What is TCPA compliance for lead generation?

TCPA (Telephone Consumer Protection Act) compliance means obtaining proper consent before contacting consumers via phone or text. For lead generation, this requires documented one-to-one consent where the consumer agrees to be contacted by a specific company, not just a general opt-in.

What are the penalties for TCPA violations?

TCPA violations carry penalties of $500-$1,500 per call or text. Class action lawsuits commonly result in settlements of $5 million to $75+ million. Individual lawsuits can cost $50,000-$500,000. The financial risk of non-compliance far exceeds the cost of proper lead sourcing.

What changed with TCPA lead generation rules in 2025?

The FCC's one-to-one consent rule took effect January 2025, requiring lead generators to obtain consent for each specific company that will contact the consumer. Blanket consent forms listing multiple companies are no longer sufficient. This makes verified, compliant lead providers more important than ever.

How do I verify my lead provider is TCPA compliant?

Ask for: documented consent records with timestamps, the exact disclosure language shown to consumers, proof that one-to-one consent is collected for your company specifically, DNC scrubbing documentation, and a written compliance guarantee. Reputable providers like LeadsHunt provide all of this.

TCPA Compliance for Lead Buyers: The 2026 Guide

Key Takeaways:

The FCC's one-to-one consent rule (effective January 2025) requires consumers to consent to contact from each specific company, not a blanket list of sellers
TCPA violations carry penalties of $500-$1,500 per call or text, and class action lawsuits regularly result in multi-million dollar settlements
Lead buyers share liability with lead generators if consent was not properly obtained
Every lead provider you work with should provide clear documentation of their consent process
Maintaining your own compliance records is essential, even when buying from a trusted provider

If you buy leads for your business, TCPA compliance is not optional. It is not a nice-to-have. It is the difference between building a profitable operation and facing a lawsuit that could bankrupt your company.

The Telephone Consumer Protection Act has been around since 1991, but recent regulatory changes, particularly the FCC's one-to-one consent rule that took effect in January 2025, have fundamentally changed how lead buying works. Many businesses that were fully compliant two years ago are now exposed to significant legal risk.

This guide breaks down what you need to know as a lead buyer in 2026, what has changed, and exactly what steps to take to protect your business.

What Is the TCPA?

The Telephone Consumer Protection Act is a federal law that regulates telemarketing calls, auto-dialed calls, pre-recorded voice messages, and text messages. It was originally passed in 1991 to address consumer complaints about unwanted telemarketing.

Key TCPA provisions:

Prior express written consent is required before making telemarketing calls or texts using an automatic telephone dialing system (ATDS) or prerecorded voice
Prior express consent (not necessarily written) is required for non-telemarketing auto-dialed calls
Do Not Call (DNC) list compliance is mandatory for all telemarketing calls
Calling time restrictions limit calls to between 8 AM and 9 PM in the consumer's time zone
Caller identification must be provided on all telemarketing calls

Why lead buyers should care

You might think TCPA liability falls on the lead generator, not the buyer. That is incorrect. Under TCPA case law, the company that makes the call or sends the text is liable, even if a third party collected the consent. If you call a lead and the consent was not properly obtained, you are on the hook.

The 2025 One-to-One Consent Rule: What Changed

The FCC's one-to-one consent rule, which took effect on January 27, 2025, is the most significant change to lead buying compliance in decades. Here is what it means.

Before January 2025:

A consumer could fill out a form on a lead generation website and consent to be contacted by "up to 10 companies" in a single checkbox. This blanket consent model was the backbone of the shared lead industry.

After January 2025:

Each consumer must provide consent to be contacted by each specific company individually. A single checkbox covering multiple sellers is no longer sufficient for TCPA consent.

What this means in practice:

Lead forms must name your company specifically. Generic consent language like "I agree to be contacted by our partners" is not enough
Each company needs its own consent. If a lead is sold to 5 buyers, the consumer must have separately consented to each one
The consent must be clear and conspicuous. Buried fine print does not qualify
Logical relationship required. The consent must relate to the topic the consumer inquired about

Impact on shared leads

This rule fundamentally disrupts the traditional shared lead model. It is much harder for lead generators to obtain valid consent for multiple buyers from a single form submission. Some lead generators have adapted by showing consumers a list of companies and requiring them to select each one individually. Others have shifted to exclusive lead models where consent is obtained for one company only.

If you are buying shared leads, ask your provider exactly how they obtain one-to-one consent for your specific company. If they cannot explain it clearly with documentation, you are at risk.

TCPA Penalties and Real Consequences

The financial exposure from TCPA violations is staggering.

Statutory penalties:

Violation Type	Penalty Per Violation	Notes
Negligent violation	$500 per call/text	Applied when the caller did not intend to violate the law
Knowing/willful violation	$1,500 per call/text	Treble damages for intentional violations
DNC violation	$500-$1,500 per call	Penalties for calling numbers on the Do Not Call registry

Why the math is terrifying

Consider a scenario where you buy 200 leads per month and call each lead 5 times. That is 1,000 calls per month. If those leads were not properly consented and a class action is filed, your exposure is:

Negligent: 1,000 calls x $500 = $500,000 per month of violations
Willful: 1,000 calls x $1,500 = $1,500,000 per month of violations

And class actions often cover months or years of calling activity.

Recent enforcement examples

TCPA lawsuits are not theoretical. Thousands are filed every year, and settlements regularly reach millions of dollars. Industries that rely heavily on lead generation, including mortgage, solar, roofing, and financial services, are among the most frequently targeted.

The plaintiffs' bar actively monitors lead generation websites and uses test submissions to identify companies making non-compliant calls. This is a sophisticated, well-funded legal industry specifically targeting TCPA violations.

What Documentation to Require from Lead Providers

As a lead buyer, you need to verify that every lead you purchase was generated with proper TCPA consent. Here is exactly what to request from your lead providers.

Essential documentation:

1. Consent language

Request a copy of the exact consent language displayed to the consumer at the time they submitted their information. This should include:

Your company name specifically
Clear statement that the consumer agrees to be contacted
Disclosure of the contact methods (calls, texts, emails)
Disclosure of automated or prerecorded call technology if used

2. Consent capture proof

Your provider should be able to produce a record for each individual lead showing:

The consumer's name and contact information
The exact date and time consent was given
The URL of the page where consent was given
The IP address of the consumer
A screenshot or archive of the consent form as it appeared
The specific consent language the consumer agreed to

3. Lead source transparency

Understand exactly where and how leads are generated:

What advertising platforms are used (Google, Facebook, etc.)
What landing pages collect consumer information
Whether any sub-affiliates or third-party sources are involved
How the lead is transmitted to you (real-time API, email, etc.)

4. Compliance certifications

Ask whether the provider:

Has been audited for TCPA compliance
Carries errors and omissions (E&O) insurance
Has faced any TCPA-related legal actions
Will provide contractual indemnification for compliance failures

TCPA Compliance Checklist for Lead Buyers

Use this checklist to evaluate your current compliance posture and any new lead providers you consider working with.

Compliance Area	Requirement	Status
One-to-one consent	Lead forms name your company specifically	Required
Written consent	Consumer provides express written consent (e-signature, checkbox)	Required
Consent documentation	Provider can produce consent proof for each individual lead	Required
Clear disclosure	Consent language is clear, conspicuous, and not buried in fine print	Required
Contact method disclosure	Consumer is told they may receive calls, texts, and/or emails	Required
ATDS disclosure	Consumer is informed that automated dialing technology may be used	Required if applicable
DNC scrubbing	Leads are checked against the National Do Not Call Registry	Required
Internal DNC list	Your company maintains its own internal Do Not Call list	Required
Calling hours	Calls are placed only between 8 AM-9 PM in the consumer's time zone	Required
Caller ID	Your business name and callback number are displayed	Required
Opt-out mechanism	Consumers can easily request to stop receiving calls/texts	Required
Record retention	Consent records are stored for at least 5 years	Strongly recommended
Provider contract	Written agreement includes compliance guarantees and indemnification	Strongly recommended
Regular audits	Periodic review of provider compliance and consent documentation	Strongly recommended
Staff training	Sales team is trained on TCPA requirements and opt-out handling	Strongly recommended

Do Not Call (DNC) Requirements

TCPA compliance goes beyond consent. You must also comply with Do Not Call regulations.

National Do Not Call Registry

The FTC maintains the National DNC Registry. Before calling any lead, you should scrub the number against this registry. Numbers must be checked at least every 31 days.

Exception: If a consumer has provided prior express written consent to be contacted by your specific company, you may call them even if they are on the National DNC Registry. However, the consent must be valid under the one-to-one consent rule.

Company-specific DNC list

You are required to maintain your own internal DNC list. When any consumer requests not to be called again, you must:

Add them to your internal list within a reasonable time
Honor the request for at least 5 years
Apply the list across all calling campaigns
Train all staff to properly handle DNC requests

State-level DNC laws

Many states have their own DNC requirements that may be stricter than federal rules. Some states require registration as a telemarketer, additional disclosures, or different calling hour restrictions. Check the specific requirements for every state where you do business.

Best Practices for Lead Buyers in 2026

1. Work with reputable, transparent providers

The best protection is working with lead providers that take compliance seriously. LeadsHunt provides full consent documentation for every lead, generates leads through compliant advertising channels, and offers exclusive lead delivery that simplifies the consent process.

2. Audit your lead sources quarterly

Do not assume your provider remains compliant. Review consent language, test the lead forms yourself, and request updated compliance documentation at least quarterly.

3. Use a compliant dialing platform

Your phone system or dialer should support:

DNC list integration (both national and internal)
Time zone awareness for calling hour compliance
Call recording for documentation purposes
Opt-out tracking and enforcement

4. Train your team

Every person who makes calls or sends texts needs to understand:

How to identify themselves and the company properly
How to handle opt-out requests immediately
When it is and is not appropriate to call
What to do if a consumer seems confused about why they are being contacted

5. Document everything

Keep records of:

Lead source and consent proof for every lead you purchase
All call attempts (date, time, duration, outcome)
All opt-out requests and how they were processed
DNC scrub dates and results
Staff training dates and materials

6. Consult with a TCPA attorney

If lead buying is a significant part of your business model, invest in a relationship with an attorney who specializes in TCPA compliance. The cost of legal guidance is a fraction of the cost of a single lawsuit. Laws evolve, and having expert counsel keeps you ahead of changes.

How Different Industries Are Affected

The one-to-one consent rule impacts every industry that relies on purchased leads, but some are more affected than others.

Mortgage and financial services: Among the most heavily targeted industries for TCPA lawsuits. Mortgage lead buyers and business loan lead buyers must be especially vigilant about consent documentation.

Solar: The solar lead industry has seen significant TCPA litigation due to aggressive telemarketing practices. Compliance is non-negotiable.

Roofing and home services: Roofing leads generated through storm chasing or door-to-door canvassing face unique TCPA considerations around in-person vs. telephone solicitation.

Credit repair: Credit repair leads involve sensitive financial information, and regulators pay close attention to how these consumers are contacted.

Personal loans: Personal loan leads are subject to both TCPA and additional financial services regulations.

For a data-driven comparison of lead costs and performance across all these industries, see our Cost Per Lead Benchmarks by Industry guide.

The Advantage of Exclusive Leads for Compliance

The one-to-one consent rule has made exclusive leads significantly easier to keep compliant compared to shared leads. Here is why:

With exclusive leads, the consumer consents to contact from one specific company. The consent form names your business, the consumer checks a single box, and the compliance trail is clean and straightforward.

With shared leads, the provider must obtain separate, valid consent for each buyer. This is more complex, harder to document, and creates more opportunities for compliance failures. Each additional buyer added to the consent flow increases legal risk.

This compliance advantage is one of the key reasons many lead buyers have shifted to exclusive leads since the one-to-one consent rule took effect.

Frequently Asked Questions

Am I liable for TCPA violations if I bought leads from a provider?

Yes. The company that makes the call or sends the text bears primary TCPA liability, regardless of who generated the lead. If you call a consumer and valid consent was not properly obtained, you are exposed to statutory penalties of $500-$1,500 per call. This is why verifying your lead provider's consent process and maintaining documentation is critical for your protection.

What changed with the FCC's one-to-one consent rule in 2025?

Before January 2025, a single consumer consent form could authorize contact from multiple companies. The new rule requires consumers to provide consent to each individual company that will contact them. This means lead forms must name your specific company, and blanket consent covering a list of sellers is no longer valid. The change most significantly impacts shared lead models where multiple buyers received leads from a single form.

Can I still buy shared leads and remain TCPA compliant?

Technically yes, but it requires more diligence. Your lead provider must demonstrate that the consumer specifically and individually consented to contact from your company, not just a group of unnamed partners. Ask for documentation of exactly how one-to-one consent is obtained for your company. If the provider cannot show this clearly, do not buy those leads.

How long should I keep TCPA consent records?

There is no specific TCPA record retention requirement, but the statute of limitations for TCPA claims is 4 years. We strongly recommend retaining consent records for at least 5 years. Store the consumer's name, contact information, the date and time of consent, the URL of the consent page, the consumer's IP address, and the exact consent language they agreed to.

What happens if a consumer on my lead list is on the Do Not Call registry?

If the consumer provided valid prior express written consent to your specific company, you may contact them even if they are on the National DNC Registry. However, if they later request to be placed on your internal DNC list, you must honor that request. Always scrub your call lists against both the National DNC Registry and your internal DNC list before making any calls.

Do TCPA rules apply to text messages?

Yes. The TCPA applies to text messages (SMS and MMS) the same way it applies to phone calls. You need prior express written consent before sending marketing texts using automated technology. Informational texts (appointment reminders, delivery notifications) have different consent requirements, but any text promoting your product or service requires the same level of consent as a telemarketing call.

How do I handle a consumer who asks to stop being contacted?

Immediately. When a consumer requests that you stop calling or texting, add them to your internal DNC list and cease all contact. Train your team to process these requests in real time during calls and to handle opt-out keywords (STOP, UNSUBSCRIBE, etc.) in text messages automatically. Document every opt-out request with the date, time, and method of request.

Protect your business while growing your pipeline. LeadsHunt generates TCPA-compliant, exclusive leads across roofing, solar, mortgage, business loans, credit repair, and personal loans. Every lead includes full consent documentation and is sold to one buyer only. Contact our team to learn more about our compliance standards.