Last updated 2026-07-11

TL;DR
One website banner can cover TCPA and CCPA, but the laws want opposite things. TCPA needs an affirmative opt-in (prior express written consent) before autodialed or prerecorded calls and texts to cell phones. CCPA needs disclosure plus an opt-out for data sale and sharing. Build two separated modules in one banner, never a single merged checkbox.
What does TCPA consent actually require from a website banner?
TCPA needs an affirmative, written opt-in before you autodial or send a prerecorded message to a cell phone. On a banner, that means naming your company, saying you'll call or text or both, and telling the user consent isn't required to buy anything. A checkbox the user actively checks counts as the signature.
The statute lives at 47 U.S.C. § 227. It bars using an automatic telephone dialing system or a prerecorded voice to call or text a cell phone without the called party's prior express consent [1]. For marketing specifically, the FCC's 2013 rules under 47 C.F.R. § 64.1200 raised the bar to "prior express written consent." The consumer has to sign (electronically is fine) an agreement that clearly authorizes those contact methods [2].
The piece most teams miss is the purchase-condition rule. If your banner says "by submitting, you agree to receive marketing texts" and the only way to get your free trial is to submit that form, you've made consent a condition of the purchase. The FCC prohibits that outright [2].
The FCC's December 2023 order closed what it called the lead generator loophole. Starting January 27, 2025, one banner cannot authorize calls from multiple unrelated sellers at once [3]. Each seller has to be identified on its own, and the consent has to be one-to-one: one consumer, one named company, per consent event. If you run a lead form that syndicates to multiple buyers, that change breaks the model you were probably using.
So the banner job is short. Name yourself. Say exactly what you'll send. Give a real opt-out that costs the user nothing.
What does CCPA require from a consent banner?
CCPA doesn't make you get opt-in consent before collecting most data. It makes you disclose what you collect and why, then give California residents the right to opt out of the sale or sharing of that data. On a banner, that usually means a clear notice on first visit plus a working "Do Not Sell or Share My Personal Information" link.
The California Consumer Privacy Act, amended by the CPRA in 2020, governs how businesses collect, use, and share personal information from California residents [4]. Three things typically trigger banner obligations:
1. You sell or share personal information (including to ad networks or lead buyers). You need a "Do Not Sell or Share" link that's easy to find, usually in your footer and ideally surfaced in the banner [4].
2. You run cookies or tracking tech that counts as a "sale" or "share." The California Privacy Protection Agency (CPPA) treats many standard ad-tech setups (Google Analytics with data sharing on, the Meta Pixel with audience targeting enabled) as sharing under CCPA [5].
3. You collect data from minors. For 13-to-15-year-olds, you need opt-in consent before selling or sharing their data. Under 13 falls under COPPA, a separate federal framework.
The CPPA started enforcing CPRA amendments in March 2024 after court delays pushed the date back [5]. Fines run up to $2,500 per unintentional violation and $7,500 per intentional violation, and each affected consumer counts separately [4]. That math gets ugly fast.
CCPA does not require a cookie wall or a pop-up for everyone. But if your site uses tracking tech that sells or shares data, you need a clear, reachable opt-out before that data starts flowing.
Can one banner realistically handle both TCPA and CCPA?
Yes. Think of the banner as two modules that happen to sit together, not one checkbox that tries to do both jobs. A single combined checkbox fails both laws. Two separate disclosures, opt-in for TCPA and opt-out for CCPA, work fine in the same visual flow.
The two laws point in opposite directions. TCPA consent is a positive act: the user agrees to receive something. CCPA opt-out is a negative right: the user refuses a data practice you'd otherwise run by default. Merge them into one box that reads "I agree to receive marketing messages and consent to data sharing" and you break both rules. The FCC wants TCPA consent unambiguous and specific, and CCPA wants the opt-out presented clearly, not buried inside a consent flow [2][4].
A layered design is what actually holds up:
- Layer 1 (CCPA): a site-wide data notice that loads on first visit, explains what you collect, carries the "Do Not Sell or Share" opt-out, and links to your privacy policy. This fires for every visitor, far beyond people filling out a form.
- Layer 2 (TCPA): a consent disclosure attached to a specific lead form or call-to-action. Here you put your company name, the description of autodialed or prerecorded calls and texts, and the line that consent isn't required to buy.
The layers can live in the same banner. They just have to read as two separate things: one about tracking, one about being contacted.
For teams running outbound text message marketing or cold call programs, fixing this architecture before you collect a single lead is far cheaper than fixing it after a complaint lands.
What specific language does a TCPA-compliant consent disclosure need?
There's no mandatory FCC script. But the required elements are settled through rulemaking and case law. A compliant disclosure names the seller, says contact may come by autodialer or prerecorded voice, gives the number, states consent isn't a purchase condition, and captures an affirmative signature.
Here's the full checklist [2][6]:
- The name of the company (or each company listed individually, after the 2025 one-to-one rule) that will contact the consumer
- That contact may use an automatic telephone dialing system or a prerecorded or artificial voice
- The phone number(s) calls or texts may go to
- That consent is not a condition of buying any goods or services
- A signature (an electronic submission, a checkbox check, or a typed name) that shows agreement
Example language that hits those elements: "By submitting this form, you agree that [Company Name] may contact you at the number above using autodialed or prerecorded calls or texts for marketing purposes. Consent is not required to make a purchase. Reply STOP to opt out at any time."
That's an illustration of structure, not legal advice. Get an attorney to review your version. Context changes the rules: mortgage lenders, healthcare companies, and political groups all pick up extra requirements.
Courts look hard at whether the disclosure is "clear and conspicuous" [6]. Eight-point gray font below the submit button, buried under a paragraph of marketing copy? You'll struggle to defend it. Readable text, near the button, with the user taking an active step to agree? Much stronger. Pre-checked boxes are worthless under the FCC's framework.
How does the FCC's 2024 one-to-one consent rule change lead gen forms?
It's the biggest shift to TCPA consent mechanics in over a decade. The FCC's Report and Order, released December 2023 and effective January 27, 2025, requires that prior express written consent for marketing calls and texts go to one seller at a time, on a form that makes that seller's identity clear [3]. Blanket "our partners" consent is dead.
Before this rule, lead gen sites used one checkbox to authorize contact from a broad list of partners, sometimes dozens of companies. That's now unlawful. The FCC's order named consent farms directly: operations that collected blanket consent without the consumer having any real idea who would call [3].
What it means day to day:
- Run your own form and only your team calls? You're mostly fine. Just put your company name on the form.
- Buy leads from third parties? Confirm each lead's consent specifically named your company. A lead that agreed to "our partners" does not cover you.
- Publish and collect leads for multiple buyers? You now need separate forms per buyer, or a real-time consent mechanism that captures a named, one-to-one agreement with each buyer before the lead is sold.
The credit one tcpa settlement and the cash app tcpa class action settlement both show how expensive weak or missing consent records get. Building the architecture right upfront costs a rounding error next to defending a class action.
For teams doing outbound cold calling or dialing purchased lists, due diligence on consent documentation is now a core process, not a legal afterthought.
What records do you need to keep to prove consent?
In a TCPA suit, you carry the burden of proving consent. So documentation isn't optional. You store the exact language the consumer saw, a timestamp, a session or IP identifier, the phone number they gave, and the source URL. A boolean "consented: yes" flag with no text version behind it is close to useless in court.
For TCPA, keep [2][6]:
- The exact consent language live when they opted in (not today's revised version)
- A timestamp of the consent event
- The IP address or session ID tied to it
- The phone number the consumer provided
- The source URL (which form, which page)
The FTC's Telemarketing Sales Rule requires sellers to keep compliance records for 24 months [7]. Many teams keep them longer, especially if your sales cycle means you might not call someone for six to twelve months after opt-in. Given the TCPA's four-year statute of limitations, four-plus years is a safer target.
For CCPA, you need to answer consumer requests within 45 days and show your opt-out actually works. Your consent management platform (CMP) has to log opt-out events and push them downstream: your CRM, your email platform, any data brokers you've shared with [4].
The approach that holds up is a server-side record. Write a timestamped entry for every consent and opt-out event to a database you control, not a cookie on the user's browser. Browser cookies get cleared. A server record doesn't.
Building from scratch? LeadCompliant's free compliance kit includes a consent documentation checklist and a banner audit template showing exactly which fields your records need.
Does CCPA apply to your website even if you're not a California company?
Yes, if California residents use your site and you clear one threshold. CCPA covers any for-profit business collecting personal information from California residents that hits at least one of these: over $25 million in annual gross revenue, buying or selling data on 100,000 or more consumers or households a year, or drawing 50% or more of annual revenue from selling personal data [4].
The revenue threshold pulls in national companies headquartered in Texas or Florida just the same. And if you have a website, you almost certainly have California visitors.
The "selling or sharing" trigger is easier to hit than people expect. Under CCPA, "sharing" includes making data available to a third party for cross-context behavioral advertising, even when no money changes hands [4]. Run retargeting pixels or push audiences to Google or Meta, and that's sharing under the statute.
Below the thresholds, CCPA technically doesn't reach you. But the California attorney general and the CPPA are active, and neighboring states copied the model. Virginia's CDPA, Colorado's CPA, and Connecticut's CTDPA all carry similar opt-out requirements and are in effect now [8]. A banner built to CCPA standards generally satisfies those laws too. So there's a real case for building it right even if you're under the California line today.
What are the biggest mistakes companies make with combined consent banners?
From publicly available enforcement cases and FCC complaint data, the errors cluster into five buckets. Pre-checked boxes, vague company names, stale stored language, opt-outs that don't stop the data, and banners that break on mobile.
Pre-checked boxes are the big one. The FCC's regulations require an affirmative act for TCPA consent [2]. A box already checked when the page loads isn't consent, it's an opt-out dressed up as an opt-in. Courts have been consistent.
Vague company identification is second. "You may be contacted by our partners" names nobody. After January 27, 2025, that's a flat violation of the one-to-one rule [3].
Third is failing to store the language version. If your banner changes and a consumer agreed to an older version, your records have to show what they actually saw. Platforms that store only a yes/no flag leave you defending a case blind.
Fourth is a CCPA opt-out that doesn't actually stop data. The user clicks "Do Not Sell," your CMP records it, and your Salesforce instance keeps syncing to a data broker because nobody wired up the integration. The consumer exercised the right. The sale continued. That's an intentional violation at $7,500 per consumer [4].
Fifth, and underrated: mobile. Banners get designed on desktop and then fall apart on phones. The opt-out button drops below the fold, the text turns unreadable, the form won't render. The CPPA hasn't cited mobile rendering by name, but FCC cases apply "clear and conspicuous" in ways that quietly demand visibility across devices [6].
For what bad documentation costs in practice, see the credit one tcpa settlement, and remember that clean do not call list records matter as much as the banner itself.
How should you handle consent for both calls and texts on the same form?
Calls and texts can share one consent disclosure on the same form. The FCC treats both under the same ATDS framework, and "prior express written consent" applies to each [1][2]. You don't need separate boxes for calls versus texts. Some companies use two checkboxes to give people a choice, which is good practice but not required.
What you do need: the language has to mention both methods if you plan to use both. "You agree to receive autodialed calls" doesn't cover texts, and the reverse is also true. The disclosure has to match how you'll actually contact them.
For cold call programs specifically: calling landlines with a live agent and no autodialer sits under the looser "prior express consent" standard, not the written one. But most modern dialers qualify as ATDSs under current FCC guidance, and the safe play is to treat everything as needing written consent and document it that way.
One practical note. If you offer both a web form and a separate SMS keyword (like "text DEMO to 55555"), your keyword opt-in flow has to carry the same disclosure elements. Text-based opt-ins are valid under TCPA, but the requirements don't vanish just because the channel changed [2].
How do you test whether your consent banner is actually compliant?
Test it, because a banner that looks right to a developer can be broken in production. Run this sequence: browse as a fresh visitor, submit a test lead and read the stored record, click the opt-out and trace it downstream, compare your language against the regulation, and confirm your CMP honors the Global Privacy Control signal.
First, open your site in incognito as a new visitor. Does the banner appear? Is the CCPA opt-out link visible without scrolling, on both desktop and mobile? Does closing the banner without acting register as consent anywhere in your system? It shouldn't.
Second, submit a test lead with a dummy phone number and read what lands in your consent database. Timestamp there? Source URL? The exact disclosure text version? If your system only logs "opted in: true," that's not enough.
Third, click "Do Not Sell or Share" and trace what happens. Does the opt-out reach your ad platforms? Your CRM? If you feed a data broker or lead buyer, does it stop sending that consumer's data? Test end to end, more than the frontend.
Fourth, line your current disclosure up against the elements in 47 C.F.R. § 64.1200(a)(2): company name, ATDS description, no-purchase-condition statement, affirmative signature [2]. Any element missing and the consent is legally deficient.
Fifth, check whether your CMP honors the Global Privacy Control (GPC) signal. As of 2024, the CPPA has confirmed businesses must honor GPC opt-out signals from browsers like Firefox and Brave [5]. No GPC support means a gap, even if your "Do Not Sell" link works.
LeadCompliant's free TCPA consent checker flags common disclosure-text problems in seconds, a useful first pass before a full legal review.
What do courts and regulators look for when reviewing consent banners?
FCC enforcement and private TCPA litigation come down to three questions. Was the consent clear and conspicuous? Did the consumer take an affirmative step? And can you produce the record? Miss any one and the consent falls apart.
Clear and conspicuous. Courts weigh font size, placement relative to the submit button, contrast, and whether a reasonable consumer would have understood what they agreed to [6]. The standard comes straight from FCC regulations and has invalidated disclosures that were technically present but practically invisible.
Affirmative step. The statute at 47 U.S.C. § 227(b)(1) and the FCC's rules both require an agreement that clearly authorizes contact [1][2]. Courts reject "browsewrap" consent, where a user is deemed to consent just by visiting, as too thin for TCPA. You need a positive act, typically a form submission with an unchecked-by-default box.
Producible records. In litigation the defendant carries the burden of proving consent. If your records don't show what the consumer saw, when, and what they did, you're defending a case with no evidence. Courts have ruled against defendants who could describe a consent process but couldn't produce the specific record for the plaintiff [9].
For CCPA, the CPPA looks at whether your opt-out actually functions and whether your privacy policy tells the truth about your data practices. Its first enforcement sweep in 2023 and 2024 went after companies with non-functional "Do Not Sell" links and inaccurate policies [5].
The tcpa basics article covers how the statute works and what exposure looks like before consent problems turn into lawsuits.
Do you need a consent banner even if you only collect email addresses?
For TCPA, no. TCPA covers phone calls and text messages. Collect only email and never call or text, and TCPA doesn't touch that collection [1]. You'd still need a privacy policy and CAN-SPAM compliance for email marketing, but that's a different framework [10].
For CCPA, yes, if you clear the coverage thresholds. Email addresses are personal information under CCPA. Share that data with an email service provider, an ad network, or any third party for advertising, and CCPA's disclosure and opt-out rules apply [4].
The practical rule for a small outbound team: if your form collects a phone number, assume TCPA applies and write the disclosure accordingly. If you have California users and hit the thresholds, assume CCPA applies and add the opt-out. Building both into the form on day one costs almost nothing. Retrofitting after a complaint is expensive and disruptive.
For teams worried about mobile phone do not call list obligations, remember that consent given on your site can be revoked anytime, and revocations have to be honored quickly. A banner isn't a one-time fix. It's the start of an ongoing consent management process.
Frequently asked questions
Can a single checkbox cover both TCPA consent and CCPA opt-in?
No. TCPA requires an affirmative opt-in for marketing calls and texts, while CCPA requires an opt-out right for data sale and sharing. Combining them into one checkbox mixes two different legal mechanisms. You need a separate TCPA consent disclosure (opt-in) and a separate CCPA opt-out mechanism, even if they appear in the same banner or form flow.
Does a cookie consent banner satisfy TCPA requirements?
No. A cookie banner addresses data collection and tracking under CCPA, GDPR, or similar laws. It does nothing to establish TCPA prior express written consent for autodialed or prerecorded calls and texts. TCPA consent requires specific language naming the company, describing the contact methods, stating that consent isn't a purchase condition, and capturing an affirmative electronic signature.
How long do I need to keep TCPA consent records?
The FTC's Telemarketing Sales Rule requires a minimum of 24 months for records that demonstrate compliance, including consent records. Most compliance attorneys recommend keeping TCPA consent records for at least four years to cover the TCPA's four-year statute of limitations, plus some buffer for cases where the clock starts later than the initial contact.
What is the FCC's one-to-one consent rule and when did it take effect?
The FCC's December 2023 Report and Order requires that prior express written consent for marketing calls and texts name a single, specific company per consent event. A consumer cannot be shown a list of dozens of 'partners' and deemed to have consented to all of them at once. The rule took effect January 27, 2025, and directly affects lead generation forms and data brokers that aggregate consent.
Does CCPA apply to outbound call center operations?
CCPA applies to the data you collect and share, not specifically to the act of calling. If your call center collects personal information from California residents during calls, and you share that data with third parties or use it for behavioral advertising, CCPA's disclosure and opt-out requirements apply to those data practices. The calling itself is governed by TCPA and state telemarketing laws.
What happens if a consumer revokes TCPA consent after opting in on your website?
You must honor the revocation promptly. The FCC's 2015 rules clarified that consumers can revoke consent through any reasonable means, and the caller must honor it within a reasonable time. A 2024 FCC order set a specific deadline: calls and texts must stop within 10 business days of a revocation request. Continuing to contact someone after revocation exposes you to per-call violations at up to $1,500 each.
Do pre-checked consent boxes satisfy TCPA requirements?
No. Courts and the FCC are consistent on this: a pre-checked box is not an affirmative act and does not establish prior express written consent under TCPA. The consumer must take an active step to indicate agreement. Using pre-checked boxes and then calling or texting people leaves you without valid consent records if you're sued or investigated.
What is the Global Privacy Control signal and do I have to honor it for CCPA?
The Global Privacy Control (GPC) is a browser-level signal that tells websites a user opts out of sale and sharing of their data. The California Privacy Protection Agency confirmed in 2024 that businesses subject to CCPA must honor GPC signals as a valid opt-out request. If your consent management platform doesn't recognize GPC, you have a compliance gap even if your 'Do Not Sell' link works correctly.
How much can a company be fined for a bad consent banner under CCPA?
CCPA fines run up to $2,500 per unintentional violation and $7,500 per intentional violation, with each affected California consumer counting as a separate violation. A non-functional 'Do Not Sell' link affecting 10,000 California users could theoretically generate $25 million in fines for unintentional violations or $75 million for intentional ones. The CPPA began active enforcement in early 2024.
If I buy leads, do I need to verify that the consent banner on the lead source site was compliant?
Yes. After the FCC's January 2025 one-to-one rule, your company must be specifically named in the consent disclosure the lead saw. Buying a lead that consented to 'partner companies' no longer covers you. You need documentation from the lead source showing the exact consent language the consumer saw, that your company was named, and when the consent event occurred. Due diligence on lead vendors is now a compliance requirement, not a nicety.
Can a website consent banner also cover calls to landlines?
Yes, with a caveat. Calls to landlines using a live agent (no autodialer, no prerecorded message) require only 'prior express consent,' which is a lower bar than the written consent required for cell phones. However, most modern dialers meet the ATDS definition under current FCC guidance, so the safe approach is treating all calling as requiring written consent and documenting it through your banner or form accordingly.
Do small businesses under the CCPA revenue threshold still need a consent banner?
CCPA technically applies only to businesses meeting certain thresholds: over $25 million in revenue, processing data on 100,000-plus consumers, or deriving 50% of revenue from data sales. Below those thresholds, CCPA doesn't apply. But Virginia, Colorado, Connecticut, and several other states have similar privacy laws now in effect, and building a compliant banner now costs almost nothing compared to retrofitting after those state laws grow stricter.
What is the difference between 'prior express consent' and 'prior express written consent' under TCPA?
Prior express consent (unwritten) covers non-marketing calls to cell phones using an ATDS, such as account alerts or delivery notifications. Prior express written consent is the higher standard required for telemarketing calls and texts: it must be in writing (including electronic), name the company, describe the contact methods, and include the no-purchase-condition statement. Marketing calls without written consent, regardless of how they're documented, violate FCC regulations.
Sources
- U.S. Code, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibits using an ATDS or prerecorded voice to call or text a cell phone without prior express consent; the statute text is at 47 U.S.C. § 227(b)(1)
- FCC, 47 C.F.R. § 64.1200 (TCPA Implementing Regulations): FCC regulations require prior express written consent for telemarketing calls and texts, including an agreement that clearly authorizes contact and states consent is not a condition of purchase
- FCC, Consumer and Governmental Affairs Bureau, TCPA rulemaking on the lead generator loophole (CG Docket No. 02-278, Dec. 2023): FCC's December 2023 order requires one-to-one consent for marketing calls and texts, effective January 27, 2025, closing the 'lead generator loophole' that allowed single consent to authorize multiple unrelated sellers
- California Attorney General, California Consumer Privacy Act (CCPA) Official Resources: CCPA covers businesses with revenue over $25 million or processing data on 100,000-plus consumers; fines are $2,500 per unintentional and $7,500 per intentional violation per consumer
- California Privacy Protection Agency (CPPA), official agency site and rulemaking updates: CPPA confirmed businesses must honor the Global Privacy Control browser signal as a valid CCPA opt-out; CPRA enforcement began March 2024 after court delays
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC's Telemarketing Sales Rule requires sellers to retain records demonstrating compliance, including consent records, for a minimum of 24 months
- IAPP, U.S. State Privacy Legislation Tracker: Virginia CDPA, Colorado CPA, and Connecticut CTDPA are all in effect with similar opt-out requirements to CCPA, making multi-state banner compliance necessary for most national businesses
- FTC, CAN-SPAM Act Compliance Guide for Business: CAN-SPAM governs commercial email separately from TCPA and CCPA; email-only data collection does not trigger TCPA consent requirements