How to get verbal consent on a call and document it properly

Verbal TCPA consent is legal but risky without a paper trail. Learn the exact script, documentation steps, and storage rules that hold up in court.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-11

Sales rep documenting verbal consent on a call with a structured logbook
Sales rep documenting verbal consent on a call with a structured logbook

TL;DR

Verbal consent to receive calls or texts is legal under the TCPA (47 U.S.C. § 227), but you have to record the exact words spoken, who said them, when, and on which number. Without a timestamped record tied to that specific consumer and phone number, verbal consent is close to worthless in a lawsuit. Written consent is safer. If you go verbal, follow the steps below as your floor.

Yes, with a catch that matters. The TCPA, codified at 47 U.S.C. § 227, does not require written consent for every kind of call. The FCC's 2012 omnibus order (FCC 12-21) tightened things, but the line it drew was between call types, not between written and verbal as a blanket rule. [1]

For calls or texts to a mobile number using an autodialer or prerecorded voice for marketing, the FCC requires "prior express written consent." That phrase comes straight from 47 C.F.R. § 64.1200(a)(2). "Written" there covers electronic records too, so it's broader than ink on paper, but it still rules out purely verbal agreements for autodialed marketing calls. [2]

For non-marketing informational calls to a mobile number, "prior express consent" (no written modifier) is enough, and that consent can be verbal or implied by conduct. For prerecorded telemarketing to landlines, written consent is required again under the 2012 rules.

Here's the practical answer. Verbal consent works legally for a narrower slice of calls than most people assume. Autodialed or prerecorded marketing to cell phones? Verbal alone fails. Live-agent calls or informational calls? Verbal can suffice. The documentation problem is identical either way, and that's where teams get hurt.

What words does a caller actually need to say to get valid verbal consent?

The FCC has never published a mandatory word-for-word script. What the regulations and case law demand is that consent be informed and unambiguous. Turn that into a live call, and you need to cover five things before the consumer says yes.

1. Identify your company by name. 2. State that you want to call or text them, and name the number you'll contact. 3. Describe what the calls or texts will be about (marketing, reminders, account updates). 4. Tell them the calls may use an automated system or prerecorded voice, if that applies. 5. Tell them consent is not required to buy anything (for marketing calls).

A verbal consent script that works sounds like this: "This is [Company Name]. I'd like your permission to contact you at [phone number] with offers about [product/service]. These contacts may include automated or prerecorded messages. Your consent is not required as a condition of any purchase. Do you agree to receive these calls or texts?"

The answer needs to be "yes," "sure," "go ahead," any clear affirmative. A non-answer, a laugh, or a mushy "I guess" is not consent worth betting on. Train reps to ask again when the response is murky.

Courts keep rejecting consent that got buried inside a longer conversation the consumer never really understood. In Mais v. Gulf Coast Collection Bureau, the court looked hard at whether the consumer got clear disclosure before the calls started. [3] Clarity isn't optional here.

This is where most teams fall down. Getting the words right on the call means nothing if you can't prove it happened six months later, the day a plaintiff's attorney mails a demand letter.

The minimum documentation package for one verbal consent event has four parts.

  • A call recording that captures the consent exchange word for word, timestamped by your telephony system.
  • A CRM record the agent creates at the moment of consent, logging the date, time, agent ID, the number consented to, and the scope (marketing, informational).
  • The source number already in your system, so you can show how you got their number or that they called you first.
  • A retention tag on that record so a routine 90-day cleanup doesn't wipe it.

The recording is the piece that matters most. Without audio, you're asking a court to trust your agent's notes over a consumer swearing they never agreed to anything. Some states require two-party notification before you record, so you need a disclosure at the top of the call: "This call may be recorded for quality and compliance purposes." [4]

Keep recordings at least four years. The TCPA has a four-year statute of limitations under 28 U.S.C. § 1658. [5] Teams that keep audio for 90 days because that's the telephony default are handing a plaintiff the case.

For high-volume outbound teams, a dedicated cold calling compliance workflow earns its keep. Make the CRM entry structured, not a free-text notes field. Free text is unsearchable and unreliable the moment you hit discovery.

TCPA verbal consent: key numbers every compliance team needs Statutory thresholds, retention requirements, and damage exposure under 47 U.S.C. § 227 500 Statutory damage per violat… 1,500 Max damage per willful violation ($) 4 Consent record retention (y… 4 TCPA statute of limitations (years) Source: 47 U.S.C. § 227, 28 U.S.C. § 1658, FCC 15-72

Can a confirmation text serve as documentation for verbal consent given on a call?

Yes, and it's one of the most practical safeguards you have. Right after the consumer agrees on the call, send a text to the number they just consented to. Keep it plain: "You agreed on [date] to receive [type of messages] from [Company]. Reply STOP to opt out at any time."

That one text does three jobs. It proves the number is active and owned by that person. It gives the consumer an instant chance to opt out if there was a mix-up. It creates a second, independent record of the consent event in your SMS platform logs, with its own timestamp.

Here's the caveat that trips people up. If you send that first text with an autodialer to a cell number, and you don't already have express written consent for marketing texts, you may be using the exact tool you still need consent for. That's a real legal wrinkle. The safest play is to send the confirmation manually or from a non-ATDS system, or to treat the inbound call itself as the implied consent trigger for a confirmation-only text. Ask a TCPA attorney before you automate this. This article is not legal advice.

The confirmation text has held up in litigation as corroboration for verbal consent. The catch is that the text has to go to the exact number the consumer gave, and your platform logs have to show that delivery.

What should your CRM record actually contain?

A CRM note that reads "customer agreed to calls" is not a consent record. It's a placeholder, and it falls apart under cross-examination.

A compliant verbal consent record should hold this:

FieldWhat to capture
Consent timestampDate and time to the minute, in a standard timezone
Agent IDThe specific rep who obtained consent
Contact numberThe exact E.164-formatted number consented to
Call recording referenceFile path or cloud storage ID for the recording
Consent scopeMarketing, informational, or both; channel (calls, texts)
MethodVerbal, inbound call, outbound call, etc.
IP / session IDIf any web session was part of the interaction
Revocation logBlank at creation; updated if consumer later revokes

The revocation field matters more than people think. A consumer can revoke consent at any time by any reasonable means, per the FCC's 2015 Declaratory Ruling and Order (FCC 15-72). [6] Call a number after revocation and you've lost your consent defense, even if the original consent was flawless. Your system needs to catch revocations, timestamp them, and suppress that number from future outreach right away.

This structured process is what separates teams that win TCPA defenses from teams that write settlement checks. For a sense of what those checks look like, the credit one tcpa settlement reached $75 million, and weak consent documentation sat at the center of it.

Keep them four years, minimum. The TCPA's statute of limitations is four years, so hold your consent records, including call recordings, for at least four years from the date of consent. [5]

Here's the part teams miss. That four-year clock runs from each individual call or text, not from the day you got consent. A campaign that runs two years means some records need to survive six years from the original consent date to cover the last calls placed.

Recordings need special attention. Telephony providers default to short retention windows. Go into Twilio, RingCentral, or whatever you use, and change the default to at least 48 months. Export recordings to cold storage (S3 with object lock is a clean option) as a backup. Storage is cheap. A TCPA class action is not.

A few states run their own consumer protection statutes with longer lookback periods. California's CIPA (Penal Code § 632) and its broader framework have shown up alongside TCPA claims, so if you're calling California residents, get state-specific advice on retention.

You lose the consent element. The burden of proof sits on the caller. The FCC and courts have held consistently that the party claiming consent has to prove it. If someone sues you under the TCPA and you can't produce a timestamped, retrievable record showing that specific consumer consented before you autodialed their cell phone, you almost certainly lose on that point.

TCPA statutory damages run $500 per violation, up to $1,500 per willful violation. [7] Send 10,000 texts without provable consent and your exposure starts at $5 million. Class treatment is common because the facts repeat across thousands of recipients.

This isn't hypothetical. The cash app tcpa class action settlement and cases like it settled partly because companies couldn't document consent across large contact lists. The documentation failure is the liability.

If you're already in litigation and can't find records for a batch of contacts, a plaintiff's attorney can spin that gap into evidence of willfulness. "We always got verbal consent, we just didn't write it down" is not a defense. It's an admission.

For autodialed or bulk SMS marketing to cell phones, no. The FCC's 2012 rules require prior express written consent for marketing texts sent through an ATDS (automatic telephone dialing system). Verbal consent does not clear that bar. [2]

For conversational texts a live agent sends without ATDS technology, the analysis gets murkier. The FCC's definition of what counts as an ATDS has been unsettled since the Supreme Court's 2021 decision in Facebook, Inc. v. Duguid (141 S. Ct. 1163), which narrowed the definition but didn't erase it. [8]

Practical rule: if you're texting customers for marketing through any platform that stores and dials numbers automatically, treat it as requiring written consent. For the details on compliant text message marketing, opt-in language, confirmation messages, and opt-out handling are their own subject.

Verbal consent is most defensible for live inbound calls where you capture agreement to future informational contacts, not marketing texts. Even there, document it every time.

Does calling from an inbound call already mean you have consent?

Partly, and only for a return contact through the channel the consumer used. When someone calls you, they've given implied consent to a return call at the number they called from, for a reason connected to why they called. That's a basic consent-by-conduct principle the FCC and courts recognize.

That implied consent does not stretch to adding the person to an autodialed marketing list. It doesn't hand you a license to send promotional texts forever. Implied consent from an inbound call is narrow in scope and short in duration.

The safest move is simple. When a consumer calls you, capture verbal consent on that same call for any future marketing you want to send. They're already on the phone. Ask directly. Script it, record it, log it. Now you've got something defensible.

Teams that dump inbound callers onto outbound marketing lists without this step create consent gaps that are easy to attack. The number was never on your do not call list suppression file, but the consumer never clearly agreed to marketing either. That gap costs money.

You don't need pricey purpose-built compliance software for this, though it helps at scale. Here's the minimum stack for a small outbound team.

  • A telephony system that records calls and gives you a retrievable, timestamped file per call (Twilio, RingCentral, Dialpad, and Aircall all do this).
  • A CRM with structured consent fields, more than a notes field (Salesforce, HubSpot, and most mid-market CRMs support custom fields; build a consent record object if yours allows it).
  • A link between the call recording ID and the contact record.
  • A process that updates your DNC or suppression list the moment a consumer revokes consent.

For high-volume outbound, compliance tools that auto-populate consent records from call metadata, flag missing records, and alert you when a recording didn't capture are worth paying for. LeadCompliant's free TCPA compliance kit includes a verbal consent documentation checklist and a field-mapping guide if you want a starting template.

Here's an underused move: run a consent audit. Pull a random 50-record sample every month and check that each one has a retrievable recording, a properly scoped consent entry, and no revocation gap. That's a 30-minute exercise, and it surfaces broken workflows before a lawsuit surfaces them for you.

If you're running a cold call team at any volume, that audit cadence matters more than which specific tool you pick.

Honor it fast, and honor it through any channel. The FCC's 2015 order (FCC 15-72) said consumers can revoke consent "at any time through any reasonable means." [6] That means a verbal statement on a call, a text reply saying stop, an email, a voicemail, even a mailed letter. You don't get to force a specific opt-out channel.

When a revocation lands:

  • Log it immediately with a timestamp and the method used (spoken on call, SMS STOP, email).
  • Suppress that number from every outbound dialing and texting list within 24 hours. The FCC hasn't set a hard processing deadline, but courts have found liability when companies kept calling days after revocation. Same-business-day processing is the standard to aim for.
  • Keep the revocation record for the same four-year window as the original consent. You need to prove two things: that you had consent, and that you honored the revocation.

For SMS, STOP replies should automatically trigger suppression in any legitimate platform. Confirm that yours does, and that the suppression list syncs back to your CRM so agents can't manually override it.

For more on managing phone suppression lists, see the guidance on mobile phone do not call list requirements.

Are there state laws that go further than the TCPA on consent?

Yes, several. The TCPA sets a federal floor. States can and do stack extra requirements on top.

California has both the CCPA and CIPA. Under CIPA (California Penal Code § 632), recording a phone call without the consent of all parties can be a crime. [9] So your "this call may be recorded" disclosure isn't a nicety in California. It's legally required before you can record the consent exchange itself.

Florida amended its Telephone Solicitation Act in 2021 (FTSA, Fla. Stat. § 501.059) to create a private right of action, with a $500-per-call statutory damage floor much like the TCPA. [10] Florida courts saw a wave of FTSA filings in 2022 and 2023. Written consent is strongly advisable for Florida contacts.

Washington, Indiana, Texas, and others run their own telemarketing statutes, some of which require prior written or verified consent.

The takeaway is straightforward. Check the states where your contacts live, more than federal law. For most small outbound teams working multiple states, the safest default is to treat every contact by the standard you'd use for the most restrictive state on your list.

For how state rules interact with the tcpa framework, reviewing your state exposure before a campaign is far cheaper than reviewing it after.

An audit is simple. Pick a date range, pull every outbound call in that window, and confirm each contact has a valid consent record that predates the call.

For verbal consent, verify these things.

  • The call recording exists and is retrievable.
  • The recording includes an audible, clear consent exchange with the required disclosure elements.
  • The CRM record was created at or near the call time, not backdated.
  • The number called matches the number in the consent record.
  • No revocation was logged between the consent date and the call date.

Any failed check is a potential gap. Remediation depends on the situation. You might re-obtain consent, suppress the number, or accept the risk if the contact type doesn't require prior express written consent.

Run this audit before every major campaign launch, not after. A pre-campaign consent audit is the single most effective risk-reduction step a small team can take. LeadCompliant's free compliance kit includes a downloadable audit template built for this workflow.

For teams pulling contacts from third-party do not call telemarketer list scrubs and DNC registries, the audit should also confirm those suppression checks ran on the final dialing list, not an older copy of it.

Frequently asked questions

Verbal consent is valid for live-agent informational calls and some non-marketing contacts, but the TCPA and FCC rules require prior express written consent for autodialed or prerecorded marketing calls and texts to cell phones. Verbal consent alone does not meet that written standard. Outside the autodialed marketing category, verbal consent is valid if you document it properly.

Identify your company by name, state the number you want to contact, describe what the calls or texts will cover, disclose that automated systems or prerecorded voices may be used if applicable, state that consent is not required to purchase anything, then ask for a clear yes. The response must be an unambiguous affirmative. Record the whole exchange and log it in your CRM immediately.

At least four years. The TCPA has a four-year statute of limitations under 28 U.S.C. § 1658, and the clock runs from each individual call or text, not from consent capture. A two-year campaign means some records need to survive six years from the original consent date to cover calls made near the end. Export recordings to durable storage and set explicit retention policies.

A confirmation text sent right after verbal consent strengthens your documentation by creating a second timestamped record and confirming the consumer owns that number. It does not convert verbal consent into written consent for the TCPA's autodialed marketing rules. For those calls and texts, you still need the consumer to affirmatively sign or click an agreement, more than receive a text you sent them.

The burden is on the caller to prove consent. If your recording is missing or the CRM record is incomplete, you have no defense on that contact. Courts don't give callers the benefit of the doubt. Missing documentation reads as an absence of consent. Statutory damages start at $500 per call and reach $1,500 for willful violations, turning a few thousand undocumented contacts into serious exposure.

Does a consumer calling me inbound mean I automatically have consent to market to them?

Only narrowly. An inbound call implies consent for a return contact related to the reason they called. It does not grant consent for adding them to an autodialed marketing list or sending promotional texts. The smart move is to capture verbal consent on the inbound call itself, using a proper disclosure script, then record and log it before adding them to any marketing outreach.

The FCC requires you to honor revocation but has not set a specific deadline in hours. Courts have found liability when companies kept contacting consumers days after revocation. Same-business-day suppression is the practical standard. Your suppression update should also sync to your CRM so agents cannot manually override it. Keep the revocation record for four years, like the original consent.

Yes. California's CIPA requires all-party consent before recording a call, so your recording disclosure must come before the consent exchange. Florida's FTSA creates a private right of action for unconsented calls with a $500-per-call damage floor. Several other states run their own telemarketing statutes. For multi-state campaigns, apply the most restrictive standard across your entire contact list.

You can ask for consent on an outbound call, but here's the circular problem: to make that outbound autodialed call in the first place, you generally need prior consent. A live-agent manual-dial call to a number not on the DNC list is different. Make a compliant manual outbound call, capture verbal consent on it, and you now have documented consent for future autodialed contacts, as long as you cover every required disclosure element.

At minimum: consent timestamp, agent ID, the exact phone number consented to, a reference to the call recording file, the scope of consent (marketing, informational, channels), the method (verbal, inbound, outbound), and a revocation field that updates if the consumer later opts out. A free-text notes field is not enough. Use structured fields that are searchable and exportable for litigation response.

No. The FCC has never mandated word-for-word language for verbal consent. The regulations require that consent be informed and unambiguous, meaning the consumer understood who was contacting them, what number would be called, what the calls would cover, and that automated systems might be used. Your script needs to hit those elements. Any clear affirmative response to a proper disclosure qualifies.

Prior express consent applies to informational calls to cell phones and permits verbal agreement. Prior express written consent is required for autodialed or prerecorded telemarketing calls and texts to cell phones. Written consent includes electronic records like signed web forms, checked opt-in boxes with a clear disclosure, or documented digital agreements. It does not include purely verbal confirmations, no matter how clearly they were recorded.

Pull a sample of outbound calls from a defined date range. For each contact, verify a retrievable recording exists, the recording contains a clear consent exchange, the CRM record was created near the call time and matches the number dialed, and no revocation was logged before later contacts. Any failed check is a gap. Run this audit before every campaign launch, not after a complaint.

No. The $500-per-violation structure means even small undocumented campaigns carry real exposure. A batch of 200 contacts without provable consent is $100,000 at the base rate, $300,000 if a court finds willfulness. Class treatment multiplies that by the size of the contact list. There is no safe harbor based on campaign size.

Sources

  1. Code of Federal Regulations, 47 C.F.R. § 64.1200: 47 C.F.R. § 64.1200(a)(2) requires prior express written consent for autodialed or prerecorded telemarketing calls and texts to wireless numbers
  2. Mais v. Gulf Coast Collection Bureau, Inc., 768 F.3d 1110 (11th Cir. 2014): Court examined whether consumer received clear disclosure of consent scope before calls were made
  3. National Conference of State Legislatures, State Laws on Recording Telephone Calls: Multiple states require all-party consent before recording a telephone call
  4. U.S. Code, 28 U.S.C. § 1658, Limitations on actions: General four-year statute of limitations for federal civil actions, applied to TCPA claims
  5. U.S. Code, 47 U.S.C. § 227(b)(3), Telephone Consumer Protection Act statutory damages: TCPA provides $500 per violation and up to $1,500 per willful violation in statutory damages
  6. California Penal Code § 632 (California Invasion of Privacy Act): California CIPA requires consent of all parties to a call before recording, making all-party disclosure legally required in California
  7. Florida Statute § 501.059, Florida Telephone Solicitation Act: Florida's 2021 FTSA amendment created a private right of action with $500 per-call statutory damages for unconsented telemarketing calls
  8. Federal Trade Commission, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC Telemarketing Sales Rule governs do-not-call requirements and consent standards for telemarketing alongside TCPA

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit