Last updated 2026-07-11

TL;DR
The FCC's one-to-one consent rule, effective January 27, 2025, requires that each seller obtain its own written consent from a consumer before sending robocalls or robotexts. A single checkbox naming multiple companies no longer works. Your privacy policy must name your company as the specific consenting party, describe exactly how you'll contact people, and cannot bundle consent with a purchase.
What is the FCC one-to-one consent rule and when does it apply?
The FCC adopted a Report and Order on December 13, 2023, that rewrote how lead generators and sellers can share TCPA consent. [1] The rule amends 47 CFR 64.1200 to require that prior express written consent be obtained by one seller at a time. A consumer has to affirmatively agree to hear from your company specifically, not from a list of 'marketing partners' or 'affiliated brands.'
The effective date was January 27, 2025. [1] Any consent you collect on or after that date has to meet the new standard. Consent you collected before that date under the old bundled model sits in a legal gray zone worth discussing with your attorney.
The practical problem this fixes, from the FCC's perspective, is the comparison-shopping website model. A consumer visits a mortgage or insurance site, checks a box consenting to contact from 'our partners,' and then gets calls from dozens of sellers who all claim valid consent. The FCC called this practice a 'lead generator loophole' in the 2023 order. [1]
For outbound sales teams running their own lead generation, the rule bites in two specific places. Your website opt-in forms have to name you and only you as the party obtaining consent. And if you buy leads from a third party, you now carry real risk if that vendor's consent process didn't satisfy one-to-one requirements for your company. Read up on the full scope of tcpa obligations behind this rule before you touch a single policy document.
What exactly does your privacy policy need to say under the new rule?
The TCPA's written consent standard under 47 USC 227(b)(1) has always required that a consumer authorize a specific communication. [2] What the 2023 FCC order adds is an explicit ban on selling or assigning one blanket consent to multiple sellers.
Your privacy policy is not the consent mechanism itself. Consent happens at the point of data collection, usually your web form. But your policy defines what you do with the data you collect, and that document has to be consistent with, and cross-referenced from, your consent language.
Here is what the policy needs to cover to stay aligned with the rule.
Your company's identity. The policy has to identify your legal entity as the specific party authorized to make calls and send texts. 'We' is not enough if your website runs under a parent company, affiliate, or DBA. Name the entity. Spell out the legal name.
The communication methods covered. The policy has to state plainly that you make autodialed calls, prerecorded calls, or text messages, whichever apply. 'We may contact you' does not meet the specificity the FCC described in its 2023 order. [1]
The numbers you will contact. The one-to-one requirement is specifically about calls and texts to cellular numbers. Your policy should say consent covers contact to the mobile number the consumer provided.
The subject matter of the calls or texts. Your consent language, and the policy it references, has to describe what you'll be calling about. 'Marketing purposes' is too broad. 'Offers related to [product or service category]' is the floor.
No conditioning on purchase. 47 USC 227(b)(1)(B) bars making consent to autodialed calls a condition of buying goods or services. [2] Your policy should say this clearly, and your forms have to back it up with an unchecked, optional checkbox.
How consumers can revoke consent. This has been a TCPA requirement for years. The one-to-one rule raises the stakes on getting it right. Your policy has to describe the revocation path in plain language, whether that's texting STOP, calling a toll-free number, or submitting a web form.
What language should the actual consent disclosure say?
The FCC hasn't mandated word-for-word language, but its order describes the required elements clearly enough that you can build acceptable disclosure text from them. [1]
A compliant disclosure block on your web form might read like this, and your privacy policy should mirror it:
'By submitting this form, I authorize [Your Legal Company Name] to contact me at the phone number I provided above using an automatic telephone dialing system or prerecorded voice, and by text message, regarding [specific product or service]. I understand my consent is not a condition of purchase. I can revoke my consent at any time by texting STOP or calling [number].'
That's the template. The legal elements buried in there are your specific company name, the word 'authorize,' identification of autodialing or prerecorded technology, the specific subject matter, the 'not a condition of purchase' statement, and a revocation path.
Your privacy policy's consent section should reproduce these elements in policy form. Past tense and third person are fine, but every element still has to appear. Something like: 'When a user submits a contact form on our website, [Your Legal Company Name] obtains express written consent to contact that user at the mobile number provided using automated calling technology or text messages regarding [product category]. Consent is not required to make a purchase. Users may revoke consent at any time.'
One more thing. The FCC's 2023 order says consent must be 'logically and topically' related to the website where it is obtained. [1] If your website is about health insurance but your form's fine print also grants consent for mortgage calls, that's the exact loophole the rule was built to close.
How do you update your privacy policy document step by step?
Here is a sequence a small team can run without a full legal overhaul, though an attorney review of the final output is worth the cost.
Step 1: Audit your current forms and landing pages. Find every place on your website or third-party landing pages where you collect phone numbers. Screenshot the current consent language. If the consent block names partners, affiliates, or 'companies we work with,' that language is now a liability under the 2023 order. [1]
Step 2: Identify every entity that would be using the consent. If your holding company runs three brands, each brand needs its own consent disclosure. One checkbox does not cover three entities.
Step 3: Rewrite the consent disclosure at the point of collection first. The privacy policy follows the disclosure, not the other way around. Fix the form first, then update the policy to match.
Step 4: Update the policy's 'how we contact you' section. Add specific language about autodialing, texts, and the subject matter of communications. Strip out any language that references sharing consent with partners.
Step 5: Add a consent revocation section if you don't have one. The FCC and the TCPA both require a clear revocation path. Describe it plainly.
Step 6: Update your 'data sharing' section. If you sell or share leads, this section has to explain that each downstream seller must obtain its own separate consent. If you're the downstream buyer, you cannot lean on the upstream seller's consent.
Step 7: Date your policy. Every privacy policy should carry a 'last updated' date. Courts and regulators read policy version history to judge whether a company acted in good faith.
Step 8: Archive the old version. Keep it. If you get sued over calls made before January 27, 2025, you'll want documentation of what your policy said at the time.
For teams that want a structured checklist, LeadCompliant's free compliance kit walks through each step with specific language templates for both the consent form and the policy document.
Does this rule apply to text message marketing as well as calls?
Yes. The one-to-one consent requirement applies to any communication covered by 47 USC 227(b)(1), which reaches calls and texts made using an automatic telephone dialing system or an artificial or prerecorded voice to a cellular number. [2] The FCC has treated SMS as equivalent to calls for TCPA purposes since 2003.
For text message marketing, the practical effect is that your opt-in keyword flows, web form SMS checkboxes, and any third-party SMS consent you've purchased all have to meet the one-to-one standard. A consumer who texts a keyword to join your list should get a clear confirmation message that names your company specifically.
The CTIA's messaging guidelines also require that your privacy policy URL appear in the opt-in confirmation message. [3] That ties your consent flow directly to your policy. So if the policy is vague or names multiple parties, your whole SMS program has an exposed flank.
One nuance. Peer-to-peer texting where a human types each message may fall outside the ATDS definition, depending on the platform. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed ATDS to systems with a random or sequential number generator. [4] But if your platform sends bulk texts with any degree of automation, assume the TCPA and the one-to-one rule apply, and build your consent accordingly.
What happens if you buy leads from a third-party vendor after the rule took effect?
This is where the rule hurts small outbound teams most. Before January 27, 2025, many teams assumed a lead vendor's attestation ('this lead consented to receive calls from our marketing partners') transferred liability protection to the buyer. The FCC's 2023 order shut that door. [1]
Under the new standard, if you buy a lead and call it, you are the seller who needed one-to-one consent. If the vendor's form named the vendor but not your company, the consent is invalid for your use. Full stop.
Ask lead vendors three specific questions before you sign anything.
First: Does your consent disclosure name my company specifically, or does it name a category of companies or your own company as an intermediary? If the answer is anything other than 'we name your company,' the consent doesn't satisfy the rule.
Second: Can you provide the consent record for each lead, including a timestamp, the IP address, the exact disclosure language shown, and the form URL? The FCC's order says consent must be documented. [1] A vendor who can't produce this is a red flag.
Third: How do you make sure the disclosure was actually presented to the consumer before form submission, not buried in a footer link?
If a vendor can't answer all three cleanly, the safe move is to hold off on those leads until you have your own re-consent mechanism in place. Getting a consumer to re-opt-in through a confirmed opt-in text or a brief recorded inbound call is a legitimate way to reset the consent clock.
The financial stakes are real. TCPA damages run $500 to $1,500 per violation, and class actions over bad consent have settled in eight figures. The cash app tcpa class action settlement and the credit one tcpa settlement show how fast these cases scale when the consent record is thin.
How does the one-to-one rule interact with the National Do Not Call Registry?
The DNC Registry and the one-to-one consent rule run on parallel tracks, but they cross in ways that matter. The DNC Registry, maintained by the FTC under 16 CFR Part 310, bars telemarketing calls to registered numbers absent an established business relationship or express written consent. [5] The FCC's TCPA rules layer on top, governing the technology used to make the call.
A consumer who gives one-to-one consent under the new FCC rule has, in effect, also provided the express written consent that exempts them from DNC protections for your calls. But the consent has to satisfy both frameworks at once, and the FCC's stricter specificity requirement is now the higher bar.
If you're running an outbound cold calling program, scrub against the DNC Registry no matter how a lead came in. A consumer can consent to calls and still sit on the DNC list, and how those two facts fit together involves some genuinely unsettled law. The safest posture is to honor DNC registrations for anyone who hasn't given you a fresh, direct, one-to-one consent that post-dates their DNC registration.
For how to pull and use registry data, see our guide on the do not call list and how to get the do not call list for your scrubbing workflow.
What records do you need to keep to prove consent was obtained correctly?
The FCC's 2023 order does not set an exact retention period for consent records, but the TCPA's four-year statute of limitations under 28 USC 1658 sets your practical floor. [6] Keep consent records for at least four years from the date of collection. Many attorneys recommend five, given the fights over when the clock starts.
For each consent record, capture and keep the consumer's name and phone number, the date and time of consent, the URL of the page where consent was given, the exact text of the disclosure shown at the time of consent, the IP address of the device used, and, if consent was verbal on a recorded inbound call, a copy of the recording.
Here is why the URL matters. The order's 'logically and topically related' requirement means you need to prove more than that the consumer clicked a button. You need to prove the button sat on a page contextually related to your specific product. [1] If your lead vendor's form lived on a generic 'free quotes' page with no subject-matter specificity, that's a gap in the record.
Store these fields on the lead record in your CRM, not in a separate spreadsheet. If litigation comes, the ability to pull a complete consent record in under an hour, with the exact disclosure language and a screenshot of the form, is the difference between a quick dismissal and expensive discovery.
A table of what to capture:
| Data Point | Why It Matters | Retention Period |
|---|---|---|
| Date and time of consent | Establishes consent pre-dates the call | 5 years minimum |
| Form URL | Proves topical/logical relationship | 5 years minimum |
| Exact disclosure text shown | Documents one-to-one specificity | 5 years minimum |
| IP address | Links consent to a real user session | 5 years minimum |
| Consumer phone number | Ties record to the called number | 5 years minimum |
| Seller name in disclosure | Proves one-to-one requirement met | 5 years minimum |
Can you use a single opt-in form for multiple brands or products?
No. Not one checkbox for one consent. The FCC's order is explicit that consent must be granted to one seller at a time. [1] Multiple brands or products can share the same web page, but each needs its own separate, unchecked checkbox with its own company-specific disclosure language.
If you run a multi-brand website, each brand's consent block has to name that brand's legal entity. Stacking them under a single 'I agree to be contacted by [Parent Company] and its brands' checkbox is exactly the bundled consent the rule kills.
There is one clean case where a single consent covers multiple touchpoints. If you're getting consent for one company to contact a consumer by both phone and text, that's one seller and two channels, and a single disclosure can cover both. But it has to name both channels explicitly.
For businesses that run affiliate programs or refer leads between entities, the downstream entity still needs its own direct consent from the consumer. You can facilitate that re-consent through an email, a landing page, or a recorded inbound call, but the downstream entity cannot inherit the upstream consent.
What are the penalties if your privacy policy or consent language is non-compliant?
Under 47 USC 227(b)(3), a consumer can sue for $500 per violation or actual damages, whichever is greater. [2] If a court finds the violation was willful or knowing, that trebles to $1,500 per call or text. Each call and each text is a separate violation.
Class actions are the real financial threat. A company that makes 100,000 non-compliant robocalls faces theoretical statutory exposure of $50 million at $500 per call, before trebling. Courts have discretion to cut class-wide awards, and the FCC can issue its own forfeiture penalties under 47 USC 503(b), which run up to $23,727 per violation as of 2024 after inflation adjustment. [7]
Privacy policy defects tend to surface in TCPA litigation as evidence that the company knew or should have known its consent process was broken. A plaintiff's attorney who can show that your policy never mentioned autodialing, or named multiple parties in a bundled consent, uses that to argue willfulness and push toward the $1,500 treble figure.
The FCC can also open forfeiture proceedings for systematic violations. The agency has raised TCPA enforcement activity since 2021, including a focus on lead generator consent practices tied to the concerns that drove the 2023 order. [1]
State laws can pile on. Florida's Telephone Solicitation Act, Illinois's ATDS statute, and Washington State's version of the TCPA all carry their own penalty structures that can run alongside federal TCPA claims. Our state laws hub covers these in detail.
Does the rule apply to B2B calls and texts, or only to consumers?
The TCPA's core restrictions in 47 USC 227(b)(1) apply to calls and texts made to any cellular number, whether the called party is a consumer or a business employee. [2] There is no categorical B2B exemption.
The enforcement landscape looks different, though. Most TCPA class actions involve consumer lists. B2B calls to mobile numbers are technically covered, but the FCC's 2023 consent order aims mainly at consumer-facing lead generation in industries like insurance, mortgage, and education.
For B2B outbound teams using automated dialing or prerecorded messages to reach prospects on work cell phones, the safest posture is to apply the same consent standards you'd use for consumer calls. A gated content download with a compliant consent disclosure is the cleanest mechanism. A cold call to a known direct mobile number using a manual dialer and a live agent carries far less risk than an automated blast to a purchased list. But 'less risk' is not 'no risk.'
What should you do right now if your forms and policy aren't updated yet?
The rule has been in effect since January 27, 2025. If you haven't updated your forms and policy, you've been collecting non-compliant consent for months, and you should treat calls made on that basis as carrying real litigation risk.
Here is the priority order for right now.
Pause any outbound programs that rely on third-party lead consent you haven't verified against the one-to-one standard. The risk of calling into a non-compliant list is not worth whatever pipeline those leads represent.
Update your web forms today. The form fix is a 30-minute task if you have access to your CMS. The benefit is immediate, because every new lead from this point forward carries a clean consent record.
Update your privacy policy to match the new form language within the same week. A mismatch between what your form says and what your policy says is itself an evidentiary problem in litigation.
Run a one-time audit of any leads you received from third-party vendors after January 27, 2025. Request their consent records. If the records don't name your company specifically in the disclosure, reach out to those leads through a non-autodialed channel first to get fresh consent.
Document the audit. A written record showing you found the gap and took corrective action is evidence of good faith, and that matters if you end up in front of a regulator or in litigation over pre-fix calls.
LeadCompliant offers a free one-time compliance kit with a checklist version of these steps, plus a mobile phone do not call list scrubbing checklist and a consent record template. A structured tool lowers the chance you skip a step under time pressure.
Frequently asked questions
When did the FCC one-to-one consent rule take effect?
The FCC adopted the one-to-one consent rule in its December 13, 2023 Report and Order, and the rule became effective on January 27, 2025. Any consent collected on or after that date must satisfy the new one-to-one standard. Consent collected before that date under a bundled model sits in a gray zone, and whether it stays valid for ongoing calls is a question for your attorney.
Does the FCC one-to-one consent rule apply to text messages?
Yes. The rule applies to any communication covered by 47 USC 227(b)(1), which includes texts sent via an automatic telephone dialing system to a cellular number. Your SMS opt-in flows must name your company specifically as the sender. A keyword opt-in that routes through a multi-seller lead gen platform does not satisfy the rule unless your company is identified in the disclosure.
Can one privacy policy cover consent for multiple affiliated brands?
No, not under a single checkbox. The FCC's one-to-one rule requires that each seller obtain its own specific consent. If you run multiple brands, each brand needs its own separately labeled and unchecked consent checkbox, with each checkbox's disclosure naming that brand's legal entity. A shared parent company checkbox that rolls in affiliated brands is the exact model the 2023 FCC order prohibits.
How long do I need to keep consent records under the TCPA?
The TCPA's statute of limitations is four years under 28 USC 1658, which sets your practical minimum retention period. Most compliance attorneys recommend five years. For each lead, retain the date and time of consent, the form URL, the exact disclosure text shown, the consumer's phone number, and the IP address. Store these on the lead record in your CRM, not in a separate spreadsheet.
What if I buy leads from a vendor who says they already have consent?
After January 27, 2025, a vendor's general consent (one that names the vendor or 'marketing partners' rather than your company specifically) does not satisfy the one-to-one rule for your calls. You need to verify that the vendor's disclosure named your company by name. If it didn't, either skip those leads or run a re-consent campaign through a non-automated channel before making any autodialed calls or texts.
Does the consent disclosure have to say 'automatic telephone dialing system' specifically?
The FCC doesn't mandate those exact words, but the disclosure has to make clear that automated calling technology or prerecorded messages may be used. Language like 'using automated means' or 'by autodialer and prerecorded voice' is generally accepted. The key is that a reasonable consumer reading the disclosure understands they're agreeing to automated contact, not a personal phone call from a sales rep.
What does 'logically and topically related' mean for my consent form?
The FCC's 2023 order says consent must be logically and topically related to the website where it is obtained. If your site is about auto insurance, your consent form should only seek consent for auto insurance calls. You cannot use an auto insurance site's form to also grab consent for mortgage or health insurance calls. The subject matter of the page and the subject matter of the consent have to match.
Is consent required to be a separate unchecked checkbox, or can it be part of the terms of service agreement?
Burying consent to autodialed calls in your terms of service is almost certainly non-compliant. The FCC and courts have held that consent must be clear and unambiguous. A consumer clicking 'I agree to the terms of service' does not constitute knowing authorization to receive robocalls or robotexts. The consent should be a standalone, unchecked opt-in checkbox with a clear disclosure directly next to it.
How do I handle consent revocation requests under the new rule?
Your privacy policy must describe a clear revocation mechanism. Accepting STOP texts for SMS, a toll-free opt-out number, and a web form submission are all common and accepted methods. Once a consumer revokes consent, you have to stop calling or texting them within a reasonable time, and the FCC has indicated 'reasonable' means promptly, not after your next sending cycle. Document every revocation with a timestamp.
Does the one-to-one rule change anything for established business relationship (EBR) exemptions?
The EBR exemption mainly applies to the National DNC Registry under FTC rules, not to the TCPA's autodialing restrictions. Under the TCPA, an EBR alone does not authorize autodialed calls or texts to cell phones; you still need express written consent for those. The one-to-one rule doesn't eliminate the EBR concept, but it doesn't create a carve-out from the one-to-one consent requirement either.
What's the penalty for a single non-compliant robocall under the TCPA?
Under 47 USC 227(b)(3), a consumer can sue for $500 per violation or actual damages, whichever is greater. If a court finds the violation was willful or knowing, that trebles to $1,500 per call or text. The FCC can also issue administrative forfeiture penalties up to $23,727 per violation (2024 inflation-adjusted figure). Class actions are where total exposure becomes existential for small teams.
Do I need to update my privacy policy even if I only do manual cold calling, no automated dialing?
If you truly use a human to manually dial each number with no automated assistance, the TCPA's autodialer restrictions may not apply, especially after the Facebook v. Duguid Supreme Court ruling in 2021. But DNC Registry rules still apply to all telemarketing calls. And if there's any chance your dialing technology could be characterized as an ATDS, update your policy anyway. The cost is low and the downside risk of not updating is high.
Can I get in trouble for what my privacy policy says, even if my consent form is correct?
Yes. Plaintiff attorneys in TCPA cases routinely pull privacy policy versions to look for inconsistencies between what the policy says and what the form says. If your form correctly names one seller but your policy still says you share data with 'marketing partners,' that inconsistency gets used to argue the consent process was misleading. The form and the policy have to tell the same story.
What is the best way to re-consent an existing list that may have been collected under old bundled consent language?
The cleanest re-consent method is non-automated outreach: a personal email with a one-click opt-in link, or a live agent call that is recorded and includes a verbal consent disclosure. Do not send an automated text asking for re-consent, since sending that text is itself potentially a TCPA violation if the original consent was invalid. Once re-consent is obtained through a clean channel, document it as a new consent record with a fresh timestamp.
Sources
- FCC, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, Report and Order, FCC 23-107 (Dec. 13, 2023), available via the Federal Register: The FCC adopted the one-to-one consent rule on December 13, 2023, effective January 27, 2025, requiring each seller to obtain its own prior express written consent and prohibiting bundled consent from lead generators.
- 47 USC 227 (Telephone Consumer Protection Act), Cornell Law School Legal Information Institute: 47 USC 227(b)(1) prohibits autodialed or prerecorded calls to cellular numbers without prior express consent; 227(b)(1)(B) prohibits conditioning consent on a purchase; 227(b)(3) establishes $500 per violation damages trebling to $1,500 for willful violations.
- Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), Supreme Court of the United States: The Supreme Court in Facebook v. Duguid narrowed the ATDS definition to systems that use a random or sequential number generator, potentially excluding some peer-to-peer texting platforms from TCPA coverage.
- FTC, Telemarketing Sales Rule, 16 CFR Part 310: The FTC's Telemarketing Sales Rule governs the National Do Not Call Registry and prohibits telemarketing calls to registered numbers absent an established business relationship or express written consent.
- 28 USC 1658, Cornell Law School Legal Information Institute: 28 USC 1658 establishes a four-year statute of limitations for civil actions arising under federal statutes, which courts apply to TCPA claims.
- FCC, Forfeiture Policy Statement and Amendment of Section 1.80 of the Commission's Rules, 47 USC 503(b), Cornell Law School Legal Information Institute: The FCC can impose forfeiture penalties under 47 USC 503(b), which are adjusted for inflation; the per-violation maximum was approximately $23,727 as of 2024.
- 47 CFR 64.1200, Electronic Code of Federal Regulations: 47 CFR 64.1200 implements the TCPA's restrictions on autodialed and prerecorded calls, including the prior express written consent requirement as amended by the FCC's 2023 one-to-one consent order.
- FTC, National Do Not Call Registry, donotcall.gov: The National Do Not Call Registry is maintained by the FTC and prohibits telemarketing calls to registered numbers; businesses must scrub against the registry before making outbound telemarketing calls.