IVR consent capture for prerecorded calls: TCPA legal requirements

TCPA requires prior express written consent before sending prerecorded calls. Learn exactly what IVR consent capture must include to hold up in court.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-11

Person taking notes during a phone call, representing IVR consent capture compliance review
Person taking notes during a phone call, representing IVR consent capture compliance review

TL;DR

Under 47 U.S.C. § 227 and the FCC's 2012 rules, you need prior express written consent before placing a prerecorded or artificial-voice call to any number for marketing. An IVR can capture that consent, but only if it discloses the prerecord nature, names your company, and gets an affirmative keypress or voice response. Miss one element and the whole consent is void.

What does the TCPA actually require before you play a prerecorded message?

You need prior express written consent before any marketing prerecorded call goes out. That is the rule. The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, prohibits initiating any call to a residential or wireless number using an artificial or prerecorded voice for marketing without "prior express written consent" of the called party. [1] That phrase has a specific legal meaning. Having a phone number, a prior business relationship, or a checkbox buried in your privacy policy does not cut it.

The FCC tightened the definition in its 2012 rulemaking, which took effect October 16, 2013. Before that date, an "established business relationship" could substitute for written consent on residential lines. That exemption is gone. Now every marketing prerecorded call needs written consent obtained before the call goes out. No exceptions for existing customers. [2]

Informational or non-marketing prerecorded calls to residential lines get an easier standard: "prior express consent," which does not have to be in writing. But the moment your message promotes a product or service, you are in written-consent territory. Most compliance teams draw a hard line and treat everything as marketing to skip the debate.

The statute text at 47 U.S.C. § 227(b)(1)(B) says it plainly: calls to residential lines using an artificial or prerecorded voice are prohibited unless the call is made "with the prior express consent of the called party." [1] Courts read that narrowly.

Prior express written consent has four required elements, and an IVR can capture all four if you build it deliberately. The FCC defined the term in 47 C.F.R. § 64.1200(f)(9): (1) a written agreement, which includes electronic form; (2) a clear and conspicuous disclosure that the consumer authorizes the seller to deliver prerecorded messages; (3) a statement that consent is not a condition of purchase; and (4) the consumer's signature, which the FCC says can be electronic, digital, a keypress, or a voice recording. [2]

Here is how each element maps to an IVR flow.

Element one, written agreement. An IVR creates a record when a caller presses a key or speaks a response. That keypress, combined with your call recording and a timestamp tied to the caller's ANI (Automatic Number Identification), qualifies as an electronic record under the E-SIGN Act and satisfies the "written" requirement. [3]

Element two, clear and conspicuous disclosure. The IVR script has to read the disclosure out loud, in plain language, before the consumer agrees. Short disclosures that reference "terms and conditions" without reading them fail. Courts have found disclosures buried in fine print or read too fast to be insufficient. [4]

Element three, not a condition of purchase. The IVR must say, somewhere in the flow, that agreeing to receive prerecorded calls is not required to buy anything or get a service. Short sentence. Legally mandatory.

Element four, signature equivalent. The consumer presses a specific key (or speaks a recorded affirmative response) after hearing the full disclosure. Pressing any key to advance a menu, before the disclosure is read, does not count. The affirmative action comes after the disclosure, and your system has to log the sequence.

Skip any one of these four and the consent is void. Courts do not give partial credit.

What specific language must the IVR script include?

The FCC has never published an approved script, which drives compliance teams crazy. What regulators and courts look for is whether a reasonable consumer hearing the IVR would understand they are agreeing to receive automated prerecorded marketing calls from a named company.

Here is what the script needs to cover, in plain terms:

1. Name the company. Not a brand or DBA alone. Identify the legal entity or the specific company placing the calls. If a lead generator is collecting consent for sellers, each seller should be named, or at minimum the consent should describe the category of callers and give consumers a real way to see the full list. [5]

2. Describe the call type. Say "automated prerecorded calls" or "prerecorded messages." "Future communications" or "follow-up calls" is not enough.

3. Provide the phone number being consented to. If you are collecting consent for a number the consumer just gave you, confirm it back to them in the IVR.

4. State that consent is not required to purchase. Non-negotiable.

5. Solicit an affirmative response. Something like: "Press 1 to agree, or stay on the line and we will not contact you by prerecorded call." Keep the opt-out path easy.

A script that does all five is much harder to attack in litigation. A script that says "By continuing, you agree to our terms" and plays a menu is a lawsuit waiting to happen.

One more thing: read the disclosure at a pace a human can follow. There is real litigation risk in disclosures delivered at chipmunk speed, and some plaintiffs' attorneys specifically test IVR systems for exactly this.

TCPA prerecorded call penalty tiers Statutory damages per violation under 47 U.S.C. § 227(b)(3) $500 Standard violation (per cal… $1,500 Willful or knowing violation (per call) $5M Example: 10,000-call campai… $15M Example: 10,000-call campai… Source: 47 U.S.C. § 227, Cornell Law School LII

Yes, and the distinction matters a lot. For wireless numbers, the TCPA restricts both autodialed calls and prerecorded calls. [1] The prior express written consent requirement applies to prerecorded marketing calls to cell phones the same way it applies to residential lines. Cell phones add a second layer: if you use an autodialer to deliver the prerecorded call, you need written consent for the autodialer use too. In practice, if you are blasting prerecorded messages, you are almost certainly using an autodialer, so the requirements merge.

For landlines, the written consent requirement is specific to marketing. Informational calls to landlines (appointment reminders, payment alerts, school notifications) historically needed only express consent, not written consent. The FCC has signaled interest in tightening these rules, and several state laws go further than the federal floor. [6]

The table below shows the consent tier by call type and line type.

Call TypeLandlineWireless (Cell)
Marketing prerecordedPrior express written consentPrior express written consent
Informational prerecordedPrior express consent (oral OK)Prior express written consent
Live agent, manual dialNo TCPA consent requiredPrior express consent if ATDS used
Emergency callsNo consent requiredNo consent required

When your IVR collects consent for a number the consumer provides, you often do not know at capture time whether it is a cell or a landline. So collect written consent for every number. Treating each one as wireless is conservative but defensible, and it costs you nothing.

Store enough to reproduce the exact consent event four years later. The TCPA does not specify a retention period, but litigation reality sets the standard. The statute of limitations for a TCPA claim is four years under 28 U.S.C. § 1658. [7] That means you need to produce a consent record at least four years after the call. Courts have awarded summary judgment against defendants who could not produce the specific consent record for the specific number called, even when the defendant claimed a valid consent program existed.

A defensible IVR consent record includes:

  • Timestamp (date, time, timezone) of the consent event
  • ANI or phone number that called in, or the number confirmed by the consumer during the IVR
  • Which specific IVR script version was played (version-control your scripts)
  • Which keypress or voice response was recorded
  • The audio file or a verbatim transcript of the disclosure played
  • A session ID or call ID that ties the record together

Store these in a system that resists tampering and produces reliable exports. A CRM note that says "called in, agreed" is not enough. You need the actual audio or a transcript, plus the metadata.

When a plaintiff's attorney sends a litigation hold letter or a pre-suit demand, the consent record for the disputed number is often the entire case. Have it, and you may get the case dismissed early. Fail to produce it, and you are settling. The cash app tcpa class action settlement shows how costly weak records get once a class is certified.

LeadCompliant's free compliance kit includes a consent record template and an IVR checklist you can run against your current scripts before your next campaign.

The same handful of mistakes show up over and over in TCPA litigation. None of them are surprising in hindsight, and all of them are easy to miss under launch pressure.

Mistake one: consent buried in a long IVR menu. If a consumer presses 1 to reach customer service and, somewhere in that call, a consent disclosure gets read with no specific affirmative response required, that is not valid consent. The consumer pressed a key to reach a human, not to consent.

Mistake two: batch consent for multiple sellers. A single IVR consent that says "you agree to be contacted by our partners" without naming the partners does not create valid written consent for each seller. The FCC has addressed this. Its 2023 one-to-one consent rule (set for January 2025 implementation, though courts and the agency have wrestled with the effective date) pushed toward requiring consent to name each seller individually. [5] Even before that rule, courts applying the 2012 standard found vague partner references insufficient.

Mistake three: no opt-out path. The IVR has to make declining easy. If the only way to end the call is to hang up, with no clear keypress to reject the consent, some courts have found the consent coercive or invalid.

Mistake four: using old consent for new call types. You collected consent in 2021 for prerecorded calls about product A. In 2024 you start calling about product B. The original consent may not cover the new purpose, depending on how specifically your disclosure described the content of future calls.

Mistake five: no version control. Your IVR script changes, but you cannot prove which version a specific consumer heard. When a plaintiff challenges the adequacy of the disclosure, you need to show exactly what played on the date of capture.

The credit one tcpa settlement shows what happens when consent documentation is weak at scale.

As of mid-2025, the one-to-one consent rule is not in effect at the federal level, but the practical standard behind it still applies. The FCC adopted the rule in December 2023, requiring that prior express written consent for telemarketing calls identify the specific seller making the calls, so consent obtained through a lead generator or third-party IVR covers only one seller at a time. [5] The intent was to close the "consent farms" loophole where a single consumer checkbox got sold to dozens of sellers.

The effective date got contested. The FCC set January 27, 2025. An Eleventh Circuit order in January 2025 vacated the one-to-one consent provision, holding it exceeded the FCC's statutory authority under the Loper Bright framework. [8] So the rule is dead for now, but the ground is unsettled.

Practical takeaway: even without the vacated rule, the pre-existing FCC standard still requires that the consenting party know which company will be calling. If your IVR captures consent for a seller network with no identification of the callers, you are already on shaky ground under the 2012 rules. The vacated 2023 rule just would have spelled that out. Courts applying the existing rules have reached similar conclusions in individual cases.

If you are in lead generation and your IVR collects consent you then sell or transfer to buyers, get real legal counsel before your next campaign. This corner of the law is genuinely unstable, and getting it wrong is expensive. The TCPA allows $500 per call in statutory damages, and $1,500 per call if the violation is willful. [1] A 10,000-call campaign with bad consent is a $5 million to $15 million exposure.

For teams running their own outbound cold calling campaigns, the rules are simpler: your IVR captures consent for your company's calls, you name your company, you follow the four elements.

Yes, but only if the disclosure explicitly names text messages. A consent that says "prerecorded calls" does not automatically extend to SMS. To cover both with one IVR consent, the script needs to say something like "automated prerecorded calls and text messages."

The TCPA's text rules largely mirror the call rules. The FCC has treated SMS as a "call" under the statute since 2003. [2] Prior express written consent is required for marketing texts, same as for marketing prerecorded calls. The consent must describe the nature of the communications being consented to, and a disclosure mentioning only calls does not reach texts.

If your IVR captures consent for a campaign that might include both calls and texts, draft the script to cover both. It costs nothing extra and closes a coverage gap. For more on SMS-specific consent, see text message marketing.

One extra point for texts: CTIA guidelines and most carrier terms require a clear opt-out in text messages (typically STOP), separate from whatever consent mechanism you used at capture. That is a carrier-level requirement stacked on top of the TCPA floor.

The abstract requirements only click when you see them sequenced. So here is a compliant flow, step by step.

Step one: the consumer dials in or gets connected to your IVR. At the start of the interaction, before any consent language, the IVR identifies your company by legal name.

Step two: the IVR delivers the disclosure at a normal speaking pace. A compliant version: "[Company Legal Name] would like your permission to contact you at [number] using automated prerecorded calls and text messages about [description of products/services]. Agreeing is not required to make a purchase or receive service."

Step three: the IVR solicits an affirmative response. "Press 1 to agree and continue. Press 2 or stay on the line if you do not agree."

Step four: if the consumer presses 1, your system logs the timestamp, the ANI, the script version, and the audio. If they press 2 or do nothing, no consent is recorded and no marketing calls go out.

Step five: your system stores the record in a searchable database keyed by phone number, tied to a campaign ID. When a call goes out, your dialer checks for a valid consent record before placing it.

Step six: if a consumer later revokes consent, that revocation gets logged with a timestamp and the number drops from future campaign files. The TCPA lets consumers revoke consent at any time, through any reasonable means. [9]

That flow is not complicated. It is mostly a scripting and systems integration problem. The expensive part is building the logging infrastructure and keeping it alive across campaigns. Teams that skip the logging are the ones who end up in arbitration unable to prove consent.

Revocation is legally simple and operationally annoying. A consumer can revoke prior express written consent at any time, and the revocation can arrive through any reasonable channel: a verbal request to a live agent, a text reply of STOP, an email, a web form, or a letter. [9] The FCC clarified in 2015 that callers cannot restrict revocation to a single method. You cannot tell a consumer "you must call our hotline to opt out" and then ignore a STOP text.

Once a consumer revokes, you have a reasonable time to process it. The FCC has not attached a specific number of hours to "reasonable time," which leaves ambiguity. Industry practice is to process revocations within one business day, and some compliance teams target same-day for any revocation that lands before a calling window opens. Since automated systems can update records in minutes, courts may not look kindly on "processing delays" measured in days.

For IVR-captured consent, your architecture should let a revocation from any channel update the same database your dialer queries before placing calls. Store consent in one system and revocations in another that never feeds back to the dialer, and you will call people who opted out. That is a willful violation under the TCPA, which triples the damages. [1]

Checking numbers against the do not call list is a separate but related obligation. A consumer on the National DNC Registry who never gave you consent should not be in your IVR consent flow at all. And a consumer who gave IVR consent but later registers on the DNC raises a question of whether DNC registration counts as revocation. The safe answer: treat it as revocation and stop calling.

What are the penalties for TCPA violations involving prerecorded calls?

47 U.S.C. § 227(b)(3) sets the base penalty at $500 per violation, with willful violations carrying up to $1,500 per call. [1] Each individual call or text counts as a separate violation. There is no cap in the statute, which is why TCPA class actions can produce nine-figure judgments and settlements.

The statute lets private plaintiffs sue, state attorneys general sue on behalf of residents, and the FCC bring its own enforcement actions. In practice, private class action litigation drives most TCPA enforcement. Plaintiffs' attorneys run automated systems that scan for violations, and they regularly test IVR flows to collect evidence of defective consent.

FCC enforcement tends to target the biggest violations. The agency has issued multi-million dollar forfeitures against robocall operators. Individual companies making prerecorded calls with facially defective consent programs are more likely to face private litigation than an FCC action.

Across major public settlements, TCPA cases involving prerecorded calls and disputed consent have settled around $10 to $50 per class member, with total settlement funds running from a few hundred thousand dollars to several hundred million depending on call volume. [4] These are settlement figures. They do not reflect the full statutory exposure, which runs higher.

The do not call telemarketer list obligations stack on top of consent requirements. Calling a DNC-registered number without consent is a separate violation that compounds your exposure.

Are there state law requirements that go beyond the federal TCPA for IVR consent?

Yes. Several states have passed their own telephone solicitation and consent laws that go past the TCPA. Florida's Telephone Solicitation Act, effective July 1, 2021, prohibits automated calls and texts for solicitation without prior express written consent, covers calls to any number (not only wireless), and lets any Florida resident sue. [6] Florida's law set off a surge of litigation against companies using automated systems.

California's rules also deserve a flag. The California Consumer Privacy Act intersects with consent practices because consent records may count as personal information subject to data subject access requests. If a California consumer asks to see your consent records for their number, you may have to produce them.

Other states with meaningful additions to the federal floor include Washington, Texas, and Oklahoma, each with specific rules around automated calls and consent documentation. The state-level trend runs toward stricter, not looser.

For any company with a national calling program, checking federal compliance alone is not enough. You need a state-by-state assessment, or at minimum a check of the highest-risk states where your call volume is heaviest. This is where a compliance attorney earns the fee.

The LeadCompliant compliance kit includes a state law summary table that flags the states with materially stricter consent rules. Reasonable starting point before you bring in counsel.

Frequently asked questions

Does a verbal agreement over the phone count as prior express written consent for prerecorded calls?

No. The FCC's definition of prior express written consent requires a written or electronic agreement with a consumer signature or equivalent, such as a keypress or voice recording that the system logs as an affirmative response. A verbal "yes" on a recorded line satisfies prior express consent for informational calls but not the written consent standard required for marketing prerecorded calls. [2]

The TCPA does not specify a retention period, but the four-year federal statute of limitations under 28 U.S.C. § 1658 effectively sets the floor. Keep consent records for at least four years from the date of the last call made under that consent. Many legal teams recommend five years as a buffer. Records should include the timestamp, phone number, script version played, and the consumer's affirmative response. [7]

You can list multiple companies in the consent disclosure, but each company must be identified clearly enough that a consumer knows who will be calling. Vague references to 'partners' or 'affiliates' are consistently challenged in litigation. The FCC's 2023 one-to-one consent rule would have required individual seller identification, and even though the Eleventh Circuit vacated that rule in early 2025, existing FCC guidance still requires the consumer to know who is calling. [5][8]

What happens if a consumer calls my IVR but hangs up before the consent keypress?

No consent is created. The affirmative keypress or voice response must occur after the full disclosure is read. A call that ends before that point leaves no valid consent record, and the number should not be added to your calling list for prerecorded messages. Your system should only write a consent record when the affirmative step is logged, not when the call is answered.

The TCPA's restrictions apply to the party initiating the outbound call or message. If a consumer calls your IVR, that inbound call is not a TCPA violation. The issue is whether the IVR consent you capture during that inbound call is valid for the outbound prerecorded calls you make later. The inbound interaction is how you collect consent; the outbound call is where the legal requirement bites. [1]

Yes. The FCC confirmed in 2015 that consumers can revoke consent through any reasonable means, including a STOP text, a verbal request to a live agent, an email, or a web form. You cannot limit revocation to a single channel. Once a consumer revokes, calls under that consent must stop promptly. Same-day processing is the practical standard most compliance teams follow to avoid placing calls after a revocation. [9]

It can be, but only if the IVR reads a clear, conspicuous disclosure and the consumer takes an affirmative action after hearing it. Calling about a billing question and pressing a key to reach an agent does not create marketing prerecorded call consent. The consent disclosure must stand apart from the main purpose of the call, and the keypress that creates consent must be tied to the disclosure, not to moving through the menu.

Not necessarily separate, but the IVR disclosure must explicitly name each communication type you plan to send. A disclosure that says only 'automated prerecorded calls' does not cover SMS. If you plan to use both channels, the script should say 'automated prerecorded calls and text messages.' One disclosure covering both is legally sufficient if both are named and the consumer affirmatively agrees.

What is the penalty for placing a prerecorded marketing call without valid IVR consent?

The TCPA sets statutory damages at $500 per call for standard violations and up to $1,500 per call for willful or knowing violations. [1] There is no statutory cap, which means a large calling campaign with defective consent can expose a company to millions in liability. Courts also allow class certification, which multiplies individual $500 violations across all affected consumers.

Does having a consumer on my contact list from a previous transaction give me consent to send prerecorded calls?

No. The established business relationship exemption for residential landlines was eliminated by the FCC effective October 16, 2013. [2] Prior transactions create no implied consent for marketing prerecorded calls. You need affirmative prior express written consent, collected through a compliant mechanism like an IVR, web form, or written document, before placing any marketing prerecorded call regardless of prior relationship.

The FCC does not require a human voice. An automated IVR can read the disclosure. What matters is that the disclosure is intelligible, delivered at a pace a reasonable consumer can follow, and contains all required elements before the affirmative keypress is solicited. An automated voice reading a legally sufficient script at a normal pace satisfies the requirement. A sped-up disclosure read by an automated voice has been challenged in litigation.

Yes, in several states. Florida's Telephone Solicitation Act (effective July 1, 2021) requires prior express written consent for automated calls to any number, not only wireless, and expands the private right of action. [6] California, Washington, Texas, and others add requirements beyond the federal floor. If your campaigns reach multiple states, a state-level review is necessary, not optional.

Does the TCPA apply to B2B prerecorded calls, or only consumer calls?

The TCPA's wireless number restrictions apply regardless of whether the recipient is a business or a consumer. If you are calling a cell phone, the consent requirements apply even for B2B outreach. For landline business numbers, the TCPA's residential line restrictions technically do not apply, but state laws and FCC rules on deceptive practices can still create exposure. Most compliance teams require consent for cell numbers universally.

Talk to a TCPA defense attorney immediately. Inability to produce a consent record is one of the strongest fact patterns for a plaintiff and one of the weakest for a defendant. Do not destroy any records that might be relevant. Preserve everything in the relevant campaign and calling system. Courts have awarded sanctions for spoliation in TCPA cases. The absence of a record is not always fatal, but it changes the litigation calculus significantly.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits prerecorded marketing calls without prior express written consent; $500 per violation, $1,500 for willful violations
  2. FCC, 2012 TCPA Rulemaking (FCC 12-21), 47 C.F.R. § 64.1200: FCC eliminated the established business relationship exemption for residential prerecorded calls effective October 16, 2013; defined prior express written consent at 47 C.F.R. § 64.1200(f)(9)
  3. U.S. Code, 15 U.S.C. § 7001, Electronic Signatures in Global and National Commerce Act (E-SIGN): E-SIGN Act provides legal validity for electronic signatures and records, supporting IVR keypress as equivalent to a written signature
  4. FTC, National Do Not Call Registry Data Book FY 2023: TCPA class action settlement value context; robocall complaint volumes used as proxy for enforcement activity
  5. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's Telephone Solicitation Act, effective July 1, 2021, requires prior express written consent for automated solicitation calls and texts to any number, not only wireless
  6. U.S. Code, 28 U.S.C. § 1658, four-year federal statute of limitations: Four-year statute of limitations applies to TCPA claims, setting the practical minimum for consent record retention
  7. U.S. Court of Appeals, Eleventh Circuit, Insurance Marketing Coalition v. FCC, January 2025: Eleventh Circuit vacated the FCC's one-to-one consent rule in January 2025, finding it exceeded the FCC's authority under the Loper Bright framework
  8. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Telemarketing Sales Rule requirements that interact with TCPA consent obligations for outbound marketing calls

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit