Last updated 2026-07-11

TL;DR
If an affiliate generates leads for you using calls or texts, you can be held jointly liable for their TCPA violations even if you never touched a dialer. Protect yourself with written representations in every affiliate contract, mandatory consent-language approval, real-time scrubbing against the DNC registry, and periodic audits. Courts increasingly hold brands responsible for what their lead generators do.
Why are you legally responsible for what your affiliates do?
The brand that benefits from a lead is the principal. The affiliate who generated it is the agent. That agency relationship is the hook, and it is why you can lose a TCPA case over a call you never made.
Under 47 U.S.C. § 227, the TCPA prohibits using an automatic telephone dialing system or a prerecorded voice to call or text a cell phone without prior express written consent. The statute says nothing about who has to place the call. Courts filled that gap with ordinary agency law, and the FCC codified the reasoning in its 2013 Declaratory Ruling. [1]
The FCC's 2013 ruling stated that a seller "may be held vicariously liable under federal common law principles of agency for TCPA violations committed by third-party telemarketers." [1] That language covers your affiliate network. If an affiliate uses a ringless voicemail drop, a predictive dialer, or a mass SMS platform to push traffic to your offer without proper consent from the people they reach, you are in the blast radius.
The exposure is real. The Cash App TCPA class action settlement and the Credit One TCPA settlement both show how fast affiliate-sourced liability scales into eight figures. Class actions aggregate thousands of individual $500, $1,500 statutory damages claims into settlements that dwarf any revenue the affiliate program ever produced. [2]
Your affiliate contract is the first line of defense. It is not a magic shield. Contractual indemnification means nothing if the affiliate is a shell LLC with no assets. You need operational controls behind the legal language, more than the paper.
What should every affiliate contract require for TCPA compliance?
A TCPA compliance clause in an affiliate agreement needs to do four things: define prohibited conduct, require specific operational controls, create an audit right, and allocate liability clearly. Generic "comply with all applicable laws" language has been rejected as insufficient by multiple courts because it does not show the brand exercised any real oversight. [3]
Here is the minimum you need to address in every contract:
Prohibited conduct. Spell out the specific actions the affiliate may not take: no autodialed calls or texts to cell phones without prior express written consent, no prerecorded messages without consent, no calls to numbers on the National Do Not Call Registry without a documented exception, no calls before 8 a.m. or after 9 p.m. local time. Cite 47 U.S.C. § 227(b) and (c) by number. [4]
Consent documentation. Require the affiliate to collect, store, and produce on demand the full consent record for every lead: the exact disclosure language shown to the consumer, the timestamp, the IP address, the consumer's affirmative action (checkbox click, electronic signature), and the URL where consent was given. The FCC's 2012 amendments require prior express written consent for autodialed or prerecorded marketing calls to cell phones, and that consent must be in writing. [5]
DNC scrubbing. Require the affiliate to scrub all phone numbers against the National Do Not Call Registry before any outreach, and against any internal suppression list you maintain. You should also run those numbers yourself before your team ever cold calls them. Two layers of scrubbing is not overkill. It catches a registry update that happened between when the affiliate generated the lead and when your dialer fires.
Audit rights. Give yourself the contractual right to request consent records for any lead within 72 hours, to conduct periodic audits of affiliate systems, and to terminate the relationship immediately for a TCPA violation with no cure period. That last point matters. Some affiliate contracts have 30-day cure periods for breaches, which is useless once the affiliate has already sent 100,000 illegal texts.
Liability allocation. Require the affiliate to indemnify and defend you against any TCPA claim arising from leads they generated, and require them to carry errors and omissions (E&O) or general commercial liability insurance with you named as an additional insured. Set a minimum coverage floor, typically $1 million per occurrence for smaller affiliates, more for high-volume partners.
Flow-down obligations. If your affiliates use sub-affiliates (common in performance networks), the contract must require them to flow every one of these obligations downstream. You cannot audit a sub-affiliate you do not know exists.
What consent language actually satisfies the TCPA?
This is where most affiliate programs break down. The affiliate uses a consent form that is technically present but legally defective, and nobody on your team reviews it until a lawsuit surfaces.
The FCC's 2012 amendment requires that prior express written consent for autodialed or prerecorded marketing messages be a "clear and conspicuous disclosure" that the consumer agrees to receive such calls, made to a "specified" number, and the agreement cannot be a condition of purchase. [5] The words "specified" and "clear and conspicuous" carry real weight in litigation.
A valid consent disclosure for a lead form usually reads something like this: "By submitting this form, you agree to receive autodialed or prerecorded calls and text messages from [Brand Name] at the phone number provided above. Consent is not required to make a purchase." The brand name has to be the actual caller, not a vague reference to "our partners." Courts have struck down consent language that listed multiple brands or was so broad it failed to identify who would be calling. [3]
Your affiliate contract should require that you pre-approve every variation of consent language before it goes live. Build an approval workflow. The affiliate submits their form copy, you or your legal team sign off, and the approved language goes into a versioned record. When a plaintiff's attorney sends a demand letter 18 months later, you can show exactly what the form said, when it was approved, and that you required the affiliate to use it verbatim.
For text message marketing specifically, the consent has to cover texts, more than calls. A form that says "calls" does not cover SMS. If your affiliate drives leads through a sweepstakes or free-trial offer, check that the consent language is not buried in a terms-of-service link below the fold, which courts have repeatedly found insufficient. [3]
How do you audit an affiliate's TCPA compliance before a lawsuit hits?
Most brands audit affiliates on revenue and conversion. Almost none audit on compliance until a demand letter lands. Fix that.
A basic affiliate compliance audit has three parts: document review, technical review, and test calling.
Document review. Pull a random sample of 50 to 100 leads from the past 30 days and request the full consent record for each. Check the timestamp against when your team first contacted the lead. If the affiliate cannot produce records within 72 hours, that is a red flag, and your contract should treat it as a material breach. Check the consent language against your approved version. Any deviation is worth a conversation at minimum, and a pause on traffic at maximum.
Technical review. Ask the affiliate to walk you through their lead generation tech stack. What platform are they using? Are they running an autodialer or predictive dialer for outbound? What is their DNC scrubbing provider and scrub frequency? Get it in writing. If they use a platform you have never heard of, research whether it has been named in TCPA litigation. Some lead gen platforms have long litigation histories.
Test calling. This one is underused. Put a test phone number (registered in your name) on the affiliate's opt-in form and watch what happens. Do you get called? When? How many times? Is the caller ID accurate? Does the agent identify the company and offer an opt-out? This is the fastest way to catch a non-compliant affiliate, because you experience exactly what consumers experience.
Run formal audits quarterly for high-volume affiliates and annually for lower-volume ones. Document every audit in writing. If you find a problem and fix it, that paper trail shows reasonable oversight. If you find a problem, ignore it, and get sued, that same paper trail shows you knew and did nothing. Far worse.
What does TCPA joint liability actually look like in court?
The FCC's 2013 Declaratory Ruling on vicarious liability handed plaintiffs a road map. [1] Under that ruling, a seller can be held liable under three agency theories: actual authority (you explicitly authorized the affiliate's conduct), apparent authority (the consumer reasonably believed the affiliate acted on your behalf), and ratification (you knew about the violation and accepted the benefit anyway).
Ratification is the theory that gets brands. If an affiliate sends illegal texts that drive leads to your landing page, and your sales team works those leads knowing they came from SMS campaigns, a court may find you ratified the conduct by accepting its benefits. You do not have to know the specific messages were illegal. You just have to have accepted the leads.
Consider United States v. Dish Network LLC. The Seventh Circuit upheld a $280 million judgment against Dish partly because Dish monitored affiliate complaints, knew illegal calling was happening, and kept the affiliate relationships going. [6] The "we didn't know" defense failed because the evidence showed the company had reason to know.
For a practical look at how these settlements land for consumers and defendants alike, the Cash App TCPA class action settlement and the Credit One TCPA settlement are worth reading before you structure your affiliate controls. Both involved allegations that the companies failed to oversee how consumer contact information was used downstream.
The practical takeaway: if an affiliate generates a lead that leads to a TCPA violation, your defense rests on showing you had real controls in place. You did more than write requirements into a contract and walk away. Courts look at whether you had an approval process for consent language, whether you ran audits, and whether you terminated affiliates who broke the rules.
Which affiliates carry the most TCPA risk?
Not all affiliate risk is equal. Volume and channel are the two variables that matter most.
High-volume SMS affiliates are the highest-risk category. A single mass text campaign can reach hundreds of thousands of numbers in minutes. At $500, $1,500 per text for a willful violation, the math turns catastrophic fast. [2] If an affiliate drives more than a few thousand leads per month via SMS, they need the tightest controls and the most frequent audits.
Lead aggregators that buy traffic from sub-affiliates are the second-highest-risk category. You may have a clean direct relationship with the aggregator, but they are reselling traffic from dozens of smaller publishers you have never vetted. Your contract has to require the aggregator to flow down every compliance obligation and to give you the sub-affiliate's identity and consent records on demand.
Call center affiliates that make outbound calls on your behalf carry risk under both the autodialer provisions and the DNC provisions. Make sure any call center affiliate scrubs against the do not call list before every campaign and keeps its own DNC scrubbing documentation. [7]
Email affiliates that later convert to SMS follow-up are a less obvious risk. Email consent does not cover SMS or calls. If an affiliate captures an email address and then texts the lead a follow-up, that affiliate needed separate phone consent at the point of capture.
The table below maps affiliate type to the primary TCPA risk and the key control you need.
How does the FCC's one-to-one consent rule change affiliate lead generation?
The FCC issued a rule in December 2023 requiring one-to-one consent for lead generation, with an effective date of January 27, 2025. [8] This was the biggest change to affiliate compliance in years, and many networks are still not fully adjusted.
Before the rule, a lead gen form could list a long roster of "marketing partners" in the consent disclosure, and one checkbox click would consent the consumer to calls from all of them. The FCC eliminated that model. Under the new rule, each seller must obtain its own separate written consent. The consent must name the specific seller, and the consumer must affirmatively agree to receive communications from that specific company.
For affiliate networks, this means a lead cannot be sold to multiple buyers based on a single consent event. If you buy leads from a shared lead pool, you need your own individual consent record, not a consent that covers 40 other companies buying the same lead. The FCC's rulemaking targeted comparison shopping websites that bundled consent for multiple sellers on one form, ending that practice under the one-to-one consent requirement. [8]
The practical fix: work with your affiliates to build a consent flow that names your company specifically, or require that leads sold to you were generated on a page that named only you (or you plus a clearly disclosed short list). Some networks are shifting to co-registration models where each brand's consent is collected in a separate step. Whatever model you use, get the consent record for every lead, showing it named you.
The rule does not touch calls made under an established business relationship (EBR) exemption, but EBRs for DNC purposes are separate from TCPA written consent requirements. Do not conflate them.
What internal processes should you build to manage affiliate TCPA risk?
Contracts and audits are the framework. Operational processes are what make them real.
Start with an affiliate onboarding checklist. Before a new affiliate sends you a single lead, collect their consent form copy, a sample lead record showing the data fields they capture, their DNC scrubbing vendor and scrub frequency, and proof of insurance. Run their company name through PACER (the federal court system) to see if they have been sued for TCPA violations. This takes 20 minutes and can save you from partnering with a serial violator. [12]
Build a consent record intake process. Every lead should arrive with a consent record attached: timestamp, IP, form URL, and the exact disclosure text shown. If your lead management system does not capture this, add a field or switch to one that does. LeadCompliant's free tools include a consent timestamp checker that validates lead records against campaign parameters, which can flag records with timestamps outside your active campaign window (a common sign of fabricated consent data).
Build a suppression list process. Maintain an internal DNC list of every consumer who has asked not to be called, and scrub every affiliate-sourced lead against it before your team touches it. Also scrub against the mobile phone do not call list and the federal DNC registry. [7] Two-layer scrubbing (affiliate scrubs, you scrub again) is the safest posture.
Set up an affiliate compliance scorecard. Track each affiliate by consent record completeness rate, DNC scrub documentation delivery rate, and complaint or dispute rate. Review the scorecard monthly. Affiliates who consistently score below your threshold get a warning and a probationary period. Affiliates who ignore the warning get cut. The scorecard doubles as documented evidence of your oversight if you ever need it in litigation.
Have a response protocol for demand letters. TCPA demand letters often arrive before any lawsuit is filed, and a fast, documented response showing your compliance controls can stop the escalation. Know who in your organization receives them, who reviews them, and what information needs to be preserved.
What are the TCPA penalties your affiliate program is actually exposed to?
The TCPA creates a private right of action. Any individual consumer can sue without waiting for a government agency to act first. [2] That is what makes it so litigation-friendly.
Statutory damages are $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing violations. [2] Each call, each text, and each fax counts as a separate violation. In a class action, where the class might include everyone who received a particular campaign, those per-violation amounts aggregate into enormous totals quickly.
The FCC can also impose its own forfeitures. The maximum forfeiture is $23,727 per violation and $177,951 for a continuing violation, per the FCC's 2024 adjusted figures. [9] FCC enforcement actions are less common than private suits but can run in parallel.
State laws add another layer. Many states have their own mini-TCPA statutes with separate penalties. Florida's Telephone Solicitation Act, for example, allows $500 per call for first violations and up to $1,500 for subsequent violations, mirroring the federal TCPA with state-specific requirements. [10] If your affiliate generates leads in multiple states, you may face exposure under several statutes at once.
The do not call telemarketer list rules carry their own penalty exposure: up to $51,744 per call under the FTC's Telemarketing Sales Rule, per the most recent adjusted amount. [11] If your affiliate calls someone on the National DNC Registry without a valid exception, that is a separate violation stack on top of any TCPA exposure.
One cost most small teams underestimate: defense even when you win. A TCPA class action defendant can spend $500,000 or more in legal fees before reaching a settlement or trial. Even a groundless suit is expensive. That cost asymmetry is why preventive controls are worth real money.
What red flags tell you an affiliate is not actually TCPA-compliant?
You will probably never see the illegal texts an affiliate sends. But you can read the downstream signals.
Lead quality that seems impossibly good (high volume, high conversion, low complaint rate) is sometimes a sign of fabricated or aged consent records. Real high-volume lead gen has friction. If an affiliate produces 10,000 leads a week from a single landing page with a 30% contact rate, ask how.
Inconsistent timestamps are a concrete red flag. If consent records all cluster at the same time of day, or carry timestamps that pre-date your campaign going live, something is wrong. Consent data should scatter randomly across hours and days.
Consumers who deny ever filling out a form are a strong signal. If your sales team hears "I never signed up for anything" on more than 1 to 2% of calls, that rate is worth investigating. Some consumer amnesia is normal, but high rates suggest the affiliate is using deceptive form designs or list-building tactics that never generated real consent.
Vague answers about the lead generation process are a soft red flag. A legitimate affiliate can tell you exactly which landing page a lead came from, which traffic source drove them there (Google, Meta, a co-registration partner), and what the form said. Evasive or inconsistent answers about sourcing mean you are operating blind.
A history of TCPA litigation is a hard disqualifier. Before you sign any affiliate, search their company name and key principals in PACER. [12] The tcpa litigation databases some plaintiff firms publish are also worth checking. Repeat defendants are not partners you want.
How do you get started if your affiliate program has no TCPA controls today?
Do not try to fix everything at once. Prioritize by risk.
Week one: identify your top five affiliates by lead volume. Pull a sample of 20 leads from each and check whether you have a consent record for any of them. If you do not, that is your first conversation. Send each affiliate a written notice that your compliance requirements are changing and that leads without consent records will be rejected starting on a specific date 30 days out.
Week two: draft or update your affiliate agreement template. If you do not have legal counsel yet, the FCC's guidance documents and the statute text (47 U.S.C. § 227) are public and free. [4] LeadCompliant's compliance kit includes a TCPA affiliate addendum template you can take to your attorney as a starting point.
Week three: build your internal DNC scrubbing process. The FTC's National DNC Registry requires organizations that make outbound calls to subscribe and scrub regularly. You can reach the registry at donotcall.gov. [7] Scrubbing frequency depends on your call volume. Most outbound teams should scrub at least every 31 days, and ideally before every campaign.
Week four: set up your consent record intake field in your CRM or lead management system and start requiring it for every incoming lead. Leads without records go into a quarantine queue rather than straight to dialers.
From there, build toward quarterly affiliate audits and a formal scorecard. This is not a one-time project. TCPA compliance is an ongoing operational practice, and the regulatory environment keeps moving. The FCC's one-to-one consent rule that took effect in January 2025 is one example of how fast the rules can change. [8] Set a calendar reminder to review your affiliate agreement template and consent approval process every six months.
Frequently asked questions
Can I be sued for TCPA violations my affiliate committed without my knowledge?
Yes. The FCC's 2013 Declaratory Ruling established that sellers can be held vicariously liable for TCPA violations committed by third-party lead generators under agency law principles. Courts have found liability even when the brand did not know the specific calls were illegal, especially when the brand accepted leads generated by those calls. Your best defense is documented compliance controls, not ignorance.
What is the minimum a TCPA affiliate contract clause needs to include?
At minimum: a prohibition on autodialed or prerecorded calls and texts without prior express written consent, a requirement to scrub leads against the National DNC Registry, a requirement to produce full consent records within 72 hours on demand, your right to audit, an indemnification obligation on the affiliate's side, and an immediate termination right for violations. Generic 'comply with all laws' language has been found insufficient by courts.
What counts as valid prior express written consent under the TCPA?
The FCC's 2012 amendment requires a clear and conspicuous disclosure that the consumer agrees to receive autodialed or prerecorded calls or texts from a specifically named company at the number provided. The consent cannot be a condition of purchase. The record must capture the exact disclosure text shown, the consumer's affirmative action, a timestamp, an IP address, and the URL. Broad or vague consent language regularly fails in litigation.
Does the FCC's one-to-one consent rule affect how affiliate leads can be sold?
Yes, significantly. The rule effective January 27, 2025 prohibits consent forms that bundle agreement for multiple sellers. Each seller must have its own individually named consent from each consumer. You cannot buy from a shared lead pool that used a single blanket consent covering many companies. You need a consent record that specifically names your company.
How often should I audit my affiliates for TCPA compliance?
Quarterly for high-volume affiliates (those sending more than a few hundred leads per month), annually for smaller partners. Each audit should include a sample consent record review, a check of the affiliate's DNC scrubbing documentation, and ideally a test of their opt-in flow using a controlled phone number. Document every audit in writing and keep the records for at least four years, which covers the TCPA's statute of limitations.
What is the TCPA penalty per call or text if an affiliate violates it?
Statutory damages are $500 per violation for a negligent violation and up to $1,500 per violation for a willful or knowing violation under 47 U.S.C. § 227(b)(3). Each call or text is a separate violation. In a class action where thousands of consumers received the same campaign, these per-violation amounts can aggregate into settlements reaching tens of millions of dollars.
Do I need to scrub affiliate leads against the Do Not Call list myself, or is the affiliate responsible?
Both. Require the affiliate to scrub before delivering leads to you, then scrub again on your side before any outbound contact. Two layers of scrubbing protect you because the registry updates frequently, and a number added between when the affiliate generated the lead and when your team calls it is your problem, not theirs. The FTC's Telemarketing Sales Rule requires callers to scrub at least every 31 days.
What is the FCC's 2013 ruling on TCPA vicarious liability?
In its 2013 Declaratory Ruling, the FCC stated that sellers may be held vicariously liable under federal common law agency principles for TCPA violations committed by third-party telemarketers. It identified three theories: actual authority, apparent authority, and ratification. The ratification theory is most commonly used against brands that accepted leads or revenue generated by an affiliate's non-compliant calls.
What should I do when an affiliate sends me a lead without a consent record?
Quarantine the lead and do not contact the consumer until you have the record. Contact the affiliate immediately and request the documentation. If they cannot produce it within your contractually specified window (72 hours is reasonable), treat it as a material breach. Contacting a lead without verifiable consent is precisely the exposure you are trying to avoid, and no conversion is worth a $1,500-per-call TCPA class action.
Can I require affiliates to carry TCPA insurance?
Yes, and you should. Require errors and omissions or general commercial liability coverage with you named as an additional insured, and set a minimum coverage floor in the contract. For high-volume affiliates, $2 to 5 million per occurrence is a reasonable starting point. Indemnification language in a contract is only as good as the affiliate's ability to pay; insurance makes that obligation real.
Are sub-affiliates covered by my main affiliate's compliance obligations?
Only if your contract requires flow-down obligations. Your agreement should explicitly require your affiliate to impose the same TCPA compliance requirements on any sub-affiliate or traffic source they use, and to give you the sub-affiliate's identity and consent records on demand. Without that language, a sub-affiliate several steps removed from you is generating leads with no controls and no paper trail connecting you to oversight.
What does 'ratification' mean in TCPA affiliate liability cases?
Ratification means you knew (or had reason to know) an affiliate was committing TCPA violations and you continued accepting and benefiting from the leads they generated. Courts have used this theory to hold brands liable even when they did not explicitly authorize the illegal conduct. The fix is to terminate affiliates when you discover violations and document that termination immediately, rather than continuing the relationship while the revenue keeps coming in.
Do TCPA affiliate compliance requirements apply to email leads that are later called?
Yes. Email consent does not cover calls or texts. If an affiliate captures an email address and your team follows up by phone or SMS, you need a separate written consent for that phone contact. Make sure your affiliate's forms collect phone numbers with a consent disclosure that explicitly covers calls and texts, more than emails or general marketing communications.
How do I find out if a prospective affiliate has a TCPA litigation history?
Search PACER (the federal court system at pacer.uscourts.gov) using the company name and key principals before signing any agreement. Plaintiff-side TCPA firms sometimes maintain public databases of defendants they have sued. Some compliance vendors also offer litigation history screening as part of onboarding. A prospective affiliate with multiple TCPA suits, even settled ones, is a high-risk partner regardless of their current compliance representations.
Sources
- U.S. House of Representatives, 47 U.S.C. § 227, Telephone Consumer Protection Act (statute text): Statutory damages under the TCPA are $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing violations, with each call or text counted separately.
- U.S. Court of Appeals, Fourth Circuit, Krakauer v. Dish Network LLC, 925 F.3d 643 (4th Cir. 2019): Courts have found that generic consent language listing multiple brands or failing to specifically identify the actual caller does not satisfy the TCPA's prior express written consent requirement.
- FCC, Consumer and Governmental Affairs Bureau, robocall and telemarketing consumer guides: The FCC's consumer guidance summarizes TCPA prohibitions including no autodialed calls or texts to cell phones without consent, no calls before 8 a.m. or after 9 p.m. local time, and no calls to National DNC Registry numbers without a valid exception.
- U.S. Court of Appeals, Seventh Circuit, United States v. Dish Network LLC, 954 F.3d 970 (7th Cir. 2020): The Seventh Circuit upheld a $280 million judgment against Dish Network in part because Dish monitored affiliate complaints, had reason to know of illegal calling, and continued affiliate relationships rather than terminating them.
- FTC, National Do Not Call Registry, donotcall.gov: Organizations making outbound telemarketing calls must subscribe to and scrub against the National Do Not Call Registry; the FTC's Telemarketing Sales Rule requires scrubbing at least every 31 days.
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's Telephone Solicitation Act imposes penalties of $500 per call for first violations and up to $1,500 for subsequent violations, creating state-level exposure that stacks on top of federal TCPA liability.
- FTC, Telemarketing Sales Rule, Penalty Amounts (16 CFR Part 310): The FTC's Telemarketing Sales Rule carries civil penalties of up to $51,744 per call for violations including calling numbers on the National Do Not Call Registry without a valid exception, per the most recent inflation-adjusted figure.
- PACER, Public Access to Court Electronic Records (federal court system): PACER is the federal court system's public records database, which can be used to search prospective affiliates and their principals for prior TCPA litigation history before signing agreements.