Last updated 2026-07-09

TL;DR
To tag TCPA consent status in HubSpot, create custom contact properties that record consent type (express written, prior business relationship, none), the exact date and source of that consent, and the phone number it covers. Store this data before any outbound call or text. Without a retrievable consent record, you have no defense if a $500-to-$1,500-per-violation TCPA lawsuit lands.
Why does TCPA consent tagging in HubSpot matter so much?
The Telephone Consumer Protection Act, 47 U.S.C. § 227, makes it illegal to place certain calls or send texts to a mobile number without the right level of consent. The FCC and private plaintiffs both enforce it. Private plaintiffs are the real threat. Anyone whose number you called or texted can sue you, and there is no cap on the number of plaintiffs in a class action.
The per-violation statutory damages are $500 for a negligent violation and $1,500 for a willful one. [1] Send 10,000 texts without proper consent and that math turns into a number that ends companies. TCPA settlements routinely land in the millions. Small outbound teams underestimate the exposure because the violations compound one text at a time.
HubSpot is where most small outbound sales teams live. Contacts, dials, and text threads all run through it. If your consent data is not attached to the contact record, it might as well not exist. When a plaintiff's attorney sends a litigation hold notice, the first thing they want is your consent records. 'We had it in a spreadsheet somewhere' does not hold up.
Tagging consent in HubSpot is not a legal solution by itself. Nothing here is legal advice. But a well-structured property set is the practical foundation that makes every other compliance process work: scrubbing against the do not call list, gating your dialers, and producing records if you ever need to defend a call.
What does TCPA actually require you to document?
The statute draws a hard line between calls made with an autodialer or prerecorded voice and calls made by a live agent dialing by hand. [1] For autodialed or prerecorded calls and texts to mobile numbers, you need prior express written consent. For purely informational calls to residential lines (not mobile, not telemarketing), the bar is lower. The FCC's 2012 TCPA omnibus order tightened this, requiring written consent for marketing calls and killing the established business relationship exemption for autodials to cell phones. [3]
Here is what a defensible consent record needs to contain:
- The exact phone number the consent covers. Consent to call one number does not transfer to another.
- The date and time the consent was given.
- The method: web form, signed paper form, verbal on a recorded call, double opt-in SMS.
- The specific disclosures shown or read to the consumer at the time. The FCC requires that prior express written consent include a 'clear and conspicuous disclosure' that the consumer will receive autodialed calls/texts, and an agreement that is 'not made a condition' of any purchase. [3]
- Who collected it and from what source (your own landing page, a lead vendor, a list purchase).
If you bought leads, you almost certainly do not have valid TCPA consent for autodialed calls unless the vendor obtained it properly and transferred it to you specifically. That is its own problem, covered under text message marketing.
For live-agent cold calling to business numbers, the consent requirements differ and the DNC rules take over instead. You still need to know which number type you are calling before you dial.
Which HubSpot properties should you create for TCPA consent tracking?
HubSpot does not ship with TCPA-ready consent fields. The native 'legal basis for processing' field is a GDPR tool, and it does not map cleanly to TCPA categories. You need to build a custom property group.
Go to Settings > Properties > Contact Properties > Create Property Group. Name it 'TCPA Compliance' so it is easy to find and export.
Here are the properties to create inside that group:
| Property Label | Field Type | Notes |
|---|---|---|
| TCPA Consent Status | Dropdown | Options: Express Written, Prior Express (non-marketing), Established Business Relationship (EBR), No Consent, Revoked |
| TCPA Consent Date | Date | Exact date consent was captured |
| TCPA Consent Source | Single-line text | e.g., 'Web form: /get-quote page v2' |
| TCPA Consent Phone Number | Single-line text | The specific number covered; copy from the Phone Number field at consent time |
| TCPA Consent Method | Dropdown | Options: Web Form, Verbal (Recorded), Paper Signature, SMS Double Opt-In, Third-Party Lead |
| TCPA Consent Revocation Date | Date | Filled if consumer opts out |
| TCPA Opt-Out Channel | Dropdown | Options: SMS STOP, Verbal Request, Email Request, DNC Registration |
| TCPA Consent Record ID | Single-line text | Reference ID linking to your consent storage system (e.g., LeadID, session ID, recording file name) |
That last field is the one most teams skip. The actual consent artifact, the form submission record, the call recording, the signed PDF, has to live somewhere retrievable. The Record ID is what ties the HubSpot contact to that external proof. If you ever face a TCPA lawsuit, you need both the metadata (in HubSpot) and the artifact (wherever you store files).
Set 'TCPA Consent Status' as required for any contact in your calling or texting workflows. HubSpot lets you make enrollment in a sequence or workflow conditional on a property value. Use that.
How do you set consent status automatically when leads come in?
Manual data entry is where compliance programs die. Your team will not remember to fill consent fields on every record, especially at volume. Wire the data collection into the lead intake process itself.
For web forms built in HubSpot: Add a TCPA disclosure and checkbox to every form that generates a contact who might receive calls or texts. The checkbox cannot be pre-checked. The disclosure text should name your company, say autodialed calls or texts may result, and confirm it is not a purchase condition. [3] When the form submits, use a HubSpot workflow to set 'TCPA Consent Status' to 'Express Written,' 'TCPA Consent Date' to 'Today,' and 'TCPA Consent Source' to the form name.
For third-party leads: Every lead that comes through a vendor or list should land with 'TCPA Consent Status' defaulting to 'No Consent' until you verify it. Set that default in your import template. Then run a verification step before any contact enters a calling workflow. If the vendor claims consent, get the documentation and store it. The FCC's one-to-one consent rule, adopted December 2023, aimed to require that lead-gen consent name the seller specifically. [4] The rule was vacated by the Eleventh Circuit in early 2025, so the old standard controls again, but the safer practice is to treat vendor leads as requiring your own consent collection.
For inbound calls where the consumer calls you: Verbal consent on a recorded line is valid. Build a workflow trigger off your call logging: if 'Call Direction' is 'Inbound' and the call was recorded, flag the record for a rep to confirm and update 'TCPA Consent Method' to 'Verbal (Recorded)' within 24 hours.
For SMS double opt-in: If you run a tool like Twilio, Salesmsg, or Kixie alongside HubSpot, set up a webhook or native integration that pushes the confirmed opt-in event back to HubSpot and stamps the consent fields automatically. Do not rely on someone manually updating the record after seeing a STOP or HELP reply.
How do you handle consent revocation and opt-outs in HubSpot?
Revocation is where many teams get burned. Under the TCPA, consumers can revoke consent 'at any time and through any reasonable means.' [1] The FCC's 2024 revocation order set a 6-month deadline for the rule to take effect and requires callers to honor a revocation across all channels within 10 business days. [5]
In HubSpot, that means four things.
First, any STOP reply from an SMS tool needs to flow back and set 'TCPA Consent Status' to 'Revoked' and fill 'TCPA Consent Revocation Date.' Most SMS platforms integrated with HubSpot can trigger a workflow on STOP replies. Test it. Actually send a STOP from a test number and confirm the contact record updates.
Second, if someone calls your main line and says 'do not call me again,' your rep needs a fast way to flag it. Build a contact quick action in HubSpot that sets the revocation fields in two clicks. Do not make the rep dig through a property group buried four levels deep.
Third, DNC registrations. If someone registers on the National Do Not Call Registry, you have 31 days before you are obligated to honor it. [6] But if they tell you directly, that revocation is immediate. Cross-reference your list against the mobile phone do not call list at least every 31 days for active calling campaigns.
Fourth, build a HubSpot workflow that excludes any contact with 'TCPA Consent Status' = 'Revoked' or 'No Consent' from every calling sequence and SMS enrollment. Make this an active suppression list, not a one-time filter. It should update in real time as revocations come in.
Enrolling someone in a sequence the day after they revoked is exactly the kind of thing that turns a single lawsuit into a willful-violation allegation. That triples the damages.
What HubSpot workflows actually gate your callers from contacting non-consented records?
Creating the properties is step one. Enforcing them is step two. Properties that exist but are not connected to workflow logic give you a false sense of security.
Here is the structure that works.
Gating workflow for sequences: Create an active list called 'TCPA Approved for Outbound.' Membership criteria: TCPA Consent Status is any of Express Written, Prior Express, or EBR, AND TCPA Consent Revocation Date is unknown (blank). Any sequence that does outbound calling or texting should have enrollment filters that require membership in this list. HubSpot sequences allow contact-based enrollment filters. Use them.
Gating workflow for manual tasks: This one is harder. A rep can manually call anyone from their phone, and no software fully stops that. What you can do is create a task view or required field that prompts the rep to confirm consent before logging a call. HubSpot's required-fields-on-activities feature (available on some tiers) can force the rep to confirm a consent acknowledgment before a call is logged. Not bulletproof, but it is a procedural checkpoint.
Alert workflow for new contacts without consent status: When a new contact is created and 'TCPA Consent Status' is unknown, trigger an internal email or Slack notification to whoever owns that record. Give them 48 hours to classify it before it can enter any outreach queue. This keeps 'unknown' from becoming the quiet default that lets non-consented contacts slip through.
Audit list: Build a saved contact view filtered to 'TCPA Consent Status is unknown OR TCPA Consent Date is unknown' and assign someone to review it weekly. The goal is zero unknowns in your active pipeline. Dormant contacts can wait.
How should you handle legacy contacts imported before you had consent tracking?
This is the question nobody wants to face, and almost every team has to.
You have 4,000 contacts imported from a CSV two years ago. No consent data. Some have been called. Some have not. What do you do?
Option one, the most defensible, is to treat them all as 'No Consent' for autodialed calls and texts until you re-establish consent. You can only reach them via live-agent manual dials where you have a business relationship, and only for non-mobile numbers that are not on the DNC. What those distinctions mean is spelled out under cold call outreach.
Option two is a re-consent campaign. Send a one-time, manually triggered email (email is not covered by TCPA) asking them to opt in to calls or texts. Anyone who clicks the opt-in link gets their consent fields stamped. Anyone who does not stays in 'No Consent.'
Option three is going back to the original source. If these contacts came from a web form you built, check your form submission logs. If HubSpot's form data is intact, you may be able to show they submitted a form with a disclosure. Pull the form version history to confirm what disclosure language existed at submission time.
Do not set every legacy contact to 'Express Written' to make the problem go away. That is exactly the kind of thing that becomes Exhibit A in a TCPA case. Courts look hard at whether consent documentation is credible, and blanket relabeling reads as fabrication.
For the imports you genuinely cannot trace, a bulk classification of 'No Consent' with a note in the record ('Legacy import pre-[date], source unknown') is honest and defensible.
What should your consent records actually look like for a legal hold?
Imagine a TCPA demand letter hits your inbox tomorrow. Your attorney asks: 'For contact X, can you show me exactly when, how, and with what disclosure they consented to receive your calls?'
A good HubSpot record answers that in about 90 seconds. Here is what that record looks like in practice.
In the TCPA Compliance property group: Consent Status = Express Written. Consent Date = 2024-03-15. Consent Source = 'Web form: /demo-request v3 (deployed 2024-01-10).' Consent Phone Number = +1 (555) 867-5309. Consent Method = Web Form. Consent Record ID = HS-FORM-29471-SESSION-882910.
In your external storage (S3 bucket, versioned Google Drive files, your form platform's submission log): the actual submission record showing the checkbox was checked, the IP address, the timestamp, and the exact disclosure text shown on that form version.
Those two things together, the HubSpot metadata and the artifact, are your defensible paper trail. The Record ID is the thread that connects them.
HubSpot's data export tool pulls all contact properties to CSV. That export, combined with your artifact archive, is what you hand to legal. If you cannot produce it cleanly, the settlement math gets ugly fast. Public TCPA class action settlements for mid-size companies have run from the low millions into the tens of millions depending on class size and willfulness findings. [7]
LeadCompliant's free compliance kit includes a consent record template and a HubSpot property import file that sets up the full property group described here. Worth grabbing before you do this by hand.
How do consent rules differ for B2B versus B2C contacts in HubSpot?
B2B calling lives in a grayer zone than B2C, and it changes how you tag records.
The TCPA's prior express written consent requirement for autodialed calls applies to calls to mobile numbers regardless of whether the contact is a business person. A sales VP's cell phone is a mobile number. If you are texting or autodialing her cell, you need consent. [1]
Where B2B gets more room is with calls to business landlines. TCPA restrictions on autodialers to residential landlines do not apply the same way to business lines. The National DNC Registry also does not protect business numbers. [6] So for B2B campaigns targeting desk phones at company main numbers, the consent bar is lower, though not zero.
In HubSpot, tag your contacts with a 'Contact Type' property (if you do not already have one) that separates Individual Consumer from Business Contact. Then your TCPA gating workflows can treat them differently: stricter for mobile and consumer, somewhat looser for verified business landlines.
Still tag consent for B2B mobile contacts exactly as you would for B2C. The number type drives the regulatory risk, not the industry or job title of the person. Getting this wrong is how TCPA exposure creeps into a B2B sales operation that thought it was immune.
One more thing: even if a business line is exempt from TCPA autodialer restrictions, it may sit on a state DNC list or fall under state mini-TCPA laws like Florida's FTSA or Oklahoma's TCPA, which carry their own consent requirements. Check state law for wherever your contacts are located.
How do you audit your HubSpot consent setup to find gaps before a lawsuit does?
An audit is not a one-time event. Run it quarterly at minimum. Here is a checklist you can work through inside HubSpot in about two hours.
1. Pull the active list 'Contacts enrolled in any calling or SMS sequence in the last 90 days.' Export to CSV. How many have a blank TCPA Consent Status? Any blank is a potential violation.
2. Cross-reference consent dates against enrollment dates. If a contact entered a calling sequence before their consent date was logged, that is a red flag. Either the consent predated HubSpot (document that) or they were called without recorded consent.
3. Check your opt-out handling. Pull all contacts with 'TCPA Consent Status = Revoked' and verify none received a call or text after their revocation date. HubSpot's Activity timeline on a contact record shows all logged calls and emails with timestamps. Spot-check 20 revoked records.
4. Review new lead sources from the last quarter. New vendor, integration, or form? Confirm that source has a consent tagging workflow attached.
5. Test your SMS STOP workflow. Send a STOP from a test number. Does the contact record update? Does the contact get suppressed from active sequences? Time how long it takes. The FCC's 10-business-day standard is the outer limit. Faster is better. [5]
6. Confirm your do not call telemarketer list scrub is current. HubSpot does not scrub against the DNC automatically. That takes an integration with a scrubbing service, and it needs to run before every campaign, not once at import.
Document the results. A dated audit log showing you found and fixed gaps is evidence of a good-faith compliance effort, which matters if a willfulness question ever comes up.
What are the most common HubSpot TCPA tagging mistakes and how do you fix them?
Teams make the same handful of mistakes over and over. Here they are, bluntly.
Mistake one: Using HubSpot's GDPR consent field instead of building TCPA properties. GDPR's 'legal basis for processing' and TCPA's consent categories do not map to each other. GDPR compliance does not equal TCPA compliance. Build separate properties.
Mistake two: Setting a default value of 'Express Written' on new contact imports. This is wishful thinking written into your database. Defaults should be 'No Consent' or left blank, with a required-field workflow that forces classification.
Mistake three: Logging consent for a contact's email address but not for the specific phone number. TCPA consent is number-specific. If a contact gives you a new cell number, that new number needs its own consent event.
Mistake four: Not versioning your web forms. If your disclosure language changes, contacts who converted before the change fall under the old disclosure. HubSpot Forms keeps some version history, but it is not bulletproof. Save a dated copy of every form version with its disclosure text in an external document. Reference the version in the 'TCPA Consent Source' field.
Mistake five: Relying on HubSpot's unsubscribe for TCPA opt-outs. HubSpot's email unsubscribe is for CAN-SPAM, not TCPA. A contact who unsubscribes from marketing emails has not necessarily revoked TCPA consent, and vice versa. Someone who texts STOP has revoked TCPA consent but is still email-marketable. Keep these systems distinct.
Mistake six: No process for what happens when a contact record is merged. HubSpot merges can lose properties from the secondary record depending on field settings. Check what happens to TCPA fields after a merge. If the merged record loses its consent date, that is a problem.
Fix all six before your next campaign. If you want a pre-built checklist and HubSpot property import file, LeadCompliant's free compliance kit has both.
How do you prove consent if you relied on a third-party lead vendor?
Third-party lead consent is probably the single most litigated TCPA issue for outbound sales teams. The reason is simple: vendors often claim they obtained consent, and that consent frequently has problems. The disclosure named a different company. The checkbox was buried. The form used dark patterns. Or the data was sold three times over and the chain of consent is broken.
Under the TCPA, the burden of proving consent falls on the caller. [1] If a plaintiff says they never consented, you have to prove they did. 'The vendor told us they had consent' is not proof.
In HubSpot, for vendor leads, create a sub-category of the 'Third-Party Lead' consent method with a required field for 'Vendor Consent Documentation Reference.' That reference should point to a file containing the vendor's consent certification, the URL of the page where consent was obtained (go check that URL yourself and screenshot it), and the lead timestamp.
Before any third-party lead enters a calling workflow, someone needs to have reviewed that documentation. Build that review step into your lead intake SOP, beyond your HubSpot workflow.
The FCC's one-to-one consent rule, adopted December 2023, would have required that consent specifically name the company calling. The Eleventh Circuit vacated the rule in January 2025 before it took effect. [4] Even so, the direction of the law and of plaintiff-side argument is clear. Build toward that standard now. It is better compliance and a better defense posture.
To get the national DNC list and compare it against your vendor leads before calling, see how do i get the do not call list.
Frequently asked questions
Does HubSpot have built-in TCPA consent fields?
No. HubSpot's native legal basis field is designed for GDPR, not TCPA. To track TCPA consent properly, you need a custom property group with fields for consent status, consent date, source, the specific phone number covered, method of consent, revocation date, and a record ID linking to your stored consent artifact. Plan for about an hour to build the full property set.
What is prior express written consent under the TCPA?
Prior express written consent is the highest consent tier the FCC requires for autodialed or prerecorded telemarketing calls and texts to mobile numbers. Per the FCC's 2012 TCPA order, it must include a clear disclosure that autodialed calls or texts may result, the consumer's signature (electronic counts), and a statement that consent is not a condition of purchase. A checked web form checkbox with the right disclosure language meets this standard.
Can I use HubSpot workflows to block calls to non-consented contacts?
Yes, and you should. Create an active list with membership criteria requiring a valid TCPA Consent Status and no revocation date. Make enrollment in any calling or SMS sequence conditional on membership in that list. You can also build alert workflows that flag new contacts lacking consent classification. This does not stop a rep from manually dialing, but it gates your automated and sequence-based outreach.
How long do I need to keep TCPA consent records?
The TCPA's four-year statute of limitations is the minimum floor (47 U.S.C. § 227). Keep consent records for at least four years from the last contact with a number. Some attorneys recommend five years as a buffer. HubSpot does not auto-delete contact properties, so as long as the contact record exists, the fields persist. Your external artifacts (form logs, recordings) should have a matching retention policy.
What happens if a contact gives consent and then the phone number is reassigned?
Phone number reassignment is a real TCPA trap. If a consumer's number is reassigned to a new person and you call using the old consent, you have called someone without consent. The FCC addressed this through its Reassigned Numbers Database, which launched in 2021. Scrub your calling list against the database before campaigns. Subscription pricing varies by query volume and starts low for small teams.
Is verbal consent on a recorded call valid TCPA consent for texts and autodialed calls?
Verbal consent on a recorded call can count as prior express written consent if the recording captures the required disclosures and the consumer's clear agreement. The FCC has confirmed that electronic signatures and verbal agreements on recorded calls meet the written requirement. Store the recording, note the call date and file reference in HubSpot's consent fields, and confirm the disclosure language said exactly what the rules require.
What is the difference between TCPA consent and CAN-SPAM compliance in HubSpot?
CAN-SPAM governs commercial email. TCPA governs calls and texts. They are separate laws with separate rules and separate opt-out mechanisms. A contact who unsubscribes from your HubSpot marketing emails has exercised a CAN-SPAM opt-out, not a TCPA revocation. Keep your email subscription status and TCPA consent status in separate fields. Conflating them creates gaps in both directions.
How often should I scrub my HubSpot lists against the national DNC registry?
The FTC requires that you scrub against the National DNC Registry at least every 31 days for active calling campaigns. HubSpot does not perform DNC scrubbing natively. You need an integration with a third-party scrubbing service. Run the scrub before each new campaign launch and on a monthly refresh for ongoing campaigns. Calls to registered numbers without a valid exemption carry $500 to $1,500 per-call exposure.
What should my web form TCPA disclosure actually say?
At minimum: 'By submitting this form, you agree that [Company Name] may contact you at the phone number provided using autodialed or prerecorded calls or texts. Consent is not a condition of purchase. Reply STOP to opt out.' The checkbox must be unchecked by default. Keep a versioned copy of the exact disclosure language with the date that form version went live, so you can prove what any given contact saw.
Can a text message STOP reply automatically update HubSpot?
Yes, if your SMS platform integrates with HubSpot. Tools like Salesmsg, Kixie, and Twilio have HubSpot integrations that can trigger contact property updates on inbound STOP replies. You configure a webhook or native action to set TCPA Consent Status to 'Revoked' and fill the revocation date. Test the integration with a real STOP from a test number before relying on it for compliance.
Do TCPA consent rules apply to B2B sales calls?
They apply to any call to a mobile number, including a business contact's cell phone. TCPA does not distinguish by the caller's or recipient's industry. If you are autodialing or texting a mobile number, you need consent regardless of whether it belongs to a consumer or a VP of Procurement. Restrictions on autodials to traditional business landlines are less strict, but state mini-TCPA laws in states like Florida may add requirements.
What is the FCC's 10-business-day revocation rule and does it affect HubSpot workflows?
The FCC's 2024 revocation order requires callers to honor opt-out requests within 10 business days across all channels. If someone emails you to stop calling, texts STOP, or says it on a call, you have at most 10 business days to suppress them. Your HubSpot workflows need to suppress revoked contacts from all sequences, not only the channel they used to opt out. Same-day handling is the safe standard.
What evidence do courts look for in TCPA consent disputes?
Courts look for the specific form or recording where consent was given, the exact disclosure language shown at consent time, the timestamp and IP address of a web submission, and documentation that the consenting party owned the number then. HubSpot property data alone is not enough. You need the underlying artifact. Cases like ACA International v. FCC and many district court rulings have turned on the quality and credibility of the caller's documentation.
Should I use HubSpot's communication subscription types instead of custom TCPA fields?
HubSpot's subscription types manage email and, in some integrations, SMS opt-in status for their own communication tools. They are useful but not sufficient for TCPA documentation, because they do not capture consent date, method, disclosure version, or the specific phone number covered. Use subscription types for operational suppression alongside a dedicated TCPA property group that captures the full audit trail a regulator or plaintiff's attorney would demand.
Sources
- Cornell Legal Information Institute, 47 U.S.C. § 227 (Telephone Consumer Protection Act, full statute text): $500 per violation for negligent violations, $1,500 for willful violations; prior express written consent required for autodialed/prerecorded calls to mobile numbers; caller bears the burden of proving consent
- Federal Trade Commission, business guidance on telemarketing and the TCPA private right of action: The FCC enforces the TCPA alongside a private right of action for consumers; TCPA class action settlements routinely reach the millions
- U.S. Court of Appeals for the Eleventh Circuit, Insurance Marketing Coalition v. FCC (2025), and FCC one-to-one consent Report and Order (2023): FCC one-to-one consent rule adopted December 2023 would have required lead-gen consent to name each seller specifically; the Eleventh Circuit vacated the rule in January 2025 before it took effect
- Federal Trade Commission, National Do Not Call Registry (consumer and business information): Telemarketers must honor DNC registrations within 31 days; business numbers are not covered by the residential DNC registry
- Federal Trade Commission, Telemarketing Sales Rule business guidance: Sellers must scrub calling lists against the national DNC registry every 31 days; TCPA class action settlements for mid-size companies have ranged from the low millions to the tens of millions
- Federal Communications Commission, Reassigned Numbers Database program homepage: The FCC Reassigned Numbers Database launched in 2021 to help callers avoid contacting people who inherited a number and never consented
- Federal Trade Commission, Complying with the Telemarketing Sales Rule: Sellers must scrub calling lists against the national DNC registry every 31 days for active campaigns
- Federal Communications Commission, consumer guides on unwanted calls and texts: TCPA applies to calls and texts using autodialers or prerecorded messages regardless of whether the recipient is a consumer or business person, so long as the number is a mobile number
- U.S. Court of Appeals for the D.C. Circuit, ACA International v. FCC, 885 F.3d 687 (D.C. Cir. 2018): D.C. Circuit ruling that reshaped the autodialer definition and consent documentation standards in TCPA litigation