Last updated 2026-07-11

TL;DR
On a live transfer, TCPA liability can land on the lead generator, the receiving company, or both. Consent has to follow the call through every hand-off. If the generator used illegal dialing or never got proper written consent, and the buyer knew or should have known, courts have held the buyer jointly liable. Getting this wrong costs $500 to $1,500 per call under 47 U.S.C. § 227.
What is a live transfer lead and why does TCPA compliance matter here?
A live transfer is what it sounds like. A vendor calls a consumer, confirms interest, then patches the call to your sales team in real time. The consumer never hangs up. Your rep picks up mid-conversation.
That hand-off feels clean operationally. The law does not treat it as a fresh start. The TCPA, 47 U.S.C. § 227, governs every outbound call or text to a wireless number made with an automatic telephone dialing system or a prerecorded message [1]. A live transfer from a vendor who used an ATDS to reach that consumer is still a call made with an ATDS, at least as far as the original dialing event goes.
Why does this matter to your team? You did not make the first call. You got a warm handoff. But the FCC and federal courts have said again and again that downstream beneficiaries of illegal calls can be held responsible if they directed the conduct, knew about it, or ratified it after the fact. A $1,500-per-call award adds up fast when you buy hundreds of transfers a week.
The tension is simple. The economics of live transfers push toward speed and volume. Compliance pushes toward verification and paperwork. Teams that ignore the second half of that equation show up as named defendants in class action complaints.
Who can be held liable on a live transfer call under the TCPA?
Three actors sit in almost every live transfer chain: the lead generator who dials the consumer, the aggregator or platform in the middle, and the end buyer whose sales team takes the call. Any of them can be a defendant. The facts decide which.
The FCC's 2013 TCPA Declaratory Ruling made vicarious liability official. Sellers can be liable under federal common law agency principles for calls placed by third parties on their behalf [2]. Actual authority, apparent authority, and ratification are all live theories. Courts have run all three in live transfer cases.
Direct liability hits whoever made the call with an ATDS or a prerecorded message without proper consent. That is usually the generator. If your vendor autodials 10,000 people to find 50 warm leads for you, and those 10,000 people never gave prior express written consent to get autodialed calls about your product, the generator owns direct exposure on every dial.
Vicarious liability hits you, the buyer, when you gave the generator a script, controlled how they dialed, or knew their practices were illegal and kept buying anyway. It also attaches when you accept transfers without ever asking how consent was obtained, or when you ratify the conduct by accepting and monetizing the leads.
Here is the anchor case. In *Campbell-Ewald Co. v. Gomez* (2016), the Supreme Court left vicarious TCPA liability intact as a doctrine [3]. In district court, buyers have lost motions to dismiss when plaintiffs alleged the buyer controlled vendor operations or ignored obvious red flags. You do not have to dial a single number to end up as a defendant.
The practical read: sloppy vendor consent is your problem too. Never touching the dialer does not protect you.
What consent is required before a live transfer can legally reach your sales team?
For telemarketing calls to cell phones using an ATDS, the TCPA requires "prior express written consent" [1]. That means a signed, written agreement (electronic signatures count) that clearly authorizes calls from the specific seller or a named list of sellers and includes the consumer's phone number.
The FCC's 2012 order, effective October 16, 2013, added the written consent requirement and killed the established business relationship exemption for autodialed marketing calls [4]. Consent has to identify the entity making the call. A generic "I agree to be contacted by our partners" buried in a website footer does not cover your company unless your company is named or the consumer is clearly told who will call.
This is where live transfer chains turn dangerous. Many generators collect consent for their own platform, then transfer calls to buyers who are never named in that consent. The consumer agreed to hear from "Home Improvement Network." Your roofing company is the one on the phone. Courts have found consent does not automatically ride down the chain.
What you need before a transfer reaches your team:
1. Written consent that names your company or a category your company clearly fits, obtained before the first dial. 2. A timestamp and the URL or source where consent was captured. 3. Language disclosing that calls may use an autodialer and that consent is not a condition of purchase.
Buying from an aggregator? Get a contractual representation that every transfer arrives with documented consent meeting those standards. A representation is worth nothing without audit rights to check it.
How does the FCC define "seller" liability for vendor-generated calls?
The FCC's 2013 Declaratory Ruling is the key regulatory text. It states that a seller "may be held vicariously liable under federal common law principles of agency for TCPA violations committed by third-party telemarketers" [2]. The ruling lists the factors courts should weigh. Did the seller give the vendor access to its systems, scripts, or customer data? Did the seller know the vendor was breaking the law? Did the seller benefit from the calls and fail to stop them once violations surfaced?
The ruling also handled "willful blindness." If you structure your buying to avoid knowing how leads get generated, that is not a defense. Courts treat deliberate ignorance as constructive knowledge. Buy 500 live transfers a day and never once ask your vendor how they get consent, and a plaintiff's attorney will argue you chose not to know.
On apparent authority, the FCC noted that if a vendor presents itself to consumers as calling on behalf of the seller, the seller may be bound even without a formal agency relationship. That matters for live transfers where the opening script says "I'm calling on behalf of [Your Company Name]." Hand a vendor your brand and your script, and courts will likely find apparent authority.
The reading is clean. More control over the vendor plus more of your brand in the consumer-facing script equals higher exposure. Act like an arms-length buyer who independently verifies consent, and your exposure drops.
What do courts actually do with live transfer TCPA cases?
Outcomes vary, but the patterns are clear.
In *Mantha v. QuoteWizard.com, LLC* (D. Mass. 2021), a federal court let a TCPA class action proceed against an insurance lead marketplace [5]. The plaintiff argued QuoteWizard's partners dialed him with an ATDS and no valid consent, and that QuoteWizard was vicariously liable as the downstream buyer. The court denied QuoteWizard's summary judgment motion on vicarious liability, finding genuine factual disputes over how much control the company had over its network. The case later settled.
That is a useful signal. Even well-funded companies with large legal teams cannot always get these cases tossed at summary judgment. Show any real control or knowledge of non-compliant dialing, and the case heads to a jury or to settlement.
For a sense of settlement scale, the cash app TCPA class action settlement and the credit one TCPA settlement both show how large these numbers run, even when defendants dispute liability.
Damages: the statute sets $500 per violation for negligent conduct and $1,500 per violation for knowing or willful conduct [1]. A class of 100,000 consumers at $500 each is $50 million before fees. Courts sometimes cut class damages on due process grounds, but that is far from guaranteed.
Small teams sometimes assume they are too small to attract a class action. Wrong. Plaintiffs' firms increasingly target mid-market companies precisely because they have thinner legal defenses and settle faster.
How should a live transfer buyer verify consent before accepting calls?
You cannot verify consent on a live call in real time. That is the operational reality. What you can do is build a pre-transfer system that runs before calls hit your queue.
Here is what the compliance layer should look like.
Contractual controls. Your vendor agreement has to require the generator to obtain prior express written consent naming your company or your disclosed category, retain consent records for at least four years (the federal statute of limitations for TCPA is four years under 28 U.S.C. § 1658, though some courts apply a two-year state period in certain circumstances), and give you audit access to consent records on demand.
DNC scrubbing. Every number coming through the network has to be scrubbed against the National Do Not Call Registry before the first dial [6]. If the generator is not scrubbing, every call to a registered number stacks another violation on top of the consent problem. See the do not call list guide for how registration works. Cell phones can and do appear on the DNC registry, so mobile phone do not call list scrubbing matters here too.
Consent token transfer. Ask your generator to pass a consent token or record ID with each transfer. That reference number lets you pull the stored consent record from their system. If they cannot do this, question whether real consent records exist at all.
Ongoing audits. Spot-check 5 to 10 percent of your incoming transfers each month. Call the consumers back and ask how they remember opting in. If they say they have no idea what they signed up for, or that they clicked something to get a gift card, your generator is using deceptive consent tactics and your audit just created a written record that you knew.
Internal flags. Track your Do Not Call complaints and opt-out requests. A sudden spike is an early sign your transfer source is producing non-consented contacts.
Does scrubbing the DNC list protect you from all TCPA liability on live transfers?
No. DNC scrubbing is necessary but not sufficient.
The National Do Not Call Registry protects consumers who registered their numbers [6]. Calling a registered number without an established business relationship or express invitation is a separate TCPA violation, carrying penalties up to $51,744 per call under current FTC rules [7]. So scrubbing the registry matters.
But TCPA liability for autodialed calls to cell phones does not depend on DNC status at all. A number that is nowhere near the DNC registry still cannot be autodialed for marketing without prior express written consent. These are two legal tracks running in parallel.
Practical version: a lead generator who scrubs the DNC list but collects sloppy consent has solved half the problem. A buyer who confirms the vendor scrubs the DNC but never checks the consent paperwork has a false sense of security.
The do not call telemarketer list piece covers how the registry works from the caller's side. The short version: registry scrubbing is table stakes. Consent documentation is the real exposure.
What contract terms should a live transfer buyer require from their vendor?
Your vendor contract is your first line of defense and your evidence in litigation. If a suit comes, the contract either shows you took reasonable steps or shows you ignored the obvious.
Required provisions:
Consent warranty. The vendor represents that every transferred consumer gave prior express written consent meeting 47 U.S.C. § 227(b) standards before being dialed, and that the consent names or clearly covers your company.
Record retention. Vendor keeps consent records, including opt-in source URL, timestamp, IP address, and disclosed dialer language, for at least four years.
Audit rights. You can request and receive consent records for any transferred consumer within 48 to 72 hours.
DNC compliance. Vendor warrants it scrubs against the National DNC Registry no less than every 31 days per FTC rules, plus any applicable state DNC lists [6].
Indemnification. Vendor agrees to indemnify, defend, and hold your company harmless for TCPA violations arising from their dialing or consent practices. This does not erase your exposure in litigation, but it shifts the financial burden after settlement.
Termination for cause. You can walk immediately, without penalty, on credible evidence of consent or dialing violations.
No reassigned numbers. Vendor warrants it runs a reassigned number database lookup before each dial. The FCC safe harbor for reassigned numbers requires callers to check the Reassigned Numbers Database [8]. If a number was reassigned and the new holder gets the call, that is a fresh violation.
If your vendor refuses any of these terms, the refusal tells you something. Legitimate high-quality generators have nothing to hide and every reason to document their practices.
How do state laws add to the federal TCPA compliance burden for live transfers?
Federal TCPA is the floor, not the ceiling. Several states have stacked extra requirements on top.
Florida. The Florida Telephone Solicitation Act (FTSA) created a state private right of action for autodialed calls and texts to Florida numbers, and for a stretch it covered calls made with any technology that dials automatically, even without a traditional ATDS [9]. Florida plaintiffs filed a huge wave of suits in 2021 and 2022 off that provision. A 2023 amendment now requires a single opt-in text before marketing texts begin, which narrowed the exposure, but Florida stays one of the highest-risk states for live transfer buyers.
California. The California Invasion of Privacy Act (CIPA) and related statutes create liability for recording calls without two-party consent. If your live transfer includes a recorded or monitored component, California's two-party consent rule applies to any call where any party is in California [10].
Washington, Oklahoma, and others. Multiple states run their own do-not-call registries, their own consent standards, or both. A federal DNC scrub does not cover state lists.
For a live transfer buyer, the takeaway is geographic. Know where your transferred consumers sit, and apply the most restrictive applicable law to each call. This is not theoretical. Florida and California together hold enormous consumer populations, and plaintiff's firms in both states are highly active in TCPA and TCPA-adjacent litigation.
If you do cold calling across multiple states, the compliance matrix is state by state.
What records should you keep to defend a live transfer TCPA claim?
If a suit lands, you need to prove consent existed and was properly obtained at the time of each call. Here is the documentation set.
| Record Type | What It Should Show | Retention Period |
|---|---|---|
| Consent record | Consumer name, number, timestamp, source URL, disclosed language, signature/click | 4+ years |
| Vendor contract | Consent warranties, audit rights, indemnification terms | Life of relationship + 4 years |
| DNC scrub logs | Date of scrub, database version, numbers checked | 4+ years |
| Reassigned number checks | Database query, result, date | 4+ years |
| Call logs | Date, time, duration, outcome, agent ID | 4+ years |
| Complaint and opt-out log | Every consumer complaint, DNC request, and how you handled it | 4+ years |
| Audit records | Your periodic spot-checks of vendor consent practices | 4+ years |
The four-year figure comes from the federal catch-all statute of limitations at 28 U.S.C. § 1658 [12]. Some courts apply a two-year state period for TCPA claims brought under state law, but holding records four years is the safer standard.
LeadCompliant's compliance kit includes a consent documentation template and a vendor audit checklist that map to these categories. Better to have a standardized format than to improvise when a complaint hits.
One thing practitioners often miss. Your internal opt-out log is the record that decides cases. If a consumer called to complain after a transfer and your agent noted it, that log is discoverable. It can show you had a system to block repeat contacts (good) or that you kept calling anyway (very bad).
What happens if you receive a live transfer for a number on the Do Not Call list or a prior complainer?
Stop the call. That is the answer.
If a consumer already asked not to be called and your vendor transferred them anyway, continuing compounds the violation. You do not get a clean slate just because the number arrived as a warm transfer. The original violation already happened the moment the consumer was autodialed without consent or in defiance of a prior opt-out.
For your own internal DNC list: under TCPA regulations, if a consumer tells you or your vendor not to call, that request has to be honored within 30 days and the number stays on your internal do-not-call list for at least five years [6]. If your vendor transfers a number that is already on your internal DNC list, you have a system failure and a possible knowing violation.
For National Registry numbers: if the number is on the federal DNC registry and the consumer has no established business relationship with you (generally a transaction within 18 months), the call was illegal before it ever reached your team [6].
Building a real-time DNC check into your call routing, run against both the federal registry and your internal list before a transfer connects, is one of the more effective technical controls a live transfer buyer can put in place. It will not catch everything, but it catches the obvious problems and shows a good-faith compliance effort.
You can see how to pull the registry through the FTC at how do i get the do not call list.
Can a good-faith reliance on your vendor ever shield you from TCPA liability?
Partly, and with real caveats.
There is no statutory safe harbor in the TCPA for buyers who relied on vendor representations in good faith. The FCC has declined to create one. What good faith does is affect the "willful or knowing" prong of damages. If a court or jury finds you genuinely believed your vendor had proper consent and took reasonable steps to verify it, you are more likely to land in the $500-per-violation bucket than the $1,500 one.
Good faith does not get you to zero. Negligent TCPA violations still carry the $500 minimum, and in a class of any real size, $500 per member is still ruinous.
What courts read as genuine good faith: written contracts with consent warranties, documented audits, prompt termination of vendors when violations surfaced, internal compliance training, and records showing you answered complaints fast. These do not eliminate liability. They move the needle on damages and settlement posture.
The inverse holds too. Buy transfers from a vendor, take consumer complaints about people who had no idea how they were contacted, and keep buying from the same vendor for another 12 months, and that pattern reads as willful blindness. Courts and juries get that pattern instantly.
This is also why text message marketing programs running alongside your live transfer pipeline need the same documentation discipline. One complaint thread can surface evidence that gets used across channels.
Frequently asked questions
If the lead generator gets sued for TCPA violations, does that protect the buyer?
No. The generator being sued does not insulate you. Both parties can be named as defendants in the same action. A plaintiff suing the generator can add the buyer as a co-defendant under vicarious liability theories if the buyer directed, benefited from, or knew about the illegal calls. Settling or losing a case does not prevent the remaining defendant from facing its own damages exposure.
Does the consumer's consent to talk to the lead generator count as consent to talk to the buyer?
Only if the consent form specifically named the buyer or identified a category the buyer clearly fits. Generic consent to "partners" or "affiliated companies" is legally risky. After the FCC's 2024 one-to-one consent ruling, as courts apply it, consent must be granted to one company at a time, not a list. Prior consent obtained under broader language may not protect calls made once that standard applies.
What is the TCPA statutory damage amount per call on a live transfer?
The TCPA sets statutory damages at $500 per violation for standard violations and $1,500 per violation for knowing or willful violations under 47 U.S.C. § 227(b)(3). Each call or text is a separate violation. On a class basis, these figures can reach hundreds of millions of dollars even for companies with moderate call volumes.
How long do consumers have to sue for a TCPA violation on a live transfer call?
The federal catch-all statute of limitations is four years under 28 U.S.C. § 1658, which most federal courts apply to TCPA claims. Some courts have applied state-law periods as short as two years depending on how the claim is framed. Retain all consent and call records for at least four years from the date of each call to be safe.
Does the FCC's 2024 one-to-one consent rule apply to live transfers?
Yes, and it directly targets the comparison shopping and lead gen model. The FCC's 2024 order requires that prior express written consent for telemarketing calls identify a single seller, not a group of partners or affiliates. A consent form that captures consent for one company only covers calls from that company. Live transfer buyers not named in the consent form cannot rely on it. Courts are still working through how this applies to consent collected before the rule.
Can I use a blanket indemnification clause to fully transfer TCPA risk to my vendor?
Contractually, yes. Practically, it depends on whether your vendor can pay. A vendor indemnification clause means the vendor agrees to cover your losses, but if the vendor is a small LLC that dissolves after a class action, that promise is worthless. Indemnification is one layer of protection, not a substitute for vetting your vendor's actual compliance practices and financial capacity.
What is a reassigned number and why does it matter for live transfer compliance?
A reassigned number is one a wireless carrier moved from one consumer to another. If your vendor got consent from the old owner and then calls the new owner, that call lacks consent. The FCC created the Reassigned Numbers Database to help callers check whether a number changed hands since consent was collected. Failing to check the database before dialing is a compliance gap the FCC has specifically flagged.
Do I need to scrub live transfer numbers against state do-not-call lists in addition to the federal registry?
Yes, if you are calling consumers in states that maintain their own DNC lists. Several states, including Indiana, Texas, and Wyoming among others, have their own registries with separate requirements. Federal DNC scrubbing only covers the national list. If your vendor generates leads from consumers in states with independent registries, both lists apply. Your vendor contract should require state-list scrubbing where applicable.
Is a live transfer considered a cold call under the TCPA?
It depends on whether prior express written consent was obtained before the first dial. If a consumer filled out a form and consented to be contacted, the call is not a cold call in the legal sense. If the generator dialed without any prior relationship or consent, the initial dial is effectively a cold call regardless of what happens after. See the legal definition of a cold call for how courts draw this line.
What should I do if a consumer transferred to my team says they never agreed to be called?
First, honor the opt-out immediately and document it. Second, request the consent record from your vendor within 48 hours. If your vendor cannot produce it, treat that as a contract breach and a signal the consent was either fabricated or deficient. Third, audit the volume of transfers from that vendor to estimate how many other calls carry the same problem. That audit, uncomfortable as it is, beats discovering the scope during discovery in a lawsuit.
How does vicarious TCPA liability apply if I use multiple aggregators stacked between me and the generator?
Each layer of the chain can be a defendant. Courts have found vicarious liability even when the end buyer has two or three intermediaries between themselves and the dialer, especially when the buyer's brand appeared in the consumer-facing script or the buyer had contractual controls flowing down the chain. More layers do not dilute liability. They complicate the fact pattern and can make it harder for any party to claim they did not know what was happening upstream.
What is the best way for a small team to audit their live transfer vendor for TCPA compliance?
Start with a written request for 20 to 30 random consent records from the past 90 days. Each record should show the opt-in URL, timestamp, IP address, and the exact disclosure language the consumer saw. Then visit those URLs yourself and read the disclosure. If the consent form does not name your company or use language that specifically covers autodialed calls, you have a documentation problem. Do this quarterly, not once.
Sources
- Cornell Law School / Legal Information Institute, 47 U.S.C. § 227 (TCPA full text): TCPA statutory text establishing $500/$1,500 per-violation damages and the prior express consent requirement for autodialed calls to wireless numbers
- Supreme Court of the United States, Campbell-Ewald Co. v. Gomez, 577 U.S. 153 (2016): Supreme Court decision leaving vicarious TCPA liability intact as a legal doctrine
- U.S. District Court, District of Massachusetts, Mantha v. QuoteWizard.com LLC, Case No. 1:19-cv-12235 (2021): Federal court denying summary judgment on vicarious TCPA liability for a lead marketplace, finding genuine factual disputes about vendor control
- FTC, Telemarketing Sales Rule and National Do Not Call Registry compliance guidance: FTC rules requiring DNC registry scrubbing no less than every 31 days and honoring internal do-not-call requests for five years
- Federal Register, FTC civil penalty inflation adjustments for the Telemarketing Sales Rule: Current FTC civil penalty of up to $51,744 per violation for calling numbers on the National Do Not Call Registry
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA creating a state private right of action for autodialed calls and texts to Florida numbers, amended in 2023
- California Legislature, California Invasion of Privacy Act, Cal. Penal Code § 632: California two-party consent requirement for recorded calls where any party is in California
- Cornell Law School / Legal Information Institute, 28 U.S.C. § 1658 (Federal Statute of Limitations): Four-year federal catch-all statute of limitations applicable to TCPA claims in federal court