active check | Yes | None if done right |
| Verbal consent, no recording | Risky for texts | No written record |
| Email reply "yes" to a named sender | Arguable | No explicit number authorization |
How does a referral partner's opt-in form need to be set up to cover your calls?
You need your name on the referring partner's form before the consumer hits submit. That is the whole trick. There is no other compliant path under the current rules.
In practice, you hand your partner the exact disclosure language and they display it on their form. The FCC's one-to-one consent order means you cannot be bundled with a list of unnamed "marketing partners" or even a long list of named companies. Each consumer separately and actively consents to each company [3]. If the partner has five referring sellers, the consumer checks five separate boxes.
That creates a real business tradeoff. Partners who generate leads for dozens of companies now run forms that are longer and full of friction. Conversion drops. Some lead-gen vendors are trying progressive disclosure (show one company at a time, get one consent at a time), but those designs are still being tested against FCC scrutiny.
What your partner's form should include for your leads:
- Your company's legal name, not a DBA or trade name that differs from your registered entity
- The specific contact methods you will use (autodialed calls, prerecorded messages, SMS, or all of the above)
- The phone number field the consumer fills in, adjacent to or directly above the consent language
- A non-prechecked checkbox or affirmative click tied to your disclosure
- A timestamp and IP address capture on form submission (this is for your record, but partners have to pass it to you)
Skip that last piece and you may have technical consent but no way to prove it in court. Courts and the FTC both accept electronic records with timestamps as valid documentation under the E-SIGN Act [4].
Can you call a referral lead at all before getting TCPA consent?
Yes, with real limits.
The TCPA's autodialer and prerecorded message restrictions apply to calls and texts made with an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice. A human agent manually dialing a cell phone number, no autodialer involved, does not trigger the TCPA's prior express consent requirement for that call [1].
This is where a lot of small outbound teams live. One rep, one phone, manual dial. That is legal under the TCPA even without consent. But two other obligations still apply.
First, you honor Do Not Call registrations. A manually dialed telemarketing call is still illegal if the number sits on the National DNC Registry [5]. Check the number before you dial. See our guide on the do not call list for the lookup process.
Second, state laws apply no matter how you dial. Florida's Mini-TCPA (FTSA) covers calls made with any automated system to Florida numbers, and its definition of "automated system" runs broader than the federal ATDS definition. Several other states have similar statutes [6].
So here is the honest answer. One manual call to a referral lead, to introduce yourself and ask for consent, is the lowest-risk path there is. You call, you say who you are, you ask if they are okay getting future calls and texts from you, and you capture their verbal yes (or better, follow up with a confirmation text they can reply to). That reply becomes your written consent record for automated follow-ups.
What is the best process to capture fresh consent from a referral lead?
The most defensible approach, given where FCC enforcement is heading, is a two-step confirmation flow.
Step one: your partner collects consent on their form, naming your company. You receive the lead with a timestamp, an IP address, and the exact disclosure text the consumer agreed to. Keep all of it.
Step two: before any automated outreach, send one non-automated confirmation message. A single manually sent SMS works: "Hi [Name], [Your Company] received your information from [Partner]. Reply YES to confirm you agree to receive automated calls and texts from us at this number. Reply STOP to opt out." Their YES reply is your documented written consent for all automated contact after that [2].
This flow does three things worth the effort. It builds a clean paper trail. It filters out disconnected numbers before you burn autodialer credits. And it gives you a second chance to capture consent even when the partner's form language looks shaky.
On the record-keeping side, store:
- The lead source and form version (screenshot partner forms periodically)
- Submission timestamp and IP
- The confirmation reply with its timestamp
- The phone number as consented, plus any number changes after
LeadCompliant's free compliance kit includes a consent record template you can adapt to this flow.
One warning. The confirmation text cannot be a marketing message. Keep it purely transactional. Slip a product pitch into it and you would need consent before sending it, which defeats the entire point.
Does a referral from an existing customer count as consent?
No, though it is a warmer lead than a cold name on a list.
When your customer refers a friend, the customer's relationship with you does not stretch to the friend. Legally, the friend is a stranger. They have no established business relationship with you, and they never handed you their phone number [1].
What the referral gives you is context. Use it in your opening line. "Hi, Jane Smith suggested I reach out" is a sentence a rep can say on a manual call. It is not TCPA consent.
Some teams try referral cards or digital referral links that send the referred person to a consent-capture landing page. That works if the landing page carries proper disclosure language and the person fills it out themselves. What does not work is autodialing the referred number your customer handed you, with no consent from that person at all.
The cold calling article goes deeper on the line between a warm lead and a legally pre-consented lead.
What records do you need to prove consent was given?
If you get sued or draw an FCC complaint, the burden lands on you to prove consent existed. Courts have held this consistently: the caller produces evidence of consent, not the other way around [4].
You need:
1. The exact disclosure text the consumer agreed to, including your company's name, the contact methods described, and the phone number the consent covered. 2. A timestamp (date and time) of when consent was given. 3. An IP address or device identifier showing where the form submission came from. 4. Proof that the number the consumer consented to is the number you called. 5. Proof that the consent language was not buried in fine print below the fold, and that the checkbox or signature was not pre-filled.
For leads from third-party partners, you need all of this from them, in a format you can pull up fast. A spreadsheet emailed once a month is not good enough. Push consent data into your CRM record the moment the lead arrives, not after the fact.
The federal E-SIGN Act treats electronic records, including timestamps and IP data, as valid written documentation, and that standard carries into federal civil litigation over consent [4]. If you cannot produce a record, assume you cannot win the case.
For real-world stakes, the credit one tcpa settlement and cash app tcpa class action settlement both turned on consent record quality.
How does the FCC's 2025 one-to-one consent rule change referral lead programs?
The FCC's Report and Order (FCC 24-17), effective January 27, 2025, closed what the Commission called the "lead generator loophole" [3].
Before the rule, a single consent page could carry language like "I agree to be contacted by our marketing partners" followed by a list of 20 companies, or no list at all. Leads generated that way got sold to dozens of callers at once. Courts had split on whether that consent held up. The FCC ended the split by rule.
After the rule, prior express written consent has to be "logically and topically associated" with the website or app where it is collected, and each seller has to be individually and separately consented to by the consumer. You cannot buy a shared-consent lead pool and legally call everyone in it anymore.
For referral programs, this means three things:
- Your partner's form names you, and the consumer opts in to you.
- If the consumer does not check your box (or the form has no box for you), that lead carries no valid consent for your automated outreach.
- Lead aggregators reselling shared consents to multiple buyers without individual disclosures are now selling legally defective leads.
The effect on the referral market is large. Leads from compliant, one-to-one consent sources cost more because conversion on those forms is lower. Cheaper leads from old-style aggregate forms carry serious litigation risk. Budget accordingly.
What disclosure language actually works for a referral consent form?
Here is what compliant disclosure language for a referral consent form should contain, in plain English. This is not legal advice. Have an attorney review your specific language before you deploy it.
A passing example (adapt for your actual product, company name, and number field):
"By checking this box, I authorize [Your Company Legal Name] to contact me at the phone number I provided above using automated dialing technology and/or prerecorded messages for marketing purposes. I understand my consent is not required to purchase any product or service."
The elements present in that example:
- Named company (your legal name)
- Specific phone number reference ("the number I provided above")
- Contact methods named (automated dialing, prerecorded messages)
- Marketing purpose acknowledged
- No-purchase-required statement
What you should not do:
- Point to a generic "terms and conditions" link instead of spelling it out inline. Courts have rejected buried-hyperlink consent again and again.
- Use the word "partners" as a stand-in for your name.
- Collect consent on one page and redirect to a separate company's follow-up. That creates a consent gap.
- Let partners reuse the same form version for months without versioning it. If your language changes, you need to know which version each lead saw.
For text programs, the CTIA's Messaging Principles and Best Practices also ask that SMS opt-ins include the program name, a message frequency disclosure, and opt-out instructions [7]. The TCPA minimum and the CTIA standard are two different floors. Clear both.
Are there state laws that add requirements on top of federal TCPA consent rules?
Yes, several, and they matter for referral leads because state laws often apply based on the consumer's location, not yours.
Florida's Telephone Solicitation Act (FTSA, Fla. Stat. § 501.059) is the most aggressive state analog. It covers calls and texts to Florida residents made with any "automated system for the selection or dialing of telephone numbers," a broader definition than the federal ATDS standard [6]. Florida also requires written consent for texts specifically, and private plaintiffs can sue for $500 per violation. Florida has produced a disproportionate share of TCPA-style litigation over the last three years.
California's CCPA and its successor CPRA add data rights obligations on top of consent. Collect a California resident's phone number through a referral and you may also owe them a privacy notice at or before the point of collection [8].
Other states with notable telemarketing-specific rules include Oklahoma, Texas, and Washington, each running its own DNC registry requirements on top of the federal registry [9].
For multi-state referral programs, design your consent language and process to satisfy the strictest applicable state standard. Florida's written-consent-for-texts requirement plus California's disclosure rules gives you a practical floor that covers most of the country if you follow both.
For more on checking state DNC lists before calling, see how do i get the do not call list and mobile phone do not call list.
What happens if you call a referral lead without valid consent?
Short version: each call or text without valid consent is a separate TCPA violation worth $500 in statutory damages, trebled to $1,500 if a court finds the violation was willful [1]. There is no per-plaintiff cap in a single-plaintiff case, and class actions aggregate violations across everyone you called the same way.
The cash app tcpa class action settlement reached $3 million. The credit one tcpa settlement reached $6.6 million. Both traced back to consent failures at the lead acquisition or opt-in stage.
For small outbound teams, the more common scenario is a single-plaintiff demand letter or a small-claims filing. A plaintiff's attorney who spots 10 calls to a cell phone with no valid consent has a $5,000 to $15,000 statutory damages claim with almost no work. Most of these settle for $3,000 to $8,000 (rough estimate from published settlement reports; amounts vary a lot by jurisdiction and call volume).
Then there is FCC enforcement. The FCC can issue forfeiture orders up to $23,727 per violation and up to $237,268 per day for continuing violations, figures adjusted periodically for inflation [10]. FCC enforcement has historically chased high-volume callers, but the agency has gone after operations of every size.
None of this should scare you into paralysis. A well-run referral program with clean consent records is genuinely low-risk. The trouble almost always comes from one of three things: buying leads from a source that cannot document consent, failing to keep records, or scaling outreach before you fix the consent gap.
How should you vet a referral lead source's consent practices before buying leads?
Ask for documentation before you spend a dollar. A legitimate lead source answers all of these questions on the spot. A source that hedges or stalls is a source you walk away from.
Questions to ask:
1. Show me the exact form the consumer fills out. Send a screenshot or a staging URL. 2. What does your consent disclosure say, word for word? 3. Is my company named in that disclosure? 4. What metadata do you pass with each lead? (Must include timestamp, IP, form version ID.) 5. How many other companies receive consent on the same form submission? (After January 27, 2025, the answer should be "only your company" for your leads.) 6. How do you handle revocations? If a consumer opts out with one of your clients, do you suppress across all clients? 7. What is your data retention policy for consent records?
If a partner says they use "blanket consent" or cannot provide per-lead metadata, do not use them for automated outreach. You can still manually call those leads (subject to DNC rules), but you cannot automate.
For checking DNC status of the leads you do receive, the do not call telemarketer list article explains how to reach the federal registry for commercial callers. LeadCompliant also has a free phone number checker that runs numbers against DNC lists before you dial.
Build a short vendor questionnaire from these questions and keep the partner's answers on file. That file is evidence of your own good faith if a lawsuit lands. Courts and the FCC both weigh whether a company took reasonable steps to verify consent.
Frequently asked questions
Does a referral from a friend or family member count as TCPA consent?
No. When someone gives you a friend's number, they are not the person whose consent matters. The friend is a third party who has not agreed to be contacted by your company. You can manually call that number once to introduce yourself and ask for consent, but you cannot add them to automated outreach until they directly give you prior express written consent naming your company.
Can I text a referral lead right away if I got their number from a partner?
Only if the partner's opt-in form named your company and the consumer actively agreed to receive texts from you. If the form used generic "marketing partners" language, or you cannot see the exact disclosure text the consumer agreed to, do not send an automated text. The FCC's one-to-one consent rule, effective January 27, 2025, makes generic partner consent invalid for SMS outreach.
What is the minimum information I need to keep as a consent record?
At minimum: the disclosure text the consumer agreed to (including your company name), a timestamp, the consumer's IP address, the phone number consented to, and the form version. Store this in your CRM the moment the lead arrives. If you cannot produce all five elements in discovery, courts generally treat it as no consent at all.
Is a verbal referral consent good enough, or does it need to be in writing?
Verbal consent meets the TCPA's "prior express consent" standard for non-telemarketing calls. For telemarketing calls and texts made with an autodialer or prerecorded voice, 47 C.F.R. § 64.1200(f)(9) requires written consent. Even for manual calls, a written record protects you in court. If someone says "yes, call me," follow up with a text confirmation and keep their reply.
Can I use a double opt-in text to establish consent for a referral lead?
Yes, and it is one of the most defensible methods available. Send one non-automated, human-initiated text explaining who you are and asking the consumer to reply YES to receive future automated messages. Their affirmative reply is prior express written consent under the TCPA. Keep the message non-promotional; a marketing pitch in that first message creates a circular consent problem.
What changed with the FCC's 2025 one-to-one consent rule for referral leads?
The FCC's FCC 24-17 order, effective January 27, 2025, requires that each consumer individually and separately consent to each named seller. A referral partner's form can no longer bundle consent for multiple companies under one checkbox. Every company that wants to make automated calls or send texts to a lead must have its own named, active consent from that consumer.
Do I need to check the National DNC Registry for referral leads?
Yes. DNC registration is separate from TCPA consent. Even with valid written consent for automated calls, a consumer can be on the DNC Registry and you still cannot call them for telemarketing without an established business relationship or their express invitation. Check the registry before dialing any number. The FTC charges $79 per area code annually for commercial registry access.
What if my referral partner goes out of business and I can no longer verify the original consent?
This is a real problem. If you cannot produce the consent record, you effectively have no consent in a dispute. Before that happens, request and store complete consent data, including form screenshots, submission logs, and metadata, from partners at the time leads are transferred. Do not rely on a partner's system as your only copy. Annual data exports are a reasonable minimum.
Can a referral lead revoke consent after giving it, and how does that work?
Yes. The FCC's 2023 revocation order (FCC 23-107) clarified that consumers can revoke consent through any reasonable means, including replying STOP to a text, pressing an opt-out key during a call, or asking orally. You must honor revocations within a reasonable time, and the FCC's current expectation is within 10 business days. Once revoked, consent cannot be reestablished by the original form.
Does the TCPA apply to B2B referral leads or only consumers?
The TCPA protects the phone number, not the person's role. If a B2B referral lead's mobile number is called with an autodialer, the TCPA applies regardless of whether the purpose is business-to-business. Many B2B callers use manual dialing to sidestep the autodialer question. State laws like Florida's FTSA also reach B2B cell numbers, so the business context is not a blanket exemption.
How long is TCPA consent valid for referral leads?
The statute sets no expiration date, but courts and the FCC have indicated consent can go stale if significant time passes or if the nature of the contact changes materially from what was disclosed. A reasonable internal policy treats consent as active for 18 months and requires re-consent after that, especially if the consumer has had no interaction with your company in the meantime.
What should I do if I bought a batch of referral leads and I am not sure the consent is valid?
Stop automated outreach on that batch immediately. Review the partner's form documentation. If you cannot confirm your company was named and individual consent was obtained, your options are: manually call to request fresh consent (legal under the TCPA for manual dials), send a consent-request text manually, or leave the list alone. Re-consenting costs far less than a class action.
Are there safe harbor provisions in the TCPA that protect me if I relied on a partner's consent in good faith?
There is no explicit safe harbor in the TCPA statute for relying on third-party consent. Courts have sometimes weighed good-faith reliance in willfulness determinations, which affects whether damages triple from $500 to $1,500 per call. But good faith does not erase liability. Your real protection is contractual indemnification from your lead source plus your own independent records.
Sources
- U.S. Government, 47 U.S.C. § 227, Telephone Consumer Protection Act (full statute text): TCPA prohibits autodialed or prerecorded calls to cell phones without prior express consent; statutory damages are $500 per violation, trebled to $1,500 for willful violations
- FCC, 47 C.F.R. § 64.1200, Rules and Regulations Implementing the Telephone Consumer Protection Act: Prior express written consent for telemarketing calls and texts must include a clear disclosure naming the seller, the phone number, and the contact methods, with an active consumer agreement not conditioned on a purchase
- Federal Register, FCC Report and Order FCC 24-17, Implementing the Telephone Consumer Protection Act of 1991 (one-to-one consent rule): FCC's one-to-one consent rule effective January 27, 2025 requires prior express written consent to be obtained separately for each seller; generic partner consent language is no longer valid
- U.S. Government, Electronic Signatures in Global and National Commerce Act (E-SIGN Act), 15 U.S.C. § 7001: Electronic records including timestamps and IP addresses satisfy written consent documentation requirements in federal civil litigation
- FTC, National Do Not Call Registry, About the Do Not Call Registry: Numbers registered on the National DNC Registry may not be called for telemarketing regardless of whether an autodialer is used
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's FTSA covers calls and texts made using any automated system for the selection or dialing of telephone numbers, a broader definition than federal ATDS, and requires written consent for texts to Florida residents
- California Attorney General, California Consumer Privacy Act (CCPA) / CPRA: California's CCPA and CPRA require privacy notices to California residents at or before the point of personal data collection, including phone numbers collected through referral programs
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Several states maintain their own DNC registries with requirements that layer on top of the federal registry; telemarketers must comply with both state and federal lists
- eCFR, 47 C.F.R. § 1.80, FCC forfeiture penalty amounts adjusted for inflation: FCC can issue forfeiture orders up to $23,727 per TCPA violation with ongoing daily maximums, amounts adjusted periodically under the Federal Civil Penalties Inflation Adjustment Act
- Federal Register, FCC Report and Order FCC 23-107, Implementing the Telephone Consumer Protection Act of 1991 (revocation of consent): FCC 2023 order clarified that consumers can revoke TCPA consent through any reasonable means and callers must honor revocations within 10 business days