Last updated 2026-07-11

TL;DR
Advertisers who buy pay-per-call leads can be held liable under the TCPA for calls their affiliates made, even without direct involvement. The FCC's 2013 vicarious liability ruling means consent failures, DNC violations, and autodialer use by a publisher flow back to the advertiser. Statutory damages run $500 to $1,500 per call, and class actions make that math terrifying fast.
What is pay per call and why does TCPA liability land on advertisers?
Pay per call is a performance marketing model where publishers (affiliates, lead generators, media buyers) drive inbound or outbound calls to an advertiser and get paid per connected call. The advertiser gets a warm lead. The affiliate does the calling. Sounds clean from a compliance standpoint, right? It is not.
The Telephone Consumer Protection Act, 47 U.S.C. § 227, does not care who physically dialed the number [1]. What matters is who authorized the call, who benefited from it, and whether the person called gave prior express written consent. When a consumer gets an unwanted robocall from an affiliate promoting your insurance product, your mortgage offer, or your home services company, you are the one with the brand relationship. You are the one the plaintiff's attorney wants to find.
The FCC made this explicit in its May 2013 ruling (FCC 13-54), which applied standard agency-law principles to TCPA liability. The commission said a company whose product or service is being sold can be liable when an affiliate makes calls on its behalf, if the advertiser had actual authority, apparent authority, or ratified the affiliate's conduct after the fact [2]. You do not have to hand the affiliate a dialer and say "go call these numbers." If you accepted the calls, paid the affiliate, and did nothing when you learned the method was questionable, that ratification alone can attach liability.
Here is the part that genuinely surprises founders running small outbound teams. They think TCPA is a call center problem. Something for the guys making robocalls all day. In pay per call, it reaches every node in the chain, and the advertiser is the node with the money.
What does the FCC's vicarious liability standard actually say?
The FCC's 2013 declaratory ruling (In the Matter of the Joint Petition Filed by DISH Network LLC, FCC 13-54) is the controlling authority [2]. The commission refused to limit TCPA liability to the entity that physically placed the call. It told courts to look at federal common law agency principles instead, which opens three paths to liability for an advertiser.
1. Actual authority: The advertiser explicitly told or contracted with the affiliate to make calls in a certain way. 2. Apparent authority: The advertiser held the affiliate out in a way that made consumers reasonably believe the affiliate was acting on the advertiser's behalf. 3. Ratification: The advertiser knew or should have known about the affiliate's calling practices and accepted the benefit anyway.
Ratification is the one that catches people off guard. An affiliate sends you 400 calls. You pay. Six months later you learn those calls used a prerecorded voice to numbers on the National Do Not Call Registry. A court can find ratification even though you never signed off on the method. Willful ignorance buys you nothing.
The DISH ruling also confirmed that TCPA violations carry strict liability for actual damages or statutory damages of $500 per violation, trebled to $1,500 for willful or knowing violations [1]. In a network running thousands of calls a day, the exposure builds faster than most advertisers realize. Usually they realize it when the complaint arrives.
What TCPA rules do affiliates most commonly break that expose advertisers?
Four failure patterns show up again and again in pay-per-call programs. Learn them, because each one becomes your problem the moment you accept the call.
Using an automatic telephone dialing system (ATDS) without consent. The TCPA prohibits using an ATDS to call mobile phones without prior express written consent [1]. Many affiliate lead generators use predictive dialers to connect prospects before transferring the call to the advertiser's queue. If the consumer did not give written consent that meets FCC standards, that call is a violation. Every single one.
Using prerecorded or artificial voice messages. Some publishers drop a prerecorded message with a prompt to press 1 to speak with an agent. That is a separate violation class under 47 U.S.C. § 227(b)(1)(B) for residential lines and (b)(1)(A)(iii) for mobile numbers [1]. The consent standard for prerecorded calls is stricter: express, in writing, and specific to receiving that type of message.
Calling numbers on the National DNC Registry. The FTC's National Do Not Call Registry [3] protects residential numbers where consumers opted out of telemarketing. Publishers chasing volume sometimes skip do not call list scrubbing or run a stale suppression file. The FCC and FTC share enforcement authority, and the per-call penalty structure means a DNC violation compounds just like a consent violation.
Fabricating or reusing consent records. The "lead" the publisher sells you may have come from a consent flow that disclosed nothing, named a different advertiser, or was copy-pasted from another campaign. The FCC's December 2023 one-to-one consent order (FCC 23-107) tightened this, requiring that written consent name the specific seller making the calls [4]. Generic forms that say "by submitting, you agree to be contacted by our partners" no longer clear the bar for advertiser-specific calls.
How does the FCC's one-to-one consent rule change things for lead buyers?
The FCC's one-to-one consent order (FCC 23-107, adopted December 2023) is the biggest shift in consent rules since 2012 [4]. It aims straight at the model pay-per-call networks depend on: a consumer fills out one lead form, and that form's consent gets sold to dozens of advertisers.
The rule says prior express written consent under the TCPA must go to one seller at a time, and that consent must be "logically and topically associated" with the website where it was collected. You cannot import consent from a third-party aggregator form that listed 47 "marketing partners" in a checkbox. Each advertiser needs its own consent.
A quick note on timing. The FCC set the effective date at January 27, 2025, then the Eleventh Circuit vacated the one-to-one portion of the rule in January 2025 (Insurance Marketing Coalition v. FCC), so the strict one-to-one requirement is not currently in force nationwide. The direction of travel is clear anyway, and plaintiffs' attorneys still attack shared-consent forms under the existing named-entity standard. Build to the tighter rule and you are covered either way.
The practical implication holds regardless of the appeal. You need to know exactly how the affiliate captured consent for every lead before that lead triggers a call on your behalf. Get the actual consent record, the URL it was captured on, the timestamp, the IP address, and the disclosure language shown to the consumer. Not a certification. The record itself.
What liability exposure in dollars should advertisers actually plan for?
The statutory damage structure under 47 U.S.C. § 227(b)(3) is $500 per violation, trebled to $1,500 per willful or knowing violation [1]. Courts have generally treated each call as one violation.
Say an affiliate drives 2,000 calls a month. If 15% of those calls carry a consent or DNC defect (a rough figure, but not unreasonable given how loose many networks run), that is 300 violations a month. At $500 each, $150,000 in exposure per month before trebling. At $1,500 each, $450,000. Per month.
Class actions multiply this. Once a plaintiff's attorney certifies a class of, say, 50,000 consumers who received similar calls, the math turns existential for a small company. The cash app tcpa class action settlement and the credit one tcpa settlement both show how fast these cases climb into eight figures.
A few published data points worth knowing:
| Case / Context | Settlement / Award | Calls / Class Size |
|---|---|---|
| DISH Network (benchmark case) | $280M FTC/state judgment | Millions of calls |
| Monitronics (dealer/affiliate) | $28M | ~500,000 class |
| Sunrun (solar affiliate liability) | $18.9M | ~31,000 class |
| Keller Williams affiliate | $40M proposed | Undisclosed |
These are not outliers. They are what happens when an advertiser lets affiliates run unchecked for months or years. The Monitronics and Sunrun cases are instructive because in both, the defendant argued the affiliate was an independent contractor, not an agent. Courts rejected that and applied vicarious liability anyway [5][6].
Nobody has clean data on the average cost of a TCPA class settlement across all industries. The honest read: between the treble-damage provision, class certification risk, and reputational damage, most defendants settle well before trial [11].
Can advertisers contractually shift TCPA liability to affiliates?
Yes, with real limits. You can require affiliates to indemnify you for TCPA violations arising from their calling practices. A well-drafted affiliate agreement should include:
- A representation that the affiliate obtained prior express written consent meeting FCC standards, including named-seller disclosure.
- An obligation to maintain consent records (call logs, lead form captures, timestamps, IP addresses) for at least four years.
- The right for you to audit those records on demand.
- An indemnification clause covering your defense costs and any judgment or settlement arising from their calls.
- A provision letting you terminate the affiliate and stop accepting calls the moment you have reason to believe their consent practices are deficient.
Here is the honest part. Indemnification only works if the affiliate can actually pay. Most pay-per-call affiliates are small operations. Some are one-person shops with no real assets. When a class action lands and the plaintiff's attorney names both you and the affiliate, your indemnification clause is a piece of paper against a defendant who cannot cover the exposure.
The contract is necessary but not sufficient. It lowers your risk and documents that you took compliance seriously, which matters in a willfulness analysis. It does not replace controls on the front end.
For smaller teams getting their affiliate agreements in shape, LeadCompliant's compliance kit includes template contract language covering TCPA representations and DNC scrubbing obligations. Use it as a starting framework, and have an attorney review anything before you sign it. This is not legal advice.
What operational controls actually reduce advertiser liability in pay per call?
Contracts protect you after something goes wrong. Operational controls stop it from going wrong. Here is what the compliance-serious advertisers do differently.
Pre-qualify affiliates before the first call. Ask every new publisher to explain their consent capture flow in writing. Get a screenshot or recording of their lead form, including all disclosures. If they cannot show you how consent is captured, do not activate them.
Require real-time consent data delivery. The affiliate should pass the consent record (timestamp, IP, URL, disclosure text shown) with every call or lead. Do not accept batch spreadsheets at month-end. Real-time delivery lets you spot anomalies before exposure compounds.
Scrub against the National DNC Registry yourself. Do not outsource this entirely to the affiliate. Download the registry files directly from the FTC [3] or use a third-party scrubbing service, and run every phone number the affiliate passes through your own suppression stack before accepting the call. If a number sits on the do not call telemarketer list, you want to catch it before someone else does.
Set call volume caps and spot-audit recordings. Capped volumes limit your exposure if an affiliate turns bad. A sample of 50 recordings per month per affiliate catches consent-flow problems before a plaintiff's attorney does.
Build an internal suppression list. Any consumer who asks not to be called again, from any channel, goes on an internal DNC list that blocks all your affiliates. The FCC requires honoring internal DNC requests within a reasonable time, generally no later than 30 days from the request [7]. Maintain that list across the whole enterprise, not per-brand.
Watch for call-stamping patterns. Sequential last-four digits, a geographic cluster with no business reason, numbers that appear on public robocall complaint databases. Those are red flags for lead fabrication. Fabricated leads mean fabricated consent.
Does it matter whether the calls are inbound or outbound in pay per call?
Yes, a lot. The TCPA liability framework changes with call direction, and this distinction gets muddled in pay-per-call discussions all the time.
Outbound calls made by affiliates carry the full weight of TCPA restrictions: ATDS and prerecorded-voice rules for mobile numbers, DNC rules for residential numbers, and the consent requirements above. Highest-risk scenario for advertisers, full stop.
Inbound calls generated by affiliate advertising are different. When a consumer sees an ad and calls a number voluntarily, that consumer is initiating contact. The TCPA does not restrict inbound calls the way it restricts outbound autodialed or prerecorded calls. The consumer's act of calling is itself meaningful for consent purposes.
Inbound is not risk-free, though. If the affiliate drove that inbound call using a text message blast to purchased numbers, the text itself may violate the TCPA before the call happens [8]. If the affiliate used a prerecorded outbound call to prompt the inbound callback (the press-1-to-speak model), that outbound prerecorded call is a violation. You, receiving the connected call, can still face vicarious liability for that upstream conduct.
For cold calling teams that run their own outbound alongside pay per call, the rules stack. A consumer who opts out via a callback from an affiliate campaign still needs suppression from your own dialing.
The safest inbound model is one where the affiliate drives calls entirely through non-autodialed methods: paid search, display, organic content, email to a properly consented list. The call itself is inbound. No TCPA issue on the call leg. The risk is narrower and easier to control.
What does prior express written consent need to look like for pay per call?
The FCC defines prior express written consent for autodialed or prerecorded calls in 47 C.F.R. § 64.1200(f)(9) [9]. It requires a written agreement, including electronic signature, that:
- Is signed by the person to be called.
- Clearly and conspicuously discloses that the person agrees to receive autodialed or prerecorded calls at the number provided.
- Names the specific entity that will be making the calls.
- Is not a condition of purchase.
In pay per call, the affiliate's lead form must say something like: "By clicking Submit, I agree to be contacted by [Your Company Name] using automated telephone technology at the number I provided, even if my number is on a Do Not Call Registry. This consent is not required to purchase any goods or services."
Generic language saying "our partners" or "marketing companies" does not meet the named-entity requirement [4]. A checkbox buried below the fold that the user never saw does not work. A pre-checked box does not work.
For calls to residential landlines by a live agent without an ATDS, the bar is lower: the number just cannot be on the National DNC Registry, and the company needs an established business relationship or explicit permission [7]. But most affiliate call flows involve some form of automated dialing or queuing, so the written-consent standard governs most realistic scenarios.
If you are a mobile phone do not call list registrant who got a call anyway, the gap between required disclosure and actual practice is exactly why those complaints get filed.
What should an advertiser's affiliate compliance audit look like?
An audit is not a one-time checkbox. It repeats. Here is a workable structure for a small team.
Onboarding audit (before first call accepted):
- Collect and review the affiliate's lead form URL and full disclosure text.
- Confirm the form names your company specifically.
- Confirm the form uses a compliant electronic signature mechanism.
- Review the affiliate's privacy policy for consistency with the consent disclosure.
- Confirm the affiliate keeps consent records for four years.
- Ask who their data sources are if they use purchased lists.
Monthly operational audit:
- Pull a random sample of 50 to 100 call recordings or call records.
- Cross-reference numbers called against the National DNC Registry [3].
- Cross-reference against your internal suppression list.
- Request a sample batch of raw consent records (10 to 20 leads) to verify the real-time data matches what the affiliate claims.
- Review complaint volumes. Rising complaints are a leading indicator of a consent problem.
Triggered audit (when a red flag appears):
- A consumer complaint alleging they never consented.
- A demand letter or lawsuit naming you.
- A spike in call volume with no matching increase in your marketing spend.
- Any affiliate subcontracting to another publisher without your knowledge.
The FTC's business guidance is blunt about this: companies with documented compliance programs and audit histories fare meaningfully better in enforcement than those with no records at all [10]. You may not dodge the lawsuit, but documented due diligence changes the willfulness calculus.
For teams without a compliance setup yet, LeadCompliant offers a one-time compliance kit covering affiliate contract templates, consent audit checklists, and a DNC scrubbing walkthrough. A practical starting point before you bring in outside counsel.
What are the biggest myths about advertiser liability in pay per call?
A handful of misconceptions circulate in pay-per-call communities. Each one is worth killing directly.
Myth: "We didn't make the call, so we can't be liable." Wrong. The FCC's 2013 vicarious liability ruling demolished this argument [2]. Courts have held advertisers liable even when a separately incorporated affiliate made every call.
Myth: "The affiliate's indemnification clause protects us." Partly true, mostly insufficient alone. Indemnification only works if the affiliate can pay. It also does not stop you from being named in a lawsuit and spending real money on defense.
Myth: "Our calls are inbound, so we're fine." Inbound is lower risk, not zero risk. If the affiliate used an autodialed text blast or prerecorded outbound call to generate that inbound call, you inherit exposure for the upstream violation.
Myth: "We got a consent certification from the affiliate, which is enough." A certification is a contractual promise, not a compliance record. If it turns out false and a class action follows, you will wish you had the actual underlying consent records.
Myth: "TCPA cases settle for small amounts, so the risk is manageable." Some do. Many do not. The treble provision plus the class vehicle means a single affiliate running 5,000 non-compliant calls a month at $1,500 per call equals $7.5M in statutory exposure a month, before attorney fees. The math scales badly.
Myth: "We can just scrub once at the start of a campaign." The FTC's Telemarketing Sales Rule requires scrubbing against a database no more than 31 days old before each call [7]. A scrub from three months ago does nothing for calls made today.
What happens if you get a TCPA demand letter or lawsuit tied to an affiliate's calls?
First move: do not panic, and do not settle on the spot. Here is a realistic sequence.
Within the first 48 hours, preserve everything. Do not delete call records, affiliate contracts, consent data, or communications with the affiliate. A litigation hold applies from the moment you receive a credible claim.
Get outside counsel who handles TCPA defense involved fast. This is not a job for general business counsel. TCPA plaintiff's attorneys are specialists. Your defense should be too.
Pull the underlying call records and consent data for the specific consumer who complained. If the consent record exists, is valid, and meets FCC standards, that is your defense. If it does not, your attorney needs to know immediately to plan settlement strategy.
Notify your affiliate in writing that a claim has been made. Demand they preserve their records and start the indemnification process under your contract. In writing, with a timestamp.
If the demand comes from an attorney representing a class, the stakes jump. Individual TCPA claims rarely reach trial because the defendant pays $500 to $1,500 to make it go away. Class claims can lock you into years of litigation and millions in defense costs before any settlement talk.
For context on how these resolve, the Sunrun case (affiliate-generated solar calls) settled for $18.9M in 2023 [6]. That is a company with real resources. A small advertiser facing similar exposure without a compliance program on record negotiates from a much weaker spot.
The best outcome from a demand letter is clean consent records, a solid affiliate contract, and documented audit history. The second-best is a narrow claim, an affiliate with assets, and indemnification that actually covers you. The worst is none of those things existing.
Frequently asked questions
Can an advertiser be sued for TCPA violations even if an affiliate made the calls?
Yes. The FCC's 2013 vicarious liability ruling (FCC 13-54) confirmed advertisers can be liable for affiliate calls under agency-law principles: actual authority, apparent authority, or ratification. Ratification alone, meaning you accepted the leads and paid the affiliate without checking their methods, can be enough to attach liability under 47 U.S.C. § 227.
What is prior express written consent in the context of pay per call?
It is a written agreement, including electronic signature, where the consumer agrees to receive autodialed or prerecorded calls from a specifically named company at a provided phone number, and acknowledges consent is not required for a purchase. The agreement must name your company specifically, more than "our partners" or a list of third parties, under 47 C.F.R. § 64.1200(f)(9).
Does the FCC's one-to-one consent rule apply to pay per call advertisers?
It was set to take effect January 27, 2025, then the Eleventh Circuit vacated the one-to-one portion in Insurance Marketing Coalition v. FCC (January 2025), so the strict version is not currently in force. Plaintiffs still attack shared-consent forms under the existing named-entity standard, so pay-per-call advertisers should build to the tighter rule regardless.
How much can a TCPA violation cost per call in a pay per call case?
Statutory damages under 47 U.S.C. § 227(b)(3) are $500 per violation. For willful or knowing violations, courts can treble that to $1,500 per call. In a class action, those per-call figures multiply across every similarly situated consumer. Published pay-per-call TCPA settlements have ranged from roughly $19 million to over $40 million depending on call volume and class size.
What should an affiliate contract include to protect the advertiser from TCPA liability?
At minimum: a representation that the affiliate obtained prior express written consent meeting current FCC standards, an obligation to keep consent records for four years, your right to audit those records, an indemnification clause covering defense costs and judgments arising from the affiliate's calls, and a termination right if you have reason to believe their consent practices are deficient. Indemnification only works if the affiliate can actually pay.
Is inbound pay per call TCPA-safe for advertisers?
Lower risk, not risk-free. If a consumer dials in voluntarily after seeing a display ad or search result, that inbound call is not an autodialed call and does not trigger TCPA restrictions on the call leg. But if the affiliate generated that inbound call by sending an outbound autodialed message or prerecorded prompt, the advertiser can still face vicarious liability for the upstream violation.
How often do you need to scrub call lists against the National DNC Registry?
The FTC's Telemarketing Sales Rule requires scrubbing against DNC Registry data no more than 31 days old before each call. A scrub from 60 or 90 days ago does not protect you for calls made today. Both advertisers and affiliates should keep current registry access and run numbers through suppression before any outbound campaign touches them.
What records should an advertiser keep to defend a TCPA claim in pay per call?
Keep the actual consent record for each lead: the timestamp, IP address, URL of the form where consent was captured, and the exact disclosure language shown to the consumer. Also retain call logs, affiliate contracts with compliance representations, DNC scrub logs, and any audit correspondence with the affiliate. Four years is the practical retention period given the TCPA's statute of limitations.
Can a pay per call advertiser face liability for text messages sent by affiliates?
Yes. Text messages to mobile numbers using an ATDS fall under 47 U.S.C. § 227(b)(1)(A)(iii) and require the same prior express written consent as autodialed calls. If an affiliate sends an SMS blast to drive inbound calls to your program and those texts lack valid consent, the vicarious liability framework applies to you as the advertiser benefiting from those messages.
What is ratification under TCPA vicarious liability and how do advertisers accidentally trigger it?
Ratification means you accepted the benefit of an affiliate's calls after the fact, even without authorizing the specific method. If you received call traffic, paid the affiliate, and later learned their consent practices were deficient but kept the relationship going, courts can find ratification. The cleanest way to avoid it is to terminate affiliates promptly when you discover a compliance problem and document that decision.
Do pay per call advertisers need to maintain their own internal Do Not Call list?
Yes. FCC rules require companies engaged in telemarketing to maintain an internal DNC list and honor opt-out requests, generally within 30 days. Any consumer who tells your company, or any affiliate acting on your behalf, that they do not want to be called again must be added to that list. All your affiliates should scrub against it before they generate calls for your account.
What is the difference between TCPA liability and FTC Telemarketing Sales Rule liability in pay per call?
The TCPA (enforced by the FCC and through private lawsuits) covers autodialed calls, prerecorded messages, and the National DNC Registry, with $500 to $1,500 statutory damages per call. The FTC's Telemarketing Sales Rule covers a broader set of deceptive and abusive telemarketing practices, including call abandonment rates and caller ID spoofing. Both can apply at once, and TSR civil penalties can reach $51,744 per violation.
How does a pay per call advertiser know if an affiliate is using an autodialer?
Ask for a written description of their call generation technology. Request call detail records showing the originating system. Listen to recorded calls for signs of a predictive dialer, like a brief silence or click before an agent speaks. If the affiliate generates thousands of calls per day per agent, that pattern fits automated dialing. When in doubt, contractually require disclosure of all dialing technology used in your campaigns.
Sources
- U.S. Congress, 47 U.S.C. § 227 (Telephone Consumer Protection Act, full statute text): Statutory damages of $500 per violation, trebled to $1,500 for willful violations; prohibition on ATDS calls to mobile numbers without prior express written consent
- FTC, National Do Not Call Registry (donotcall.gov): The National Do Not Call Registry allows consumers to opt out of telemarketing calls; telemarketers must scrub against registry data no more than 31 days old
- FTC, press releases (Monitronics International telemarketing settlement): Monitronics settled for $28 million after its dealers made millions of calls to DNC-registered numbers; advertiser held liable for dealer conduct despite independent contractor arguments
- Sunrun TCPA class settlement filings (federal court docket): Sunrun agreed to an $18.9 million TCPA class settlement arising from affiliate-generated solar sales calls; vicarious liability applied to the advertiser for affiliate calling practices
- FTC, Complying with the Telemarketing Sales Rule (business guidance): Telemarketers must scrub against DNC data no more than 31 days old before each call; companies must maintain internal DNC lists and honor opt-out requests
- FCC, 47 C.F.R. § 64.1200, Restrictions on Telephone Solicitation (Code of Federal Regulations): Prior express written consent requirements for autodialed and prerecorded calls, definition of written agreement including electronic signature, and prohibition on conditioning consent on purchase
- FCC, 47 C.F.R. § 64.1200(f)(9), definition of prior express written consent: Prior express written consent must be a signed written agreement disclosing that the signatory authorizes calls using an automatic telephone dialing system or prerecorded voice, names the entity making the calls, and is not required as a condition of purchase
- FTC, Complying with the Telemarketing Sales Rule (business guidance): FTC guidance notes that companies with documented compliance programs and audit records fare better in enforcement actions; TSR civil penalties can reach $51,744 per violation