If you purchase leads for a law firm, call center, or lead aggregation business, the Telephone Consumer Protection Act should be at the top of your compliance checklist. TCPA violations carry statutory damages of $500 per call or text, and that figure jumps to $1,500 per violation when the contact is deemed willful. In class-action litigation, these numbers add up to eight- and nine-figure settlements with alarming regularity.
The critical point most lead buyers overlook: liability does not stop with the lead seller. If you purchase a lead that lacks proper consent and then call or text that consumer, you are jointly liable for the violation. The consumer does not care where you got the number. The FCC does not care either. The only thing that matters is whether adequate consent existed at the time of contact.
This guide breaks down exactly what TCPA compliance means for lead buyers, what records you should demand from every provider, how the FCC's recent one-to-one consent rule changes the landscape, and how to spot providers who may be putting your business at risk.
What Is the TCPA and Why It Matters for Lead Buyers
The Telephone Consumer Protection Act was enacted in 1991 to address growing consumer frustration with unsolicited telemarketing calls. Over the past three decades, it has been amended and interpreted through FCC rulings to cover modern communication channels including text messages, prerecorded calls, and calls made using automatic telephone dialing systems (ATDS).
At its core, the TCPA requires that businesses obtain express written consent before contacting consumers using automated or prerecorded means for marketing purposes. This applies to any call or text that promotes a product or service, and it very much includes the initial outreach that happens when an attorney or intake specialist contacts a lead for the first time.
For lead buyers, the TCPA creates a chain of liability that flows from the lead generator through every party that eventually contacts the consumer. Courts have consistently held that the party placing the call bears primary responsibility for ensuring proper consent, regardless of whether a third-party lead provider assured them the lead was compliant. In practical terms, this means the "I bought it in good faith" defense does not hold up in court.
Key takeaway: If you buy a lead and contact the consumer without verifiable express written consent, you are exposed to $500-$1,500 in statutory damages per contact. In a class action, this exposure can reach millions of dollars across thousands of leads.
Recent enforcement trends confirm that the FCC and plaintiffs' attorneys are specifically targeting the lead generation industry. In 2024 and 2025, several major lead generators faced enforcement actions for inadequate consent practices, and the downstream buyers who used those leads were named as co-defendants. The message is clear: the regulatory environment is tightening, and lead buyers must take an active role in verifying compliance rather than relying on their providers' assurances.
What "Express Written Consent" Actually Means
The term "express written consent" has a specific legal definition under TCPA regulations, and it is more demanding than many lead buyers realize. To satisfy the requirement, the consent must meet all of the following criteria:
- Clear and conspicuous disclosure. The consent language must be easy to find and easy to understand. It cannot be buried in the middle of a lengthy terms of service document or hidden behind a hyperlink in small print. The consumer must encounter the consent disclosure in a way that is plainly visible during the normal flow of form submission.
- Specific identification of parties. The consent must name the specific companies or parties that will be contacting the consumer. Under the FCC's updated rules, a blanket reference to "our marketing partners" is no longer sufficient. The consumer must know who will be reaching out.
- Description of contact methods. The disclosure must state that the consumer may receive calls, text messages, or both, and that these contacts may be made using automated dialing technology or prerecorded messages.
- Voluntary agreement. Consent cannot be a condition of purchasing a product, receiving a service, or completing a transaction. The consumer must have the option to proceed without granting consent. This is often implemented through an unchecked checkbox that the consumer must actively select.
- Written or electronic signature. The consumer must provide a signature, which in the digital context typically means actively checking a consent box, clicking a clearly labeled button, or providing an electronic signature. Passive consent, such as simply visiting a website or filling out a form without an explicit consent action, does not qualify.
Why this matters to buyers: When you review a lead provider's consent process, ask to see the actual form the consumer completed. If the consent language is vague, bundled with other agreements, or lacks specific party identification, the leads generated through that form may not have valid consent under current FCC rules.
What to Demand from Your Lead Provider
Every lead you purchase should come with a verifiable consent record. This is not optional, and it is not something you should take on faith. A reputable lead provider will deliver structured consent documentation with every lead, and they should be able to produce the full record upon request for any lead in their system.
Here are the specific fields that a TCPA-compliant consent record should include:
| Field | Description |
|---|---|
| Lead ID | A unique identifier that ties the consent record to the specific lead. This allows you to look up the consent documentation for any individual consumer contact. |
| Timestamp (ISO 8601) | The exact date and time the consumer submitted the form, formatted in ISO 8601 (e.g., 2026-02-15T14:30:00Z). This establishes when consent was granted and whether it was active at the time of contact. |
| IP Address | The consumer's IP address at the time of form submission. This is a critical piece of evidence that corroborates the consent was provided by a real person and can help identify fraudulent submissions. |
| User Agent | The browser and device information of the consumer at the time of submission. Together with the IP address, this creates a digital fingerprint of the consent event. |
| Consent Text Hash (SHA-256) | A cryptographic hash of the exact consent language the consumer agreed to. This proves that the consent language has not been altered after the fact and provides an immutable record of what the consumer was shown. |
| Third-Party Disclosure Flag | A boolean indicator confirming that the consumer was explicitly informed their information would be shared with third parties. This is essential for any lead that will be sold or distributed to buyers. |
| Opt-Out Status | The current status of the consumer's consent, including whether they have revoked permission. A lead with a revoked consent status must never be contacted. |
If your current lead provider cannot furnish these records, or if they only provide a subset of these fields, you should treat that as a serious compliance gap. The burden of proof in a TCPA case falls on the caller to demonstrate that consent existed. A lead without a complete consent record is, from a legal standpoint, a lead without consent.
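The check a buyer can run on each record before a lead reaches the dialer, as an added example that is not code from this guide or from any provider. The key names, the "active"/"revoked" status values, and the choice to hash the UTF-8 bytes of the consent text into lowercase hex are assumptions; the guide names the fields but not their encoding.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

# Key names are assumptions; the guide lists the fields but not their keys.
REQUIRED = ("lead_id", "timestamp", "ip_address", "user_agent",
            "consent_text_hash", "third_party_disclosure", "opt_out_status")

def consent_hash(consent_text: str) -> str:
    """SHA-256 over the exact UTF-8 bytes of the consent language (assumed encoding)."""
    return hashlib.sha256(consent_text.encode("utf-8")).hexdigest()

def check_consent_record(record: dict, consent_text: str, contact_time: datetime) -> list:
    """Return a list of problems; empty means every check passed. contact_time must be tz-aware."""
    problems = [f"missing field: {k}" for k in REQUIRED if record.get(k) in (None, "")]
    if problems:
        return problems
    try:
        ts = datetime.fromisoformat(str(record["timestamp"]).replace("Z", "+00:00"))
        if ts.tzinfo is None:
            problems.append("timestamp has no UTC offset")
        elif ts > contact_time:
            problems.append("consent is dated after the planned contact")
    except ValueError:
        problems.append("timestamp is not ISO 8601")
    try:
        ipaddress.ip_address(record["ip_address"])
    except ValueError:
        problems.append("ip_address is not a valid IPv4/IPv6 address")
    stored = str(record["consent_text_hash"]).lower().encode()
    if not hmac.compare_digest(consent_hash(consent_text).encode(), stored):
        problems.append("consent_text_hash does not match the consent language on file")
    if record["third_party_disclosure"] is not True:
        problems.append("third-party disclosure flag is not set")
    if record["opt_out_status"] != "active":  # "active"/"revoked" are assumed values
        problems.append("consent is not active (opt-out recorded)")
    return problems

# Constructed sample data (not from any real provider or consumer).
SAMPLE_TEXT = "I agree to receive calls and texts from Example Law Firm, including by autodialer."
SAMPLE_RECORD = {
    "lead_id": "L-0001",
    "timestamp": "2026-02-15T14:30:00Z",
    "ip_address": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (constructed)",
    "consent_text_hash": consent_hash(SAMPLE_TEXT),
    "third_party_disclosure": True,
    "opt_out_status": "active",
}
CONTACT_AT = datetime(2026, 2, 16, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_consent_record(SAMPLE_RECORD, SAMPLE_TEXT, CONTACT_AT))
```

The hash comparison only carries weight when `consent_text` comes from a copy you captured yourself, such as the form language you reviewed during onboarding. A hash recomputed from text the provider sends alongside the record shows internal consistency and nothing more.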
The FCC's One-to-One Consent Rule
In January 2025, the FCC's one-to-one consent rule took effect, and it represents the most significant change to TCPA lead generation compliance in years. Under the previous framework, a consumer could provide consent on a single form that authorized contact from multiple companies, typically listed as "our partners" or linked through a lengthy list of affiliated entities. That era is over.
The one-to-one consent rule requires that a consumer's express written consent be given to a single, identified seller for each transaction. In practice, this means:
- No more blanket partner lists. Lead forms can no longer include a long roster of companies that might contact the consumer. Consent must be specific to each party.
- Each buyer needs individual consent. If a lead is going to be sold to three different law firms, the consumer must provide separate consent for each firm. This can be accomplished through multi-select interfaces, separate consent checkboxes, or sequential consent flows.
- Topical relevance required. The consent must be logically related to the interaction the consumer is having. A form on which a consumer seeks bankruptcy information cannot also be used to obtain consent for calls about personal injury services.
- Comparison shopping exceptions are narrow. While the FCC acknowledged that consumers sometimes want to hear from multiple providers, the comparison shopping exception requires that the consumer actively selects which companies may contact them, rather than being opted into all of them by default.
For lead buyers, this rule has profound implications. Leads generated through old-style forms with blanket consent language are no longer compliant. When evaluating a lead provider, ask them directly: how does your consent flow work under the one-to-one rule? Can you show me that the consumer specifically consented to being contacted by my organization or by the specific entities I represent?
Providers who have adapted to this rule will have redesigned their forms to capture individual consent for each downstream buyer. Providers who have not adapted are selling leads that carry significant legal risk.
Red Flags in Lead Purchasing
Not every lead provider takes compliance seriously. Some cut corners to maximize volume, and the liability for their shortcuts falls squarely on the buyers who contact those leads. Here are the warning signs that a lead provider may not be operating in compliance with TCPA requirements:
- No consent documentation provided. If your provider delivers leads without any attached consent records, or tells you the records are "available upon request" but makes the process difficult, that is a major red flag. Compliant providers proactively deliver consent data with every lead.
- Vague or generic consent language. Ask to see the actual consent text from their forms. If it says something like "by submitting this form, you agree to be contacted" without specifying who will contact them, how, and for what purpose, the consent likely does not meet current standards.
- No timestamp or IP address records. These are fundamental elements of a consent record. A provider who cannot produce timestamps and IP addresses either is not collecting them or is not retaining them, both of which indicate a lack of compliance infrastructure.
- Provider cannot explain their consent process. A compliant lead generator will be able to walk you through their entire consent flow in detail: what the form looks like, where the consent language appears, how the consumer interacts with it, and how the consent record is stored. If your provider is evasive or vague when asked these questions, proceed with caution.
- No opt-out mechanism or tracking. Ask your provider how they handle consumers who revoke consent. If they do not have a documented opt-out process with tracking and SLA commitments, leads from that provider may include consumers who have already asked not to be contacted.
- Prices that seem too good to be true. Compliance infrastructure costs money. Lead providers who invest in proper consent recording, data retention, opt-out tracking, and one-to-one consent flows have higher operating costs. A provider significantly undercutting the market on price may be cutting corners on compliance.
The 10-Day Opt-Out SLA
Under current FCC rules, when a consumer revokes consent to be contacted, that revocation must be honored within 10 business days. This applies to both the original lead seller and any buyer who has purchased the lead. The 10-day window is not a grace period for additional contacts; rather, it is the maximum time allowed for processing the opt-out through your systems.
The practical implications for lead buyers are significant:
- You need a system for receiving opt-out notifications. Whether through your lead provider's API, email alerts, or a shared dashboard, you must have a reliable mechanism for learning when a lead has opted out.
- Your CRM must be able to suppress contacts. When an opt-out is received, your systems must prevent any further calls, texts, or automated outreach to that consumer. This requires integration between your opt-out tracking and your dialer or outreach platform.
- Contacting an opted-out consumer is a willful violation. If a consumer revoked consent and you contact them outside the 10-day processing window, the per-violation penalty increases from $500 to $1,500 because the contact is considered willful or knowing.
- Documentation matters. You should maintain your own records of when opt-out notifications were received and when they were processed. In the event of a dispute, this documentation demonstrates good-faith compliance.
For a deeper look at opt-out requirements and implementation best practices, see our FCC Opt-Out Compliance Guide.
How The Legal Center Ensures Compliance
At The Legal Center, TCPA compliance is not an afterthought or an add-on feature. It is the foundation of how our platform was built. Every lead generated through our system includes a complete, verifiable consent record, and our infrastructure is designed to meet or exceed every current regulatory requirement.
- Full consent record with every lead. Every lead delivered through our platform includes a Lead ID, ISO 8601 timestamp, IP address, user agent, consent text hash, third-party disclosure flag, and opt-out status. No exceptions.
- SHA-256 consent hashing. The exact consent language presented to each consumer is cryptographically hashed at the time of submission. This provides tamper-proof evidence of what the consumer agreed to, ensuring the consent record cannot be altered after the fact.
- 7-year consent record retention. While the TCPA statute of limitations is four years, we retain complete consent records for seven years. This provides a substantial buffer for delayed claims and protects both our company and our buyers.
- 10-day opt-out SLA with automated tracking. When a consumer revokes consent, our system logs the revocation with a deadline timestamp and propagates the opt-out to all downstream buyers. We track compliance with the 10-day SLA at the system level, ensuring no opted-out consumer falls through the cracks.
- Built for one-to-one consent. Our lead generation forms were designed from the ground up to comply with the FCC's one-to-one consent rule. Consumers provide consent to specific, identified parties, and that consent is recorded individually for each authorized contact.
- Transparent audit trail. Our buyers can access consent records for any lead at any time through our portal or API. If a TCPA claim arises, you have immediate access to the documentation you need to demonstrate compliance.
Frequently Asked Questions
Both the lead seller and the lead buyer can be held liable for TCPA violations. Courts have consistently ruled that the party making the call or sending the text bears primary liability, even if they purchased the lead from a third party. If the consent record attached to a lead is inadequate, the buyer who contacts that consumer is exposed to statutory damages of $500 to $1,500 per violation. This is why verifying consent documentation before contacting any lead is not just best practice but a legal necessity.
The TCPA statute of limitations is four years, so consent records should be retained for at least that duration. However, industry best practice is to retain consent records for five to seven years to account for delayed claims, discovery periods in ongoing litigation, and state-level variations in statutes of limitations. At The Legal Center, we retain complete consent records for seven years as standard practice.
Express consent is verbal or implied permission, such as providing a phone number on a business card or during a conversation. Express written consent is a higher legal standard that requires a signed written agreement, including electronic signatures, where the consumer clearly authorizes contact via calls or texts. For telemarketing and lead generation, the TCPA requires express written consent, which must include a clear disclosure that the consumer agrees to receive calls or texts, that these may be made using automated systems, and that consent is not a condition of purchase. Simply providing a phone number on a web form does not constitute express written consent.
Yes, absolutely. Consumers can revoke consent at any time through any reasonable means, including replying STOP to a text message, calling to request removal, submitting an online opt-out form, or sending an email. Under FCC rules effective since 2025, businesses must honor opt-out requests within 10 business days. Importantly, the method of revocation does not need to match the method of consent. A consumer who consented via a web form can revoke that consent by calling your office. Continuing to contact a consumer after they have revoked consent exposes the caller to the full $500-$1,500 per-violation penalty, and such contact is likely to be deemed willful.