How to prove consent as an affirmative TCPA defense

TCPA consent defense requires written records, timestamps, and matching numbers. Learn the exact evidence stack that wins or loses these cases in court.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-11

Person reviewing paper consent documents at desk alongside open laptop for TCPA compliance
Person reviewing paper consent documents at desk alongside open laptop for TCPA compliance

TL;DR

To win a TCPA consent defense, produce written proof made at the time: a signed disclosure, the exact number the consumer gave, a timestamp, and a clear description of the calls or texts authorized. Once a plaintiff shows a call was made, the burden shifts to you. No documented proof means no defense, even when consent actually happened.

Consent is an affirmative defense. That means you carry the weight of proving it, not the other way around. The Telephone Consumer Protection Act, 47 U.S.C. § 227, bars using an automatic telephone dialing system or a prerecorded voice to call or text a cell phone without the called party's prior express consent [1]. Consent is not a loophole. It is a statutory carve-out, and the caller owns the burden.

The FCC has said the same thing over and over. The party claiming consent has to prove it. In its 2012 omnibus ruling the Commission wrote, "We continue to conclude that the creditor or other caller has the burden of proof" on consent [2]. That one sentence has sunk more TCPA defenses than any factual dispute ever has.

So what does a real consent defense look like? Three things have to line up: proof consent was actually given, proof it covered the exact kind of message you sent, and proof it applied to the exact number you called. Miss one and the defense is incomplete. Courts do not grade on effort.

There are two tiers of consent, and the tier you need depends on what you send. Get the tier wrong and your paperwork does nothing for you.

Telemarketing calls or texts need prior express written consent (PEWC). The FCC's 2012 rule, codified at 47 C.F.R. § 64.1200(a)(2), requires a written agreement with the consumer's signature, the phone number calls may go to, and a clear line saying that agreeing to the calls is not a condition of buying anything [10]. Electronic signatures count.

Informational calls that sell nothing, like appointment reminders or fraud alerts, need prior express consent without the written part. Courts and the FCC treat the two categories very differently. Defendants who dress up a sales pitch as an "informational" message have lost cases on that mistake alone.

Here is the quick comparison:

Call/Text TypeConsent Standard RequiredForm Required
Telemarketing/promotionalPrior express written consentSigned written agreement
Non-telemarketing informationalPrior express consentAny reasonable evidence
Emergency/EASNoneN/A
Calls to residential landlinesPrior express consentAny reasonable evidence

This classification is where clean programs come apart in litigation. Label a message "informational" but pack it with a promotional offer, and a court reads it as telemarketing. Your lower-tier consent record then covers nothing.

Courts are specific about what they want to see, and "we got consent somewhere" is not on the list. A viable consent defense usually needs all five of these pieces together.

First, the consent record itself. For PEWC that is the actual signed disclosure, whether paper, a digital form submission, or a click-to-agree. The disclosure has to name or clearly describe your company (or the companies that may call) and state that consent covers autodialed or prerecorded calls and texts [10].

Second, a timestamp. Courts want to know when consent was given, ideally to the second, with the timezone noted. Consent captured before a number changed hands is worthless if you cannot show you had the number at the time.

Third, the source IP address or device identifier for web opt-ins. Federal courts want this because it ties the consent event to a specific session. Without it, you cannot rebut a plaintiff who swears they never filled out the form.

Fourth, proof the number in your record matches the number you dialed. Sounds obvious. It gets hard fast once numbers are ported, reassigned, or fat-fingered on entry. Reyes v. Lincoln Automotive Financial Services and a long line of similar rulings hold that consent from one person does not carry over to a new subscriber of the same number [3].

Fifth, proof consent was not revoked. A consumer can revoke at any time by any reasonable means. The FCC's 2015 order held that once revocation lands, the caller has to honor it promptly [4]. If a plaintiff texted "STOP" or emailed asking you to stop, and you called anyway, no original opt-in record saves you.

TCPA consent defense: the numbers that matter Key thresholds and costs under 47 U.S.C. § 227 and FCC rules 500 Statutory damages per viola… (standard) 1,500 Statutory damages per viola… (willful) 4 Years to retain consent records (SOL) 35 Phone numbers reassigned an… (millions) Source: 47 U.S.C. § 227 [1]; FCC 2012 Omnibus Order [2]; FCC RND [6]; 28 U.S.C. § 1658 [8]

The burden shifts the moment the plaintiff makes a prima facie case, and that shift decides most summary judgment motions.

The plaintiff shows three things: the defendant used an ATDS or prerecorded voice, called a cell phone, and had no consent. Once that is in, the burden moves to you. You have to come forward with actual evidence of consent. A court will not assume it existed because you say so.

In Van Patten v. Vertical Fitness Group, the Ninth Circuit held that defendants must demonstrate prior express consent by producing records showing the plaintiff voluntarily gave his number in connection with the subject matter of the calls [5]. An employee testifying about what the opt-in process "usually looked like" rarely carries the day on its own.

The paper trail beats the practice. A company can run an honest opt-in program and still lose because nobody archived the records. Courts decide on evidence, not intentions.

At class certification, consent records cut the other way too. If every class member's consent situation is different, the plaintiff may fail to certify. That is a litigation tactic rather than a merits defense, and it only works if you actually kept the individual consent records.

Prior express written consent is a written agreement, signed by the person called, that clearly authorizes marketing calls or texts by ATDS or prerecorded voice to a stated number. The FCC's 2012 rule, codified at 47 C.F.R. § 64.1200 and effective October 16, 2013, spells this out [10].

Four elements are not optional:

1. A signature (wet ink or a valid e-signature under E-SIGN) 2. The specific phone number authorized 3. The name of the seller or company that may call 4. A statement that consent is not required as a condition of purchase

That last one, the "not a condition of purchase" line, wrecks a surprising number of forms. Put the opt-in checkbox on a required checkout screen with no way to finish the purchase without it, and the consent fails even if the box starts unchecked.

Lead generation forms need extra care. The FCC has held that consent to one company does not transfer to another just because the form buried some fine print about "marketing partners." Several district courts have found vague partner lists do not amount to PEWC for any specific downstream caller. If you bought leads, you probably do not have valid consent unless the original form named your company.

Implied consent is real, but it is narrow and only shows up in a few factual situations. Do not build a marketing program on it.

The classic case is giving your number inside an existing business relationship. Hand your cell number to a hospital for billing, and that hospital likely has implied consent to contact you about the bill. The FCC has treated a consumer as having given "prior express consent to be contacted at the number provided" when the number was handed over to a company as part of a transaction [2]. That consent covers the relationship, not unrelated marketing.

Implied consent does not cover cold outreach. Scraped a number off a website? Bought a list? Pulled it from a data aggregator? No implied consent. None. Courts are consistent here.

For cell phone calls and texts sent by ATDS, anything promotional almost always needs explicit written consent under the 2012 rule. Implied consent now matters mostly for informational messages inside an existing relationship, and even there, careful teams get written consent anyway. The litigation risk of leaning on implied consent is not worth it.

What happens when a phone number has been reassigned?

When a number gets reassigned, your old consent record is worthless against the new subscriber. That is the whole problem in one sentence. The U.S. reassigns roughly 35 million numbers a year, a figure the FCC cited while building the Reassigned Numbers Database [6].

Here is how it plays out. You have documented consent from Consumer A. Consumer A ports away. The number goes to Consumer B, who never agreed to anything. Consumer B sues. Your record shows Consumer A said yes, which does you no good. Courts have generally held that consent from the original subscriber does not shield you from the new one.

The FCC launched the Reassigned Numbers Database (RND) in 2021 to help. Check the RND before you call, get a "not reassigned" result, and you get a safe harbor for that specific call [6]. It is not airtight. The database is only as fresh as the porting data carriers submit. It is still the best documented protection available for this risk.

Checking the RND on every dial is not trivial at scale. For high-risk consumer segments, or any list older than 90 days, build it into the workflow anyway. For more on running clean call lists, see how the do not call list interacts with your scrubbing obligations.

Some courts, including the Sixth Circuit in Grigorian v. FCA, have allowed limited "reasonable reliance" on prior consent in reassignment cases. Those protections are thin and vary by circuit. Do not design your compliance program around them.

Revocation is one of the hottest areas in TCPA litigation right now. The FCC's 2015 order held that consumers may revoke consent at any time through any reasonable means [4]. Newer FCC rules that took effect April 11, 2025 added detail: for texts, a "STOP" reply has to be honored, and callers must give a simple, clear way to opt out [7].

What "any reasonable means" has meant in practice: an oral revocation on a call, an email to customer service, a written letter, a reply text, a box checked in an online account. Courts have upheld all of them. The burden is on the caller to process the revocation fast, and plenty of defendants have lost on the narrow question of how many calls slipped through after a valid opt-out.

This is really an operations problem wearing a legal costume. Your CRM has to log opt-out events and suppress the number before the next dial cycle runs. A 48-hour gap between receiving an opt-out and suppressing it means every call in that window is a possible violation. Statutory damages run $500 per call, up to $1,500 for willful violations [1].

To see what revocation failures cost at scale, the cash app tcpa class action settlement and credit one tcpa settlement show what happens when the problem reaches class-action size.

What documents should you keep and for how long?

Keep consent records at least four years, and longer if you can. No single federal statute sets a TCPA retention period, so this is a practical answer rather than a statutory one.

The TCPA's statute of limitations is four years under 28 U.S.C. § 1658, the general federal catch-all [8]. Any consent record you cannot produce for a contact made in the past four years is a liability gap, plain and simple. A few state analogs have shorter windows, several have longer ones, so defaulting to four years nationally is reasonable.

Here is the checklist that builds a defensible consent file:

  • The opt-in form or agreement, verbatim, as it appeared when consent was given (not the current version)
  • A screenshot or archived HTML of the form with the disclosure language visible
  • The submission timestamp (UTC, or local time with the timezone noted)
  • The IP address of the submission
  • The specific phone number entered
  • The consumer's name and email, if collected
  • Any double opt-in confirmation message
  • Every opt-out or revocation event, with timestamps

If your consent comes through a third-party lead generator, you also need their documentation, because you have to prove their form met TCPA standards. This is where lead buyers get burned. You relied on someone else's form language, the lead provider folds, and now you cannot produce the original consent in litigation.

LeadCompliant's free compliance kit includes a consent documentation checklist and a form audit template, so you can check your records before a suit lands rather than after.

The defenses fail in the same few places over and over. Here are the patterns that show up most.

Generic or vague disclosure language. Forms that say "we may contact you" without naming autodialed calls, texts, or prerecorded messages miss the FCC's specificity requirement. Consent has to match the method you used.

Consent obtained through a deceptive flow. Trick a consumer into checking a box, or pre-check the box for them, and many courts throw out the consent. Pre-checked boxes are a particular loser.

Buried or unreadable disclosures. Font size matters. In Sellers v. JustAnswer LLC and similar cases, courts found that disclosures hidden inside dense terms of service a reasonable person would never read do not count as clear and conspicuous consent.

Consent that does not survive assignment. If Company A got the consent and then sold the lead or account to Company B, Company B generally cannot ride on Company A's record. The FCC has said transferability has to be expressly authorized in the disclosure.

Missing or incomplete records. The most common failure by far. The consent probably existed. The company just cannot prove it four years later because nobody archived it right.

No double opt-in for texts. The TCPA does not require it, but a double opt-in creates a confirmation message proving the consumer held the phone at opt-in time. That is a big evidentiary edge for cheap.

For a wider look at exposure in cold calling, the consent standard for outbound sales calls to cell phones follows these same rules.

Third-party leads are the single biggest gray area for outbound sales teams. You buy a list. The lead generator swears the contacts opted in. You call. One of them files suit.

The question a court will ask is narrow: did this consumer consent to calls from you, specifically? Not from the lead generator. Not from "marketing partners." From you.

The FCC addressed this head-on in its one-to-one consent rule, adopted in December 2023. The rule required consent on a per-seller basis, so one form could not bundle consent for a stack of sellers at once [7]. A lead gen form that said "I consent to be contacted by companies in our partner network" would not provide valid PEWC for any one company in that network. Watch the timing: a federal court vacated this specific one-to-one provision in January 2025 before it took effect, so its status is unsettled and worth checking with counsel before you rely on it either way. The underlying PEWC standard from the 2012 rule still applies.

Whatever happens with the one-to-one rule, the FCC's stated position is clear. The Commission has said prior express written consent must identify the specific seller to which consent is given [2].

Practically, if you use third-party leads, do one of three things: make sure the original consent form named your company, have the lead provider send a fresh consent confirmation that names you, or get new consent yourself before any ATDS calls or texts. The third option is operationally hard and legally the cleanest.

The same consent requirements apply to your SMS follow-up. See text message marketing for the specifics.

What practical steps can you take right now to strengthen your consent defense?

Ask yourself one question: if a suit landed tomorrow, what would your consent file actually contain? Work backward from that.

Audit your opt-in forms. Pull the live form language and check it against the FCC's four PEWC elements: signature, phone number, named seller, not-a-condition-of-purchase language. Missing any one? The form is deficient. Fix it this week.

Check your retention system. Can you pull a consent record from 18 months ago that includes the IP address, timestamp, and the form version in use back then? Many CRMs log the opt-in event but never archive the form itself. Version-control your forms and store a rendered snapshot with every consent event.

Scrub against the National Do Not Call Registry before every campaign. TCPA and DNC obligations stack. A consumer on the do not call telemarketer list who also claims no TCPA consent gives you double exposure. You can register for access to the registry through the FTC [9].

Build opt-out suppression into the tech stack, more than the policy. A policy that says "honor opt-outs within 24 hours" is worthless if the system cannot technically do it.

For texts, run double opt-in. Send a confirmation message right after signup and require a reply. Archive those replies. This is the cheapest strong insurance you can buy for a text consent defense.

Refresh consent on any list older than 12 months. Consent does not expire by statute, but a judge is warmer to a record from six months ago than one from three years ago, especially when the consumer claims they do not remember signing up.

LeadCompliant's free tools include a cold call compliance checker and a consent form language auditor that flags disclosure gaps before they turn into litigation.

Frequently asked questions

The caller does. Once a plaintiff shows an ATDS or prerecorded call reached their cell phone, the burden shifts to the defendant to prove prior express consent existed. The FCC said plainly in its 2012 Omnibus Order that the creditor or other caller has the burden of proof on consent. Generic claims or employee testimony about general practices rarely carry it.

No. For telemarketing calls or texts using an ATDS, the TCPA requires prior express written consent under the FCC's 2012 rule, effective October 2013. Verbal consent, even captured on a call recording, does not meet the written standard for promotional messages. Verbal consent can work for non-telemarketing informational calls, but the line between those categories gets litigated hard.

Yes. The FCC held in its 2015 Omnibus Order that consumers may revoke consent through any reasonable means at any time. An oral revocation on a live call qualifies. The trouble for callers is operational: you have to log that revocation right away and suppress the number before the next dial. Calls after a valid revocation are potential violations at $500 to $1,500 each.

The TCPA sets no retention period, but the federal statute of limitations under 28 U.S.C. § 1658 is four years. Keep consent records at least four years from the last contact tied to that consent. Retention should include the form itself (more than the event log), the timestamp, the IP address, and the specific number provided.

Partly. The FCC has recognized that a consumer who voluntarily gives their phone number during a business transaction gives implied consent to be contacted about that transaction. But it is narrow. It does not reach unrelated promotions, and it does not meet the written consent standard for telemarketing calls made with an ATDS. Get written consent even from existing customers to be safe.

It turns entirely on whether the original opt-in form named your company. The FCC's 2012 PEWC standard requires a named seller, and courts have rejected blanket "marketing partners" language as consent for any specific downstream caller. If you cannot produce the original form naming your company, the consent defense will likely fail. The status of the FCC's separate one-to-one rule is unsettled after a January 2025 court ruling.

Double opt-in is a two-step process: a consumer subscribes, then confirms by replying to a confirmation message. The TCPA does not require it. But it creates a record proving the consumer controlled the phone at opt-in time, which is persuasive in court. For text campaigns especially, double opt-in is the most cost-effective evidence you can build.

You lose the consent defense for calls to the new subscriber. Courts consistently hold that consent from the original number holder does not transfer. The FCC established the Reassigned Numbers Database in 2021, and callers who check it and get a "not reassigned" result receive a safe harbor for that specific call. For old lists, checking the RND before dialing is the main practical fix.

Courts have been skeptical of pre-checked boxes, and FCC guidance points to consent as an affirmative act by the consumer. Several district courts have found pre-checked boxes insufficient because they do not reflect a voluntary choice. Best practice is an unchecked checkbox or a separate affirmative action for the TCPA consent, kept apart from general terms of service acceptance.

The legal standard is the same. Texts sent by ATDS to cell phones need the same prior express written consent as ATDS calls for telemarketing, under 47 U.S.C. § 227(b)(1) and the FCC's 2012 rule. The FCC's 2025 updates added requirements for honoring STOP replies and providing clear revocation mechanisms in text programs. Text campaigns need the same documented consent stack as call campaigns.

Specific enough to name the seller. The FCC's 2012 PEWC rule requires the written consent to identify the seller who may call. The Commission's 2023 one-to-one rule pushed this further by barring bundled partner-network consent, but a federal court vacated that provision in January 2025, so its future is uncertain. The named-seller requirement from the 2012 rule still stands.

Generally no, unless the original disclosure expressly authorized transfer to successors or assigns, and even then courts look at it closely. The FCC ties consent to the specific relationship between the consumer and the named company. If Company A is acquired by Company B and Company B starts calling, those calls need fresh consent unless the original disclosure covered successors and the acquisition was disclosed.

The TCPA provides $500 in statutory damages per violation, meaning per call or text. Courts may treble it to $1,500 per violation for willful or knowing conduct under 47 U.S.C. § 227(b)(3). In class actions, per-violation damages multiply across every class member contact, which is why TCPA class settlements often reach tens of millions of dollars even for short campaigns.

It helps but rarely stands alone. Courts want the screenshot paired with a database record showing the consumer submitted that form, with the timestamp and IP address. A screenshot without a matching submission record can be attacked as proof of what the form looked like, not that the plaintiff completed it. Archive submissions with database-level timestamping for the strongest evidentiary weight.

Sources

  1. Cornell Law School LII, 47 U.S.C. § 227 (TCPA statute text): TCPA prohibits ATDS or prerecorded calls to cell phones without prior express consent; sets $500 per violation and $1,500 for willful violations
  2. Reyes v. Lincoln Automotive Financial Services, 2nd Circuit (2017): Consent from one subscriber does not transfer to a new subscriber of the same number; number reassignment defeats a prior consent defense
  3. Van Patten v. Vertical Fitness Group, 9th Circuit (2017), 847 F.3d 1037: Defendants bear the burden to demonstrate prior express consent by producing records showing plaintiff voluntarily provided his number in connection with the subject matter of the calls
  4. FCC, Reassigned Numbers Database: FCC established the Reassigned Numbers Database in 2021; callers who check the RND and receive a not-reassigned result receive a safe harbor for that specific call; approximately 35 million numbers reassigned annually
  5. Cornell Law School LII, 28 U.S.C. § 1658 (federal four-year statute of limitations): General federal four-year statute of limitations applies to TCPA claims; consent records should be retained at least four years from date of last contact
  6. FTC, National Do Not Call Registry (telemarketer registration site): FTC administers the National Do Not Call Registry; sellers must scrub against the registry before outbound telemarketing calls
  7. FCC, 47 C.F.R. § 64.1200 (implementing regulations for TCPA): Specifies technical requirements for prior express written consent including the four mandatory elements: signature, phone number, named seller, not-a-condition-of-purchase language; effective October 16, 2013
  8. FTC, Telemarketing Sales Rule (TSR) main page: The TSR governs outbound telemarketing, including Do Not Call obligations and record retention that overlap with TCPA consent practices

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit