A practical framework for lead generation operators to evaluate TCPA compliance, identify vulnerabilities, and implement corrections before litigation finds them.
The process server standing at your door with a TCPA class action complaint does not care about your intentions. The statute does not distinguish between operators who meant well and those who did not. In the first quarter of 2025 alone, 507 TCPA class actions were filed – a 112% increase over the same period in 2024. The average settlement exceeds $6.6 million. Understanding the current TCPA litigation landscape is essential context for any audit. The four-year statute of limitations means violations you committed years ago can still generate liability today.
This is not theoretical risk. It is statistical probability for lead generation operations that have not systematically evaluated their compliance posture.
The good news: TCPA compliance is not impossible. Those who thrive in this environment are those who treat compliance not as a legal checkbox but as core business infrastructure – and that starts with honest self-assessment. Before you can fix problems, you must find them. Before you can prove compliance, you must verify it exists.
This guide provides a comprehensive framework for auditing your own TCPA compliance. It covers consent acquisition, documentation, calling operations, revocation handling, vendor management, and technology systems. By the end, you will have a clear picture of your compliance posture and a prioritized action plan for addressing any gaps.
Why Self-Assessment Matters Now
The litigation environment in 2024-2025 represents the most aggressive TCPA climate in the statute’s history. Understanding the current landscape helps calibrate the urgency of compliance investment.
The Statistical Reality and Serial Litigator Factor
In 2024, 2,788 TCPA cases were filed – a 67% increase over 2023, which was itself a record year. The percentage of cases filed as class actions reached historic highs, with 78-85% of monthly filings seeking class certification. By September 2025, 1,807 class actions had been filed year-to-date, running 97% ahead of 2024’s pace.
The math is unforgiving. Each TCPA violation carries statutory damages of $500 to $1,500. There is no cap on aggregate damages. A company that makes 10,000 non-compliant calls faces potential exposure of $5 million to $15 million – before attorney’s fees and litigation costs. The four-year statute of limitations means exposure can accumulate over extended periods before a lawsuit materializes. Class certification is common in TCPA litigation, and courts have certified classes of millions of call recipients, creating exposure that can reach hundreds of millions of dollars for large-scale operations.
Analysis of 2024-2025 filings reveals that 31-41% of TCPA lawsuits are filed by repeat plaintiffs who have turned TCPA claims into a business model. These professional plaintiffs employ sophisticated techniques: maintaining multiple phone numbers, providing consent and then challenging its validity, exploiting reassigned number scenarios, and timing lawsuits to maximize settlement leverage. One professional plaintiff testified in court that she maintained 35 cell phones to support her “business” of being a TCPA plaintiff. Another testified to filing approximately 60 TCPA class actions and earning roughly $60,000 annually from settlements since 2014. Self-assessment helps you identify the vulnerabilities these professional plaintiffs exploit before they do.
The Regulatory Intensification
Beyond private litigation, regulatory enforcement has intensified. The FCC’s April 2025 revocation rules require companies to honor consent withdrawal requests within ten business days through any reasonable method. The Telemarketing Sales Rule now requires five-year retention for consent records – extended from two years in March 2024.
The FTC sent warning letters to 21 healthcare lead generators in December 2024 alone. The August 2025 MediaAlpha settlement of $45 million for deceptive lead generation practices signals that regulators view lead generation compliance as a priority enforcement area. Self-assessment is not just about avoiding litigation. It is about demonstrating the good faith compliance commitment that can mitigate regulatory penalties when issues arise.
The Self-Assessment Framework
Effective TCPA self-assessment covers six interconnected domains: consent acquisition, consent documentation, calling operations, revocation handling, vendor management, and technology systems. Weakness in any domain can expose your entire operation.
The framework below provides specific questions to ask, documents to review, and benchmarks against which to evaluate your practices. For each domain, we identify critical requirements that demand immediate attention if not met, high-priority items that should be addressed within 30 days, and standard requirements that represent ongoing best practices.
Domain 1: Consent Acquisition
Prior express written consent (PEWC) is the gold standard for TCPA compliance in telemarketing. This domain examines how you obtain consent and whether your acquisition processes meet legal requirements.
Critical Requirements for Consent Disclosures
The FCC defines prior express written consent in 47 CFR 64.1200(f)(9), and valid PEWC requires specific elements that must all be present. You need an agreement in writing, where electronic signatures satisfying E-SIGN are acceptable. The document must bear the signature of the person called and include clear authorization for the seller to deliver advertisements or telemarketing messages using an automatic telephone dialing system or artificial/prerecorded voice. The consent must identify the specific telephone number to which the signatory authorizes calls and include a statement that consent is not a condition of purchasing any property, goods, or services. Finally, the disclosure must be clear and conspicuous – not buried in fine print or obscured by surrounding content. Review your current consent language against each element. Missing any single element can invalidate consent. Our complete guide on consent documentation for TCPA compliance covers each requirement in detail.
The “clear and conspicuous” standard means apparent to a reasonable consumer. The consent language must be separate from other disclosures on the page, not buried in terms of service. Font size should be at least as large as surrounding text, and the disclosure should be located proximate to the consent mechanism – the checkbox or signature field. The language must be unambiguous about marketing purpose. Review screenshots of your actual consent forms as consumers see them. Is the consent disclosure something a reasonable person would actually read and understand before clicking?
Affirmative action is equally essential. Pre-checked boxes do not constitute valid consent. The consumer must take affirmative action – clicking an unchecked checkbox, signing electronically, or otherwise actively indicating agreement. Audit your forms for any pre-checked consent mechanisms. These represent immediate compliance failures.
High-Priority Consent Requirements
Following the Eleventh Circuit’s January 2025 vacatur of the FCC’s one-to-one consent rule in Insurance Marketing Coalition v. FCC, blanket multi-seller consent remains technically permissible under federal law. However, sophisticated lead buyers increasingly require one-to-one consent or its functional equivalent. CMS already requires one-to-one consent for Medicare leads, and state regulators may pursue similar requirements. Even without a legal requirement, one-to-one consent provides stronger litigation defense. When a lead buyer can demonstrate that the consumer specifically identified their company and consented to receive their calls, the consent is harder to challenge than blanket multi-seller consent. Evaluate whether your consent practices meet buyer expectations and position you for potential regulatory changes.
When consent is obtained electronically, the federal Electronic Signatures in Global and National Commerce Act (E-SIGN) creates additional requirements. Courts have increasingly recognized that obtaining TCPA consent electronically triggers E-SIGN’s consumer disclosure and consent requirements. Before obtaining electronic consent, the consumer should receive a disclosure about electronic records and signatures. The consumer should consent to receive required disclosures electronically, separate from TCPA consent, and should be informed of hardware and software requirements to access electronic records. The practical implication: electronic TCPA consent captured without E-SIGN compliance may be unenforceable. Review your consent flow structure against E-SIGN requirements.
TCPA consent cannot be a condition of purchasing goods or services. Review your checkout flows, quote request processes, and service sign-ups. If a consumer cannot proceed without agreeing to receive marketing calls, that consent is invalid. Also review for constructive conditioning – situations where declining consent makes the process so difficult that consent is effectively required.
Standard Consent Requirements
Consent disclosure language changes over time, and you need documentation of exactly what language was presented to each consumer at the time they provided consent. Implement version control for consent language with timestamps showing when each version was deployed. Maintain historical versions indefinitely.
General business attorneys often lack the specialized knowledge to draft defensible TCPA consent language. Have your consent disclosures reviewed by counsel who specializes in TCPA compliance and defense. The investment in specialized review is minimal compared to the exposure created by deficient consent language.
Domain 2: Consent Documentation
Proving consent requires documentation sufficient to withstand litigation. The burden of proof rests with the caller – if you cannot prove consent existed at the time of the call, courts will presume non-compliance.
Critical Documentation Requirements
For each lead generated, you should capture and retain essential documentation elements. The consent timestamp records the exact date and time consent was provided, in a format that cannot be manipulated. The IP address from which consent was submitted helps establish that a real person provided consent. You need to capture the exact consent language displayed – the disclosure language shown to the consumer at the time of consent. Evidence of consumer action documents the affirmative action taken, whether checkbox selection, electronic signature, or other consent mechanism. The specific phone number for which consent was granted must be recorded, along with the form URL and configuration details from the page where consent was captured. Review a random sample of recent leads. Can you reconstruct exactly what each consumer saw and did when providing consent?
Industry best practice requires third-party verification of consent through services like TrustedForm or Jornaya’s TCPA Guardian. These services provide independent documentation that can be presented in litigation as evidence of consent. TrustedForm deploys JavaScript on lead capture forms that documents the consumer’s interaction in real time. For each form submission, it generates a unique certificate containing timestamp, IP address, page URL, and a visual recording of the consumer’s session showing exactly what the consumer saw and what actions they took. Jornaya’s LeadiD and TCPA Guardian products provide alternative consent documentation with additional lead intelligence features. If you are not using third-party consent verification, this represents a significant compliance gap. The nominal cost – typically $0.15 to $0.50 per lead depending on volume – is trivial compared to litigation value.
TrustedForm certificates must be claimed – retrieved and stored – by the lead buyer to be useful. Unclaimed certificates expire. Best practice is to claim certificates at the time of lead purchase, before any contact is attempted. Review your lead intake process. Are certificates being claimed for every lead before any outbound contact? Are claimed certificates being retained for the required period?
High-Priority and Standard Documentation Requirements
The Telemarketing Sales Rule now requires five-year retention for consent records and compliance documentation – extended from two years in March 2024. This aligns with the civil penalty statute of limitations. The four-year TCPA statute of limitations for private lawsuits means documentation should be retained for at least four years after the last contact made pursuant to that consent. Industry best practice is five years or longer. Audit your retention policies to confirm consent records, TrustedForm certificates, and related documentation are being retained for the required period.
When litigation arrives, you will need to produce consent documentation quickly. Early case assessment typically happens within the first 72 hours. If your documentation is scattered across systems or difficult to retrieve, you cannot mount an effective defense. Test your documentation retrieval by selecting a random phone number from your recent calling list. How long does it take to retrieve all associated consent documentation? If the answer is more than a few hours, your systems need improvement.
Consent timestamps and other documentation must be stored in formats that cannot be easily altered. Courts are skeptical of evidence that could have been manufactured after the fact. Use database timestamps rather than user-modifiable fields. Consider blockchain-based verification for critical records. Ensure audit trails capture any access to or modification of consent records. When leads pass through multiple systems or parties, each handoff should be documented. You should be able to trace a lead from initial capture through every system that touched it. Review your lead flow and identify any gaps in documentation when leads move between systems.
Domain 3: Calling Operations
Consent acquisition and documentation mean nothing if calling operations violate TCPA requirements. This domain examines the execution side of compliance.
Critical Calling Requirements
The National DNC Registry contains over 240 million phone numbers. TCPA requires suppression against the registry before telemarketing calls, and registry data must be refreshed at least every 31 days. Review your DNC suppression procedures. Are you accessing current registry data? Are all telemarketing calls suppressed against the registry before execution?
Beyond the national registry, companies must maintain internal DNC lists of consumers who have requested not to be called. These lists must be honored for all future calls. Review your internal DNC list management. Are opt-out requests being captured and added to the suppression list? Are all campaigns suppressed against the internal list before calling?
Federal rules prohibit telephone solicitations before 8:00 AM or after 9:00 PM in the recipient’s local time zone. State rules often impose narrower windows: Florida and Oklahoma restrict calls to 8:00 AM to 8:00 PM, Connecticut requires 9:00 AM to 8:00 PM, Maryland limits calls to 8:00 AM to 8:00 PM, and Texas specifies 9:00 AM to 9:00 PM Monday through Saturday with 12:00 PM to 9:00 PM on Sunday. Time zone determination for mobile numbers is particularly challenging – the area code may not correspond to the recipient’s actual location. Review your calling hour enforcement. Are you determining recipient time zones accurately? Are you honoring the most restrictive applicable requirements combining federal and state rules? Use our telemarketing calling hours by state reference for complete guidance.
TCPA requires displaying a valid phone number and providing business name when calling. The number displayed must be one at which your business can be reached. Audit your caller ID configuration. Are you displaying valid, working numbers? Can consumers reach your business at the displayed number?
High-Priority Calling Requirements
TCPA litigator list services maintain databases of known serial plaintiffs compiled from public court records. These databases include over 600,000 names – professional plaintiffs, TCPA attorneys, and individuals who have sent demand letters. Key services include Contact Center Compliance (Litigator Scrub), PossibleNOW (TCPA Litigator List), and Gryphon AI. The investment is minimal compared to the risk of calling a professional plaintiff. Review your suppression stack. Are you screening against litigator databases before calling?
When a consumer provides consent and later changes their phone number, the new owner has not consented. The FCC maintains a Reassigned Numbers Database to help callers identify numbers that have changed hands. Using the database provides a safe harbor from liability for certain call types. Review whether you have integrated reassigned number checking into your calling operations.
While federal TCPA does not specify call frequency limits, state laws increasingly do. Florida’s FTSA, for example, limits calls to three per 24-hour period on the same subject matter. Even without legal limits, excessive calling creates complainants who become plaintiffs. Industry best practice limits attempts to the same number. Review your call frequency controls. Are limits in place? Are they enforced across all campaigns?
Standard Calling Requirements
Call recording serves multiple compliance functions: verifying script compliance, resolving disputes, and providing litigation defense. However, recording itself has legal requirements. Many states require consent from one or both parties before recording. Review your recording disclosures and ensure compliance with applicable state laws.
Review your calling scripts for required disclosures and proper content. Then review call recordings to verify scripts are being followed in practice. The gap between written policy and actual behavior often creates compliance exposure.
Domain 4: Revocation Handling
The FCC’s April 2025 revocation rules fundamentally changed how companies must handle consent withdrawal. This domain has become particularly critical for compliance.
Critical Revocation Requirements
Companies must honor revocation requests within ten business days of receipt. This represents a significant tightening from prior practice where the outer limit was thirty days. The ten-day requirement creates operational challenges for companies with complex systems. If consent status is not synchronized across all channels and platforms within ten days, non-compliant contacts can occur after revocation. Test your revocation processing by issuing a test opt-out request and tracking how long it takes to propagate through all systems. If it exceeds ten business days, you have an immediate compliance gap.
The FCC identified specific keywords that constitute definitive revocation when received via text message: “stop,” “quit,” “revoke,” “opt out,” “cancel,” “unsubscribe,” and “end.” These terms trigger immediate revocation obligations regardless of other language in the message. Review your opt-out recognition systems. Are all standard keywords being captured and processed automatically?
Beginning April 11, 2026, companies must accept revocation via “any reasonable manner that clearly expresses a desire not to receive further calls or text messages.” Companies may not designate an exclusive means of revocation. Even before the 2026 deadline, treating any communication that reasonably conveys intent to stop receiving calls as a revocation is the safer approach. “No more texts” or “take me off your list” should be honored even if they do not use standard keywords.
High-Priority and Standard Revocation Requirements
Companies may send a one-time text message confirming a revocation request, but strict conditions apply. The message must be sent within five minutes of the opt-out request and cannot include any marketing content. If the consumer provided consent for multiple message categories, the confirmation may request clarification about which categories to discontinue. If the consumer does not respond to clarification, the revocation applies to all message categories. Review your confirmation message content and timing. Any marketing content in confirmation messages is a violation.
An opt-out received via text message must be honored for voice calls and vice versa. An opt-out received in one system must propagate to all systems that might contact the consumer. Map all systems that initiate consumer contact and verify that revocation in any system updates all systems within the ten-business-day window.
Maintain proof of when revocation requests were received and when they were honored. This documentation is essential for defending claims that contacts occurred after revocation. Some revocation requests are unclear – “I’m not interested right now” or “call me next month instead.” Document your procedures for handling ambiguous requests. The safer approach is to treat unclear requests as revocations.
Domain 5: Vendor Management
Third-party vendors – particularly lead generators, call centers, and marketing agencies – represent a significant source of TCPA exposure. Your compliance is only as strong as your weakest vendor.
Critical Vendor Requirements
Before engaging any vendor that generates leads or makes calls on your behalf, due diligence should cover their TCPA compliance policies and procedures, their consent capture mechanisms and documentation practices, their history of TCPA litigation or regulatory action (searchable via PACER and state court records), their insurance coverage for TCPA claims, and their willingness to provide indemnification. Review your vendor qualification process. Are you conducting meaningful due diligence or simply collecting certifications?
Vendor agreements should include specific TCPA compliance obligations and representations, requirements for consent documentation and verification, audit rights allowing you to verify compliance, indemnification provisions covering TCPA claims arising from vendor conduct, insurance requirements adequate to support indemnification, and termination rights for compliance failures. Review your vendor contracts. Are these provisions present and enforceable?
The most common mistake is accepting vendor certifications of compliance without verification. A vendor’s assertion that they capture compliant consent means nothing without the ability to verify that assertion against actual documentation. For purchased leads, verify that TrustedForm certificates or equivalent documentation exist, can be retrieved, and show compliant consent language. A TrustedForm certificate documents what happened – it does not ensure that what happened was compliant. The certificate must be retrieved, reviewed, and validated against compliance requirements. Sample vendor leads regularly. Retrieve consent certificates and verify the disclosure language meets requirements.
High-Priority and Standard Vendor Requirements
Do not assume vendor compliance after initial qualification. Implement regular audits of vendor consent documentation, periodic review of vendor calling practices, monitoring of complaints or litigation involving the vendor, and required reporting of any TCPA-related incidents. Subscribe to PACER alerts for your vendor names and track industry news for enforcement actions affecting your vendors.
When a lead arrives through an aggregator who purchased it from a sub-affiliate, you need documentation showing the consent trail through every party. Gaps in documentation create liability. For a sample of leads, attempt to trace complete provenance from initial capture to your receipt and document any gaps.
Indemnification provisions are only as valuable as the company providing them. If your lead vendor disappears or lacks assets, that indemnification right becomes worthless. Require vendors to carry TCPA-specific insurance and provide certificates of coverage. Evaluate vendor financial stability before relying on indemnification. When you discover vendor compliance issues, you need procedures for immediate response, remediation requirements, and potential termination. Document your vendor compliance incident response procedures.
Domain 6: Technology Systems
Technology is both the source of TCPA risk and the foundation of effective compliance. This domain examines whether your technology stack supports compliance.
Critical Technology Requirements
DNC suppression must occur before any call is placed, not as a batch process that can miss recent additions. Verify that suppression is integrated into the dialing workflow for all platforms and campaigns.
Before any lead enters a calling queue, consent should be verified. This means retrieving TrustedForm certificates or equivalent documentation and confirming consent validity. Review your lead intake workflow. Is consent verification a gate that must be passed before calling, or a parallel process that can be bypassed?
Manual time-zone management creates errors. Automated systems should determine recipient time zone and block calls outside permitted hours. Review your time-zone determination methodology. For mobile numbers, are you using carrier data or area code (which is less accurate)?
High-Priority and Standard Technology Requirements
Manual revocation processing cannot meet ten-business-day requirements at scale. Automated systems should recognize opt-out keywords, update suppression lists, and propagate changes across all platforms. Test your automated revocation flow end-to-end.
When litigation arrives, you need to retrieve consent documentation, call logs, and related records quickly. If data is siloed across systems, retrieval becomes difficult. Review your data architecture. Can you retrieve all relevant records for a given phone number from a single query or interface?
System audit trails should capture consent capture events, consent verification events, calling events, opt-out events, suppression events, and any modifications to consent or suppression records. Review your audit trail coverage. Are compliance-relevant events being logged with sufficient detail?
Courts may require explanation of how your systems work. Documentation should explain consent capture, verification, calling operations, and suppression in terms understandable to non-technical audiences. Consent records and compliance documentation must survive system failures. Verify that backup procedures cover compliance-critical data and that recovery has been tested.
Conducting the Audit
With the framework above, you have 46 specific questions to answer about your compliance posture. Here is a practical approach to conducting the audit across five phases.
Phase 1: Document Collection (Week 1)
Gather all relevant documentation before evaluation. This includes current consent language and form configurations, sample TrustedForm certificates or equivalent documentation (at least 20 random leads from the recent month), vendor contracts and compliance certifications, DNC suppression logs showing recent updates, revocation processing logs, calling hour restriction configurations, technology system documentation, and written policies for consent, calling, and revocation.
Phase 2: Critical Requirement Review (Week 2)
Evaluate all items marked “Critical” first, as these represent immediate compliance failures if not met. This phase covers consent disclosure elements, clear and conspicuous presentation, affirmative consent mechanisms, essential documentation capture, third-party consent verification, DNC Registry suppression, internal DNC list maintenance, calling hour restrictions, caller ID compliance, the ten-business-day revocation window, opt-out keyword recognition, vendor due diligence, vendor contract provisions, consent documentation verification for purchased leads, DNC system integration, consent verification in lead intake, and time-zone automation. For each critical requirement not met, document the gap and assign immediate remediation priority. If you need to build or strengthen your infrastructure, our TCPA compliance program implementation guide provides the roadmap.
Phase 3: High-Priority Review (Week 3)
Evaluate all items marked “High Priority,” which should be addressed within 30 days. This phase covers E-SIGN compliance, consent conditioning issues, documentation retention period, documentation retrieval capability, litigator database screening, reassigned number checking, call frequency limits, confirmation message compliance, revocation synchronization, vendor monitoring, lead provenance tracing, automated revocation processing, integrated data retrieval, and audit trail coverage.
Phase 4: Standard Requirement Review (Week 4)
Evaluate remaining items that represent best practices strengthening your compliance posture. This phase covers consent version control, legal review of consent language, documentation manipulation resistance, chain of custody documentation, call recording compliance, script compliance, ambiguous revocation procedures, vendor insurance and stability, vendor incident response, technology documentation, and backup and disaster recovery.
Phase 5: Remediation Planning (Week 5)
Based on your findings, develop a prioritized remediation plan. Immediate action within 72 hours addresses any critical requirement failures that create active, ongoing violation exposure. Urgent action within 30 days addresses remaining critical requirement failures and high-priority gaps. Planned action within 90 days addresses standard requirement improvements and system enhancements. Assign ownership, deadlines, and success criteria for each remediation item.
After the Audit: Maintaining Compliance
Self-assessment is not a one-time exercise. The regulatory landscape evolves, your operations change, and new vulnerabilities emerge.
Establishing Regular Audit Cycles
Conduct full self-assessments quarterly. Monthly spot-checks should cover random sampling of recent consent certificates to verify disclosure compliance, random sampling of recent calls to verify calling hour compliance, revocation processing time verification, DNC suppression verification, and vendor compliance incident review.
Assign someone to monitor regulatory developments including FCC orders and rulemaking, state mini-TCPA legislation, enforcement actions in your vertical, and industry association alerts. When requirements change, trigger targeted self-assessment of affected areas.
Documentation and Training
Maintain records of self-assessment findings and dates, remediation actions and completion dates, training provided and personnel trained, vendor audits conducted, and compliance incidents and resolutions. This documentation demonstrates good faith commitment to compliance – which can mitigate penalties when issues arise.
Compliance depends on people, not just systems. Ensure personnel understand TCPA requirements relevant to their roles, company compliance policies, consequences of non-compliance, and how to report compliance concerns. Document all training with dates, content covered, and personnel trained.
Key Takeaways
TCPA class action filings increased 112% in Q1 2025, with average settlements exceeding $6.6 million – self-assessment is essential risk management.
Valid prior express written consent requires six specific elements: written agreement, signature, clear seller authorization, identified phone number, not a condition of purchase, and clear/conspicuous disclosure. Missing any element can invalidate consent.
Third-party consent verification through TrustedForm or Jornaya is industry best practice – the nominal cost of $0.15 to $0.50 per lead is trivial compared to litigation defense value.
The FCC’s April 2025 rules require honoring revocation within 10 business days through any reasonable method – test your revocation processing time.
Vendor compliance is your compliance – conduct meaningful due diligence, include strong contract provisions, and verify consent documentation for purchased leads.
Consent documentation must be retained for at least five years (Telemarketing Sales Rule) and be retrievable within litigation timeframes.
Self-assessment should follow a structured framework covering six domains: consent acquisition, consent documentation, calling operations, revocation handling, vendor management, and technology systems.
Critical requirement failures demand immediate remediation; high-priority gaps should be addressed within 30 days; standard requirements represent ongoing best practices.
Regular audit cycles with quarterly full assessment and monthly spot-checks, combined with personnel training, sustain compliance over time.
Frequently Asked Questions
What is TCPA compliance and why does it matter for lead generation?
The Telephone Consumer Protection Act (TCPA) is federal legislation enacted in 1991 that regulates telephone solicitations, automated dialing systems, prerecorded messages, and text messaging. For lead generation operations, TCPA compliance matters because violations carry statutory damages of $500 to $1,500 per violation with no cap on aggregate damages. In 2024, 2,788 TCPA cases were filed, with approximately 80% seeking class certification. The average class action settlement exceeds $6.6 million. A lead generation operation making 10,000 calls per month could face potential exposure of $60 million to $180 million over one year if violations are established. TCPA compliance is not a legal technicality – it is existential risk management.
What is prior express written consent (PEWC) and what are its required elements?
Prior express written consent is the FCC’s standard for telemarketing calls using automated dialers or prerecorded voices to cell phones. Valid PEWC requires six specific elements: an agreement in writing, which can include electronic signatures satisfying E-SIGN requirements; the signature of the person to be called; clear authorization for the seller to deliver marketing messages using automated technology; identification of the specific telephone number authorized for calls; a statement that consent is not a condition of purchasing goods or services; and clear and conspicuous disclosure that is not buried in fine print or obscured by surrounding content. Missing any single element can invalidate the consent and create liability for every call made pursuant to that deficient consent.
How long must I retain TCPA consent documentation?
The Telemarketing Sales Rule, updated in March 2024, now requires five-year retention for consent records and compliance documentation – extended from the previous two-year requirement. This five-year retention period aligns with the civil penalty statute of limitations for FTC enforcement. For private lawsuits, the TCPA statute of limitations is four years from the date of violation. Industry best practice is to retain consent documentation for at least five years after the last contact made pursuant to that consent, or longer if feasible. TrustedForm offers certificate retention up to five years. Consent documentation should include timestamps, IP addresses, the exact disclosure language displayed, evidence of affirmative consumer action, and the phone number for which consent was granted.
What changed with the FCC’s 2025 revocation rules?
The FCC’s 2025 revocation order, with certain provisions effective April 11, 2025 and others delayed to April 11, 2026, fundamentally changed how companies must handle consent withdrawal. Effective April 2025: companies must honor revocation requests within 10 business days (reduced from 30 days); must recognize standard opt-out keywords including “stop,” “quit,” “revoke,” “opt out,” “cancel,” “unsubscribe,” and “end”; must include clear opt-out instructions in marketing texts; and must honor Do Not Call requests within 10 business days. Delayed until April 2025: the requirement to accept revocation via any reasonable method the consumer chooses; the requirement to treat revocation of one message type as applying to all message types from that sender. Confirmation messages are permitted within five minutes of opt-out if they contain no marketing content.
What is TrustedForm and do I need it?
TrustedForm is a consent verification service provided by ActiveProspect that has become the industry standard for TCPA consent documentation. The service deploys JavaScript on lead capture forms that documents the consumer’s interaction in real time. For each form submission, TrustedForm generates a unique certificate containing timestamp, IP address, page URL, and a visual session recording showing exactly what the consumer saw and what actions they took. This independent third-party documentation can be presented in litigation as evidence of valid consent. While not legally required, TrustedForm or equivalent verification such as Jornaya’s TCPA Guardian is considered industry best practice. The cost is typically $0.15 to $0.50 per lead depending on volume – trivial compared to the $40,000 to $50,000 average cost of defending even a successful TCPA case or the millions in potential settlement exposure.
How do I audit my lead vendors for TCPA compliance?
Auditing lead vendors for TCPA compliance requires moving beyond accepting certifications at face value to actually verifying compliance. Start with due diligence: review their TCPA policies and procedures, examine their consent capture mechanisms, search PACER and state court records for their litigation history, confirm their insurance coverage for TCPA claims, and evaluate their willingness to provide indemnification. For ongoing verification: regularly sample leads from each vendor and retrieve the associated TrustedForm certificates or equivalent documentation; review the certificates to confirm the consent disclosure language meets requirements; verify that consent was captured through affirmative action rather than pre-checked boxes. Your contracts should include specific TCPA compliance obligations, audit rights, indemnification provisions, insurance requirements, and termination rights for compliance failures. Remember that a vendor’s indemnification is only as valuable as their financial stability to honor it.
What should I do if I receive a TCPA demand letter?
When you receive a TCPA demand letter, your response sets the trajectory for what follows. Within the first 24 hours: verify the claim by pulling consent records for the phone number listed; check TrustedForm or Jornaya certificates; review call logs to confirm you contacted this person, when, and how often; determine whether the claimant is a known serial litigator by checking against litigator databases. If you have documented consent with clear evidence the person agreed to be contacted, you are in a strong position – share this evidence professionally with plaintiff’s counsel, as many will withdraw rather than pursue a case they know they will lose. If your records are incomplete or ambiguous, evaluate settlement economics quickly – individual settlements typically range from a few hundred dollars to $10,000 depending on the number of alleged violations, which is dramatically cheaper than defending a lawsuit. Never ignore a demand letter, as this typically leads to an actual lawsuit filing.
How often should I conduct TCPA compliance self-assessments?
Conduct comprehensive self-assessments quarterly, covering all six domains: consent acquisition, consent documentation, calling operations, revocation handling, vendor management, and technology systems. Monthly spot-checks should cover random sampling of recent consent certificates to verify disclosure compliance, random sampling of recent calls to verify calling hour compliance, revocation processing time verification, DNC suppression verification, and vendor compliance incident review. Trigger additional targeted assessments when regulatory requirements change (such as the April 2025 revocation rules), you onboard new vendors or lead sources, you implement new technology systems, you discover compliance incidents, or you receive demand letters or litigation. Document all assessments, findings, and remediation actions – this documentation demonstrates good faith commitment to compliance.
What are the biggest TCPA compliance mistakes lead generators make?
The most common TCPA compliance mistakes in lead generation include deficient consent language that omits required elements, particularly the statement that consent is not a condition of purchase. Buried or unclear consent disclosures that do not meet the “clear and conspicuous” standard create substantial exposure. Failing to use third-party consent verification like TrustedForm leaves no defensible evidence of consent. Accepting vendor certifications of compliance without actually verifying consent documentation for purchased leads is endemic. Insufficient revocation processing that exceeds the 10-business-day requirement, failing to suppress against both the National DNC Registry and internal DNC lists, and inaccurate time-zone determination leading to calling hour violations all represent common failures. Treating blanket multi-seller consent as adequate when buyers and regulators increasingly expect one-to-one consent creates vulnerability, as does failing to screen against known litigator databases before calling. Each of these mistakes creates exposure that can be identified and corrected through systematic self-assessment.
Do I need a TCPA attorney or can I handle compliance myself?
Self-assessment and ongoing compliance management can be handled internally with appropriate training and resources – this article provides a framework for doing so. However, specialized TCPA legal counsel is essential in several situations: reviewing and drafting consent disclosure language (general business attorneys often lack the specialized knowledge required); responding to demand letters or litigation; conducting external audits for independent assessment; interpreting new regulatory requirements and their application to your specific operations; and structuring vendor contracts with appropriate compliance provisions. When litigation arrives, you need counsel who specializes in TCPA defense – firms like Troutman Amin and others who focus on this space can provide guidance that general commercial litigators cannot. Establish relationships with TCPA-specialized counsel before you need them so you are not educating your lawyers about lead generation while simultaneously defending a class action.
This article provides general information about TCPA compliance and self-assessment practices. It does not constitute legal advice. TCPA requirements evolve continuously through FCC rulemaking, court decisions, and state legislation. Consult qualified legal counsel for advice specific to your operations. Statistics and regulatory information current as of late 2025.