Jornaya TCPA compliance: how LeadiD consent data actually works

Jornaya's LeadiD captures and stores consumer consent events for TCPA defense. Learn how it works, what it proves, and where it falls short.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-09

Person at a sunlit desk reviewing documents related to TCPA compliance
Person at a sunlit desk reviewing documents related to TCPA compliance

TL;DR

Jornaya's LeadiD records a timestamped, third-party token the moment a consumer submits a lead form, capturing the consent language shown and the IP address used. That token becomes your primary evidence when a TCPA plaintiff claims they never consented. It does not guarantee immunity. It does shift the evidentiary burden hard in your favor.

What is Jornaya and what does it actually do for TCPA compliance?

Jornaya is a consumer journey intelligence company. Its flagship product, LeadiD, embeds a small JavaScript snippet into online lead-generation forms. When a consumer fills out and submits a form, LeadiD fires a server-side event that creates a unique token, records the timestamp down to the millisecond, captures the full text of the consent disclosure shown on the page, logs the IP address, and stores that record on Jornaya's servers [1].

The result is a third-party audit trail of the consent moment. Jornaya sits outside the publisher's system and outside the buyer's system. That matters enormously in litigation. When a plaintiff says 'I never agreed to be called,' you produce a record created by a neutral party showing exactly what language appeared on the screen, on what date, from what IP address.

That is the core of the product. Jornaya does not check whether the form met TCPA requirements before the token fires. It does not validate that the phone number entered belongs to the person who typed it. It records the event as it happened. Whether the consent language was legally sufficient is a separate question, and one Jornaya cannot answer for you.

The company was founded in 2011 and has processed billions of consent events, mostly in insurance, mortgage, education, and home services lead generation. Verisk acquired it in 2019 [2].

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, requires 'prior express written consent' before you place an autodialed or prerecorded marketing call, or send an automated marketing text, to a cell phone [3]. The FCC's 2012 TCPA Order tightened that requirement. It eliminated the established business relationship exemption for marketing calls and demanded consent be written, signed (electronic signatures count), and specific to the seller making contact [8].

The statute sets damages at $500 per violation, trebled to $1,500 for willful violations, with no cap in a class action [3]. One lead buyer calling 10,000 people without adequate consent documentation faces exposure that can reach eight figures before a case ever sees a courtroom. That math is why TCPA class actions keep settling for millions. The UnitedHealthcare TCPA case settled for $2.5 million. The Credit One TCPA settlement ran higher.

Proof of consent is your only real defense. Revocation claims, wrong-number claims, and 'I never gave that website my information' claims all collapse if you can produce contemporaneous, third-party evidence that the specific consumer submitted a form with compliant consent language at a specific time. Without that evidence you are arguing your word against the plaintiff's word. Plaintiffs' attorneys know juries lean toward the consumer.

The 2024 FCC one-to-one consent rule (Report and Order, CG Docket No. 21-402) went further, requiring that consent name the specific seller rather than a broad category of partners [5]. That change matters for Jornaya users. The consent language captured in the LeadiD token must now identify your company by name, not describe 'marketing partners.' If the token captures weak language, it is evidence against you, not for you.

How does the LeadiD token work step by step?

Here is the actual sequence.

1. A publisher (the lead form owner) installs Jornaya's JavaScript snippet on the page. 2. A consumer lands on the page. Jornaya's script loads and starts observing the session. 3. The consumer fills in fields: name, phone number, email. 4. The consumer clicks Submit. At that moment, Jornaya's servers receive a signal and create the LeadiD token, a unique alphanumeric identifier. 5. Jornaya captures a server-side record of the page's consent disclosure, the full text visible at submission. 6. The token, timestamp, IP, and consent text land on Jornaya's servers, accessible via API. 7. The publisher passes the token along with the lead record to the buyer (you). 8. You store the token alongside your lead data. 9. If litigation arises, you retrieve the token via Jornaya's API or request a certified report, and produce it as evidence.

The whole process adds negligible latency to form submission, typically under 200 milliseconds on a modern form [1]. The token travels with the lead. So if you buy leads from an aggregator who in turn bought from a publisher, the token should still be present, though its evidentiary value depends on whether the chain of custody is clean.

One practical friction point comes up constantly. Lead buyers often receive leads without the token, because the publisher never implemented Jornaya or did not pass the field. If your lead source cannot supply a LeadiD token for every record, you have a consent documentation gap. Jornaya cannot fill it after the fact.

Key TCPA numbers every lead buyer must know Statutory figures from 47 U.S.C. § 227 and FCC rulemaking 500 Statutory damages per viola… (base) 1,500 Statutory damages per viola… (willful) 4 Years: federal statute of limitations 2,024 Year FCC one-to-one consent rule adopted Source: 47 U.S.C. § 227 (Cornell LII); FCC Report and Order FCC 12-21

What does Jornaya actually prove in a TCPA lawsuit?

A Jornaya record proves that a form submission event happened on a specific IP address at a specific time, that the page displayed specific consent language at that moment, and that a third party independent of both publisher and buyer logged it. This is where practitioners overstate the product, so be precise about it.

Courts have treated this kind of contemporaneous third-party record as meaningful evidence. In several defense motions, LeadiD records have supported dismissal or summary judgment by establishing that a consent event occurred [6].

What a Jornaya record does not prove: that the person who submitted the form owns the phone number you called. It does not prove the number entered was accurate. It does not prove the consumer read the disclosure. It does not prove the disclosure met TCPA's legal requirements. That last one is your lawyer's job.

So if a plaintiff argues 'someone else filled out that form using my number,' Jornaya shifts the burden but does not end the dispute. The plaintiff now has to explain how their IP address and email ended up on that form. That is a hard argument to make. It is not impossible.

The 2024 FCC one-to-one consent rule adds another wrinkle. A verified token capturing consent to 'marketing partners' may no longer be enough if your company is not named specifically in the disclosure [5]. Plaintiffs' attorneys are already raising this in 2025 cases. Check your publishers' consent language now, before a demand letter arrives. You can follow ongoing TCPA news to track how courts apply the new rule.

What does Jornaya cost, and is it worth the money?

Jornaya does not publish a pricing page. Based on industry reports and practitioner discussions, pricing is volume-based and negotiated directly with sales. For high-volume lead buyers (tens of thousands of leads a month), monthly fees run from a few hundred dollars to several thousand, depending on API call volume and reporting access. Smaller buyers sometimes get LeadiD data through their aggregators, who bundle the cost into the lead price.

Is it worth it? My honest view: yes, if you buy leads at any real volume and call cell phones. The math is simple. One TCPA class action settlement costs you six figures minimum in legal fees plus a settlement fund. A year of Jornaya access costs far less. The product does not erase your risk. It gives your defense attorney something to work with.

Where teams waste money is treating Jornaya as a substitute for reviewing consent language. The token proves the event. Your counsel still has to prove the event was legally sufficient. Companies that nail the integration but never audit the actual disclosure text on their publisher pages have a false sense of security. You need both: a verified record of the consent moment, and language that meets TCPA standards.

If you generate your own leads through your own web properties, implementation costs less because you control the page. If you buy from third parties, the question that matters is whether every publisher in your supply chain has Jornaya installed and passes the token with every lead. Many do not.

The main rival is ActiveProspect's TrustedForm, plus a smaller set of compliance platforms with consent archiving features. Here is a direct comparison on the dimensions that matter for TCPA defense.

FeatureJornaya LeadiDActiveProspect TrustedForm
Third-party tokenYesYes
Page capture at submissionYes (server-side)Yes (client-side, more detailed)
Certificate storage durationConfigurable, up to several yearsConfigurable, up to several years
IP address captureYesYes
Consent text captureYesYes
Real-time API validationYesYes
Pre-integrated publisher networkLarge (especially insurance/mortgage)Large (similar verticals)
Pricing modelVolume-based, negotiatedVolume-based, published tiers available
Court acceptanceCited in multiple defense cases [6]Also cited in defense cases [11]

The honest answer: TrustedForm and LeadiD are more alike than different. TrustedForm captures a more granular replay of user interaction on the form, field by field, which some defense attorneys find more compelling [11]. LeadiD's edge is publisher network depth in certain verticals and the brand recognition of being around longer.

For a buyer purchasing from a diverse mix of publishers, the practical question is which tool your publishers already have installed. Requiring both on the same form is overkill and adds friction. Pick the one your supply chain uses, and standardize on it.

Neither tool replaces a compliance review of the consent language itself. Both are evidence tools. Not consent drafting tools.

Jornaya does not dictate the consent language you use. It captures whatever is on the page at submission. This distinction trips people up constantly.

Consent language requirements come from the TCPA, the FCC's implementing regulations at 47 C.F.R. § 64.1200, and increasingly from state mini-TCPA laws [8]. The FCC's 2012 Order specified that prior express written consent for marketing calls must include 'an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages,' and must identify the specific seller [8].

The 2024 FCC rule update goes harder: consent must name each seller individually. A disclosure that reads 'I consent to be contacted by insurance companies in our network' is now likely inadequate if your specific company name does not appear [5].

Compliant consent language for a lead form in 2025 should include the consumer's affirmative agreement (a checkbox they check, not pre-checked), the specific company name or names receiving consent, the contact methods covered (calls, texts, automated systems), a statement that consent is not a condition of purchase, and a reference to your privacy policy. The token captures whatever is on the page. If the page shows compliant language, the token is strong evidence. If the page shows vague language, the token documents an inadequate consent process.

Review your publishers' consent language at least quarterly. The one-to-one rule opened a wide compliance gap at many publishers who have not touched their forms since 2023.

How do you implement Jornaya LeadiD on your own lead forms?

If you own the lead form (you generate your own leads rather than buying them), implementation is straightforward.

1. Sign up with Jornaya and receive a Campaign Key, a unique identifier for your lead generation campaign. 2. Add Jornaya's JavaScript snippet to your form page, referenced in the page head or near the form element. 3. Add a hidden input field to your form to capture the LeadiD token the script generates at submission. 4. On submission, pass the token value through your lead processing pipeline and store it in your CRM or lead database alongside the phone number and other lead data. 5. Set up the Jornaya API connection so your team can pull token details (consent text, timestamp, IP) programmatically for compliance review or a legal response.

Jornaya's technical documentation provides the exact snippet and field names. A competent developer finishes the implementation in two to four hours on a standard web form. The harder part is changing your CRM and database schema to store and associate the token field reliably.

Some landing page builders like Unbounce and various lead management platforms have native or documented Jornaya integrations. Check before you build a custom one.

If you buy leads from third parties, the job is simpler in theory. Contractually require that every publisher in your supply chain have Jornaya (or an equivalent) installed and pass the token with every lead record. Then audit that requirement. Spot-check lead records to confirm tokens are present and valid. Contracts that require consent verification but are never audited give you false comfort and weak legal standing.

What are the biggest mistakes companies make with Jornaya?

The recurring errors cluster into a few categories, based on how lead buyers handle this in practice.

The biggest is buying leads without requiring the token. Teams sign up for Jornaya, assume they are protected, then call leads bought from publishers who never installed the tool. The token field in their CRM sits empty for 40 percent of records. In litigation, those empty records are your most vulnerable leads, and class action attorneys know to target them.

The second is not validating that the token is real. A lead vendor could generate a fake token or pass a recycled one from a different consumer. Jornaya's API includes a verification endpoint that confirms the token is genuine and matches the submitted data. If you are not running that check, you are trusting the vendor's integrity without testing it.

The third is assuming the consent language is fine because the publisher said so. Publishers have a financial incentive to sell leads, not to maintain legally compliant consent forms. The FCC's 2024 rule change [5] invalidated a huge number of forms using generic partner language. Your due diligence should include periodically visiting the actual submission page, clicking through as a consumer would, and reading what the disclosure says.

The fourth is poor data retention. If you get sued three years after calling a lead, you need the token still accessible and tied to the specific record. Align your Jornaya retention settings with your internal database retention policies. A token that expired or got purged is no defense at all.

LeadCompliant's free compliance kit includes a consent documentation checklist covering token storage, language auditing, and vendor contract requirements. Worth running through if you have not reviewed your setup recently.

Does Jornaya protect you against the 2024 FCC one-to-one consent rule?

No. Jornaya records the consent that was given. It does not fix consent that falls short of the rule. The FCC's 2024 Report and Order in CG Docket No. 21-402 requires that TCPA consent for marketing calls identify the specific seller, not a class of sellers. The rule was set to take effect in January 2025, though later legal challenges created uncertainty about implementation timing [5].

If the consent language on the page named 'up to 25 insurance providers,' the token captures that language, and that language may now be legally insufficient.

What Jornaya still gives you in the one-to-one world is valuable: proof the consumer submitted a form at all, proof of what language was shown, and a record you can use to argue good-faith reliance if the rule's status was legally uncertain at the time. The protection is thinner than under the pre-2024 framework, but it is not gone.

The practical response is to update your publishers' consent forms to name your company specifically, verify via the token that the updated language is what consumers actually see, and keep records showing when you made the change. If a consumer submitted a form after your language update and the token confirms the updated language was shown, you are far stronger than someone relying on old generic consent.

Courts are just starting to work through what the one-to-one rule means for existing consent records. The litigation landscape here will keep shifting through 2025 and 2026. Cases like the Truist Bank TCPA class action and the Cash App TCPA class action show what settlement exposure looks like when consent documentation fails.

How should small outbound teams use Jornaya without overspending?

If you are a small team calling fewer than 2,000 leads a month, full direct Jornaya API access may be more infrastructure than you need. Here is a tiered approach that keeps you covered without overspending.

First, if you buy leads from major aggregators in insurance, mortgage, or education, ask whether they already pass a Jornaya or TrustedForm token with every lead. Many do. Your cost is zero because the publisher or aggregator already paid for the integration. Your job is to store the token and know how to retrieve it.

Second, if you generate your own leads through paid search or social ads driving to landing pages, install Jornaya on those pages directly. At low volume the monthly cost is modest. The implementation is a one-time developer task.

Third, for any lead source that cannot provide a consent verification token, either stop buying from them or accept that those leads carry higher legal risk. Price that risk honestly. A lead without documented consent is worth less than a lead with it, no matter what the vendor charges.

Fourth, do not skip the consent language review just because you have the token. Use a resource like LeadCompliant's free TCPA compliance tools to check your disclosure text against current requirements before spending on third-party verification infrastructure.

Small teams skip this whole area because it feels like an enterprise problem. That is wrong. TCPA class actions have named companies with a few hundred employees. The statutory damages structure means plaintiff attorneys look for any company with a call volume large enough to make the math work, and 2,000 leads a month is well within that range. Look at what happened in the Albertsons/Safeway TCPA settlement. No organization is too big or too small to face exposure.

What should you do right now if you have been buying leads without Jornaya tokens?

Stop calling the records without documented consent. That sounds extreme. It is the legally defensible position. If you have a CRM full of leads with no consent verification token and no other contemporaneous consent record, every call adds potential TCPA liability.

For the existing records, your options are narrow. Suppress them entirely, or attempt to re-engage consent through a channel where you have clear legal standing (for example, an existing business relationship or a consumer who reached out to you directly). The second path is fact-specific and needs legal advice, not a compliance blog.

For going forward, require that any new lead purchase include a valid consent verification token. Add that requirement to your vendor contracts with a cure period and a termination right if the vendor does not comply. Build token validation into your lead intake so records without tokens get flagged or rejected automatically. Set a quarterly calendar reminder to visit your publisher pages and read the actual consent language.

Document everything. The date you made these changes, the communications with vendors, the updated contracts. If litigation arises over old records, showing the court you took remediation steps once you found the gap is relevant to willfulness, and willfulness is what drives the trebling of damages under the statute [3].

For an overview of what compliant text and call programs look like from the ground up, the articles on text message marketing and text messaging marketing cover the affirmative consent structure you should be building toward.

Frequently asked questions

Is Jornaya LeadiD accepted as evidence in TCPA lawsuits?

Yes. LeadiD records have been cited in TCPA defense filings and have supported summary judgment motions in multiple cases. Courts treat the token as contemporaneous third-party evidence of a consent event. It is not a guaranteed defense, but it is meaningful evidence that shifts the burden to the plaintiff to explain the gap between their claim and the token record.

What is the difference between Jornaya LeadiD and ActiveProspect TrustedForm?

Both capture a timestamped, third-party record of a consent form submission, including page text and IP address. TrustedForm offers a more detailed session replay of user interaction on the form. LeadiD has deep publisher network penetration in insurance and mortgage. For TCPA defense both are credible. Choose based on which tool your lead publishers already use.

No. Jornaya records whatever language was on the page at submission. It does not evaluate whether that language meets TCPA standards. Compliance with 47 U.S.C. § 227 and FCC regulations is your responsibility. A token capturing inadequate consent language is evidence of an inadequate process, not a defense.

Storage duration is configurable based on your account settings and contract. Jornaya offers retention periods that extend to several years. Since TCPA claims carry a four-year statute of limitations under 28 U.S.C. § 1658, configure retention for at least five years and confirm your internal database stores the token for the same period [10].

Can I use Jornaya for leads I generate through Facebook Lead Ads?

Facebook Lead Ads use a native form hosted inside Facebook's interface, so you cannot install Jornaya's JavaScript snippet directly on the form. Native Facebook lead forms are a known limitation. For TCPA compliance on Facebook Lead Ads, the primary consent mechanism is the form's disclaimer text, which you configure in Meta's Ads Manager. Document those form settings carefully.

What happens if a lead vendor passes me a fake or recycled Jornaya token?

Jornaya's API includes a validation endpoint that confirms a token is genuine and matches the associated data. If you are not running this validation on every inbound lead, you are trusting vendor integrity without checking it. Make API validation part of your lead intake process, and add contractual representations and warranties from vendors about token authenticity.

Not less useful, but it changes what the token needs to capture. The 2024 FCC rule requires consent to name the specific seller. If your publisher forms still show generic 'marketing partners' language, the token documents non-compliant consent. Update your disclosures to name your company specifically, then verify via token retrieval that the updated language appears correctly.

How much does Jornaya LeadiD cost per lead?

Jornaya does not publish per-lead pricing publicly. Industry practitioners report costs vary by volume and negotiated contract terms. High-volume buyers may pay fractions of a cent per token via API. Lower-volume buyers accessing tokens through aggregators may see the cost bundled into the lead price. Contact Jornaya directly for a quote based on your monthly lead volume.

Can Jornaya protect me if someone else entered a phone number on a form without the owner's knowledge?

This is the form fraud scenario. Jornaya records the IP address, timestamp, and submission data, but it cannot confirm the phone number belongs to the submitter. If a plaintiff credibly shows someone else entered their number, the Jornaya record may not stand on its own. Corroborating data such as matching email activity, geolocation, or browser fingerprinting strengthens the defense.

Do I need Jornaya if I only text, not call?

Yes. The TCPA's prior express written consent requirement applies to automated text messages to cell phones just as it applies to autodialed calls, per 47 U.S.C. § 227(b)(1)(A). Every consent-documentation benefit that helps in calling applies equally to texting. If you send marketing texts to leads generated online, document consent with a token just as you would for calls.

What contractual language should I use with lead vendors to require Jornaya compliance?

Your vendor contract should include a representation that every lead was generated with prior express written consent naming your company specifically, a requirement that a valid Jornaya or equivalent third-party token accompany every lead, an audit right to inspect publisher pages and token records, an indemnification clause covering TCPA liability from leads that lack compliant documentation, and a termination right for material breach of consent requirements.

How do I retrieve a Jornaya record if I get a demand letter?

Log into your Jornaya account portal or query their API using the LeadiD token stored in your CRM against the lead in question. Jornaya can also provide certified reports suitable for litigation. Have your legal counsel request the report and submit it through appropriate discovery or demand response channels. The record includes timestamp, IP, and the captured consent language from the submission page.

Is Jornaya required by law, or is it optional?

Jornaya is not required by any statute or FCC regulation. The TCPA requires that you obtain and document prior express written consent; it does not specify how. Jornaya is one method of creating that documentation. You could use other tools, internal logging systems, or recorded consent flows. Jornaya's advantage is third-party independence, which courts and opposing counsel find harder to challenge than self-created records.

Can I use Jornaya data to scrub against the Do Not Call registry?

No. Jornaya is a consent documentation tool, not a DNC suppression service. DNC scrubbing is a separate process: register with the FTC, access the National DNC Registry, and run your call lists against it before dialing. Consent and DNC compliance are separate legal requirements. You need both. A consumer can sit on the DNC registry even after submitting a form with valid consent.

Sources

  1. Jornaya, LeadiD Product Overview: LeadiD captures a timestamped, third-party token at form submission, recording IP address, consent text, and submission time.
  2. Verisk Analytics, Investor Relations / Press Release on Jornaya acquisition: Jornaya was acquired by Verisk in 2019.
  3. 47 U.S.C. § 227, Telephone Consumer Protection Act (Cornell LII): TCPA sets statutory damages at $500 per violation, trebled to $1,500 for willful violations, and requires prior express written consent for autodialed or prerecorded marketing calls to cell phones.
  4. WebRecon LLC, TCPA Litigation Statistics and Case Summaries: LeadiD records have been cited in TCPA defense filings and supported summary judgment motions in multiple federal cases.
  5. 47 C.F.R. § 64.1200, FCC Regulations Implementing TCPA (eCFR): FCC regulations at 47 C.F.R. § 64.1200 specify the consent requirements for automated marketing calls and text messages to wireless numbers, including that consent identify the specific seller.
  6. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: The Telemarketing Sales Rule imposes additional consent and disclosure requirements for telemarketing calls that operate alongside TCPA requirements.
  7. 28 U.S.C. § 1658, General Federal Statute of Limitations (Cornell LII): Federal civil claims, including TCPA claims where no shorter period is specified, carry a four-year statute of limitations.
  8. ActiveProspect, TrustedForm Product Documentation: TrustedForm captures a session replay of form interaction including field-level activity, alongside timestamp, IP, and consent text, for TCPA compliance documentation.
  9. Squire Patton Boggs, TCPA Class Action Review (annual publication): TCPA class action settlements in lead generation cases routinely reach seven to eight figures, with defense costs adding substantially to the total exposure.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit