How to handle TCPA compliance when buying third-party leads

Buying third-party leads without proper consent verification exposes you to $500, $1,500 per call TCPA fines. Here's how to protect yourself before you dial.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-09

Person reviewing lead records at office desk beside a telephone
Person reviewing lead records at office desk beside a telephone

TL;DR

When you buy third-party leads, you inherit the consent problem. The FCC and courts hold callers, not lead generators, responsible if consent was invalid. You need prior express written consent tied to your company name, DNC scrubbing before every dial, and a contract that shifts liability to the vendor. Without those three things, every call is a live grenade.

Why does buying third-party leads create a TCPA problem in the first place?

The Telephone Consumer Protection Act, 47 U.S.C. § 227, prohibits autodialed or prerecorded calls to cell phones without the prior express written consent of the called party [1]. That word 'prior' is the whole problem with purchased leads. The consumer gave consent to someone else, at some point, for some purpose. They almost certainly did not give it to you.

The FCC's 2012 rules tightened this hard. Before 2012, an 'established business relationship' could stand in for express consent. That safe harbor is gone [2]. Since October 16, 2013, every autodialed or prerecorded marketing call to a cell phone requires written consent, full stop. It does not matter that you paid a legitimate-looking vendor for the list.

Courts have been unambiguous on who carries the risk. In Campbell-Ewald Co. v. Gomez (2016), the Supreme Court held that a TCPA suit survives even when the defendant offers full statutory damages before class certification, so these cases do not go away cheaply [3]. Lower courts have said again and again that a caller cannot hand its consent obligations to a lead-gen partner and walk away clean.

So why do people keep buying leads? Because real, properly structured consent works. The problem is the lead-gen market runs thick with consent that is vague, too old, never tied to your company, or simply made up.

Valid consent for autodialed marketing to a cell phone is a written agreement (electronic counts) that names a specific company, authorizes calls or texts to a specific number for marketing, and states plainly that consent is not a condition of purchase [2]. The FCC set that standard in its 2012 order. Anything short of it is not usable for an automated dial.

For a purchased lead to work under an autodialer or for robotexts, the form the consumer filled out has to name you, or name your company specifically. Generic language like 'our marketing partners' or 'trusted third parties' gets challenged in litigation constantly. The FCC's one-to-one consent rule, adopted in December 2023 with an effective date of January 27, 2025, sharpened this further: consent has to run to one seller at a time, not to an entire industry category [4]. That rule aimed straight at the old 'by submitting this form you agree to be contacted by up to 57 partners' model that ran the lead-gen business for years.

Here is what defensible consent documentation should contain:

ElementWhat it needs to say
Named callerYour company's legal name
Specific phone number or methodAutodialed calls and/or text messages
Marketing purposemore than 'informational'
Not a condition of purchaseExplicit statement required
Date and time stampFor your records
IP addressTies the consent to the actual consumer
Opt-in page URL or screenshotProves what was disclosed

If your vendor can't produce all of that for each record, the consent is not usable for autodialed calls. You can still make manual, human-dialed calls to non-cell numbers in many cases. But the moment you fire up an ATDS or drop a ringless voicemail, you need the documentation.

What TCPA penalties can you face if a purchased lead goes wrong?

Statutory damages under 47 U.S.C. § 227(b)(3) are $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones [1]. Each call or text is a separate violation. A campaign of 10,000 records with bad consent is $5 million to $15 million in exposure before anyone says the words 'class certification.'

TCPA class actions are the real threat. The statute pays statutory damages with no proof of actual harm required, so plaintiffs don't need to show they lost a dollar. They just need to show you called. That makes TCPA one of the few statutes where plaintiff attorneys file nationwide class suits for millions of consumers and pull eight-figure settlements out of companies that would have been fine if they had just checked the list.

The settlements tell the story. Cash App paid $18 million to settle a TCPA class action over text messages see the [cash app tcpa class action settlement]. Credit One Bank paid $12.5 million over autodialed calls see the [credit one tcpa settlement]. These are not fly-by-night shops. They had compliance teams. They still had a gap somewhere in the consent chain.

The FCC can bring its own enforcement actions on top of private suits. And many states run TCPA-parallel statutes that add their own per-call penalties.

TCPA purchased-lead compliance: key thresholds Real numbers you need to know before your first dial 500 $500 per call 1,500 $1,500 per willful violation 72 $72 per area code / year (DNC access) 4 4-year statute of limitatio… Source: 47 U.S.C. § 227 [1]; FTC National DNC Registry [5]; FCC 12-21 [2]

How do you vet a third-party lead vendor before you buy?

Most compliance failures with purchased leads happen before the first call. You bought from a vendor who said the leads were 'TCPA compliant' and you took their word. That is not a defense in court.

Ask these questions before you sign any lead purchase agreement.

First, ask for a sample consent record. Not a description of their process. An actual record, with the timestamp, IP address, page URL, and the exact consent language the consumer saw. If they stall or send a generic screenshot, walk.

Second, ask how old the leads are. Consent has no statutory expiration under federal TCPA, but courts have increasingly found consent can go 'stale' when too much time passes or the consumer's circumstances change. The FCC set no bright-line age limit. Practically, anything over 90 days with no engagement is risky for cold outreach, and some TCPA attorneys treat 30 days as a working limit for purchased cell-phone leads.

Third, ask how they handle revocations. If a consumer told the previous caller to stop, that revocation travels with the number. Under 47 U.S.C. § 227(b)(1), any reasonable method of opting out has to be honored [1]. A real vendor scrubs revocations before sale.

Fourth, verify DNC registration. The FTC's National Do Not Call Registry covers any number on the list for telemarketing, consent or no consent. You check every purchased number against the registry before dialing see how to [get the do not call list]. Cell phones can sit on the DNC registry too, which most callers forget see [mobile phone do not call list].

Fifth, get a compliance attestation in the contract. More on that next.

What should a lead purchase contract say to protect you from TCPA liability?

Your contract with a lead vendor is your first line of defense in litigation. It won't immunize you from a consumer suit, because you are the caller and the statute reaches you directly. What it can do is shift the financial hit to the vendor and give you a contribution claim if you get sued.

At minimum, put these terms in writing.

A consent warranty. The vendor warrants that each record was collected with prior express written consent under 47 U.S.C. § 227 and the FCC's rules, that the consent names your company (or was collected in a way that satisfies the one-to-one consent rule), and that consent was not a condition of receiving any service.

An indemnification clause. If you get sued because a lead's consent documentation turns out to be fabricated or defective, the vendor covers your damages, legal fees, and settlements.

A data retention obligation. The vendor keeps the original consent record (timestamp, IP address, page URL, consent language) for at least four years, matching the TCPA's statute of limitations [1], and produces it to you within 48 hours of a litigation hold request.

A scrubbing representation. The vendor scrubbed the list against the National DNC Registry within 31 days before delivery, and pulled any numbers on an internal do-not-call list.

Audit rights. You can pull a sample of consent records at any time.

None of this is standard boilerplate a vendor hands you. You add it. A vendor who refuses these terms is telling you exactly how they collected the data.

Do you still need to scrub purchased leads against the Do Not Call Registry?

Yes, always. Consent and DNC status run on separate tracks. A consumer can give valid consent and still be on the Do Not Call Registry. The registry covers telemarketing calls to residential numbers and, in practice more and more, to cell phones [5]. You check the registry before any telemarketing call, whether or not you hold consent.

The FTC runs the National Do Not Call Registry through its telemarketer portal. Access costs $72 per area code per year as of 2024, with the first five area codes free [5]. You scrub within 31 days before any call. A number that wasn't on the list last month might be on it today.

Plenty of states stack their own do-not-call rules on top of the federal registry. Florida runs its own DNC list with its own private right of action. Texas, Indiana, and several others do too. If your purchased list spans multiple states, you need state-level scrubbing on top of the federal registry.

The do not call list rules bind you even if you think you have an established business relationship. The EBR exemption, which once cleared calls to customers within 18 months of a transaction, does not override an explicit DNC request from that customer [5].

For outbound sales teams working purchased lists across states, the cleanest setup is a real-time scrubbing API that runs every record through the federal DNC, your internal DNC, and any state lists before the dial goes out.

The FCC adopted its one-to-one consent rule in December 2023, with an effective date of January 27, 2025 [4]. The rule amended 47 C.F.R. § 64.1200 to require that prior express written consent for marketing calls name a single seller, not a category or group of sellers. The FCC's order said consent must be 'logically and topically associated' with the website where it's obtained, so a consumer on a home insurance comparison site can only consent to home insurance sellers, not to unrelated verticals.

That breaks the traditional shared-lead model at the foundation. A publisher who collected one consent and sold that same record to fifteen mortgage companies, five insurers, and three solar vendors now has a problem on every one of those sales. Each sale after the first arguably breaks the rule.

So you have to ask your vendor more than whether consent was obtained. You ask whether the consumer's consent on that specific form named your company, or at least your product category, on a site topically tied to what you sell.

The rule got challenged. The Eleventh Circuit vacated part of it in early 2025, in Insurance Marketing Coalition v. FCC, which left real uncertainty about implementation [11]. As of mid-2025, the FCC signaled it would revisit the rule. Nobody has good data yet on how courts will treat leads collected during the contested window. The safe move right now is to hold the one-to-one standard as the goal even with enforcement temporarily softened, because that standard tracks how courts already read consent validity.

If you're building a cold calling or SMS program on purchased leads, LeadCompliant's free compliance kit includes a vendor questionnaire template built around the one-to-one requirements.

What records do you need to keep to defend a TCPA claim about a purchased lead?

The TCPA's statute of limitations is four years from the date of the call under 28 U.S.C. § 1658 [1]. So you keep records for at least four years after the last call to any given number. Courts have sanctioned defendants who couldn't produce consent documentation because they never preserved it.

For each purchased lead you contact by autodialer or prerecorded message, retain:

  • The original consent record as received from the vendor (timestamp, IP, page URL, consent language, consumer identifying information)
  • The date you received the lead from the vendor
  • Your DNC scrub logs, showing the record was checked against the registry within 31 days before the call
  • Your internal DNC list check
  • The call log itself (date, time, number called, method used, call outcome)
  • Any opt-out or stop requests from that number, and when you honored them
  • The lead purchase contract and any vendor compliance attestations

If you run a cold call or text platform, make sure it logs calls and texts automatically and lets you export that data in a format a court can read. Plenty of smaller teams use CRMs that don't retain enough detail. That gap will hurt you in discovery.

Store all of it somewhere backed up and controlled by your company, not solely by the vendor or a platform you might stop paying for.

Can you use ringless voicemails or prerecorded messages with purchased leads?

Treat ringless voicemails like autodialed calls. RVMs land directly in a consumer's voicemail without the phone ringing, and there has been heavy litigation over whether they count as 'calls' under the TCPA. The Ninth Circuit held in Trim v. Reward Zone USA (2023) that ringless voicemails delivered via ATDS technology are calls under 47 U.S.C. § 227 [6]. Most compliance practitioners now require the same prior express written consent for an RVM as for a regular autodialed call.

Prerecorded or artificial voice messages to cell phones require prior express written consent, period, no matter how the call is delivered. The statute spells this out [1]. There is no prerecorded-call exception for a business relationship or a lead purchase.

Prerecorded telemarketing calls to residential landlines also require prior express written consent. The old opt-out-during-the-message safe harbor still runs for landline calls under an established business relationship, but it does nothing for cell phones.

So if you're buying leads to drop prerecorded messages or ringless voicemails, you need consent documentation that explicitly authorizes 'prerecorded or artificial voice messages.' General consent language may not cover it if it never names the method.

What about text message compliance when using purchased leads?

SMS marketing sent with an autodialer or short code triggers the TCPA the same way voice calls do [1]. The FCC has long treated text messages as 'calls' under 47 U.S.C. § 227(b)(1)(A). The consent requirement is identical: prior express written consent naming your company, for that method of contact.

For text message marketing, purchased leads are especially dangerous because SMS engagement data is easy to measure, and plaintiffs' attorneys use it to build class definitions. Blast a text campaign to 50,000 purchased leads without valid individual consent and you have written a textbook TCPA class action.

A few text-specific rules apply. The CTIA's short code monitoring program requires opt-in documentation for short code campaigns. Carriers shut down short codes for TCPA violations, which can knock your entire SMS channel offline no matter what happens in court. P2P texting platforms that claim to dodge ATDS classification sit in a gray area. Courts have not settled whether every such platform escapes autodialer status, and betting your consent strategy on that argument is a bet most compliance practitioners won't make.

For TCPA compliance across voice and text on purchased lists, the answer stays the same: document the consent, scrub the DNC, and don't use channels the consent form never mentioned.

What is the safest practical process for a small sales team buying leads?

Most small outbound teams can't afford full-time counsel reviewing every lead purchase. Here is a process that holds up in court without freezing your operation.

Before you buy: Send the vendor a written questionnaire asking for (a) a sample consent record with timestamp and IP, (b) a copy of the consent form text consumers saw, (c) confirmation of DNC scrubbing frequency, and (d) a signed compliance attestation. Buying more than a few hundred leads? Get the contract terms above in writing.

Before you dial: Run every number through the National DNC Registry and your internal DNC list. Most modern dialer platforms do this automatically. Do not skip it even if the vendor says they already scrubbed. Their scrub date and your dial date might be weeks apart.

When you dial: Use human-dialed calls where you're unsure about ATDS consent. ATDS is the trigger for the strictest consent rules. A genuine manual dial to a non-cell landline carries lower risk, though it's not risk-free if the number is on the DNC list.

When someone opts out: Log it to your internal DNC list immediately and honor it within the call. Under the FCC's rules, a consumer can revoke consent at any time by any reasonable means [8]. You cannot force them through a specific channel.

LeadCompliant's free compliance kit has a pre-call checklist and a vendor questionnaire template you can use today.

Audit quarterly: Pull a random sample of 50 leads from each vendor, request their consent records, and confirm the documentation is complete. This is the kind of due diligence that matters in court if you ever get sued.

None of this replaces advice from a TCPA attorney if you run a high-volume program. But it is the baseline that separates teams who get sued and lose from teams who get sued and have a defense.

Are there specific lead generation niches where TCPA purchased-lead risk is highest?

Yes. A handful of verticals draw outsized TCPA litigation because plaintiffs' attorneys have pegged them as having systematic consent problems.

Mortgage and insurance leads are the most litigated purchased-lead categories. The shared-lead aggregator model was built in these verticals, and the one-to-one consent rule aims right at it. Buying mortgage or auto insurance leads from an aggregator that sells the same lead to multiple buyers? Assume the consent structure is being challenged and demand specific documentation.

Solar and home improvement have seen a wave of TCPA suits over the last three years, partly because the high ticket size draws aggressive lead-gen tactics and partly because the sales model leans hard on outbound calls to cold leads.

Debt collection and credit repair carry extra risk. Consumers in financial stress land on the DNC registry more often, dispute consent more often, and work with plaintiff's attorneys more often.

Student loan and education verticals have drawn FTC enforcement on consent on top of TCPA exposure.

None of this means you can't buy leads in these verticals. It means you hold vendors here to a higher documentation standard, not a lower one, because the litigation environment is meaner.

Frequently asked questions

Does buying a 'TCPA-compliant' lead list actually protect me from lawsuits?

No. A vendor's claim that leads are 'TCPA compliant' is a marketing statement, not a legal shield. You are the caller. The statute reaches you directly. If the consent documentation is defective, the consumer can sue you regardless of what the vendor promised. What a proper compliance program and a strong indemnification contract do is give you a defense and a financial claim against the vendor, not immunity from being named in a suit.

The statute sets no expiration date, but courts have found consent can go stale. Practically, most compliance practitioners treat purchased cell-phone lead consent as actionable for 30 to 90 days from collection, depending on whether the consumer has shown any subsequent engagement. After that, the risk of calling a number that has changed hands or where the consumer no longer recognizes the consent rises sharply.

Can I rely on 'established business relationship' as a substitute for consent with purchased leads?

No. The FCC eliminated the established business relationship exemption for autodialed and prerecorded calls to cell phones in its 2012 order, effective October 16, 2013. EBR still applies in limited ways to residential landlines for telemarketing, but not to calls or texts to cell phones. Purchased leads by definition have no EBR with you anyway, since the consumer has had no prior transaction with your company.

Under the FCC's one-to-one consent rule effective January 2025, consent given to one company does not automatically extend to companies that bought the lead from that company. The consent must name you specifically or your category on a topically relevant site. The rule faced legal challenge, but courts have been moving this direction on their own. Bundled or third-party-transferred consent is the most common TCPA vulnerability in purchased-lead programs.

What is the TCPA penalty per call or text for a purchased lead without valid consent?

47 U.S.C. § 227(b)(3) sets statutory damages at $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations. Each call or text is a separate violation. A campaign of 10,000 calls with bad consent creates $5 million to $15 million in potential statutory exposure before attorney fees or class multiplier effects.

Do I need to scrub purchased leads against the Do Not Call Registry even if I have consent?

Yes. Consent and DNC status are separate. A consumer can give valid express written consent and still sit on the National Do Not Call Registry. The DNC rules apply to telemarketing calls regardless of consent. You must scrub every number within 31 days before calling. The FTC charges $72 per area code per year for registry access, with the first five area codes free.

Can I text purchased leads if I have their phone number and 'general' consent?

No. Autodialed or mass text messages to cell phones require prior express written consent that specifically authorizes text messages, names your company, and includes a statement that consent is not a condition of purchase. General consent to 'be contacted' or consent to a different channel does not cover outbound SMS. This is one of the most common mistakes small teams make when they buy lists and drop them into a texting platform.

What records should I keep to defend a TCPA claim about a purchased lead call?

Keep the original consent record (timestamp, IP address, page URL, consent language), your DNC scrub logs, the call log with date, time, number, and method, any opt-out requests and when you honored them, and the lead purchase contract with vendor representations. The TCPA statute of limitations is four years, so retain everything for at least that long after the last contact with any given number.

What contract terms should I require from a lead vendor to reduce my TCPA exposure?

At minimum: a consent warranty stating each record meets 47 U.S.C. § 227 requirements; an indemnification clause covering damages, fees, and settlements from consent defects; a data retention obligation requiring the vendor to keep consent records for four years and produce them within 48 hours of a litigation hold; a representation that records were scrubbed against the National DNC Registry within 31 days before delivery; and audit rights. Vendors who refuse these terms are a signal, not a negotiating position.

Does the TCPA apply differently to manual calls versus autodialed calls on purchased leads?

Yes, significantly. The strictest consent requirement, prior express written consent, applies to calls and texts made with an Automatic Telephone Dialing System (ATDS) or using a prerecorded or artificial voice. Genuinely manual calls, where a human dials each number individually with no automated assistance, face a lower TCPA burden, though DNC rules and state law still apply. Most sales teams using predictive or power dialers are using ATDS technology and need full written consent.

Are ringless voicemails to purchased leads covered by the TCPA?

Courts increasingly say yes. The Ninth Circuit in Trim v. Reward Zone USA (2023) held that ringless voicemails delivered via ATDS technology are 'calls' under 47 U.S.C. § 227. Most compliance practitioners now treat RVMs the same as autodialed calls, requiring prior express written consent that specifically authorizes prerecorded or artificial voice messages. Do not treat RVM campaigns as a consent workaround.

Which lead generation verticals have the highest TCPA purchased-lead litigation risk?

Mortgage, auto and home insurance, solar, home improvement, debt settlement, credit repair, and education/student loan verticals have the highest concentration of TCPA purchased-lead suits. These categories relied heavily on the shared-lead aggregator model that the FCC's one-to-one consent rule targets. If you buy leads in these verticals, hold vendors to a higher documentation standard and get indemnification in writing.

The FCC's December 2023 order, effective January 27, 2025, requires that TCPA consent identify a single seller, not a bundled group of companies or categories. A consumer's consent on a lead-gen form that lists 'up to 50 marketing partners' no longer satisfies the rule. The Eleventh Circuit vacated part of the rule in early 2025, creating temporary uncertainty, but the court trend toward specific named-seller consent predates the rule and is unlikely to reverse.

Can I add purchased leads to my existing customer database and call them the same way I call existing customers?

No. Existing customers have a relationship with you, and in some cases that relationship supports a call to a landline under the EBR exemption. Purchased leads have no relationship with you. Adding them to the same database and calling them the same way ignores the consent gap entirely. Treat purchased leads as a separate population that needs fresh, valid, documented consent before any autodialed or prerecorded contact.

Sources

  1. U.S. House of Representatives, Office of the Law Revision Counsel, 47 U.S.C. § 227: TCPA statutory text: $500 per violation, $1,500 for willful violations; prior express written consent required for autodialed calls to cell phones; four-year statute of limitations under 28 U.S.C. § 1658
  2. Supreme Court of the United States, Campbell-Ewald Co. v. Gomez, 577 U.S. 153 (2016): TCPA class actions survive even when defendant offers complete statutory relief before class certification; suits do not resolve cheaply
  3. Federal Trade Commission, National Do Not Call Registry Information for Telemarketers: National DNC Registry access costs $72 per area code per year (first five area codes free); must scrub within 31 days before calling; EBR does not override explicit DNC request
  4. U.S. Court of Appeals, Ninth Circuit, Trim v. Reward Zone USA LLC, No. 22-55517 (2023): Ninth Circuit held ringless voicemails delivered via ATDS technology constitute 'calls' under 47 U.S.C. § 227 and require prior express written consent
  5. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Telemarketing Sales Rule applies to outbound telemarketing calls and imposes do-not-call and consent obligations in addition to TCPA requirements
  6. U.S. District Court, Northern District of California, Cash App TCPA Class Action Settlement, Case No. 3:22-cv-02873: Cash App settled a TCPA class action for $18 million over alleged unauthorized text messages (reported in public court filings)
  7. FCC, Code of Federal Regulations 47 C.F.R. § 64.1200: FCC implementing rules for TCPA including written consent requirements, opt-out obligations, and definition of prior express written consent
  8. U.S. Court of Appeals, Eleventh Circuit, Insurance Marketing Coalition v. FCC, No. 24-10277 (2025): Eleventh Circuit vacated part of the FCC's one-to-one consent rule in early 2025, creating enforcement uncertainty during the contested period
  9. U.S. Code, 28 U.S.C. § 1658 (Time limitations on civil actions): Federal four-year statute of limitations that governs the TCPA private right of action; each call or text is a separate violation for statutory damages calculation

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit