TCPA compliant leads: what they are and how to get them

TCPA compliant leads require prior express written consent before autodials or texts. One violation can cost $500, $1,500 per call. Here's exactly how to get it right.

LeadCompliant Team
22 min read
In This Article

Last updated 2026-07-11

Hands reviewing compliance forms at a desk, illustrating TCPA compliant lead documentation
Hands reviewing compliance forms at a desk, illustrating TCPA compliant lead documentation

TL;DR

A TCPA compliant lead has given prior express written consent to be contacted by autodialer or prerecorded message, with a clear disclosure naming the seller. Without that consent, each call or text risks a $500 statutory penalty, tripled to $1,500 for willful violations under 47 U.S.C. § 227. Buying a list and dialing does not make leads compliant.

What makes a lead 'TCPA compliant' in the first place?

A TCPA compliant lead is a person who agreed, in writing, to receive autodialed calls, prerecorded messages, or marketing texts at a specific number. That agreement has to meet a precise standard the FCC set in its 2012 rulemaking and codified alongside 47 U.S.C. § 227. [1]

The statute treats consent as something that comes before the call, not after. [2] For marketing calls, the 2012 FCC rules went further. The consent has to be in writing, signed (electronic signatures count), and it has to carry a clear and conspicuous disclosure that the person agrees to receive autodialed or prerecorded calls from a named company at a named number. [3]

Here's what that means at your desk. A lead who filled out a generic web form without seeing an explicit consent disclosure is not compliant for autodialed marketing calls. The form has to tell them, in plain language, that they're agreeing to exactly those calls from exactly your company.

Handwritten or verbal consent doesn't cut it for marketing. You need something you can produce in court. A screenshot of the form, the timestamp, the IP address, and the exact consent language shown at submission. That audit trail is the line between a defensible lead and a lawsuit waiting to happen.

For the full statute, see our TCPA law guide and the plain-English TCPA breakdown.

What does the TCPA actually require for calling or texting a lead?

The TCPA at 47 U.S.C. § 227(b)(1) bars using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to call any cell phone without prior express consent. [2] It also covers residential landlines when you send a prerecorded telemarketing message. The FCC has read text messages as "calls" under the statute for years, so SMS and MMS are fully in scope. [4]

Non-marketing calls (appointment reminders, fraud alerts, informational stuff) need only prior express consent, and that can be oral. Commercial calls need the higher bar: prior express written consent. That gap shapes how you build a lead funnel.

Here is the threshold breakdown:

Contact typeConsent required
Marketing call or text to cell phone via ATDSPrior express written consent
Non-marketing informational call to cell phone via ATDSPrior express consent (oral acceptable)
Marketing prerecorded call to residential landlinePrior express written consent
Manual live call to cell phone (no ATDS)No TCPA consent required, but DNC rules still apply
Marketing text (SMS/MMS)Prior express written consent

One thing teams get wrong: the ATDS definition is contested. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed what counts as an ATDS, but many state laws fill the gap with their own definitions, and plaintiffs still argue that specific dialers qualify. [5] Don't assume your tech is safe just because it isn't a classic random-number generator.

See our TCPA 2025 update for what changed after Facebook v. Duguid and the FCC's later one-to-one consent rule.

This is the change that gutted a huge share of leads people had treated as compliant.

Before, a single consent form could list a dozen companies or say "and our marketing partners" and cover a whole roster of sellers. Lead aggregators built entire businesses on that. Someone fills out a mortgage quote form, consents to contact from "our network of lenders," and suddenly 15 companies can call.

The FCC's December 2023 order (FCC 23-107) closed it. Starting January 27, 2025, prior express written consent has to be given one-to-one: one consent, one seller. [6] The form has to name your specific company. You can't piggyback on another company's consent. You can't buy a list where consent was captured for someone else.

This hit lead generation companies hardest. Aggregators who sold shared leads had to rebuild their capture process from scratch. Buyers of those leads had to pause dialing or eat the legal risk of using pre-January-2025 shared consents.

What it means for your team: if you buy from a lead gen vendor, verify the leads were captured after January 27, 2025, on a form that named your company. Vendor assurances don't count. Ask for the actual consent language. Ask how consents are stored and for how long.

For a wider look at the shifting rules, see telemarketing rules news.

TCPA violation cost structure Statutory damages per violation under 47 U.S.C. § 227 $500 Standard violation (per cal… $1,500 Willful/knowing violation (… $53k FTC TSR civil penalty (per violation) Source: U.S. Code, 47 U.S.C. § 227 [2]

How much does a TCPA violation actually cost?

The TCPA gives every person you call a private right of action. Anyone you contact without proper consent can sue. Damages run $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones. [2] The statute sets no damages cap, and federal courts allow class actions.

That per-call figure turns catastrophic fast. Call 10,000 people without valid consent and you're looking at $5 million to $15 million in exposure before plaintiffs' attorney fees.

Real cases show the math. UnitedHealthcare reached a $2.5 million settlement over alleged TCPA violations. See our coverage: [unitedhealthcare to pay $2.5m for alleged tcpa violations.] The Cash App TCPA class action settlement and the Truist Bank TCPA class action settlement show even large banks get dragged into multi-million dollar resolutions. The Albertsons/Safeway TCPA settlement shows it reaches retail too.

Small companies are not safe. Plaintiffs' attorneys take these on contingency and target small and mid-size operations because they settle fast. A company that made 50,000 calls to unconsented numbers can catch a demand letter with eight-figure theoretical exposure and settle for several hundred thousand just to dodge litigation costs.

This risk is not hypothetical. TCPA lawsuit filings in federal court have stayed high for over a decade.

How do you actually get TCPA compliant leads through your own forms?

Building your own lead capture is the safest path because you own the consent language, the timestamp, and the audit trail. Here's what a defensible in-house consent form needs.

First, the disclosure has to be clear and conspicuous. It can't hide in a privacy policy link. It has to sit near the submit button, in readable font, in a color that shows against the background. The FCC treats "clear and conspicuous" as meaning a reasonable person would actually see it and understand it. [3]

Second, the language has to name your company and describe the type of communication. Something like: "By clicking Submit, I agree that [Your Company Name] may contact me at the number provided using an autodialer or prerecorded messages about [specific product/service]. I understand this is not a condition of purchase. Message and data rates may apply. I can opt out by texting STOP."

Third, log everything. Timestamp, IP address, the exact form version shown, and where possible a session replay or screenshot of the page at submission. If a consent dispute reaches litigation two years later, the server log is your primary evidence.

Fourth, don't condition consent on the sale. The TCPA requires that consent not be a condition of purchase. [3] If someone can't get a quote unless they check the box, that's a problem.

Fifth, keep suppression lists for anyone who revokes. Revocation has to be honored promptly. The FCC's 2024 rules set a standard for opt-out speed (for texts, within a reasonable time, which the FCC has read as within 10 business days, though honoring it immediately is the smart move). [6]

Can you buy TCPA compliant leads from a vendor, and how do you vet them?

Yes, you can buy third-party leads that are TCPA compliant, but most purchased lists are not. The burden of proof sits on you as the caller, not the vendor.

Courts have generally rejected "the vendor told me it was compliant" as a defense. In Mais v. Gulf Coast Collection Bureau, the court found that a defendant's reliance on a creditor's claim of consent did not insulate it from liability. [7] You have to verify what you're buying, more than take a warranty in a contract.

Here's what to ask any lead vendor:

1. Can you show me the exact consent language displayed to each lead? Not a template. The version live at capture. 2. Does the consent name my company, or does it reference "partners"? After January 2025, partner-consent language fails the FCC's one-to-one rule. 3. What is the timestamp and IP address for each consent record? Can you export those with the lead file? 4. How long do you retain consent records, and can I get a copy? 5. Have these leads been scrubbed against the National Do Not Call Registry within the last 31 days? [8] 6. Have any of these leads filed TCPA complaints or revoked consent?

If a vendor can't answer questions 1 through 4, walk away. A contract warranty that "leads are TCPA compliant" is close to worthless when you can't produce the actual consent record under challenge.

For leads you're unsure about, send a permission confirmation text first, before autodialing, and only proceed if they engage. That's not a legal requirement. It's a reasonable way to cut risk.

What is the National Do Not Call Registry and how does it interact with TCPA consent?

The National DNC Registry (run by the FTC under the Telemarketing Sales Rule, 16 C.F.R. Part 310) and the TCPA's consent rules are related but separate. [8] A lead can give you TCPA consent to autodial and still sit on the DNC Registry. A lead can be off the registry and still need TCPA consent for autodialed calls.

Here's how they connect. If a consumer gave you prior express written consent to call, that consent generally clears the DNC prohibition for your calls, since DNC only blocks calls the consumer hasn't agreed to. But the consent has to be specific to your company. You can't borrow someone else's consent to override the registration.

For your outbound process, scrub against the DNC Registry every 31 days at minimum. The TSR requires you to access the registry at least every 31 days before calling numbers on your list. [8] Registry access runs $80 per area code and $437 total across all area codes as of the FTC's 2024 fee schedule, with the first five area codes free. Numbers given to you directly with explicit permission to call fall outside DNC restrictions under the express written consent and established business relationship rules.

The interaction between the federal list, state DNC lists, and TCPA consent is where small teams trip. Our DNC list scrubbing overview walks through the scrubbing process.

The TCPA statute sets no expiration date for consent. The FCC hasn't drawn a bright line either. That gap creates real uncertainty.

Nobody has clean data on this. The closest guidance comes from FCC enforcement actions and court decisions, which suggest consent doesn't expire on a clock but can be revoked by the consumer at any time. [6] Courts have found that badly stale consent, paired with a changed relationship, can undercut a consent defense, but there's no three-year or five-year rule that applies cleanly.

In practice, most compliance-focused teams treat consent as valid until revoked, then re-confirm if a lead has gone dark for 18 to 24 months. That's a business judgment call, not a statutory one.

What is clear: revocation is effective the moment it happens. Under the FCC's 2024 rules, a consumer can revoke through any reasonable means, and you have to honor it. [6] Once someone says "stop calling me" or texts STOP, you can't send them marketing again, no matter what the original consent said.

Keep your suppression lists current. A lead who revoked six months ago is still revoked. Call them again and it's a willful violation, which triggers the $1,500 per-call exposure.

The TCPA existing business relationship article covers whether a prior customer relationship stands in for fresh consent (short answer: it's complicated and often doesn't).

Does the TCPA apply to B2B leads and business phone numbers?

This is one of the most common questions from outbound sales teams, and the honest answer is: it depends.

The TCPA's cell phone prohibition has no carve-out for business cell phones. Autodial a cell phone and the owner can sue under the TCPA whether or not the number is used for business. [9] Plenty of small business owners run their business off a personal cell. Calling those with an autodialer needs consent.

The B2B exemption that does exist is narrow. The FCC has indicated that autodialed calls to business landlines (not cells) don't trigger the same TCPA liability, because the cell phone prohibition targets personal cell phones. That exemption is not absolute, and it doesn't cover prerecorded voice calls to businesses.

For AI-generated calls, the FCC's February 2024 Declaratory Ruling found that AI-generated voices are "artificial" voices under the TCPA, B2B or B2C. [10] See our TCPA B2B exemption and AI calls piece for the full breakdown.

The safe posture for any B2B team dialing cell phones (which is most of them, given how business runs now) is to treat those leads like consumer leads and get the same consent. The liability is real, even where courts have been more lenient in pure business-to-business fact patterns.

What records do you need to keep to prove your leads are compliant?

When a TCPA lawsuit lands, your defense lives or dies on documentation. TCPA claims carry a four-year statute of limitations under 28 U.S.C. § 1658, so retain consent records for at least that long. [11]

For each lead contact, store the original consent form (the version captured, not a current template), the timestamp of consent, the IP address of the submitting device, the specific phone number consented for, the exact disclosure language shown at the time, and the submission confirmation. If consent came through a third-party vendor, store the vendor's certification and any consent documentation they hand over.

For outbound dialing logs, keep the date and time of each call or text, the number called, the agent or system that started it, whether it was answered, and any opt-out or stop requests.

Suppression lists have to be in a format you can query. If someone opted out, you need to show when they opted out and that no calls followed. Courts have looked for exactly that.

LeadCompliant's free compliance kit includes a consent record template and a call log structure you can drop into your CRM. That's the foundation every small outbound team should have before its first autodialed call.

For a full audit process, see our TCPA guidelines for outbound teams.

What are the biggest mistakes teams make when building TCPA compliant lead lists?

Watch enough TCPA litigation and the same patterns keep showing up.

Mistake one: buying lists without checking consent provenance. A vendor says "TCPA compliant" and the buyer treats that as proof. It isn't. Ask for actual consent records.

Mistake two: running outdated consent forms after the FCC's one-to-one consent rule took effect January 27, 2025. Any form that referenced "marketing partners" or an open-ended list of sellers no longer counts as consent for your calls.

Mistake three: skipping regular DNC scrubs. The 31-day scrub cycle is a requirement, not a suggestion. Miss it and that's an independent violation on top of any TCPA issue.

Mistake four: treating texts as safer than calls. The FCC has consistently ruled that text messages are "calls" under the TCPA. [4] Same consent standard. Teams that comply carefully on voice but run loose on SMS get burned.

Mistake five: no suppression list process. Every opt-out has to be honored immediately and recorded permanently. Calling a number that opted out is evidence of a willful violation.

Mistake six: assuming a past business relationship covers autodialing. The established business relationship exception under the TCPA is narrow and does not reach cell phone autodialer calls. [9] See our TCPA existing business relationship article.

Mistake seven: not documenting the consent form version. If your form changed over time, you need to know which version a given lead saw. Courts have asked for that exact level of detail.

For SMS marketing specifically, see our text message marketing compliance guide.

Frequently asked questions

Prior express written consent is an agreement, in writing and signed (electronic signatures count), that clearly authorizes a specific named company to contact the signer at a specific phone number using an autodialer or prerecorded voice for marketing. The consent must disclose that agreeing is not a condition of purchase. The FCC codified this standard in its 2012 TCPA rulemaking at 47 C.F.R. § 64.1200(f)(9).

A truly manual call, where a human physically dials each digit with no autodialer involvement, does not trigger the TCPA's cell phone prohibition. But you still have to comply with the National DNC Registry and TSR rules. The catch is that many dialers, even click-to-dial systems, may qualify as an ATDS under some courts' readings, so the 'manual dial' defense is riskier than it sounds.

How do I verify that a purchased lead is TCPA compliant?

Ask the vendor for the exact consent language shown to the lead, the timestamp, the IP address, and the phone number consented for. Verify the consent names your company specifically (required after January 2025 under the FCC's one-to-one consent rule). Confirm the number against the DNC Registry. A vendor who can't provide consent records for individual leads is selling you exposure, not leads.

Does the TCPA cover text messages the same way it covers phone calls?

Yes. The FCC has ruled that text messages are 'calls' under the TCPA. Marketing texts to cell phones via an autodialer need the same prior express written consent as marketing voice calls. The $500 to $1,500 per-violation damages structure applies to texts too. Every outbound SMS campaign needs a documented consent trail.

The TCPA sets no automatic expiration date for consent. It stays valid until the consumer revokes it. That said, courts have questioned very stale consent in specific contexts, and many compliance teams refresh consent after 18 to 24 months of no contact as a precaution. Once someone revokes, it is effective immediately and stays permanent until they consent again.

The FCC's December 2023 order (FCC 23-107) requires that prior express written consent for marketing calls or texts be obtained one-to-one: one consent grants permission to one named seller only. It took effect January 27, 2025. Forms that said 'and our partners' or listed multiple companies no longer satisfy this requirement for any individual seller on that list.

What is the TCPA statute of limitations, and how long should I keep consent records?

TCPA claims have a four-year federal statute of limitations under 28 U.S.C. § 1658. Some state TCPA analog claims may run on different periods. Keep all consent records, call logs, and suppression list data for at least four years from the date of the contact, more than the date of consent capture.

Are B2B leads exempt from the TCPA?

Partially. Autodialed calls to business landlines generally sit outside the TCPA's cell phone prohibition, but calling a business owner's cell phone, even for B2B purposes, still triggers the statute. AI-generated voice calls to any number, including business lines, are covered under the FCC's February 2024 ruling. There is no clean, broad B2B exemption for cell phone outreach.

Stop calling or texting that number immediately. Under the FCC's 2024 rules, consumers can revoke consent through any reasonable means, including saying 'stop calling me' out loud or texting STOP. Contact after revocation is treated as a willful violation, carrying $1,500 per-call exposure. Add them to your suppression list the same day and keep that record permanently.

Do I need to scrub my leads against the DNC Registry even if I have written consent?

If you hold prior express written consent from the individual consumer to contact them specifically, the DNC Registry prohibition generally does not apply to those calls. But run scrubs anyway as a verification step, because your consent records may have gaps. Scrub every 31 days as required by the TSR for any numbers not covered by documented individual consent.

What is the TCPA penalty for calling someone on the Do Not Call list?

A call to a number on the National DNC Registry without consent or an established business relationship can violate both the TCPA and the FTC's Telemarketing Sales Rule. TCPA statutory damages are $500 per call, or $1,500 for willful violations. The FTC can also seek civil penalties up to $53,088 per TSR violation under its 2024 penalty adjustment.

Can an established business relationship substitute for TCPA written consent?

For autodialed calls or texts to cell phones, no. The established business relationship exception applies in a narrow context under the DNC rules for telemarketers, but it does not override the TCPA's prior express written consent requirement for autodialed marketing calls to cell phones. Courts have generally rejected the EBR defense in the cell phone autodialer context.

What should a TCPA-compliant opt-in form actually say?

It should clearly state the company name that will make contact, that the contact may use an autodialer or prerecorded message, the purpose of the contact, that consent is not a condition of purchase, and how to opt out. The disclosure must sit near the submit button, be visible, and use readable text. After January 2025, it must name your specific company, not 'partners.'

What's the difference between TCPA compliance and DNC compliance?

The TCPA (47 U.S.C. § 227) governs use of autodialers and prerecorded messages, requiring prior express consent for marketing calls. DNC compliance (under the FTC's TSR and state DNC lists) prohibits calling registered numbers regardless of dialing method. Both can apply to the same call. You can violate one without the other, but a clean outbound program has to satisfy both.

Sources

  1. FCC, 2012 TCPA Omnibus Declaratory Ruling and Order (FCC 12-21): FCC 2012 rulemaking established prior express written consent requirement for marketing calls to cell phones via ATDS
  2. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: Statutory basis for TCPA prohibitions, $500 per-violation damages, $1,500 for willful violations, and prior express consent requirement
  3. FCC, 47 C.F.R. § 64.1200, Delivery restrictions: Regulatory definition of prior express written consent, clear and conspicuous disclosure requirement, and prohibition on conditioning consent on purchase
  4. U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition; equipment must use random or sequential number generation to qualify under federal TCPA
  5. FCC, Report and Order FCC 23-107 (December 2023), One-to-one consent rule and revocation standards: FCC 23-107 established one-to-one consent requirement effective January 27, 2025, and set standards for consumer revocation of consent
  6. Mais v. Gulf Coast Collection Bureau, 768 F.3d 1110 (11th Cir. 2014): Court finding that reliance on a third party's representation of consent does not shield caller from TCPA liability
  7. FTC, National Do Not Call Registry, Telemarketing Sales Rule 16 C.F.R. Part 310: TSR requires telemarketers to scrub against DNC Registry at least every 31 days; registry access fees and exemptions
  8. FCC, Declaratory Ruling on AI-Generated Voice Calls (February 2024): FCC ruled that AI-generated voices constitute 'artificial voices' under the TCPA regardless of B2B or B2C context
  9. U.S. Code, 28 U.S.C. § 1658, Statute of Limitations: Four-year federal statute of limitations applicable to TCPA claims
  10. FTC, Telemarketing Sales Rule, Civil Penalty Amounts: FTC civil penalty authority for TSR violations, adjusted to $53,088 per violation in 2024

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit