TCPA compliance requirements for lead generation call centers in 2026

Every TCPA rule lead gen call centers must follow in 2026: consent standards, the 1-to-1 consent rule, DNC scrubbing, fines up to $1,500/call, and what changed.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-09

Call center agents at desks with headsets in late afternoon office light
Call center agents at desks with headsets in late afternoon office light

TL;DR

In 2026, lead generation call centers must get prior express written consent from each consumer before calling or texting with an autodialer, and that consent must name your company specifically. The FCC's one-to-one consent rule took effect January 27, 2025. Violations cost $500 to $1,500 per call. This guide covers every requirement, what changed, and how to stay compliant.

What is the TCPA and why does it govern lead gen call centers?

The Telephone Consumer Protection Act, 47 U.S.C. § 227, passed in 1991 and gives the FCC authority to restrict automated calls and texts to cell phones, residential landlines, and fax machines. [1] It is the federal law behind almost every robocall lawsuit you have seen in the past decade.

Lead generation lives inside the TCPA because the business model touches three things the statute regulates directly: autodialers, prerecorded voice messages, and text messages to mobile numbers. Buy leads, call them with a dialing system, and you are covered. Whether you know it or not.

The statute creates a private right of action. Any person who gets a prohibited call or text can sue, and class actions certify easily because the violation looks identical across every call record. Plaintiffs' attorneys work on contingency. That combination is why TCPA suits regularly generate eight-figure settlements. Recent examples include a $2.5 million payment by UnitedHealthcare see the full story: [unitedhealthcare to pay $2.5m for alleged TCPA violations] and multimillion-dollar class settlements at major banks see: [credit one TCPA settlement].

The FCC issues rules under 47 U.S.C. § 227(b) for autodialed and prerecorded calls, and under § 227(c) for the Do Not Call registry. Both sets apply to most outbound lead generation.

What changed for lead gen call centers: the 2025 one-to-one consent rule

The biggest rule change in years took effect January 27, 2025. The FCC's December 2023 order amended 47 C.F.R. § 64.1200 to require that prior express written consent for marketing calls and texts come from one seller at a time. [2]

Before this, a consumer could check a single box on a comparison-shopping site and consent to calls from dozens of companies at once. That box was the whole business model behind third-party lead generation. The FCC called it a "consent farm" practice and killed it.

The rule now requires three things for valid consent under the one-to-one standard:

1. The consent names one seller specifically in the consent language. 2. The consumer's agreement is logically and topically related to the website or interaction where they gave it. 3. The consent still meets the prior express written consent standard: a clear and conspicuous disclosure, a checkbox or similar affirmative action, and the consumer's signature (electronic is fine).

Buying leads from a third party? You need to verify that the consent form the vendor used names your company by name. Consent that names "our marketing partners" or lists 50 companies does not satisfy this rule as of January 27, 2025. [2] That gap will generate most TCPA litigation in 2026.

For the latest regulatory developments, the tcpa news section of LeadCompliant tracks FCC orders and notable court decisions as they drop.

Prior express written consent is defined at 47 C.F.R. § 64.1200(f)(9). The rule text describes it as "an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice." [12]

Here is what you actually need to build:

  • A written agreement: a web form checkbox, a paper form, or a documented recorded verbal agreement counts. Oral consent alone does not clear this bar for marketing messages.
  • An electronic signature: under E-SIGN and FCC guidance, clicking "I agree," texting a keyword, or checking a box all work, as long as the consumer takes that action and the box is not pre-checked.
  • Clear and conspicuous disclosure: the consent language has to be easy to read and out in the open. The FCC has rejected consent buried in hyperlinked terms the consumer never saw.
  • The consumer cannot be required to consent as a condition of buying anything. That is explicit in the rule.

For lead gen, the cleanest path is a standalone consent field on your own web form, or a verified opt-in flow where the vendor sends proof that the form used your company's name. Keep that proof. You will need it if you get sued.

One practical note. The "signature" requirement sounds formal, but electronic consent handles it without trouble. What trips companies up is the disclosure language and the one-to-one naming requirement. Review your consent forms or vendor contracts against both.

Do the TCPA rules apply to texts as well as calls?

Yes. Text messages sent via an autodialer to mobile numbers get treated the same as calls under 47 U.S.C. § 227(b)(1)(A). [1] The same prior express written consent requirement applies.

For a closer look at what makes text campaigns compliant, see our guide to text message marketing.

The main practical differences between calls and texts:

  • Opt-out mechanics: for texts, the FCC requires you to honor a STOP or equivalent opt-out within a reasonable time. Industry standard and FCC guidance both point to honoring it immediately. After an opt-out, you may send one confirmatory message and nothing else.
  • Documentation: every outbound text campaign should log the consent date, the method of consent, and the exact disclosure language shown at the time. If you send through a platform, confirm it stores that data.
  • P2P exemptions do not save lead gen: some teams argue that manual, one-at-a-time texts from a rep's phone dodge the TCPA. The FCC's autodialer definition has been contested since the Supreme Court's 2021 Facebook v. Duguid decision, but the safe move for any volume texting is to treat it as ATDS-covered.

For text messaging mechanics in more detail, see text messaging marketing.

What are the TCPA calling time restrictions and frequency rules?

The FCC's rules at 47 C.F.R. § 64.1200(c)(1) ban telephone solicitations before 8 a.m. or after 9 p.m. local time at the called party's location. [3] This applies to both residential and wireless numbers.

A few things trip up call centers here:

  • Time zone scrubbing: if your dialer does not verify the consumer's time zone before dialing, you will call people at 6 a.m. or 10 p.m. their time. Use the area code plus zip code for the lookup, not the area code alone, because area codes no longer map cleanly to geography.
  • No federal cap on call frequency: the TCPA sets no maximum number of calls per day or week. But repeated calls after a consumer asks you to stop can trigger harassment claims under state law, and some states (Florida, for one) go further.
  • Call-specific exemptions: purely informational calls from a non-profit, calls with prior express consent for non-marketing purposes, and certain emergency calls follow different rules. If there is any marketing content in the call, treat it as a marketing call.

Several states set their own calling hours above the federal floor. Florida's Mini-TCPA (FTSA), enacted in 2021, and Washington state's rules are the most aggressive. Always check the state of the consumer, more than federal law.

How does the national Do Not Call registry apply to lead gen operations?

The National Do Not Call (DNC) Registry, run by the FTC under 16 C.F.R. Part 310, bans telemarketing calls to registered numbers unless the caller has an established business relationship or written permission from the consumer. [8]

The FCC mirrors this at 47 C.F.R. § 64.1200(c)(2), which makes DNC compliance a TCPA issue as well as an FTC one. [3]

For lead gen call centers, the core obligations are:

  • Registration: you pay to access the DNC registry and scrub your call lists. As of the current FTC schedule, the fee is $70 per area code per year, with a cap for full national access (around $19,600 per year, but verify at donotcall.gov since fees adjust). [4]
  • Scrub frequency: you must scrub against a version of the DNC list no older than 31 days. Monthly scrubs are the industry minimum.
  • Company-specific DNC: separately, you maintain your own internal DNC list. If a consumer tells you, your vendor, or anyone acting on your behalf not to call, you add them to your internal list and honor the request within 30 days.
  • Safe harbor: the FCC gives a limited safe harbor if you can show written procedures, trained personnel, a company-specific DNC list, monthly scrubs, and an unintentional violation. This is not a get-out-of-jail-free card. It is a defense courts weigh.

If you want to see what happens when DNC scrubbing fails, the albertsons safeway TCPA settlement is a useful case study.

What are the TCPA penalties per call in 2026?

Under 47 U.S.C. § 227(b)(3), a person who gets a prohibited call or text can recover the greater of actual damages or $500 per violation. [1] If the court finds the violation willful or knowing, it can triple that to $1,500 per violation.

The FCC also has its own civil forfeiture authority under 47 U.S.C. § 503(b). The FCC can assess fines in the tens of thousands of dollars per violation (this base figure adjusts annually for inflation, so verify the current amount at fcc.gov). [5]

What makes these numbers brutal in practice is multiplication. A call center that dials 50,000 numbers without proper consent does not face one $500 fine. It faces 50,000 separate violations, each worth $500 to $1,500. That is $25 million to $75 million in exposure before anyone certifies a class.

Class actions are the real risk. Plaintiffs' attorneys build classes from call records, which come out easily in discovery. Settlements in the $1 million to $76 million range are common. The cash app TCPA class action settlement and the truist bank TCPA class action settlement show how fast these numbers scale across a class.

Willfulness is the multiplier you want to avoid. Courts often find it when a company got cease-and-desist letters, complaints, or prior TCPA demands and kept calling anyway.

TCPA penalty exposure by violation type (2026) Statutory per-violation amounts under 47 U.S.C. § 227(b)(3) $500 Standard violation (per cal… $1,500 Willful or knowing violation (per call/text) $24k FCC civil forfeiture base (per violation, approx.) $20k DNC registry annual access, full national list (approx.) Source: 47 U.S.C. § 227, U.S. Code (Cornell LII)

What records do you need to keep to defend a TCPA claim?

If you get sued, the first thing your attorney asks for is your consent records. Can't produce them? You lose. It is that simple.

Here is what to retain, and for how long:

  • Consent documentation: the date, time, IP address, form URL, consent language shown, and the specific consumer action for each lead. Keep these at least four years. The federal statute of limitations for TCPA claims is four years under 28 U.S.C. § 1658, though some courts have applied a two-year period. Four years is the safer retention target. [10]
  • Call logs: date, time, duration, number called, agent ID, and campaign ID for every outbound call.
  • DNC scrub records: which list version you used, the date you pulled it, and the results. Store the scrub logs, more than the scrubbed list.
  • Opt-out records: every STOP reply, every verbal opt-out request, and when you honored it.
  • Third-party vendor contracts: if you buy leads, your contract should say the vendor is responsible for obtaining compliant consent and indemnifying you if consent is defective. These contracts matter in litigation.

Cloud storage is fine. The goal is pulling records on demand. If your dialer or CRM does not automatically log what you need, fix that before you start a campaign, not after.

LeadCompliant's compliance kit includes a consent record template and a vendor contract checklist you can use to audit your current setup.

How do you vet third-party lead vendors for TCPA compliance in 2026?

Third-party lead generation is the highest-risk part of the picture. You cannot outsource your TCPA liability to a vendor. Courts have held callers responsible for violations where the caller directed or controlled the lead generation activity, even if they never touched the consent form. [6]

Here is a due diligence process that actually works:

First, get the consent language in writing. Ask for a screenshot of the real web form the consumer sees, with the disclosure visible. If the vendor refuses or gives you a generic description instead of the actual form, walk away.

Second, confirm your company name appears in that consent. Since January 27, 2025, blanket consent to "our marketing partners" is not enough. Your name needs to be there.

Third, ask for a sample lead record showing what gets captured at opt-in: IP address, timestamp, form URL, user agent string. If they cannot produce a sample with those fields, their documentation will not hold up in court.

Fourth, get an indemnification clause. Your contract should require the vendor to indemnify you and cooperate in your defense if their consent process turns out to be defective. Not bulletproof, but it creates a path to recover costs.

Fifth, run spot checks. Pull 20 random leads from each vendor and verify the consent record matches the claimed form and timestamp. A few hours of spot checking per quarter is worth it.

Vendors who resist any of these steps are a red flag. The legitimate ones have clean systems and welcome the audit.

What autodialer (ATDS) rules apply after Facebook v. Duguid?

In April 2021, the Supreme Court decided Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), narrowing the definition of an automatic telephone dialing system. [7] The Court held that an ATDS must have the capacity to use a random or sequential number generator to store or produce numbers to be called, not merely the ability to dial stored numbers automatically.

Plain terms: if your dialer works from a curated contact list and does not generate numbers randomly, it may not be an ATDS under the federal definition. That matters because the autodialer restriction in 47 U.S.C. § 227(b)(1)(A) applies only to calls made with an ATDS.

A few caveats you cannot ignore:

  • State law does not follow this definition. Florida's FTSA uses a broader "automated system" standard that catches list-based dialers. Several other states have similar language.
  • Prerecorded and artificial voice calls stay regulated no matter what dialer you use. Even if your system is not technically an ATDS post-Duguid, a prerecorded voice still needs prior express consent for non-emergency marketing calls under § 227(b)(1)(B).
  • The FCC is still working on updated ATDS guidance. Do not assume the Duguid reading is permanent policy.

Bottom line. Duguid gave list-based predictive dialers some room at the federal level, but it does not erase your exposure for prerecorded calls or state autodialer rules.

What state-level TCPA-equivalent laws affect lead gen call centers in 2026?

Federal TCPA is the floor. States build higher. In 2026, the states with the most significant added requirements for outbound call centers are:

StateKey ruleNotable difference from federal TCPA
FloridaFTSA (Fla. Stat. § 501.059)Broader autodialer definition, $500/call private right of action, no ATDS-narrowing from Duguid
WashingtonRCW 80.36.390Covers landlines too; no established business relationship exception for cells
CaliforniaCCPA + state DNC (Bus. & Prof. Code § 17590)Opt-out rights, broad definition of "solicitation," CCPA consent overlap
TexasBus. & Com. Code § 305.001State DNC list, separate from federal
Oklahoma15 O.S. § 775AState-maintained DNC list

Florida is the biggest litigation threat after the federal TCPA. [9] The FTSA's private right of action and broad autodialer definition have produced a wave of class actions since 2021. If you call Florida numbers, you need Florida-specific controls.

The legal landscape varies enough that a local practitioner earns their fee. If you call heavily into any one state, that state's specific rules belong in your compliance documentation.

How should a lead gen call center structure a TCPA compliance program?

A compliance program is not a policy document that sits in a folder. It is a set of operational controls that fire every time a call goes out. Here is a reasonable minimum for a small-to-mid-size call center:

Consent intake controls: every lead source has a documented consent standard. Before a vendor goes live, someone reviews the consent form and signs off. Changes to vendor forms trigger re-review.

DNC scrubbing workflow: automated monthly scrubs against the federal registry and your internal DNC list. Your dialer should block any number on either list before the call starts, not after.

Agent training: every agent making outbound calls gets trained on what they can and cannot say, how to handle opt-out requests, and how to log issues. Document the training and refresh it at least annually.

Monitoring and QA: listen to a sample of calls each week. Watch specifically for agents pushing continued contact on someone who hesitated or said stop. One documented verbal opt-out that went ignored is a live TCPA claim.

Incident response: when a demand letter or a TCPA complaint lands, you need a written escalation process. Who gets notified? Who pulls the records? Who decides whether to settle? No process means worse decisions under pressure.

A compliance kit with templates for these five areas cuts setup time. LeadCompliant offers a free TCPA compliance kit at leadcompliant.com covering consent documentation, DNC scrub logs, and vendor due diligence checklists.

For teams worried about active suits, seeing how courts evaluate compliance programs in the kaiser TCPA settlement claim deadline case gives useful context on what documentation actually gets examined.

What should you do if you receive a TCPA demand letter?

First, do not ignore it. A demand letter is more than a negotiating tactic. It is documented evidence that you had notice of a potential violation. Every call you make after receiving it could be painted as willful if it relates to the practice the letter names.

Second, preserve everything. Lock down all call logs, consent records, DNC scrub reports, and dialer configurations for the period in the letter. Spoliation of evidence is a separate problem you do not want stacked on top of a TCPA claim.

Third, pull the records for the specific number named. What does your consent documentation show? What does your call log show? Clean records make your defense much stronger. No consent documentation is a serious problem.

Fourth, get a TCPA attorney involved before you respond. These letters often come from plaintiffs' attorneys who file quickly. Your response (or non-response) can affect both whether a suit gets filed and how it moves. The tcpa lawyer Kentucky page shows how regional practitioners approach these cases.

Fifth, size the exposure honestly. If your records are weak and the claim covers 10,000 calls, the math on settlement versus defense costs gets real fast. Many demand letters settle well below statutory exposure when the responding party has good records and answers promptly.

Nobody has great data on average settlement amounts for smaller pre-suit demand letters, because most never become public cases. What is clear from public settlements is that willful violations at large call volumes produce the biggest outcomes.

Frequently asked questions

Does the TCPA apply to B2B lead generation calls?

Mostly yes. The TCPA's restrictions on autodialed and prerecorded calls apply to any wireless number, including business cell phones. Calls to a business landline are generally not covered by § 227(b)(1)(A), but if the number is a cell phone or the call has a prerecorded element, federal rules still apply. State laws may go further and cover all business calls.

Can I still buy leads from third-party lead generators in 2026?

Yes, but only if you verify the consent form named your company specifically. Since January 27, 2025, blanket consents covering "marketing partners" do not satisfy the FCC's one-to-one consent rule. Ask every vendor for the actual consent form, confirm your name appears in it, and get a contractual indemnification clause. Buying leads with defective consent is the fastest way to inherit TCPA liability.

Keep consent records, call logs, and DNC scrub documentation at least four years. The general federal statute of limitations for civil claims under 28 U.S.C. § 1658 is four years, and courts apply that to many TCPA claims. Shorter retention schedules create gaps that are very hard to defend if a suit is filed near the end of the window.

What counts as an established business relationship (EBR) under the TCPA?

Under FCC rules, an EBR exists if the consumer made a purchase within the past 18 months, or submitted an inquiry or application within the past three months. An EBR lets you skip the federal DNC registry, but it does not override a consumer's specific request not to be called. An explicit opt-out always beats the EBR.

Does the TCPA apply to ringless voicemail drops?

The FCC has treated ringless voicemail as a "call" subject to TCPA restrictions, though no finalized rulemaking addresses it specifically. Informal FCC guidance leans toward treating RVMs as prerecorded voice messages requiring prior express consent. Courts have split on this. Treat ringless voicemail as TCPA-covered until the FCC issues definitive guidance.

What is the safe harbor for TCPA DNC violations and how does it work?

The FCC's safe harbor at 47 C.F.R. § 64.1200(c)(2)(i) protects callers who had written DNC procedures, trained personnel, maintained an internal DNC list, accessed the national registry within 31 days, and made the call unintentionally. All conditions must be met. The safe harbor is a defense, not a shield. A court still evaluates whether your procedures were actually followed.

Yes. The FCC confirmed in 2015 that consumers can revoke prior express consent at any time through any reasonable means. Once a consumer revokes consent verbally, in writing, or by texting STOP, you must stop contacting them for marketing purposes. The FCC's 2024 order added that callers must honor revocations within a reasonable time, and you may send one final confirmatory text.

How does Facebook v. Duguid (2021) affect call centers using predictive dialers?

The Duguid decision narrowed the federal ATDS definition to systems that use a random or sequential number generator. List-based predictive dialers working from a curated contact list may not be ATDSs under federal law. But prerecorded voice calls still require consent regardless of dialer type, and Florida's FTSA plus several other state laws use broader definitions that capture list-based systems anyway.

What are the TCPA penalties for a first-time violation?

Statutory damages are $500 per violation for a first-time or unintentional violation. Courts can triple this to $1,500 per violation if the defendant acted willfully or knowingly. The statute has no formal "first offender" discount. What matters is whether the violation was knowing. Even a first-time violation at scale, say 20,000 calls without proper consent, creates $10 million to $30 million in exposure before settlement.

Do I need to register with the FTC to access the national DNC list?

Yes. Organizations that make telemarketing calls must register at donotcall.gov and pay a fee to access registry data. As of recent FTC fee schedules, the cost is about $70 per area code per year, with an annual cap for full national access. You must re-scrub your calling list against a registry version no more than 31 days old before each campaign.

Prior express consent (oral or written) is enough for informational, non-marketing calls and texts. Prior express written consent is required for marketing calls and texts made with an autodialer or prerecorded voice. Written consent must include a clear disclosure, an affirmative consumer action (not a pre-checked box), and must not condition a purchase on the consumer's agreement to receive marketing communications.

Does the how to stop robocalls page help consumers understand their rights against lead gen callers?

Yes, the consumer-facing view is useful context for compliance teams. Knowing what rights consumers understand they have, including DNC registration, filing complaints with the FCC, and private lawsuits, helps compliance officers read the real-world enforcement environment. See the how to stop robocalls guide for the consumer perspective.

There are limited exemptions for healthcare calls, mainly for messages that are not marketing-focused and that meet HIPAA requirements. The FCC exempted certain non-commercial healthcare calls, such as appointment reminders and prescription notifications, from the prior express written consent requirement in 2015. But calls that generate leads for healthcare products or insurance plans are marketing calls and require full prior express written consent.

What is the FCC's 2024 lead generation ruling and when did it take effect?

The FCC issued its one-to-one consent order in December 2023, amending 47 C.F.R. § 64.1200 to require that marketing consent name one seller at a time and stay logically related to the website where it was given. The rule took effect January 27, 2025. This is the most significant TCPA rule change for lead generators in over a decade and ends the multi-party consent form model that most lead aggregators relied on.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA restricts automated calls and texts to cell phones; private right of action allows $500-$1,500 per violation
  2. Code of Federal Regulations, 47 C.F.R. § 64.1200, FCC TCPA implementing rules: FCC rules define prior express written consent, establish 8am-9pm calling hours, and set DNC safe harbor requirements
  3. FTC, National Do Not Call Registry, donotcall.gov: Telemarketers must register and pay to access the DNC registry; fee is approximately $70 per area code per year
  4. Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS definition requires capacity to use random or sequential number generator; list-based dialers may not qualify at federal level
  5. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC's TSR governs the national DNC registry and prohibits deceptive telemarketing practices
  6. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA uses broader autodialer definition than federal TCPA post-Duguid; $500 per call private right of action
  7. U.S. Code, 28 U.S.C. § 1658, statute of limitations for federal civil claims: General four-year federal statute of limitations supports retaining TCPA consent records for at least four years
  8. Electronic Code of Federal Regulations, 47 C.F.R. § 64.1200(f)(9), definition of prior express written consent: Prior express written consent defined as written agreement bearing signature clearly authorizing autodialed or prerecorded marketing messages

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit