Last updated 2026-07-09

TL;DR
TCPA compliance language is the written disclosure on your forms, sites, and messages that proves a consumer gave prior express written consent to receive autodialed or prerecorded calls and texts. The FCC requires it to name the seller, describe the message type, identify the phone number, state consent is not a purchase condition, and give an opt-out. Miss one element and the consent is legally worthless.
What is TCPA compliance language and why does every word matter?
TCPA compliance language is the specific wording you put in front of a consumer before you call or text them with an autodialer or prerecorded voice. It is the paper trail that proves you got real, informed consent. Without it, every autodialed or prerecorded message you send is presumed to violate 47 U.S.C. § 227, the Telephone Consumer Protection Act.
The stakes are not abstract. The TCPA sets statutory damages at $500 per negligent violation and up to $1,500 per willful violation, with no cap on class actions [1]. One bad batch of 50,000 texts can equal $75 million in exposure. Courts have held again and again that consent language with missing or ambiguous elements is no consent at all. The burden of proving consent sits entirely with the caller, never the consumer.
So the words you use, where you put them, and how a consumer interacts with them are compliance decisions before they are marketing decisions.
What does the FCC actually require in a TCPA consent disclosure?
The FCC codified "prior express written consent" in 47 C.F.R. § 64.1200(f)(9) [2]. For autodialed or prerecorded calls and texts to a cell phone, the rule says the agreement must be written (electronic signatures count under E-SIGN) and must do three things:
1. Be signed by the person being called 2. Expressly authorize the specific seller to deliver calls or texts using an automatic telephone dialing system or a prerecorded voice 3. Clearly disclose that the consumer is not required to sign, or to agree to receive messages, as a condition of buying any property, goods, or services
The FCC's 2012 order implementing the rule said the disclosure must include "the telephone number to which the signatory authorizes such calls to be made" [2]. That matters. A generic opt-in that never identifies the consented number has been challenged in court.
Here are the four elements in plain English. Name the company. Describe what you will send (autodialed texts, prerecorded calls, or both). State the phone number being consented. Say consent is not a purchase condition. Miss one and plaintiff's counsel will find it.
One wrinkle: for live, manually dialed calls to cells, the standard drops to "prior express consent," no written form required. Most teams collect written consent for everything anyway, so they never have to argue that line under litigation pressure.
What does compliant TCPA consent language actually look like?
Here is a template that covers the FCC's required elements. Treat it as a starting point, not legal advice, and have counsel review the final wording for your use case.
---
Web form checkbox (not pre-checked):
"By checking this box and submitting my phone number above, I authorize [Company Name] to contact me at the number provided using automated dialing technology or prerecorded voice messages about [describe: quotes, promotions, account updates, etc.]. I understand that my consent is not a condition of any purchase. Message and data rates may apply. I can opt out at any time by replying STOP."
---
Look at what that language does. It names the specific company. It ties consent to the number provided above. It names the technology, automated dialing or prerecorded voice. It carves out the purchase condition. It gives an opt-out path. Five jobs, one sentence block.
Lead generation forms raise the bar. In late 2024 the FCC adopted a "one-to-one" consent model, meaning a lead gen form could not bundle consent for a list of sellers under one checkbox. Each seller had to get consent on its own [3]. That rule drew legal fire and the Eleventh Circuit vacated it before the January 2025 effective date, so confirm the current status before you build forms around it [3].
SMS marketing carries a second layer. CTIA guidelines and the carriers also want a clear program description, a message frequency disclosure, and opt-out and help keywords. Those run parallel to TCPA rules, not instead of them. Our piece on text message marketing covers how the layers stack.
What are the required elements of a TCPA-compliant opt-out notice?
Opt-out language is the other half of the job. Getting consent matters. Honoring revocation matters just as much. The TCPA gives consumers the right to revoke consent through any reasonable means, a reading the FCC formalized in its 2023 declaratory ruling [4].
For SMS programs, carriers require that STOP (and variants like STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT) trigger an immediate opt-out plus one confirmation text. A common confirmation reads:
"You've been unsubscribed from [Company Name] messages. No more messages will be sent. Reply START to resubscribe."
For phone calls, the FCC requires interactive voice response systems to honor opt-out requests during the call and to process them within a reasonable time [4]. The FCC's 2023 declaratory ruling made clear consumers can revoke consent verbally on a call, by text, or in writing, and callers cannot force a specific revocation method by contract [4].
This is where most teams slip. They make opting out of texts easy but ignore a spoken request mid-call, or they bury a 30-day processing window in the terms. Both are trouble. When a court or the FCC reviews a complaint, they ask whether the contact actually stopped, not whether you technically had a mechanism on paper.
How should TCPA consent language appear visually on a webpage or form?
The FCC's rules require consent to be unambiguous, and courts read that word through the eyes of an ordinary consumer looking at your page. Several cases have turned on how the consent language looked, not what it said.
What courts have rewarded:
- The checkbox is unchecked by default. A pre-checked box is not valid TCPA consent because the consumer never affirmatively acted [5].
- The consent language sits right next to the checkbox, not inside a hyperlinked terms document a scroll away.
- The font is readable. Courts have flagged type below 12pt as a factor in whether consent was clear and conspicuous.
- The disclosure is visible without extra clicks on both desktop and mobile.
The FTC, which enforces telemarketing rules under the TSR, has called out fine-print consent in enforcement actions, and TCPA plaintiffs borrow the same arguments [5]. A blunt test: if a consumer could sign up without their eyes ever crossing the consent language, your form is exposed.
Third-party lead forms (co-registration, aggregators) are the danger zone because you often cannot control what the page looks like. Insist on reviewing the live form URL before you buy, and save that review. Courts have found that buying leads where the consent language was buried or missing puts liability on the buyer for the calls that follow [5].
What TCPA language is required in the actual text messages you send?
Past the intake form, the messages themselves need certain elements. CTIA carrier guidelines, enforced at the network level, can get your short code or 10DLC number suspended if you skip them. Here is what belongs where:
| Element | Required in | Notes |
|---|---|---|
| Program / brand name | Initial welcome message | Must identify sender |
| Message frequency | Welcome message | "Up to 4 msgs/month" |
| "Msg & data rates may apply" | Welcome message | Standard carrier requirement |
| STOP opt-out instruction | Welcome message + periodic reminders | Must respond to STOP |
| HELP instruction | Welcome message | Must respond with contact info |
| Opt-out confirmation | Triggered by STOP reply | One message, then silence |
The statute itself does not spell out these message elements. The mandate comes from FCC rules on abandoned calls, the TSR, and CTIA operating guidelines [6]. In practice, skipping them invites carrier suspension and hands plaintiffs evidence that your program was never properly disclosed.
One issue shows up in complaint after complaint: sending messages after a STOP reply. Courts treat each post-opt-out message as a separate willful violation, so $1,500 each [1]. A sending system that does not process STOP replies in real time is a live liability. Even a 24-hour lag has produced lawsuits.
Does TCPA compliance language differ for B2B outreach versus consumer calls?
The TCPA attaches to the phone number, not the job title of the person holding it. Call a cell phone and the same prior express consent rules apply whether the owner runs a one-chair dental office or a Fortune 500 division.
The real B2B difference lives on landlines. Autodialed or prerecorded calls to business landlines generally need only prior express consent (the lower, non-written standard), not written consent, unless the call falls under the TSR as a commercial solicitation [7]. And because business landlines are not personal cell phones, the DNC protections built for residential lines do not reach them.
Most B2B sales teams calling cell phones are exposed and have no idea. The number looks like a business contact pulled off LinkedIn, but if it is a cell and they run it through a predictive dialer, they need written consent or a genuinely manual process that uses no ATDS. What counts as an ATDS shifted after Facebook v. Duguid in 2021, where the Supreme Court held the term covers only equipment that uses "a random or sequential number generator" [11]. The definition narrowed. The litigation did not vanish.
For how fast the numbers add up in real cases, see the UnitedHealthcare $2.5M TCPA settlement and the Albertsons/Safeway settlement.
What are the most common mistakes in TCPA consent language?
Read enough public complaints and settlement filings and the same errors repeat.
1. Vague identification of the caller. "You may be contacted by our partners" does not name the specific seller the rule requires. After the FCC's 2024 one-to-one guidance (now vacated, status in flux [3]), this drew even more scrutiny.
2. No phone number reference. "I agree to be contacted" with no tie to the number on the form is weaker than it looks. Plaintiffs argue the consumer only meant email, or some other channel.
3. Consent buried in terms of service. Courts have rejected consent reachable only through a hyperlink, especially when the submit button never referenced it [5].
4. Pre-checked boxes. Not valid. Ever.
5. No opt-out stated. The FCC and CTIA both want a clear opt-out path. Leaving it out reads like a program built to trap people.
6. Mixing calls and texts without saying so. Want to call and text? Say both. If the language only mentions text messages, you likely have no TCPA cover for calls, and the reverse holds too.
7. Reusing a form after a rebrand or acquisition. Named-seller consent does not travel. Buy a book of leads and their forms named that company, not yours.
Settlements like the Credit One Bank TCPA case and the Truist Bank settlement usually trace back to a structural consent failure like these, not one rogue agent dialing at random.
How do state laws change what TCPA consent language must say?
Federal TCPA is a floor, not a ceiling. Several states have their own telemarketing and privacy laws that add disclosures or raise the bar.
California's CCPA and CPRA require businesses that sell or share personal data through their calling or texting to disclose that in the privacy policy, and sometimes at the point of collection [8]. If your lead form takes a phone number that then goes to buyers, California residents should arguably see a data-sharing disclosure separate from the TCPA consent.
Florida's Telephone Solicitation Act (FTSA), as amended in 2021, created a private right of action covering autodialed texts to Florida numbers. It requires prior express written consent for "unsolicited telephonic sales calls," and the damages track federal TCPA [9].
Washington runs its own automatic dialing statute (RCW 80.36.400) with a separate private right of action. Oklahoma, Texas, and others have their own telemarketing statutes on the books.
Here is the practical read. Call or text nationally and your consent language needs to clear the strictest state on your list. For most consumer-facing businesses that is California or Florida. Adding California and Florida disclosures to one national form beats maintaining a stack of state-specific versions.
How do you document and store TCPA consent records?
The burden of proof falls on the caller. You need to show, at the time of contact and for years after, exactly what consent language the consumer saw, when they submitted it, from what IP address, and on what device.
Minimum records to keep:
- The exact consent disclosure text at the time of opt-in (version-controlled, so you know what any form said on any date)
- The opt-in timestamp (UTC, not local time)
- The IP address of the submitting device
- The phone number submitted
- Any later opt-out events and their timestamps
Keep records at least four years, the federal statute of limitations for TCPA claims under 28 U.S.C. § 1658. Some practitioners hold five years for margin. California's CCPA limitation period is shorter, but the state can look further back on audit.
Buy leads from a third party and you need their consent documentation for every lead you contact. "The vendor said it was consented" is not a defense. Courts have found companies liable when they could not produce the actual record [5]. LeadCompliant's compliance kit runs pre-contact checks and keeps consent audit logs, which helps once you are handling any real volume.
Store records so they export to a spreadsheet or PDF fast. TCPA cases move quickly at discovery, and your legal team will need the files within days.
What TCPA language protects you on prerecorded voicemail drops?
Ringless voicemail (RVM), where a message lands in the voicemail box without the phone ringing, has drawn heavy TCPA litigation. The FCC has not issued one definitive ruling classifying all RVM as calls, but the weight of case law treats them as calls when they use ATDS equipment or deliver a prerecorded voice [10].
If you send prerecorded voicemail, your consent language has to authorize prerecorded voice messages specifically, more than "calls." Language that only says "autodialed texts" does not cover a voicemail drop.
The FCC requires prerecorded commercial messages to state the business name and telephone number at the start and end of the message [4]. That is a disclosure inside the message itself, separate from the consent you collected upfront. Both are required.
One more thing. DNC rules apply to prerecorded calls the same way they apply to live ones. If the number sits on the National Do Not Call Registry and you have no established business relationship or written consent, the prerecorded message violates the TCPA no matter how clean your consent language was elsewhere.
What should TCPA compliance language look like for cold outreach to purchased lists?
This is the hardest spot for outbound teams. You bought a list, those people never touched your company, and you want to call or text them. What is the compliance picture?
For autodialed or prerecorded calls or texts to cell phones, you need prior express written consent from those specific people to your specific company. A vendor calling them "opted-in leads" is only as good as the records they can produce. No form language, no timestamp, no IP means no consent.
For live, manually dialed calls to cell phones, you need prior express consent, which can be implied in narrow cases (an existing customer relationship, a number posted publicly for business). Hard to lean on for a cold list.
For calls to residential landlines, the DNC Registry rules govern. If a number is registered and you have no established business relationship (within 18 months of a purchase or 3 months of an inquiry) or written consent, calling is a violation [7].
Honest take: purchased lists for autodialed or prerecorded outreach to cell phones are nearly impossible to use in a fully compliant way unless the vendor collected written consent naming your company. Most did not. Use purchased lists for manual-dial, human-only outreach or for direct mail, and build your own consent-based database for the automated channels. The Cash App TCPA settlement and Kaiser TCPA settlement show what happens when big companies fail this test.
What should you do right now to audit your existing TCPA language?
A checklist you can run today:
1. Pull every intake form, landing page, and checkout flow that collects a phone number. Screenshot each with the consent language visible.
2. Check each against the four required elements: named company, technology description, phone number reference, purchase-not-required statement.
3. Confirm the checkbox is unchecked by default, sits next to the consent text, and is not buried in a linked terms document.
4. Read your SMS welcome message for STOP, HELP, frequency, and data-rate disclosures.
5. Test your opt-out. Text STOP right now. What happens, and how fast?
6. Review your lead vendor contracts. Do they warrant the specific consent language? Do they indemnify you if consent turns out defective? If not, that is a commercial and legal conversation to have this week.
7. Confirm your retention policy covers at least four years of consent records with the fields listed above.
LeadCompliant's free TCPA consent checker and compliance kit walk this same audit and flag common gaps before they turn into complaints. Worth running even if you think your forms are clean.
For updates as the rules move, bookmark our TCPA news hub and watch the Eleventh Circuit and FCC on the one-to-one consent fight.
Frequently asked questions
Does TCPA consent language need to be in writing for every type of call?
No. Prior express written consent (the stricter standard) is required for autodialed or prerecorded calls and texts to cell phones. For live, manually dialed calls to cell phones, prior express consent without a written form is technically enough. For residential landline calls, the DNC rules do most of the work. In practice, collecting written consent for all channels is the safer default since it meets the highest standard across the board.
Can I copy TCPA consent language from a competitor's website?
You can use another company's language as a model, but copying it verbatim is risky for two reasons. Their language may not be compliant. And your consent must name your specific company, so a form that names someone else is not valid consent for your calls. Use any template as a structural reference, have counsel review it, and customize it with your company name and the exact communications you plan to send.
What happens if my TCPA consent language is missing the 'not a condition of purchase' statement?
The consent is likely invalid under 47 C.F.R. § 64.1200(f)(9), which explicitly requires that statement. Without it, any autodialed or prerecorded call or text made in reliance on that consent is a potential TCPA violation. Each violation can cost $500 to $1,500 in statutory damages, and class actions aggregate those amounts across every contact made.
How long do I need to keep TCPA consent records?
The federal statute of limitations for TCPA claims is four years under 28 U.S.C. § 1658. Keep records at least that long. Many teams hold five years for margin. Records should include the exact consent language shown, the timestamp, the IP address, the phone number, and any later opt-out events. Courts have rejected verbal or reconstructed consent records.
Does a consumer checking a box on a mobile app count as TCPA prior express written consent?
Yes, if the form meets every requirement. Electronic signatures satisfy the written consent requirement under the E-SIGN Act (15 U.S.C. § 7001). The checkbox must be unchecked by default, the consent language must be visible and adjacent, and all four required elements must be present. Mobile forms often fail on font size and on how far the disclosure sits from the checkbox.
If a consumer gives consent and then revokes it verbally on a call, is that revocation valid?
Yes. The FCC's 2023 declaratory ruling confirmed consumers can revoke TCPA consent through any reasonable means, including verbally during a call. Callers cannot contractually limit revocation to a specific method. Once a verbal revocation comes in, you must stop contacting that number. Continued contact after a verbal opt-out is treated as willful, which raises the penalty to $1,500 per violation.
Can one consent form cover calls from multiple companies?
This was the target of the FCC's 2024 one-to-one consent rule, which said a single checkbox could not bundle consent for multiple sellers, so each seller needed its own consent. The Eleventh Circuit vacated that rule before it took effect in January 2025, so its enforcement status is unsettled. Check the latest FCC and court rulings before designing lead gen forms around multi-seller consent.
What TCPA language do I need inside the actual text messages, beyond the intake form?
CTIA and carrier guidelines require the initial welcome message to include your brand name, message frequency, 'Msg & data rates may apply,' STOP opt-out instructions, and a HELP response option. An opt-out confirmation must follow any STOP reply with one message and then silence. These run parallel to your intake form consent; both must be met for a compliant SMS program.
Does TCPA apply to B2B text messages sent to business phone numbers?
TCPA protections attach to the number, not the person's business status. If you are texting a cell phone number (even one from a business card or LinkedIn profile), TCPA applies. Autodialed or prerecorded texts require prior express written consent. Live manual outreach to a true business landline has a lower consent threshold, but most 'business' numbers in sales databases are cell phones.
What is the difference between TCPA consent language and a privacy policy?
They are different documents doing different jobs. TCPA consent language is the specific disclosure at the point of opt-in that authorizes a particular company to make automated or prerecorded contact. A privacy policy explains data collection and use broadly. TCPA consent cannot be buried inside a privacy policy and called valid; it must be a clear, affirmative, specific disclosure at the moment of data collection.
Are there TCPA safe harbor provisions that protect companies even if their consent language is imperfect?
There is a limited safe harbor for calls to reassigned numbers under the FCC's Reassigned Numbers Database, if you check the database before calling. There is no broad safe harbor for defective consent language. The FCC and courts have not created a good-faith carve-out for forms that miss required elements. The real protection is language that meets all four required elements from day one.
How do state laws like Florida's FTSA change what my consent language must include?
Florida's FTSA requires prior express written consent for unsolicited telephonic sales calls using an autodialer to Florida numbers, with its own private right of action. California's CCPA may require disclosures about data sharing at the point of collection if that data is sold. Have your consent language reviewed against the strictest state on your calling list. National campaigns usually end up governed by California or Florida in practice.
What should I do if I purchased leads and cannot verify the consent language used?
Do not use those leads for autodialed or prerecorded calls or texts to cell phones. Request the actual consent records from the vendor. If they cannot produce them, your options are manual-dial, human-only outreach, which lowers but does not erase risk, or scrubbing those leads from your automated campaigns entirely. 'The vendor assured me it was compliant' is not an accepted legal defense in TCPA litigation.
Sources
- Cornell LII, 47 U.S.C. § 227 (TCPA statute text): TCPA statutory damages are $500 per violation for negligent violations and $1,500 per willful violation, with no cap on class actions
- FCC, 47 C.F.R. § 64.1200 (FCC rules implementing TCPA): Prior express written consent requires a signed agreement naming the seller, authorizing autodialed or prerecorded contact, identifying the phone number, and stating consent is not a condition of purchase
- FTC, Telemarketing Sales Rule compliance guidance: Pre-checked boxes do not constitute valid consent; consent buried in hyperlinked terms without adjacent disclosure is insufficient; buying leads without consent records makes the buyer liable
- FTC, National Do Not Call Registry information: Established business relationships cover purchases within 18 months or inquiries within 3 months; business landlines do not receive DNC protections that apply to residential lines
- California Attorney General, CCPA regulations overview: California CCPA/CPRA requires businesses sharing personal data (including phone numbers) with third parties to disclose that fact at or before the point of collection
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059 F.S.: Florida FTSA as amended in 2021 requires prior express written consent for autodialed texts to Florida numbers and creates a private right of action mirroring federal TCPA damages
- Supreme Court of the United States, Facebook v. Duguid, 592 U.S. 395 (2021): Facebook v. Duguid narrowed the ATDS definition to equipment that uses a random or sequential number generator, reducing but not eliminating TCPA exposure for predictive dialers
- Cornell LII, Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001: E-SIGN Act establishes that electronic signatures satisfy written consent requirements, making web form checkboxes valid as TCPA written consent