Maintaining compliance when scaling lead generation

TCPA fines hit $500, $1,500 per call or text. Learn how to keep lead gen compliant: consent rules, DNC scrubbing, reassigned numbers, and state law traps.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-09

Compliance manager reviewing call logs at a standing desk in morning light
Compliance manager reviewing call logs at a standing desk in morning light

TL;DR

Every lead you buy, call, or text carries legal exposure if consent wasn't captured right. The TCPA allows $500, $1,500 per violation, and class actions against lead generators have settled in the tens of millions. This guide covers consent architecture, list hygiene, vendor vetting, state-law overlays, and the daily routines that keep outbound teams out of court.

Why does lead generation compliance keep getting harder?

The rules were written for a company calling its own customers. They weren't written for a lead that passed through three vendors before it hit your dialer. Every hand-off is a spot where consent can degrade, expire, or turn out to have never existed at all.

The Telephone Consumer Protection Act (47 U.S.C. § 227) makes the caller, the seller, and often the lead aggregator responsible for whether a consumer actually agreed to be contacted [1]. Courts keep extending liability up the chain. That matters because a lead gen deal usually involves a publisher who captures the lead, a network that buys and resells it, and a brand that makes the call or sends the text. If any link in that chain has a consent problem, the person who dialed the number is the one who gets sued.

The FCC keeps sharpening the edges. Its January 2024 rule, effective January 27, 2025, requires consent for robocalls and robotexts on a "one-to-one" basis, so a single opt-in form can no longer deliver consent to a list of unrelated companies [2]. That one change wiped out most of the shared-consent model the industry leaned on for a decade.

Stack the state mini-TCPAs in Florida, Oklahoma, Washington, and others on top of that. Now you have a compliance surface that's genuinely hard to manage without a documented system.

The TCPA requires "prior express written consent" before you use an autodialer or a prerecorded voice to call or text a cell phone for marketing. The consumer has to get a clear disclosure, agree to be contacted by a specifically named company, and the agreement can't be a condition of buying anything. Miss any piece and the consent is defective.

The statute lives at 47 U.S.C. § 227(b) [1]. The definition of "prior express written consent" sits in the FCC's rules at 47 C.F.R. § 64.1200, which spell out the clear-and-conspicuous disclosure, the named-company requirement, and the no-condition-of-purchase rule [3].

For lead gen, "specifically identified" is the load-bearing phrase. The FCC's 2024 one-to-one rule closed the loophole that let one checkbox deliver consent to dozens of companies buried in fine print or a hyperlinked partner page [2]. Now each company that will contact the consumer has to be named, and each name has to be logically and topically related to what the consumer signed up for.

Buying leads instead of generating them yourself? You need a written representation from the vendor that consent named your company specifically. A blanket indemnification clause won't save you. You cannot outsource TCPA liability by pointing at a vendor contract. In Gomez v. Campbell-Ewald Co., 768 F.3d 871 (9th Cir. 2014), the court confirmed a company using a third-party marketer can still be directly liable.

For texts, the TCPA compliance framework is worth reading in full, because a text carries the same legal weight as a call and the per-message math adds up fast.

One-to-one consent means a consumer can only consent to be contacted by companies named individually on the form they actually saw, about topics related to what they signed up for. One checkbox can no longer hand your number to a marketplace of unrelated sellers. The FCC's order (FCC 23-107) took effect January 27, 2025.

The order amended 47 C.F.R. § 64.1200 to require that consent identify the specific seller and that the message content be "logically and topically associated" with the site or interaction where consent was given [2].

This killed co-registration. Fill out a form for a mortgage quote and you can consent to contact from mortgage companies. You cannot, through that same click, consent to calls from an auto insurer, a home warranty vendor, and a solar installer.

For lead buyers, three things follow:

  • Your company name has to appear on the consent form the consumer saw, not in a scroll-down partner list.
  • The topic of the form has to match what you sell.
  • Consent captured before January 27, 2025 that didn't meet the one-to-one standard can't carry a call made after that date.

Lead networks that never updated their consent architecture are still open for business, and they're selling non-compliant leads today. The only way to know is to see the consent record: the URL of the page, a screenshot or archived copy of the form language, the timestamp, and the IP address of the person who submitted it. If your vendor can't produce that for every lead, you have your answer.

The lead generation compliance news section tracks the enforcement actions and FCC rulemaking that shape how this rule gets read.

TCPA: key numbers every lead gen team must know Statutory thresholds, penalties, and operational deadlines 500 Per-violation damages (negl… 1,500 Per-violation damages (will… 52k Max FTC civil penalty per DNC violation (2023) 595 RND annual access cost (base package, USD) Source: 47 U.S.C. § 227; FTC Telemarketing Sales Rule; FCC Reassigned Numbers Database; FTC Civil Penalty Adjustments, 2023

How do you vet a lead vendor for TCPA compliance?

Start with the consent record. Before a single lead touches your dialer, you should be able to see an unedited copy of the opt-in form the consumer saw: the disclosure language, the date and time, the IP address, and your company name exactly as it appeared. If the vendor can't hand that over, stop right there.

Then ask about scrubbing. A compliant vendor runs every record against the National Do Not Call Registry before delivery, flags wireless numbers, and checks the Reassigned Numbers Database (RND) the FCC launched in 2021 [11]. The RND is the only authoritative source for whether a number got reassigned to a new consumer after the original consent. Miss a reassignment and you may be calling someone who never opted in, which is a clean TCPA violation.

Ask for a sample contract. Look for these clauses:

ClauseWhy it matters
Consent representation and warrantyVendor warrants each lead meets the FCC one-to-one standard
Audit rightsYou can request consent records at any time
IndemnificationVendor covers your defense costs if their lead causes a suit
Reassigned number scrubVendor confirms an RND check at or before delivery
DNC scrub recencyNational DNC checked within the required 31-day window

A vendor who fights these clauses is telling you something. Good vendors have clean data and don't mind proving it. Bad vendors have bad data and need you not to look.

B2B is a different animal. The express-written-consent requirement mostly bites on calls to wireless numbers and on calls using an autodialer or prerecorded voice. A live agent dialing a business landline with no recorded component has more room, but state laws and the business's own opt-outs still apply. See the b2b lead generation platforms gdpr compliance guide for how this crosses into international obligations.

How does DNC scrubbing work in a lead generation workflow?

You scrub every dialing list against the National Do Not Call Registry no more than 31 days before each call. Registered numbers are off-limits for telemarketing unless you have an established business relationship or written consent. You also keep an internal DNC list, honor opt-outs, and store those requests for at least five years. State registries add their own rules on top.

The federal framework sits in the FTC's Telemarketing Sales Rule at 16 C.F.R. Part 310 and the FCC's rules at 47 C.F.R. § 64.1200(c) [5]. The 31-day scrub window is the part teams blow most often.

That window is not optional. Pull a scrubbed list on day one and run the campaign for 45 days, and the records you dial on days 32 through 45 were never scrubbed inside the window. Re-scrub.

Your internal DNC is separate. Every consumer who tells you to stop goes on it within 30 business days (10 business days under stricter state rules), and you honor that for at least five years [5]. Buying from several vendors? You need one centralized internal DNC that every campaign checks before dialing, not a scatter of lists.

State DNC obligations stack another layer. Florida runs its own list independent of the federal registry, with its own registration and scrubbing rules [6]. Indiana, Texas, and others do too. Running national means knowing which states keep their own lists and whether you're registered to reach them.

For text opt-out mechanics, the sms opt-in rules require every program to give a clear way out, honor it fast, and never text someone again who opted out of that program.

What is the reassigned numbers database and do you have to use it?

The Reassigned Numbers Database is the FCC's central record of numbers that were permanently disconnected and may have been handed to a new consumer. Querying it isn't strictly mandatory. But a clean query result buys you a safe harbor against a TCPA claim from the new subscriber, and skipping it leaves you with no defense at all.

The FCC launched the RND in 2021 under 47 C.F.R. § 64.1202 [11]. Callers who contact a reassigned number can face TCPA liability to the new subscriber even with valid consent from the old one.

The safe harbor works like this: query the RND before each campaign, get a "no" response showing the number hasn't been reassigned since the consent date, and keep that documentation. With it, you have a strong defense against a suit from an angry new subscriber. Without it, you're exposed.

As of 2024, RND access starts around $595 per year for the base query package, with higher fees for bigger volumes [11]. That's small money next to a single TCPA settlement. Most serious compliance-minded dialer platforms now build RND queries into the pre-dial step. If yours doesn't, ask why.

Nobody has good data on what share of outbound calls actually land on a reassigned number. The FCC's estimates around the RND's creation put tens of millions of numbers reassigned each year, but the real rate for any given list depends on how old the leads are and where they came from.

What are the TCPA penalties for lead generation violations?

The TCPA allows $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones, under 47 U.S.C. § 227(b)(3) [1]. Every call and every text is its own violation. A campaign that sends 10,000 non-compliant texts faces up to $5 million in statutory damages before a court even weighs actual damages or an injunction.

Class actions are the real threat. A class of 50,000 consumers with a $500 statutory claim each hits a theoretical $25 million. Reported TCPA class settlements have run from roughly $5 million to over $75 million, with several past $20 million. Public examples include a $40 million settlement in the Papa John's texting case (2013) and a $75.5 million settlement involving Capital One (2014).

There is no cap. The statute doesn't limit aggregate damages in class actions, which is what makes TCPA exposure so lopsided against the original conduct. A company that sent 100,000 texts without proper consent faces theoretical damages that could pass its annual revenue.

The FTC and FCC can also impose civil penalties for DNC violations. The FTC's maximum civil penalty per violation was $51,744 as of 2023, adjusted for inflation each year [7]. State attorneys general have their own authority to bring TCPA actions under 47 U.S.C. § 227(g), and they use it.

The TCPA penalties and lawsuits page keeps a current breakdown of recent enforcement and what it tells you about where regulators are looking.

The consent form is the most important document in your whole compliance system. Get it wrong and nothing downstream fixes it.

On forms you control, the one-to-one rule means every company that will contact the consumer has to be named in the disclosure. The disclosure has to be clear and conspicuous, which the FCC reads to mean it can't be buried in dense text, hidden behind a hyperlink, or dropped below the submit button. The consumer has to see it before they click.

A compliant disclosure reads something like this: "By submitting this form, you agree to receive marketing calls and texts using automated technology from [Your Company Name] at the number provided. Consent is not a condition of purchase. Message and data rates may apply. Reply STOP to opt out." That's the core. Have your counsel review it, but those pieces need to be there.

For text programs, the sms opt-in form guide covers the placement, font size, and proximity rules regulators zero in on. The sms double opt-in approach, where the consumer replies to a confirmation text before any marketing goes out, isn't legally required. It does build a strong evidentiary record that pays off in litigation.

Store consent records indefinitely, or at minimum five years past your last contact with the consumer. The record needs the verbatim form language the consumer saw, not a version you think was live. So archive every form version whenever you change it.

Real estate lead gen has its own wrinkle: the consent language has to say a real estate professional specifically may contact the consumer. Generic financial-services consent isn't specific enough. The real estate text message marketing guide covers the sector details.

What state laws create extra compliance burdens for lead generation?

Florida, California, Washington, Indiana, and Oklahoma each add requirements on top of federal law. The most common trap is a broader definition of automated dialing than the federal standard, so a system that isn't a federal ATDS can still trigger a state statute. Running national means applying the strictest state's rules to everyone.

Florida's mini-TCPA (Florida Telephone Solicitation Act, Fla. Stat. § 501.059), revised in 2021, covers any call or text made with an "automated system for the selection or dialing of telephone numbers" and reaches both live and automated calls [6]. That's broader than the federal ATDS standard the Supreme Court narrowed in Facebook v. Duguid (2021) [10]. A dialer that isn't a federal ATDS can still trip Florida's law if it automates any part of number selection or dialing. Florida also runs a state DNC list and allows $500 per violation.

Washington's Commercial Electronic Mail Act (RCW 19.190) covers commercial texts specifically and has been used in class actions against lead generators [12]. Oklahoma and Indiana keep their own telemarketing statutes with their own timing, disclosure, and registration rules.

California's Consumer Privacy Act (CCPA), and its CPRA amendment, layers a separate set of duties on any business collecting data from California residents [8]. Under CCPA, consumers can opt out of the sale of their personal information, which changes how lead data moves between vendors. Buy or sell leads involving California residents and you need a CCPA-compliant data processing agreement with your vendors.

Here's the short map of the states that add the most:

StateKey statuteNotable addition vs. federal TCPA
FloridaFla. Stat. § 501.059Broader ATDS definition, state DNC list, $500/violation
CaliforniaCal. Civ. Code § 1798.100 (CCPA)Data sale opt-out, consumer rights requests
WashingtonRCW 19.190Commercial text law, per-message damages
IndianaIC 24-4.7State DNC registration required
Oklahoma15 O.S. § 775AState DNC list, prior express consent for texts

For national campaigns, the safest move is to apply the strictest state standard to your whole list instead of juggling state-by-state variations. Florida-standard consent language and RND scrubbing for everyone, more than Florida numbers.

What operational processes keep a lead generation program compliant day to day?

Compliance isn't a project you finish. It's a set of checks that repeat on a schedule: daily, monthly, and annually. The daily layer protects each campaign, the monthly layer catches drift, and the annual layer keeps your vendors honest.

The daily and per-campaign layer: scrub the dialing list against the National DNC Registry within 31 days of each call, check your internal DNC, query the Reassigned Numbers Database, and confirm every record has a consent record that names your company and meets the one-to-one standard.

The monthly layer: review and archive the current version of every consent form, check whether any vendor changed its consent language (which means re-confirming it still complies), read any new FCC or FTC guidance, and audit call recordings or text logs for campaigns that drew complaints.

The vendor layer: re-audit your lead vendor contracts each year, verify consent records are still reachable and complete for leads you bought in prior years, and drop vendors who can't show one-to-one compliance.

Documentation is the line between a survivable audit and a disaster. When a plaintiff's attorney sends a litigation hold, you need to produce the consent record for any specific phone number within days. If your consent records live in a vendor portal you no longer access, you can't produce them. Download and store them yourself.

LeadCompliant's free compliance kit includes a pre-campaign checklist, a vendor vetting questionnaire, and a consent form audit template you can adapt. Run them before every new campaign, not after the first demand letter shows up.

For teams using SMS to nurture leads, the marketing text message service guide and the text message marketing software review cover the platform controls that make this easier to hold at scale.

Consent doesn't have a statutory expiration date, which is exactly why aging leads cause so much litigation. The case law says consent must be "prior" to the contact, and courts read that to mean old consent for one purpose may not cover a different message, or a different company, years later. The practical fix is a lead aging policy with hard cutoffs.

Neither the TCPA nor the FTC's Telemarketing Sales Rule guidance under 16 C.F.R. Part 310 sets an expiration date [3]. The risk is interpretive, not statutory.

Most compliance attorneys treat leads over 90 days with extra scrutiny and leads over 12 months as needing re-consent before contact. The 90-day mark isn't a rule; it's a conservative standard built on the argument that someone who showed interest over a year ago no longer reasonably expects your call.

Reassignment compounds the problem. A number that was valid 18 months ago could have been reassigned twice since. Without an RND query at the time of each campaign, you have no way to know.

Aging also raises the question of whether the original form still complies. A form from 2023 that met the then-current standard but fails the 2025 one-to-one test may not carry a contact made after January 27, 2025 [2]. Plaintiff firms are already filing on exactly that theory.

So write the policy down: leads over 90 days get a re-consent touchpoint before any automated dialing sequence. Leads over 12 months either get an aggressive re-consent campaign or get retired. Retiring stale leads costs almost nothing next to defending a class action built on them.

What should you do if you receive a TCPA demand letter or lawsuit?

Stop contacting that person immediately, preserve everything, and pull the consent record for the specific number before you do anything else. Any contact after the letter arrives is a fresh violation. Deleting records can trigger sanctions. And a clean, timestamped consent record naming your company is the difference between a strong position and a real problem.

Stop the contact first. Teams under pressure sometimes keep a campaign running while legal reviews the letter. Don't. Every touch after receipt is a separate potential violation and it will show up in the complaint.

Preserve everything. Issue a litigation hold: no deleting call logs, dialing lists, consent records, vendor contracts, or campaign config files. Spoliation in TCPA cases has produced adverse jury instructions and sanctions.

Pull the consent record for the number named in the letter. Complete, timestamped, properly worded, naming your company? Your position is strong. Missing it? Your exposure is real and you want a TCPA-experienced attorney now. This is not a job for general business counsel.

Size up the plaintiff honestly. Plenty of TCPA demand letters come from serial litigants who file dozens or hundreds of cases a year. Spotting that pattern doesn't make the suit frivolous, but it does shape settlement strategy. There's a whole cottage industry of people who fill out lead forms specifically to manufacture claims. The right answer is still clean consent records, not an assumption that every plaintiff acts in bad faith.

For tracking case outcomes and enforcement trends, tcpa news today is a solid way to stay current.

Frequently asked questions

Yes, if you'll contact that lead with an autodialer or send it marketing texts. Under the TCPA and the FCC's 2025 one-to-one rule, consent has to name your company specifically, not a generic list of partners. A vendor's indemnification clause is no substitute for actual proof of consent. Request and store the consent record for every lead before you dial.

The FCC's December 2023 order (FCC 23-107) requires prior express written consent for marketing robocalls and robotexts to name the specific seller, not a shared list of companies. It took effect January 27, 2025. It ended the co-registration model where one checkbox delivered consent to dozens of unrelated businesses. Each company has to be named on the form the consumer actually saw.

How often do I have to scrub my call list against the National DNC Registry?

The FTC's Telemarketing Sales Rule requires scrubbing against the National Do Not Call Registry no more than 31 days before each call. If a campaign runs longer than 31 days, re-scrub the list. You also have to keep an internal DNC list and honor opt-outs. State DNC registries in Florida, Indiana, and others add their own scrubbing requirements.

What is the Reassigned Numbers Database and is it legally required?

The Reassigned Numbers Database (RND), launched by the FCC in 2021, tracks numbers that were permanently disconnected and may have been reassigned to new consumers. Querying it isn't strictly mandatory, but callers who query it and get a clean response gain a safe harbor against TCPA claims from new subscribers. Access costs roughly $595 per year for base query volume. Skipping it is real exposure for any volume dialer.

The TCPA's prior express written consent requirement applies to calls using an autodialer or a prerecorded voice. A purely manual call from a live agent to a cell phone isn't covered by that specific provision. But the National DNC Registry, state laws, and your internal DNC still apply no matter how the call is made. Florida's mini-TCPA reaches any automated selection or dialing technology, which may capture more systems than the federal standard.

Does the TCPA apply to B2B lead generation?

The TCPA applies to calls to wireless numbers whether the number belongs to a business or an individual. A call to someone's cell for a B2B sale still needs TCPA-compliant consent if it uses an autodialer or prerecorded voice. Calls to business landlines with a live agent have more room, but DNC obligations and state telemarketing laws still apply. GDPR and CCPA add separate requirements for international or California business contacts.

The TCPA sets no retention period, but the practical standard is five years minimum, based on the four-year statute of limitations for TCPA claims (28 U.S.C. § 1658) plus a buffer. Store the verbatim form language the consumer saw, the timestamp, the IP address, and your company name exactly as it appeared in the disclosure. Archive every version of a consent form whenever you change it.

What happens if a lead vendor sold me non-compliant leads?

You're still the primary target of a TCPA suit, because you made the call or sent the text. Your indemnification clause against the vendor is a separate civil claim you can pursue, but it doesn't shield you from the plaintiff. Courts have consistently held that brands can't outsource TCPA liability to third-party lead generators. That's why vetting consent records before you buy matters more than any contract clause.

What are the TCPA penalties per text message?

The TCPA allows $500 per text for negligent violations and $1,500 per text for willful or knowing ones, under 47 U.S.C. § 227(b)(3). There's no aggregate cap in class actions. A campaign of 100,000 non-compliant texts carries theoretical maximum exposure of $50 million to $150 million. Large TCPA class settlements have run from $5 million to over $75 million for text and call campaigns.

Does Florida's telemarketing law apply to my company if I'm not based in Florida?

Yes. Florida's Telephone Solicitation Act applies based on where the called party is, not where the caller is. If you're calling or texting a Florida resident's number, the statute applies. Florida's definition of automated technology is broader than the federal ATDS standard, covers texts, and allows $500 per violation. Companies running national campaigns should apply Florida-standard practices to all Florida numbers regardless of their own state.

How do I handle consumers who previously consented but now want to be removed?

Honor the request right away and add the number to your internal DNC within the required window: 30 business days under federal rules, 10 business days under stricter state laws. Remove them from all active campaigns. If you run multiple dialers or platforms, the suppression has to reach all of them. Keep the internal DNC record for at least five years. Failing to honor an opt-out is its own TCPA violation.

What should a compliant SMS opt-in form include?

At minimum: your company name specifically identified, a clear description of the type and frequency of messages, disclosure that message and data rates may apply, an opt-out mechanism (reply STOP), a privacy policy link, and a statement that consent isn't a condition of purchase. The disclosure has to sit above or right next to the submit button, not in footnotes or behind a hyperlink. The FCC's one-to-one rule requires your specific company name, not a generic partner disclosure.

Are leads older than 90 days still legally usable?

There's no statutory 90-day expiration. The practical risk is that older leads are likelier to involve reassigned numbers and consent forms that no longer meet current FCC standards. Many compliance attorneys treat leads over 90 days as needing an RND re-query before dialing. Leads generated before January 27, 2025 under a shared-consent model may not meet the FCC's current one-to-one standard for calls made today, regardless of age.

Yes, and it's a strongly recommended practice even though it isn't legally required. A double opt-in, where the consumer replies YES to a confirmation text before any marketing goes out, creates a second timestamped record that the consumer confirmed consent and still held that number at that time. That's useful in litigation because it shows the number wasn't reassigned and intent was clear. It also cuts false opt-ins from typos.

Sources

  1. U.S. Government, 47 U.S.C. § 227 (TCPA statute text): TCPA prohibits ATDS calls to cell phones without prior express written consent and allows $500–$1,500 per violation
  2. FCC, 47 C.F.R. § 64.1200 (implementing rules for TCPA): Prior express written consent definition including clear and conspicuous disclosure and no condition-of-purchase requirement
  3. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: National DNC Registry scrubbing required within 31 days of each call; internal DNC must be maintained for 5 years; requests honored within 30 business days
  4. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's mini-TCPA uses a broader automated technology definition than federal law and imposes $500 per violation; has a state DNC list
  5. FTC, Civil Penalty Inflation Adjustments: FTC maximum civil penalty per DNC violation was $51,744 as of 2023, adjusted annually for inflation
  6. California Attorney General, California Consumer Privacy Act: CCPA gives California residents the right to opt out of sale of personal information, affecting lead data transfers between vendors
  7. FTC, National Do Not Call Registry: National DNC Registry maintained by FTC; telemarketers must access and scrub against it no more than 31 days before calling
  8. Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the federal ATDS definition in 2021, but state laws like Florida's still use broader definitions
  9. FCC, 47 C.F.R. § 64.1202, Reassigned Numbers Database rules: Safe harbor available to callers who query the RND and receive a response indicating no reassignment since the consent date
  10. Washington State Legislature, Commercial Electronic Mail Act, RCW 19.190: Washington's commercial electronic mail and text law has been used in class actions against lead generators

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit