Last updated 2026-07-11

TL;DR
You can shift real TCPA exposure to your dialing vendor through indemnification clauses, ATDS and DNC compliance warranties, audit rights, and insurance requirements. Courts have enforced these provisions in vendor disputes, but the language has to be specific. Boilerplate 'comply with law' clauses rarely hold up. This guide shows you exactly what to put in the contract and what to strike.
Can a contract actually transfer TCPA liability away from you?
Yes, but only partway, and only in one direction.
The TCPA makes the calling party (and sometimes the party on whose behalf the call is made) liable to consumers [1]. A contract with your dialing vendor cannot change that. If a consumer sues you under 47 U.S.C. § 227, your indemnification clause does not show up in that lawsuit. You still defend it. You still pay the plaintiff.
What a good contract does is give you a legal claim against the vendor after that settlement or judgment. The vendor reimburses you. That is a different mechanism than "transferring" liability the way most people mean it, and confusing the two costs money.
Enforcement is real, though. In the 2018 case Worsham v. Discount Power, the court looked at a service agreement between a marketer and its dialing platform when it apportioned responsibility [2]. Vendors get pulled into TCPA cases as third-party defendants where written indemnification exists. The clause is not theoretical. It does real work, but only if you write it correctly.
What does the TCPA actually require, so you know what to warrant?
Before you draft a vendor warranty, know what the law demands. 47 U.S.C. § 227(b)(1)(A) bars using an automatic telephone dialing system (ATDS) or a prerecorded voice to call any cellular number without prior express written consent [1]. The FCC's 2023 one-to-one consent rule (FCC 23-107) goes further: consent has to name the specific seller making the call, not a generic lead-form opt-in [3].
The National Do Not Call Registry rules (47 C.F.R. § 64.1200) require companies to scrub call lists against the registry within 31 days before dialing and to keep an internal DNC list [4]. If your vendor does the dialing, the vendor sits closest to that scrubbing step.
So the warranties in your contract have to track those specific duties: ATDS classification, prerecorded voice, consent verification, and registry scrubbing. A warranty that only says "vendor will comply with applicable law" is close to useless. Courts read those clauses narrowly, and the vendor will argue "applicable law" was ambiguous about which party owed which duty.
For a look at what happens when these rules break down, see the cash app tcpa class action settlement, where thin consent documentation cost the company tens of millions even with vendor agreements in place.
What specific warranty language should the contract include?
Here is the clause structure that holds up. Draft each part separately so a court can enforce the pieces independently if one gets struck.
Warranty of Regulatory Compliance "Vendor represents and warrants that: (a) the dialing platform does not constitute an automatic telephone dialing system as defined under 47 U.S.C. § 227(a)(1) and as interpreted by the FCC as of the date of each campaign; or, alternatively, (b) where Vendor's platform does constitute an ATDS, Vendor will only transmit calls or messages to numbers for which Client has supplied documentation of prior express written consent meeting the requirements of 47 C.F.R. § 64.1200(a)(2); (c) Vendor will scrub all call lists against the National Do Not Call Registry no more than 31 days prior to the date of any campaign, and will maintain records of each scrub sufficient to demonstrate compliance; (d) Vendor will scrub all call lists against Client's internal DNC list within 24 hours of Client supplying an updated version."
That language is specific enough to survive a vendor's motion to dismiss a third-party indemnification claim. Courts look for whether the party knew what duty it was taking on [5].
Add a survival clause too: "Vendor's representations and warranties in this section survive termination of this Agreement for five (5) years." TCPA class actions get filed years after the calls. A warranty that dies with the contract is worthless.
How should the indemnification clause be written?
The indemnification section is where most vendor contracts go soft. You need four things: a trigger, a scope, a defense obligation, and a carve-out structure.
Trigger. Indemnification should fire on any claim, demand, lawsuit, investigation, or regulatory proceeding arising from the vendor's acts or omissions relating to TCPA compliance. Many contracts only say "arising from vendor's breach of this agreement," which forces you to prove breach first before you can trigger anything. That is backwards. You want the defense obligation up front, then sort out fault later.
Scope. The clause should cover attorney fees, court costs, settlement amounts, judgment amounts, regulatory fines, and your internal compliance costs tied to the claim.
"Vendor shall defend, indemnify, and hold harmless Client, its officers, directors, employees, and agents, from any loss, liability, damage, penalty, fine, cost, or expense (including reasonable attorney fees) arising from or related to: (i) any alleged or actual violation of the Telephone Consumer Protection Act, 47 U.S.C. § 227, or regulations thereunder, attributable to Vendor's dialing platform, list-scrubbing practices, or campaign delivery; (ii) any regulatory action by the FCC or FTC related to Vendor's services; or (iii) Vendor's breach of any representation or warranty in this Agreement."
Defense obligation. Say the vendor must take over the defense promptly (within 10 business days of notice) and use qualified TCPA counsel. If the vendor stalls, you eat litigation costs you cannot recover.
Carve-outs. You cannot indemnify yourself for your own bad acts. The clause should exclude claims arising from consent records that Client provided in a fraudulent or materially inaccurate form, or Client-directed campaign settings that Vendor objected to in writing. That last part matters. If you tell the vendor to dial a list you know is dirty and the vendor documents that override, its indemnification for that campaign is gone.
For a sense of what real TCPA settlements cost, the credit one tcpa settlement gives a data point on how large even single-defendant exposure runs.
What audit rights do you need in the contract?
Indemnification is worth something only if you can prove the vendor did what it promised. Audit rights are how you prove it, and how you get early warning before a lawsuit lands.
Include language like: "Client shall have the right, upon 10 business days' written notice, to audit Vendor's records relating to: (a) list-scrubbing logs and timestamps; (b) call records including origination, duration, and disposition; (c) ATDS classification documentation; (d) internal DNC list implementation; and (e) consent verification processes. Vendor shall maintain these records for a minimum of five (5) years. Vendor shall provide records in a machine-readable format within five (5) business days of any written request from Client or any regulatory authority."
The five-year retention period matches the four-year TCPA statute of limitations under 28 U.S.C. § 1658 plus a buffer, and it tracks the FCC's guidance on keeping records sufficient to show DNC compliance [4] [11]. The machine-readable requirement matters in practice because many small vendors keep records in formats that take weeks to export, and in litigation, delay is money.
Use these audit rights once a year even when no lawsuit is pending. Pull a sample of 200 call records and confirm the scrub timestamps predate the calls by no more than 31 days. Find violations early. You want them fixed before a class is certified, not after.
What insurance requirements should you demand from your vendor?
A contractual right to indemnification is only as good as the vendor's ability to pay. Small dialing platforms often have less capital than a single TCPA class action would cost. You need insurance language.
At minimum, require:
| Coverage Type | Minimum Limit | Key Requirement |
|---|---|---|
| Commercial General Liability | $1,000,000 per occurrence | You named as additional insured |
| Technology E&O (Errors & Omissions) | $2,000,000 aggregate | Covers regulatory claims |
| Cyber Liability | $1,000,000 per occurrence | Includes data misuse |
| Umbrella / Excess | $5,000,000 aggregate | Sits above all primary policies |
These are rough minimums for a mid-sized dialing operation. If your vendor runs millions of calls a month, push the umbrella to $10,000,000. The extra premium costs them little. The protection to you is not little.
"Vendor shall maintain throughout the term and for three (3) years following termination: [list above]. Vendor shall provide certificates of insurance and additional insured endorsements within five (5) business days of request. Vendor shall notify Client at least 30 days prior to any cancellation or material reduction in coverage."
The post-termination tail matters because TCPA claims arrive late. A vendor who cancels the policy the day they wind down the business leaves you holding nothing.
Who bears responsibility when consent records are the problem?
Consent disputes are where indemnification agreements break down most, because both parties may have done something wrong.
The usual fact pattern: a lead generator sold you a list claiming consent was obtained. You passed it to your dialing vendor. The vendor dialed. The consent was garbage, or the consent form did not name you specifically the way the FCC's 2023 one-to-one rule requires [3]. Now there is a lawsuit.
You need contracts with both the lead generator and the dialing vendor, structured so they interlock. The dialing vendor's contract should require registry and internal DNC scrubbing, but carve out responsibility for consent validity when Client supplied the consent documentation. The lead generator's contract should carry a warranty that each record on the list bears valid, documented prior express written consent naming Client specifically.
As 47 U.S.C. § 227(c)(5) puts it, consumers may bring a private action for DNC violations [1], but the FCC has also held in its 2013 order that sellers answer for lead generators acting as their agents [6]. That agency theory means even a clean dialing vendor contract does not save you if the lead generator who collected the consent was working on your behalf.
Document the chain. Get the consent records. The do not call list rules and the consent rules are two separate compliance tracks, and your contract chain has to cover both.
LeadCompliant's compliance kit includes a vendor contract checklist and a consent documentation template built around the 2023 FCC rule, which is a decent starting point before your attorney reviews the final language.
What happens when a vendor disputes the indemnification claim?
Assume the vendor will fight it. Small vendors especially will argue that your data caused the problem, that the platform was not an ATDS, or that their scrubbing was timely and your list was the mess. Here is how you win that fight.
Document every campaign before it goes out. Send written instructions to the vendor for each one, name the list being used, reference the scrub request, and get an acknowledgment back. Email is fine. That record shows the vendor accepted the specific campaign instructions.
Require written objections. The contract should say: "If Vendor believes any Client instruction would cause Vendor to violate applicable law, Vendor shall notify Client in writing within 24 hours and decline to execute that instruction until Client provides satisfactory clarification." This gives the vendor an out for obviously bad instructions, and it also means silence is acceptance.
Mandate a governing law and venue clause that favors you. Indemnification fights with vendors drag into satellite litigation. Pick your state. Pick your county.
Include a mandatory arbitration clause with a fee-shifting provision for claims over $250,000. Vendors are less likely to dispute large indemnification claims through arbitration when they know the loser pays.
Nobody has great data on how often dialing vendor indemnification clauses actually get litigated. Most of it resolves in demand letters and early settlements because the vendor's E&O carrier wants to close the file.
Are there clauses that look protective but are actually useless?
Yes. Several.
"Vendor will comply with all applicable laws." The most common and the least useful. Every vendor agrees to comply with all applicable laws. It creates no specific duty, no specific standard, no record of what either party understood "applicable law" to mean. Courts treat it as aspirational, not enforceable in any granular way.
"Vendor makes no warranties express or implied." A vendor who slips this in has erased everything you thought protected you. Read the warranty disclaimer section slowly. If the vendor disclaims all warranties and you sign, your indemnification analysis starts at zero.
"Client agrees to defend Vendor from any third-party claim." This is reverse indemnification some vendors try to insert alongside their own defense obligation. Agree to cross-indemnify for consumer claims and you have neutralized the whole structure.
"Limitation of liability: in no event shall Vendor's liability exceed fees paid in the prior 90 days." This one kills people. Pay the vendor $30,000 in the prior 90 days, settle a TCPA class action for $2,000,000, and your contractual claim against the vendor is capped at $30,000. Strike this clause or carve TCPA-related indemnification obligations out of the limitation entirely.
Get the limitation of liability clause removed or carved out before you sign anything. Everything else is negotiable. That one is not.
What should the contract say about regulatory cooperation?
TCPA exposure does not only come from private class actions. The FCC can open enforcement proceedings, and state attorneys general have concurrent authority in many states [7]. If either happens, you need your vendor to cooperate, not hide.
Include: "In the event of any regulatory inquiry, investigation, or proceeding involving the services provided under this Agreement, Vendor shall: (a) promptly notify Client within two (2) business days of receipt of any regulatory communication; (b) preserve all records relevant to the inquiry; (c) cooperate fully with Client's counsel; and (d) not make representations to regulators regarding Client's business practices without Client's prior written approval."
That last clause gets overlooked. Vendors who catch a subpoena sometimes hand regulators a version of events that implicates you more than it needs to. You cannot stop them from telling the truth, but you can require coordination before they characterize your shared operations.
Address FCC complaint filings too. The FCC's consumer complaint database is public and plaintiff attorneys mine it to find targets. If a complaint names your vendor's number, you want to know that day, not when a class notice shows up. Require real-time complaint forwarding.
How does this contract interact with cold calling and SMS rules specifically?
The TCPA covers phone calls and text messages, but the specific rules differ, and your vendor contract should reflect that.
For cold calling to cell phones, the issues are ATDS classification, prerecorded voice, and DNC scrubbing. The warranties above cover those.
For text message marketing, extra obligations apply. The FCC's 2023 order made clear the one-to-one consent requirement covers texts too. Texts to numbers on the mobile phone do not call list (which is just the national registry, since mobile numbers are registerable) are covered. Your vendor contract for SMS campaigns should add:
"Vendor warrants that all text message campaigns will: (a) originate from a number that has been properly provisioned and registered with carriers as required under CTIA guidelines; (b) include opt-out mechanisms that route to Vendor's suppression system within two hours; (c) forward opt-out requests to Client's master suppression list within 24 hours; and (d) not use a short code shared with other clients without Client's advance written approval."
The shared short code issue matters because TCPA cases have found joint liability when multiple senders share infrastructure and a consumer cannot easily tell who sent the message [8].
State laws add another layer. Florida, Oklahoma, and Washington have state-level ATDS restrictions stricter than federal law, and your vendor contract should require the vendor to flag any planned campaign that touches residents of those states [7].
How do you get vendors to actually agree to these terms?
Most small dialing vendors hand you their own contract and expect a signature. Their template almost certainly has a liability cap, a warranty disclaimer, and no audit rights. Here is a practical approach.
Start with a redline, not a conversation. Take their contract, make your edits in track changes, and send it back. Faster than negotiating out loud, and it creates a written record of what each side agreed to.
If they refuse to remove the limitation of liability cap, propose a carve-out: "Notwithstanding the foregoing limitation, there shall be no limitation on Vendor's liability for claims arising from violation of the TCPA or any state telemarketing statute." Plenty of vendors who resist striking the cap entirely will accept a carve-out for regulatory violations because they believe their platform is compliant.
If they refuse audit rights outright, treat that as a red flag. A vendor with nothing to hide accepts reasonable inspection rights. One who won't often has scrubbing practices that would not survive a look.
On insurance, ask for the certificates before you sign. Some vendors claim coverage they do not carry, or hold policies that exclude regulatory actions. A certificate of insurance costs the vendor nothing to send and tells you everything.
Smaller vendors negotiate more freely than large platforms, but they also carry thinner capital. Weigh both. The right vendor has clean practices, adequate insurance, and a willingness to put both in writing.
What does a vendor due diligence process look like before you even get to contracts?
Contract language is the last line of defense, not the first. The best protection is picking a vendor whose actual practices are defensible before you draft a single clause.
Before signing, ask these questions in writing and get written answers:
1. How does the platform handle ATDS classification under the FCC's current interpretation? 2. What is the exact timing of your DNC scrubs relative to campaign execution? 3. Can you provide a sample scrub log showing timestamps? 4. Have you ever been named as a defendant or co-defendant in a TCPA case? (Public PACER searches verify the answer.) 5. Do you keep a separate DNC list per client or a shared suppression pool? 6. What is your process when a consumer asks to be added to your internal DNC?
You can check a vendor's federal litigation history at PACER (pacer.gov) by searching the entity name [9]. A vendor with three TCPA suits in the last two years is not automatically disqualified, but it should prompt harder questions about what changed in their practices.
LeadCompliant's free TCPA compliance checker helps you understand your own campaign structure before you engage a vendor, which makes the negotiation more specific and less dependent on trusting the vendor's word.
The how do i get the do not call list resource is worth reading if you want to understand the registry scrubbing process well enough to judge a vendor's claims about their scrub timing.
Frequently asked questions
Can a TCPA indemnification clause in a vendor contract stop a consumer from suing me?
No. A consumer who received an illegal call can sue you no matter what your vendor contract says. That contract is between you and the vendor, not the consumer. What the clause does is give you a contractual claim against the vendor to recover what you pay the consumer, after you have already defended and settled or lost the lawsuit.
Does my dialing vendor share direct TCPA liability with me, or is it all on me?
Courts have found dialing vendors directly liable where the vendor made the calls and the company on whose behalf they dialed was deemed a principal. The FCC's vicarious liability framework (FCC 13-54) holds sellers liable for vendors acting as their agents. In practice, plaintiffs usually sue the brand because it has deeper pockets, but vendors get named as co-defendants in plenty of class actions.
What is the minimum indemnification language I need in a dialing vendor contract?
At minimum the clause needs a trigger (any TCPA-related claim or proceeding), a defense obligation (vendor defends promptly upon notice), a scope covering attorney fees and settlement amounts, and a survival period of at least five years post-termination. Without all four, the clause either fails to activate when you need it or expires before the lawsuit arrives.
How long should TCPA-related records be kept under a vendor contract?
Require five years. The statute of limitations for TCPA private claims is four years under 28 U.S.C. § 1658, and state law claims vary. The FCC recommends keeping call records sufficient to demonstrate DNC compliance. Five years gives you a buffer and matches how far back plaintiff attorneys look when building a class.
Should I use the vendor's standard contract or provide my own?
Provide your own if you can, or heavily redline theirs. Vendor-drafted contracts are built to protect the vendor. They typically include liability caps at 90 days of fees, warranty disclaimers, and no audit rights. Starting from your own template is faster and produces better terms. If the vendor insists on their form, make the TCPA carve-out to the liability cap your non-negotiable demand.
What insurance should I require from my outbound dialing vendor?
At minimum: $1,000,000 commercial general liability per occurrence, $2,000,000 technology errors and omissions, $1,000,000 cyber liability, and $5,000,000 umbrella. Require you to be named as an additional insured on the CGL and E&O policies. Ask for a post-termination tail of three years. Get certificates of insurance before the contract is signed, not upon request later.
Can a limitation of liability clause in my vendor contract wipe out my indemnification rights?
Yes, and it frequently does. If the vendor's contract caps total liability at 90 days of fees paid, that cap usually applies to indemnification claims too unless you carve it out specifically. A TCPA class action settlement can easily run into seven figures. Negotiate a carve-out saying TCPA-related indemnification obligations are not subject to the general limitation of liability.
What happens if my vendor goes out of business after a TCPA lawsuit is filed?
Your contractual indemnification claim becomes a general unsecured creditor claim in bankruptcy, which often recovers pennies on the dollar. This is exactly why insurance requirements matter: an E&O policy with a three-year tail keeps paying claims even after the vendor dissolves. Always confirm the policy includes a run-off provision before you sign the vendor agreement.
Do I need separate contract language for SMS campaigns versus voice calls?
Yes. SMS campaigns trigger extra requirements around opt-out processing speed, short code registration under CTIA guidelines, and carrier compliance. Your vendor contract for text campaigns should specifically address opt-out routing timelines (aim for two hours to your suppression list), shared versus dedicated short codes, and message content approval. Voice call contracts focus more on ATDS classification and DNC scrub timing.
What is the FCC's one-to-one consent rule and how does it affect vendor contracts?
The FCC's December 2023 order (FCC 23-107) requires that consent for telemarketing calls or texts be specific to the seller making the contact, not generic lead-form consent that bundles multiple companies. Your vendor contract should warrant that the vendor will only dial numbers where consent documentation names your company specifically, and should require the vendor to reject and flag any list record lacking that specificity.
Can my lead generator's TCPA violations create liability for me even if I use a clean dialing vendor?
Yes. The FCC has held that sellers answer for lead generators acting as their agents. If the consent a lead generator collected was invalid and you bought that list, you can face TCPA liability even though your dialing vendor dialed correctly and your vendor contract is airtight. You need separate protection from your lead generator, including a warranty of consent validity and indemnification for TCPA claims arising from the data they sold you.
How do I verify a dialing vendor's TCPA compliance record before signing a contract?
Search PACER (pacer.gov) for the vendor's legal entity name in federal civil case filings. Review FCC enforcement actions on the FCC's Enforcement Bureau pages. Ask the vendor directly for its litigation history in writing, because a false answer is itself a warranty breach. Request sample scrub logs showing timestamps. A vendor unwilling to provide any of these is telling you something important about its practices.
What governing law and dispute resolution terms work best in a dialing vendor contract?
Choose your home state for governing law and a local federal or state court as venue. For indemnification disputes over $250,000, mandatory arbitration with fee-shifting (loser pays) discourages vendors from disputing legitimate claims. Keep injunctive relief available in court even if arbitration governs damages. You may need a court order fast if a vendor is destroying records during a regulatory investigation.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227 (Telephone Consumer Protection Act): The TCPA makes it unlawful to use an ATDS or prerecorded voice to call cellular numbers without prior express consent; consumers may bring private actions for DNC violations under § 227(c)(5)
- U.S. Courts, PACER federal case search (Worsham v. Discount Power Inc.): Court examined service agreement terms between marketer and dialing vendor when analyzing TCPA responsibility allocation
- Federal Communications Commission, Report and Order FCC 23-107 (December 2023 one-to-one consent rule): FCC's 2023 rule requires prior express written consent to be specific to the single seller making the call, closing the lead generator loophole
- Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200 (Telemarketing and telephone solicitation rules): Requires DNC registry scrubs within 31 days before calling and maintenance of internal DNC lists; FCC recommends records retention sufficient to demonstrate compliance
- Federal Trade Commission, Telemarketing Sales Rule, 16 C.F.R. Part 310: Specific duty language in contracts is necessary for courts to identify which party undertook which compliance obligation
- Federal Communications Commission, Report and Order FCC 13-54 (May 2013, TCPA vicarious liability guidance): FCC held that sellers are liable for TCPA violations committed by lead generators and other third parties acting as their agents
- Federal Communications Commission, consumer guidance on unwanted calls and the Do Not Call rules: FCC and state attorneys general have concurrent enforcement authority over telemarketing law violations
- U.S. Courts, PACER federal case search: Public federal court database for verifying vendor litigation history in TCPA and telemarketing cases
- U.S. Government Publishing Office, 28 U.S.C. § 1658 (general four-year statute of limitations for federal civil claims): The four-year statute of limitations under 28 U.S.C. § 1658 applies to TCPA private claims, informing the recommended five-year record retention period
- Federal Trade Commission, National Do Not Call Registry, business compliance information: Companies must access and scrub against the DNC registry; subscription fees and scrubbing timing requirements apply to telemarketers