Last updated 2026-07-09

TL;DR
TCPA-compliant web form consent needs a clear, written disclosure that names the company making calls or sending texts, describes the automated dialing or prerecorded messages, states the number being consented to, and tells the consumer they don't have to consent to buy anything. The FCC's one-to-one consent rule, effective January 27, 2025, also requires each seller be named individually on the form.
What does TCPA consent language on a web form actually have to say?
The consent has to be clear and conspicuous, written, and given before you make the first autodialed or prerecorded call or text to that person's cell phone. That comes straight from 47 U.S.C. § 227(b)(1)(A), which bars using an automatic telephone dialing system or prerecorded voice to call a cellular number without "prior express written consent of the called party." [1]
The FCC spelled out what "written consent" means in its 2012 omnibus TCPA order (FCC 12-21). Four things have to happen at once. The consumer gets a clear and conspicuous disclosure that they'll receive autodialed or prerecorded calls. The disclosure states that consent isn't a condition of purchase. The consumer takes an affirmative step to sign (a checked box or typed signature counts). And the disclosure comes before consent is obtained. [2]
So the form has to do all four. Most web forms miss at least one.
The usual failure is a consent block hidden inside a terms-of-service link. Courts have said over and over that this doesn't clear the "clear and conspicuous" bar.
What is the exact word-for-word consent language that satisfies TCPA?
No agency publishes a mandatory template. The FCC sets the legal standard. Your lawyers write the specific words. But the requirements are precise enough that you can build a reliable block. Here's a fully compliant example based on the statute and FCC guidance, then a breakdown of every phrase and why it's there.
---
Example compliant consent block:
"By submitting this form, I authorize [COMPANY NAME] to contact me at the phone number provided above using automated dialing technology, prerecorded voice messages, and/or SMS text messages for [PURPOSE, e.g., 'marketing and informational purposes related to its products and services']. I understand that my consent is not required as a condition of purchasing any goods or services. Message and data rates may apply. I may revoke this consent at any time by replying STOP to any text message or by contacting [COMPANY NAME] at [CONTACT METHOD]."
---
Now walk through every element.
"By submitting this form": This creates the affirmative action the FCC requires. The consumer does something, specifically clicking Submit, and that act is the signature. A pre-checked checkbox doesn't meet this standard on its own. [2]
"I authorize [COMPANY NAME]": You have to name the seller. A generic reference to "our partners" no longer cuts it. The FCC's December 2023 order (FCC 23-107) tightened this hard: as of January 27, 2025, each seller receiving consent must be identified individually and by name on the form. [3] If you're a lead generator passing data to three buyers, all three get named. This is the rule that broke most lead-gen consent forms overnight.
"at the phone number provided above": The number being consented to has to be identifiable. If the consumer typed their number into a field on the same page, referencing that field is enough. Some attorneys prefer to echo the actual number in the consent text with a JavaScript auto-fill, which makes it harder for a plaintiff to claim they didn't know which number was in play.
"using automated dialing technology, prerecorded voice messages, and/or SMS text messages": Name all three methods if you plan to use all three. Leave out "prerecorded voice messages" and then drop a voicemail, and that's a separate TCPA violation. Don't list only the channels you think you'll use today. List everything your platform might touch.
"I understand that my consent is not required as a condition of purchasing any goods or services": Not optional. The FCC explicitly requires this language. Word it differently if you want, but the meaning has to be there, and it has to be readable without clicking anywhere. [2]
"Message and data rates may apply": The CTIA Messaging Principles and Best Practices require this disclosure for SMS programs, and most wireless carriers enforce it. It's a CTIA requirement rather than a TCPA statutory one, but leaving it out creates carrier problems that can shut down your number. [4]
Revocation language: The FCC's 2024 one-to-one order also codified a consumer's right to revoke consent by any reasonable means. The statute and case law recognized this right for years, but the 2024 rules made it explicit that companies can't contractually restrict how a consumer revokes. [3] A STOP instruction plus a non-SMS revocation path (phone, email, web) is what plaintiff attorneys look for when they build a case.
How has the FCC's 2024 one-to-one consent rule changed the required language?
The FCC issued Report and Order FCC 23-107 in December 2023, and the one-to-one consent rule took effect January 27, 2025. [3] It changed two things that hit web form language directly.
First, the "logically and topically associated" requirement. Consent has to be for calls and texts from a seller whose products or services relate to the content of the page where consent is collected. A mortgage lead form can't bury consent for an auto insurance company in the fine print. The form's content and the company calling have to match.
Second, the one-to-one seller rule. Before this, a single consent block could say "our trusted partners" and name 50 companies in a linked PDF. Courts were already skeptical of that. The new rule just prohibits it. Each company that will contact the consumer must be named individually in the disclosure visible on the form. [3]
For lead generators, the operational fallout is real. You either collect separate, named consents for each buyer, or you limit consent to one buyer at a time. Many generators moved to a model where the consumer picks a specific company from a list, and only that company's name shows up in the consent text.
Getting this wrong costs money per call or per text: up to $500 per negligent violation and $1,500 per willful violation. [1] The TCPA math adds up fast.
Where exactly on the form does the consent language have to appear?
"Clear and conspicuous" is the statutory phrase, and it means the disclosure has to be hard to miss without actively looking away. The FCC and courts have drawn practical lines.
The consent text has to be visible without scrolling or clicking. A link to a terms-of-service page doesn't satisfy the requirement. Language below the Submit button, where the consumer might click before their eyes get there, has been found insufficient in multiple cases. The FTC's guidance on effective digital disclosures makes the same point: a disclosure hidden behind a link or below the fold isn't clear and conspicuous. [5] Courts weigh the physical proximity of the consent block to the submit action, the font size next to surrounding text, and whether color or styling buries it.
Put the consent block directly above or immediately next to the Submit button. Font size should be at least as large as the form label text, ideally the same as all other body copy. No gray on white. Don't italicize the block so it reads as an afterthought.
Some legal teams like "just above the button" placement with a checkbox that has to be clicked before Submit activates. Don't pre-check it. Pre-checked boxes aren't an affirmative act under the FCC's written consent standard. [2]
If your form spans multiple pages, the consent has to appear on the page where the consumer submits their phone number, or on a final confirmation page that loads before the data goes out. Consent language after the fact, in a confirmation email, does nothing.
What proof of consent do you need to keep, and for how long?
This is where most small teams get hurt. You need a complete, timestamped record of what language the consumer saw and what they did. More than a database row saying "consented: true." You need to reproduce the exact form the consumer saw, at the moment they saw it.
The minimum record captures: the consumer's name, the phone number consented, the date and time (with timezone), the IP address of the device, the URL of the page where consent was collected, and an archived copy or screenshot of the form as it appeared that day. If your form language changes, keep version history so you can prove what the consumer saw.
How long? The TCPA's statute of limitations is four years under 28 U.S.C. § 1658 for federal claims. Keep consent records at least five years to give yourself a buffer. [6] Some states run longer, so if you operate heavily in a place like California, check state law too.
LeadCompliant's compliance kit includes a consent-record checklist that walks through exactly what fields to log at form submission, which is the cleanest way to keep things from slipping through.
Storing this in your CRM isn't enough if the CRM doesn't capture form version and IP. Most CRMs grab the lead data and skip the consent metadata. You usually need a separate Jornaya or TrustedForm-style certificate, or a custom logging setup, to capture the full evidentiary record.
Do you need different consent language for calls versus texts?
Both calls using an ATDS and text messages to cell phones require prior express written consent under 47 U.S.C. § 227(b)(1)(A). [1] Same legal standard. The practical difference: the CTIA (the industry body for wireless carriers) has its own Messaging Principles that add SMS-specific requirements, and carriers can deactivate your short code or toll-free number if you break them. [4]
For SMS, your consent language should also include:
- Message frequency or an approximation ("Message frequency varies" or "Up to 4 messages per month")
- A HELP keyword and where to get help
- A STOP keyword for opt-out
- The "message and data rates may apply" statement
For voice calls with prerecorded messages, the message itself has to identify the caller by name and give a callback number per 47 C.F.R. § 64.1200(b). [7] The web form consent doesn't cover that. The call itself carries those disclosures.
Run both channels? List both in the consent block, like the example above. Getting SMS-only consent and then calling is a clear violation. The reverse, getting call-only consent and then texting, is just as bad.
Teams doing text message marketing at any scale should also know that state laws, especially Florida (FTSA) and Oklahoma, passed their own TCPA-style statutes with consent rules stricter than the federal baseline.
What makes a consent form legally invalid?
Courts and the FCC have been consistent about the failure modes. Here's what actually gets companies sued.
| Defect | Why it fails | Common example |
|---|---|---|
| Pre-checked checkbox | No affirmative act by the consumer | "I agree to be contacted" box already checked |
| Consent buried in T&S link | Not clear and conspicuous | "By submitting you agree to our terms" with hyperlink |
| Consent after Submit button | Consumer may not see it before acting | Fine print below the form's submit area |
| Generic partner language | Violates one-to-one consent rule (post-Jan 2025) | "Our trusted partners may contact you" |
| Missing no-purchase-required statement | Explicit FCC requirement omitted | Consent block with no opt-out language |
| Wrong phone number consented | Number not identifiable on the form | No reference to which number field applies |
| Consent not captured in records | No proof you obtained it | Lead stored without timestamp, IP, or form version |
The credit one TCPA settlement and the cash app TCPA class action settlement both turned, at least in part, on whether adequate consent was documented. Plaintiffs' attorneys know exactly which fields to hunt for in discovery. Incomplete logging means you negotiate from a weak spot.
One defect that doesn't automatically sink consent: minor typos or formatting errors in the consent text, as long as the meaning stays clear and all required elements are present. Courts look at substance.
Can you use a single consent form for multiple sellers or lead buyers?
Before January 27, 2025, this was a gray area many lead generators lived in. After FCC 23-107, it's not gray anymore. A single consent can't authorize calls or texts from multiple sellers at once. [3] Each seller gets individual, named consent.
That doesn't mean a separate form per seller. It means the consent block on your form has to name every seller who'll contact the consumer. Three buyers for a lead? All three names appear in the block. The consumer reads all three, takes an affirmative action (checks a box, clicks submit), and you have named consent for all three.
The harder problem is when you don't know at form time which buyers will purchase the lead. Dynamic lead routing makes this messy. The cleanest fix most compliance attorneys recommend is a marketplace-style interface: show the consumer a list of companies, let them opt into specific ones, and route data only to those. Lead value drops some. So does your litigation exposure.
If your form sends leads to more than one buyer and those buyers aren't all named on the form today, you have a compliance gap worth fixing before a plaintiff's attorney finds it. The do not call list and mobile phone do not call list issues stack on top: even with valid TCPA consent, you still check DNC registries before calling.
How do you handle TCPA consent for embedded or third-party forms?
A lot of lead generation runs through embedded forms, co-registration widgets, or forms hosted on affiliate publisher pages instead of the company's own domain. TCPA liability follows the call, not the form. If your company makes the call or sends the text, your company needs valid consent, no matter who hosted the form. [8]
This matters enormously in practice. An affiliate runs a web form, collects leads, sells them to you, and the form's consent language doesn't name your company? You don't have valid TCPA consent, even if the consumer checked every box on the affiliate's form. You weren't named.
The safest approach for embedded or third-party forms:
1. Require affiliates to use consent language you've approved, which includes your company's name. 2. Get contractual representations from affiliates that their form language is compliant and that they'll hand over consent records on request. 3. Independently verify a sample of leads with a certificate service that records the consent event (Jornaya LeadiD or ActiveProspect TrustedForm are common choices). 4. Don't assume that because a lead vendor says "TCPA compliant" in their pitch, the leads actually carry valid consent for your specific company.
Courts have found companies vicariously liable for calls made on their behalf when they knew or should have known the consent was defective. "We bought the leads from a vendor" is not an airtight defense if you didn't take steps to verify. [8]
How does TCPA consent interact with cold calling rules?
The TCPA's written consent requirement applies to autodialed and prerecorded calls to cell phones, and to any call to a residential line using prerecorded messages. [1] It doesn't technically apply to a human agent manually dialing a number. That's why some outbound teams argue their dialers don't meet the ATDS definition, a debate that got complicated after the Supreme Court's 2021 decision in Facebook, Inc. v. Duguid, which narrowed the ATDS definition to systems that use a random or sequential number generator. [9]
But don't confuse ATDS consent with DNC consent. Even if your system isn't an ATDS under the narrowed definition, calling a number on the National Do Not Call Registry without an established business relationship or written consent is still a separate TCPA violation under 47 U.S.C. § 227(c). [1] Web form consent can establish that permission too, but the form language should expressly authorize calls, not only texts.
Teams doing cold calling or running a cold call program with manual dialers still carry the DNC obligation. You scrub against the National DNC registry. How to get that list is covered in the how do i get the do not call list guide. And you keep an internal DNC list to honor company-specific opt-out requests.
What are the TCPA penalties for using defective consent language?
The statute sets the floor. Under 47 U.S.C. § 227(b)(3), a consumer recovers the greater of actual damages or $500 per violation. Willful or knowing? That triples to $1,500 per violation. [1] One violation is one call or one text. Text 10,000 people with defective consent and that's up to $5 million in statutory damages before any multiplier, up to $15 million if a court finds willfulness.
These numbers are why TCPA class actions are so common and so lucrative for plaintiffs' attorneys. The class mechanism means even a modest per-violation amount piles up fast. The plaintiff doesn't have to prove actual harm, which lowers the bar to sue.
The FCC can also issue forfeiture orders under 47 U.S.C. § 503(b), which cap per-violation fines at $22,021 as of 2024 adjustments, but the FCC usually goes after large-scale violators rather than small businesses. [10] State attorneys general can bring their own enforcement under state TCPA analogues and the federal law's parens patriae provision.
Because the FTC isn't the primary enforcer here (the FCC is, for the TCPA), companies sometimes underestimate the risk. The risk is real and growing. TCPA suits stay among the most-filed consumer protection class actions year after year.
What should a TCPA-compliant consent form checklist look like?
Run every form you use against this before it goes live.
Language requirements:
- Company name(s) spelled out in full, individually, not as a class [3]
- Phone number consented to is identifiable from the form
- Automated dialing technology or ATDS language included
- Prerecorded voice message language included (if you use it)
- SMS/text message language included (if you use it)
- Purpose of contact stated
- "Not a condition of purchase" statement present
- STOP instruction and at least one non-SMS revocation path
- HELP instruction (for SMS programs)
- Message frequency disclosure (for SMS programs)
- "Message and data rates may apply" (for SMS programs) [4]
Placement requirements:
- Visible without scrolling
- Appears before or adjacent to the submit action
- Font size at least as large as surrounding body text
- No gray-on-white or otherwise low-contrast text
- Checkbox unchecked by default (if a checkbox is used)
Record-keeping requirements:
- IP address captured at submission
- Timestamp with timezone
- Form version archived
- Page URL logged
- Certificate from a third-party consent verification service (recommended)
You can download a printable version of this checklist as part of the LeadCompliant compliance kit, which also includes a form audit template and a sample consent language library.
Frequently asked questions
Does a checked "I agree" box on a web form satisfy TCPA written consent?
Only if the box is unchecked by default and the consumer manually checks it. Pre-checked boxes don't constitute an affirmative act under the FCC's written consent standard. The checkbox also has to be adjacent to the consent disclosure, not the general terms of service. A standalone unchecked checkbox with clear consent language next to it, placed above the Submit button, satisfies the affirmative action requirement.
Can consent language just say 'our partners may contact you' after the FCC's 2024 rule?
No. The FCC's December 2023 order (FCC 23-107), effective January 27, 2025, requires each seller to be named individually in the consent disclosure. A generic reference to partners or a linked list of companies doesn't satisfy the one-to-one consent requirement. Every company that will call or text the consumer must appear by name in the visible consent block.
What is prior express written consent under the TCPA?
Prior express written consent is defined by FCC regulation as an agreement, in writing, that bears the signature of the person called, and clearly authorizes the seller to deliver calls or texts using an automatic telephone dialing system or prerecorded voice to a specified phone number, and that states the consumer is not required to consent as a condition of purchase. An electronic signature or form submission qualifies as a signature under the E-SIGN Act.
How long do you have to keep TCPA consent records?
At minimum, keep consent records for five years. The TCPA's federal statute of limitations is four years under 28 U.S.C. § 1658, so you need records that outlast any potential claim. Some states have longer limitations periods. The records should include the exact form language seen, the IP address, a timestamp with timezone, and the phone number consented to.
Does TCPA consent on a web form cover both calls and texts?
It covers whichever channels are disclosed in the consent language. If the form names automated calls, prerecorded messages, and SMS texts, consent covers all three. If it only mentions calls, you don't have consent to text. List every channel you plan to use. Adding a channel later requires you to collect new consent.
Does a consumer have to check a box, or can clicking Submit be enough?
Clicking Submit can be enough as long as the consent disclosure is clearly visible directly above or adjacent to the Submit button, and the submission act is clearly tied to the consent in the language itself, such as 'By submitting this form, I authorize...' A checkbox adds a layer of proof that the consumer took a distinct affirmative action, which is why many compliance attorneys prefer it, but it isn't strictly required by the statute.
Can consent language be in a pop-up or modal box?
It can, but it creates risk. If the modal can be dismissed without reading it, or if the consent is only visible inside the modal and not on the main form page, a plaintiff can argue it wasn't clear and conspicuous. If you use a modal, the consumer should have to actively scroll through and confirm they've read the consent, with the Submit action tied directly to that confirmation step.
What happens if the phone number changes after consent is collected?
TCPA consent is tied to the specific number the consumer provided at the time of consent. If a consumer ports a number to a new carrier, or if a carrier reassigns a released number to a new subscriber, consent from the original subscriber doesn't transfer to the new one. The FCC's reassigned numbers database exists to help companies identify recycled numbers before calling them.
Is TCPA consent valid if it was collected by an affiliate or third-party lead generator?
Only if your company is named in the consent language the affiliate used. If the affiliate's form didn't name your company specifically, you don't have valid consent for your calls or texts, regardless of what the affiliate tells you. Get contractual representations from affiliates, require your approved consent language, and use a third-party certificate service to verify the consent event.
Do B2B calls to business phone numbers need the same TCPA consent?
The TCPA's written consent requirement primarily targets calls to residential lines and cell phones. Autodialed or prerecorded calls to business landlines generally don't require prior express written consent under the TCPA, though DNC rules still apply. However, if a businessperson gives a cell phone number as their business contact, that number is still a cellular number and the full TCPA consent requirement applies.
Does the consent language need to name every prerecorded message topic?
No specific FCC rule requires listing every message topic. The purpose of contact should be described in general but honest terms, such as 'marketing and informational messages about our services.' Courts have looked unfavorably on consent language that is so vague it is meaningless, but you don't need a message-by-message list. The description should accurately reflect how you will actually use the contact.
Can a consumer revoke TCPA consent, and does your form need to say so?
Yes, consumers can revoke TCPA consent at any time by any reasonable means, and the FCC's 2024 order codified this right explicitly. Your form doesn't legally require a revocation statement, but including one is strong best practice and reduces the risk that a consumer argues they didn't know how to opt out. Best practice is to include a STOP instruction for texts and at least one non-SMS revocation method.
Is a hyperlink to a consent disclosure in the form sufficient?
No. Courts have consistently held that a hyperlink to a terms-of-service page or consent disclosure doesn't satisfy the FCC's clear and conspicuous standard. The consent text has to be readable on the page itself, without clicking, scrolling, or navigating away. A link to additional detail is fine, but the core consent language must be visible inline.
What is the FCC's 'logically and topically associated' requirement for consent?
Under FCC 23-107 (effective January 2025), the content of the web page where consent is collected must be logically and topically related to the seller's products or services. A health insurance lead form cannot collect valid consent for an unrelated debt settlement company. The business reason for contact must match the context in which the consumer is filling out the form.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act (statute text via Cornell LII): TCPA prohibits autodialed or prerecorded calls to cell phones without prior express written consent; provides $500 per violation, trebled to $1,500 for willful violations
- FCC, Rules and Regulations Implementing the Telephone Consumer Protection Act, Report and Order FCC 12-21 (2012): FCC established four requirements for prior express written consent: clear and conspicuous disclosure, not a condition of purchase, affirmative consumer act, and disclosure before consent
- FCC, Report and Order FCC 23-107, One-to-One Consent Rule (December 2023): FCC's one-to-one consent rule, effective January 27, 2025, requires each seller to be named individually in the consent disclosure and consent to be logically and topically related to the website content
- FTC, Business Center Guidance on Advertising and Marketing (including digital disclosure guidance): FTC guidance establishes that clear and conspicuous disclosures must be visible without scrolling, in readable font, and not buried in linked terms documents
- U.S. Code, 28 U.S.C. § 1658, federal four-year statute of limitations (Cornell LII): Federal catch-all statute of limitations for civil actions is four years, establishing the minimum record-retention window for TCPA consent records
- FCC, 47 C.F.R. § 64.1200, Delivery Restrictions for Telephone Solicitations (eCFR): 47 C.F.R. § 64.1200(b) requires prerecorded voice messages to identify the caller by name and provide a callback number during the message itself
- FCC, In re Dish Network LLC, Declaratory Ruling FCC 13-54 (vicarious liability under the TCPA): FCC held that companies can be vicariously liable under federal common law agency principles for TCPA violations by third parties acting on their behalf
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021) (opinion via Cornell LII Supreme Court collection): Supreme Court narrowed the ATDS definition to systems that use a random or sequential number generator to store or produce numbers to be dialed
- U.S. Code, 47 U.S.C. § 503, FCC forfeiture penalty authority (Cornell LII): FCC can assess forfeiture penalties up to $22,021 per TCPA violation under 47 U.S.C. § 503(b) as adjusted for inflation
- FTC, National Do Not Call Registry: National DNC Registry maintained by the FTC; separate from TCPA written consent, DNC rules apply even when valid consent exists
- FCC, Reassigned Numbers Database (consumer and industry information): FCC operates a reassigned numbers database to help callers identify phone numbers that have been disconnected and reassigned to new subscribers