TCPA compliance documentation investors want during due diligence

Investors demand specific TCPA records before closing. Here's the exact documentation list, why each item matters, and what gaps cost you at the table.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-11

Two professionals reviewing compliance documentation folders during a due diligence meeting
Two professionals reviewing compliance documentation folders during a due diligence meeting

TL;DR

Investors reviewing a company with outbound sales or marketing operations will ask for TCPA consent records, DNC scrub logs, a written compliance policy, complaint and litigation history, and vendor contracts showing who eats the liability. Thin or missing documentation routinely triggers price cuts, escrow holdbacks, or dead deals. The statute is 47 U.S.C. § 227, and per-violation exposure runs up to $1,500.

Why do investors care about TCPA compliance at all?

TCPA liability hides. It sits off the balance sheet until due diligence drags it into the light. A buyer acquiring a company with a sloppy consent program doesn't just inherit the business, it inherits every call and text that went out without proper authorization, potentially back four years under the statute of limitations. [1] For a small company, that exposure can be larger than the purchase price.

The Telephone Consumer Protection Act, 47 U.S.C. § 227, lets private plaintiffs sue for $500 per negligent violation and $1,500 per willful violation. [2] Class actions are the usual vehicle. The Cash App TCPA class action settlement and the Credit One TCPA settlement both crossed $9 million, and neither company was a tiny startup.

To an investor, TCPA exposure is an unbooked liability. They want to quantify it, price it, or kill the deal. That's the whole dynamic. Your job heading into a fundraise or acquisition is to make that exposure small and well documented, in that order.

What is the TCPA and which communications does it actually cover?

The TCPA is a federal law from 1991, expanded heavily through FCC rulemaking since. It restricts autodialed calls, prerecorded voice messages, and text messages sent to cell phones without prior express consent. It also covers calls to residential landlines using artificial or prerecorded voices. [2]

The FCC's 2012 rule tightened the consent standard for telemarketing, requiring "prior express written consent" instead of the older oral standard. [3] That single change fueled most of the litigation wave investors now worry about. Companies that fixed their opt-in forms in 2012 and 2013 sit in a very different spot from companies that never touched them.

Here's the practical test. If your sales team dials from any platform that stores numbers and dials them automatically, or if you send bulk SMS, the TCPA almost certainly applies. The definition of an autodialer has been fought over in court since the Supreme Court's 2021 Facebook v. Duguid ruling, but no investor will let you rest your whole compliance posture on that ambiguity. [4]

For cold calling and cold call programs, the rules stack: TCPA consent, the FTC's Telemarketing Sales Rule, and the FCC's calling-hour and abandonment-rate rules all run at once.

What TCPA documentation do investors typically request in a data room?

A serious buyer or institutional investor wants every category below. Not every company has every item. A gap is a data point, and sophisticated acquirers price gaps.

1. Consent records and audit trails This is the category that matters most. Investors want proof that everyone contacted gave prior express written consent where it was required. That means the exact text of the disclosure at capture, the timestamp and IP address of each opt-in, the lead source or landing page URL, and ideally a screenshot or version-controlled archive of the form. [3] These records live at the contact level. A policy document asserting that consent was obtained is not the same thing.

2. DNC scrub logs and scrub frequency records Investors want confirmation that the company scrubs against the National Do Not Call Registry at least every 31 days, the FTC's requirement. [10] Scrub logs should show the date of each scrub, the list version used, and the vendor or system that ran it. If the company keeps its own internal do not call telemarketer list of people who asked to be removed, those records carry equal weight.

3. Written TCPA compliance policy A formal written policy signals maturity. It should cover which channels need consent, how consent is captured and stored, who owns compliance, how opt-outs get processed, calling-hour limits, and how consumer complaints are handled. Investors read the absence of a written policy as a yellow or red flag depending on call volume.

4. Vendor and lead-gen contracts If the company buys leads from third parties or dials through an outsourced platform, those contracts matter. Investors hunt for indemnification clauses where the vendor warrants that leads were collected with compliant consent. They also check whether the company did any diligence on those vendors. Weak or missing indemnification language is real exposure.

5. Complaint and litigation history Every prior TCPA demand letter, regulatory complaint, BBB complaint about calling practices, and any lawsuit. Investors will search PACER regardless. [6] Walking in with a pre-organized log that shows how each complaint resolved demonstrates control. Getting caught having hidden something is far worse than the complaint itself.

6. Employee and agent training records Proof that the people actually dialing or texting were trained on TCPA rules, including dated sign-off sheets or LMS completion records. This is thin at most small companies. Investors doing serious diligence still ask.

TCPA financial exposure: key figures investors use Reference numbers drawn from the statute and public settlements $500 Per negligent violation (st… $1,500 Per willful violation (stat… $9M Cash App TCPA settlement (approx.) $12.5M Credit One TCPA settlement (approx.) Source: 47 U.S.C. § 227 (violations); FTC National Do Not Call Registry FY2023 data (registry size); public settlement records (settlement amounts)

Consent records are not created equal, and investors who've been through TCPA litigation know the difference. A minimum viable consent record has four things: the disclosure language (exactly what the consumer agreed to), the date and time, the source, and a way to tie the record to the specific person contacted. If any of those four is missing across a meaningful share of contacts, your disclosure schedule has to say so.

The FCC's 2012 rules require that prior express written consent include "a written agreement bearing the signature of the person called" that clearly authorizes the calls and discloses that consent is not a condition of purchase. [3] A digital signature counts as written. A checked box counts. A pre-checked box does not. Investors burned in prior TCPA cases will ask specifically about checkbox design.

Consistency over time is the tell. A company that shows clean consent records going back three years is in far better shape than one that started collecting them the week after a demand letter landed. The four-year statute of limitations [1] means your records need to cover that full window, more than the recent vintage.

Retention is the other common gap. The FCC doesn't set an exact retention period, but plaintiffs' attorneys reach back four years. Five-year retention is the common industry practice. If older records were purged, disclose it.

What does a DNC compliance gap look like to an investor?

The National Do Not Call Registry holds over 249 million active numbers as of the FTC's FY2023 report. [10] Calling even a handful of them can spawn class exposure. Investors want to verify the company accessed the Registry lawfully (paid subscriber, through the FTC's system), scrubbed on the 31-day cycle, and kept logs proving it.

Here's the gap I see most. A small company uses a dialer or CRM that claims to scrub but can't produce the actual logs. A vendor saying "we do DNC scrubbing" on a sales call protects you from nothing. The documented scrub is the protection. If you can't export a date-stamped log showing each run, the investor has to assume the scrubs may not have happened right.

Companies leaning only on the federal registry sometimes forget that 13 states run their own do not call list registries with separate registration and scrub duties. [10] If the company operates nationally, state-level DNC documentation matters too.

For companies that sell leads or run affiliate programs, the mobile phone do not call list question gets messy, because wireless numbers have been registerable since 2003. Investors want confirmation that cell numbers in the database were scrubbed against the full registry, not a landline subset.

What does a good TCPA compliance policy document include?

A written policy is a one-to-four page document, not a manifesto. It has to cover enough that an outside reader understands what the company does to stay compliant, without being so vague it says nothing.

Here's what investors look for: scope (which channels and business units are covered), consent requirements by channel (voice vs. SMS vs. prerecorded), calling-hour rules (8 a.m. to 9 p.m. in the called party's local time, per FCC rules [8]), opt-out processing (how requests are handled and how fast), the DNC scrub schedule, complaint handling, and a named compliance owner.

A policy that names a specific person as owner reads better than one that says "management is responsible." Investors want a throat to choke. A policy last touched five years ago, predating the FCC's 2023 one-to-one consent rule, reads as stale.

The FCC's 2023 order, effective January 2025, tightened the written-consent standard hard. It requires consent on a per-seller basis rather than through a broadly worded third-party lead-gen form. [9] A policy that doesn't reflect this tells an investor the company stopped paying attention.

How do vendor contracts and lead-gen agreements affect TCPA due diligence?

This is where small companies get hurt worst. They buy leads from a list broker or affiliate network, the leads were collected under a consent form the company never saw, and now the exposure is theirs.

Investors reviewing vendor contracts want three things. A representation and warranty from the vendor that leads were collected with TCPA-compliant consent, including the specific disclosure language. An indemnification clause that shifts liability to the vendor if that representation turns out false. And an audit right letting the company inspect the vendor's consent records on request.

Most commodity lead-gen contracts have none of these. That's a negotiation, and investors know it's hard to retrofit. What they want to see is that the company tried. Even a short addendum or an email where the vendor confirms the consent standard beats nothing.

Dialer and SMS platform agreements matter too. If the platform caps damages at one month of fees, the company is self-insuring every dollar of TCPA exposure above that line. Investors note it. The contract architecture between a company and its tech vendors tells a story about how seriously compliance was taken.

How should prior TCPA complaints and demand letters be presented?

M&A attorneys give one piece of standard advice here: disclose everything, and present it with context. An investor who finds a demand letter in discovery that wasn't in the data room stops trusting everything else they were shown. The complaint is rarely the deal killer. The concealment is.

A good complaint log includes the date received, the nature of the complaint (FTC, FCC, attorney demand letter, BBB, litigation), how it resolved (dismissed, settled, no action), and the dollar amount of any settlement. If settlements carried confidentiality agreements, buyer's counsel needs to review whether those can be disclosed.

For demand letters, note whether the company changed anything in response. A demand letter that led to a process fix signals a company that learns. A run of demand letters with no documented response signals a recurring problem nobody solved.

Litigation is searchable on PACER. [6] Good buyers run the search before close. Companies that disclosed only the cases they knew would surface anyway get dinged hard. Proactive, organized disclosure is the posture that pays.

What does TCPA exposure look like in financial terms during a deal?

The math is brutal and simple. A company that sent 500,000 texts over two years without fully documented consent isn't facing a theoretical risk. It's facing a plaintiff's attorney who multiplies $500 to $1,500 by every text and files for the full number.

Settlement ranges swing on consent record quality, willfulness, and class size. The Credit One TCPA settlement reached $12.5 million. [11] The Cash App settlement ran about $9 million. [12] Mid-market companies in financial services and real estate have settled for $1 million to $5 million on programs that felt routine at the time.

Investors handle this a few ways. A price cut equal to a multiple of estimated exposure. An escrow holdback released only if no TCPA claims appear within a defined window post-close. A representation and warranty insurance policy that covers TCPA-specific risk (these exist, they're expensive, and they need solid documentation to bind). Or a specific seller indemnity for pre-close TCPA claims. None of these are good for the seller's net proceeds. Proper documentation before the deal always costs less than any of these remedies.

A company with clean consent records, live DNC scrub logs, a current written policy, and a clean complaint history sails through TCPA diligence. That combination is rare enough that it becomes a positive signal about how the whole company is run.

What should a company do to prepare TCPA documentation before a fundraise or sale?

Start six to twelve months before a planned transaction. Some gaps can't be fixed retroactively, but you can stop digging and document what you've fixed.

Audit your consent records first. Pull a random sample of 200 to 300 contacts and verify that each has a complete, stored consent record. The share with clean records is your baseline. Below 90%, that's a material gap.

Review your DNC scrub logs. Confirm they exist, are date-stamped, and prove the 31-day cycle. If your dialer vendor runs the scrubbing, get written confirmation and a log export. Update your lead-gen vendor contracts to add consent representations and indemnification language wherever you can.

Draft or update your written TCPA policy to match current FCC rules, including the 2023 one-to-one consent requirement. [9] Name an owner. Date the document.

LeadCompliant's compliance kit has templates for consent records, DNC scrub logs, and a baseline policy you can adapt. Reasonable place to start if you're building from scratch.

Build a complaint log covering every demand letter and regulatory complaint the company ever got, including the ones that went nowhere. Add context. Run your own PACER search on the company name and key executives before your buyer does.

The target is a data room where the TCPA section reads as one coherent story. Here's our program. Here's our documentation. Here are the gaps we know about and what we did about them. That story is worth more than a flawless program with no paper behind it.

Are there specific FCC rules or case outcomes investors reference during diligence?

Yes. Sophisticated buyers point to specific standards to benchmark your program. The ones that come up:

The FCC's 2012 Report and Order (FCC 12-21) set the prior express written consent standard for telemarketing calls and texts. [3] If your consent forms predate 2012 and were never updated, that's a known gap.

The FCC's 2023 Report and Order on one-to-one consent (FCC 23-107) took effect January 27, 2025. [9] It bans getting one broad consent that covers multiple sellers. Each company gets its own consent. Lead-gen programs that relied on the old multi-seller model are exposed for contacts made after that date.

Facebook v. Duguid, 592 U.S. 395 (2021), narrowed the definition of an automatic telephone dialing system, requiring the device have capacity to generate random or sequential numbers. [4] That reduced some dialer exposure. Investors won't let you use it as a blanket defense, because courts still split on how Duguid applies to modern dialers.

47 U.S.C. § 227(b)(3) is the private right of action that lets plaintiffs sue for $500 per violation without proving actual damages. [2] The text reads: "A person or entity may, if otherwise permitted by the laws or rules of court of a State, bring in an appropriate court of that State... an action to recover for actual monetary loss from such a violation, or to receive $500 in damages for each such violation, whichever is greater."

Know these reference points and you can answer diligence questions directly instead of looking lost when a buyer's counsel cites them.

Does TCPA documentation matter for SaaS and tech deals, more than outbound sales teams?

Yes, and it catches founders off guard. If a SaaS company sends any transactional or promotional texts or calls to users, even through a platform like Twilio, it can be a covered entity under the TCPA. No call center required. Account notifications, trial conversion calls, renewal reminders, and abandoned-cart texts all fall under the statute when they hit cell phones by automated means.

For SaaS deals, investors read the terms of service and the consent language at signup. Does the signup flow clearly disclose that the user may get automated calls or texts? Is that disclosure tied to purchase? Most SaaS flows bury communication consent inside a general terms-of-service checkbox, which courts have found insufficient for TCPA purposes.

Text message marketing compliance applies as much to a B2B SaaS product messaging its users as it does to a consumer lender. Operating in B2B doesn't remove exposure, because the TCPA protects the individual cell phone number, not the business purpose behind the call or text.

Running a software company and this never crossed your mind? Check your messaging flows before a deal process starts. The fix is usually an updated consent disclosure in onboarding, which is cheap. Retroactive exposure is the hard part.

Frequently asked questions

The TCPA statute of limitations for private suits is four years under 28 U.S.C. § 1658. Investors and their counsel want records covering that full lookback. Common practice is five-year retention for a buffer. If records from the early part of that window were purged or never existed, that's a disclosure item for the data room, not something to quietly leave out.

It gets priced in, one way or another. Buyers respond with an escrow holdback, a purchase price reduction, a specific seller indemnity for pre-close TCPA claims, or in serious cases they walk. The size of the response tracks the scale of the gap, the company's call and text volume, and how much revenue those contacts drove. There's no penalty-free way to present large undocumented consent gaps.

Do DNC scrub logs need to come from a specific system or vendor?

No specific system is required, but the logs must be exportable, date-stamped, and show scrubs on at least a 31-day cycle per FTC rules. Whether scrubbing happens in-house or through a dialer vendor, the company needs to produce the actual log, more than a vendor's word that scrubbing occurred. A vendor confirmation email is supporting evidence, not a replacement for the log.

Can representation and warranty insurance cover TCPA liability?

Some R&W policies include TCPA coverage, but underwriters need strong underlying documentation to bind it. A company with thin consent records, no written policy, and a complaint history will struggle to get TCPA coverage included, or will pay a steep premium. Good documentation doesn't just satisfy investors directly. It makes the R&W insurance process smoother and often cheaper.

The FCC's 2023 order, effective January 27, 2025, requires prior express written consent on a per-seller basis. Old multi-seller consent forms naming a broad category of partners no longer meet the standard. Investors closing deals in 2025 and later check whether the company's consent program was updated for this rule. Contacts reached through the old broad-consent model after January 2025 are fresh exposure.

What should a company do if it discovers a TCPA compliance gap during deal prep?

Stop the activity creating the gap first. Then document what you found, when you found it, and what you changed. Courts and buyers both respond better to companies that caught and fixed problems than to companies that never noticed. Retroactive consent isn't really possible, so the focus moves to quantifying past exposure honestly and showing the fix. Sellers who self-disclose with context fare better than those whose gaps surface in diligence.

Does buying leads from a third party transfer TCPA liability to that vendor?

Not automatically. Buyers of leads can still be directly liable if those leads weren't collected with proper consent, because the TCPA puts liability on the party making the call or sending the text, not the party that collected the consent. A strong indemnification clause helps shift the economic hit after the fact, but it doesn't erase the company's primary exposure. The real protection is verifying the consent standard before you buy.

What size company does TCPA due diligence actually apply to?

Any company with outbound calling or texting, any size. Investors in seed-stage companies sometimes skip it when call volume is tiny, but at Series A and beyond, anyone dialing more than a few hundred contacts a month, or any company being acquired, will face these questions. The statute has no volume exemption. A small company that sent 50,000 texts without proper consent carries real exposure even on modest revenue.

How does TCPA documentation interact with state-level telemarketing laws during diligence?

Thirteen states run their own do-not-call registries separate from the federal list, and some states set stricter consent standards than the federal TCPA. California's analog under the Invasion of Privacy Act and Florida's Mini-TCPA are two common sources of extra exposure that sophisticated buyers probe. A company operating nationally needs documentation covering state-level compliance, more than federal, especially for California and Florida contacts.

What role do employee training records play in TCPA due diligence?

They're supporting evidence of a real compliance program rather than a paper one. Training records show that the people actually dialing and texting were told the rules. They rarely drive a deal on their own, but their absence alongside other gaps reinforces a story of lax compliance. A simple annual sign-off sheet or an LMS completion record clears the bar, and clearing it strengthens the whole package.

Are there specific items that reliably flag a TCPA problem during diligence?

Yes. The clearest flags: no stored consent records at the contact level, DNC scrub logs that can't be produced, consent forms with pre-checked boxes or no disclosure that consent isn't required for purchase, vendor contracts with no consent warranties, a compliance policy last updated before 2022, and undisclosed demand letters. Any one of these is a yellow flag. Several together suggest systemic exposure.

How should a company document opt-out processing to satisfy investor review?

Keep a log of every opt-out request, the date received, the channel it came through (text reply, verbal on a call, web form), and the date the number was suppressed across all active systems. The FTC's TSR requires honoring do-not-call requests within a reasonable period; standard practice is suppression within 24 hours for digital requests. The log proves opt-outs are honored in practice, more than in policy.

What is the easiest way to start building TCPA documentation if the company has almost nothing today?

Start with a consent audit on a sample of your existing contact list. Document what you find. Then build a simple DNC scrub schedule and export your first log this week. Write a one-page compliance policy naming an owner and covering the basics. Those three steps take days and give you a foundation. LeadCompliant offers free checkers and a compliance kit with templates that can shorten this for teams building from scratch.

Sources

  1. Cornell Law School Legal Information Institute, 28 U.S.C. § 1658: The general federal statute of limitations for private civil actions is four years, which courts apply to TCPA private suits.
  2. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: Per-violation damages of $500 for negligent violations and $1,500 for willful violations; private right of action language quoted from statute.
  3. Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Narrowed the ATDS definition to require capacity to generate random or sequential numbers, reducing some dialer exposure.
  4. Public Access to Court Electronic Records (PACER), U.S. Courts: PACER allows public search of federal court filings, enabling buyers to independently verify litigation history.
  5. Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200, FCC calling-hour restrictions: FCC rules prohibit telemarketing calls before 8 a.m. or after 9 p.m. in the called party's local time.
  6. Federal Trade Commission, National Do Not Call Registry and Telemarketing Sales Rule, 16 C.F.R. Part 310: The Registry held over 249 million active numbers in the FTC FY2023 report; the TSR requires scrubbing against the Registry at least every 31 days and honoring do-not-call requests; 13 states maintain separate registries.
  7. U.S. District Court, Credit One Bank TCPA class action settlement, public court records: Credit One TCPA class action settlement reached approximately $12.5 million, illustrating the financial scale of TCPA class exposure.
  8. U.S. District Court, Cash App (Block Inc.) TCPA class action settlement, public court records: Cash App TCPA settlement of approximately $9 million illustrates exposure for technology companies with automated communications.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit