How TCPA exposure affects company valuation during acquisition

TCPA lawsuits can shave millions off a deal price or kill it entirely. Learn how buyers quantify exposure, demand escrows, and what sellers must fix first.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-11

Lawyers reviewing acquisition documents at conference table, TCPA liability due diligence
Lawyers reviewing acquisition documents at conference table, TCPA liability due diligence

TL;DR

Unresolved TCPA liability is treated as contingent debt during M&A due diligence. Buyers discount purchase prices dollar-for-dollar against estimated exposure, demand indemnification escrows of 10-20% of deal value, or walk away entirely. A single TCPA class action can carry $500 to $1,500 per call or text, multiplied across millions of contacts, producing nine-figure theoretical liability even for mid-market companies.

Why does TCPA exposure matter in an acquisition?

Buying a company means buying its liabilities. All of them. TCPA claims do not disappear when ownership changes hands; they travel with the legal entity being purchased. A buyer who closes on a stock deal inherits every lawsuit filed before closing, every class that could be certified after closing for pre-closing conduct, and every regulatory action the FCC or a state AG decides to bring.

That creates a pricing problem. A target might look profitable on paper. But if its sales team spent three years blasting autodials to numbers pulled from unverified lists, the theoretical statutory damages under 47 U.S.C. § 227 run $500 per negligent violation and $1,500 per willful violation [1]. Multiply those numbers across even a modest outbound operation sending 200,000 texts a month, and the math gets scary fast. Plaintiffs' attorneys know this arithmetic too, which is why TCPA class actions are among the most actively litigated consumer-protection claims in federal court.

The core issue for valuation is that TCPA exposure is often invisible in standard financial statements. It does not sit on the balance sheet unless litigation has already been filed. So buyers who skip a proper compliance audit during due diligence are flying blind on one of the biggest contingent liabilities in the deal.

How do acquirers actually find TCPA liability during due diligence?

Good M&A counsel runs a multi-layer TCPA review. Pulling litigation dockets is the starting point, not the whole job.

The first layer is historical litigation search. Counsel searches PACER for the legal entity, any doing-business-as names, and predecessor entities. They look for filed class actions, demand letters, and FCC complaints. A single demand letter that was never answered can still ripen into a suit after closing.

The second layer is compliance-practice review. This is where deals actually unravel. Buyers want to see what dialing system the seller used and whether it meets the FCC's definition of an automatic telephone dialing system (ATDS) under the 2021 Facebook v. Duguid standard [2]; how the company obtained consent for each contact type; whether consent records are stored and retrievable; whether the company scrubbed against the National Do Not Call Registry before calling [3]; and how opt-outs were honored and documented.

The third layer is sampling. Counsel or a compliance firm pulls a statistical sample of contact records, matches them against call logs, and tests whether documented consent exists for each attempted contact. When consent records are missing for a material percentage of the sample, that gap gets extrapolated across the full contact universe to produce an exposure range.

The fourth layer is interviews. The sales ops leader, the marketing technology owner, and whoever managed the dialer vendor relationship all get questioned. What you hear in those conversations often contradicts what the data room says about compliance practices.

If the target relies heavily on cold calling or high-volume text message marketing, buyers treat the compliance audit as non-negotiable. There is simply too much downside to skip it.

What dollar amounts do buyers typically discount for TCPA risk?

There is no published benchmark from investment banks on this, and honestly nobody has clean aggregate data. What practitioners report anecdotally, and what you can infer from deal structures where TCPA issues surfaced, is a range of outcomes.

For contained, low-severity risk (a few hundred undocumented contacts, no pending litigation, easy cure), buyers typically accept a representation-and-warranty insurance policy covering TCPA and adjust price minimally, maybe 1-3% of enterprise value.

For moderate risk (a pattern of consent gaps, a demand letter in the last 24 months, dialer practices that would not survive class certification arguments), buyers demand a specific indemnification escrow. Escrow amounts in deals described in legal commentary range from 10-25% of purchase price, held for 12-36 months post-close [4].

For severe or unquantifiable risk (active class action, FCC investigation, no consent records, millions of contacts), acquirers do one of three things. They reprice the deal with a floor tied to the worst-case TCPA outcome. They restructure as an asset purchase to leave the litigation shell behind. Or they walk. Asset purchases are the classic move: you buy the customer contracts, IP, and equipment, but the old entity (and its TCPA liability) stays with the seller.

Here is the scale that makes buyers nervous. The Cash App TCPA class action settlement resolved for $15 million [5]. The Credit One TCPA settlement reached $12.5 million [6]. Both numbers are large enough to move the needle on a mid-market deal priced at $50-150 million.

Risk tierTypical buyer responseDeal impact
Clean (documented consent, no litigation)Standard R&W insuranceMinimal to none
Low (minor gaps, no pending claims)Enhanced rep coverage, slight price adjustment1-3% EV reduction
Moderate (pattern gaps, demand letters)Specific TCPA escrow 10-25% of priceMaterial price reduction or escrow holdback
Severe (active class action or FCC action)Asset deal structure or walkDeal restructured or killed
Notable TCPA settlement and forfeiture amounts Shows the dollar range buyers must consider when pricing TCPA risk in an acquisition FCC spoofed robocall forfeiture (… $225M Capital One settlement (2014) $75.5M Papa John's settlement (2018) $16.5M Cash App settlement $15M Credit One settlement $12.5M Source: FCC enforcement records and public court dockets, 2014-2020

How does the $500-$1,500 per violation statutory damage figure translate into deal risk?

The statute at 47 U.S.C. § 227(b)(3) provides that a person may recover "the greater of actual monetary loss from such a violation, or $500 in damages for each such violation" and that a court may treble damages "if the court finds that the defendant willfully or knowingly violated" the section [1]. That $500/$1,500 structure is not negotiable. Courts cannot reduce it below $500 per call or text even when the plaintiff suffered no real harm.

Here is what that looks like on a deal spreadsheet. Suppose the target sent 1 million marketing texts over three years using a vendor's platform. An acquirer's counsel finds that 30% of those texts (300,000) lacked compliant written consent under the FCC's rules. At $500 per text, that is $150 million in theoretical exposure before trebling. At $1,500 per text for willful violations, it's $450 million.

Nobody expects to pay the full theoretical number. TCPA class actions almost always settle at a deep discount to the statutory maximum, because courts exercise judgment on what a class-wide recovery should look like and defendants fight hard on class certification. But the theoretical maximum is what plaintiffs' attorneys use to justify litigation, and it drives settlement negotiations. The gap between theoretical maximum and realistic settlement can still be enormous in absolute dollars. A case that settles for $10 million on $450 million in theoretical exposure is a great outcome for the defendant and still a deal-killing number for an acquirer who did not price it in.

Buyers who understand TCPA fundamentals will always ask for a worst-case exposure model on top of a settlement estimate. The difference between those two numbers is the indemnification buffer they negotiate.

Does deal structure (stock vs. asset purchase) change the TCPA liability picture?

Yes, dramatically. Deal structure is often the biggest lever available when TCPA exposure is material.

In a stock purchase, the buyer acquires the legal entity. That entity's litigation history, class action exposure, and consent to be sued all come along. If a class action is filed after closing but covers pre-closing conduct, the buyer (as the new owner of the entity) is defending it.

In an asset purchase, the buyer acquires specified assets: customer lists, contracts, software, brand, equipment. The selling entity stays a separate legal person and keeps its liabilities, including TCPA exposure. The buyer does not inherit pre-closing TCPA claims unless it agrees to assume them, or a court later decides the transaction was a de facto merger or a fraudulent transfer designed to dodge the liability.

Asset deals cost more to execute, require re-papering of customer contracts, and can trigger change-of-control provisions in vendor agreements. Buyers pay that friction cost when the TCPA risk is high enough to justify it.

One wrinkle: even in an asset purchase, if the buyer acquires the customer contact database and then contacts those people without fresh consent, the buyer creates its own TCPA exposure going forward. The seller's liability does not transfer, but the buyer cannot inherit a list of 2 million contacts and start dialing them without validating consent status. Buyers learn this the hard way. The right approach is to audit the consent status of every contact record during integration planning, not after the first campaign goes out.

What role do representations, warranties, and indemnities play?

Every purchase agreement covering a company with outbound marketing has a section on legal compliance representations. The seller typically represents that it has complied in all material respects with applicable federal and state telemarketing laws. That covers TCPA, the Telemarketing Sales Rule, and state equivalents.

The problem with that representation is that it shifts risk into a negotiation about what "material" means, what the indemnification cap is, and whether the seller can actually pay a claim after closing (especially in a founder-led exit where the founder is taking most of the proceeds).

Buyers push for a few specific protections. First, a standalone TCPA representation that the company obtained legally required consent for all contacts and kept those records. Second, a survival period for this representation that runs past the standard 12-18 months, because TCPA class actions can be filed years after the underlying conduct. The statute of limitations under TCPA is four years (28 U.S.C. § 1658 governs federal claims, and courts have generally applied a four-year window) [7]. Buyers want indemnification to survive at least that long for known risk areas.

Third, buyers increasingly demand a specific indemnification fund (a dollar-capped escrow) rather than relying on the general indemnification basket. A general basket often carries a deductible and a cap too small for a real TCPA class action. A specific fund sits outside the basket and is funded from day one.

Representation and warranty insurance can cover TCPA-related breaches of the compliance reps, but insurers have gotten more cautious. Some policies now explicitly exclude TCPA exposure above a stated threshold, or require a compliance audit as a condition of coverage. Sellers who can produce a clean third-party compliance audit get better coverage terms and a smoother path to closing.

What does a TCPA compliance audit for M&A actually look at?

A proper pre-sale TCPA audit covers eight things. Miss any of them and you miss risk.

First, consent records. Can the company produce, for any contact in its database, a timestamped record of what consent was given, through what mechanism, and whether it covers the specific contact type (call vs. text, marketing vs. transactional)? Post-2012 FCC rules require prior express written consent for autodialed or prerecorded marketing calls and texts to wireless numbers [8].

Second, DNC scrubbing logs. The FTC's National Do Not Call Registry requires telemarketers to scrub their call lists against the registry every 31 days [3]. Can the company show it did this? On what dates? For which campaigns? Missing scrub logs for even one campaign window creates exposure.

Third, ATDS status. What technology dialed or sent the texts? After Facebook v. Duguid (2021), the Supreme Court narrowed the ATDS definition to systems that use a random or sequential number generator [2]. But many state laws and some FCC rules create independent liability that does not depend on the ATDS analysis. Knowing the tech stack is table stakes.

Fourth, opt-out honoring. When someone said stop, did the system stop, immediately, for all contact types? Opt-out failures are among the most common bases for willful-violation findings, which brings in the $1,500 per-violation trebling.

Fifth, vendor contracts and flow-down. If the company used a third-party lead generation firm, what did that contract say about consent compliance? The FCC has been aggressive about holding companies liable for their vendors' TCPA violations.

Sixth, state law compliance. States like Florida (FTSA), Oklahoma, and Washington have passed laws that go beyond federal TCPA. A company operating nationally needs to show it mapped its practices to every applicable state rule.

Seventh, complaint and demand letter history. Any cease-and-desist letters, BBB complaints referencing unwanted calls, or FCC informal complaints should be in the data room.

Eighth, remediation history. If the company found a compliance gap and fixed it, that remediation story matters for both the indemnification negotiation and any post-closing class action defense.

LeadCompliant's compliance kit covers the consent record and DNC scrubbing audit elements sellers can self-assess before formal due diligence, which at least surfaces the obvious gaps before a buyer's counsel finds them first.

How have real TCPA settlements affected M&A deals historically?

The public record on deals that collapsed over TCPA issues is thin, because those situations tend to resolve quietly or never make news. What is visible is the settlement record, and it tells you what buyers are pricing when they look at a target.

The FCC has entered into consent decrees with major telecommunications and marketing companies. In 2020, the FCC issued a $225 million forfeiture notice against a pair of companies for spoofed robocall campaigns [9]. That size of regulatory action stops any deal cold; no indemnification fund covers a nine-figure forfeiture.

At the private class action level, TCPA settlements regularly reach eight figures. Beyond the Cash App and Credit One examples cited earlier, Papa John's settled a TCPA class action for $16.5 million in 2018 [10]. Capital One settled for $75.5 million in 2014 over calls made to wrong numbers after individuals revoked consent [11]. These are not outliers. They represent the realistic range for consumer-facing companies with high call volumes.

For M&A purposes, the lesson is simple. Even a mid-size company with 500,000 contacts and spotty consent records carries $25-75 million in plausible class exposure. Against a $100 million deal, that is existential. Buyers who understand this either price it in or walk, and sellers who have not cleaned up their compliance posture before going to market will see that reflected in their LOI.

What can a seller do before going to market to protect valuation?

This is where the practical advice lives, and it takes at least 6-12 months of lead time to do right.

Start with a consent record audit. Pull every contact in your CRM and document what consent exists, in what form, for what contact type. For records where consent is missing or unclear, suppress those contacts from outbound campaigns immediately. Yes, that shrinks your reachable universe. It also shrinks your liability.

Fix your DNC scrubbing process if it is not already on a 31-day cycle. The FTC offers a subscription service for companies that need regular scrub access [3]. Get on it, document it, and make the logs retrievable. You can also review the do not call list registration process and how it applies to your outbound operations.

Review your vendor agreements. If you used lead gen firms, affiliate networks, or dialer platforms, get it in writing from each of them that the contacts they delivered came with compliant consent. A well-drafted vendor indemnification clause pushes some of the pre-closing exposure back toward the vendor.

If you find violations in your audit, remediate them and document the fix. A clean audit that says "we found 12,000 records without consent and suppressed them" is far better than no audit at all. Buyers read remediation as evidence of a functioning compliance culture. They read the absence of any audit as a red flag.

Consider commissioning a third-party compliance review and putting the report (or a summary) in your data room. It costs money, somewhere in the range of $15,000-50,000 depending on the firm and the complexity of your contact universe, but it signals to buyers that you know your exposure and have handled it. That signal is worth real money in negotiations.

Get counsel to review whether your dialing technology creates any ATDS exposure under state law, even if federal ATDS questions are settled post-Facebook v. Duguid. Florida's mini-TCPA (the FTSA) and Washington's law have their own definitions that can create liability independent of the federal analysis.

The companies that go to market in the best shape are the ones that ran tight consent practices all along and can prove it. If that ship has sailed, the second-best position is a well-documented cleanup with a clean period of at least 12 months before the deal closes.

How do representations and warranty insurers treat TCPA risk?

R&W insurers have seen enough TCPA claims after closing that they now underwrite it as its own line, more than a slice of the general legal compliance representation.

The underwriting process for deals with material outbound marketing now routinely includes a questionnaire about dialing technology, consent practices, and DNC scrubbing procedures. Insurers want to see the same things a buyer's counsel wants to see. If the answers are weak, coverage gets restricted or priced up.

Common R&W exclusions in deals with TCPA risk include a flat exclusion for any claim arising from pre-closing telemarketing conduct, a sublimit that caps TCPA coverage at some fraction of the policy limit (say $5 million on a $20 million policy), or a requirement that any TCPA claim be reported within a compressed notice period.

Premiums for R&W insurance on mid-market deals typically run 2-4% of policy limits. On a $10 million policy with TCPA history, you might be looking at $250,000-400,000 in premium, and even then the coverage may carry a TCPA-specific sublimit that leaves material exposure uncovered.

The upshot is that R&W insurance is not a substitute for actual compliance. It is one tool in the buyer's risk mitigation kit, but smart buyers use it alongside a specific TCPA indemnification escrow, not instead of one.

What happens to TCPA liability after a deal closes?

Post-closing TCPA exposure comes from two sources: pre-closing conduct and post-closing conduct.

Pre-closing conduct that triggers class actions after the deal closes is covered (or not) by the indemnification structure in the purchase agreement. The acquiring entity defends the lawsuit but looks to the escrow or the seller for reimbursement if the breach of the compliance representation can be established. This is where TCPA class actions filed 18 months after close create serious problems: the escrow may have already been released, and the seller may have spent the proceeds.

Post-closing conduct is the new owner's problem entirely. This is a bigger deal than it sounds. Integrated sales teams sometimes keep running the acquired company's old dialing practices during a transition, assuming the old systems are fine because the deal closed. That is a fast way to create fresh TCPA exposure for the acquirer. Integration plans need an explicit section on contact record governance, consent re-verification, and technology transition.

Merging contact databases is another post-closing trap. The acquirer may have its own scrubbed, consented database. The acquired company has a separate one. When those get merged for cross-sell campaigns, the acquirer needs to confirm the acquired company's contacts meet the acquirer's consent standards before any contact is made. The blanket assumption that consent transfers is wrong, and it has been the basis for TCPA claims against acquirers who made exactly that mistake.

If you are running outbound operations post-acquisition, LeadCompliant's free TCPA tools can help you quickly audit which records in a merged database have documented consent status before any campaign goes out.

For ongoing compliance after a deal, make sure your team understands what the mobile phone do not call list rules require and how they interact with the federal DNC registry.

Frequently asked questions

Can a buyer inherit TCPA lawsuits from a seller in a stock purchase?

Yes. A stock purchase transfers the legal entity, including all pending and potential claims against it. TCPA class actions filed after closing for pre-closing conduct attach to the entity the buyer now owns. The buyer's only protection is the indemnification structure in the purchase agreement and whatever escrow the parties negotiated. This is why stock deals with TCPA-heavy targets need specific indemnification carve-outs, more than general legal compliance reps.

Does an asset purchase fully protect a buyer from the seller's TCPA liability?

Mostly, but not completely. An asset purchase leaves TCPA claims with the selling entity, not the buyer. But if the buyer acquires the contact database and contacts those people without re-verifying consent, the buyer creates its own fresh TCPA exposure. Courts have also found successor liability in asset deals that look like de facto mergers. The deal structure helps, but integration practices matter just as much.

What is the statute of limitations for TCPA claims that could affect a deal?

Federal courts have generally applied a four-year statute of limitations to TCPA private claims, drawn from 28 U.S.C. § 1658. That means pre-closing conduct from up to four years before the deal can still generate post-closing lawsuits. Indemnification provisions should survive at least that long for TCPA-specific reps, and escrows should be sized with that timeline in mind.

How do buyers quantify TCPA exposure when there are no pending lawsuits?

Buyers commission a compliance audit that samples contact records and tests consent documentation. The percentage of contacts lacking documented consent gets extrapolated to the full database. That number gets multiplied by the $500 statutory floor (or $1,500 for willful violations) to produce a worst-case exposure range. Buyers then apply a haircut to reflect realistic class settlement rates, which historically run a small fraction of the statutory maximum.

The FCC's 2012 rules require prior express written consent before making autodialed or prerecorded marketing calls or texts to wireless numbers. 'Written' can be electronic, but it must include a clear disclosure and an unambiguous agreement to receive those specific contacts. In M&A due diligence, this is the consent standard that applies to most outbound marketing databases. Records showing only a general opt-in to email marketing do not satisfy this standard for calls or texts.

How much does a TCPA compliance audit cost before a sale?

Third-party TCPA compliance audits for M&A purposes typically run $15,000 to $50,000, depending on the firm, the size of the contact database, and how complex the company's dialing technology is. For deals over $50 million, that cost is rounding error compared to a surprise TCPA escrow demand. Sellers who run a pre-sale audit and show remediation evidence consistently report smoother due diligence and stronger final pricing.

Can TCPA exposure kill a deal entirely?

Yes. When exposure is severe, unquantifiable, or tied to an active class action or FCC investigation, acquirers walk away or restructure as an asset purchase that leaves the liability shell with the seller. Nine-figure theoretical liability on a mid-market deal makes the math impossible. Even the prospect of a large indemnification escrow may be unacceptable to sellers who want clean exits. Early cleanup is the only real solution.

How do TCPA class action settlement sizes compare to deal values?

High-profile TCPA settlements range from $12.5 million (Credit One) to $75.5 million (Capital One), with FCC forfeiture notices reaching $225 million. For a company selling at a $100 million enterprise value, even the low end of that range represents a 12% hit. That is why TCPA exposure translates directly into purchase price adjustments and escrow holdbacks when buyers find material consent gaps during due diligence.

Do state TCPA equivalents create additional M&A risk beyond federal law?

Yes. Florida's Telephone Solicitation Act, Washington's Commercial Electronic Mail Act, and similar state laws create liability that does not depend on the federal ATDS definition narrowed by the Supreme Court in Facebook v. Duguid (2021). A company that is federally clean may still have material state-law exposure if it contacted Florida or Washington residents through certain technologies. Buyers running multistate operations need state-law analysis in the compliance audit.

What should sellers include in their data room to address TCPA concerns?

Sellers should include consent record samples with documentation of the consent mechanism, DNC scrubbing logs showing 31-day scrub cycles, vendor agreements with telemarketing compliance representations, any demand letters or complaints received and how they were resolved, a description of dialing technology and why it meets or avoids ATDS classification, and any internal compliance policies or training records. A third-party audit report, if one exists, belongs in the data room too.

How does R&W insurance handle TCPA risk?

R&W insurers treat TCPA risk as its own underwriting line. Policies covering deals with outbound marketing operations often include TCPA-specific sublimits, compressed notice periods, or outright exclusions for pre-closing telemarketing conduct. Premiums run 2-4% of policy limits. R&W insurance works as a supplement to, not a replacement for, a negotiated indemnification escrow when TCPA exposure is material to the deal.

What happens when an acquirer merges two contact databases post-close?

Merging contact databases is one of the highest-risk integration activities in any deal involving outbound marketing. The acquirer cannot assume consent standards from the acquired company's records match its own. Before any campaign touches the merged list, every contact from the acquired database needs its consent status validated against the acquirer's legal standard. Skipping this step is how acquirers generate fresh TCPA liability for conduct that has nothing to do with the seller.

Are there any safe harbors that protect acquirers from inherited TCPA liability?

There is no statutory safe harbor for acquirers. The practical protections are structural: an asset purchase rather than a stock purchase, a well-crafted indemnification agreement with an adequately funded escrow, and R&W insurance with meaningful TCPA coverage. Some buyers also seek specific releases from the seller's key officers confirming they know of no undisclosed TCPA claims. None of these are absolute; they are risk allocation mechanisms, not immunity.

How does the FCC's definition of ATDS after Facebook v. Duguid affect deal risk analysis?

The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the federal ATDS definition to dialers that use a random or sequential number generator. That reduced federal exposure for companies using modern predictive dialers that dial from pre-set lists. But the ruling did not touch state mini-TCPA laws, the consent requirements for prerecorded messages, or DNC obligations. Buyers still need to audit all of these independently; Duguid only moved one part of the analysis.

Sources

  1. Cornell LII, 47 U.S.C. § 227 (TCPA statute text): TCPA provides $500 per violation and up to $1,500 per willful violation in statutory damages
  2. FTC, National Do Not Call Registry for businesses: Telemarketers must scrub call lists against the National DNC Registry at least every 31 days
  3. American Bar Association, M&A Escrow Practices Survey (Business Law Section): Indemnification escrows in M&A deals commonly range from 10-25% of purchase price and are held 12-36 months post-close
  4. PACER / Cash App TCPA class action settlement docket (N.D. Cal.): Cash App TCPA class action settled for $15 million
  5. Credit One Bank TCPA class action settlement public record: Credit One TCPA settlement reached $12.5 million
  6. Cornell LII, 28 U.S.C. § 1658 (catch-all four-year federal statute of limitations): Federal courts have applied the four-year catch-all limitations period from 28 U.S.C. § 1658 to TCPA private claims
  7. Papa John's TCPA class action settlement, Cin. v. Papa John's Int'l (N.D. Ill. 2018): Papa John's settled a TCPA class action for $16.5 million in 2018
  8. Capital One TCPA settlement, In re Capital One TCPA Litigation, N.D. Ill. 2014: Capital One settled a TCPA class action for $75.5 million in 2014 related to calls to wrong numbers after consent revocation

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit