Last updated 2026-07-10

TL;DR
Under the TCPA, a company can be sued for illegal calls or texts a third-party vendor or lead generator makes on its behalf. Courts apply standard agency law: actual authority, apparent authority, and ratification each create liability. You never have to touch the dialer to owe $500 to $1,500 per violation.
What does vicarious liability actually mean under the TCPA?
Vicarious liability means you pay for someone else's conduct. Under the TCPA (47 U.S.C. § 227), it works like this: a lead generator, dialer vendor, or call center makes an illegal call on your behalf, and your company gets named in the lawsuit and pays the damages, even though you never touched the phone system.[1]
The statute never uses the phrase "vicarious liability." The Federal Communications Commission filled that gap in its 2013 Declaratory Ruling, which confirmed that federal common law agency principles decide who is on the hook. The FCC wrote that "a seller may be held vicariously liable under federal common law principles of agency for violations of either section 227(b) or section 227(c) that are committed by third-party telemarketers."[2]
For outbound sales teams, that is the scariest sentence in TCPA law. You hire a vendor. The vendor auto-dials someone on the Do Not Call list. Suddenly your company is a co-defendant in a class action. Courts have held companies responsible for millions of dollars over calls their outsourced call centers made without the company knowing the specifics.
The idea isn't new to the TCPA. It mirrors how an employer can answer for an employee's torts. What makes TCPA vicarious liability so dangerous is the per-call math: $500 per negligent violation, up to $1,500 per willful violation, with no cap once a class of thousands of plaintiffs shows up.[1]
How did the FCC establish vicarious liability under the TCPA?
The FCC's 2013 Declaratory Ruling (In re DISH Network, LLC, 28 FCC Rcd 6574) is the foundational document.[2] DISH had hired third-party retailers to sell its satellite TV subscriptions. Those retailers made millions of calls that broke the TCPA and the National Do Not Call Registry rules. DISH argued it wasn't responsible because it didn't make the calls. The FCC rejected that argument flat.
The commission held that liability attaches under three agency theories. Actual authority: the seller explicitly told the third party to make the calls. Apparent authority: the third party reasonably appeared to consumers to speak for the seller, even without specific authorization for the conduct. Ratification: the seller learned about the illegal calls and kept the benefit anyway, without objecting.[2]
The ruling also spelled out what does not create liability. A seller with no knowledge of a vendor's illegal calling, who takes reasonable steps to prevent violations and doesn't knowingly benefit from them, has a far stronger defense. That "reasonable steps" language is what every compliance program should be built around.
Courts since 2013 have run with this framework. The Ninth Circuit in Jones v. Royal Administration Services (2017) and the Eleventh Circuit in Cordoba v. DIRECTV (2019) both treated apparent authority and ratification as live theories for plaintiffs. Vendors who use your brand name, your scripts, or your approved marketing materials can create liability without ever getting explicit permission for the specific illegal act.[3]
What are the three agency theories courts use to assign TCPA blame?
The three theories are practical, not academic. Each one points to a different compliance gap you need to close.
Actual authority is the plain one. You told your vendor to call a list, and that list held numbers on the National DNC Registry or people who never gave prior express consent. You directed the conduct. Plaintiffs prove this easily when they surface internal emails or contracts showing the seller ran the dialing program.
Apparent authority is trickier and shows up more in litigation. It arises when a consumer reasonably believes the third party acts for your company because of what your company did. If your vendor uses your name when answering calls, works from scripts you approved, or sends consumers to your website, a court can find apparent authority even when your contract calls the vendor an "independent contractor."[2] That label protects nothing on its own. Courts look at the real relationship, not the paperwork's word for it.
Ratification is the sneaky one. You didn't authorize the calls upfront, but you found out about the illegal conduct later and kept taking leads or revenue without stopping it. Silence reads as consent here. If your vendor tells you they're generating leads through aggressive autodialing and you keep cutting checks, a court can find you ratified the conduct.
A fourth idea, control, threads through all three. Courts keep asking one question: did the seller control, or have the right to control, the manner and means of the calls? The more operational control you exercise over a vendor's dialing program, the harder it gets to disclaim liability.[3]
| Agency Theory | What triggers it | Common evidence in discovery |
|---|---|---|
| Actual authority | You directed the calls | Contracts, emails, approved call lists |
| Apparent authority | Consumer reasonably believed vendor spoke for you | Scripts, brand use, consumer-facing materials |
| Ratification | You accepted benefit after learning of violations | Continued payments, no remediation after notice |
| Control | You controlled how calls were made | Call monitoring, script approval, oversight records |
Can you really be sued for calls your vendor made without telling you?
Yes. And it happens regularly.
Apparent authority and ratification both let liability attach without the seller having directed, or even known about, the specific illegal calls when they happened. The clearest example is the DISH situation itself: the FCC found DISH's retailers created apparent authority by presenting themselves as DISH-authorized dealers, even on calls DISH never specifically approved.[2]
In Campbell-Ewald Co. v. Gomez (U.S. Supreme Court, 2016), the Navy's contracted marketing firm sent text messages that allegedly broke the TCPA. The case turned on mootness, but the underlying premise, that a company can face TCPA liability for a vendor's texts, went undisputed.[4]
For a smaller outbound team, it plays out like this. You hire a lead generation company to find prospects. They buy lists, autodial numbers without proper consent, and hand the leads to your closers. The people who got those calls join a class action. Because the lead generator used your name and your landing pages, plaintiffs argue apparent authority. Because you kept buying leads after a complaint or two surfaced, plaintiffs argue ratification. Your contract calling the lead gen shop an "independent contractor" doesn't end the inquiry.
The credit one tcpa settlement and cash app tcpa class action settlement show how fast TCPA exposure compounds when the defendant had only indirect involvement in the dialing. Neither case needed the company to have personally worked the autodialer.
What can sellers do to reduce vicarious TCPA exposure?
The FCC's DISH ruling handed sellers a rough roadmap for beating vicarious claims. The commission listed factors courts weigh when deciding whether a seller took adequate steps to prevent violations.[2] Build your program around those factors and you build your defense.
Written contracts matter. Your vendor agreement should say the vendor must comply with the TCPA, must not use autodialers or prerecorded messages without consent, must honor Do Not Call requests, and must indemnify you for violations it causes. A clause doesn't insulate you completely. It is evidence that you didn't authorize the illegal conduct.
Audit your vendors. Blind trust is a liability. At a minimum, read the consent language your lead generator uses to capture numbers. If they collect cell numbers and claim prior express written consent for autodialed marketing calls, you should see the exact opt-in language on the form. You should know their list-hygiene process and whether they scrub against the National DNC Registry before dialing.[5]
Terminate and document. When a consumer complains that your vendor called them illegally, write down the complaint and your response. If the pattern holds, end the relationship. Paying a vendor after you know about violations is textbook ratification.
Train your own team on what they can do directly. Your in-house cold calling and cold call programs need their own DNC scrubbing, consent verification, and calling-hour controls. The infrastructure you build for your own reps tells a court you take the TCPA seriously across the board.
Tools like the LeadCompliant compliance kit help you document vendor requirements and build the internal audit trail that becomes a paper defense if you ever get named. The free checkers are a starting point for finding the most obvious gaps in your consent and DNC processes.
Does using an independent contractor instead of an employee protect you?
No. This is one of the most common misconceptions in outbound sales compliance.
The TCPA draws no line between employees and independent contractors when it applies agency principles. The test is whether the principal had the right to control the agent's conduct, not what the relationship is called. Courts keep rejecting the argument that stamping "independent contractor" on a services agreement settles the agency question.[3]
The Restatement (Third) of Agency, which courts cite in TCPA cases, asks whether the principal manifested that the agent should act on its behalf and whether the agent accepted. That analysis is factual. A court looks at real behavior. Did you approve the vendor's scripts? Did you supply the contact lists? Did you monitor call performance? Did consumers interact with your brand during the call? Every one of those facts points toward agency, no matter what the contract says.[10]
What actually helps is pairing a clear contract with genuine operational separation. If your vendor makes its own calls about which lists to use, what scripts to write, and how to handle DNC opt-outs, you have a stronger case that they were truly independent. The more you run the day-to-day dialing, the weaker that case gets.
How do courts calculate damages in vicarious TCPA cases?
The TCPA gives consumers a private right of action with statutory damages of $500 per violation for ordinary violations and $1,500 per willful or knowing violation.[1] There's no cap on total damages when many plaintiffs are involved, which is why TCPA class actions climb into eight figures fast.
In a vicarious case, every call or text the vendor made counts as a potential violation. If a lead generator placed 100,000 autodialed calls without proper consent and your company is found vicariously liable, the exposure is $50 million at the standard rate or $150 million if the court finds willfulness. These are not hypothetical numbers. The DISH litigation involved tens of millions of calls, and one federal and state enforcement action ended in a $280 million judgment in 2017.[6]
For smaller outbound teams, the numbers are lower but still business-ending. A vendor who makes 10,000 illegal calls and names your company as a co-defendant puts $5 million to $15 million on the table before settlement talks even start.
One nuance. Courts have discretion to raise or lower statutory damages, but that discretion is narrow. To treble damages to $1,500, most courts want actual knowledge that the conduct broke the TCPA, more than recklessness. Plaintiff attorneys know the math cold. The math is what drives the settlement demand letters into your inbox.
What is ratification, and why is it the hardest liability theory to avoid?
Ratification says this: you didn't authorize the bad act, but you adopted it after the fact by taking the benefit or failing to disown it once you knew.
In TCPA terms, it usually surfaces when a company gets complaints, a cease-and-desist letter, or even news coverage about a vendor's calling, and does nothing. Continued commission payments or continued lead purchases after that knowledge often satisfy a court on ratification.[2]
The trap for small teams is that ratification can happen passively. You never have to say "keep calling." Inaction does the work. A plaintiff's attorney subpoenas your payment records and your email. If your ops manager got a complaint from a consumer, forwarded it to the vendor, and left the campaign running, that trail marks the moment you gained knowledge, and everything after it becomes ratified conduct.
The defense is simple to state and hard to skip: act promptly on notice. Investigate. Stop paying for leads from the bad campaign. Put the vendor on written notice that the conduct must stop. Document all of it. Do those things and you break the ratification chain. Skip them and you've handed plaintiffs a gift.
How does the FCC's 2024 one-to-one consent rule affect vicarious liability?
The FCC issued a rule in December 2023 requiring "prior express written consent" to be obtained on a one-to-one basis, so a single form can no longer authorize calls from a stack of sellers.[7] The compliance date has shifted in litigation, but the rule directly tightens the lead generation ecosystem that produces most vicarious liability exposure.
Before this rule, a common lead gen play was to collect a phone number on a comparison-shopping website, bury a consent clause covering a long list of sellers in the fine print, and sell that lead to dozens of companies at once. Courts already looked sideways at that model under the TCPA. The FCC's rule aims to make it explicitly noncompliant.
For vicarious liability, this matters because consent your lead generator collected on your behalf is worthless if it never named you. If you buy leads from a list broker or aggregator, and those leads came from the old blanket consent model, you carry live TCPA exposure right now.
The practical move is to audit every lead source and demand documentation of the exact consent language shown to the consumer and when. If the vendor can't produce it, you're buying risk, not leads. The do not call list scrubbing and consent verification you do upfront costs less than any settlement.
Review how you handle text message marketing too, since the one-to-one consent rule reaches text campaigns as much as voice calls.
What should a vendor agreement include to protect against vicarious TCPA claims?
A vendor agreement won't erase vicarious liability, but a well-drafted one gives you evidence of two things courts care about: you didn't authorize the illegal conduct, and you took reasonable steps to prevent it. Those are the two pillars of the DISH ruling's defense framework.[2]
At a minimum, your vendor agreement should include the following.
A TCPA compliance warranty. The vendor warrants that all calls and texts comply with the TCPA, the Telemarketing Sales Rule, state analogues, and FCC regulations, including the one-to-one consent requirement.[8]
A consent documentation requirement. The vendor must keep and produce, on your request, records showing the consent obtained for each number it contacts for you. Records should include the date, time, the exact consent language shown, and how the consumer opted in.
A DNC scrubbing requirement. The vendor must scrub all outbound lists against the National DNC Registry at least every 31 days, and against your own internal DNC list before every campaign.[5] See how do i get the do not call list for specifics on registry access.
An audit right. You can inspect the vendor's calling practices, consent records, and DNC scrubbing logs at any time with reasonable notice.
Indemnification. The vendor indemnifies and defends you against any TCPA claim arising from calls or texts it makes on your behalf.
A termination-for-cause clause tied to TCPA violations. A single verified violation is grounds for immediate termination. This one matters for the ratification defense: you need to be able to show you didn't ratify by staying in the relationship after learning of violations.
None of this replaces the work of actually vetting the vendor. The contract is your paper trail, not a shield on its own.
Are there real cases where companies paid for their vendor's TCPA violations?
Yes, plenty. Here are a few that come up over and over in compliance discussions.
In Krakauer v. Dish Network (4th Cir., 2019), a federal jury awarded $61 million in damages against DISH for calls its third-party retailer made to people on the National DNC Registry. DISH argued it didn't make the calls. The Fourth Circuit upheld the verdict, finding the retailer acted as DISH's agent.[6]
In Campbell-Ewald Co. v. Gomez (U.S. Supreme Court, 2016), the government contractor that sent text messages for the U.S. Navy faced TCPA exposure even while acting under government direction. The Court's analysis confirmed that agency relationships create shared exposure.[4]
In Abante Rooter & Plumbing v. Alarm.com (N.D. Cal., 2018), the court found a home security company could face vicarious liability for calls its authorized dealers made, on an apparent authority theory. The dealers used the company's brand materials, and the company took the benefit of their sales.
The pattern is consistent across these cases. A company at the top of the distribution chain benefits from aggressive outbound calling done by someone lower in the chain, and when that calling breaks the TCPA, the party pocketing the benefit shares the liability. The do not call telemarketer list violations often generate the plaintiff class, because the National DNC Registry leaves a clean, documented record of who should never have been called.
For the mobile phone do not call list specifically, cell phones carry extra risk. Autodialed calls to cell phones require prior express consent regardless of DNC status, so two separate TCPA violations can stack on a single call to a cell number on the registry.
How should outbound teams structure their compliance program to minimize vicarious risk?
The FCC handed you the framework in the DISH ruling. Courts filled in the details over a decade of litigation. Here's what a working program looks like in practice.
Vet vendors before you sign. Before you engage any lead generator, list broker, or call center, ask for documentation of their consent collection. Ask to see a live example of the opt-in form. Ask how they scrub for DNC. Ask what they do when a consumer sends a revocation. If they can't answer those questions clearly, walk away.
Contract terms that shift the burden. Use the clauses in the previous section. Don't bury them in a 40-page MSA nobody reads. Flag them for your ops manager, and make sure a specific person owns vendor compliance.
Ongoing monitoring. Spot-check a sample of leads every month. Call back a handful of numbers and ask consumers how they heard about you and what they agreed to. If people keep saying "I never signed up for this," that's an early signal your vendor's consent practices are broken.
A clear internal DNC process. Your own do not call list management has to be airtight. Every opt-out request, received by your team or your vendor, goes into a suppression list that feeds all future campaigns, immediately for the individual requester and within your monthly registry refresh cycle for the broader lists.
A complaint triage process. When a complaint arrives claiming illegal contact, one named person owns the response within 24 hours, and the process is documented. If the complaint points at a vendor, that vendor gets written notice the same day.
Annual training. Everyone who touches outbound campaigns should know the basics: what an autodialer is, what prior express written consent means, what the calling-hour rules are (8 a.m. to 9 p.m. local time), and what happens when someone says stop.[9]
LeadCompliant's free compliance checkers and one-time compliance kit help smaller teams build this documentation trail without a full-time compliance attorney on payroll. The goal is a paper record a court can read and conclude: this company took reasonable steps.
Frequently asked questions
Can I be held liable for TCPA violations if my vendor made the calls?
Yes. The FCC's 2013 DISH Network ruling confirmed that sellers face vicarious TCPA liability under standard agency principles. If your vendor had actual authority, had apparent authority, or you ratified the conduct by accepting leads after learning of violations, you share the legal exposure. Calling the vendor an independent contractor in your contract does not automatically protect you.
What is the difference between actual authority and apparent authority under TCPA agency theory?
Actual authority means you explicitly authorized the vendor to make the calls. Apparent authority means the consumer reasonably believed the vendor acted on your behalf based on your own conduct, like the vendor using your brand name or your approved scripts, even if you never approved the illegal act. Courts find apparent authority more often than most sellers expect.
Does a strong vendor contract fully protect me from vicarious TCPA liability?
No, but it helps. A contract with TCPA compliance warranties, consent documentation requirements, and DNC scrubbing obligations is evidence you didn't authorize illegal calls and took reasonable preventive steps. Courts treat that as part of the defense, not as an absolute shield. You still have to monitor vendor conduct and act on complaints.
What is ratification under the TCPA, and how do I avoid it?
Ratification means you accepted the benefit of illegal calls after learning about them without stopping the conduct. It's passive: continued payments or lead purchases after a complaint can be enough. To avoid it, build a complaint triage process, put vendors on written notice immediately when violations surface, and terminate the relationship if violations persist.
How much can vicarious TCPA liability cost a company?
Statutory damages run $500 per call for standard violations and $1,500 per call if the court finds willful conduct. A vendor who makes 10,000 illegal calls puts $5 million to $15 million of exposure on the table. The Krakauer v. Dish Network verdict was $61 million. There is no statutory cap in class actions.
Does the FCC's 2024 one-to-one consent rule change vicarious liability for lead buyers?
Yes. The rule requires prior express written consent to name the specific seller, rather than a broadly worded list of companies. Leads collected under old blanket consent forms are now legally problematic. Lead buyers who purchase from aggregators without verifying one-to-one consent carry direct TCPA exposure on top of any vicarious exposure. The compliance date has moved in litigation, so track current FCC guidance.
Can I avoid vicarious liability by putting an indemnification clause in my vendor contract?
Indemnification means your vendor promises to cover your legal costs and damages if its violations land you in court. That helps if the vendor is solvent and honors the clause. It does not stop you from being sued and named in a class action. You still eat legal defense costs, and if the vendor goes bankrupt or fights the clause, you're exposed anyway.
How does apparent authority create TCPA liability even when I didn't approve the specific calls?
If you give your vendor your brand materials, approve its scripts, and send consumers to your website, courts may find you created the appearance that the vendor spoke for you. When that vendor then makes illegal calls, consumers reasonably believed they dealt with your company. The FCC confirmed this theory applies to TCPA cases in the 2013 DISH ruling.
What should I audit in my lead generation vendors to reduce TCPA exposure?
Request and read the actual opt-in form consumers see, including the exact consent language. Confirm the vendor scrubs against the National DNC Registry at least every 31 days. Ask how it handles revocation requests. Spot-check a sample of leads monthly by verifying consent records. Document all of this so you have an audit trail if litigation arrives.
Is vicarious TCPA liability different for text message campaigns versus voice calls?
The legal framework is the same: agency principles from the FCC's 2013 ruling apply to both. In practice, the one-to-one consent rule makes text campaigns especially sensitive, because every autodialed or prerecorded text to a cell requires prior express written consent, and that consent must name the specific sender. A vendor texting for you without proper consent creates the same vicarious exposure as illegal calls.
Do small businesses face the same vicarious TCPA liability risk as large companies?
Yes, the legal framework doesn't scale with company size. Plaintiffs' attorneys often target small companies because settlements come faster and easier. The practical difference is survivability: a large company can absorb a multi-million dollar settlement, and a small business usually can't. Small outbound teams have more reason to take vicarious liability seriously, not less.
What steps reduce the risk of ratification after a vendor sends illegal calls?
Act the moment you learn of violations. Send written notice to the vendor naming the problem and requiring it to stop. Pause or suspend lead purchases from the affected campaign. Document every step. If the vendor doesn't comply or violations recur, terminate. Courts look at the speed and seriousness of your response to decide whether you ratified the conduct.
What happened in the Dish Network TCPA case and what did it establish?
In Krakauer v. Dish Network (4th Cir. 2019), a jury awarded $61 million for calls Dish's third-party retailers made to people on the National DNC Registry, and the Fourth Circuit upheld it. The FCC's 2013 DISH ruling separately established the three-theory agency framework for vicarious TCPA liability. Together they confirmed that sellers who benefit from third-party telemarketing can be fully liable for those vendors' violations.
How often should I re-audit vendors to maintain a vicarious liability defense?
At a minimum, audit consent documentation and DNC scrubbing annually, and any time a consumer complaint points at a specific vendor. If you change your product, your target audience, or your marketing materials, audit right away, because the consent and apparent authority picture changes with those updates. A quarterly spot-check of a sample of leads is a reasonable baseline for active lead-buying programs.
Sources
- U.S. Code, 47 U.S.C. 227, Telephone Consumer Protection Act (via Cornell Legal Information Institute): Statutory damages of $500 per violation, up to $1,500 for willful violations, and private right of action under the TCPA
- FCC, In re DISH Network LLC, Declaratory Ruling, 28 FCC Rcd 6574 (2013): FCC confirmed sellers may be vicariously liable for third-party telemarketers under federal common law agency principles including actual authority, apparent authority, and ratification
- Ninth Circuit Court of Appeals, Jones v. Royal Administration Services, Inc. (2017): Apparent authority and ratification are viable TCPA liability theories; independent contractor label does not resolve agency question
- U.S. Supreme Court, Campbell-Ewald Co. v. Gomez, 577 U.S. 153 (2016): Agency relationships between government contractors and principals confirmed as relevant to TCPA liability analysis; vendor exposure acknowledged
- FTC, National Do Not Call Registry, business compliance guidance: Telemarketers must scrub call lists against the National DNC Registry at least every 31 days
- Fourth Circuit Court of Appeals, Krakauer v. Dish Network, L.L.C., 925 F.3d 643 (4th Cir. 2019): Federal jury awarded $61 million against Dish Network for DNC violations committed by third-party retailers acting as Dish's agents
- FCC, Report and Order and Further Notice, CG Docket No. 21-402, one-to-one consent rule (2023): FCC rule requires prior express written consent to be obtained one-to-one, naming the specific seller; blanket consent covering multiple sellers is targeted for elimination
- FTC, Telemarketing Sales Rule, 16 CFR Part 310: TSR establishes requirements for telemarketers that overlap with TCPA obligations and apply to sellers who hire third-party call centers
- FCC, consumer guides on unwanted calls and texts: FCC guidance on consumer rights and telemarketer obligations under the TCPA, including calling hour restrictions of 8 a.m. to 9 p.m. local time
- American Law Institute, Restatement (Third) of Agency (2006): Agency principals are bound by agent conduct within actual or apparent authority; courts cite this Restatement in TCPA vicarious liability analysis