Last updated 2026-07-09

TL;DR
When a vendor sends calls or texts on your behalf and violates the TCPA, you can still be sued. Indemnification clauses in vendor contracts shift that financial risk back to the party who caused the violation. A strong clause covers statutory damages ($500, $1,500 per message), defense costs, and class action exposure. Without one, both parties often pay.
Why does vendor TCPA liability land on you even if you didn't make the call?
The Telephone Consumer Protection Act, 47 U.S.C. § 227, holds the entity that "initiates" or "causes" a call or text responsible.[1] Courts and the FCC have repeatedly found that a business can be vicariously liable for its vendor's TCPA violations, even when the vendor was an independent contractor acting without explicit authorization for the specific conduct at issue.[2]
The FCC made this plain in its 2013 Declaratory Ruling (FCC 13-54), which stated that sellers "may be held vicariously liable under federal common law principles of agency for TCPA violations committed by third-party telemarketers."[2] That ruling didn't require the seller to have micromanaged the call. Apparent authority, ratification, or just having a vendor dial on your behalf can be enough.
So here's the practical problem. You hire a lead generation vendor. They scrub their own list, they claim to have consent, they send 500,000 texts. If their consent records are garbage, the class action names you and them. You wrote one check to the vendor. Plaintiffs' attorneys see your company name on the marketing materials and your pockets too.
The only contractual tool that addresses this head-on is indemnification.
What is a TCPA indemnification clause and what should it actually say?
An indemnification clause is a contract provision where one party (the indemnitor) agrees to pay the losses of the other party (the indemnitee) if a specific category of harm occurs. In the TCPA context, it's the vendor promising to cover your legal costs and any damages if their calls or texts trigger a lawsuit.
A clause that says "each party shall indemnify the other for its own acts" sounds balanced but is nearly useless in practice. You want something specific. A strong clause has four components.
First, it names TCPA and analogous state laws explicitly. Vague language like "all applicable laws" creates ambiguity courts love to exploit. Name 47 U.S.C. § 227, the FCC's regulations at 47 C.F.R. Part 64, and relevant state telemarketing statutes by name.[3]
Second, it covers the full range of damages. TCPA statutory damages run $500 per negligent violation and $1,500 per willful violation, per call or text.[1] In a class of 100,000 people, that's $50 million to $150 million in exposure before attorney fees. Your indemnification must cover statutory damages specifically, more than "actual damages."
Third, it includes defense costs from day one. Litigation is expensive before any verdict. A clause that only kicks in "upon final judgment" leaves you funding your own defense for two or three years while the case resolves. You want the vendor to pay defense costs as they arise, or at minimum to reimburse them promptly.
Fourth, it should cover class action scenarios without a damages cap that's lower than realistic class exposure. Some vendor contracts cap indemnification at the total contract value, say $20,000 on a $20,000 lead-gen deal. That's meaningless against a class action where statutory damages alone could reach eight figures.
What does TCPA statutory damage exposure actually look like in a vendor scenario?
TCPA class actions regularly settle in the tens of millions. The Cash App TCPA class action settlement reached $15 million.[4] Credit One Bank settled TCPA claims for $12.5 million.[5] These weren't fringe cases with unusual facts. They involved commonplace outbound communications where consent documentation was disputed.
The math is brutal at scale. A vendor who sends 200,000 texts without proper express written consent[6] faces up to $300 million in statutory damages at the $1,500 willful rate. Even at $500 per message, that's $100 million. Very few businesses survive class certification on a case that size without settling.
Below is a breakdown of typical exposure tiers by message volume, at both damage rates.
| Messages sent | $500/msg (negligent) | $1,500/msg (willful) |
|---|---|---|
| 10,000 | $5,000,000 | $15,000,000 |
| 50,000 | $25,000,000 | $75,000,000 |
| 200,000 | $100,000,000 | $300,000,000 |
| 1,000,000 | $500,000,000 | $1,500,000,000 |
Even at volumes small outbound teams run, say 10,000 texts through a vendor, the statutory max is $5 million to $15 million. That number is why class action plaintiffs' firms exist. The indemnification clause is what determines who actually absorbs that hit.[1]
Which party is responsible for TCPA compliance: you or the vendor?
Legally, both of you can be on the hook. Contractually, you decide the split before anything goes wrong.
The FCC's 2013 Declaratory Ruling and later case law treat the "seller" (the company whose product or service is being marketed) as potentially liable alongside the telemarketer.[2] Courts look at whether the seller had the right to control the telemarketer, whether the seller ratified the conduct after the fact, and whether apparent authority existed. If your vendor uses your brand name, your product talking points, or your customer data, a court may find enough of a connection to hold you liable.
Contracts don't change the statute. A plaintiff can still name you regardless of what your vendor agreement says. What the indemnification clause does is give you a right to be made whole by the vendor after the fact, or to compel the vendor to defend you from the start if the clause includes a duty to defend.
The duty to defend is a separate and often more valuable right than the duty to indemnify. Indemnification pays after the outcome is determined. Defense duty means the vendor must hire your lawyers (or pay your lawyers) from the moment a claim is filed. Push hard for this in any vendor contract that involves outbound calls or texts at scale.
For a broader look at cold calling compliance obligations and how they layer with TCPA, that context helps when you're deciding how hard to negotiate on vendor terms.
What's a mutual vs. one-sided indemnification clause, and which should you ask for?
Mutual indemnification means each party covers the other's TCPA-related losses caused by its own conduct. One-sided means only the vendor covers you, regardless of fault allocation.
What you can actually get depends on your bargaining position. If you're a Fortune 500 client, you can often demand one-sided vendor indemnification. If you're a 10-person sales team with a $15,000 annual contract, the vendor will insist on mutual language.
Mutual indemnification is fine as long as it's genuinely fault-based. The key phrase is "arising out of or resulting from [vendor's] acts or omissions." That ties indemnification to the vendor's specific conduct. If a class action alleges the vendor sent texts without valid consent, and the vendor was the one who collected that consent, the mutual clause still routes liability to them.
Watch for mutual clauses that try to shift vendor compliance failures back to you. Language like "client represents and warrants that all marketing lists provided comply with TCPA" is an attempt to make you the indemnitor for consent problems, even if the vendor was the one building or purchasing those lists. Don't sign that unless you actually control the list and its consent provenance.
For teams using text message marketing, the consent question is especially sharp. Express written consent is required for autodialed or prerecorded marketing texts, and whoever collected that consent should bear the indemnification obligation for its validity.[6]
How do you handle indemnification when the vendor collects consent on your behalf?
This is the highest-risk scenario and also the most common one in lead generation. The vendor runs ads, collects opt-ins, and passes you a list. You call or text that list. If the consent was invalid, you made the illegal contact.
The FCC requires "express written consent" for autodialed telemarketing calls and texts, meaning the consumer must clearly agree to receive automated messages from your company specifically.[6] A generic opt-in that doesn't name you, or that buried consent language in a 4,000-word terms page, often fails that test.
When the vendor is collecting consent, your indemnification clause must include a representation and warranty that the consent records meet 47 C.F.R. § 64.1200(f)(9)'s requirements, a covenant to maintain those records for at least four years (the TCPA statute of limitations[7]), an obligation to produce records on demand if litigation arises, and indemnification specifically for claims arising from defective consent.
You should also require audit rights. If you can't inspect the vendor's consent records before a lawsuit forces the issue, you're flying blind. Some vendors will resist audit rights, but any reputable consent-collection vendor should have no problem showing you the opt-in flow, the timestamp logs, and a sample of records.
LeadCompliant's compliance kit includes a vendor consent audit checklist that covers these record requirements, which can save time when you're reviewing multiple lead vendor agreements at once.
For context on what proper consent records need to contain, the FCC's rules and the TCPA statute together set the floor.
Should the indemnification clause include a damages cap, and how low is too low?
Vendors almost always try to cap indemnification. You will almost always want a higher cap than they offer. Here's how to think about it.
A cap equal to 1x or 2x the annual contract value is probably too low if you're doing meaningful volume. If you're paying a vendor $50,000 a year and they send 100,000 texts, a $50,000 or even $100,000 cap covers almost nothing against statutory exposure that could reach $50 million at $500 per message.
Reasonable positions, depending on the vendor's size and your volume: a cap of 5x to 10x the annual contract value for indemnification of third-party claims, with no cap on defense costs, or alternatively a cap tied to the vendor's actual insurance policy limit (more on insurance below).
Some larger vendors will agree to uncapped indemnification for claims arising from their own willful misconduct or fraud. That's a meaningful carve-out given that $1,500-per-message willful damages are what drive the worst settlements.
One honest note: if you're a small client and the vendor is a large SaaS platform, you're unlikely to get uncapped indemnification. The negotiation reality is that you might need to accept a cap and make up for it with stronger insurance requirements and tighter consent representations.
What insurance requirements should go alongside the indemnification clause?
An indemnification clause is only as good as the vendor's ability to pay. A vendor that can't cover a $10 million settlement isn't providing real protection no matter what the contract says.
For any vendor sending outbound calls or texts on your behalf, ask for two things in the vendor agreement: (1) a minimum commercial general liability policy, and (2) a technology errors and omissions or "cyber liability" policy that explicitly covers TCPA-related claims. Some carriers now offer standalone TCPA compliance insurance.
Minimum limits to ask for: $1 million per occurrence and $2 million aggregate for CGL, and at least $1 million for E&O. For high-volume vendors (500,000+ messages annually), push for $5 million. These are rough market norms, not regulatory requirements.
Require the vendor to name you as an additional insured on the policy, and require 30-day notice of cancellation or material change. Collect a certificate of insurance (ACORD 25 form) at contract signing and annually thereafter. A vendor who can't produce this within a week of your request is a warning sign.
Insurance doesn't replace indemnification, and indemnification doesn't replace insurance. They work together. The insurance pays. The indemnification clause is the legal mechanism by which you compel the vendor to tender the claim to their insurer and cooperate in your defense.
What red flags in vendor contract language should you watch out for?
A few provisions show up in vendor paper that quietly strip your TCPA protection. Know them before you sign.
Limitation of liability clauses that exclude "indirect, incidental, special, or consequential damages" often purport to exclude statutory damages. Courts are split on whether TCPA statutory damages count as "consequential" damages, but you don't want to litigate that question in the middle of a class action. Carve out TCPA statutory damages explicitly from any limitation of liability.
Indemnification that only covers "negligence" misses willful violations, which carry the higher $1,500-per-message rate and are what courts often find when a vendor ignores DNC scrubbing. Make sure your indemnification covers both negligent and willful TCPA violations.
Choice of law clauses that pick an unfavorable state can weaken your rights. Some states have stronger interpretations of vendor liability and consent. If the vendor wants Delaware or Texas law, understand what you're giving up under your state's rules.
Arbitration clauses don't directly affect your indemnification rights but they affect how you enforce them. A mandatory individual arbitration clause against your vendor means you can't consolidate claims or get a quick injunction. This is negotiable on big contracts.
For teams worried about do not call list scrubbing failures specifically, vendor agreements should state plainly who owns the scrubbing obligation and carry the indemnification for failures to honor DNC registrations.
How do courts actually interpret TCPA indemnification clauses in litigation?
Courts generally enforce indemnification clauses as written, which means vague language hurts you. If a clause says "comply with all applicable laws," a court will often find it doesn't create an affirmative duty to indemnify for a specific TCPA class action unless the clause also explicitly assigns financial responsibility for resulting claims.
In practice, TCPA class actions almost always settle before any indemnification clause is tested to a final ruling. The real fight is over whether the vendor is required to (a) assume your defense, (b) contribute to a settlement, and (c) not assert cross-claims against you. All three depend on clause drafting.
One instructive pattern: in cases where businesses have tried to hold lead generators liable under indemnification clauses after TCPA settlements, the disputes often turn on whether the lead generator knew their consent collection was deficient. If the vendor represented compliance and was later found non-compliant, courts have generally been receptive to indemnification enforcement. If the buyer had warning signs and pressed forward anyway, courts are less sympathetic.
The takeaway is that your indemnification clause needs to be paired with actual due diligence. Document that you required the vendor to represent TCPA compliance, that you reviewed their consent process, and that you had no reason to believe they were violating the statute. That record strengthens your indemnification position dramatically if litigation happens.
For a real-world sense of how these settlements play out financially, the cash app tcpa class action settlement and the credit one tcpa settlement show what happens when consent and vendor oversight failures compound.
What should a basic TCPA indemnification checklist for vendor agreements include?
Here's a plain checklist for reviewing or drafting vendor contracts that involve outbound calls or texts.
Scope of covered claims: TCPA (47 U.S.C. § 227) named explicitly. State telemarketing and mini-TCPA statutes named if you operate in Florida, Oklahoma, Maryland, Washington, or other states with independent statutes.[3] Both class and individual claims covered.
Damage types covered: Statutory damages ($500 negligent, $1,500 willful per violation). Defense costs as incurred, not after final judgment. Attorney fee awards (TCPA allows fee-shifting in some circuits). Regulatory fines from FCC enforcement.
Consent and list obligations: Vendor represents express written consent meets 47 C.F.R. § 64.1200(f)(9). Vendor maintains records for at least four years. Vendor provides records on demand within 10 business days. Vendor scrubs against the National DNC Registry and any state registries.[8]
Duty to defend: Vendor tenders defense within 30 days of written notice. Vendor has no right to settle claims that impose obligations on you without your written consent. You retain the right to your own counsel at vendor's expense if there is a conflict of interest.
Insurance: CGL minimum $1M/$2M. E&O minimum $1M. You named as additional insured. Certificate of insurance provided at signing and annually.
Cap considerations: Cap set at minimum 5x annual contract value or vendor's insurance limit, whichever is higher. Willful misconduct and fraud are uncapped.
Audit rights: Right to inspect consent records, call/text logs, and scrubbing logs on 10 days' notice.
If you're not sure where to start, LeadCompliant's one-time compliance kit includes a vendor agreement review template covering these items, which you can use as a starting point before attorney review.
For context on the cold call rules that govern what vendors are actually allowed to do, that background shapes what obligations are realistic to impose on them.
Do you still need an attorney to review this, or can you do it yourself?
Honest answer: you need an attorney for any contract where the potential liability is material to your business. This article is not legal advice. It's a framework for knowing what questions to ask and what to push for before you bring in counsel.
That said, many small outbound teams sign vendor agreements without any legal review, and they're entirely unaware that the clause they signed caps indemnification at $10,000 or excludes statutory damages. Reading this article and doing a 30-minute pass through your vendor contracts using the checklist above will put you ahead of most of your competitors on knowing what you actually have.
When you do bring in an attorney, a TCPA-specialized communications or regulatory lawyer will cost $300 to $600 per hour at regional firms and $600 to $900 at larger ones. A contract review focused specifically on TCPA risk allocation typically runs 2 to 5 hours. That's $600 to $4,500. Compare that to the $5 million minimum statutory exposure floor on a 10,000-message class action and the math is obvious.
If your vendor refuses to negotiate indemnification at all, that's itself useful information. Reputable vendors who run clean programs are generally willing to stand behind their work contractually. Reluctance to indemnify for TCPA violations is a signal about how confident they are in their own compliance.
Frequently asked questions
Can I be sued for TCPA violations if my vendor made the calls without my direct knowledge?
Yes. The FCC's 2013 Declaratory Ruling found that sellers can be vicariously liable for their vendors' TCPA violations under agency principles, including apparent authority and ratification. If the vendor was marketing your product, used your brand, or operated with your implied authorization, you can face the same statutory exposure, $500 to $1,500 per call or text, as the vendor itself.
What's the difference between a duty to indemnify and a duty to defend?
Indemnification means the vendor reimburses your losses after a judgment or settlement. Defense duty means the vendor must pay your legal fees from day one of a claim, before any outcome is determined. The duty to defend is often more valuable because TCPA class actions can take two to four years to resolve, with substantial legal costs accumulating the entire time. Always negotiate for both in vendor agreements.
How long should a vendor be required to keep consent records under TCPA?
The TCPA has a four-year statute of limitations under 28 U.S.C. § 1658, so consent records should be kept at least four years from the date of the last contact made under that consent. Your vendor agreement should require retention for the full four-year period and obligate the vendor to produce those records within 10 business days of a litigation hold or your written request.
What happens if the vendor's indemnification cap is lower than the actual settlement?
You absorb the difference. If your vendor's indemnification caps at $100,000 and the class action settles for $2 million, you're on the hook for $1.9 million unless the vendor's insurance covers more or you can void the cap under a fraud or willful misconduct carve-out. This is exactly why the cap negotiation matters and why it should be tied to insurance limits, more than contract value.
Does an indemnification clause protect me from FCC enforcement actions, more than private lawsuits?
A well-drafted clause can cover FCC fines, but only if it explicitly names regulatory fines as a covered category. FCC TCPA enforcement penalties can reach $10,000 per violation under 47 U.S.C. § 503(b). Private lawsuits are more common, but FCC actions do happen, particularly for egregious robocall campaigns. Make sure your clause covers 'regulatory fines and penalties' alongside private litigation damages.
What express written consent standard applies to outbound texts and calls under TCPA?
For autodialed or prerecorded telemarketing calls and texts, 47 C.F.R. § 64.1200(f)(9) requires a written agreement (including electronic signatures) that clearly authorizes the caller to contact the consumer at that specific number using an autodialer or prerecorded voice, for marketing purposes. The agreement must not be a condition of purchase. Whoever collected consent should warrant its validity in the vendor contract.
Are mutual indemnification clauses standard in the industry, or should I always push for one-sided protection?
Mutual clauses are the most common starting position in vendor paper. One-sided protection (vendor indemnifies you with no reciprocal obligation) is achievable mainly for large clients or when the vendor performs all the outreach. For small teams, mutual fault-based indemnification tied to each party's specific acts is the realistic target. The key is ensuring 'your acts or omissions' language is precise so compliance failures trace back to whoever caused them.
What states have their own TCPA-equivalent laws that should be named in the indemnification clause?
Florida's Telephone Solicitation Act, Oklahoma's Telephone Solicitation Act, Maryland's Telephone Consumer Protection Act, Washington's Commercial Electronic Mail Act, and Texas's Business and Commerce Code Chapter 305 are examples of state mini-TCPA laws with independent private rights of action and their own per-violation penalties. If you operate in or target residents of these states, name these statutes explicitly in your indemnification clause alongside the federal TCPA.
Can a vendor's limitation of liability clause override the indemnification clause?
It can if the contract drafts them inconsistently. Many vendor contracts include a general limitation of liability that excludes indirect or consequential damages, and a separate indemnification clause, without specifying which controls in a conflict. Courts apply rules of construction that may let the limitation clause swallow the indemnification. To prevent this, add explicit language stating that the indemnification obligations survive and are not limited by the general liability cap.
What should I ask a vendor to prove before I start using their leads or contact lists?
Ask for a sample of consent records showing timestamp, source URL, opt-in language presented to the consumer, and IP address. Ask for a description of their DNC scrubbing process and frequency. Ask whether consent was obtained for your specific company name or generically. Request their TCPA compliance policy in writing. If they can't produce any of this within a few days, treat that as a serious red flag before you start sending any messages.
How does arbitration in a vendor agreement affect my ability to enforce indemnification?
Mandatory arbitration means you enforce indemnification through an arbitration proceeding rather than in court. That's generally fine for indemnification disputes between you and the vendor. The bigger issue is if the arbitration clause includes a class action waiver that affects the underlying TCPA claims you're being indemnified against. Consumer-facing arbitration clauses are a separate topic, but in the B2B vendor agreement, focus on whether the arbitration process gives you a fast path to compel defense cost payment.
Is TCPA indemnification enforceable if I knew or suspected the vendor's consent records were weak?
Courts look at knowledge and due diligence when evaluating indemnification enforcement. If you had red flags and ignored them, a court may find you assumed the risk or that you ratified the vendor's non-compliant conduct, weakening your indemnification claim. This is why documenting your due diligence (consent audits, written representations, insurance certificates) is important. It supports your position that you reasonably relied on the vendor's compliance warranties.
How often should I review vendor agreements for TCPA indemnification adequacy?
At minimum, review when the agreement renews, when the vendor changes its product or outreach methodology, when there's a relevant FCC rule change, and any time you significantly increase message volume. The FCC's rules have evolved meaningfully through orders in 2012, 2015, and 2023, and vendor contracts drafted before a rule change may not cover new consent or revocation requirements. An annual check is a reasonable default for active vendors.
Sources
- Cornell Legal Information Institute, 47 U.S.C. § 227 (TCPA statute text): TCPA statutory damages are $500 per violation for negligent violations and up to $1,500 per willful or knowing violation, per call or text
- National Conference of State Legislatures, State Telemarketing Laws: Multiple states including Florida, Oklahoma, Maryland, and Washington have independent telemarketing statutes with private rights of action and per-violation penalties separate from the federal TCPA
- U.S. District Court, N.D. California, Cash App TCPA Class Action Settlement: The Cash App TCPA class action settlement reached $15 million, illustrating the scale of liability in consumer-facing text message disputes
- U.S. District Court filing, Credit One Bank TCPA Settlement: Credit One Bank settled TCPA claims for $12.5 million in a case involving disputed consent documentation for outbound contact
- FCC, 47 C.F.R. § 64.1200, Delivery Restrictions for Telephone Solicitations: 47 C.F.R. § 64.1200(f)(9) defines express written consent and requires a written agreement clearly authorizing autodialed or prerecorded telemarketing calls to a specific number, which cannot be a condition of purchase
- Cornell Legal Information Institute, 28 U.S.C. § 1658 (General statute of limitations): The general federal statute of limitations under 28 U.S.C. § 1658 is four years, which courts apply to TCPA claims, making four-year record retention the minimum standard
- FTC, National Do Not Call Registry (consumer and business information): Telemarketers are required to scrub call lists against the National DNC Registry before making calls and must access updated registry data at least every 31 days
- FCC, 47 U.S.C. § 503(b), Forfeiture penalties: FCC forfeiture penalties under 47 U.S.C. § 503(b) can reach $10,000 per violation for TCPA-related enforcement actions against carriers and telemarketers
- Restatement (Third) of Agency, American Law Institute, Sections 2.01, 2.03 (apparent authority): Federal courts apply common law agency principles, including apparent authority and ratification, when determining seller liability for vendor TCPA violations