Last updated 2026-07-11

TL;DR
A referral is not TCPA consent. Before calling or texting a referred number on a cell phone for marketing, you need prior express written consent signed by that person, not their friend. The safest path is a consent landing page or SMS opt-in triggered immediately after the referral is submitted, before any outbound contact happens.
Does a referral count as TCPA consent to call?
No. A referral does not count as TCPA consent, and this is the most expensive misunderstanding in outbound sales.
The TCPA, codified at 47 U.S.C. § 227, requires prior express written consent from the called party before a marketer sends autodialed calls or texts to a cell phone for advertising or telemarketing [1]. That phrase "called party" is doing a lot of work. The consent has to come from the person whose number you are dialing, not from whoever handed you their name.
So when a current customer fills out a "refer a friend" form and gives you their friend's cell number, they have given you zero legal authority to contact that friend. The friend consented to nothing. Autodial or robotext that number and you are exposed to TCPA liability from the second the call connects.
The FCC made this explicit in its 2012 Report and Order implementing the 2010 TCPA amendments: consent for autodialed or prerecorded telemarketing must be written and must come from the called party, not a third party. Lead aggregators, referral partners, and well-meaning existing customers do not satisfy that standard [2]. A referral is a warm intro. It is not a signature.
What does valid TCPA consent actually require for referrals?
For telemarketing calls or texts to cell phones, the FCC requires prior express written consent. That standard breaks into four practical elements [2]:
1. The consumer signs (electronically is fine) an agreement authorizing calls or texts. 2. The agreement clearly and conspicuously discloses that they are agreeing to receive autodialed or prerecorded calls or texts. 3. The agreement names the caller. 4. Consenting cannot be a condition of buying anything.
"Written" does not mean paper. An electronic signature under the E-SIGN Act satisfies the TCPA's written consent requirement [11]. A referred person checking a box on a web form, clicking an opt-in link in an email, or replying YES to a consent-trigger SMS all count, as long as the disclosure around that action meets the standard.
What does not count: a pre-checked box. A referral form where the referring customer ticks a box "on behalf of" their friend. A verbal referral passed to a rep. A lead from a data broker who claims consent was collected somewhere upstream. You cannot verify that last one, and you own the liability if it is wrong.
Getting this wrong is expensive. TCPA violations carry statutory damages of $500 per call and up to $1,500 per call for willful violations [1]. Class actions are the norm here, because every improperly contacted referral is a separate plaintiff. The Cash App TCPA class action settlement and the Credit One TCPA settlement both turned on consent chain problems at scale.
What are the practical ways to collect consent from a referral before calling?
Three workflows actually hold up. Pick the one that fits your funnel.
Option 1: Consent landing page triggered right after referral submission
The referring customer submits the form. Your system immediately sends an email (or SMS, if the referrer supplied a mobile number) to the referred person with a link to a branded landing page. That page carries the required disclosure and a single checkbox or button. The referred person clicks. Now you have timestamped, IP-logged prior express written consent before anyone on your team dials.
This is the cleanest method. The consent record is self-contained, the gap between referral and consent is minutes instead of days, and your CRM can hold the lead out of the dialable queue until the consent record is confirmed.
Option 2: SMS opt-in to the referred number
If the referrer gave you the referred person's mobile number and you have a business reason to send an initial text, you can send one message along the lines of: "[Company] received your contact info from [Referrer Name]. Reply YES to allow us to call you about [Product]. Reply STOP to decline. Msg rates may apply."
Honest caveat: this sits in a gray zone. That initial text to an unconfirmed number is itself an automated message to a cell phone. If you use an ATDS, or a system a court could treat as one, you may be triggering liability before you have any consent at all. A growing number of plaintiff attorneys argue any first outbound SMS to an unknown number needs pre-existing consent. Use this route only after a legal opinion, document it, and consider whether a human-sent text from a non-automated platform lowers your risk.
Option 3: Real-time consent capture at referral submission
Build the consent into the referring customer's form experience. A clearly labeled section asks the referring customer to pass a link or QR code to their friend so the friend opts in directly. You do not contact the referred person until that opt-in lands. This kills the gap risk entirely. It also drops referral conversion, because you added a step.
LeadCompliant's free consent checker can tell you whether your current consent language meets the FCC's four-part standard before you ship any of these flows.
What consent language should you actually use on the referral opt-in page?
The FCC publishes no approved form, but enforcement actions and court decisions make the required elements clear. Here is language that covers them:
"By checking this box and submitting this form, I agree that [Company Name] may contact me at the phone number provided using automated dialing technology or prerecorded messages for marketing purposes. I understand that consent is not a condition of any purchase. I may revoke this consent at any time by calling [number] or replying STOP to any text message. Message and data rates may apply."
A few notes on each piece.
"Automated dialing technology or prerecorded messages" names the call type. Vague language like "contact me," with no reference to the technology, has been challenged in court.
"Consent is not a condition of any purchase" is required by 47 C.F.R. § 64.1200(f)(9) and has to be conspicuous, not buried in fine print [4].
The company name must be specific. "Our partners and affiliates" does not cut it if you are the one dialing.
The revocation mechanism is required. Since the FCC's one-to-one consent rule (below), building a clear opt-out path into the consent itself is increasingly the expectation [5].
Placement matters too. The disclosure has to sit immediately next to the signature mechanism, not below a "submit" button and not behind a "terms and conditions" link. Courts have found that buried disclosures fail the "clear and conspicuous" standard.
What changed with the FCC's 2024 one-to-one consent rule for referral leads?
The FCC adopted a Report and Order in December 2023 (effective in early 2025) requiring that TCPA consent go to one company at a time and be logically and topically related to the website where it was collected [5]. People call it the "one-to-one consent" rule.
For referral programs, the practical hit is this. If you run your referral workflow through a shared lead form that also collects consent for multiple companies or a partner network, that consent is now invalid for your calls. Each caller has to be named individually. You cannot lean on a consent that says "[Company] and its marketing partners" to cover your outbound dialing.
The rule also reinforces that consent is topically bounded. If the referral landing page is about home insurance and the referred person consents to calls about home insurance, you cannot turn around and call them about auto insurance on that same consent.
The Eleventh Circuit's decision in Salcedo v. Hanna (2019) and later cases have kept courts leaning toward strict reading of consent scope [6]. A referral program that funnels leads across several product lines needs a separate consent capture for each line, or a single form that plainly lists every product category and company. One consent does not stretch to cover everything you sell.
Note: parts of this rule have faced legal challenge, so confirm the current effective status before you rebuild your forms.
Do you still need to check the DNC registry even with valid TCPA consent?
Yes. TCPA consent and the National Do Not Call Registry are two separate legal frameworks, and both apply.
A consumer can give you prior express written consent to receive marketing calls and still sit on the do not call list. Valid consent overrides the DNC restriction for calls to that specific number from your company, but only if the consent is solid and clearly covers telemarketing. If the consent is deficient in any way, you have neither protection [10].
You also have to keep your own internal Do Not Call list. Under 47 C.F.R. § 64.1200(d), anyone who asks not to be called goes on your company-specific DNC list and stays honored within 30 days [4]. Referrals who decline the consent opt-in belong on that internal list immediately, not parked in a "cold" queue for a retry next quarter.
Running high volumes of outbound? Checking numbers against both the National DNC Registry and your internal list before dialing is the baseline, not a bonus. See the tools section below, and the mobile phone do not call list rules for cell-specific considerations.
How do you handle referrals you collected before you had a consent workflow?
Carefully, and with a strong preference for not calling.
Got a backlog of referred numbers collected without consent from the referred person? You have a few options, none of them good.
First, do not autodial or robotext those numbers for any marketing purpose. If your system qualifies as an Automatic Telephone Dialing System (ATDS) under the TCPA, every call is a potential $500 violation. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the ATDS definition, but the line is still being litigated and many courts remain plaintiff-friendly [7].
Second, if you want to try converting old referral leads, the safest path is a manually dialed, human-operated call that is purely informational, not promotional. The agent identifies who referred them, explains what your company does, and asks whether the person wants to be contacted further. If they say yes verbally, you still need written consent before any automated follow-up. A verbal yes is not prior express written consent.
Third, run every number against the National DNC Registry. Numbers on it cannot be called for telemarketing regardless of consent issues, unless you have a prior established business relationship that fits the narrow exemption. You do not have that with a referral who has never interacted with you. Here is how to access the registry.
Bottom line: old unconsented referral lists are a liability, not an asset. A single TCPA class action settlement dwarfs whatever pipeline value that list holds.
What records do you need to keep to prove TCPA consent for referrals?
If you get sued, the burden of proving consent falls on you, not the plaintiff. Courts and the FCC are clear on that. Your records need to answer four questions:
1. Who consented? (Name and phone number of the referred person.) 2. When did they consent? (Date, time, timezone.) 3. How did they consent? (URL of the page, the exact language shown, the signature method.) 4. What did they consent to? (The specific company and the call or text type disclosed.)
For web-based consent, that means logging the IP address, timestamp, and session ID for each opt-in. Store the version of the consent page that was live at that moment, so later edits to the form do not erase your record of what the person actually saw. Make all of it retrievable by phone number within hours if a lawsuit or FCC complaint arrives.
For SMS opt-in consent, store the full thread: the outbound invite, the consumer's opt-in reply, timestamps, and carrier delivery records if you have them.
The FTC's Telemarketing Sales Rule guidance points sellers toward keeping telemarketing and consent records for several years [8]. TCPA class actions can reach back for calls made years ago, and the statute of limitations runs 4 years from the violation date. Keeping records at least 4 years, and 5 to be safe, is a reasonable minimum.
Do not store these records only in your CRM's contact notes. If the contact gets merged, deleted, or reassigned, the record goes with it. A separate compliance data store or a dedicated consent management platform is the right infrastructure for anyone running referral programs at volume.
Can a referral partner collect TCPA consent on your behalf?
Yes, but only if the consent document names your company specifically, and only if you verify the consent was actually collected.
This is the lead generation and affiliate model, and it fails constantly because sellers assume partner-collected consent is valid without checking it. The FCC's one-to-one consent rule made this worse by requiring that the company named in the consent be the specific company placing the call [5]. A partner's generic form that says "[Partner] and its marketing associates" does not name you and does not protect you.
If you work with referral partners, your agreement should spell out:
The exact consent language, including your company name.
The technical method for capturing and transmitting consent records (timestamp, IP, form version).
A representation and warranty that consent was obtained before any lead is passed to you.
An indemnification clause for when their consent turns out to be defective.
Spot-check too. Pull a sample of records each month and confirm the consent documentation matches what you agreed to. If a partner cannot produce it, stop taking their leads.
For how cold calling and referral consent meet in practice, the FCC has consistently held the seller responsible for ensuring valid consent. Trusting what a partner told you is not a defense.
What happens if you call a referral without proper consent?
Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per violation [1]. For willful or knowing violations, a court can treble that to $1,500 per call or text.
The math turns ugly fast. A refer-a-friend campaign that fires 50,000 autodialed texts at unconsented referred numbers carries potential exposure of $25 million at the base rate, and up to $75 million if a court finds willfulness. These are not hypotheticals. Large TCPA class actions regularly settle in the eight-figure range.
| Scenario | Calls/Texts | Base Exposure | Trebled Exposure |
|---|---|---|---|
| Small referral batch | 1,000 | $500,000 | $1,500,000 |
| Mid-size campaign | 10,000 | $5,000,000 | $15,000,000 |
| Large program | 50,000 | $25,000,000 | $75,000,000 |
Those figures assume one violation per contact. Courts have sometimes counted each call in a multi-call sequence as its own violation, which multiplies the exposure further.
State mini-TCPA laws stack on top. Florida (FTSA), Oklahoma, and Washington add liability with their own per-violation damages. Florida's FTSA imposes $500 per text message, independent of the federal TCPA, and does not require an ATDS, which makes claims easier to bring [9].
Here is the real risk for a small team. One annoyed referred consumer who got called without consent can file an individual claim for a few thousand dollars in small claims court. Or find a plaintiff attorney and become the named plaintiff in a class action that sweeps up everyone else your campaign touched. The Credit One TCPA settlement shows how consent chain failures grow into nine-figure liability.
How should you structure your CRM and dialer to prevent unconsented referral calls?
The consent workflow is only as good as the technical gates enforcing it. A consent form that is optional, easy to skip, or disconnected from your dialing queue is decoration.
Here is a workflow that closes the loop.
Step 1: Referral submitted. A new contact record is created in the CRM with status "Pending Consent." The record is blocked from any calling or texting queue in this state.
Step 2: An automated consent email or landing page link goes to the referred number or email. The consent system (or a logged webhook from your form tool) stores the page URL, version, and timestamp.
Step 3: When the referred person opts in, the consent record (timestamp, IP, consent text) writes to a consent log table in your database or compliance platform and links to the CRM contact. Status changes to "Consent Confirmed."
Step 4: The contact is now eligible for the dialing queue. Your dialer or SMS platform checks the consent status field before placing anyone in an outbound sequence.
Step 5: Before dialing, the number gets checked against the National DNC Registry and your internal DNC list. Automated, not manual.
Step 6: If the referred person does not opt in within a set window (7 to 14 days is reasonable), the contact gets marked "Consent Not Obtained" and closed. Do not drop them into a re-engagement queue.
On Salesforce or HubSpot, consent status fields are easy to add. The hard part is disciplining your team not to override them. If a rep can flag a contact "consented" without a matching consent record, the gate is broken.
For text message marketing specifically, your SMS platform should have a consent layer that blocks outbound sends to numbers without a confirmed opt-in record. Many platforms have it. The default settings are not always compliant, so check yours.
LeadCompliant's free compliance kit includes a consent record template and a CRM field configuration guide you can hand straight to your ops team.
Are there any exceptions that let you call referrals without consent?
There are narrow ones, and they are narrower than most sales teams think.
The established business relationship (EBR) exemption under the TCPA applies to calls to residential landlines, not to cell phones for telemarketing. If you are autodialing a cell phone for marketing, there is no EBR exemption. Period.
For cell phones, the real exceptions to prior express written consent come down to two.
Calls that are not marketing or telemarketing (informational calls, fraud alerts, appointment reminders) may qualify under the lower prior express consent standard. The moment a call carries any promotional content, the higher written standard kicks in.
Manually dialed calls from a human, using a phone with no autodialing or artificial voice technology, do not fall under the ATDS provisions of the TCPA. This is the so-called "human call" exception. If your rep picks up a phone, manually dials a number, and no autodialer or predictive dialer touches the call, the TCPA's cell phone consent requirement for autodialed calls does not apply to that specific call. State laws still apply. DNC restrictions still apply. The federal ATDS consent requirement does not.
That is why some small outbound teams run initial referral outreach as pure manual calls, confirm interest, then collect written consent before enrolling anyone in an automated sequence. It works. It does not scale, and it demands strict documentation of the dialing method.
Do not try to thread this needle without a TCPA attorney. Miscategorize your dialing technology and the liability is significant. See the TCPA overview at tcpa for the baseline rules.
Frequently asked questions
Can a friend's referral count as TCPA consent if the referred person's number is provided willingly?
No. The TCPA requires consent from the person being called, not from whoever refers them. Even if the referring friend genuinely has permission to share the number in a social sense, that is not prior express written consent under 47 U.S.C. § 227. You need the referred person to sign a consent agreement before you autodial or robotext their cell phone for marketing.
Does a verbal yes from a referred person on an initial call count as TCPA consent?
For non-marketing calls, verbal express consent can be enough. But for telemarketing calls and texts to cell phones, the FCC requires prior express written consent under 47 C.F.R. § 64.1200(f)(9). A verbal yes during a call does not satisfy the written requirement for future autodialed marketing contacts. Follow up with a written consent mechanism before adding the person to any automated sequence.
What is the minimum consent language required on a referral opt-in form?
The form must clearly state the consumer is agreeing to receive autodialed or prerecorded calls or texts, name your company specifically, confirm consent is not a condition of purchase, and give a revocation mechanism. The disclosure has to appear immediately next to the signature element, not buried in terms and conditions. A pre-checked checkbox does not count as consent.
How long do you have to contact a referral after they opt in?
The TCPA sets no expiration date on consent. But courts and the FCC hold that consent must be valid at the time of the call. As time passes, circumstances change, like the person adding their number to the DNC registry or asking to stop contact. Best practice is to make contact within 30 days of consent and refresh consent records if your program goes dormant for more than 6 months.
Can you text a referral to ask for their consent before calling?
This sits in a legal gray zone. Sending an autodialed or ATDS-generated text to an unconsented cell number to solicit consent is itself potentially a TCPA violation, because the text is the first contact. A manually sent, human-composed text from a non-automated platform reduces but does not eliminate the risk. Get legal advice before using outbound texting as your consent collection method for referrals.
Do referrals on the National Do Not Call Registry still need separate TCPA consent?
Yes, they need both. Valid prior express written consent for telemarketing covers the DNC restriction for your company's calls, but only if the consent is fully compliant. If the consent is deficient for any reason, DNC protections apply independently. And even with valid consent, if the consumer later asks to be on your internal DNC list, you must honor that within 30 days.
How does the FCC's 2024 one-to-one consent rule change referral lead practices?
Under the rule, consent must name one company specifically and be logically related to the website or context where it was collected. Referral forms that collect consent on behalf of multiple companies or marketing partners no longer satisfy the standard for any individual caller. Each company that wants to contact the referred person needs its own named consent from that person. Confirm the current effective status, since the rule has faced legal challenge.
What records do you need to defend a TCPA suit from a referral who claims they never consented?
You need the timestamp of consent, the IP address or device identifier, the exact text of the disclosure shown, the URL or platform where consent was collected, and the phone number tied to the opt-in. Ideally the session ID and form version too. Courts put the burden of proving consent on the caller. If you cannot produce detailed records, you effectively lose the consent defense.
Can your referral partner collect TCPA consent on your behalf?
Yes, but the consent document must name your company specifically, more than the partner. After the FCC's one-to-one consent rule, generic forms naming a partner and its affiliates no longer cover you. You must also obtain and verify the actual consent records from your partner before dialing. A contractual warranty is not a substitute for documented consent records.
What is the per-call penalty if you call a referral without proper TCPA consent?
The statutory minimum is $500 per call or text under 47 U.S.C. § 227(b)(3). If a court finds the violation willful or knowing, that rises to $1,500 per call. A referral campaign that contacts 10,000 unconsented numbers faces base exposure of $5 million. Class actions multiply this, because each person the campaign reached is a potential plaintiff.
Is there a TCPA exception for manually dialed calls to referrals?
Yes. The TCPA's autodialing consent requirement applies to calls made using an Automatic Telephone Dialing System or prerecorded voice. A true manual call, where a human physically dials the number with no autodialer involved, falls outside that specific requirement. DNC rules and state laws still apply. This works for small teams but does not scale, and documenting the manual-only nature of the call is essential if you ever face a lawsuit.
How should a small outbound team structure their referral workflow to stay TCPA compliant?
Block all referral contacts from your dialing queue until a confirmed consent record exists. Send a consent landing page link right after the referral is submitted. Log the opt-in with timestamp and IP. Check the number against the National DNC Registry and your internal list before the first dial. Close referrals that do not opt in within 7 to 14 days rather than retrying them through other channels.
Do state laws add extra requirements on top of TCPA consent for referral calls?
Yes. Florida's Telephone Solicitation Act (FTSA) imposes $500 per text message for violations and does not require an ATDS, which makes claims easier to bring than under the federal TCPA. Oklahoma, Washington, and several other states have their own telemarketing statutes with independent damages. A referral program running nationally has to account for the strictest applicable state law, more than the federal floor.
What should you do with a backlog of old referral numbers collected before you had a consent workflow?
Do not autodial or robotext them. Run every number against the National DNC Registry. If you want to attempt contact at all, use a manually dialed, human-operated call that is purely informational, identify the referral source, and ask if the person wants to be contacted. If they say yes, collect written consent before any automated follow-up. Old unconsented referral lists carry significant liability and rarely justify the risk.
Sources
- U.S. Government, 47 U.S.C. § 227 (TCPA statute text, Cornell LII): TCPA statutory damages of $500 per violation, up to $1,500 for willful violations, and the prior express consent requirement for autodialed calls to cell phones
- Code of Federal Regulations, 47 C.F.R. § 64.1200, FCC TCPA implementing regulations: Consent is not a condition of purchase requirement under 47 C.F.R. § 64.1200(f)(9), and the 30-day internal DNC list honor requirement under 47 C.F.R. § 64.1200(d)
- Salcedo v. Hanna, 936 F.3d 1162 (11th Cir. 2019): Eleventh Circuit decision relevant to scope of TCPA consent and what constitutes concrete harm from a single text message
- Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), Supreme Court of the United States: Supreme Court narrowing the ATDS definition to systems that use a random or sequential number generator, not all autodialers
- FTC, Complying with the Telemarketing Sales Rule (business guidance): FTC guidance on retaining consent and telemarketing records under the Telemarketing Sales Rule
- Florida Statutes, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida FTSA imposing $500 per text message damages, without requiring an ATDS, independently of federal TCPA
- FTC, National Do Not Call Registry (consumer and business information): National DNC Registry applies independently of TCPA consent, and valid consent overrides DNC restrictions for that company's calls
- Electronic Signatures in Global and National Commerce Act (E-SIGN Act), 15 U.S.C. § 7001, Cornell LII: Electronic signatures have the same legal effect as written signatures, satisfying the TCPA's prior express written consent requirement
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Telemarketing Sales Rule independent of TCPA, governing telemarketing practices including recordkeeping and consent at the federal level