All Articles

Multistate AG CIDs Are the New TCPA Enforcement Vector – Troutman's April Playbook Tells You What to Do in the First 72 Hours

By Alex Paddington In Category Compliance 8 sources
Multistate AG CIDs Are the New TCPA Enforcement Vector – Troutman's April Playbook Tells You What to Do in the First 72 Hours

The civil investigative demand that lands on a lead generator’s general counsel in 2026 is no longer a single-state nuisance. It is the leading edge of a coordinated multistate process that compresses years of prior enforcement architecture – federal class actions, FCC orders, FTC consent decrees – into a parallel set of state-level inquiries that move faster, cost more, and arrive without the procedural protections of contested litigation. The first seventy-two hours after that CID hits the inbox determine whether an operator settles as a one-state outlier or gets pulled into a multistate. Most general counsel offices do not know how to triage the choice. This is the present-tense enforcement playbook; the forward-looking Know Your Agent identity framework covered separately addresses the 2027-and-beyond agent-identity layer that pairs with TCPA consent rather than the current state-AG escalation cycle.

A Civil Investigative Demand Is Not a Lawsuit, and That Is the Problem

The phone calls that reach in-house counsel on a Monday morning in 2026 sound the same. A package arrives – sometimes federal express, sometimes electronic delivery through a state AG e-filing portal – with a cover letter from an assistant attorney general’s office. Inside is a civil investigative demand: a compulsory process, signed by the AG or a designee, demanding documents, written responses, and in some states deposition testimony, on a thirty- or forty-five-day clock. There is no complaint. There is no plaintiff. There is no docket number in any court. Most general counsel offices treat the document the way they would treat a subpoena from private litigation – assign an associate, calendar the deadline, draft a partial response, negotiate an extension. That posture is the single most expensive mistake a lead generator’s compliance function can make in 2026.

The reason it is the wrong posture is that a CID is not adversarial litigation in the traditional sense. It is a one-way regulatory inquiry that builds an evidentiary record without the target’s participation in framing the questions. Every document produced in response to a CID becomes part of the investigative file. Every written response becomes a sworn statement that will be evaluated against the operator’s other public records – its FCC filings, its registered-agent filings in each state, its consent disclosures, its lead-broker contracts. The CID does not have to result in a lawsuit. It can result in an Assurance of Voluntary Compliance, an Assurance of Discontinuance, or a consent decree negotiated under settlement-privilege protections that nonetheless become public-record documents on the AG’s website. The settlement is the public-records timestamp on the operator’s compliance posture. Once it is filed, every subsequent state AG examining the operator starts from the assumption that the settled conduct happened.

Troutman Pepper Locke’s April 2026 Regulatory Oversight analysis, “Navigating Multistate State AG Investigations: From First CID to Final Settlement,” lays this out with more precision than most operators have seen in trade press. The piece, published as part of the firm’s State Attorneys General practice, treats the CID not as a litigation event but as the opening move in a regulatory negotiation that runs months to years and that has its own protocol. The protocol matters because it differs in material ways from the protocol an experienced civil litigator would default to. Time pressure is real but the underlying clock is the AG’s investigative interest, not a court-imposed schedule. Settlement leverage runs differently because there is no judge to whom the target can appeal procedural overreach. Document scope is broader because a CID’s reach is set by the AG’s enabling statute, not by Federal Rule of Civil Procedure 26.

What Troutman makes explicit is that the multistate dimension changes the calculus further. A single-state CID is a manageable matter. A coordinated multistate CID – five, ten, fifteen states arriving in close succession with parallel document demands – is a structural inflection point. The operator is not negotiating with one AG’s office; it is negotiating with a coalition organized through the National Association of Attorneys General’s Center for Consumer Protection, working off shared templates, sharing document productions through joint-defense-like arrangements, and converging on a settlement framework that has to satisfy the most aggressive state in the coalition. The single-state response posture does not scale to that environment, and the operators who have learned this lesson have learned it expensively.

This analysis covers what changed about state AG enforcement in 2025 and 2026 to make the multistate CID the dominant TCPA threat vector for lead generators, the eleven separate state Do-Not-Call registries that most lead-gen vendors quietly skip, the Texas SB 140 expansion of telephone solicitation to SMS that took effect September 1, 2025, the Operation Robocall Roundup task force that put 51 AG offices on the same enforcement footing, the Rising Eagle Capital judgment lineage that frames operator personal liability, and the Monday-morning moves that put the first seventy-two hours of a CID response on a defensible footing before external counsel arrives.

Why the Federal Vacuum Created the Multistate Vector

The state AG-led enforcement environment of 2026 is not a continuation of long-running trend lines. It is a response to two specific federal contractions, and understanding the contractions is necessary to understand why the multistate CID has become the leading edge of TCPA risk.

The first contraction is doctrinal. Federal courts have been narrowing the scope of TCPA private-right-of-action claims since the Supreme Court’s Facebook v. Duguid decision in 2021 redefined the autodialer definition. Subsequent circuit splits on what counts as an automatic telephone dialing system, on whether prerecorded-voice claims survive the Duguid analysis, on the texts-versus-calls doctrinal divide, and on Article III standing in TCPA cases have produced an environment in which federal class-action TCPA litigation is harder to certify, slower to prosecute, and less reliably profitable for the plaintiffs’ bar than it was through the late 2010s. The volume of new federal TCPA filings has not collapsed – there were thousands of new cases filed in 2025 – but the leverage that a single high-profile case used to exert on industry compliance has eroded as defendants have learned the procedural pathways to dismissal.

The second contraction is regulatory. The FCC’s 2025-2026 “Delete, Delete, Delete” initiative – a deregulatory campaign launched under Chairman Brendan Carr – has rolled back significant portions of the agency’s TCPA implementing rules. The Eleventh Circuit’s January 2025 vacatur of the FCC’s one-to-one consent rule, combined with the FCC’s own subsequent withdrawals of pending rulemaking, has produced an environment in which the federal regulatory baseline is moving downward rather than upward. For lead generators, that creates a curious asymmetry. The compliance cost of keeping pace with the prior federal baseline remains real – most operators built their consent flows, retention policies, and call-record architectures around rules that are now being unwound – but the marginal return on continuing to invest in federal-baseline compliance has fallen because the rules are receding.

State attorneys general have read this environment correctly and acted on it. The argument they have made publicly, in press releases and amicus briefs over the past eighteen months, is that the federal retreat has left consumers exposed and that state-level enforcement is the constitutional and political backstop. The argument is not novel – federal-state preemption fights have been part of consumer protection law for decades – but the operational expression of it is new. State AGs are not merely filing more lawsuits in state court; they are using the CID process aggressively, coordinating across state lines through NAAG infrastructure, and pursuing a category of defendant – telecom intermediaries and lead aggregators – that federal TCPA litigation has historically struggled to reach because of jurisdictional and pleading complexities. The CID lets a state AG investigate without first establishing standing or pleading specific harm. The multistate CID lets the AG’s office carry the investigative record from one state into related inquiries in others. The result is an enforcement vehicle that is faster than federal litigation, cheaper for the AGs to run, and harder for operators to predict because it does not show up on PACER.

Wiley Rein’s 2025 alert, “State AG Robocall Enforcement Trends: Targeting of VoIP Service Providers Continues With Coordinated AG Scrutiny of Intermediate Providers,” documented an early version of this pattern. The alert, focused on telecom intermediates, traced how the AGs’ theory of secondary liability – that VoIP carriers and intermediate providers can be held responsible for transmitting illegal calls when they have notice and fail to act – had been spreading from California’s Bonta administration into a coordinated multistate posture. The 2026 environment is a maturation of that pattern. The AGs are no longer focused only on intermediate carriers; they are working their way back up the value chain to the lead aggregators and consent farms that supply the calls in the first place.

Operation Robocall Roundup and the December 2025 Inflection Point

The single event that compressed the state AG enforcement transition into a coordinated multistate posture was Operation Robocall Roundup, the December 2025 task force action organized through the National Association of Attorneys General. The operation was unusual in scope and structure. Fifty-one state and territorial AG offices participated – effectively every U.S. AG office. The task force issued warning letters to a named set of intermediate VoIP and wholesale carriers, including Inteliquent, Bandwidth, Lumen Technologies, and Peerless Network, demanding that the carriers cease transmitting traffic from operators identified as illegal robocallers. The December 2025 Regulatory Oversight analysis of the operation, “AGs Demand End to Unlawful Robocalls Through Operation Robocall Roundup,” framed it as the first true multistate enforcement operation directed at the upstream layer of the call-transmission stack.

The structural significance of Operation Robocall Roundup is not the warning letters themselves. Warning letters from one AG to a carrier had been a feature of state telemarketing enforcement for at least a decade. The structural significance is the coordination architecture. Fifty-one offices working from a shared template, with a shared evidentiary file, against a named set of targets simultaneously, established the operational protocol that has been deployed against subsequent target categories. The protocol works. It produces faster compliance from targeted carriers because the cost of resisting fifty-one parallel inquiries is dramatically higher than the cost of resisting one. It produces evidence-sharing efficiencies that lower the per-state investigative cost. And it produces public-relations dynamics – a coordinated press release from fifty-one AGs lands harder than a release from any single office – that put political pressure on targets to settle rather than litigate.

For lead generators, the relevance of Operation Robocall Roundup is twofold. The direct relevance is that the carrier-level enforcement is being followed by parallel enforcement at the lead-aggregator level. The same coordination architecture that produced the December 2025 carrier letters has been deployed in CID form against several lead-aggregation companies in late 2025 and early 2026, according to Troutman’s State Attorneys General Monitor coverage and trade-press reporting that has been intermittent but consistent. The indirect relevance is that the carrier-level enforcement is changing the upstream environment in ways that affect lead-gen operators directly. Carriers under multistate AG scrutiny are tightening their know-your-customer posture and dropping accounts that produce complaint patterns that draw AG attention. Lead-gen operators whose call traffic flows through carriers that are themselves under enforcement pressure are seeing accounts terminated, traffic disrupted, and per-minute pricing adjusted in ways that compress operating margins regardless of the operator’s own compliance posture.

The Troutman State Attorneys General Monitor April 16, 2026 issue covered the recent multistate posture in more granular detail. The reporting is dense – the Monitor runs as a periodic intelligence product for clients of the firm – but the through-line is that the multistate enforcement coordination has become the default operating mode for telemarketing-related AG action, not the exceptional mode. Operators who built their compliance posture around the assumption that state AG enforcement would arrive serially, one state at a time, are working from an outdated model.

The Eleven State DNC Registries Most Lead-Gen Vendors Skip

Underneath the multistate enforcement architecture sits a concrete operational fact that most lead-gen general counsel offices do not fully grasp until a CID forces them to: the federal Do-Not-Call Registry is not the complete list. Eleven states maintain separate state-level DNC registries with distinct legal bases, separate enrollment populations, and separate scrubbing requirements. The states are Colorado, Florida, Indiana, Louisiana, Massachusetts, Missouri, Oklahoma, Pennsylvania, Tennessee, Texas, and Wyoming. Each registry operates under its own state telemarketing or consumer-protection statute, with its own definition of covered entities, covered calls, and covered carve-outs. Most lead-gen vendors quietly skip the eleven state lists and scrub only against the federal registry, on the implicit theory that federal coverage is sufficient. It is not.

A multistate CID will, in nearly every recent example, request scrubbing records for the federal registry and for each applicable state registry separately. The records have to demonstrate that the operator scrubbed against the right registry, on the right cadence, against the right population of outbound contact attempts. An operator that produces clean federal scrubbing records but no state-level scrubbing records is not in a defensible position; the absence of state-level scrubbing records is itself a documented compliance gap. The CID response that says “we scrub against the federal registry and rely on the federal preemption framework” is not a defense in 2026, because the controlling state statutes in each of the eleven registry states do not yield to federal preemption on the scrubbing question. The federal Telemarketing Sales Rule sets a floor; the state statutes set additional obligations on calls into those states.

The operational implication is direct. A lead-gen operator running outbound calling – whether self-generated, vendor-supplied, or aggregated – needs documented scrubbing against twelve registries (federal plus eleven state), with retention records demonstrating the scrubbing cadence, the population of numbers scrubbed, and the disposition of numbers identified as registered. The retention requirement varies by state. Some states require retention for the duration of the calling campaign plus a statutory period. Some require longer retention tied to the underlying consent record. Some require retention indexed to the consumer’s state of residence at the time of the call rather than at the time of consent capture. Operators who have built DNC scrubbing infrastructure around the federal registry alone have a documented compliance gap that is visible the moment a multistate CID lands.

The eleven-registry list itself is not stable. State legislatures move in and out of registry maintenance – Indiana and Tennessee have historically been the most active enforcement states; Wyoming and Oklahoma have smaller registry populations but stricter statutory penalties; Massachusetts has been increasing the scope of its registry through legislative amendments since 2023. Compliance has to be maintained dynamically, not as a one-time configuration. The DNC compliance requirements governing this layer are not static, and the operators who treat them as a 2018 spreadsheet item rather than a continuous compliance function are the operators who fail the first document request in a multistate CID.

There is also a layer below the registries that matters for CID exposure: state-specific call-time restrictions. Several of the eleven registry states impose calling-hour windows that are tighter than the federal 8 a.m. to 9 p.m. local-time rule. Documentation of compliance with state-by-state call-time restrictions is a recurring CID document request, and operators whose call-record systems do not preserve the consumer’s local time at the moment of dial will have difficulty producing the records the CID demands. The fix is not complicated, but it has to be implemented before the CID arrives; building the call-time-attribution layer mid-response is not a viable path.

Texas SB 140 and the SMS Expansion

The Texas Senate Bill 140 expansion is the second concrete operational fact that has changed the lead-gen compliance environment in 2026. Effective September 1, 2025, SB 140 amended the Texas Business and Commerce Code’s definition of “telephone solicitation” to include text messages – SMS and MMS – sent for telemarketing purposes. The amendment was technical in form but operationally consequential. Before SB 140, Texas AG enforcement of state telemarketing law was largely confined to voice calls. After SB 140, the same enforcement architecture – registration requirements for telephone solicitors, no-call list scrubbing, time-of-day restrictions, statutory damages – applies to SMS sent into Texas.

The Texas AG has been one of the most active state AG offices on telemarketing enforcement for the past decade. Its enforcement docket includes the Rising Eagle Capital matter and several intermediate-carrier actions. With SB 140 in effect, the office now has statutory authority to apply that enforcement architecture to the SMS lead-gen channel, which has been the primary growth channel for performance-marketing-driven consent-based lead generation since 2022. The implication for operators is direct: an SMS campaign sent to Texas residents now requires the same registration, scrubbing, time-of-day, and consent-documentation posture as a voice campaign, and the CID document requests reflect that.

What makes the Texas SB 140 change particularly significant in the multistate context is the precedent it sets. Several other state legislatures have introduced or are preparing similar amendments. The states most likely to follow include Florida, where the Florida Telephone Solicitation Act has already been litigated as covering SMS in some readings; Oklahoma, where state telemarketing statute coverage of SMS has been a subject of pending legislative attention; and California, where the political environment under AG Bonta has favored statutory expansion. The pattern matters because the state AG enforcement architecture is well-positioned to expand into each new state-level SMS-coverage statute without significant retooling. The investigative protocols, document templates, and settlement frameworks the AGs use for voice telemarketing transfer to SMS with minor adjustments.

For lead-gen operators running SMS campaigns at scale, the practical step is to treat SMS as functionally equivalent to voice for compliance-architecture purposes. The same consent capture and documentation requirements that apply to outbound voice now apply, in Texas at minimum and in additional states by year-end 2026, to outbound SMS. The same retention obligations under TCPA consent documentation standards apply. The same DNC-scrubbing obligations apply. Operators who built their SMS compliance around a thinner footprint – relying on opt-out language and the absence of voice-channel scrubbing requirements – have a documented compliance gap that becomes visible on the first multistate CID document request that asks for SMS records in parallel with voice records.

The Rising Eagle Capital Lineage and Personal Liability

The Rising Eagle Capital Group docket is the leading precedent that frames the personal-liability dimension of state AG telemarketing enforcement, and it sits underneath the multistate CID environment as a baseline reference for what an aggressive enforcement outcome can look like. The matter began as a multistate civil enforcement action – Texas, Arkansas, Indiana, Michigan, Missouri, North Carolina, North Dakota, and Ohio – against an operation that the AGs characterized as having placed billions of illegal robocalls. The case was litigated in the Southern District of Texas. In 2023, the court entered a judgment of more than $122 million, naming the operation’s principals individually as well as the corporate entities, and found multiple violations of state and federal telemarketing statutes. The May 2025 contempt order in the same docket reinforced the post-judgment compliance obligations and signaled that the court was prepared to use contempt sanctions against principals who failed to meet the judgment’s terms.

Two features of the Rising Eagle docket matter for current operators. The first is the personal-liability finding. The court did not treat the corporate veil as a meaningful protection against state AG telemarketing claims. The principals were named individually, the judgment ran against them individually, and the contempt order reached them individually. This is consistent with a broader pattern in state telemarketing enforcement – many state little-FTC and consumer-protection statutes authorize personal liability for officers and directors involved in the violating conduct – but the Rising Eagle judgment is the largest and most-cited example. For lead-gen operators whose corporate structure relies on holding companies, intermediate operating entities, and principals who hold equity but disclaim operational control, the lineage is a warning. A multistate CID document request will probe the operational-control question aggressively, and the answers the operator gives in the CID response will be evaluated against the Rising Eagle framework.

The second feature is the post-judgment compliance posture. The May 2025 contempt order arose because the judgment’s compliance terms – which required the operation to implement specific consent-capture, retention, and audit procedures – were not being met. The contempt finding underscored that an AVC, AOD, or consent decree is not a one-time event; it is a multi-year compliance obligation that the AG’s office actively monitors. Operators who settle a multistate CID with the expectation that the settlement closes the matter will discover that the matter remains open through the audit period and that violations of the settlement terms can produce penalties significantly larger than the original violation would have. The posture during a multistate negotiation has to account for the post-settlement compliance burden, not just the headline financial number.

The California AG’s prior litigation against telecommunications carriers over their role in transmitting “billions of illegal robocalls” – a matter prosecuted under AG Bonta – sits in a parallel lineage. The California posture differs from the Texas-led Rising Eagle posture in target selection (California has focused more on intermediate carriers, Texas more on lead-gen operators) but converges on the same enforcement theory: that operators and carriers who facilitate large-scale illegal calling can be held to large statutory damages, with personal liability where the conduct is severe enough. The two lineages together – Rising Eagle and the California carrier suits – frame the maximum-exposure scenario that a multistate CID can escalate into if the response is mishandled.

The First Seventy-Two Hours: A Triage Protocol

The triage protocol for the first seventy-two hours after a multistate CID arrives is the operational core of Troutman’s April 2026 piece, and it deserves restating in operator-facing terms because most general counsel offices do not work from a written protocol. The protocol that follows is consistent with Troutman’s published guidance and adapts it for the lead-gen operator’s specific compliance footprint. It is not legal advice for any specific matter; it is a practitioner-grade framework that should be customized with external counsel.

Hour zero to twelve: containment and external counsel engagement

The first action upon receipt of a CID is a litigation hold notice. The hold has to cover all documents responsive to the CID’s document categories, on the operator’s systems and on the systems of any third-party vendors handling lead data, call records, consent records, or financial records related to the conduct under inquiry. The hold notice has to go to every employee with custody or control of responsive documents, with explicit instructions on the suspension of automatic deletion or retention-policy purges. Failure to issue a timely hold is one of the most common preventable mistakes; the AG’s office will, in the response phase, ask whether a hold was issued and when, and the answer becomes part of the record.

The second action is engagement of external counsel with state AG investigation experience specifically. This is not the same skill set as TCPA class-action defense or general regulatory counsel. The AG investigation specialty is concentrated in a small number of firms – Troutman Pepper Locke, Wiley Rein, Cozen O’Connor, Venable, Davis Wright Tremaine, and a few others – and the firms that hold the relationships with the relevant AG offices have material advantages in the negotiation. The selection should be made within the first twelve hours, not the first week. The window matters because the firms that lead this practice have limited capacity and an operator who waits to engage may find that the firm with the strongest relationship with the issuing AG is already conflicted on a related matter.

The third action is preservation of the CID itself in its delivered form, with the original metadata, the cover letter, the document categories, and the named individuals at the AG’s office. The CID is the foundational document in the matter; any later disputes about scope, deadlines, or requested categories will be resolved against the CID’s text, and the original delivery establishes what was demanded.

Hour twelve to thirty-six: scope analysis and parallel CID detection

The scope analysis is the work of identifying what the CID actually demands and what it does not. CIDs are typically broad, with document categories that read as overinclusive. The work is to map each demanded category to the operator’s actual systems, identify what is responsive, identify what is non-responsive but might appear responsive, and identify what may be subject to privilege or other production limitations. This work is best done with external counsel, not in-house alone, because the scope-analysis output drives the document-collection plan and the negotiation positions on extension and modification.

The parallel-CID detection is the work of identifying whether the multistate dimension is already operating. A CID from Indiana that arrives on Monday is unlikely to be alone if the underlying conduct affects multiple states; CIDs from Texas, Florida, and other registry states may be in transit or about to arrive. The detection methods include direct outreach by external counsel to AG offices in the states most likely to be coordinating, monitoring of AG public-record systems for related filings, and review of any communications the operator’s customer service or compliance functions have received from state AG offices in the prior thirty days. Many multistate CIDs are preceded by informal contacts – a complaint forwarded from one AG to another, a carrier-level inquiry, a regulatory-agency notification – and reconstructing those contacts is part of understanding the multistate footprint.

Hour thirty-six to seventy-two: document collection scoping and Monday move list

The document-collection scoping is the work of estimating the volume and complexity of responsive documents and aligning the production plan with the CID deadline. For a lead-gen operator running outbound at scale, the responsive document set typically includes: call records and call-detail data; SMS records and platform logs; consent records linked to each call or SMS; DNC scrubbing logs; lead-source documentation including buyer agreements and affiliate contracts; vendor agreements with carrier and intermediate-carrier counterparties; financial records demonstrating revenue from the conduct under inquiry; complaint logs; and internal communications about compliance posture. The volume is typically large – millions of records in a moderate-sized operator’s case – and the production has to be structured for AG review, with clear indexing, document numbering, and metadata preservation.

The Monday move list – the set of operational steps the operator should be running in parallel with the formal CID response – is the part of the protocol that distinguishes operators who emerge from the matter in better compliance shape from those who emerge weaker. The list includes:

  • Confirm which state DNC registries the operator is currently scrubbing against, with documentation of the scrubbing cadence and the registries covered. If any of the eleven state registries are not in the current scrubbing set, the gap has to be acknowledged in the response and remediated immediately.
  • Document call-record retention policies against each state’s statutory requirements. If the retention policy is shorter than any applicable state statute, the gap has to be acknowledged and the policy adjusted forward.
  • Pre-assign external counsel for each state in which a CID may arrive. The pre-assignment is operationally important because once a CID arrives in a new state, the engagement timeline compresses to days; having a relationship in place reduces the engagement-cost compression.
  • Audit the consent-capture flow for the TCPA consent documentation standard. The audit will identify gaps in disclosure language, retention completeness, and lead-source attribution that will become CID document requests.
  • Audit call recording for state-by-state recording-law compliance. Recording-law violations are a frequent secondary CID category and are easier to fix before the CID’s recording-related document request lands.
  • Review the operator’s arbitration clause posture for related private-litigation exposure. While the CID itself is not subject to private-action defenses, the underlying conduct may produce parallel private litigation, and the arbitration posture affects the multi-front defense strategy.
  • Confirm registered-agent and service-of-process records in each of the eleven registry states. The CID will arrive at the registered agent; if the agent records are stale, the operator may receive the CID late, which compresses the response timeline.

The Monday move list is not a substitute for the formal CID response. It is the parallel work that makes the formal response defensible, and it is the work that distinguishes the operators who become outliers in a multistate from the operators who become coalition targets.

The settlement vehicles that resolve multistate CIDs deserve a separate treatment because they differ in operational consequence and because the differences are not always understood. The three primary vehicles are the Assurance of Voluntary Compliance, the Assurance of Discontinuance, and the consent decree.

Assurance of Voluntary Compliance

The AVC is the most common settlement vehicle in state AG telemarketing matters. It is a contractual agreement between the AG’s office and the target, executed without filing a complaint, that documents the AG’s findings, the target’s commitments to specified compliance measures, and any monetary component. The AVC is a public record but not a court order. Its enforceability runs through state contract law and the AG’s enabling statute. Violation of an AVC typically produces a follow-on enforcement action that treats the AVC violation as a separate predicate, often with stipulated penalties.

For an operator considering an AVC settlement, the operational consequences include: the AVC’s compliance terms become the operator’s regulatory baseline for the AVC’s duration (typically three to seven years); the AVC’s findings establish a public record that other state AGs can reference in their own assessments; the AVC’s audit provisions typically require periodic compliance certifications, retention of records for the AVC’s duration, and the AG’s right to request supplemental document productions. The financial component varies widely – AVCs in telemarketing matters have settled at amounts ranging from low six figures for single-state matters to tens of millions for multistate matters with complex remedial provisions.

Assurance of Discontinuance

The AOD is similar to the AVC in structure but is the term used in some states (notably New York, Massachusetts, and a few others) for the same instrument. The substantive provisions are typically equivalent. The procedural pathway and the enforcement mechanism are the same. Multistate settlements that include AOD-using states and AVC-using states are typically captured in a single coordinated settlement document that uses both terms or that uses each state’s local term in the state-specific schedule of the agreement.

The consent decree is the more formal vehicle, used when the AG’s office has filed a complaint and the parties settle the litigation through a court-entered judgment. The consent decree carries the additional weight of judicial enforcement – violations are sanctionable through contempt – and is the vehicle the AGs prefer when the conduct is severe or when the target has a history of non-compliance with prior AVCs. The Rising Eagle docket’s $122 million judgment was a consent-decree-adjacent vehicle (a default-and-summary-judgment lineage rather than a negotiated decree, but the post-judgment compliance terms operate similarly).

For multistate CIDs that escalate to litigation, the consent decree is the typical settlement vehicle. The negotiation differs from AVC negotiation because the court’s role introduces additional procedural protections for the target – but also because the public record is more complete, the enforcement is harder, and the post-settlement compliance burden is heavier.

The selection between vehicles is largely the AG coalition’s decision, with the target’s input on form rather than substance. Targets who push back hard on the litigation pathway can sometimes negotiate AVC resolution even where the AGs initially preferred consent-decree treatment, but the leverage runs heavily toward the AG side because the alternative for the target is contested litigation in eight to fifteen jurisdictions in parallel, which most operators cannot sustain.

The Approaches That Will Underperform This Cycle

Three responses to the multistate CID environment are visible in operator behavior and each will produce worse outcomes than its proponents expect.

The first is the federal-only compliance posture. The argument runs that the federal TCPA and TSR set the controlling baseline, that state-level requirements are largely duplicative, and that compliance with federal rules is sufficient for any reasonable enforcement scenario. The argument was defensible in 2018. It is wrong in 2026, because the controlling enforcement vehicle is the multistate CID and the multistate CID’s document requests are organized around state-specific compliance obligations that are not preempted. An operator running federal-only compliance will be unable to produce state-specific scrubbing records, state-specific retention records, or state-specific consent disclosures, and the absence of those records is itself the documented compliance gap that drives the settlement posture. The federal-only operator becomes the outlier the multistate coalition uses as the settlement template.

The second is the litigate-everything posture. The argument runs that AGs are overreaching, that the CID process is procedurally vulnerable, and that an aggressive litigation defense will deter further enforcement. The argument has surface appeal but underestimates the asymmetry of the litigation cost. The AGs’ offices have institutional capacity to litigate the matter for years; the lead-gen operator does not. Even where the operator’s legal positions are defensible on the merits, the cost of contested litigation in eight to fifteen jurisdictions in parallel – discovery disputes, motion practice, depositions, joint-defense coordination – is rarely consistent with the operator’s enterprise value. The litigate-everything operator typically settles on worse terms than the operator who entered the negotiation with a defensible compliance posture and a willingness to remediate.

The third is the single-state-settlement posture. The argument runs that resolving the first CID quickly with the issuing AG produces a clean record that subsequent states will respect. The argument misunderstands the multistate coordination architecture. A single-state settlement does not bind the other states in the coalition; it documents the operator’s posture in a way that the other states will reference in their own settlements, typically demanding terms equal to or stricter than the first settlement’s terms. The single-state operator who settles fast on what looks like favorable terms will see the next state’s CID arrive within weeks, asking for terms that incorporate the first settlement plus additional state-specific provisions. The compounded settlement burden is typically larger than the burden of negotiating a coordinated multistate resolution from the start.

The pattern across the three is the same: each underestimates the multistate coordination architecture and overestimates the operator’s leverage in a single-front response posture.

The Strategic Reframe: Three Principles for the Multistate Era

The right response to the multistate CID environment starts from a different premise. The state AG enforcement architecture is the dominant TCPA risk vector for lead generators in 2026, and the operator’s compliance posture has to be designed for that architecture rather than for the federal architecture that preceded it. Three principles flow from that premise.

Principle one: design for state-by-state evidentiary production from the start

The operator’s compliance architecture should treat documentation as the primary deliverable, not the secondary deliverable. Every consent capture, every scrubbing event, every call record, every SMS log, every retention disposition, every vendor interaction has to be captured in a form that can be produced to a state AG on a thirty-day clock. The standard is not “we comply” but “we can prove we comply, on each state’s specific requirements, with records the AG’s office will accept.” Operators who design backward from the production standard build compliance architectures that hold up in CID response. Operators who design forward from the regulatory text and treat documentation as an afterthought build architectures that fail at the document-request step.

Principle two: maintain a multistate exposure map continuously, not reactively

The operator should maintain, as a continuous compliance function, a map of its outbound calling and SMS volume by state, mapped against each state’s registry, retention, time-of-day, and consent requirements. The map should be updated quarterly at minimum, with attention to legislative and regulatory changes in each state. The map’s purpose is to identify exposure before a CID arrives, not to scramble to identify exposure after. The eleven registry states are the primary focus, but secondary states with significant volume – California, New York, Illinois, New Jersey – also warrant attention because their enforcement environments are aggressive even where they do not maintain separate registries.

Principle three: pre-position external counsel relationships in the priority enforcement states

The operator should maintain working relationships with external counsel in the priority enforcement states – Texas, California, Indiana, Tennessee, Massachusetts, Florida, at minimum – so that a CID arriving in any of those states can be triaged with engaged counsel within hours, not days. The pre-positioning matters because the firms that hold the relevant AG relationships are concentrated in a small number of practices, because the engagement-conflict landscape evolves, and because the best counsel for a Texas CID is typically not the same as the best counsel for a Massachusetts CID. The relationship maintenance – periodic check-ins with the firms, occasional matter assignments to keep the engagement current, understanding of each firm’s current AG relationship status – is itself a compliance function that lead-gen operators have historically underinvested in.

What Operators Should Be Doing in the Next Ninety Days

The multistate CID environment is mature. Operation Robocall Roundup is eighteen months old. Texas SB 140 is seven months in effect. Troutman’s April 2026 navigation guide is the public articulation of a protocol that the AGs have been running against operators since at least mid-2025. The operators who are still running compliance against the federal-only baseline are not in a defensible posture; the operators who are running against state-by-state baselines are in a defensible posture but are working against an enforcement architecture that has accelerated faster than most compliance functions have.

The next ninety days are the planning window for any operator that has not yet completed a compliance architecture redesign for the multistate environment. The work that needs to happen in that window includes: an audit of current scrubbing posture against all twelve registries (federal plus eleven state); an audit of consent-capture and retention against each state’s controlling statute; an audit of call recording and call-time compliance against state-by-state requirements; an audit of SMS compliance against the post-SB-140 Texas baseline and the comparable expansions in other states; engagement of external counsel for AG investigation specialty in the priority enforcement states; and a review of corporate structure and individual-officer exposure against the Rising Eagle precedent.

The work is not glamorous. It is record-keeping, system instrumentation, and counsel relationships. It is also the work that determines whether the operator’s enterprise value is preserved through the next eighteen months of enforcement activity or compressed by a multistate settlement that the federal-only-compliance operator was unable to anticipate. The operators who complete this work in the next ninety days will be the operators who, when a CID arrives, can produce the records, control the scope, and negotiate from a defensible posture. The operators who delay will be the operators who become the next multistate template.

Key Takeaways

The civil investigative demand is not a lawsuit, and that is the problem. A CID is a one-way regulatory inquiry that builds an evidentiary record without the target’s participation in framing the questions, and the resulting AVC, AOD, or consent decree becomes a public-records timestamp on the operator’s compliance posture that subsequent state AGs will reference.

The federal TCPA enforcement vacuum – the Duguid doctrinal narrowing of private rights of action, the FCC’s 2025-2026 “Delete, Delete, Delete” rule rollbacks – has created an enforcement gap that state AGs have moved to fill, with the multistate coordination architecture organized through the National Association of Attorneys General Center for Consumer Protection as the operational vehicle.

Operation Robocall Roundup, the December 2025 51-state AG task force action, established the multistate enforcement protocol that has been deployed in CID form against lead-aggregation operators in late 2025 and 2026, and the protocol’s coordination efficiency makes it materially harder to defend against than serial single-state enforcement.

Eleven state Do-Not-Call registries operate beyond the federal registry – Colorado, Florida, Indiana, Louisiana, Massachusetts, Missouri, Oklahoma, Pennsylvania, Tennessee, Texas, and Wyoming – and lead-gen operators who scrub only against the federal list have a documented compliance gap that becomes visible on the first multistate CID document request.

Texas SB 140, effective September 1, 2025, expanded “telephone solicitation” under Texas state telemarketing law to include SMS, bringing SMS lead-gen campaigns into Texas under the same registration, scrubbing, and consent architecture that previously governed only voice campaigns, and similar amendments are pending in other states.

The Rising Eagle Capital Group lineage – a $122 million-plus judgment in the Southern District of Texas (2023) followed by a May 2025 contempt order – frames the personal-liability dimension of state AG telemarketing enforcement, and the corporate-veil arguments lead-gen operators have historically relied on do not consistently survive state little-FTC and consumer-protection statutes.

The first seventy-two hours of multistate CID response determine the matter’s trajectory. Hour zero to twelve covers litigation hold and external counsel engagement; hour twelve to thirty-six covers scope analysis and parallel-CID detection; hour thirty-six to seventy-two covers document-collection scoping and the parallel Monday move list of operational remediations.

Three approaches will underperform: the federal-only compliance posture (becomes the multistate settlement template); the litigate-everything posture (cost-asymmetric and rarely consistent with operator enterprise value); the single-state-settlement posture (does not bind other coalition states and typically produces a compounded settlement burden).

The next ninety days are the planning window for any operator that has not completed a compliance architecture redesign for the multistate environment. The next one hundred and eighty days are the build window. The operators who complete the work in those windows will run the next eighteen months of enforcement activity from a defensible posture; the operators who delay will become the next template.

Frequently Asked Questions

What is a civil investigative demand and how does it differ from a subpoena?

A civil investigative demand is a pre-litigation compulsory process used by state attorneys general to obtain documents, written responses, and in some states deposition testimony from a target without first filing a lawsuit. It differs from a litigation subpoena in three important ways. First, it is issued unilaterally by the AG’s office under the office’s enabling statute, not by a court, so the procedural protections that apply to subpoenas under the Federal Rules of Civil Procedure or state analogs apply only loosely if at all. Second, it builds an evidentiary record before any complaint is filed, meaning the target’s responses become part of the investigative file regardless of whether litigation later results. Third, it carries its own enforcement mechanism – refusal to comply typically produces a separate enforcement action by the AG’s office, which can be more aggressive than the underlying matter that prompted the CID. The combined effect is that the CID is a more powerful investigative tool than a subpoena and one for which most general counsel offices have less prior experience.

Why are state attorneys general taking the lead on TCPA enforcement instead of the FCC or FTC?

Two converging factors. The federal TCPA private-right-of-action framework has narrowed since the Supreme Court’s 2021 Facebook v. Duguid decision, with subsequent circuit splits limiting plaintiff-side leverage and reducing the deterrent effect of federal class-action TCPA litigation. At the same time, the FCC’s 2025-2026 “Delete, Delete, Delete” rule-rollback initiative has reduced the federal regulatory footprint, including the Eleventh Circuit’s January 2025 vacatur of the FCC’s one-to-one consent rule. State AGs have argued publicly that the federal retreat leaves consumers exposed and that state-level enforcement is the constitutional and political backstop. They have backed that argument with operational coordination through the National Association of Attorneys General, producing a multistate enforcement architecture that is faster than federal litigation, cheaper for the AGs to run, and harder for operators to predict.

What is Operation Robocall Roundup and why does it matter for lead generators?

Operation Robocall Roundup is an December 2025 multistate enforcement initiative organized through NAAG’s Center for Consumer Protection. Fifty-one state and territorial AG offices participated. The operation’s first public action was a coordinated set of warning letters to intermediate VoIP and wholesale carriers, including Inteliquent, Bandwidth, Lumen Technologies, and Peerless Network. The operation matters for lead generators because the same coordination architecture – shared evidentiary files, common document templates, simultaneous action across all participating offices – has been deployed against lead-aggregation operators in subsequent multistate CIDs in late 2025 and 2026. The operation established the multistate protocol as the AGs’ default operating mode for telemarketing enforcement, replacing the prior pattern of serial single-state action.

Which states maintain Do-Not-Call registries beyond the federal list?

Eleven states operate separate state-level DNC registries with distinct legal bases and scrubbing requirements: Colorado, Florida, Indiana, Louisiana, Massachusetts, Missouri, Oklahoma, Pennsylvania, Tennessee, Texas, and Wyoming. Each registry operates under its own state telemarketing or consumer-protection statute, with its own definition of covered entities, covered calls, and covered carve-outs. Lead generators making outbound calls into any of those states need documented scrubbing against both the federal registry and the applicable state registry, with retention records demonstrating scrubbing cadence, the population of numbers scrubbed, and the disposition of numbers identified as registered. Operators who scrub only against the federal registry have a documented compliance gap that becomes visible on the first multistate CID document request.

What did Texas SB 140 change about telemarketing law?

Effective September 1, 2025, Texas SB 140 amended the Texas Business and Commerce Code’s definition of “telephone solicitation” to include text messages – SMS and MMS – sent for telemarketing purposes. Before SB 140, Texas state-law enforcement of telemarketing rules was largely confined to voice calls. After SB 140, the same enforcement architecture – registration requirements for telephone solicitors, no-call list scrubbing, time-of-day restrictions, statutory damages – applies to SMS sent into Texas. The Texas AG, one of the most active state AG offices on telemarketing enforcement, can now apply that enforcement architecture to the SMS lead-generation channel. The amendment matters in the multistate context because it sets a precedent that other state legislatures are following – Florida, Oklahoma, and California are among the states with introduced or pending similar amendments – and the state AG enforcement architecture transfers cleanly from voice to SMS as new state statutes take effect.

What is the Rising Eagle Capital Group docket and why is it the leading personal-liability precedent?

Rising Eagle Capital Group is the robocall operation that became the subject of a multistate civil enforcement action in the Southern District of Texas, with eight participating state AGs (Texas, Arkansas, Indiana, Michigan, Missouri, North Carolina, North Dakota, and Ohio). In 2023, the court entered a judgment of more than $122 million, naming the operation’s principals individually as well as the corporate entities, and finding multiple violations of state and federal telemarketing statutes. A May 2025 contempt order in the same docket reinforced post-judgment compliance obligations and signaled judicial willingness to use contempt sanctions against principals. The matter is the leading personal-liability precedent because the court did not treat the corporate veil as meaningful protection – the judgment ran against the principals individually – and because state telemarketing statutes typically authorize personal liability for officers and directors involved in the violating conduct. For lead-gen operators with corporate structures that rely on holding companies and intermediate operating entities, the Rising Eagle docket frames the maximum-exposure scenario.

The three vehicles resolve state AG investigations with different procedural pathways. An Assurance of Voluntary Compliance is a contractual agreement between the AG’s office and the target, executed without filing a complaint, that documents findings, compliance commitments, and any monetary component. An Assurance of Discontinuance is the term used in some states (notably New York and Massachusetts) for the same instrument, with substantively equivalent provisions. A consent decree is a more formal vehicle used when the AG has filed a complaint and the parties settle through a court-entered judgment, which carries judicial-enforcement weight and contempt-sanction availability. Multistate settlements typically use AVC and AOD vehicles in their respective states, captured in a coordinated settlement document. Consent decrees appear in matters that have escalated to litigation, and the post-settlement compliance burden is typically heavier than the AVC/AOD equivalent because court enforcement is more direct.

What should an operator do in the first twelve hours after receiving a multistate CID?

Three actions in the first twelve hours. First, issue a litigation hold notice covering all documents responsive to the CID’s document categories, on the operator’s systems and on third-party vendor systems. The hold has to suspend automatic deletion or retention-policy purges, and the timing of the hold becomes part of the response record. Second, engage external counsel with state AG investigation specialty experience – not general TCPA defense counsel and not general regulatory counsel. The relevant practice is concentrated in a small number of firms with established AG relationships, and the engagement should be made within twelve hours rather than within a week to avoid conflict-availability problems. Third, preserve the CID itself in its delivered form with original metadata, cover letter, document categories, and named individuals at the AG’s office. The CID is the foundational document and any later disputes about scope or deadlines will be resolved against its text.

How can an operator detect whether a CID is part of a multistate coalition?

The detection methods include direct outreach by external counsel to AG offices in states most likely to be coordinating – typically the most active enforcement states (Texas, California, Indiana, Tennessee, Massachusetts) and any states named in the CID as recipients of related complaints. Monitoring of AG public-record systems for related filings is a parallel method, though many CIDs are not docketed publicly until after the response period closes. Reconstruction of any prior contacts the operator’s customer service or compliance functions have received from state AG offices in the prior thirty days is useful because many multistate CIDs are preceded by informal contacts – complaints forwarded between AG offices, carrier-level inquiries, or regulatory-agency notifications. The reconstruction work should be done with external counsel because the contacts may be relevant to the response.

Why does the federal-only compliance posture fail in the multistate environment?

The controlling enforcement vehicle in 2026 is the multistate CID, and the multistate CID’s document requests are organized around state-specific compliance obligations that are not preempted by federal law. State Do-Not-Call registries, state retention statutes, state call-time restrictions, state recording laws, and state telephone solicitor registration requirements operate alongside the federal Telemarketing Sales Rule and TCPA, with the federal rules setting a floor rather than a ceiling. An operator running federal-only compliance will be unable to produce state-specific scrubbing records, state-specific retention records, or state-specific consent disclosures when the CID document request asks for them. The absence of those records is itself the documented compliance gap that drives the settlement posture, and the federal-only operator becomes the multistate coalition’s settlement template – with terms that subsequent investigations will reference.

What is the practical consequence of an AVC for an operator’s ongoing operations?

An AVC’s compliance terms become the operator’s regulatory baseline for the AVC’s duration, typically three to seven years. The terms usually include: specific consent-capture, retention, and audit procedures; periodic compliance certifications; the AG’s office’s right to request supplemental document productions; and stipulated penalties for AVC violations. The financial component varies by matter – single-state AVCs in telemarketing matters have settled at amounts ranging from low six figures; multistate AVCs with complex remedial provisions have run into tens of millions. The post-settlement compliance burden is significant: the operator has to demonstrate compliance with the AVC’s terms throughout the duration, and AVC violations produce follow-on enforcement actions that treat the violation as a separate predicate. The operational implication is that AVC settlement is not a one-time event; it is a multi-year compliance obligation.

What does the next twelve to eighteen months look like for state AG TCPA enforcement?

The trajectory is for continued expansion of the multistate coordination architecture, with three specific developments to expect. First, additional state legislatures are likely to follow Texas SB 140 with their own SMS-coverage statutory amendments – Florida, Oklahoma, and California are the most likely near-term candidates – bringing more SMS lead-gen activity under state-level enforcement reach. Second, the Operation Robocall Roundup model is likely to be deployed against additional target categories, with lead-aggregation companies, consent farms, and high-volume affiliate networks as the most exposed cohorts. Third, the AVC-and-consent-decree settlement framework is likely to incorporate increasingly stringent post-settlement audit provisions, drawing on the Rising Eagle contempt-order lineage to make post-settlement violations more costly. For lead-gen operators, the practical implication is that the multistate enforcement environment will intensify rather than stabilize over the next eighteen months, and the compliance architecture work that is defensible today may not be sufficient by the end of 2027.

Sources

Tier 1: Primary Government and Regulatory Sources

  1. Federal Trade Commission, “National Do Not Call Registry,” accessed April 28, 2026 – https://www.donotcall.gov/

  2. Federal Communications Commission, “Stop Illegal Robocalls,” FCC Consumer Guide, accessed April 28, 2026 – https://www.fcc.gov/spoofed-robocalls

  3. National Association of Attorneys General, “Center for Consumer Protection,” accessed April 28, 2026 – https://www.naag.org/issues/consumer-protection/

  4. Texas Legislature Online, “SB 140 (89R) Bill History and Text,” 89th Regular Session, accessed April 28, 2026 – https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=SB140

  5. Indiana Office of the Attorney General, “Do Not Call List,” accessed April 28, 2026 – https://www.in.gov/attorneygeneral/consumer-protection-division/do-not-call/

  6. Tennessee Public Service Commission / Tennessee Regulatory Authority, “Tennessee Do Not Call Program,” accessed April 28, 2026 – https://www.tn.gov/tpuc/consumer-resources/do-not-call-program.html

  7. Florida Department of Agriculture and Consumer Services, “Florida Do Not Call Program,” accessed April 28, 2026 – https://www.fdacs.gov/Consumer-Resources/Do-Not-Call

Tier 2: Established Industry Research and Trade Press

  1. Troutman Pepper Locke, “Navigating Multistate State AG Investigations: From First CID to Final Settlement,” Regulatory Oversight Blog, April 2026 – https://www.regulatoryoversight.com/2026/04/navigating-multistate-state-ag-investigations-from-first-cid-to-final-settlement/

  2. Troutman Pepper Locke, “Troutman Pepper Locke State Attorneys General Monitor – April 16, 2026,” Insights, April 16, 2026 – https://www.troutman.com/insights/troutman-pepper-locke-state-attorneys-general-monitor-april-16-2026/

  3. Wiley Rein LLP, “State AG Robocall Enforcement Trends: Targeting of VoIP Service Providers Continues With Coordinated AG Scrutiny of Intermediate Providers,” 2025 – https://www.wiley.law/alert-2025-State-AG-Robocall-Enforcement-Trends-Targeting-of-VoIP-Service-Providers-Continues-With-Coordinated-AG-Scrutiny-of-Intermediate-Providers

  4. Troutman Pepper Locke / Regulatory Oversight Blog, “AGs Demand End to Unlawful Robocalls Through Operation Robocall Roundup,” December 2025 – https://www.regulatoryoversight.com/2025/08/ags-demand-end-to-unlawful-robocalls-through-operation-robocall-roundup/

  5. NAAG, “AG Insights – Multistate Investigations and Enforcement,” accessed April 28, 2026 – https://www.naag.org/issues/

  1. Troutman Pepper Locke State Attorneys General Practice, accessed April 28, 2026 – https://www.troutman.com/services/practices/state-attorneys-general

  2. Cozen O’Connor State Attorneys General Practice, accessed April 28, 2026 – https://www.cozen.com/practices/litigation/state-attorneys-general

  3. Davis Wright Tremaine, “TCPA and State Telemarketing Compliance Resources,” accessed April 28, 2026 – https://www.dwt.com/

  4. Venable LLP, “Advertising and Marketing – Telemarketing and TCPA,” accessed April 28, 2026 – https://www.venable.com/

Tier 4: Supporting Industry Commentary

  1. Federal Communications Bar Association, “TCPA and Robocall Compliance,” 2026 – https://www.fcba.org/

  2. ACA International, “State DNC and Telemarketing Compliance Resources,” 2026 – https://www.acainternational.org/

  3. Professional Association for Customer Engagement (PACE), “State Telemarketing Enforcement Tracker,” 2026 – https://paceassociation.com/

Closing

The multistate civil investigative demand has displaced the federal class action as the leading edge of TCPA risk for lead generators in 2026, and the displacement is structural rather than cyclical. The federal regulatory retreat – Duguid doctrinal narrowing, the FCC’s “Delete, Delete, Delete” rollbacks – has removed the deterrent gravity that federal enforcement once exerted. The state attorneys general have read the environment correctly, organized through NAAG’s coordination infrastructure, and produced a multistate enforcement architecture that operates faster than federal litigation, costs less for the AGs to run, and reaches deeper into the lead-gen value chain than federal enforcement has historically reached. Operation Robocall Roundup’s December 2025 fifty-one-state action established the protocol. Texas SB 140’s September 2025 SMS expansion extended the protocol’s reach into the SMS channel. The Rising Eagle Capital lineage frames the personal-liability ceiling. Troutman Pepper Locke’s April 2026 navigation guide is the practitioner-facing articulation of how the protocol works and how it should be triaged. The lead-gen operators who treat the multistate CID as a single-state nuisance will spend the next two years as the multistate coalition’s settlement template. The operators who treat it as the dominant enforcement vector and rebuild their compliance architecture against state-by-state requirements – twelve registries, state-specific retention, state-specific consent disclosures, state-specific call-time and recording compliance – will run the next eighteen months from a defensible posture. The first seventy-two hours of CID response are where the choice between those two outcomes becomes visible. The work that determines which side of that choice an operator lands on happens in the ninety days before the CID arrives.

Regulatory developments, state attorney general enforcement coordination, and statutory amendments described in this analysis reflect publicly reported conditions through April 28, 2026. State telemarketing law, enforcement priorities, and multistate coordination architecture change continuously; verify current terms through primary sources and qualified counsel before making operational decisions. This article provides general industry analysis and does not constitute legal advice. Operators receiving a civil investigative demand should engage external counsel with state attorney general investigation experience immediately and should not rely on generic regulatory guidance for matter-specific response decisions.

Last updated

The Podcast

Industry Conversations.

Candid discussions on the topics that matter to lead generation operators. Strategy, compliance, technology, and the evolving landscape of consumer intent.

Listen on Spotify