How to evaluate a compliance vendor before signing a contract

TCPA violations cost up to $1,500 per call. Here's the exact checklist to vet any compliance vendor before you hand over your data or sign anything.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-11

Two people reviewing compliance vendor contract documents at a conference table
Two people reviewing compliance vendor contract documents at a conference table

TL;DR

Before you sign, confirm the vendor scrubs against the official National Do Not Call Registry, carries errors-and-omissions insurance, writes data-freshness SLAs into the contract, and hands over third-party audit results on request. TCPA statutory damages run $500 to $1,500 per violation. A weak vendor isn't a budget line. It's a lawsuit waiting to happen.

Why does picking the wrong compliance vendor hurt so much?

The math is brutal. Under 47 U.S.C. § 227, every call or text that violates the TCPA carries a statutory floor of $500, and a court can treble that to $1,500 per violation if it finds the conduct willful. [1] A modest campaign that touches 500 wrong numbers can put you on the hook for $750,000 before anyone even talks about certifying a class. And courts have said, again and again, that hiring a vendor does not shield the calling party. You placed the call. You sent the text. You own the outcome.

Here's the problem with treating compliance tooling like you'd treat a CRM. A bad CRM costs you deals. A bad compliance vendor costs you a federal lawsuit. The TCPA has produced some of the largest consumer-protection settlements on record, and small teams are not insulated. The Cash App TCPA class action settlement and the Credit One TCPA settlement both involved companies with real legal teams and real budgets. Neither walked away cheap.

So the evaluation framework matters. Not because every vendor is dishonest. Because the burden of proof sits with you, not with them.

What should you check about a vendor's data sources?

Start here: ask where their data comes from, and get the answer in writing. If the sales rep can't give you a named source, no one at that company has thought hard about the product.

For DNC scrubbing, the only authoritative source for the National Do Not Call Registry is the FTC's own data, pulled through the Registry's official download portal. [2] Any vendor that can't name this as their primary source for residential DNC records is already a problem. They can supplement with state DNC lists (more on that below), wireless suppression data, litigator lists, and internal reassigned-number records. The federal registry is the floor everything else sits on.

The FCC's Reassigned Numbers Database (RND) created a specific obligation: check the RND before you call, so you don't reach a consumer who inherited a number from someone who gave consent. [3] A vendor who doesn't bring up the RND during the product walkthrough either doesn't include it or is betting you won't ask. Ask.

Beyond that, push on these:

  • How often is your DNC data refreshed? The FTC requires organizations that access the registry to download fresh data at least every 31 days. [2] Some vendors refresh weekly or daily. Fresher is better.
  • Do you include state-level DNC lists? Several states run their own registries with rules that sometimes reach further than federal law. [4] If your campaigns touch Florida, Indiana, or Texas, this is not optional.
  • Where does your litigator list come from? These are compilations of serial TCPA plaintiffs and their known numbers. No government version exists. They're commercial products built from court records, so ask how often they update and where new entries come from.
  • How do you handle wireless numbers? The TCPA restricts autodialed and prerecorded calls to cell phones without prior express consent. [1] Your vendor needs a wireless identification layer.

Get all of it in the contract, more than the sales deck.

There's a real difference between a software vendor that happens to scrub DNC lists and a compliance vendor that actually tracks the rules. You want the second one. Test for it directly.

Ask what changed with the FCC's one-to-one consent rules adopted in December 2023. [5] Those rules require consent for each individual seller rather than one blanket opt-in covering a dozen companies. If the rep gives you a blank look, they are not watching the regulatory calendar the way you need them to.

Ask them to explain the difference between an ATDS (Automatic Telephone Dialing System) as the Supreme Court defined it in Facebook v. Duguid (2021) and the broader FCC standard it replaced. [6] You don't need lawyers on the call. You need people who know what the current law looks like. Duguid narrowed the ATDS definition hard, and any vendor still selling you 2019-era risk models hasn't updated their thinking.

Then ask about state law. The California Consumer Privacy Act added data rights that touch SMS marketing and how you hold contact lists. [7] Florida's Mini-TCPA (Fla. Stat. § 501.059) covers intrastate calls with its own consent rules. [8] A vendor who says "we handle federal compliance" and then goes quiet on state law is telling you exactly where the gaps are.

One honest caveat. Nobody has perfect state-law coverage, and any vendor who claims they do is overselling. What you want is a vendor who names the states they cover, names the ones they don't, and tells you what to do in between.

What contract terms actually protect you?

The contract is where the real evaluation happens. A vendor who won't negotiate the terms below isn't a compliance partner. They're a data reseller who will disclaim every dollar of liability the moment you get sued.

Here's what matters.

Data accuracy SLA. Specify a minimum accuracy rate for suppression coverage and what the vendor owes you when they miss it. Industry talk generally lands around 97 to 99% for DNC scrub accuracy, but nobody publishes a universal standard. Get a number in the contract, with a remedy attached.

Indemnification clause. Will the vendor indemnify you for claims arising from errors in their data? Most won't accept unlimited indemnification, and that's fair. But a vendor that refuses any indemnification is telling you it has no confidence in its own product.

Liability cap. Related to the above. Some vendors cap liability at the contract value. On a $5,000-a-year subscription, that cap is worthless against $500-per-call exposure. Push for a cap that scales with your actual call-volume risk.

Data retention and deletion terms. CCPA and other state privacy laws set limits on how long you can hold consumer data. [7] The vendor's practices have to line up with your own obligations.

Audit rights. You should have the right to request documentation proving the vendor pulls current data from authoritative sources. If they won't grant it, walk.

Termination clause. How long does it take to leave, and do you get your data back on the way out? A vendor that makes exit hard is a vendor that doesn't want its product tested over time.

How do you compare compliance vendors side by side?

Below is a side-by-side of the dimensions that separate a credible vendor from one cutting corners. Use it as a working checklist before any sales call.

Evaluation dimensionStrong vendorWeak vendor
DNC data sourceNames FTC registry, refreshes ≤31 days, state lists included"Proprietary database" with no named source
Reassigned Numbers DatabaseIncluded or offered as add-onNot mentioned or "not necessary"
Litigator listNamed source, stated refresh frequencyBundled with no detail
State law coverageLists covered states explicitlyClaims blanket coverage
Errors-and-omissions insuranceCan provide certificateNo E&O or refuses to disclose
IndemnificationPartial indemnification negotiableZero indemnification, full disclaimer
Audit rightsContractual right to documentationNo audit rights
Regulatory updatesNamed process for tracking FCC/FTC rule changes"We stay current" with no specifics
Exit termsData portability, 30-day outLong lock-in, no data return
Third-party auditSOC 2 or equivalent availableSelf-certified only

This isn't every possible criterion, but it covers the dimensions where weak vendors are easiest to spot.

For a sense of how seriously regulators treat this: the FTC has secured multimillion-dollar settlements for DNC violations, and its public enforcement record shows the "we used a vendor" defense has not historically cut penalties for the originating caller. [9]

Key TCPA thresholds every compliance buyer should know Statutory figures from 47 U.S.C. § 227 and FTC pricing as of 2024 $500 TCPA damages per violation (base) $1,500 TCPA damages per willful violation (trebled) $79 DNC Registry access per area code / year $18k DNC Registry national file cap / year Source: 47 U.S.C. § 227; FTC National DNC Registry pricing (Citations 1, 2)

What insurance should a compliance vendor carry?

Almost nobody asks this on a vendor call. It's one of the most diagnostic questions you can raise.

Ask for a certificate of insurance, and ask specifically about errors-and-omissions (E&O) coverage, also called professional liability. E&O covers claims arising from mistakes in the vendor's service, which is exactly what you'd face if their scrub missed a number and that number turned into a TCPA claim.

A general liability policy does not cover this. Say the letters E and O out loud and make sure that's what the certificate names.

Ask about cyber liability too. If a vendor holds your contact lists and gets breached, your data is in it. State breach notification laws (all 50 states have them now) can put obligations on you even when the breach happened inside the vendor's systems. [10]

If a vendor claims E&O but can't produce a certificate within a business day, assume the coverage is thin or lapsed. Real insurance is easy to document.

How do you know if a vendor actually understands the do not call rules?

Give them a hypothetical: your rep calls a consumer, the consumer says "stop calling me," and hangs up. What are your obligations, and how does the vendor's product help you meet them?

The right answer runs through internal DNC lists. Under 16 C.F.R. § 310.4(b)(1)(iii), telemarketers must keep their own internal DNC list and honor opt-out requests within a reasonable time, which the FTC reads as 30 days. [11] The product should make it trivial to add a number to your internal suppression file and scrub against it at the moment of dialing.

You can read more about the federal registry mechanics in our piece on the do not call list. For pulling the list yourself, see how do I get the do not call list.

A vendor who only talks about the national registry and ignores internal DNC management is handing you half a product. Both lists matter. Cell phones are included, which still surprises callers who think the wireless world is somehow separate. It isn't. The mobile phone do not call list rules follow the same federal framework.

One more probe: do they check the do not call telemarketer list for business-to-business calls? B2B is more permissive under the TCPA, but state laws and industry-specific rules can still apply, and a good vendor knows the line.

What red flags should make you walk away immediately?

Some things are disqualifying. No negotiation.

They can't name their data sources. If the rep can't tell you where the DNC data comes from, nobody at that company has thought carefully about the product.

They guarantee you won't get sued. No legitimate vendor promises this. Rules change, data has gaps, and litigation risk is never zero. A vendor selling immunity is selling something that does not exist.

They pressure you with urgency. "Sign by Friday or the price doubles" is a vendor optimizing for close rates, not for your protection.

They can't produce a real contract. Some outfits in this space run on click-wrap terms with no negotiation and liability caps buried in the fine print. If your attorney can't review a real MSA, that's your answer.

They have no verifiable track record. Ask for references from companies in your industry. Ask if they've ever been part of an FTC or FCC investigation, on any side. A vendor that gets defensive about basic due diligence is telling you something.

They conflate consent management with DNC scrubbing. These are different jobs. Consent management tracks whether someone opted in. DNC scrubbing checks whether someone sits on a suppression list. A vendor who blurs them either doesn't understand the product or wants to upsell you a bundle by pretending one tool does both.

For teams running cold calling or systematic cold calls, this infrastructure matters from day one. Getting it right upfront costs a fraction of defending a single TCPA class action.

What questions should you ask on the vendor demo call?

Walk into the demo with a written list. These questions separate informed buyers from everyone else:

1. Show me the data flow: where does a phone number enter your system, what checks run, and what output do I get back? 2. What's your refresh cycle for federal DNC data, and can you show me a timestamp on your last pull? 3. Do you include the Reassigned Numbers Database? If yes, show me where it shows up in your API response or report. 4. Which state DNC registries do you cover? Give me the full list. 5. What happens when your data is wrong and someone sues me? Walk me through your indemnification stance. 6. Can you send your E&O insurance certificate before I sign? 7. How do you track regulatory changes, and how do you notify customers when something moves? 8. Show me the contract language on liability cap, data accuracy SLA, and termination rights. 9. Do you offer a litigator list? How is it built and how often is it updated? 10. If I need to exit in six months, what does that process look like and what data do I get back?

Record the answers, with permission. A vendor who answers well on the call and then delivers a contract that contradicts every answer is the norm, not the exception. The demo is the start of due diligence, not the end.

At LeadCompliant we've built a free TCPA compliance kit and several free checker tools that teams run alongside vendor vetting, so you can cross-reference what a vendor claims against your own read of what the law actually requires.

How do you handle compliance if you can't afford a paid vendor?

Real question, real answer. Not every outbound team has budget for a full platform, and some tools are genuinely expensive next to the scale of a small team.

Here's what you can do without spending much.

Access the National DNC Registry directly. The FTC sells access to telemarketers by area code. [2] As of 2024, it's $79 per area code per year, capped around $18,295 for the full national file. That's real data from the authoritative source, and for a team dialing a limited geography it's cheaper than most platforms.

Build your own internal suppression list. This costs nothing but discipline. Every opt-out request goes into a spreadsheet or CRM field, and you scrub against it before every campaign. You have to do this anyway under 16 C.F.R. § 310.4(b)(1)(iii). [11] Most CRMs automate it with a simple workflow.

Use the FCC's Reassigned Numbers Database directly. It's available via API. [3] There's a cost, but for low-volume callers it can beat a full vendor subscription.

For SMS, document consent at every touchpoint. The consent record is your main defense in a TCPA claim. A timestamp, a source, and the opt-in language captured in your database cost nothing extra and often decide whether a claim gets dismissed or settled. Text programs carry their own TCPA rules around short codes, long codes, and consent language. [12]

The honest trade-off: DIY is more work and leaves more room for human error. A good vendor cuts that error rate and watches the FCC docket so you don't have to. High call volume usually favors a vendor. A few hundred calls a month, and the direct-access route holds up fine.

What should the final contract review look like?

Once you've narrowed to one vendor and have a draft in hand, run it through this before you sign.

Have an attorney read the indemnification and liability sections. This isn't optional if your call volume means anything. An hour of attorney time is trivial against the risk.

Check that the SLA is specific. "Commercially reasonable efforts" to keep data accurate is not an SLA. It's a waiver dressed up as a promise. You want a number: 98% accuracy on DNC scrubs, or whatever the actual commitment is.

Read the auto-renewal terms. Plenty of vendor contracts renew automatically with a price bump and demand 60 to 90 days notice to cancel. Miss that window and you're locked in another year.

Make data ownership explicit. Your contact lists are your property. The contract should say so plainly and spell out what happens to your data if the vendor folds or gets acquired.

Get the regulatory update process in writing. If the FCC redefines ATDS again, or a new state law lands, what does the vendor owe you in notice and product changes? Put it in the contract, not in a rep's verbal assurance.

Then sign only when you're satisfied, not because the quarter is closing or the rep is calling daily. Compliance is a bad place to let urgency beat diligence. TCPA damages run $500 to $1,500 per call. [1] That math makes patience cheap.

Frequently asked questions

Does using a compliance vendor protect me from TCPA liability?

Not automatically. Courts have consistently held that the entity that placed the call or sent the text carries primary TCPA liability, regardless of what vendor it used. A vendor can lower your risk with accurate data and solid consent infrastructure, but it can't transfer your legal exposure. The best vendors offer partial indemnification for errors in their data. None can fully insulate you.

How often should a compliance vendor refresh their DNC data?

Federal law requires telemarketers to download fresh National DNC Registry data at least every 31 days. A vendor refreshing less often than that is creating unnecessary exposure. Many credible vendors refresh weekly or daily. Ask for a timestamp on their last pull during the demo, and make the refresh cycle a specific contractual commitment, not a verbal promise.

What is the Reassigned Numbers Database and why does it matter for vendor selection?

The FCC's Reassigned Numbers Database (RND) tracks phone numbers that were disconnected and reassigned to new subscribers. Calling a reassigned number can be a TCPA violation if the prior subscriber consented but the new one didn't. The FCC established the RND in 2018 and issued guidance on the obligation to check it. Any vendor that doesn't include RND access is missing a meaningful risk layer.

Should I ask for references from a compliance vendor?

Yes, and ask for references from companies in your industry at a similar call volume. Enterprise references mean little if you're a 10-person outbound team. Ask those references directly: did the vendor flag them when regulations changed, was the data accurate, and how did the vendor respond when something broke? The answer to that last question is the most informative one you'll get.

What's the difference between a DNC scrubbing vendor and a consent management vendor?

DNC scrubbing checks whether a number appears on a suppression list, whether that's the National Do Not Call Registry, a state list, or a litigator list. Consent management tracks whether an individual affirmatively opted in to your communications and stores proof. These are separate problems. Some platforms handle both. Many don't. Buying one when you need both leaves a gap.

Is errors-and-omissions insurance actually standard for compliance vendors?

It's common among established vendors but far from universal. Smaller or newer vendors often carry only general liability, which does not cover claims arising from data errors. Always ask for a certificate specifying E&O (professional liability) coverage before signing. If a vendor can't produce one within 24 hours, treat it as a red flag about the maturity of the whole operation.

What TCPA changes in 2023 and 2024 should a vendor already know about?

The FCC adopted one-to-one consent rules in December 2023, requiring TCPA consent to name each individual seller rather than covering multiple companies through a shared opt-in page. The effective date shifted amid litigation. Any vendor still running a one-consent-covers-all model is behind. Ask specifically how their product handles one-to-one consent documentation and whether their consent templates have been updated.

Can a compliance vendor help with state-specific rules like Florida's Mini-TCPA or California's CCPA?

Some can, and the better ones name the specific states they cover rather than claiming blanket multi-state compliance. Florida's Mini-TCPA (Fla. Stat. § 501.059) has its own consent and timing rules. California's CCPA creates data rights that touch your contact lists. Ask each vendor for a written list of the states their product explicitly covers, and separately pin down what you handle in the gaps.

How much does a typical compliance vendor cost?

Pricing varies widely and is rarely transparent. Small-team DNC scrubbing tools start around a few hundred dollars a month. Full platforms with consent management, RND access, litigator lists, and API integrations can run several thousand a month. For comparison, direct FTC access to the National DNC Registry costs $79 per area code per year, capped around $18,295 for the full national file. The right answer depends on call volume and program complexity.

What should I do if a compliance vendor makes errors that lead to a violation?

Document everything immediately: the error, the dates, the data involved, and any messages where you raised the issue. Then call an attorney before any public statement or settlement talk. If the vendor has an indemnification clause, notify them of the claim in writing. Your ability to recover from the vendor depends entirely on what the contract says, which is why negotiating those terms before signing matters so much.

Is there a certification or accreditation I should look for in a compliance vendor?

No official government certification exists for TCPA compliance vendors. SOC 2 Type II certification (from AICPA) is a meaningful signal about data security and operational controls, but it says nothing about legal compliance accuracy. Look for vendors whose leadership can cite specific FCC orders by number, who track FTC enforcement actions, and who publish transparent methodology on their data sources. Regulatory knowledge beats any badge.

How do I know if my current vendor is still adequate after a regulatory change?

Set a calendar reminder to review the relationship every six months, or whenever a major FCC or FTC action publishes. Ask your vendor in writing whether recent rule changes (name the specific rule) are already in their product. If the answer takes more than a week or comes back vague, that tells you something. The regulatory environment moves. Your vendor's product needs to move with it.

What happens to my data if a compliance vendor is acquired or shuts down?

Without explicit contract language, your data can become an asset of the acquiring company or fall under the acquirer's privacy practices, which may differ from what you agreed to. Always negotiate a termination clause that guarantees data return or deletion on exit and sets a timeline. Bankruptcy is messier, but a data return clause still gives you a legal basis to recover your lists or confirm they were deleted.

Do I need a compliance vendor for outbound SMS as well as voice calls?

Yes. The TCPA applies to both. Text messages to cell phones require prior express written consent under 47 U.S.C. § 227 and the FCC's implementing regulations. DNC registry rules apply to text marketing too. Some platforms cover both channels. Others are voice-only. If your program includes SMS, verify explicitly that the vendor's scrubbing and consent tools cover text as well as calls.

Sources

  1. Cornell LII, 47 U.S.C. § 227 (TCPA statutory text): TCPA statutory damages of $500 per violation, trebled to $1,500 for willful violations
  2. FTC, Complying with the Telemarketing Sales Rule (National Do Not Call Registry guidance): Telemarketers must download fresh National DNC Registry data at least every 31 days; area code access costs $79 per year
  3. National Consumer Law Center: Multiple states maintain their own Do Not Call registries with rules that can exceed federal requirements
  4. Supreme Court of the United States, Facebook, Inc. v. Duguid (2021): The Supreme Court narrowed the ATDS definition under the TCPA in Facebook v. Duguid (2021)
  5. California Attorney General, California Consumer Privacy Act (CCPA): CCPA imposes data rights obligations including deletion that affect how contact lists can be maintained
  6. Florida Legislature, Fla. Stat. § 501.059 (Florida Telemarketing Act / Mini-TCPA): Florida's Mini-TCPA has its own intrastate consent requirements and damages provisions for unsolicited calls
  7. FTC, News and Events (Do Not Call enforcement actions): The FTC has secured large settlements for DNC violations; using a vendor has not historically reduced penalties for the originating caller
  8. National Conference of State Legislatures, Security Breach Notification Laws: All 50 states have data breach notification laws that may impose obligations on businesses when a vendor holding their data is breached
  9. FTC, Telemarketing Sales Rule (16 C.F.R. Part 310): Telemarketers must maintain an internal DNC list and honor opt-out requests; the FTC interprets the reasonable time limit as 30 days

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit