Last updated 2026-07-11

TL;DR
Send a plain email asking the lead to reply or click to confirm they want your call. That documented reply can satisfy the TCPA's prior express written consent standard for cell phone calls. Skip it, and a single autodialed call to a cell number exposes you to $500 to $1,500 per violation under 47 U.S.C. § 227.
Why do you need consent before calling a cold lead on their cell phone?
Federal law says so, and the price of ignoring it is steep. The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, bans using an automatic telephone dialing system or a prerecorded voice to call any cell number without the called party's prior express consent [1]. Each call costs $500. If a court finds the violation willful, that triples to $1,500 [1].
Those numbers stack fast. The Cash App TCPA class action settlement and the Credit One TCPA settlement both show how per-call penalties compound when outbound teams dial at scale without verifying consent first.
Here is the part most small teams miss: the consent burden falls on you, the caller. A plaintiff who says you called without permission doesn't have to prove much. You have to prove you had consent. A CRM note that reads "prospect seemed interested" is not proof. A timestamped email reply that says "yes, please call me" is much closer to it.
For cold calling to landlines the rules loosen up. Cell phones are where the real liability sits. Most leads today hand you a cell number, which means the consent question is almost always live.
What exactly counts as prior express consent under the TCPA?
It's a written agreement that clearly authorizes you to call using an autodialer or prerecorded message. The FCC laid this out in its 2012 omnibus order [2]. The agreement has to be in writing, signed (an electronic signature counts under the E-SIGN Act, 15 U.S.C. § 7001), and it has to carry a clear and conspicuous disclosure that the consumer is agreeing to calls [2][12].
For purely informational calls with no sales pitch, the standard is looser. Prior express consent without the writing requirement can work. But telemarketing calls need prior express written consent. The FCC draws that line sharply, and a sales call is telemarketing.
An email consent flow meets the written requirement because the consumer takes an affirmative action (clicking a link or typing a reply) that creates a dated, durable record. That record is your evidentiary backbone if a demand letter ever lands.
The statute text says it plainly: "the term 'prior express consent' means an agreement, in writing, bearing the signature of the person called" [1]. Courts read electronic actions as signatures under E-SIGN, but the operative word is affirmative. A passive opt-in like a pre-checked box has been rejected by both courts and the FCC [2].
How does a pre-call consent email actually work?
The mechanics are simpler than the legal language makes them sound. You email a lead you found through a list, LinkedIn, a trade show badge scan, wherever. The email does one thing: it asks whether they want you to call, and it gives them a clear way to say yes or no.
Two formats work.
First, the reply-based format. Your email says something like: "I'd love to walk you through [your product]. If you're open to a quick call, just reply YES and I'll reach out at the number you prefer." When they reply, you have a timestamped email in a thread showing the lead's address, the date, and the word of consent.
Second, the click-to-consent format. You include a link to a short landing page: "Click below to confirm you'd like [Company] to call you about [topic]. You can opt out any time." When they click, your system logs the timestamp, IP address, and the page URL. This is cleaner for bulk prospecting because you get structured data instead of parsing email bodies by hand.
Either way, the flow has to be honest. If the headline promises a free resource and the consent hides four paragraphs down in 9-point gray text, that's the exact bait and switch the FCC says invalidates consent [2].
For text message marketing flows the rules are basically identical, worth keeping in mind if your team texts as well as calls.
What must the consent email say to be legally defensible?
Four things belong in every consent email.
1. Who is calling. Your legal company name, more than a brand or a rep's first name. The lead needs to know who they're authorizing.
2. What you're authorizing. Say it out loud: the lead is agreeing to receive a phone call from you. Don't tuck it inside a general "terms" link. Courts have struck down consent built on vague language.
3. That consent is optional. The FCC's 2013 rule is explicit: you cannot condition a purchase or a service on the consumer agreeing to be called [2]. An email that implies "agree to a call or you can't get the white paper" produces coerced consent, which is worthless.
4. How to opt out. Give a simple way to say no. That's good practice and it lines up with the do not call list rules the FTC and FCC enforce in parallel.
You don't need three paragraphs of boilerplate. A plain sentence does the job: "By replying YES, you agree that [Company Name] may call you at the number you provide. This is optional and has no effect on your access to [whatever you're offering]."
Keep the email short. Long emails with fine print at the bottom get challenged precisely because defendants can't prove the recipient ever saw the disclosure.
How should you document consent so it holds up in court?
Documentation is where most teams fall apart. Getting consent by casual email is one thing. Producing clean evidence 18 months later, when a plaintiff's attorney sends a demand letter, is another.
Your records need six things: the lead's email address, the exact text of the consent email you sent, the date and time you sent it, the lead's reply or click, the date and time of that action, and the phone number the consent covers.
For reply-based consent, forward every consent reply to a dedicated inbox (tcpa-consent@yourcompany.com) and archive it. Better yet, push those emails into your CRM with a tag like "TCPA_CONSENT" and log the phone number it applies to.
For click-based consent, your landing page platform should record IP address, timestamp, and the specific form version the person saw. Store that form version in version control so you can reconstruct exactly what language the person agreed to.
The FTC and FCC both put the burden of proving consent on the seller [3]. If your documentation can't survive a basic discovery request, treat the consent as if it doesn't exist.
Audit your records quarterly. People change numbers. Consent to call (555) 867-5309 does not extend to a new cell the same person gets six months later.
Does getting email consent mean you can use any dialing technology?
No, and this trips up a lot of teams. The TCPA's restriction on autodialers and prerecorded messages is what triggers the prior express written consent requirement in the first place [1]. If your team manually dials every call, one digit at a time, the autodialer prohibition doesn't apply to the call itself (though DNC rules still do).
The FCC definition of an automatic telephone dialing system (ATDS) has been fought over in court for years. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed it, holding that a dialer must use "a random or sequential number generator" to qualify [4]. That helped some defendants. It did not clear outbound sales teams running modern power dialers and predictive dialers, which often still qualify.
For a cold call made with a power dialer, email consent is your front-line protection. For a single-line manual dial from a rep's desk phone, the ATDS restriction doesn't apply, but the National DNC Registry rules do. Check the do not call telemarketer list requirements on their own.
Assume your dialing tech triggers the TCPA. That assumption is usually right, and the cost of being wrong is $500 to $1,500 per call.
What are the risks if your email consent process has gaps?
The risk is not theoretical. TCPA class actions are among the most frequently filed consumer protection suits in federal court, and the Judicial Panel on Multidistrict Litigation has consolidated hundreds of them [5].
For a small outbound team, the danger looks like this. A plaintiff (or a plaintiff's attorney trolling for cases) gets a call from your team, then claims they never consented. If you can't produce the consent email and the lead's affirmative response, you're defending a $500 to $1,500 per call claim with no paper trail.
Settlements in systemic TCPA cases often run between $500 and $1,500 per class member [5]. A team that made 1,000 calls to poorly documented leads could face a discounted settlement of $200,000 to $500,000. That's a company-ending number for most small shops.
State law adds another layer. Florida, Washington, and Oklahoma have all passed mini-TCPA statutes with per-violation penalties that stack on top of the federal claim [6]. The same email consent record that defends the federal case protects you in those too.
LeadCompliant's free compliance kit has a consent documentation checklist and sample email templates you can adapt to your outreach flow. Check the state law overlay before you finalize a template if you're calling into a state with its own statute.
How do you handle leads who don't respond to the consent email?
No reply, no call to the cell number. Full stop.
You can follow up with a second email after a reasonable gap (a week is typical). Two or three unanswered emails is a clear signal the lead isn't interested or isn't reachable at that address. Firing off 15 emails to squeeze out a consent reply is bad practice and unlikely to produce usable consent anyway. Courts may read a pattern of aggressive contact as evidence of bad intent.
There are other paths for non-responders. If you have a verified landline, you can call it under residential rules (live rep, no autodialer, between 8 AM and 9 PM local time per 47 C.F.R. § 64.1200(c)) after scrubbing against the National DNC Registry [7]. LinkedIn InMail and direct mail don't trigger the TCPA at all.
One more angle: check whether the lead already submitted a form on your site or someone else's with TCPA-compliant language. If they did, and the form language was specific enough to cover your calls, you may already hold consent independent of the email flow. That's a separate analysis, and you need the original form language in your records to rely on it.
Is there a difference between B2B and B2C email consent flows?
Yes in practice, though the TCPA itself creates no clean B2B exemption.
The statute applies to phone numbers, not to people acting in a commercial capacity. Courts have generally held that TCPA protections reach business cell phones [8]. So if you're calling a prospect's personal cell for a B2B deal, the full consent requirement applies.
Where B2B genuinely gets easier: most B2B prospects give you a desk phone or a VoIP direct-dial that isn't a cell. Landlines don't trigger the prior express consent requirement for autodialed calls (prerecorded messages to residential landlines have separate rules). And the DNC Registry exemption for existing business relationships is real.
For B2B outreach to cell numbers, your email consent process should look identical to B2C. The prospect is a person, the cell is protected, and you need documented consent. Don't let the B2B framing make you sloppy here.
For the underlying statute that governs all of this, the TCPA overview walks through the full framework and the relevant 47 U.S.C. § 227 provisions.
What does a compliant consent email sequence look like from start to finish?
Here is a sequence a small outbound team can actually run.
Email 1 (day 1): Introduce yourself. One sentence on why you're reaching out, one on what you'd cover in a call, then the consent ask with clear opt-in language. Example close: "If you're open to a 15-minute call, reply YES and I'll schedule at your convenience. No obligation, and you can opt out of future contact at any time."
Email 2 (day 8 if no reply): Light follow-up. Reference the first email, repeat the consent ask, keep it under 100 words.
Email 3 (day 20 if still no reply): Final outreach. Tell them you won't follow up after this, repeat the opt-in ask. Last attempt.
Once consent arrives: log it in your CRM right away with the lead's email, their reply text, the timestamp, and the phone number you'll use. Set a re-confirmation reminder. Consent doesn't technically expire under the statute, but FCC guidance and plain common sense say consent given 18-plus months ago for a call that never happened is getting thin.
After the call: if the lead says they don't want future contact, treat that as a DNC request and honor it within 30 days per 47 C.F.R. § 64.1200(d) [7]. Log the number on your internal do-not-call list the same day.
| Step | Action | What to log |
|---|---|---|
| Consent email sent | Send plain-language opt-in ask | Send timestamp, email address, email body |
| Lead replies YES | Capture reply | Reply timestamp, exact reply text, phone number |
| Lead clicks link | Capture click | Click timestamp, IP, form version ID |
| Call made | Dial with documented consent | Call timestamp, rep name, consent record ID |
| Lead says stop | Add to internal DNC | Date of request, number, rep who logged it |
Can you buy a list and use email consent to clean it before calling?
This is the question I hear most from teams using purchased lists, and the honest answer is: sort of, with real caveats.
Buying a list doesn't give you consent to call. It gives you email addresses and phone numbers, nothing more. Sending a consent email to those addresses before you dial is a legitimate way to build a consent record, and it beats calling everyone on the list cold.
The catch is deliverability and the CAN-SPAM Act. Cold outreach emails have to comply with CAN-SPAM (15 U.S.C. § 7704), which requires a physical mailing address, a working opt-out, and honest subject lines [9]. If your consent emails land in spam, you're not reaching anyone, and a consent record based on a delivered-but-ignored email is far weaker than one based on an actual reply or click.
For purchased lists, chase click-based consent over reply-based. Clicks are harder to fake or dispute. And scrub your list against the mobile phone do not call list and the National DNC Registry before you send the first email, because some people on purchased lists have already registered and expect silence.
Nobody has clean data on what share of purchased lists reach the inbox. Estimates I've seen range from 40% to 70% inbox delivery on cold purchased lists, but that spread is enormous and depends entirely on list source quality.
What should you do if someone replies to your consent email asking to be removed?
Honor it immediately and log it.
A reply that says "don't contact me," "remove me," or "unsubscribe" works at once as a CAN-SPAM opt-out and a TCPA do-not-call request. CAN-SPAM gives you 10 business days to stop sending commercial email [9]. TCPA and FTC telemarketing rules require honoring a do-not-call request within 30 days [7].
Honoring these within 24 hours is the only sensible policy. The legal deadlines are floors, not goals.
Log the request in your CRM: the requester's email, any associated phone number, the date, and the rep or system that processed it. Add the number to your internal DNC list. If you get the do not call list from the FTC, cross-reference it against your internal list every quarter.
One practical trap: if your CRM doesn't surface DNC status during outreach, people get called anyway. Make the internal DNC flag visible and hard to miss in the lead record. A hidden flag nobody checks is the same as no flag at all.
Frequently asked questions
Does an email opt-in actually satisfy TCPA prior express written consent?
Yes, if the email captures an affirmative action (a reply or a button click) and the language clearly discloses who will call, using what technology, and for what purpose. The E-SIGN Act treats electronic signatures as valid, so a typed reply or a tracked click satisfies the written signature requirement under 47 U.S.C. § 227. A passive opt-in like a pre-checked box does not.
How long is email-based TCPA consent valid?
The statute sets no expiration date, but FCC guidance says consent can be revoked at any time, and courts have found that stale consent (obtained years ago for a different purpose) may not hold up. A practical rule: re-confirm if more than 18 months have passed without contact, or if the lead's number changes. Document the re-confirmation the same way you documented the original.
Can a prospect revoke consent they gave by email?
Yes. The FCC confirmed in its 2015 declaratory ruling that consumers can revoke consent by any reasonable means, including a verbal request during a call, a reply email, or a text reply. Once revoked, you must stop calling immediately. Log the revocation in your CRM with a timestamp and the method used, then add the number to your internal DNC list.
What happens if someone replies YES but then disputes consent later?
Your saved email thread is your defense. Courts look at the substance of what was consented to and whether the language was clear. If your consent email used plain language disclosing who would call and why, and you have a timestamped reply from the lead's address, that evidence is strong. This is exactly why documentation matters more than the consent process itself.
Do you need email consent if you're calling landlines instead of cell phones?
The autodialer restriction in the TCPA applies specifically to cell numbers, not landlines. For landlines you still check the National DNC Registry and honor prior DNC requests, but prior express written consent for the call itself isn't required unless you're using prerecorded messages. Manual calls to landlines by a live rep carry the fewest restrictions, though the 8 AM to 9 PM local time rule still applies.
Is a pre-checked consent box in an email or web form good enough?
No. The FCC's 2012 rules explicitly rejected pre-checked boxes as valid prior express written consent. The consumer must take an affirmative, unchecked action. Courts have also rejected consent buried in terms-of-service links that force the consumer to navigate away from the main page to read it. Consent has to be conspicuous and voluntary.
What's the difference between prior express consent and prior express written consent?
Prior express consent (without 'written') applies to informational or non-telemarketing calls to cell phones using an autodialer. Prior express written consent (with 'written') is required for telemarketing calls. A sales call is telemarketing. So for any outbound sales call to a cell number using a power dialer or predictive dialer, you need the written version, which means a documented affirmative action from the lead.
Can you use the same email consent for both calls and texts?
Technically yes, if it explicitly says so. The form must disclose that you may contact the person via phone calls and text messages, using automated technology, for marketing purposes. Vague consent like 'we may contact you' probably doesn't cover both. Write separate disclosures for calls and texts, or combine them explicitly, and make sure the lead knows what they're agreeing to.
How do you handle purchased lists where you have no prior email relationship?
Send a CAN-SPAM-compliant cold email with a clear consent ask before dialing any cell numbers. Don't call first and ask forgiveness later. The email builds a consent record and filters out people who will opt out or complain. Cross-check the list against the National DNC Registry before sending emails too, since some purchased lists include registered numbers.
What should your internal DNC list include?
Every number from which you received an opt-out, every number that asked to be removed during a call, and every number belonging to someone who replied to a consent email asking not to be contacted. The FTC rule at 16 C.F.R. § 310.4 requires maintaining an internal DNC list and honoring requests for at least five years. Keep it as a searchable database, not a spreadsheet, so reps can check it before every call.
Are there state laws that go further than the TCPA on consent?
Yes. Florida's 2021 amendment to the Florida Telephone Solicitation Act requires a signed written agreement before any autodialed call or text, with stiffer per-violation penalties than federal law. Washington, Oklahoma, and Maryland have their own statutes. If you're calling into these states, your email consent form has to meet the higher state standard, more than the federal floor.
How often should you audit your consent records?
Quarterly at minimum. Check that every number you're actively dialing has a matching consent record, that the consent wasn't revoked, and that the record is complete (timestamp, lead address, phone number, form version). Also verify new numbers against the National DNC Registry every 31 days, which is the FTC's required scrub interval for most telemarketers.
Can someone else's prior consent transfer to your company?
Generally no. Consent is specific to the entity named in the disclosure. If a lead consented to calls from Company A and you acquired Company A's list, that consent likely doesn't cover calls from your company unless the original disclosure named successors or partners. The safest move is to re-obtain consent under your own brand before dialing.
What's the penalty for calling a number without documented consent?
Under 47 U.S.C. § 227(b)(3), statutory damages are $500 per violation for negligent violations and up to $1,500 per violation if the court finds the conduct willful or knowing. There's no cap per plaintiff in individual suits, and class actions can aggregate thousands of calls. Courts have awarded multi-million dollar judgments against defendants who called large lists without valid consent documentation.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibits autodialed or prerecorded calls to cell phones without prior express consent; damages are $500 per violation, up to $1,500 if willful
- FTC, Telemarketing Sales Rule 16 C.F.R. Part 310: Sellers bear the burden of proving consent and must maintain internal DNC lists honoring opt-out requests for at least five years
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an ATDS must use a random or sequential number generator; narrowed the definition but did not eliminate TCPA risk for power dialers
- U.S. Judicial Panel on Multidistrict Litigation, MDL Statistics Report: TCPA class actions are among the most frequently consolidated consumer protection cases in federal multidistrict litigation
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's 2021 FTSA amendments require signed written agreement before autodialed calls or texts and impose per-violation penalties that stack on top of federal TCPA claims
- FCC, 47 C.F.R. § 64.1200 (Delivery Restrictions for Telephone Solicitations): Residential calls restricted to 8 AM to 9 PM local time; do-not-call requests must be honored within 30 days; sellers must maintain internal DNC lists
- U.S. Court of Appeals, Soppet v. Enhanced Recovery Co., 679 F.3d 637 (7th Cir. 2012): Courts have held TCPA protections apply to the called party's cell number regardless of whether the call was for business or personal purposes
- FTC, CAN-SPAM Act: A Compliance Guide for Business: CAN-SPAM requires commercial emails to include physical address, honest subject lines, and opt-out mechanism honored within 10 business days
- FTC, National Do Not Call Registry, Information for Telemarketers: Telemarketers must scrub call lists against the National DNC Registry every 31 days
- U.S. Congress, Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. § 7001: E-SIGN Act provides that electronic signatures and records satisfy legal requirements for written signatures, supporting email-based consent as valid written consent