Privacy policy language required for TCPA compliant websites

Exact TCPA privacy policy language your website needs in 2024: consent disclosures, opt-out rights, and the clauses that survive FCC scrutiny. 140-char guide.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-11

Hands typing on laptop keyboard at wooden desk with morning window light
Hands typing on laptop keyboard at wooden desk with morning window light

TL;DR

A TCPA-compliant website privacy policy must name every company that may contact the visitor, describe the exact communication methods (calls, texts, autodialer), include a clear revocation-of-consent mechanism, and mirror the consent language shown at the point of capture. Miss any one element and you can void consent entirely, exposing yourself to $500 to $1,500 per message in statutory damages.

What does TCPA actually require from a website privacy policy?

The TCPA does not use the phrase "privacy policy" anywhere in its text. That matters. The TCPA, 47 U.S.C. § 227, cares about one thing: whether a consumer gave prior express written consent before receiving autodialed or prerecorded calls and texts to a cell phone. The privacy policy matters because it is the document most companies use to carry the disclosures that make that consent valid.

The FCC's 2012 order implementing 47 C.F.R. § 64.1200 tightened the consent standard hard. Written consent now has to include "a clear and conspicuous disclosure" that the person is authorizing calls or texts using an automatic telephone dialing system or an artificial or prerecorded voice, and that agreeing is not a condition of any purchase [1]. Most sites bury that disclosure inside the privacy policy. That is why its exact wording gets fought over in court constantly.

Think of the privacy policy as the foundation and the opt-in form as the house on top of it. Vague foundation language, and the whole thing falls over when a plaintiff pushes. Courts have repeatedly held that a privacy policy hidden in a footer link, with no clear disclosure at the point of consent capture, fails the "clear and conspicuous" standard [2].

So the TCPA does not mandate a privacy policy on paper. But any business capturing consent through a web form effectively cannot meet the statute without one that says very specific things.

The FCC's 2012 order [1] and later guidance give you a template. Your opt-in form and the linked privacy policy, read together, need to cover all of these.

Who will contact you. The disclosure has to name the specific seller or sellers who may call or text. "You may be contacted by our partners" is not enough. The 2023 FCC one-to-one consent ruling (FCC 23-107) went further and held that a single consent form cannot blanket-authorize calls from an open list of third-party sellers [3]. Name each seller, or the consent is void for that seller.

What technology will be used. The words "autodialer," "automatic telephone dialing system," or "prerecorded voice" have to appear. "We may contact you by phone" does not clear the bar.

What number will be called. The consumer has to be agreeing to receive contacts at the specific number they typed into that form.

That consent is not a purchase condition. Non-negotiable. If checking the consent box is required to buy your product, you have a problem no matter how clean the disclosure reads.

How to revoke consent. Since the FCC's 2024 revocation order (effective January 27, 2025), you must honor opt-out requests made through any reasonable means, including a spoken request during a call [4]. Your privacy policy should list every revocation method you support (reply STOP to texts, email a named address, call a specific number) and state that you honor revocations promptly, within 10 business days at the outer limit.

Here is a clause that covers the bases. "By submitting your phone number above, you expressly consent to receive autodialed or prerecorded marketing calls and text messages from [Company Name] at the number provided. Consent is not required to purchase any good or service. You may revoke this consent at any time by replying STOP to any text, calling [number], or emailing [address]."

That clause belongs on the form itself. The privacy policy then cross-references it and expands on data handling, retention, and the full list of third-party categories that receive the number.

Does the privacy policy itself need to be linked at the point of consent capture?

Yes, and where you put the link matters as much as what it says. Courts and the FTC have both signaled that a footer link alone is not enough notice when you are capturing consent for autodialed communications [2]. The link should sit in the same visual block as the consent disclosure, ideally as a hyperlink on the words "Privacy Policy" inside the disclosure sentence itself.

The Ninth Circuit in Van Patten v. Vertical Fitness Group (2017) held that consent must be "knowing" to count under the TCPA [5]. A consumer who checks a box without ever seeing the privacy policy link cannot really have read the terms. It is a thin argument. Courts have run with it anyway.

The setup that holds up best is simple. The opt-in checkbox or button sits above a two- or three-sentence disclosure. That disclosure hyperlinks to the privacy policy and to any separate terms of service. The privacy policy then carries a dedicated "Telephone Communications" or "SMS and Call Consent" section that restates and expands on the form-level language.

One more thing. Do not gate the privacy policy behind a login or a PDF download. It has to be a crawlable, publicly readable HTML page. If a plaintiff's attorney goes looking and cannot find it, that alone looks bad.

TCPA statutory damages at a glance Per-violation exposure under 47 U.S.C. § 227(b)(3) and related state laws $500 Federal TCPA, standard viol… $1,500 Federal TCPA, willful viola… $500 Florida FTSA, per violation $50M Example 100k-text exposure… Source: Cornell LII, 47 U.S.C. § 227; Florida Statute § 501.059 (2023)

The FCC's December 2023 order (FCC 23-107), effective January 27, 2025, is the biggest shift in TCPA consent practice in over a decade [3]. Before it, a lead-gen form could grab one consent that supposedly covered calls from dozens of "marketing partners." That approach is dead now.

The rule makes consent "one-to-one": a single consent form can authorize calls from only one seller. If you generate or aggregate leads and sell them downstream, each buyer has to be named on the consent form, or the consent is worthless for that buyer. This hits privacy policy language directly, because the policy is where the list of "affiliated companies" or "marketing partners" used to live.

Under the old model, a policy might say: "We may share your information with our marketing partners, a list of which can be found at [link], who may contact you." Dead language. The capture form itself must name each company, and the privacy policy has to describe the scope of that consent accurately without stretching it past what the form said.

For first-party callers, companies dialing their own leads, the change is smaller. You still need the one-to-one disclosure, but the only name on it is yours. The real operational pain lands on everyone in the lead-gen supply chain, who now has to rebuild their consent forms or stop leaning on web-sourced consent for third-party dialing.

See the FCC's official summary of FCC 23-107 for the full rule text [3].

How should the privacy policy handle SMS and text message consent separately from voice calls?

The TCPA covers both calls and texts to cell phones, so one disclosure can cover both if it says so explicitly [6]. In practice, regulators and carriers treat SMS differently enough that separate policy sections are worth the effort.

Start with the carriers. The CTIA, the wireless industry trade group, publishes Messaging Principles and Best Practices that carriers enforce at the network level [7]. They can block traffic from numbers that violate those principles, no court order needed. CTIA guidance wants SMS consent disclosures to state the program name, message frequency, a data rates notice ("Message and data rates may apply"), and the STOP/HELP commands. None of that lives in the TCPA. Omit it and your SMS traffic can get blocked before anyone files a lawsuit.

Second, web-collected SMS consent should trigger a double opt-in confirmation text. Not a TCPA requirement, but it builds a record that the right person submitted the form from that number. Without it, your only proof is a form submission log, and plaintiffs routinely argue somebody else typed in their number.

Your SMS section should spell out: what program the consumer is joining, roughly how many messages per month, that message and data rates may apply, how to opt out (STOP), how to get help (HELP or a named contact), and that opt-outs get honored within one message cycle. For the operational side, see text message marketing.

For voice, the policy should say whether you use an autodialer, a predictive dialer, or prerecorded messages, because the consent threshold shifts across them. Prerecorded calls require written consent. Purely manual calls to non-cell numbers can rely on a lower standard.

What TCPA privacy policy language has courts rejected?

A handful of patterns keep losing in litigation. Learn them and stay off the list.

Buried checkbox with a generic reference. "By submitting, you agree to our Terms and Privacy Policy," linked to a 6,000-word document somewhere in the footer. Courts across multiple circuits have found this insufficient, because the consumer is never specifically told they are agreeing to autodialed calls. The disclosure has to make that consequence visible without sending the user hunting for it [2].

Unlimited third-party authorization. After FCC 23-107, authorizing an open-ended list of "partners" destroys consent for every seller on the list [3].

Pre-checked boxes. A pre-checked box is not affirmative consent under the FCC's written consent standard. The consumer has to take a step: check an empty box, or click an "I agree" button tied to the TCPA disclosure.

No revocation mechanism. Since the 2024 revocation order, failing to offer and honor a clear opt-out path is its own violation, separate from the original consent question [4].

Inconsistency between the form and the policy. If the form says "calls from XYZ Company" and the policy says "calls from XYZ and its affiliates," a plaintiff argues the consumer only agreed to the narrower scope. Keep the two identical, or have the policy expand on the form in a way the consumer could actually have read before submitting.

Inadequate consent documentation has cost real money. See the cash app tcpa class action settlement for what defective consent processes look like when they land in front of a judge.

Does your privacy policy need to address the National Do Not Call Registry?

Yes, and most companies skip this section entirely. The National Do Not Call Registry, run by the FTC, blocks most telemarketing calls to registered numbers no matter what TCPA consent you hold [8]. Your privacy policy should say you honor DNC registrations and describe your scrubbing process at a high level.

Two reasons this pays off. First, some state attorneys general read privacy policies during telemarketing complaint investigations. A policy that says nothing about DNC compliance reads like a company that never thought about it. Second, when a consumer on the do not call list sues you, a policy that described a DNC compliance process, and records showing you followed it, is useful evidence.

The language does not need to be long. Something like: "We maintain an internal do-not-call list and scrub all call lists against the National Do Not Call Registry before initiating outbound telemarketing calls. To be added to our internal do-not-call list, contact us at [address/email/phone]." That covers it.

For high-volume outbound teams, the DNC-TCPA intersection is where a lot of lawsuits actually start. The do not call telemarketer list obligations sit apart from TCPA consent rules, and a good privacy policy acknowledges both frameworks exist.

How should privacy policy language handle data retention and consent records?

Consent records are your main defense in a TCPA lawsuit. The FTC's Telemarketing Sales Rule requires businesses to keep evidence of consent and telemarketing transactions for 24 months [9]. The TCPA does not set a retention period, but courts apply a 4-year statute of limitations to TCPA claims under 28 U.S.C. § 1658, so you want records reaching back at least that far.

Your privacy policy should state: how long you keep consent records, what those records include (timestamp, IP address, form version, the phone number submitted, the exact disclosure text shown at the time), and who can access them internally.

This is defense preparation, not decoration. If a plaintiff claims they never consented and you can produce a timestamped server log showing their IP submitted the form at 2:47 PM on a given date, alongside the exact disclosure that was live on the page that moment, your attorney has something real to work with. If you only kept form submissions for 90 days, you are exposed.

Version-control your consent forms too. The policy should note that disclosures get archived when updated, so for any lead you can pull the exact language in effect when they submitted. Tools that do this automatically earn their cost for any team running serious outbound volume.

LeadCompliant's compliance kit includes a consent record retention template and a list of required data fields. It is a reasonable starting point before you build your own system.

Are there state law requirements that go beyond the federal TCPA language?

Several states have passed their own laws demanding privacy policy language on top of what the TCPA and FCC rules require. Match your policy to where your leads come from.

Florida (FTSA). The Florida Telephone Solicitation Act, amended in 2021 and revised in 2023, sets its own written consent requirements for calls and texts using auto-dialers, and Florida plaintiffs use its private right of action constantly [10]. Florida-facing sites should have consent forms and policy language that specifically reference consent to auto-dialer use under Florida law, on top of federal law.

California (CCPA/CPRA). California's Consumer Privacy Act requires privacy policies to disclose the categories of personal information collected, why it is used, and the consumer's rights to opt out of sale or sharing. A phone number used for telemarketing is personal information under the CCPA, so if you collect California residents' numbers for outbound calling, your policy needs a CCPA section covering that data category [11].

Washington, Oklahoma, and Indiana have all passed state-level TCPA analogs in recent years with different private-right-of-action provisions. Check your state attorney general's website for current guidance.

Write your federal TCPA consent language first, then bolt on state-specific addenda for the states where your leads mostly originate. One privacy policy can handle this with clearly labeled sections: "California Residents," "Florida Residents," and so on.

StateLawKey addition beyond federal TCPA
FloridaFTSAWritten consent for auto-dialers; $500/call private right of action
CaliforniaCCPA/CPRAPhone number category disclosure; opt-out of sale rights
WashingtonWATAConsent required for automated texts; no prerecorded exemptions
IndianaIndiana TCPA (IC 24-5-14)5-year statute of limitations vs. federal 4-year

How often should you update your TCPA privacy policy language?

Review it every January, and again any time the FCC or a federal court drops major TCPA guidance. That is the honest rule. The FCC has issued significant TCPA orders in 2012, 2015, 2021, 2023, and 2024, roughly one every two to three years, and the pace has picked up.

The January 2025 effective date for the one-to-one consent rule (FCC 23-107) caught a lot of companies flat-footed, because they had not touched their privacy policies since 2020 or earlier [3]. Those companies now hold invalid consent for every lead captured through a multi-seller form, and the exposure stacks at $500 to $1,500 per text or call.

Set the calendar reminder. Every January, pull the FCC's TCPA guidance [1] and the FTC's Telemarketing Sales Rule page [9] to check for new orders. If you keep outside counsel for compliance, put them on retainer to flag rule changes as they happen, rather than reviewing documents only when you ask.

When you update, version it. Keep the old version live at a dated URL (for example, /privacy-policy-2023-01-01). That is what lets you prove, in litigation, exactly what a consumer agreed to on the day they gave you their number. A privacy policy with real version history is one of the cheapest forms of TCPA insurance you can buy.

What does a TCPA-compliant privacy policy section actually look like?

Here is a full model section you can adapt. This is not legal advice, and counsel should review it before you publish. It reflects current FCC requirements as of January 2025 [1][3][4].

---

Telephone and Text Message Communications

*Consent.* By providing your telephone number and submitting the form on [specific page URL or form name], you expressly consent to receive marketing calls and text messages, including messages sent using an automatic telephone dialing system or an artificial or prerecorded voice, from [Legal Entity Name] at the number you provided. You are not required to provide this consent as a condition of purchasing any goods or services from us.

*SMS program details.* If you enrolled in [Program Name], you can expect approximately [X] messages per month. Message and data rates may apply.

*Revocation.* You may revoke your consent at any time by: (1) replying STOP to any text message you receive from us; (2) calling us at [phone number]; or (3) emailing [email address]. We will honor your revocation within [timeframe, no more than 10 business days for calls, within one message cycle for texts]. Revoking consent does not affect the lawfulness of any communications made before we received your revocation.

*Records.* We retain records of your consent, including the timestamp, IP address, and the exact disclosure language you reviewed, for a minimum of five years.

*Do Not Call.* We honor registrations on the National Do Not Call Registry. To add your number to our internal do-not-call list, contact us at [address].

---

That section belongs under a clearly labeled heading in the main body of your privacy policy, not in a footnote or a click-to-expand accordion. For outbound cold calling and cold call use cases where voice consent is the main concern, make sure "automatic telephone dialing system" appears verbatim. That phrase is exactly what courts look for when they decide whether the disclosure was legally adequate.

The TCPA gives consumers a private right of action, and that is the real engine behind the litigation. 47 U.S.C. § 227(b)(3) says a person may "bring in an appropriate court of that State... an action to recover for actual monetary loss from such a violation, or to receive $500 in damages for each such violation, whichever is greater" [6]. Willful violations let a court treble that to $1,500 per call or text.

In a class action, those numbers move fast. A company that sends 100,000 texts under a defective consent form faces roughly $50 million in exposure at $500 per text, or $150 million if the court finds willfulness. The credit one tcpa settlement shows what large-scale TCPA exposure looks like when it actually resolves.

Defective consent language is one of the two most common paths to TCPA class certification. The other is calling numbers on the Do Not Call Registry. Because the flaw is identical across every contact made with the same broken form, certification comes easier here than in most statutory claims.

The single most cost-effective move for most outbound teams is fixing web consent forms and privacy policy language before scaling call or text volume. A proper consent audit costs a few thousand dollars. Getting it wrong at scale costs millions.

Frequently asked questions

No. A privacy policy alone cannot create consent. Consent has to come from an affirmative act by the consumer, like checking an unchecked box or clicking an agree button, at the point of data capture. The privacy policy supports consent by carrying the required disclosures, but a consumer who never saw or clicked anything about phone contact has not consented, no matter what the policy says.

No. The FCC's written consent standard requires an affirmative act, and a pre-checked box is not affirmative. Courts and the FCC have both been clear on this. The consumer has to manually check the box or take an equivalent action. A pre-checked box means any contacts made under that consent are legally the same as contacts made with no consent at all.

The consent has to cover the specific phone number the consumer submits on the form. Generic language like "the number on file" is weaker than "the number you provided in the field above." Courts look for evidence the consumer knew which number they were authorizing. The form should display or reference the number field directly inside the disclosure text.

The rule, effective January 27, 2025, means a single consent form can authorize calls or texts from only one named seller. Privacy policies that described consent as covering a list of marketing partners, or any unnamed affiliates, no longer support valid consent for those third parties. Any policy written before 2025 with broad third-party language needs rewriting, and the matching consent forms need restructuring.

Not legally, as long as one disclosure covers both and explicitly names both methods. But CTIA carrier guidelines for SMS require extra disclosures (program name, message frequency, STOP/HELP instructions, data rates notice) that do not apply to voice calls. In practice, most compliance attorneys recommend separate paragraphs for SMS and voice within the same consent section, so each medium's requirements are clearly met.

What revocation language does my privacy policy need after the FCC's 2024 order?

The FCC's 2024 revocation order, effective January 27, 2025, requires you to honor opt-out requests made through any reasonable means, including a spoken request during a call. Your policy should list at least three revocation channels (STOP reply for texts, a phone number, an email address) and state the timeframe for each. For texts, revocation should be immediate. For calls, honoring within 10 business days is the safe standard.

Is a mobile phone number treated differently than a landline in a privacy policy consent disclosure?

The TCPA's strongest protections apply to cell phones. Autodialed or prerecorded calls to residential landlines have protections too, but the statutory damages and consent requirements peak for cell numbers. Your privacy policy does not need to distinguish by number type in the consent text, but operationally you must scrub cell versus landline before using an autodialer, because the consent standard differs. See the mobile phone do not call list rules for that distinction.

The FTC's Telemarketing Sales Rule requires 24 months of record retention. The TCPA's statute of limitations is 4 years under 28 U.S.C. § 1658. To be safe, keep timestamped consent records, including the IP address, the form version, and the exact disclosure text shown, for at least 5 years. Your privacy policy should state this retention period, so consumers and courts can see your compliance process is systematic.

Does my privacy policy need to mention the National Do Not Call Registry?

Not strictly required by the TCPA, but a DNC section strengthens your compliance posture considerably. State attorneys general and plaintiffs' attorneys both read privacy policies during investigations. A policy that acknowledges DNC obligations and describes your scrubbing process signals a systematic compliance program, which bears on whether a violation was willful, and that distinction decides whether damages run $500 or $1,500 per contact.

The FCC requires disclosures to be "clear and conspicuous" but sets no font size. Courts have found disclosures in light gray text, smaller than the surrounding copy, or requiring scroll to see, are not clear and conspicuous. As a practical standard, use the same font size as your body text, place the disclosure immediately above or below the submit button, and keep enough color contrast to pass basic readability.

The TCPA's prior express written consent standard for autodialed and prerecorded calls to cell phones requires written consent, which the FCC defines to include electronic consent captured through a website form. Verbal consent over the phone does not meet the written standard for those call types. Your privacy policy governs web-collected consent. For phone-collected consent, you need a separate recorded consent process and storage mechanism.

Courts and plaintiffs treat inconsistency as a red flag. If the form limits consent to calls from your company and the policy extends it to affiliates, a plaintiff argues the consumer only authorized the narrower scope. The mismatch also dents your credibility as a defendant. Keep the language identical between the form disclosure and the policy, or have the policy state that the form disclosure controls for the specific program described.

Do B2B websites need TCPA-compliant privacy policy language for phone consent?

Generally yes. TCPA protections attach to the phone number, not the purpose of the relationship. If someone submits a cell phone number on a B2B lead form, that cell number carries TCPA protections even in a business context. The residential subscriber exemption for some landline rules does not save you on cell numbers. Most compliance attorneys recommend using the same consent language for B2B web forms as for B2C.

How should I handle privacy policy language if I buy leads from a third party?

Under the post-2025 one-to-one consent rule, you can only call or text a purchased lead if that lead's consent form specifically named your company. Relying on a lead vendor's generic privacy policy, or a consent form that listed dozens of partners, is no longer sufficient. Before buying leads, get a representation from the vendor that your company was named on the specific form the lead completed, and keep that documentation.

Sources

  1. FTC, Complying with the Telemarketing Sales Rule: Disclosures must be made in a clear and conspicuous manner before the consumer consents; buried or hard-to-find disclosures do not satisfy the standard
  2. U.S. Court of Appeals, Ninth Circuit, Van Patten v. Vertical Fitness Group (2017): Ninth Circuit held that TCPA consent must be knowing; a consumer who did not see a conspicuous disclosure cannot be said to have knowingly consented
  3. Cornell Law School Legal Information Institute, 47 U.S.C. § 227 (TCPA): 47 U.S.C. § 227(b)(3) provides $500 per violation, trebled to $1,500 for willful violations; the statute creates a private right of action
  4. FTC, National Do Not Call Registry: The National Do Not Call Registry prohibits most telemarketing calls to registered numbers; businesses must scrub lists against the registry
  5. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: The Telemarketing Sales Rule requires businesses to retain records of consent and telemarketing transactions for 24 months
  6. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida FTSA, amended 2021 and 2023, requires written consent for autodialed calls and texts to Florida residents and provides a private right of action at $500 per violation
  7. California Attorney General, California Consumer Privacy Act (CCPA): CCPA requires privacy policies to disclose categories of personal information collected, including phone numbers, and consumers' rights to opt out of sale or sharing
  8. Cornell Law School Legal Information Institute, 28 U.S.C. § 1658 (statute of limitations): Federal claims arising under statutes enacted after 1990, including TCPA claims, carry a 4-year statute of limitations under 28 U.S.C. § 1658

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit