How to prove prior express written consent if you get sued under TCPA

TCPA consent lawsuits can cost $500, $1,500 per call. Here's exactly what documents you need to prove prior express written consent and survive a motion.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-09

Desk with consent form, pen, and laptop showing compliance data records
Desk with consent form, pen, and laptop showing compliance data records

TL;DR

Prior express written consent under TCPA is a signed, written agreement that authorizes autodialed or prerecorded calls or texts to a specific number, plus a disclosure that agreeing is not a condition of purchase. To prove it in court, produce the original opt-in record, a server-side timestamp, the exact disclosure language shown, the IP address, and an unbroken chain of custody for that data.

The Telephone Consumer Protection Act, 47 U.S.C. § 227, bars autodialed or prerecorded calls and texts to a cell phone without the called party's prior express written consent. That phrase carries weight. The FCC defined it in its 2012 order (FCC 12-21), effective October 16, 2013, and it has three parts you cannot skip. [1]

First, the consent has to be in writing. An oral "sure, go ahead" is worthless here. The order says the agreement must be signed by the consumer. A typed name on a web form, a checkbox on a screen, or an electronic signature all count as signatures under the E-SIGN Act (15 U.S.C. § 7001). A phone call recording alone does not. [2]

Second, the agreement has to authorize calls or texts to that specific number using an automatic telephone dialing system or an artificial or prerecorded voice. Fine print buried in terms of service that never mentions ATDS or prerecorded calls has gotten companies wrecked in court.

Third, the agreement has to carry a clear and conspicuous disclosure that the person is not required to sign, or agree to receive calls, as a condition of buying any property, goods, or services. The FCC's exact language from the 2012 order: the agreement must state that the person "is not required to sign the agreement (directly or indirectly), or agree to enter into such an agreement as a condition of purchasing any property, goods, or services." [1]

Miss one of those three and you do not have valid PEWC. You have exposure.

When a plaintiff sues, they claim they never consented or that your record is defective. Your whole defense rests on what you can produce. Courts want a complete, unbroken evidentiary package, not a spreadsheet row with a checked box and a phone number.

Here is what you need to have and be able to authenticate.

The opt-in record itself. A screenshot or database export is a start. It is not enough alone. You need the actual stored record from your CRM or lead platform showing the consumer's submitted data, the phone number they entered, and the consent language they saw when they hit submit.

The exact disclosure language shown at the time of opt-in. This is where companies fall apart. The landing page looked one way in 2022 and looks different today. If you cannot show exactly what the consumer saw when they clicked submit, you cannot prove they consented to anything. Save versioned screenshots of every opt-in form with the date each version went live. Archive the page HTML.

A timestamp with timezone. Courts ask when this happened. You need a server-side timestamp (UTC is fine, just document the conversion), not a client-side time a browser could have faked.

The IP address. The IP address links the opt-in event to a real internet session. Paired with a timestamp, it makes consent much harder to dispute. It does not prove identity. It proves a real connection submitted the form at that moment.

The lead source and any transfer documentation. If you bought the lead from a third party, you also need the vendor contract, their opt-in records, and evidence the consent specifically covered calls from your company or your category. General consent to "marketing partners" is getting attacked in court as insufficient. District courts have picked apart vague lead-gen consent language for years. [3]

A data retention log. You need to show the record has not been altered since creation. A hash-verified export, or a system that logs every modification, beats a plain CSV by a mile.

Evidence elementWhy it mattersCommon failure mode
Opt-in record with consumer's dataProves the person submitted consentRecord exists but cannot be tied to the called number
Exact disclosure language + form versionProves TCPA-compliant language was shownForm changed after opt-in; no version archive
Server-side timestampProves timing; links to call logOnly client-side timestamp stored
IP addressCorroborates a real sessionNot captured or stored; deletion applied too broadly
Lead source contractProves consent transferred legallyVendor contract silent on TCPA; generic consent only
Unaltered data with audit logProves chain of custodyCSV exported and re-imported with no integrity log

Keep the call records too: the called number, the dialer used, the campaign name, and the date and time of each contact. Those records let you match every call to a consent event.

Courts apply an evidentiary standard, not a compliance checklist. The defendant carries the burden of producing evidence of consent after the plaintiff makes a prima facie showing that they got an unwanted call. [4]

Judges look at two things: admissibility and weight. On admissibility, your consent record has to come in as a business record under Federal Rule of Evidence 803(6). You need a witness (usually a custodian of records or someone with knowledge of your data systems) who can testify the record was made at or near the time of opt-in, kept in the ordinary course of business, and that making such records is your regular practice. Without that foundation, the court can exclude your record entirely, and then you lose.

On weight, even if the record comes in, the judge or jury decides how convincing it is. A single-field database entry with no form version and no IP address looks thin. A full package (form screenshot, server log, CRM record, IP, timestamp, vendor contract) looks solid. That gap has literally been the difference between a win and a multi-million dollar settlement check. The $500 per violation statutory minimum for negligent violations, and $1,500 per violation for willful ones, means a plaintiff with 10,000 messages on a class basis is waving around $15 million in exposure before the case turns a year old. [5]

Some courts now scrutinize lead-gen consent specificity after the FCC's December 2023 order targeting so-called "consent farms," which required consent be one-to-one (specific to a single identified seller) rather than a blanket authorization to unnamed marketing partners. If your leads came from a comparison shopping site where dozens of companies received the same opt-in, your documentation is in a weak spot. [6]

TCPA prior express written consent: key numbers Statutory thresholds and deadlines every outbound team must know 500 $500 per violation (neglige… 1,500 $1,500 per violation (willf… 4 4-year federal statute of limitations 2,025 Jan 27, 2025: one-to-one consent rule effective Source: FCC (FCC 12-21, FCC 23-107); 28 U.S.C. § 1658; FCC Reassigned Numbers Database launch, 2021

Plenty of outbound teams buy leads. The vendor says "these are opted-in leads" and sends a file. That assurance is not consent documentation. It is a sales pitch.

To actually prove consent when a lead came from a third party, you need three things:

1. The vendor's opt-in records for each specific lead, ideally with every element above (timestamp, IP, form language). 2. A written agreement with the vendor that (a) represents they collected valid TCPA-compliant consent and (b) indemnifies you if they did not. 3. Proof the opt-in disclosure named your company, or named a category that clearly includes yours, as an entity that may call.

The FCC's one-to-one consent rule is the main hazard here. Under that rule, consent obtained for a group of unspecified sellers is no longer valid TCPA consent for an individual seller. [6] The practical effect is that lead-gen consent pages must name each seller. If your vendor is still running a generic "marketing partners" disclosure, every lead they send you is a potential lawsuit.

When you sue a lead vendor for indemnification (and you should, by contract), you will want to produce the same evidence: their opt-in records, the form language, the timestamps. If the vendor cannot produce those records in discovery, that hurts both of you.

For text message marketing, the documentation burden is identical. A double opt-in (where the consumer replies YES to a confirmation text) creates a second timestamp and a second record that is very hard for a plaintiff to dispute, and courts tend to view it favorably.

TCPA carries a four-year federal statute of limitations under 28 U.S.C. § 1658. That is your baseline. Some state TCPA analogues run longer, and some plaintiffs try to stack state claims. California's Invasion of Privacy Act, for one, does not get uniform treatment across courts.

The practical answer: keep consent records at least five years from the date of your last contact with that consumer under that consent. Five years covers the federal window and gives you a buffer.

This is harder than it sounds because of retention conflicts. GDPR and CCPA require you to delete personal data on request. If a European user opts in, later asks for deletion, and you wipe everything including the consent record, and then that person files a TCPA suit in the U.S., you have nothing to fight with. The accepted approach is to retain the minimum consent record (the fact of consent, the timestamp, the IP, the form version identifier) even after a deletion request, because that record is necessary for a legal defense. Write this into your privacy policy and retention policy.

For cold calling operations, the same logic holds. Keep records of any signed consent (including verbal consent logs, which are only valid for non-ATDS calls to landlines), the do-not-call requests you received, and the suppression lists you checked before each call. [7]

What is a 'litigation hold' and when do you need to put one in place?

A litigation hold (sometimes called a legal hold) is a formal internal instruction to stop deleting or modifying any records that could be relevant to pending or reasonably anticipated litigation. The moment a demand letter, a complaint, or even a credible threat of a TCPA suit lands, issue the hold. Same day.

Failing to preserve relevant evidence after notice can trigger spoliation sanctions. Spoliation means you destroyed, or failed to preserve, evidence. Courts can tell a jury to assume the missing evidence was bad for you. In a TCPA case where consent is your only defense, a spoliation inference can gut the whole thing even if the underlying consent was valid.

A basic litigation hold for a TCPA case covers all dialing records and call logs for the plaintiff's number, all consent records for that number, all email and CRM communications about that campaign, the dialer platform's records, and any lead vendor contracts and lead files tied to that contact. Issue the hold in writing to every department that touches those systems and document that they got it.

The Credit One Bank TCPA case is worth reading as a cautionary example of how evidence disputes compound liability. The credit one tcpa settlement reached $75 million partly because of how the consent and calling record disputes played out at the class certification stage. [8]

Yes. The FCC has said consumers can revoke consent at any time through any reasonable means, and courts have backed that up. The Eleventh Circuit in Schweitzer v. Comenity Bank (2016) held that a consumer's oral request to stop calling counted as valid revocation. [9]

This creates a real documentation problem. If the consumer revoked verbally on a call six months ago and you kept calling because the agent never logged it, a beautiful opt-in record from two years back does nothing for you. Courts have held that revocation, once communicated, strips your prior express written consent defense for every call after it.

What you do about it: log every revocation attempt (verbal, written, text reply of STOP, email unsubscribe), push that flag into your dialer suppression list fast (best practice is within 24 hours; the FCC's 2024 rules require honoring opt-outs within 10 business days), and document that the suppression happened before the next call. [1]

For SMS, a consumer sending STOP is a revocation. Your platform should suppress that number automatically. Texting it again, even once, is a new violation. The tcpa rules for text messages treat each message after revocation as a separate willful violation, meaning $1,500 per text.

Most TCPA defendants want to win early, either on a motion to dismiss (very hard, because the plaintiff only has to plead they got a call on their cell from an ATDS without consent) or on summary judgment (more realistic, where you produce undisputed evidence of valid consent).

On summary judgment under Federal Rule of Civil Procedure 56, you file a declaration from a records custodian, attach the consent record, attach the form screenshot with its version date, attach the call log, and argue there is no genuine dispute that the plaintiff consented. The plaintiff then has to come forward with specific evidence the consent was defective.

Defects plaintiffs love to attack: the disclosure did not specifically authorize ATDS calls; the consent covered a different number than the one called; the form screenshot you attached is from a different version than what was live on the opt-in date; the IP address geolocated to another country, suggesting the consumer never filled out the form; or the consent was revoked before the calls you are defending.

The strongest defense has a documentary answer to every one of those. The weakest defense is a declaration from your CEO swearing "we always get consent" with no underlying records.

If you are buying leads and your records are thin, ask whether settlement is cheaper than discovery. Discovery in a TCPA class action can run $500,000 to $1.5 million before trial. The cash app tcpa class action settlement shows the scale these cases reach when liability evidence is contested and a class gets certified. [10]

This is where small teams fall down: they think about documentation after the lawsuit, not before. Build the system now.

Start with your opt-in forms. Every form that captures a phone number for marketing has to show the TCPA disclosure above the submit button, not buried below it. The disclosure should name your company, say the person will receive autodialed calls or texts (list both if you do both), and say consenting is not a condition of purchase. The FCC's 2012 order (FCC 12-21) is the authoritative source for this language. [1]

Your CRM or marketing platform has to log these fields for every opt-in: full name, phone number as submitted, email as submitted, IP address, timestamp (server-side, UTC), form version identifier, the full disclosure text shown, the page URL, and the referring source. If your current platform cannot store all of that, you need a better platform or a supplemental data store.

Run a monthly audit. Pull 50 random consent records and verify every field is populated. Check that the form version on record matches an archived version of the actual page. If you use a tag manager or a CMS that changes forms often, set up automated version snapshots.

For third-party leads, require vendors to hand over the full consent record (with all the above fields) as a condition of payment. Any lead that shows up without a complete consent record goes into a suppression file, not a dialing queue.

LeadCompliant's free compliance kit includes a consent audit checklist and a sample TCPA disclosure template you can use to check your current forms against FCC requirements. Running that baseline check before your next campaign is a practical place to start.

Also keep a suppression list that ties into your do not call list scrubbing. TCPA consent and DNC registration are separate issues, but they interact. A consumer who gave you valid PEWC can still sit on the national DNC registry. Whether PEWC overrides DNC registration for autodialed calls has produced conflicting lower-court decisions, so the safe practice is to scrub against both. [7]

What are the most common reasons TCPA defendants lose the consent defense?

Nobody tracks this as a formal statistic, so the honest answer is anecdotal, drawn from published opinions and settlements. The pattern in case law is still pretty clear.

No retained records. The company made calls, logged them, captured the consents, then deleted the records after 18 months because nobody set a retention policy. No records in discovery means no defense.

Generic third-party consent. The opt-in said "I agree to be contacted by partners," not "I agree to be contacted by [Your Company Name]." The FCC's one-to-one rule makes this insufficient on its face. [6]

Altered or inconsistent records. The plaintiff's expert finds the database timestamp does not match the server log, or the form screenshot came from a version of the page that went live after the alleged opt-in date. Now the defendant looks like they fabricated records. It happens innocently when companies update forms without version control, but it looks terrible in litigation.

No revocation tracking. The consumer called to say stop calling in month two. The call never got logged. The company called four more times. The original opt-in is irrelevant, because the calls after revocation are the ones at issue.

Wrong number called. The consumer consented for one number and the company dialed a different one (a reassigned number, a forwarded line, a number the consumer had given up). The FCC runs a Reassigned Numbers Database callers are expected to check. [11] Skipping it removes the good-faith defense.

Every one of these is a systems problem, not a legal problem. Fix the system.

What is the FCC's reassigned numbers database and why does it matter for consent proof?

Even airtight consent fails if you called the wrong person. Phone numbers get recycled constantly. A consumer who gave you a number two years ago may have switched carriers or canceled service, and the same number now belongs to a stranger who never consented to anything.

The FCC launched the Reassigned Numbers Database (RND) in November 2021. Callers can query it before dialing to check whether a number has been reassigned since the date of consent. If you queried the database, found no reassignment, and called in good faith, you have a stronger defense for calls to reassigned numbers. If you never checked and you dialed a recycled number, your consent record for the old subscriber does not cover you. [11]

The database runs through FCC-authorized data users. Subscription costs and query formats are set by the FCC's third-party administrator. Check it before each campaign, more than when you first acquire a number, because reassignments happen every day.

For high-volume outbound, build RND checks into your pre-campaign scrub alongside your mobile phone do not call list and how do i get the do not call list processes. All three checks together give you layered protection.

Frequently asked questions

Under the E-SIGN Act (15 U.S.C. § 7001), an electronic signature is legally valid. That includes typing a name into a field, clicking a checkbox, or using a digital signature service. The act of signing has to be accompanied by the full TCPA-compliant disclosure language. A checkbox that just says 'I agree to terms' with no TCPA language does not create prior express written consent.

Does a voice recording of someone agreeing to calls count as written consent?

No. For autodialed or prerecorded calls to cell phones, the FCC's 2012 order (FCC 12-21) requires the consent to be in writing. A recorded verbal agreement may create prior express consent for some non-ATDS calls, but it does not satisfy the written requirement for robocall or ATDS campaigns. Do not rely on call recordings as PEWC documentation.

How specific does the TCPA disclosure language have to be?

The FCC's 2012 order requires the disclosure to clearly state that the consumer agrees to receive autodialed and/or prerecorded calls or texts, that agreeing is not a condition of purchase, and the caller must be identified. After the FCC's one-to-one consent rule, the specific seller making calls must be named. Generic 'marketing partners' language is no longer sufficient for individual seller consent.

Yes. The FCC and multiple circuit courts have held that consent can be revoked through any reasonable means, including a verbal request on a recorded call. The Eleventh Circuit's Schweitzer v. Comenity Bank (2016) decision confirmed this. If a consumer says stop calling me on a call, that is a revocation. You must log it, suppress the number, and stop all ATDS or prerecorded contact immediately.

Keep them at least five years from the date of the last contact under that consent. The federal TCPA statute of limitations is four years under 28 U.S.C. § 1658, and the extra year gives you a buffer for state-law claims and late-filed complaints. If a consumer submits a data deletion request, retain the minimum consent record (timestamp, IP, form version, and the fact of consent) for your legal defense, and document that practice in your privacy policy.

The FCC issued an order in December 2023 requiring that telemarketing consent name a single specific seller, not a broad category of 'marketing partners.' Lead-gen forms that deliver the same opt-in to multiple companies at once no longer create valid TCPA consent for any individual seller. If your leads come from comparison shopping sites or lead aggregators using a shared consent, your documentation is exposed to challenge under this rule.

What is a litigation hold and when does it apply in a TCPA case?

A litigation hold is a formal instruction to stop deleting or modifying any records relevant to pending or anticipated litigation. In a TCPA case, it must cover call logs, consent records, CRM data, dialer platform records, and lead vendor files. Issue it immediately on receiving a demand letter or complaint. Destroying records after that point can trigger spoliation sanctions, where courts instruct juries to assume the missing evidence was bad for you.

What is the FCC Reassigned Numbers Database and should I use it?

The Reassigned Numbers Database, launched by the FCC in November 2021, lets callers check whether a phone number has been reassigned to a new subscriber since a given date. If you have consent from the original subscriber but the number has since been reassigned, your consent does not cover the new subscriber. Checking the RND before each calling campaign is a best practice that supports a good-faith defense if a recycled-number claim comes up.

Does having a valid opt-in protect me from DNC claims too?

Not automatically. Prior express written consent and Do Not Call registration are separate TCPA protections. A consumer can give you valid PEWC and still sit on the National DNC Registry. For autodialed calls, PEWC generally takes precedence for the specific seller named in the consent. The safe approach is to scrub against both your consent database and the DNC registry before every campaign, and to document that you did.

A plaintiff typically makes a prima facie showing by testifying they did not sign up and do not recognize the opt-in form or website. After that, the burden shifts to the defendant to produce evidence of valid consent. If the defendant cannot produce authenticated records, the plaintiff's testimony alone can carry the case. Courts have dismissed consent defenses where the defendant's records were incomplete, unauthenticated, or internally inconsistent.

The same PEWC standard applies: written agreement, TCPA-specific disclosure, not a condition of purchase, and your company named. For SMS, a double opt-in (where the consumer replies YES to a confirmation text) creates a second server-side record that is very hard to dispute. Store the inbound reply message, the timestamp, and the outbound confirmation message alongside the original web opt-in record.

You must produce them in the format requested, typically as a database export, system-generated report, or certified business record. You will need a data custodian or IT witness to authenticate the records under Federal Rule of Evidence 803(6). If records were deleted before the litigation hold was issued, you may face a motion for sanctions. If they were deleted after the hold, you are looking at serious spoliation consequences including adverse inference instructions.

Can I rely on a contract clause with my lead vendor to avoid TCPA liability?

A contractual indemnification clause can shift the financial risk to your vendor if they provided defective consent records, but it does not protect you from the plaintiff's claim directly. You are still the party who made the call, and you are still liable to the plaintiff. The vendor's indemnification only matters if you can actually collect from them. Require vendors to keep their own consent records and carry adequate insurance.

Is there a TCPA safe harbor if I acted in good faith on bad consent data?

There is no explicit statutory safe harbor for good-faith reliance on third-party consent in the TCPA text. Good faith and reasonable reliance on vendor representations can reduce the likelihood of willful violation findings (and cut exposure from $1,500 to $500 per call). Documenting your vendor due diligence, your contract terms, and your RND checks builds the factual record that supports a non-willful characterization.

Sources

  1. Congress.gov, Electronic Signatures in Global and National Commerce Act (E-SIGN Act), 15 U.S.C. § 7001: Electronic signatures, including typed names and checkboxes on web forms, are legally valid under the E-SIGN Act
  2. Congress.gov, Telephone Consumer Protection Act, 47 U.S.C. § 227: TCPA statute text establishing the cause of action and the consent requirement for autodialed and prerecorded calls to cell phones
  3. FTC, National Do Not Call Registry: Information for Businesses: Do Not Call registry registration and TCPA prior express written consent are separate requirements; sellers must maintain suppression lists and honor DNC registrations
  4. FTC, Legal Library: Cases and Proceedings: Credit One Bank reached a $75 million TCPA settlement; referenced as an example of consent and evidence disputes at class certification stage
  5. U.S. Court of Appeals for the Eleventh Circuit, Schweitzer v. Comenity Bank (2016): Eleventh Circuit held that a consumer's oral request to stop calling constitutes valid revocation of prior express written consent under TCPA
  6. FTC, Legal Library: Cases and Proceedings: Cash App TCPA class action illustrates scale of exposure when liability is disputed and class certification is granted
  7. Congress.gov, 28 U.S.C. § 1658, Time Limitations on Civil Actions: Federal statute of limitations for TCPA claims is four years under 28 U.S.C. § 1658
  8. Legal Information Institute, Cornell Law School, Federal Rules of Evidence Rule 803: Business records including consent logs are admissible under FRE 803(6) if authenticated by a custodian who can testify the record was made in the ordinary course of business

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit