Last updated 2026-07-11

TL;DR
Dialer vendors rarely volunteer strong TCPA warranties. You have to negotiate indemnification, scrubbing representations, consent-data portability, and audit rights into the contract yourself. The statutory penalty runs $500 to $1,500 per violation under 47 U.S.C. § 227, so one bad batch call can wipe out a year of revenue. This guide covers every clause worth fighting for.
Why does your dialer vendor contract matter for TCPA liability?
Your dialer vendor is tangled up in your TCPA risk whether the contract says so or not. The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, puts liability on the party that "initiates" or "makes" a call, and courts keep asking whether a platform provider shares that exposure based on how much operational control it has [1].
The practical problem is simple. Your vendor controls things you cannot see. It decides whether the system counts as an automatic telephone dialing system (ATDS) under the statute. It decides whether numbers get scrubbed against the National Do Not Call Registry before a call goes out. It decides how consent records are stored and whether they survive when you move to a different platform. Those are liability decisions dressed up as technology decisions.
Settlements in TCPA class actions routinely run into eight figures. The Cash App TCPA class action settlement reached $15 million, and the Credit One TCPA settlement topped $12.5 million. Both involved allegations that the defendant kept calling after consent was revoked or after numbers were reassigned, exactly the kind of failure a competent dialer should catch. If your contract does not pin those failures on the vendor that caused them, you eat the loss.
Negotiating a vendor contract is tedious and most founders skip it. Don't skip it.
What is a TCPA compliance warranty and what should it actually say?
A warranty in a software contract is a written promise that something is true or stays true. A TCPA compliance warranty is the vendor's promise that its platform meets specific legal standards and keeps meeting them as the law moves.
Most vendor contracts bury this in a thin one-liner: "Vendor will comply with applicable law." That line is close to useless. It names no laws, no features, and nobody who pays when compliance breaks.
A warranty worth signing covers at least four things.
1. A representation that the dialing system's architecture has been checked against the current FCC definition of an ATDS, including the Supreme Court's 2021 ruling in Facebook, Inc. v. Duguid (141 S. Ct. 1163), which narrowed the ATDS definition to systems that use a random or sequential number generator [2]. Get the vendor to represent, in writing, that their system does not meet that definition (if they claim it doesn't) or that it is built to run inside consent-required use cases.
2. A representation that the vendor scrubs outbound numbers against the National Do Not Call Registry at a frequency that meets or beats the FCC's rule of no more than 31 days between scrubs, per 47 C.F.R. § 64.1200(c)(2) [3].
3. A representation about consent data: how it is stored, for how long, in what format, and whether you can export it. The FCC's December 2023 one-to-one consent rule (FCC 23-107) requires consent be specific to a single seller, which means every consent record needs to be yours, portable, and auditable [4].
4. A promise to notify you inside a defined window (30 days is reasonable to ask for, 90 days is common) whenever the platform changes in a way that affects TCPA compliance status.
Get all four in the contract body. Not in a linked "compliance policy" the vendor can rewrite whenever it likes.
What indemnification language should you push for?
Indemnification is the clause that decides who actually pays when a lawsuit lands. Standard vendor contracts indemnify you for third-party IP claims and data breaches. TCPA exposure is almost never covered by default, and that gap is the whole ballgame.
Here is what to ask for and what you will realistically get.
Ask for: the vendor indemnifies you for any TCPA claim that comes directly from a defect in its platform, including failure to honor Do Not Call scrubbing, failure to transmit caller ID accurately (a separate TCPA obligation under 47 U.S.C. § 227(e)), or any ATDS classification that results from system architecture the vendor never disclosed [1].
Expect pushback. The realistic outcome at most small-to-mid SaaS dialers is a mutual indemnification clause where each party covers claims arising from its own actions. That is still worth having. It creates a written record of which party owned which function.
Deal-breaker language to strike: watch for clauses that void the vendor's indemnification the moment you configured any part of the campaign. Vendors love to argue the customer "uploaded the list" or "set the dial rate" and therefore owns all the liability. That is often unfair when the vendor's own scrubbing engine failed. Tie indemnification to the specific technical function at fault, not to who touched the settings.
Watch the caps too. Many SaaS contracts cap total vendor liability at the fees you paid in the prior 12 months. Pay $800 a month for your dialer and that cap is $9,600. A $9,600 cap is a joke against a $500-per-call statutory penalty on a 10,000-call batch. Push the cap to at least 3x to 5x your annual contract value, or fight for a separate TCPA carve-out with a higher ceiling.
Nobody has clean data on what share of vendors will agree to elevated caps. In practice, mid-market vendors ($50K+ ARR) negotiate more than self-serve SaaS products where the contract is basically click-wrap.
Which scrubbing and DNC representations matter most?
DNC scrubbing is where a lot of real TCPA violations start. The rules are not complicated. The operational details are easy to botch, and vendors differ a lot in how they handle them.
The FCC requires scrubbing your call lists against the national do not call list no more than 31 days before a call [3]. Your contract should confirm the vendor does this automatically, not as an optional add-on, and that it keeps proof of scrubbing with timestamps you can pull on demand.
Beyond the federal list, you need representations about state DNC registries. States including Indiana, Texas, and Wyoming run their own registries with different rules and separate subscriptions [5]. Ask the vendor to name, in writing, which state lists they scrub against. If they only do federal, that is your gap to close with a third-party scrub before the list goes up.
Number reassignment is the related trap. The FCC's Reassigned Numbers Database (RND) lets callers check whether a number moved to a new consumer since the prior consent was captured, and safe harbor from liability for reassigned-number calls depends on querying it [6]. Ask the vendor whether they hit the RND and at what point in the call flow. Many don't by default.
For SMS the scrubbing rules track the voice rules, but the consent bar is higher: express written consent is required before you send a marketing text to a mobile number, per 47 C.F.R. § 64.1200(a)(2) [3]. If your dialer also handles text message marketing, the warranty should treat SMS as its own line item.
You can use the free DNC checker at LeadCompliant to verify individual numbers before a campaign. That is a spot-check tool, not a replacement for contractual scrubbing duties on the vendor's side.
How should you handle consent data ownership and portability?
This one gets ignored until it turns into a disaster. Your consent records are evidence. In a TCPA suit, your ability to produce a timestamped, source-identified consent record for every called number is often the line between a fast dismissal and a seven-figure settlement.
Here's the problem. Most dialer vendors store consent metadata inside their own platform. Cancel your subscription, switch vendors, or watch the vendor fold, and that data can vanish or lock up where you can't reach it.
Get explicit language in the contract that says:
- Consent records are your data, not the vendor's
- You can export all consent records in a standard format (CSV with defined fields: phone number, timestamp, source URL or call recording reference, IP address where applicable) at any time, not only at termination
- The vendor retains consent data for at least 4 years (the federal limitations period for TCPA claims is 4 years under 28 U.S.C. § 1658, and plaintiff attorneys treat that as the practical window [9])
- The vendor gives you a 90-day data access window after the contract ends
The FCC's 2023 one-to-one consent rule raises the stakes here. Under FCC 23-107, lead generators and callers have to get consent that names the specific seller, so generic "I agree to be contacted by partners" language no longer holds up [4]. Every consent record has to tie to your company by name. Your vendor's intake form and CRM need to capture that, and the record has to be yours to keep.
What audit rights should your contract give you?
Audit rights are what make a warranty real. A warranty with no audit right is just a promise you get to sue over after the damage is done. An audit right lets you catch a problem before it becomes a lawsuit.
At minimum, push for:
- The right to request scrubbing logs for any campaign, with a 10 business day turnaround
- Access to system architecture documentation good enough to evaluate ATDS status under current FCC guidance
- Notice within 30 days of any material change to the platform's dialing engine, number storage, or consent-management components
- The right to run or commission an independent technical audit once a year at your expense (you pay the cost, the vendor provides access)
Vendors sometimes resist full technical audits on IP-protection grounds. A fair compromise is letting your counsel or a named compliance consultant review documentation under NDA. Write that fallback into the contract.
If the vendor refuses any audit rights at all, treat it as a red flag. A vendor that allows zero oversight is a vendor that can't prove compliance, and you will be the one defending the suit.
For teams running high-volume cold calling campaigns, the FCC's 2015 TCPA Omnibus Order (FCC 15-72) said flatly that callers carry the ultimate responsibility for establishing consent, even when they lean on third-party platforms [8]. Audit rights are how you actually carry that responsibility.
How do you handle vendor liability limits and mutual responsibility clauses?
Almost every vendor contract caps their exposure with a limitation of liability clause. That is standard and not unreasonable on its own. The problem starts when the cap makes the warranty worthless.
| Liability Cap Structure | What It Means for You |
|---|---|
| Cap = 1x prior month fees | A $1,000/mo tool caps at $1,000 against a $500/call TCPA penalty |
| Cap = 12x prior month fees | More reasonable; equals annual contract value |
| Cap = 3-5x annual contract value | Meaningful for mid-sized campaigns |
| Uncapped for gross negligence or willful misconduct | Best practice; rare but worth asking |
| TCPA carve-out with separate higher cap | Ideal; isolates TCPA risk from general liability |
The mutual responsibility clause is the companion issue. You need the contract to split who owns what. A clean allocation reads like this: the vendor owns platform-level scrubbing, ATDS architecture, and consent record storage. You own the accuracy of the lists you upload, the consent you collect before upload, and any campaign configuration you choose.
When responsibility is fuzzy, plaintiff attorneys go for the deeper pocket, which is usually you, the company that made the calls. A written allocation does not erase your liability. It gives you a contractual basis to pull the vendor into the defense and shift part of the cost.
One practical note. Get the vendor's general counsel to sign off on the compliance warranty section specifically, more than the sales rep. A warranty the sales team agreed to but legal never reviewed is harder to enforce.
What questions should you ask a dialer vendor before you sign?
Before you negotiate a single line, get answers to factual questions about how the platform works. These are not trick questions. Any competent vendor answers them without stalling. Evasion or vagueness on any of them is information in itself.
1. Is your system classified as an ATDS under the current FCC interpretation after Facebook v. Duguid? If not, how does the architecture avoid that classification [2]?
2. How often do you scrub against the National DNC Registry, and can you show me scrubbing logs from a recent campaign?
3. Do you scrub against state DNC registries? Which ones?
4. Do you query the FCC Reassigned Numbers Database before calls? At what stage in the call process [6]?
5. Where are consent records stored? Can I export them at any time? In what format?
6. What happens to my data if I cancel? How long do you keep it and under what conditions?
7. Have you been named in a TCPA lawsuit in the past 3 years, as a defendant or a third-party defendant? (It's a fair business question. They don't have to answer, but the answer tells you plenty.)
8. Will you put a compliance warranty in the contract itself, not a linked policy page?
A vendor that answers these clearly and in writing before you sign is a vendor you can hold accountable later. The answers also give you the factual basis for the warranty language you propose.
If you're comparing multiple dialers for a new cold call program, scoring them on these eight points is faster than reading full feature matrices.
What does a realistic negotiation process look like for a small team?
Small teams have no procurement department. You are probably running this yourself, maybe with outside counsel on the final language. Here is a realistic sequence.
Step 1: Request the vendor's standard contract and compliance policy before the sales call ends. Read both before you talk price so you show up with specific questions instead of vague worry.
Step 2: Send a written list of your required contract changes before any redline exchange. Call it a term sheet or a list of business terms. It signals you are serious and lets the vendor flag non-starters early, which saves everyone time.
Step 3: Redline the contract with your own language for each warranty clause. No lawyer? The FCC's published guidance and the statute itself at 47 U.S.C. § 227 give you the technical standards to cite [1]. Name the regulation. Don't settle for "applicable law."
Step 4: Escalate to the vendor's legal or compliance team if the sales team can't approve changes. Most can't. Legal usually can.
Step 5: If the vendor refuses all negotiation on warranty and indemnification, price the risk. A $200/month dialer with zero warranty protection is not automatically cheaper than a $400/month dialer that gives you real contractual protection. The monthly difference is noise next to a $500,000 TCPA settlement.
The LeadCompliant compliance kit includes a pre-built vendor contract checklist covering the clauses described here, so you can start from a working redline instead of a blank page.
One more thing. Update the contract when the law changes. The FCC's one-to-one consent rule took effect in January 2025 [4]. If your vendor contract was last touched in 2022, it almost certainly ignores that requirement. Set a calendar reminder to review vendor contracts every time the FCC issues a major TCPA order.
Are there any recent FCC rules or court decisions that change what you should ask for?
Yes, several. The compliance ground shifted hard between 2021 and 2025, and those changes decide which warranty language matters most right now.
Facebook, Inc. v. Duguid (2021): the Supreme Court narrowed the ATDS definition, ruling that a system qualifies only if it uses a random or sequential number generator to store or produce telephone numbers [2]. That was a real win for callers using predictive dialers with pre-loaded lists. The practical effect is uneven, though. Some courts still find ATDS status based on other system traits, and the FCC has signaled it may propose new rules to close the gap. Your warranty should ask the vendor to describe the architecture in technical terms, more than assert "we are not an ATDS."
FCC One-to-One Consent Rule (FCC 23-107, effective January 2025): the FCC ruled that a consumer's consent must be specific to one named seller [4]. Lead generators who collected "consent to be contacted by multiple partners" can no longer pass that consent downstream. This is arguably the biggest operational shift since the 2015 Omnibus Order. Your contract needs to say that consent records you import must be one-to-one specific, and the vendor should flag or reject records that miss that bar.
FCC Reassigned Numbers Database (2021 implementation): the FCC built the RND so callers can check whether a number changed hands since consent was captured [6]. Safe harbor from liability for calls to reassigned numbers depends on consulting it. The rules live at 47 C.F.R. § 64.1600. Ask your vendor to confirm RND querying is part of the standard workflow, or negotiate it as a required feature.
State mini-TCPA laws: Florida's Mini-TCPA (SB 1120, effective July 2021), Oklahoma's, and others run stricter than the federal statute, with different ATDS definitions and per-call damages that can top the federal floor [5]. If your vendor claims compliance with "applicable law," make them name the specific states they analyzed and confirm the system meets those standards.
The TCPA page on this site keeps a running summary of recent FCC orders you can reference when you update contract language.
What should you do if your vendor will not negotiate warranty terms at all?
Some vendors, mostly self-serve SaaS products, will tell you the contract is non-negotiable. Sometimes that's true. Sometimes it's a negotiating position.
If the vendor genuinely won't budge on any warranty language, you have three real options.
Option one: compensate with your own controls. If the vendor won't warrant DNC scrubbing, you run a third-party scrub on every list before upload and document it. If the vendor won't warrant consent data portability, you keep your own parallel consent database outside the vendor platform. It adds overhead. It also protects you.
Option two: negotiate the price down to reflect the risk transfer. If the vendor takes no contractual responsibility for TCPA failures, they are shifting all that risk to you, and that has economic value. A 20-30% price cut is a fair ask in exchange for a click-wrap contract with no warranty. You probably won't get it, but it frames the conversation honestly.
Option three: walk. For high-volume teams the risk of a no-warranty dialer is not theoretical. Make 50,000 calls a month with a vendor whose scrubbing engine has an undiscovered bug, and the exposure at $500 per call is $25 million before any trebling for willful violations. At that volume, contract quality is a hard selection criterion, not an afterthought.
The do not call telemarketer list rules mean your own scrubbing discipline has to be airtight no matter what the vendor gives you. But disciplined manual scrubbing does not replace a vendor warranty. They cover different parts of the risk.
Frequently asked questions
What is the minimum TCPA warranty I should accept from a dialer vendor?
At absolute minimum, get a written representation that the vendor scrubs against the National DNC Registry at least every 31 days, a statement on whether the system qualifies as an ATDS under the post-Facebook v. Duguid definition, and a clause confirming you own your consent data and can export it any time. Anything less and you are absorbing risk the vendor should own by contract.
Can my dialer vendor be held liable for TCPA violations caused by their platform?
Possibly, but it turns on facts and jurisdiction. Courts have found platform providers liable when they exercise enough operational control over the dialing process. In practice, the primary defendant is almost always the company that initiated the calls. A vendor indemnification clause doesn't erase your liability, but it creates a contractual right to have the vendor cover losses caused by their own technical failures.
How often does a dialer vendor legally need to scrub against the DNC list?
The FCC requires scrubbing no more than 31 days before any call, per 47 C.F.R. § 64.1200(c)(2). So if you upload a list today, it should have been checked against the current registry within the last 31 days. Monthly automated scrubbing is the industry standard. Ask your vendor to show you scrubbing timestamps, more than confirm the policy exists.
What happened in Facebook v. Duguid and how does it affect my vendor contract?
In Facebook, Inc. v. Duguid (2021), the Supreme Court ruled that an ATDS must use a random or sequential number generator to produce or store numbers, 141 S. Ct. 1163. That narrowed the ATDS definition sharply. Your vendor should be able to represent in writing whether their system meets that technical definition, because ATDS classification drives consent requirements and liability exposure.
What is the FCC one-to-one consent rule and when did it take effect?
FCC Order 23-107 requires that consumer consent to be contacted be specific to one named seller. It took effect in January 2025. Generic "consent to be contacted by partners" language no longer protects callers. Your vendor contract and intake forms need to reflect this: every consent record should name your company specifically and tie to a single-seller consent event.
How long should I require my vendor to retain my consent records?
Ask for at least 4 years. The federal statute of limitations for TCPA claims is generally 4 years under 28 U.S.C. § 1658. Some state claims run different periods. You want to produce a timestamped consent record for every number called during that window. Also require that records stay accessible to you for 90 days after termination, whatever the retention policy says.
Does a dialer vendor need to query the FCC Reassigned Numbers Database?
Not legally required, but querying the RND provides a safe harbor from TCPA liability for calls to numbers reassigned after consent was obtained. The FCC implemented RND procedures starting in 2021, codified at 47 C.F.R. § 64.1600. Ask your vendor whether they query the RND by default. If not, build that gap into your own scrubbing workflow.
What liability cap should I negotiate with a dialer vendor?
Push for at least 3x to 5x your annual contract value, or a separate TCPA-specific carve-out with a higher cap. The default cap in most SaaS contracts equals one month of fees, which is meaningless against a $500-per-call TCPA penalty. Vendors on mid-market contracts above $50K annually generally negotiate cap levels more readily than self-serve products.
Should I ask whether my dialer vendor has been sued under TCPA before?
Yes. It's a fair business question. A vendor named as a defendant or third-party defendant in TCPA litigation has a demonstrated compliance gap you should understand before signing. Ask about the past 3 years. How they respond, whether transparent or evasive, tells you as much as the answer itself.
What should I do if a vendor says its contract is non-negotiable?
Take it seriously but test it. Ask specifically for changes to the TCPA warranty and indemnification sections. Self-serve SaaS products rarely negotiate; mid-market vendors usually will with enough deal size. If they truly won't budge, compensate with your own controls: third-party DNC scrubbing before every upload, your own parallel consent database, and documented campaign audits you run independently.
Are state DNC registries covered by a standard vendor scrubbing warranty?
Usually not. Most vendor contracts reference the federal National DNC Registry only. States including Indiana, Texas, and Wyoming maintain separate registries with their own rules and subscriptions. Ask the vendor to specify in writing which state registries they scrub. If it's federal-only, you handle state DNC compliance separately, either manually or through a third-party scrubbing service.
Does the TCPA apply to text messages sent through a dialer platform?
Yes. The FCC has read 47 U.S.C. § 227 to cover text messages since 2003. Marketing texts to mobile numbers require express written consent under 47 C.F.R. § 64.1200(a)(2). If your dialer handles SMS, your warranty should address text-specific compliance separately from voice, including consent standards, opt-out processing, and DNC scrubbing for mobile numbers.
How does a TCPA compliance warranty differ from a standard SaaS service warranty?
A standard SaaS warranty covers uptime, functionality, and data security. A TCPA compliance warranty covers specific regulatory requirements: ATDS architecture, DNC scrubbing frequency, consent data standards, and number reassignment checking. They are completely different legal territories. Make sure TCPA compliance is addressed explicitly in its own section, not assumed to be covered by a general compliance clause.
What is the penalty for a TCPA violation and why does it matter for vendor contracts?
Under 47 U.S.C. § 227(b)(3), the statutory penalty is $500 per violation. Willful or knowing violations can be trebled to $1,500 per call or text. Class actions multiply those numbers by thousands of affected consumers. A single bad batch campaign can generate millions in exposure, which is exactly why the split of responsibility between you and your dialer vendor has to be explicit and enforceable in writing.
Sources
- Cornell Law School LII, 47 U.S.C. § 227: TCPA imposes liability on parties who initiate or make calls; statutory penalty is $500, $1,500 per violation
- Cornell Law School LII, Facebook, Inc. v. Duguid, 141 S. Ct. 1163 (2021): ATDS definition requires use of random or sequential number generator to store or produce telephone numbers
- FCC, 47 C.F.R. § 64.1200 (eCFR): Organizations must scrub call lists against the National DNC Registry no more than 31 days before any call; express written consent required for marketing texts to mobile numbers
- National Conference of State Legislatures, State Telemarketing Laws: States including Indiana, Texas, and Wyoming maintain separate DNC registries with distinct rules and subscription requirements
- FCC, Reassigned Numbers Database (public site): FCC created the Reassigned Numbers Database in 2021; safe harbor from TCPA liability for reassigned-number calls depends on consulting the RND; codified at 47 C.F.R. § 64.1600
- FTC, National Do Not Call Registry: The National DNC Registry lets consumers block telemarketing calls and underpins real-world DNC scrubbing obligations
- Cornell Law School LII, 28 U.S.C. § 1658: Federal statute of limitations for TCPA claims is generally 4 years under the general federal statute of limitations
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC Telemarketing Sales Rule imposes DNC obligations parallel to FCC TCPA rules; relevant to vendor compliance scope
- FCC, Consumer help center on unwanted calls and texts: FCC consumer guidance on TCPA protections for voice calls and texts; relevant to ATDS and consent standard explanations