Last updated 2026-07-09

TL;DR
The FCC's one-to-one consent rule, adopted December 2023 and originally set for January 27, 2025, requires TCPA consent for robocalls and robotexts to name each seller individually. One shared checkbox covering dozens of partners no longer works. A federal court stayed the rule in early 2025, but lead buyers who relied on aggregated consent still carry the exposure.
What is the one-to-one consent rule?
The one-to-one consent rule is an FCC requirement that any prior express written consent collected for robocalls or robotexts under the TCPA must name the specific company doing the calling or texting. One consumer. One consent. One seller named.
Before this rule, a single web form (say a quote-comparison site for insurance or mortgage leads) would list dozens of partners in a buried disclosure. The consumer checked a box agreeing to be contacted by "our partners," and that one checkbox got sold or shared across a wide network. The FCC's December 2023 Report and Order closed that loophole. The order says consent must be "logically and topically associated" with the website where it is obtained, and each seller must be individually identified. [1]
The rule amends the TCPA's existing consent framework under 47 U.S.C. § 227, which already required prior express written consent before sending robotexts or making robocalls to cell phones using an automatic telephone dialing system. [2] The one-to-one rule does not invent a new consent standard. It tightens who that consent can cover and bans the bundled, multi-party model the lead generation industry built its economics around.
The practical effect is simple to state and expensive to absorb. If your company's name is not on the form the consumer completed, you do not have TCPA-compliant consent to call or text that number.
What FCC order created this rule and when does it take effect?
The FCC adopted the one-to-one consent rule on December 13, 2023, as part of a broader Report and Order targeting what the agency called "lead generator loopholes." [1] The rule was originally scheduled to take effect January 27, 2025.
The timeline got complicated fast. In January 2025, the Eleventh Circuit Court of Appeals stayed the rule in Insurance Marketing Coalition v. FCC, finding the petitioners had raised serious questions about whether the FCC exceeded its authority under the TCPA when it added the "logically and topically associated" requirement. [3] As of mid-2025, the rule is stayed pending further court review. It is not currently enforceable at the federal level.
The stay does not mean the risk evaporated. A few things stay true regardless.
The FCC has signaled its enforcement intent clearly. If the stay lifts or the Eleventh Circuit upholds the rule, companies with non-compliant consent pipelines face immediate exposure on any post-effective-date calls.
Some state attorneys general and private plaintiffs already argue that bundled multi-party consent falls short of existing pre-rule TCPA standards. The one-to-one rule is the FCC reading the statute the way it thinks the statute already reads.
Building your lead acquisition around a rule the FCC wants enforced, and which may survive appeal, beats betting everything on the stay holding forever. [4]
How did the old "shared consent" model work, and why did the FCC target it?
The aggregated consent model worked like this. A consumer visits a comparison website shopping for auto insurance or a personal loan. The page carries a fine-print disclosure listing anywhere from ten to two hundred companies by name, or sometimes just "our marketing partners" with no list at all. The consumer checks one box to get a quote and, by doing so, supposedly consents to contact from every company on that list.
The lead generator then sells that consumer's data to one or many of those partners. Each partner calls or texts claiming valid TCPA consent. The consumer gets five calls in an hour from different insurance agents, all pointing back to the same one checkbox.
The FCC found this model failed the "prior express written consent" standard in two ways. Consent obtained alongside consent to contact hundreds of sellers gives a consumer no real choice. And a website selling mortgage leads has no topical connection to a company selling solar panels, so bundling both into one disclosure breaks the "logically and topically associated" standard. [1]
FCC Chairwoman Jessica Rosenworcel, in statements accompanying the order, described the practice as one of the primary drivers of illegal robocall volume in the country. The FCC receives millions of robocall complaints a year, and a meaningful share traces back to lead generation funnels using this model. [5]
See also how TCPA enforcement has evolved around these consent gaps.
How does the one-to-one consent rule change lead buying specifically?
Lead buying changes at the root. Under the old model, you bought a list of "consented" contacts from a generator and called or texted all of them. The generator's form did the consent work for you. That model is the exact target of this rule.
Under one-to-one consent, a lead is TCPA-compliant for your company only if your company's name appeared on the form the consumer completed. Four consequences follow.
You cannot buy a shared lead and assume you have consent. A lead sold to four buyers does not hand each buyer independent consent. Each buyer needs its own consent event.
Lead generators must build company-specific flows. Either your name appears on the generator's form, or the generator builds a separate, individualized consent flow for each downstream buyer. That is hard and expensive at scale.
The economics of aggregation break. An aggregator's model depends on selling the same lead to multiple buyers. If each buyer needs individual consent, the aggregator either builds separate consent events per buyer (less volume) or charges a lot more for exclusivity.
Real-time consent verification stops being optional. Buying leads in weekly bulk batches without being able to check what the consent form actually said, and when, is real exposure. The companies that survive this shift will have direct integrations with their sources and access to the actual consent records.
Here is the contrast between the two models:
| Feature | Pre-rule shared consent | One-to-one consent |
|---|---|---|
| Who is named in consent | Multiple or generic "partners" | Your company specifically |
| How many buyers can use one consent | Unlimited in practice | One |
| Lead cost | Lower (shared economics) | Higher (exclusive or near-exclusive) |
| Consent record you need to retain | Generator holds it | Your company must be able to produce it |
| TCPA exposure if form text is vague | Moderate (pre-2025 environment) | High (FCC has declared this non-compliant) |
For more on what contact lists need separate handling, see our guide to the do not call list and mobile phone do not call list rules.
Does the rule apply to text messages as well as phone calls?
Yes. The TCPA covers both calls and texts to cell phones when an automatic telephone dialing system is used, or when a prerecorded or artificial voice is used. [2] The one-to-one requirement applies to both channels equally.
For text message marketing, the impact may hit harder because SMS lead programs run at very high volume, with automated sends firing the second a consumer completes a web form. If that form does not name your company, every one of those texts is a potential TCPA violation.
Statutory damages under 47 U.S.C. § 227(b)(3) are $500 for each negligent violation and $1,500 for each willful one. [2] In a high-volume SMS program, even a modest list of improperly consented numbers produces liability that funds a plaintiff attorney's whole year. Class actions aggregating thousands of recipients into one suit are the standard enforcement vehicle. The Cash App TCPA class action settlement and the Credit One TCPA settlement show how quickly those per-text damages stack up.
What counts as valid one-to-one consent under the new rule?
The FCC's order does not dictate exact form language. But between the order's text and the existing consent rules under 47 C.F.R. § 64.1200, valid prior express written consent for marketing calls and texts must do six things. [6]
1. Be in writing (a checked box on a digital form qualifies if it is recorded with a timestamp and IP address). 2. Clearly authorize the named company to contact the consumer using an automatic telephone dialing system or prerecorded voice. 3. Include the phone number being authorized for contact. 4. Disclose that consent is not a condition of purchase. 5. Be logically and topically associated with the subject matter of the website where collected. 6. Name your company specifically, not a class of partners. [1]
The "logically and topically associated" piece is the least litigation-tested, which is part of why the Eleventh Circuit granted the stay. Honor it anyway. A home services lead form probably cannot generate valid consent for a financial product company, even if both names sit on the same page.
Companies building their own intake forms have it easier. You control the form, you name your company, you keep the record. The companies in the worst trouble are the ones who bought consent in bulk and never read what the consumer actually agreed to.
What should lead buyers do right now, given the Eleventh Circuit stay?
The stay tempts people to do nothing. Wrong read.
Here is what I would do running compliance for a mid-size outbound team buying leads from third parties.
Audit your current consent chain. Get the actual form language from every lead source. Not a summary. Not a verbal confirmation from the account rep. The actual disclosure text the consumer saw, with a screenshot or a URL that resolves to the live form. If your name is not on it, you have a problem, stay or no stay.
Renegotiate lead generator contracts now. While everyone else waits to see what the courts do, you hold the negotiating position. Push generators to build dedicated consent flows that name your company. Some will do it. Others will lose your business to a competitor who asks the same thing.
Build a consent record retention system. Whatever the final rule outcome, being able to produce a timestamped, IP-logged consent record for any number you contact is your best defense. When a plaintiff attorney sends a demand letter, your first question back should be, "Would you like to see the signed consent record?" That ends a lot of cases early.
Scrub against the DNC list. Consent and DNC compliance are separate jobs. A consumer who gave valid one-to-one consent but later registered on the do not call telemarketer list is still protected. Check both.
LeadCompliant's free compliance kit includes a consent audit template and a lead source questionnaire you can send to generators to check your exposure fast. Grab those while you restructure the pipeline.
For teams doing any cold calling, the cold call rules interact with consent rules in ways worth reviewing on their own.
What happens if a lead buyer uses non-compliant consent and gets sued?
The TCPA is a strict liability statute across many of its applications. You do not have to know you broke it. If you sent a robotext to someone without valid consent, the violation happened whether or not you read the consent form.
Statutory damages run $500 to $1,500 per call or text. [2] Text 50,000 people without proper one-to-one consent and the exposure before any trebling is $25 million. Treble damages for willful violations push it to $75 million. These are not hypothetical figures. The Credit One TCPA settlement reached $75 million. Both the FCC and private plaintiffs bring these cases.
One thing matters enormously in TCPA litigation: whether you can show "reasonable reliance" on consent provided by a third party. Courts have allowed this defense in some cases, but it requires that you actually reviewed the consent language, confirmed it met TCPA standards, and kept records showing you did the work. Buying a list and never checking the form destroys the defense.
An honest caveat. Nobody has clean data on what share of TCPA suits stem specifically from multi-party consent versus no consent at all. But plaintiff attorneys have said plainly in public filings that lead generation funnels are a primary target, because the call volume makes class certification easy.
How do lead generators need to change their forms and flows?
Generators face the harder operational problem. A publisher running a comparison form for ten competing insurance companies cannot list all ten names on one disclosure and meet the one-to-one standard. Four options.
Option 1: Single buyer per form session. Show the consumer one potential buyer at a time, get explicit consent for that buyer, then offer more options in sequence. Conversion drops. Volume drops. Consent is clean.
Option 2: Named list with buyer-specific confirmation. List specific partners and make the consumer affirmatively select which ones can contact them. This is closer to what the FCC likely envisions and keeps some of the comparison-shopping experience.
Option 3: Sell exclusively. Generate the lead with consent naming one buyer, sell it to that buyer only, charge a premium for exclusivity. Some generators are already moving here.
Option 4: Exit the market. Smaller generators without the technical budget to rebuild their flows may find the math no longer works and shut down. That is already happening in some segments.
For generators trying to understand how how do I get the do not call list requirements interact with their scrubbing obligations before delivery, that is a separate workflow worth setting up.
Does the rule affect B2B leads or only consumer leads?
The TCPA's prior express written consent requirement applies whenever you contact cell phones. A business purpose does not create a categorical exemption. A business owner's cell phone is still a cell phone.
That said, TCPA cases involving B2B outreach are generally harder to bring as class actions. The plaintiff population is less uniform, and business recipients often have a harder time showing they lacked an established business relationship. The litigation risk for pure B2B outreach to direct-dial business lines (not cell phones) is lower.
For teams doing any volume to cell phones in a B2B context, which is common now that decision-makers use cell phones as their main business number, the consent analysis still applies. If you use an ATDS or a prerecorded voice, you need consent. The one-to-one rule tightens what counts as valid consent for those contacts.
What is the "logically and topically associated" requirement and why did a court question it?
This phrase comes from the FCC's December 2023 order and adds a second constraint on top of the named-seller requirement. The FCC said consent must be logically and topically associated with the website where it is obtained. [1] In plain terms, a consumer filling out a home loan inquiry form should not end up with consent flowing to a pest control company, even if that company's name sits in the fine print.
The Eleventh Circuit's stay in Insurance Marketing Coalition v. FCC focused partly on this requirement, asking whether the FCC has statutory authority to bolt a topical-association condition onto the TCPA's consent standard when the statute's text says nothing about it. [3] This is an administrative law question about agency rulemaking power, and it is the kind of argument gaining traction in federal courts since the Supreme Court's 2024 Loper Bright decision cut back judicial deference to agencies. [10]
What the challenge does not dispute is the core one-to-one principle. Most legal observers think the named-seller requirement has a stronger textual footing in the statute than the topical-association gloss does. So even if topical association loses in court, the requirement that your specific company name appear on the form is likely to survive.
That distinction matters in practice. A form that names your company but happens to live on a tangentially related comparison site is probably safer than a form that never names you at all.
What records do you need to retain to prove one-to-one consent?
TCPA consent records are your defense, and the burden is on you, not the plaintiff, to produce them. Courts generally put the burden of proving consent on the defendant once a plaintiff shows they got a call or text. [4]
For each consumer contact, you should be able to produce:
- The URL of the form page where consent was collected
- A screenshot or archived version of the full form language the consumer saw, including disclosure text
- The date and time of the consent event (timestamp)
- The IP address of the consumer at the time of consent
- The phone number the consumer entered
- Your company's name as it appeared in the disclosure
- For purchased leads: written confirmation from the generator that this data was captured and can be provided
The TCPA does not spell out an exact retention period. But given a four-year federal statute of limitations and the chance of state-level claims with longer windows, keeping consent records for at least five years from the date of last contact is a sensible standard.
A tool that captures, stores, and makes these records searchable by phone number is not a luxury. It is the difference between a demand letter that costs $5,000 to resolve and one that costs $500,000.
Frequently asked questions
Is the one-to-one consent rule currently in effect?
As of mid-2025, the rule is stayed by the Eleventh Circuit Court of Appeals in Insurance Marketing Coalition v. FCC. It was originally set to take effect January 27, 2025. The stay pauses federal enforcement of the specific rule, but the FCC's underlying intent is clear and the litigation risk from non-compliant consent has not gone away. Treat the rule as directionally controlling regardless of how the stay resolves.
Can I still buy leads from aggregators under the new rule?
Yes, but only if the aggregator's consent form names your company specifically. A lead sold to you that names you in the disclosure is compliant. A shared lead where multiple buyers claim the same consent, with your company buried among dozens of generic "partners," is exactly what the rule targets. Buying those leads after the rule takes effect (if the stay lifts) creates per-call or per-text TCPA exposure of $500 to $1,500.
What is the TCPA penalty for violating the one-to-one consent rule?
The underlying TCPA penalty is $500 per negligent violation and $1,500 per willful violation under 47 U.S.C. § 227(b)(3). Each non-compliant call or text is a separate violation. In a class action, even 10,000 contacts at $500 each equals $5 million in statutory damages. Actual TCPA settlements in lead-generation cases have reached eight figures.
Does the one-to-one consent rule apply to email marketing?
No. The TCPA regulates telephone calls and text messages, not email. Email marketing is governed mainly by the CAN-SPAM Act, which has a different consent framework. [7] The one-to-one rule only affects robocalls, prerecorded voice calls, and automated texts to cell phones. If your only channel is email, this rule does not apply, though you still need to honor unsubscribe requests and other CAN-SPAM obligations.
How does the one-to-one consent rule interact with the National Do Not Call Registry?
They are separate obligations. DNC registry compliance requires you to scrub phone numbers against the national registry regardless of consent status. One-to-one consent governs who you can reach with robocalls and robotexts. A consumer can give valid one-to-one consent and still be on the DNC registry, which limits how you contact them. You need both: consent for the type of communication and compliance with DNC rules for the number. [9]
What is "prior express written consent" under the TCPA?
It is the FCC's term for the consent you must obtain before sending marketing robocalls or robotexts to cell phones. It requires a written agreement (electronic counts) that clearly authorizes the specific company to call or text, includes the phone number, discloses the use of automated dialing or prerecorded messages, and states that consent is not a condition of purchase. The one-to-one rule adds the requirement that the named company be yours specifically. [6]
If I have an established business relationship with someone, do I still need one-to-one consent?
An established business relationship provides some exemption from the National Do Not Call Registry for voice calls to residential landlines, but it does not substitute for prior express written consent for robocalls or robotexts to cell phones. The cell phone consent requirement is stricter. If you use an automatic telephone dialing system or prerecorded voice to reach a cell phone for marketing, you need prior express written consent regardless of your business relationship.
How do I verify that a lead I purchased has valid one-to-one consent for my company?
Request the actual consent record from the generator: the form URL, the form text the consumer saw, timestamp, IP address, and your company's name as it appeared in the disclosure. Do not accept a verbal assurance or a summary. If the generator cannot produce the record, or your company's name does not appear in the disclosure text, you do not have valid one-to-one consent. Build this into your lead source contracts as a required data delivery field.
What happens to leads already purchased before the rule took effect?
This is genuinely unsettled. The stay complicates it, but once and if the rule takes effect, the safer read is that prospective contacts made after the effective date need compliant consent regardless of when you bought the lead. Using an old bundled-consent list for new outreach after the effective date would likely be treated as a violation. Old leads with non-compliant consent should probably be retired or re-consented.
Can a lead generator get consent on my behalf without putting my company name on the form?
No, not under the one-to-one rule. The whole point is that your company must be named. A generator cannot obtain consent for an unnamed class of future buyers and then assign it to you. The consent must identify you specifically at the moment the consumer provides it. Some generators build flows where the form dynamically inserts the specific buyer's name based on which campaign is active, which is one compliant approach.
Does the one-to-one consent rule apply to ringless voicemail?
The FCC treats ringless voicemail, which drops a prerecorded message straight into voicemail without ringing the phone, as a call under the TCPA that requires prior express consent to cell phones. The FCC confirmed this interpretation in 2023. [8] If ringless voicemail is a TCPA call requiring prior express consent, the one-to-one rule applies to it too. This is one of the murkier corners of the law and worth watching for further FCC guidance.
Do state laws add additional requirements on top of the FCC's one-to-one consent rule?
Yes. Several states have laws that parallel or exceed the TCPA. Florida's Telephone Solicitation Act has its own consent and calling-hours rules. [11] California's consumer protection statutes add layers for residents. The one-to-one rule is a federal floor, not a ceiling. Even if the stay holds and the federal rule never takes full effect, state attorneys general in aggressive states can enforce state-law analogues that effectively require similar practices.
Is manual dialing exempt from the one-to-one consent rule?
Prior express written consent for marketing calls to cell phones is only required under the TCPA when an automatic telephone dialing system is used, or a prerecorded or artificial voice is used. Truly manual dialing, a human physically dialing each number without predictive or automated help, does not trigger the prior express written consent requirement, though the National Do Not Call Registry still applies. The catch is that most high-volume outbound operations run on technology that may qualify as an ATDS. [12]
Sources
- Cornell Legal Information Institute, 47 U.S.C. § 227, Telephone Consumer Protection Act: Statutory damages under the TCPA are $500 per negligent violation and up to $1,500 per willful violation; prior express written consent is required for robocalls and robotexts to cell phones.
- Eleventh Circuit Court of Appeals, Insurance Marketing Coalition Ltd. v. FCC, No. 24-10277 (2025), stay order: The Eleventh Circuit granted a stay of the FCC's one-to-one consent rule in January 2025, finding petitioners raised serious questions about the FCC's authority to impose the logically and topically associated requirement.
- Federal Trade Commission, National Do Not Call Registry (agency homepage and consumer guidance): The FTC receives millions of robocall complaints annually, a significant portion traceable to lead generation funnels.
- Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200, Delivery restrictions: FCC regulations implementing the TCPA specify the elements required for prior express written consent for marketing calls and texts, including written agreement, disclosure of automated dialing, and that consent is not a condition of purchase.
- FTC, CAN-SPAM Act: A Compliance Guide for Business: Email marketing is governed by CAN-SPAM, not the TCPA; the one-to-one consent rule does not apply to email.
- FTC, National Do Not Call Registry (business guidance): Sellers must scrub numbers against the National Do Not Call Registry regardless of whether they hold consent; DNC compliance and TCPA consent are independent obligations.
- Supreme Court of the United States, Loper Bright Enterprises v. Raimondo, 603 U.S. 369 (2024): The Supreme Court's 2024 Loper Bright decision limits judicial deference to agency statutory interpretations, which is the legal backdrop for the Eleventh Circuit's skepticism of the FCC's rulemaking authority in the one-to-one consent case.
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's Telephone Solicitation Act imposes state-level consent and calling restrictions that may parallel or exceed the FCC's one-to-one consent rule for Florida residents.
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: The Telemarketing Sales Rule governs additional telemarketing conduct obligations that interact with TCPA consent requirements for outbound sales teams.