TCPA consent obtained via chatbot: is it valid?

Chatbot TCPA consent can be valid, but the FCC's 2024 one-to-one consent rule changes everything. Learn exactly what your chatbot disclosure must say.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-11

Hands on a laptop keyboard beside a smartphone on a wooden desk in warm office light
Hands on a laptop keyboard beside a smartphone on a wooden desk in warm office light

TL;DR

Chatbot consent for TCPA-regulated calls and texts can be legally valid, but only if it meets the same express written consent standards as any other digital opt-in: clear disclosure of autodialer use, the specific seller named, and an affirmative consumer act. The FCC's 2024 one-to-one consent rule, effective January 27, 2025, tightened this significantly.

You need prior express written consent before you send autodialed or prerecorded marketing calls or texts to a cell phone. That standard comes from 47 U.S.C. § 227(b)(1)(A) and the FCC's implementing rules at 47 C.F.R. § 64.1200 [1]. No shortcuts.

The FCC's regulation defines prior express written consent as "an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice." The regulation also says the written agreement must include the telephone number to which calls or texts may be sent [2].

Three things fall out of that definition. The consent has to be in writing, but the FCC treats electronic records as satisfying that under the E-SIGN Act. The consumer has to clearly authorize the specific seller. And the seller has to be identified before the consumer acts, not buried in a terms-of-service link after the fact.

A chatbot is just a channel. It is not legal or illegal on its own. What matters is whether the interaction produces a record that hits all of those elements. If your chatbot collects a phone number and shows a compliant disclosure above a submit button, and the consumer types an affirmative reply or clicks, you have a written electronic agreement. If the chatbot grabs a phone number with no disclosure at all, you have nothing worth keeping.

Yes. The FCC addressed electronic records in its 2012 order updating the prior express written consent rules, and the agency has never required a wet-ink signature or a traditional paper form [3]. The E-SIGN Act, 15 U.S.C. § 7001, treats electronic signatures and records the same as paper ones under federal law, and that includes the TCPA [9]. So a consumer typing "yes" or clicking a button in a chatbot window is legally the same as signing a paper form, as long as the underlying disclosure meets the substantive requirements.

The hard part is documentation. A paper form is a physical artifact you can hold up. A chatbot forces you to capture and store the full session transcript, the exact disclosure text that was displayed, the timestamp, the IP address, and the phone number the consumer entered. Courts and the FCC have said again and again that the burden of proving consent sits with the caller, never the consumer [4]. If your logging system stores only the phone number and not the full conversation context, you cannot prove what disclosure the consumer actually saw.

Session recording is not optional. It is the evidence. Treat it that way from day one.

This is the change that caught most teams off guard. In December 2023, the FCC issued a Report and Order (FCC 23-107) that took effect January 27, 2025 [5]. The rule requires that prior express written consent name the specific seller who will contact the consumer. One broad disclosure covering a network of lead buyers, affiliates, or marketing partners no longer works.

Before this rule, a lead generation chatbot commonly said something like "By submitting your number you agree to be contacted by our partners about products and services." Plenty of practitioners considered that compliant. Under the 2025 rule, that exact disclosure is invalid. Each seller has to be named in the consent, and the consumer has to affirmatively consent to each one, one at a time.

That shift hits chatbot deployments in a few specific ways. If you are a lead buyer purchasing chatbot-sourced leads from a third-party generator, you need to verify that the disclosure the consumer saw named your company specifically. If you are the chatbot operator selling leads to multiple buyers, you need either a separate disclosure and opt-in action for each buyer, or you stop selling to parties who were not named at the time of consent. The FCC order also requires that consent be "logically and topically associated" with the website or chatbot where it is obtained, so a financial services chatbot cannot collect consent for home improvement calls [5].

The FCC built this rule to close the lead generation loophole that let a single opt-in flood consumers with calls from dozens of unrelated companies. The rule does not ban chatbot consent. It just requires each seller relationship to be disclosed and accepted on its own.

TCPA chatbot consent: key thresholds and penalties Federal standards as of January 27, 2025 500 Minimum penalty per violati… (negligent) 1,500 Maximum penalty per violati… (willful) 5 Recommended consent record… (years) 1 Sellers that can share one blanket consent (post-J… Source: FCC 47 C.F.R. § 64.1200; 47 U.S.C. § 227 [1][2]

There is no single FCC-approved script, but the requirements are specific enough that you can build one yourself. Your disclosure has to do several jobs before the consumer submits a phone number.

It must identify the seller by legal name. Not a brand name if the legal entity is different, and not a vague phrase like "our partners." After January 27, 2025, only named sellers can use that consent [5].

It must say the consumer is agreeing to receive calls or texts using an automatic telephone dialing system or prerecorded messages. The statute uses that language for a reason. Courts have found that generic wording like "you may be contacted" fails the specificity requirement.

It should state that consent is not a condition of buying anything. The FCC's 2012 rule flat-out requires this statement [2].

It needs to reference that the consumer's phone number is being submitted for this purpose.

A workable disclosure reads something like: "By clicking Submit, you agree that [Company Legal Name] may contact you at the phone number provided using automated dialing technology or prerecorded messages for marketing purposes. Consent is not required to make a purchase."

Keep it above the button. Never below. Courts have thrown out disclosures placed after the action the consumer takes, because a consumer cannot have agreed to something they had not yet read. This is a layout decision with legal consequences.

Case law on chatbot-specific consent is still young, but courts apply the same validity tests they use for web forms and landing page opt-ins. The question in every case is whether the consumer had clear and conspicuous notice of what they were agreeing to before they acted.

In Berman v. Freedom Financial Network, the Ninth Circuit held in 2022 that an opt-in disclosure was unenforceable because it was not clear and conspicuous, even though it was technically on the page [6]. The court looked at font size, placement, and whether a reasonable consumer would have noticed it. Berman was an arbitration case, not a chatbot case, but the clear-and-conspicuous standard it set applies directly. A chatbot that buries the disclosure in a wall of text inside a small chat window has the exact same problem.

Courts have also scrutinized whether the consumer's affirmative action was actually tied to the consent. Say a consumer is chatting with a bot about scheduling an appointment, and the consent language shows up somewhere else in the session without being connected to a specific action. That consumer can argue they never agreed to marketing calls at all. The consent has to be unambiguous, meaning the consumer's act (clicking, typing, submitting) has to be clearly tied to the disclosure.

Plaintiffs' attorneys hunt for exactly this disconnect. If your chatbot asks for a phone number as step one, collects it, then shows the disclosure as step three, you have a sequencing problem. The disclosure has to come first and gate the submission, not trail behind it.

The FTC's Telemarketing Sales Rule and FCC guidance both put the burden of proving consent on the company making the call or sending the text [4][11]. In practice, you have to be able to reconstruct the exact consent experience a specific consumer had on a specific date.

Minimum records for each chatbot consent event:

Record elementWhy it matters
Full chat transcriptShows the exact disclosure text the consumer saw
Timestamp (UTC)Proves consent predates the contact
IP addressTies the session to a specific device/location
Phone number submittedMust match the number you are calling
Disclosure version hash or screenshotProves the live disclosure matched your records
Source URLRequired for "logically and topically associated" showing
Session IDLinks all elements together

Store these records for at least four years. That matches the longest limitations period plaintiffs have argued applies to TCPA claims, though the statute itself sets no retention period. Some defense attorneys push for five years.

If you use a third-party chatbot vendor, get it in writing that they retain and can produce session-level logs. Do not assume this is standard. Many platforms keep conversation data for 30 to 90 days by default, which is useless for TCPA defense. Change those settings before you go live. Your vendor contract should spell out their log retention obligations.

Does it matter if the chatbot is AI-powered versus a simple decision-tree bot?

From a pure TCPA consent standpoint, the underlying technology does not change the legal test. The FCC evaluates the consent record, not the architecture that generated it. Whether a large language model or a simple if-then flow collected the phone number, the same disclosure requirements apply.

That said, AI-powered chatbots bring new practical risks. A generative bot might phrase the consent disclosure differently every session, or it might answer a consumer's questions about consent in ways that create ambiguity. If a consumer asks your AI bot "do I have to agree to this?" and the bot says something misleading, you have a real problem. Keep consent disclosure language locked and hard-coded. Do not let the AI rephrase it. Ever.

AI bots also create documentation headaches. If the model generates a slightly different disclosure each time based on conversational context, you cannot point to a single canonical disclosure text. Version control and hashing matter more, not less, with AI-powered flows.

For TCPA purposes, the safest chatbot design uses a hard-coded, static consent block that appears at a fixed point in every relevant flow, no matter how the AI handles the rest of the conversation. The consent moment is too legally sensitive to let a model improvise.

Yes, and consumers have broad rights to revoke consent in any reasonable manner. The FCC clarified this in a 2015 declaratory ruling and reinforced it in later orders. A consumer can revoke by texting STOP, calling in, emailing, or even saying so verbally on a recorded call [7].

The practical implication for chatbot-collected consent is that your revocation handling has to work across every channel, more than the chatbot. If a consumer texts STOP to a number, that revocation applies to all marketing messages from your company to that number, regardless of the channel they used to opt in. Siloing revocation data by channel is a common mistake with real legal exposure.

The FCC's 2024 rules also addressed revocation. Companies must honor opt-out requests within a reasonable time, which the FCC's 2024 revocation order set at no more than 10 business days after the request [7]. For SMS, the CTIA guidelines call for honoring STOP within one message cycle [10].

Document every revocation as carefully as you document every consent. The record that proves you honored a revocation fast is as important as the record that proves you had consent to begin with.

TCPA statutory damages are $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing ones [1]. Each individual call or text to a number without valid consent is a separate violation. Class actions stack these up fast.

The Cash App TCPA class action settlement and the Credit One TCPA settlement both show how quickly these cases scale. Credit One Bank agreed to pay $75 million to resolve allegations involving millions of calls. Cash App's settlement involved similar class-wide claims. Neither case was about a chatbot specifically, but both show what happens when consent recordkeeping fails at scale.

For smaller companies, even a few hundred calls without provable consent can create six-figure exposure. Add the plaintiff's attorney fees and costs on top. Defense costs alone, even for meritless claims, routinely run $50,000 to $150,000 before any judgment. That is the number that actually kills small outbound teams, not the jury verdict most of them never see.

The single best protection against all of it is a clean, retrievable consent record for every contact. Not a policy document saying you collect consent. The actual per-consumer record.

How do you audit your existing chatbot for TCPA compliance?

Start with the disclosure itself. Pull up the live chatbot flow and walk through it as a consumer would. Write down where the disclosure appears in the flow, whether it comes before or after the phone number field, how large the text is, whether it names your company specifically, whether it mentions autodialing and prerecorded messages, and whether it says consent is not a purchase condition.

If any of those are missing or out of order, fix them before anything else.

Next, test your logging. Submit a test phone number through the chatbot, then check your backend logs to confirm every element in the records table above got captured. If your vendor's dashboard will not show you full transcripts, contact them today. If they cannot produce session-level logs at all, that is a vendor problem you need to solve or work around with a middleware logging layer.

Then check your post-January 27, 2025 exposure. If you share chatbot-sourced leads with any third party, confirm the disclosure the consumer saw named that party specifically. If it did not, those leads are compromised under the new FCC rule.

LeadCompliant has a free consent audit checklist that walks each of these steps with a printable worksheet, which beats building your own from the raw regulatory text.

Check your text message marketing compliance separately from your call compliance. The consent your chatbot collects may be fine for calls but formatted wrong for SMS under CTIA guidelines, or the reverse. Technically the same standard, evaluated differently in practice.

Are there state law requirements on top of the federal TCPA for chatbot consent?

Yes, and several states have piled on requirements above the federal floor. Florida, Oklahoma, and Washington all amended their telemarketing statutes in 2021 and 2022 with stricter consent or registration rules [8]. California's Automatic Renewal Law adds disclosure obligations for subscription products marketed digitally, which can overlap with chatbot flows.

Florida's Telephone Solicitation Act (FTSA), effective July 2021, added a private right of action and initially created confusion because it looked like it covered peer-to-peer texting and even one-to-one messages with no ATDS involved. Florida courts have since narrowed that reading, but the statute still draws heavy litigation.

Here is the practical point: complying with the federal TCPA is necessary but not enough. If you run outbound campaigns into specific states, read that state's telemarketing law. This matters most for chatbot-sourced leads, where you often do not know the consumer's state at the time of collection. A phone number's area code is not a reliable state indicator for mobile numbers.

If your chatbot sits on a landing page that targets consumers nationwide, the safest move is to apply the strictest applicable standard across the board rather than juggle state-specific disclosures based on IP geolocation.

What should you do if someone claims they never consented through your chatbot?

Pull the record first, before you respond to anything. Locate the session log for that consumer's phone number, verify the transcript, timestamp, and disclosure version, and confirm the submission event is in your database.

If you have a complete record, you are in a defensible position. Respond to any demand letter or complaint with the documentation. Do not destroy or alter records once a consumer has raised a dispute, ever, because that creates spoliation exposure on top of the underlying TCPA issue.

If you do not have a complete record, or the record shows the disclosure was deficient, talk to a TCPA defense attorney before you respond. Do not send a form denial. Do not admit anything in writing. The pre-litigation demand letter stage is often where these cases settle or disappear, and your response sets the tone for everything that follows.

For ongoing cold calling and outbound SMS programs, build a process for handling these disputes before they happen. Know who pulls the records, who reviews them, and who talks to the consumer. Having that protocol documented in advance makes the handling faster and less likely to add exposure through delay.

Frequently asked questions

Is a chatbot opt-in valid for TCPA purposes without a human reviewing the consent?

Yes. Nothing requires a human to review or approve each consent event. What matters is that the automated system produces a record meeting all FCC requirements: named seller, disclosure of autodialing or prerecorded messages, a statement that consent is not a purchase condition, and an affirmative consumer act. Fully automated chatbot consent collection is fine as long as the documentation is complete and retrievable.

The rule applies to all lead generation contexts where prior express written consent is claimed, including chatbots. It took effect January 27, 2025. Any chatbot collecting consent for multiple sellers or a lead buyer network must now name each seller and require individual opt-in actions for each. Blanket "our partners" language no longer satisfies the standard under FCC 23-107.

No. Typing a phone number into a chatbot is not consent by itself. The consumer also has to see a clear disclosure, before that action, that names the seller and describes autodialed or prerecorded contact. The disclosure must precede the submission, not follow it. Courts have rejected consent claims where the disclosure came after the consumer submitted the number.

The TCPA specifies no retention period. Most TCPA defense attorneys recommend keeping consent records for at least four to five years, covering the longest limitations period plaintiffs have argued applies. The full session transcript, disclosure version, timestamp, IP address, and phone number should all be included. Many chatbot platforms default to much shorter retention windows, so you have to configure this manually.

Prior express written consent is the stricter standard for autodialed or prerecorded marketing calls and texts to cell phones. It requires a signed (including electronic) agreement that identifies the seller, authorizes autodialed or prerecorded contact, and includes the phone number. Prior express consent (without the "written" qualifier) applies to informational or transactional autodialed calls to cell phones, with a lower documentation threshold.

A single chatbot disclosure can cover both calls and texts if it explicitly mentions both. The FCC does not require separate opt-ins for each channel. Your disclosure should say something like "automated telephone calls or text messages" so both are covered. If your disclosure names only one channel, consent for the other is not established.

Does a consumer have to say "yes" explicitly in a chatbot to give valid TCPA consent?

Not necessarily. The FCC requires an affirmative act but does not mandate a specific word. Clicking a clearly labeled submit button after reading a compliant disclosure is an affirmative act. Typing a phone number into a submission field that immediately follows a compliant disclosure is generally treated the same. What is not valid: passively viewing a chatbot with no submission action, or a disclosure that requires opt-out rather than opt-in.

If you buy leads where the consumer used a chatbot to opt in, are you covered?

Only if the disclosure the consumer saw named your company specifically, which has been required since January 27, 2025 under FCC 23-107. For leads generated before that date, apply the prior standard but verify the disclosure was otherwise complete. For leads generated after, require the lead generator to hand over the session transcript showing your company was named. Do not assume compliance without seeing the actual record.

Can an AI-generated chatbot response accidentally invalidate a consent?

Yes, if the AI rephrases or omits the consent disclosure, or answers consumer questions about consent in a misleading way. That is why consent disclosure language in AI chatbots should be hard-coded and never subject to LLM generation. Keep the consent block static and displayed at a fixed point in the flow. The AI can handle everything else, just not the legal disclosure.

Without a session transcript, you cannot prove what disclosure the consumer saw, which means you cannot prove valid consent. That leaves you exposed to the TCPA's statutory damages of $500 to $1,500 per call or text. At that point, defense cost alone may exceed what any reasonable settlement would cost. Missing logs turn a defensible case into a settlement-or-lose situation.

The TCPA's prior express written consent requirement applies to autodialed or prerecorded calls and texts to cell phones, whether the recipient is a business or a consumer. If you call a business prospect on their personal cell phone using an autodialer, the same standard applies. The B2B context does not create a blanket exemption. Calls to landlines for non-marketing purposes have a somewhat different framework.

Are there any safe harbors if you relied in good faith on a chatbot consent that later turns out to be invalid?

The TCPA has a limited safe harbor for calls to numbers reassigned after consent was given, but there is no broad good-faith defense for relying on deficient consent. Courts have generally rejected the argument that a company should escape liability because it thought its consent process was compliant. Getting the process right before you call is the only real protection.

The TCPA does not specifically require a privacy policy link in the consent disclosure. But several state privacy laws and the FTC's general deceptive practices framework may require it, especially if you collect data that will be shared with third parties. Including a privacy policy link is good practice, though its absence does not by itself invalidate TCPA consent.

Sources

  1. Cornell Law School LII, 47 U.S.C. § 227 (TCPA statute text): TCPA statutory damages are $500 per violation, up to $1,500 for willful violations; applies to autodialed or prerecorded calls to cell phones without prior consent
  2. Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200: FCC definition of prior express written consent, including requirement that the agreement identify the seller and state that consent is not a condition of purchase
  3. FCC, In the Matter of Rules and Regulations Implementing the TCPA (2012 Report and Order, CG Docket No. 02-278): FCC established prior express written consent rules in 2012, accepting electronic records as satisfying the written requirement
  4. FCC, Stop Unwanted Robocalls and Texts (consumer guidance): Burden of proving consent rests on the caller, not the consumer
  5. FCC, Report and Order FCC 23-107, In the Matter of Rules and Regulations Implementing the TCPA (One-to-One Consent Rule): FCC 2024 one-to-one consent rule effective January 27, 2025, requiring each seller to be named individually and consent to be logically and topically associated with the website where obtained
  6. U.S. Court of Appeals, Ninth Circuit, Berman v. Freedom Financial Network LLC (2022): Ninth Circuit held an online consent disclosure unenforceable because it was not clear and conspicuous, applying a reasonable consumer standard to font size and placement
  7. FCC, Declaratory Ruling and Order, CG Docket No. 02-278 (2015 TCPA Omnibus Order) and 2024 revocation order: FCC clarified consumers may revoke TCPA consent through any reasonable means, and 2024 rules require honoring revocation within no more than 10 business days
  8. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's 2021 FTSA amendment created a private right of action for automated telemarketing contact violations, going beyond the federal TCPA floor
  9. Cornell Law School LII, Electronic Signatures in Global and National Commerce Act (E-SIGN Act), 15 U.S.C. § 7001: E-SIGN Act treats electronic signatures and records as equivalent to paper ones for purposes of federal law, supporting electronic chatbot consent as valid written consent
  10. CTIA, Messaging Principles and Best Practices: CTIA guidelines require honoring SMS STOP opt-out requests within one message cycle
  11. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Telemarketing Sales Rule places record-keeping obligations on sellers and requires maintenance of consent documentation

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit