Lead vendor contract clauses that protect you from TCPA liability

TCPA suits can cost $500, $1,500 per call. These lead vendor contract clauses shift liability, require consent proof, and protect your business before you dial.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-09

Two professionals reviewing a lead vendor contract at a conference table
Two professionals reviewing a lead vendor contract at a conference table

TL;DR

Buy leads and dial them, and TCPA liability can land on you even when the vendor caused the mess. The right clauses shift that risk back. You want a consent warranty that names your company, indemnification that survives termination, DNC scrubbing obligations, audit rights, and consent records the vendor must hand over in 72 hours. Skip them and you stand alone in court.

Why does your lead vendor's contract matter for TCPA liability?

The FCC and the courts hold the party who initiates or authorizes a call responsible under the Telephone Consumer Protection Act, 47 U.S.C. § 227 [1]. You dialed. You texted. So you're on the hook, even when the lead vendor faked a consent record or lied about getting permission.

Statutory damages run $500 per violation for negligent violations and up to $1,500 per violation for willful ones [1]. Class actions have settled in the tens of millions. The cash app tcpa class action settlement and the credit one tcpa settlement show how fast those numbers stack once a company contacts big lists without airtight consent.

The vendor relationship does not insulate you. Courts have found that a company cannot launder liability through a third party when it kept control over how leads were contacted or failed to verify the consent it relied on. FTC guidance and later FCC rulings both say downstream callers bear responsibility for the consent claims they accept [2].

A solid contract does two jobs. It creates an obligation the vendor must meet, so a breach gives you recourse. And if a plaintiff or the FCC comes after you, the contract is proof you took reasonable steps to comply. That matters for the willfulness analysis that decides whether damages triple.

What should an indemnification clause look like in a lead vendor contract?

Indemnification is the clause that says: if your mess causes my lawsuit, you pay for it. Most vendor contracts have one. Almost none have one that actually works for the buyer.

A strong indemnification clause needs four things.

It has to be specific. Generic language covering "any breach of this agreement" is a starting point, but you want the clause to name the TCPA, state telemarketing laws, and DNC violations out loud. Courts sometimes read broad indemnification clauses narrowly. Don't let a judge decide the general language was never meant to cover a $14 million TCPA class action.

It has to cover third-party claims, not only your direct losses. If a class of consumers sues you, your defense costs and any settlement need to be covered. Push for language like: "Vendor shall indemnify, defend, and hold harmless Buyer from any third-party claims, damages, fines, penalties, and reasonable attorney fees arising out of Vendor's breach of its representations regarding consumer consent."

It has to survive termination. Consent disputes surface months or years after a campaign ends. If the indemnification expires when the contract does, it's nearly worthless for long-tail TCPA exposure.

And it has to sit behind money that exists. A shell LLC with no assets promising to indemnify you for millions means nothing. Require the vendor to carry errors and omissions or general liability coverage at a stated minimum (often $1 million per occurrence, $2 million aggregate for vendors moving real lead volume), and to name you as an additional insured.

This is the most important clause in the contract and the one vendors fight hardest. Push through the resistance.

A consent warranty is a contractual promise that every lead has given the legally required consent for the exact type of contact you plan to make. Since 2013, FCC rules have required "prior express written consent" for autodialed or prerecorded calls and texts to cell phones for telemarketing [3]. The consent must be clear and conspicuous, include the phone number to be called, and never be a condition of purchase.

The FCC's one-to-one consent rule, adopted in its December 2023 order, tightened this further. A consumer's consent to hear from "marketing partners" on a lead gen site is no longer enough [4]. Consent has to name your company, or you cannot rely on it. That rule gutted the model of aggregators who sold the same consent record to dozens of buyers.

Your consent warranty clause should require the vendor to warrant, in writing, that:

  • Each lead has provided TCPA-compliant prior express written consent that names your company (or trade name) as a potential caller.
  • The consent was obtained through a disclosure that meets FCC requirements: not buried in terms of service, not pre-checked, not bundled with unrelated consents.
  • The vendor holds records of when, where, and how consent was obtained for each lead and will produce them within 72 hours of a request.
  • The consent is still valid at delivery, meaning the consumer has not revoked it.

That last point matters. Consent can be revoked by any reasonable means at any time, per the FCC's 2015 declaratory ruling [5]. A vendor sitting on a year-old list is potentially selling you consent that's already dead.

For text message marketing campaigns, the requirements apply with equal force. Running SMS? Make the warranty say "text messages" out loud, more than voice calls.

TCPA exposure at a glance Key numbers every lead buyer should know before signing a vendor contract 500 $500 per call/text (neglige… TCPA violation) 1,500 $1,500 per call/text (willf… TCPA violation) 249M 249M+ registered DNC numbers nationwide 4 4-year federal statute of limitations Source: 47 U.S.C. § 227; FTC DNC Data Book FY2023; 28 U.S.C. § 1658

A vendor's verbal promise that leads are consented is worth nothing in court. Documentation is the whole game.

The contract should require the vendor to retain, for at least five years (some attorneys push longer given TCPA's four-year limitations period under 28 U.S.C. § 1658 [6]), the following for each lead:

  • The URL or app screen where consent was collected.
  • A timestamp accurate to the second, with time zone.
  • The IP address of the device that submitted the form.
  • The exact disclosure language shown to the consumer at the moment of consent.
  • A screenshot or capture of the opt-in form as it looked on the date of collection, because vendors update their sites and the old disclosure vanishes.

Require production inside a fixed window. Seventy-two hours is reasonable, triggered by any consumer complaint or legal demand. Contracts that say "records will be available upon request" with no deadline are easy to stall.

A vendor who won't agree to these terms is telling you something. Walk. The ones who resist are usually the ones whose consent collection is weakest.

Build your own verification layer on top. When a lead comes in, ping it with a confirmation text or email that double-confirms the contact's info and intent. Now you have a consent record that doesn't live or die on the vendor's paperwork.

Should lead vendor contracts address DNC scrubbing?

Yes. Plenty of buyers skip this clause because they figure they'll scrub on their own end. You should scrub on your end. You should also make the vendor deliver pre-scrubbed leads.

Here's why. The FTC's National Do Not Call Registry holds over 249 million registered numbers as of fiscal year 2023 [7]. Calling a registered number can violate both the Telemarketing Sales Rule and the TCPA. Even if you scrub before you dial, buying leads already on the DNC burns your money and tells you the vendor's list hygiene is bad across the board.

The contract should require scrubbing against the National DNC Registry within 30 days before delivery. That tracks the 31-day rule, since registrations take effect within 31 days and callers must scrub within that window [11]. Require scrubbing against relevant state DNC lists too, because states like Florida (whose Telemarketing Act carries its own list and its own penalties) and Indiana run their own registries [8].

For the broader picture, see the guides on the do not call list and on mobile phone do not call list registrations.

Add a warranty that no delivered lead sits on your company-specific internal DNC list. If a consumer once told your company to stop calling, any vendor who somehow spins up a fresh lead from that same person is handing you a trap.

What audit rights should you have over a lead vendor?

An audit right lets you inspect the vendor's compliance practices instead of taking their word for it. Most vendors accept a limited audit right when you frame it fairly.

At minimum, the contract should give you the right to:

  • Request and receive complete consent documentation for any individual lead within 72 hours.
  • Run an annual audit of the vendor's consent collection practices, directly or through a designated third party.
  • Review a sample of opt-in forms and disclosures actually live on the vendor's lead gen properties.
  • Access logs showing which scrubbing vendor was used and the dates lists ran against the DNC Registry.

For higher-volume deals (say, more than 5,000 leads a month), negotiate a live or screen-share walkthrough of the consent flow before any campaign starts. Watching the real opt-in page render on mobile, with the disclosure as the consumer actually sees it, catches problems no document review will.

If a vendor claims their consent process is proprietary and off-limits, that's a deal-breaker in my view. There's no honest reason to hide a compliant consent flow. The ones who hide it are hiding a problem.

Audit rights are only worth what you do with them. Set a real schedule: review consent records for a random 1 to 2 percent sample each quarter. If something looks off, pull a bigger sample and write down what you found. That paper trail matters if litigation follows.

How should a lead vendor contract handle representations about how consent was obtained?

The consent warranty covers the legal standard. You also want representations about the mechanics, how the consent was actually gathered. These catch a wider band of vendor misconduct.

Require written reps that:

  • Leads were not collected through deceptive ads, fake prizes, or misleading landing pages that hide what the consumer is signing up for.
  • No pre-checked consent boxes were used. Pre-checked boxes do not create valid TCPA consent under FCC rules [3].
  • Consent was not a mandatory condition of some unrelated free service. Conditioning consent invites factual disputes you don't want.
  • The person who submitted the form holds the phone number provided. Appended or purchased numbers the consumer never typed cannot carry consent.

That last one deserves a moment. Some vendors collect a name and email, then append a phone number from a data broker. The consumer never gave that number to anyone. Calling it under the banner of "consent" is exactly the practice the FCC targets in enforcement. The vendor's rep that the number came straight from the consumer, paired with the IP and timestamp record, gives you something to stand on when the question comes up.

What happens if a lead vendor breaches these contract terms?

Spell out the consequences, or enforcement turns into a negotiation you might lose.

Liquidated damages earn their keep here. If the vendor delivers a lead that lacks compliant consent and you catch a TCPA claim over it, the statutory exposure is $500 to $1,500 per call or text [1]. The contract can set a per-lead fee (say, $1,000 per non-compliant lead discovered or claimed against) as liquidated damages. Courts enforce liquidated damages clauses that reflect a reasonable estimate of actual harm, not a penalty. Given TCPA exposure, $1,000 per lead is easy to justify.

Termination rights matter too. Give yourself the right to walk immediately, without penalty, if the vendor materially breaches the consent warranties or blows the documentation deadline. Without that, you can be stuck taking risky leads while the dispute drags.

Chargeback rights are fair to ask for. Discover a batch missing documentation, and you should be able to return it for a full refund instead of eating dead inventory.

Name the governing law and the dispute mechanism. If you're in California and the vendor is somewhere else, say which state's law controls and whether disputes go to arbitration or court. TCPA cases often stack state law claims on top, and a clear forum clause heads off an expensive fight over jurisdiction.

Are there specific clauses for ATDS and prerecorded call compliance?

If you use an autodialer or predictive dialer, or send texts through automated systems, the TCPA's autodialer rules (the ATDS rules) apply on top of the general consent requirements.

The Supreme Court's 2021 decision in Facebook v. Duguid narrowed the ATDS definition to systems that use a random or sequential number generator to produce or store numbers, then dial them [9]. That was a real win for callers, but it did not end liability. Prerecorded voice calls to cell phones still require prior express written consent no matter how the dialer works [1].

Your vendor contract should include a rep that leads came from consent flows disclosing the possible use of automated dialing or prerecorded messages. The FCC requires the consent disclosure to specifically authorize autodialed or prerecorded calls. Generic permission to "contact" a consumer is not enough [3].

For teams doing serious cold calling or cold call outreach with predictive dialers, the ATDS analysis adds a compliance layer the vendor's consent records have to speak to.

If your platform functions as an ATDS under any plausible reading, require the vendor to rep that opt-in forms carried explicit language like: "by submitting this form, you consent to receive autodialed calls and/or prerecorded messages at the number you provide."

What does a compliant lead vendor contract clause checklist look like?

Here's the working summary of provisions a well-protected buyer should have. Use it as your baseline before you sign anything.

ClauseMinimum StandardBetter Standard
Consent warrantyStates leads have "prior express written consent"Names your company specifically per FCC 2023 one-to-one rule
Consent documentationAvailable on requestDelivered within 72 hours, retained 5+ years
DNC scrubbingNational registry within 31 daysNational + state registries + internal DNC, within 30 days of delivery
IndemnificationCovers third-party TCPA claimsCovers defense costs, settlements, fines, survives termination
InsuranceVendor carries E&O or GLMinimum $1M per occurrence, buyer named as additional insured
Audit rightsRecords available on requestAnnual audit right + 72-hour record delivery + sample reviews
Termination rightStandard breach provisionsImmediate termination on consent breach, no penalty
Liquidated damagesNone (common)Per-lead fee tied to TCPA statutory exposure
ATDS/prerecorded disclosureGeneral consent languageExplicit authorization of automated/prerecorded contact
Governing lawNot specified (risky)Buyer's state law, clear forum clause

The tools and checklists at LeadCompliant help you spot gaps in agreements you've already signed, and the free compliance kit covers this exact checklist in a ready-to-use format.

Notice the pattern in the "better standard" column. It's specificity. Every clause that fails in litigation fails because it was too vague to enforce.

Can you reduce your exposure by verifying leads yourself before calling?

Yes, and do it no matter what your vendor contract says. The vendor's breach does not erase your TCPA liability. It just gives you a path to recover from the vendor after the fact.

Before any outbound campaign, run the list through the National DNC Registry yourself. FTC and FCC rules require callers to check the registry no more than 31 days before calling a number [11]. Your own date-stamped scrub log is independent evidence of good-faith compliance.

For cell numbers, check your own internal DNC list for prior revocations. The do not call telemarketer list obligations apply to both inbound revocation requests and your purchased lists.

A phone validation step catches disconnected or reassigned numbers before you dial. The FCC's Reassigned Numbers Database, created under its 2018 order, lets callers check whether a number has been reassigned to a new consumer since the consent was given [10]. Calling a reassigned number is calling someone who never consented, even if the original subscriber did.

Keep your own copies of the consent documentation the vendor provided for every lead you contact. Don't rely on the vendor to hold the only copy. If they fold or go quiet, you need your own records to defend yourself.

What should you do if you already have a vendor contract without these protections?

Stop panicking and start amending. Contracts aren't frozen, and most vendors negotiate amendments when the alternative is losing your business.

Send a written amendment request adding, at minimum, the consent warranty, the documentation requirement, and the indemnification clause. Frame it as a compliance update, not an accusation. Reputable vendors read the environment and accept reasonable terms.

If the vendor refuses any meaningful consent warranty, that's your clearest signal to find a different one. The refusal tells you exactly what their consent practices look like.

While you negotiate, slow or pause outreach on lists from that vendor until you've verified a sample of the consent records yourself. Pull 20 to 30 records at random and check them against the criteria above: timestamp, IP, URL, disclosure language. If records are missing or thin, treat the list as high-risk.

Document every attempt to get the warranty in writing. If litigation follows and you're arguing good faith, showing that you asked for compliance documentation and the vendor refused helps establish you were the reasonable party.

For exposure beyond federal rules, the state laws section covers mini-TCPA statutes in Florida, Texas, Oklahoma, and others that stack extra requirements on the federal baseline.

Frequently asked questions

Can I be sued under the TCPA for calls made from a lead vendor's list even if I didn't generate the consent?

Yes. The TCPA holds the party that initiates or authorizes the call responsible, regardless of who collected the consent. If you dialed the number, you are the caller under 47 U.S.C. § 227 and you bear primary liability. Your contract with the vendor decides whether you can recover from them afterward, but it does not stop a plaintiff from suing you first.

The FCC adopted a one-to-one consent rule in its December 2023 order, with an effective date targeted for early 2025. It requires that consumer consent for telemarketing name the specific company making contact, not a class of "marketing partners." Lead gen sites that collected blanket consent for multiple unnamed buyers can no longer support compliant outreach. Your contract must now warrant that consent names your company.

The TCPA's federal statute of limitations is four years under 28 U.S.C. § 1658, so records should be kept at least that long. Many compliance attorneys recommend five years to buffer for state law claims with different limitation periods. Your contract should require the vendor to retain consent records for at least five years and produce them within 72 hours of any request.

Prior express written consent is the FCC's standard for telemarketing calls and texts to cell phones using automated systems. Under 47 C.F.R. § 64.1200(f)(9), it requires a signed written agreement authorizing autodialed or prerecorded contact, with a clear disclosure that consent is not a condition of purchase. Your contract should use this exact phrase so the warranty maps to the legal standard, not some vaguer notion of permission.

Do I need to scrub leads for the DNC list even if the vendor says they already did?

Yes. FTC rules require callers to scrub against the National DNC Registry no more than 31 days before calling. Running your own scrub protects you if the vendor's was outdated or incomplete, and it creates your own date-stamped compliance record. Treat vendor scrubbing as a first pass that saves wasted spend. Your own scrub is the legal compliance layer.

Can I require a lead vendor to name me as an additional insured on their liability policy?

Yes, and you should. Requiring the vendor to carry errors and omissions or general liability insurance and to name you as an additional insured means you can claim directly on their policy if a TCPA suit arises from their data. This matters most when the vendor is a small shop without obvious assets to satisfy an indemnification claim. Get a certificate of insurance every year.

What is a reasonable liquidated damages clause for non-compliant leads?

A common approach ties the per-lead fee to TCPA statutory exposure of $500 to $1,500 per non-compliant lead. Courts enforce liquidated damages clauses when the amount reflects a reasonable forecast of actual harm rather than a penalty. Since each call or text to a non-consenting consumer carries at least $500 in statutory damages, a $1,000 per-lead clause is defensible and easy to justify.

How does the reassigned numbers database affect my lead vendor obligations?

The FCC's Reassigned Numbers Database lets callers verify whether a phone number was reassigned to a new subscriber since the consent event. Calling a reassigned number means calling someone who never consented, even if the original holder did. Your contract should require leads to be checked against the database before delivery, or at minimum give you the right to check and return any lead where the number was reassigned.

Send a written demand citing the specific clause requiring production within your agreed window (72 hours is standard). If they still refuse, document the non-response and notify your legal counsel immediately. The vendor's refusal to produce records is itself a contract breach that strengthens your indemnification claim against them. Preserve every communication about the refusal as evidence.

Yes. Florida's Telemarketing Act, Indiana's Telephone Privacy Law, and several other states run their own DNC registries and consent rules that go beyond federal TCPA rules. Your contract should require scrubbing against all applicable state registries for numbers with a state area code and should represent that consent collection met state law requirements where the leads were generated.

Does a vendor contract protect me if the FCC or FTC brings an enforcement action instead of a private lawsuit?

Only partly. A strong contract is evidence of good-faith compliance, which matters in agency penalty analysis, but FCC and FTC enforcement runs against the caller directly and is not resolved by private indemnification agreements. Your best protection against agency action is your own documented compliance practices, not vendor representations.

What if I buy leads through a lead marketplace or aggregator rather than directly from a generator?

The same requirements apply, and the risk is often higher because there are more links in the consent chain. A marketplace usually does not originate consent; it resells from multiple generators. Require the marketplace to warrant that every underlying generator obtained compliant consent naming your company and that it can produce documentation from the original source, more than from its own records.

Can an audit right in a vendor contract actually help me in a TCPA lawsuit?

It helps two ways. Exercising audit rights before litigation lets you catch and stop using bad data, potentially preventing violations. And a court record showing you had audit rights and used them is evidence of reasonable compliance measures. Willful TCPA violations, the ones that triple damages, require showing the caller knew or should have known about the violation. Documented oversight counters that argument.

Is an indemnification clause enough protection, or do I need additional steps?

Indemnification is necessary but not enough. It is a recovery mechanism after harm, not a prevention mechanism. Pair it with pre-campaign consent verification, your own DNC scrubbing, use of the FCC's Reassigned Numbers Database, and employee training. Indemnification protects your balance sheet if a lawsuit happens. The other steps reduce the chance a lawsuit happens at all.

Sources

  1. U.S. House of Representatives / Office of the Law Revision Counsel, 47 U.S.C. § 227 (TCPA): TCPA statutory damages are $500 per violation, up to $1,500 for willful violations; liability attaches to the party who makes or initiates the call
  2. FTC.gov, Federal Trade Commission (lead generation and telemarketing guidance): FTC guidance holds downstream callers responsible for the consent claims they accept from lead generators
  3. Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200 (FCC TCPA rules): Prior express written consent is required for autodialed or prerecorded telemarketing calls to cell phones; pre-checked boxes do not constitute valid consent
  4. Federal Register, FCC Report and Order (One-to-One Consent Rule, December 2023): FCC December 2023 order requires consumer consent to name the specific company making contact, closing the lead generator loophole for bundled consents
  5. U.S. House of Representatives / Office of the Law Revision Counsel, 28 U.S.C. § 1658: Four-year federal statute of limitations under 28 U.S.C. § 1658 applies to TCPA claims
  6. FTC.gov, National Do Not Call Registry Data Book FY 2023: The National Do Not Call Registry has over 249 million registered numbers as of fiscal year 2023
  7. Florida Attorney General, Florida Telemarketing Act (Fla. Stat. § 501.059): Florida maintains its own state DNC registry and telemarketing law with separate penalties from the federal TCPA
  8. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court in Facebook v. Duguid (2021) held that an ATDS must use a random or sequential number generator to store or produce numbers; narrowed the definition of autodialer under TCPA
  9. FTC.gov, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC Telemarketing Sales Rule requires callers to scrub against the National DNC Registry no more than 31 days before calling a number

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit