Blog

Vendor TCPA Liability: When You're Responsible for Third-Party Calls

Vendor TCPA Liability: When You're Responsible for Third-Party Calls

The comprehensive guide to vicarious liability in lead generation – understanding when your company faces exposure for calls you never made.

Introduction: The $15 Million Wake-Up Call You Never Expected

The process server arrived on a Thursday afternoon. The lawsuit named your company as a defendant in a TCPA class action alleging 47,000 violations. Potential exposure: $23.5 million to $70.5 million.

The problem: You never made a single one of those calls.

Your lead vendor did. Your marketing partner did. The call center you contracted with did. But under the theory of vicarious liability, their violations became your liability. The consent deficiencies in leads they generated. The calling hour violations their dialers committed. The DNC suppression failures their systems allowed. All of it now sits in a complaint with your company’s name on it.

This is not a hypothetical scenario. It is the operational reality for thousands of companies that purchase leads, contract with call centers, or engage marketing partners to make calls on their behalf. In the TCPA litigation environment of 2025 – with 2,788 cases filed in 2024 alone, a 67% increase over 2023, and class actions now representing 80% of all filings – vendor liability has become one of the most dangerous and least understood risks in the lead generation industry.

This article provides lead generation professionals, insurance agencies, mortgage companies, solar installers, and any business that uses third parties to generate leads or make calls with a comprehensive understanding of when and how vicarious liability applies, how to structure relationships to manage exposure, and what to do when the complaint arrives despite your precautions.

The math is unforgiving. Understanding it before the lawsuit arrives is the only way to survive it.

Understanding Vicarious Liability Under the TCPA

The Telephone Consumer Protection Act creates liability not just for the party that makes a non-compliant call, but potentially for any party on whose behalf the call was made. This doctrine – vicarious liability – extends TCPA exposure far beyond the entity that actually dialed the phone.

The Statutory Foundation

The TCPA itself does not explicitly address vicarious liability. The statute prohibits certain calls and provides for damages against violators, but it does not specify whether liability extends to parties who did not personally make the calls.

The FCC addressed this gap in its 2013 Declaratory Ruling, establishing that calls made by third parties can create liability for the entity on whose behalf the calls were made. Understanding TCPA compliance fundamentals is essential before examining vicarious liability. Understanding TCPA compliance fundamentals is essential before examining vicarious liability. The FCC applied traditional agency principles to TCPA liability, holding that a seller may be held liable for the TCPA violations of its marketing partners under federal common law agency principles.

This means that if a lead generator, call center, or marketing partner makes non-compliant calls on your behalf, you may face the same liability as if you had made the calls yourself – $500 to $1,500 per violation, with no cap on aggregate damages.

Agency Principles Applied to TCPA

The FCC and courts have applied two primary theories to extend TCPA liability beyond the actual caller: actual authority and apparent authority.

Actual Authority

Actual authority exists when the third party acts pursuant to express or implied consent from the principal. If you hire a call center and authorize them to make calls promoting your services, they act with your actual authority. Their TCPA violations become your violations.

The analysis centers on the relationship between the parties. Courts examine whether you directed or authorized the calling activity, whether you provided the list of numbers to call, whether you specified or approved the calling scripts, whether you controlled or influenced the timing and volume of calls, and whether the calls were made to generate business for your company. When the answer to these questions is yes, actual authority likely exists, and you share liability for any violations.

Apparent Authority

Apparent authority exists when the third party’s conduct creates a reasonable belief in the call recipient that the caller acts on your behalf, even if you did not actually authorize the specific conduct. This doctrine can create liability even when you did not know about or approve the violating calls.

Apparent authority analysis focuses on what the call recipient perceived. Did the caller identify themselves as calling on your behalf? Did the caller mention your company, products, or services? Would a reasonable consumer believe the call was authorized by you? Did your prior conduct create a reasonable expectation that such calls would occur?

The apparent authority doctrine makes vicarious liability particularly dangerous because it can attach without your knowledge or consent. A lead generator who mentions your company name to generate interest, even without your approval, may create apparent authority that exposes you to liability.

The Ratification Risk

Even if you did not authorize calls initially, accepting their benefits can create liability through ratification. Ratification occurs when you learn of unauthorized conduct and take action that appears to approve or adopt it.

In the lead generation context, ratification risks arise from purchasing leads generated through non-compliant calling, paying commissions on sales resulting from violating calls, continuing to work with a vendor after learning of compliance issues, and failing to investigate complaints about vendor calling practices.

Courts have found ratification where companies continued purchasing leads from vendors they knew or should have known were engaging in non-compliant practices. The continued business relationship, and particularly the continued payment for leads, constitutes adoption of the vendor’s conduct.

How Vicarious Liability Creates Exposure

Understanding how vicarious liability actually creates exposure in practice helps operators identify and manage their specific risks.

The Lead Buyer Scenario

You operate an insurance agency. You purchase 1,000 leads per month from three different lead vendors at $45 per lead. Each vendor represents that their leads include valid prior express written consent for telemarketing contact.

Vendor A generates leads through compliant web forms with TrustedForm certificates documenting proper consent disclosure. Vendor B generates leads through forms with consent language buried in fine print that fails the “clear and conspicuous” requirement. Vendor C generates leads through a subcontractor whose forms use pre-checked consent boxes – invalid under FCC rules.

When you call the leads from Vendors B and C, you make non-compliant calls – even though you had no idea the consent was defective. Your reliance on your vendors’ representations does not eliminate your liability; it may give you indemnification claims against the vendors, but the consumers you called can still sue you directly.

Worse, if the consent deficiency is systemic – affecting all leads from those vendors – your exposure multiplies. At 350 leads per month from each non-compliant vendor, over a four-year statute of limitations, your exposure reaches 16,800 potentially non-compliant calls. At $500 to $1,500 per violation, that is $8.4 million to $25.2 million in potential damages.

The Call Center Scenario

You hire an outsourced call center to contact your leads. You provide scripts, calling hours, and suppression lists. You pay per dial or per appointment set.

The call center uses a predictive dialer with aggressive settings that occasionally calls consumers multiple times per day, violating call frequency standards. Their time zone management system has a bug that places calls at 7:15 AM in the recipient’s time zone – 45 minutes before the permitted calling window.

You did not instruct the call center to call early or excessively. But the call center acts with your actual authority when making calls on your behalf. Their technical failures become your liability.

The Marketing Partner Scenario

You have an affiliate marketing relationship with a lead generator who runs Facebook ads driving traffic to your co-branded landing page. The landing page captures leads that route to your sales team.

The affiliate, seeking to maximize volume, begins running ads with misleading claims about insurance savings. They add incentivized traffic sources without your approval. Their landing page consent disclosure fails to clearly identify your company as one of the callers.

Consumers who submit forms on the affiliate’s landing page receive calls from your sales team. But the consent they provided is defective – either because the disclosure was unclear, the traffic was incentivized, or the claims that induced submission were deceptive.

You face liability for calls made to leads where consent was not properly obtained, even though you never controlled the affiliate’s advertising or landing page design.

The Subcontractor Chain

Perhaps the most dangerous scenario involves subcontractor chains where you have no direct relationship with the violating party.

You purchase leads from an aggregator. The aggregator sources leads from multiple publishers. One publisher subcontracts lead generation to a call center that makes outbound calls to generate leads. That call center makes non-compliant calls – no consent, wrong hours, DNC violations.

The leads flow up the chain: call center to publisher to aggregator to you. You call the leads, having no idea they were originally generated through violating calls.

When the class action is filed, it names you as a defendant. Plaintiff’s counsel argues that you are the ultimate beneficiary of the calling scheme, that the calls were made to generate business for your company, and that you ratified the conduct by purchasing and using the leads.

You may have indemnification claims all the way down the chain. But indemnification rights are only as valuable as the companies providing them. If the call center that actually made the calls has no assets, the publisher has minimal insurance, and the aggregator disclaims liability, your indemnification rights may be worthless.

The Moore v. Torchlight Case Study

Recent case law reinforces both the exposure and the potential remedies in vendor liability situations. The Moore v. Torchlight Technology Group case in the Northern District of Illinois provides instructive guidance.

The Facts

Torchlight Technology Group operated as a lead generator, selling leads to clients who would contact consumers for marketing purposes. Torchlight generated leads through various sources, including some obtained through subcontractors.

A plaintiff filed a TCPA class action against both Torchlight and one of its lead buyers. The plaintiff alleged that calls made using leads from Torchlight violated the TCPA because proper consent had not been obtained.

The Indemnification Ruling

The court granted summary judgment requiring Torchlight to indemnify its client for TCPA claims arising from the defective leads. The court’s analysis highlighted several critical failures on Torchlight’s part.

Torchlight could not produce documentation showing that valid prior express written consent was obtained for the leads at issue. They had inadequate systems for tracking consent documentation, and when challenged, they could not prove what consent language consumers had seen or agreed to. Additionally, Torchlight used subcontractors to generate some leads but did not verify that those subcontractors maintained compliant consent practices.

The indemnification judgment underscores that lead generators who fail compliance standards may be required to cover the full costs incurred by their buyers – including settlements, judgments, and defense costs.

The Practical Lessons

The Moore v. Torchlight case teaches several practical lessons for lead generation operations.

First, document everything. The generator’s inability to produce consent documentation was fatal to their defense. TrustedForm certificates, Jornaya LeadiDs, or equivalent documentation should be captured for every lead and retained for at least five years.

Second, indemnification provisions matter. The buyer’s contractual indemnification rights allowed them to shift liability back to the generator. But indemnification only works if the indemnifying party has resources to pay.

Third, due diligence is not optional. Buyers who rely on vendor representations without verification inherit vendor problems. The court’s analysis suggests that buyers have responsibility to verify vendor compliance practices.

Fourth, subcontractor chains create risk. Torchlight’s use of subcontractors without adequate oversight contributed to their liability. Every party in the lead flow chain should verify compliance upstream.

Structuring Vendor Relationships to Manage Exposure

Given the vicarious liability exposure that vendor relationships create, structuring those relationships to manage and allocate risk becomes essential.

Contractual Protections

Every vendor agreement – whether you are buying leads, hiring a call center, or engaging marketing partners – should include specific TCPA compliance provisions.

Compliance Representations and Warranties

The vendor should represent and warrant that all leads are generated in compliance with the TCPA and applicable state laws, that prior express written consent was obtained for all leads where marketing calls will be made, that consent disclosures meet “clear and conspicuous” standards, that consent was not obtained as a condition of purchase, that the vendor’s consent language has been reviewed by qualified counsel, and that the vendor uses TrustedForm, Jornaya, or equivalent consent verification.

These representations create a basis for indemnification claims if they prove false.

Indemnification Provisions

The vendor should agree to indemnify, defend, and hold harmless the buyer against TCPA claims arising from consent deficiencies in leads provided, claims arising from the vendor’s calling practices, claims arising from subcontractor conduct, and all defense costs, settlement amounts, and judgments.

The indemnification should be backed by adequate insurance. A contract promise to indemnify means nothing if the vendor lacks resources to pay.

Insurance Requirements

Require vendors to maintain errors and omissions insurance with limits adequate for TCPA exposure, specific TCPA coverage endorsements where available, your company listed as an additional insured on relevant policies, and certificates of insurance provided upon request.

Standard commercial liability policies often exclude TCPA claims. Verify that coverage actually applies.

Audit Rights

Reserve the right to audit vendor compliance practices, including review of consent language and form design, verification of TrustedForm and Jornaya implementation, examination of calling technology configurations, review of DNC suppression procedures, and inspection of subcontractor agreements.

Audit rights are useless if never exercised. Schedule periodic audits and document findings.

Termination Rights

Include termination rights for compliance failures: immediate termination upon discovery of material compliance deficiency, termination for failure to cure identified issues, and termination upon receipt of regulatory inquiry or litigation.

Do not be contractually bound to continue purchasing leads from a vendor whose compliance practices are questionable.

Due Diligence Before Engagement

Before engaging any vendor that will generate leads or make calls on your behalf, conduct comprehensive due diligence.

Compliance Program Assessment

Review the vendor’s written TCPA compliance policies, consent capture procedures and documentation, calling hour management systems, DNC suppression processes, revocation handling procedures, and training programs with their documentation.

Obtain samples of all consent language the vendor uses. Have qualified counsel review for clear and conspicuous disclosure, proper seller identification, E-SIGN compliance for electronic consent, and state-specific requirements.

Technology Verification

Verify that the vendor uses TrustedForm, Jornaya, or equivalent consent documentation, implements real-time lead validation, maintains proper time zone management, and has functioning DNC suppression.

Litigation History

Search for prior TCPA litigation against the vendor through PACER for federal cases, state court searches in major jurisdictions, and industry reputation among other buyers. A vendor with a history of TCPA litigation may indicate systemic compliance failures.

Financial Stability

Assess whether the vendor can actually honor indemnification obligations through financial statements or references, insurance certificates, and business longevity and stability. An indemnification promise from an undercapitalized vendor provides no protection.

Ongoing Monitoring

Due diligence at engagement is necessary but not sufficient. Compliance can degrade over time as vendors cut corners, change processes, or add subcontractors.

Regular Audits

Conduct periodic audits of vendor compliance through quarterly review of consent certificates, random sampling of TrustedForm replays, verification that consent language remains compliant, and review of any form or process changes.

Performance Monitoring

Track metrics that indicate compliance issues, including consumer complaint rates by source, TCPA demand letter origins, return rates suggesting data quality problems, and contact rate declines indicating list issues.

Complaint Investigation

When consumers complain about unwanted calls, trace the lead to its source, review consent documentation, assess whether the complaint indicates systemic issues, and address patterns with the vendor if they emerge.

Incident Response

When you receive a TCPA demand letter or lawsuit, immediately identify the lead source, pull consent documentation, notify the vendor in writing, invoke indemnification provisions, and preserve all related records.

Managing Subcontractor Exposure

If your vendors use subcontractors, your exposure extends to those subcontractors’ conduct. Managing this exposure requires disclosure requirements that mandate vendors disclose all subcontractors involved in lead generation or calling, with no subcontractor additions without prior approval. Flow-down obligations require vendors to impose the same compliance obligations on their subcontractors that you impose on the vendor, and indemnification should cover subcontractor violations. Verification rights reserve your ability to audit subcontractor compliance directly or require the vendor to conduct and document such audits. Finally, subcontractor insurance requirements ensure subcontractors maintain adequate coverage that lists both the vendor and you as additional insureds.

The Liability Defense Playbook

When vicarious liability claims arise – and they will, regardless of precautions – having a defense strategy prepared in advance dramatically improves outcomes.

Immediate Response Protocol

The first 72 hours after receiving a TCPA complaint or demand letter determine the trajectory of the entire matter.

The First Four Hours

In the first four hours, you must stop all calling campaigns involving the plaintiff’s phone number, preserve all records without deleting anything, contact TCPA-specialized defense counsel, notify your E&O insurance carrier, and begin documenting everything you learn.

The First Twenty-Four Hours

Between hours four and twenty-four, issue written litigation hold to all relevant personnel, identify the lead source for the plaintiff, pull consent documentation including TrustedForm certificates, gather call logs showing contact with the plaintiff, and identify potential indemnification claims against vendors.

The First Seventy-Two Hours

By the end of the third day, work with counsel to assess consent documentation strength, evaluate vendor indemnification rights and vendor solvency, determine if early individual settlement makes sense, and begin preparing opposition to class certification if applicable.

The Vendor Notification Process

When a claim involves leads from a vendor, proper notification preserves your indemnification rights.

Written Notice

Send formal written notice to the vendor within contractually specified timeframes, often ten to thirty days. The notice should include a copy of the complaint or demand letter, identification of leads at issue, request for consent documentation, demand for defense and indemnification, and request for vendor’s TCPA insurance information.

Documentation Request

Demand immediate production of TrustedForm certificates for all leads from the plaintiff’s phone number, consent language versions in effect during the relevant period, form configuration and change history, and any prior complaints from this consumer.

Cooperation Requirement

Invoke contractual cooperation provisions requiring the vendor to assist in the defense, produce witnesses as needed, provide ongoing documentation, and coordinate defense strategy.

Insurance Tender

If the vendor has TCPA insurance naming you as additional insured, tender the claim to their carrier directly. Do not rely solely on the vendor to do this.

Building the Defense

Even in vicarious liability cases, defenses exist. Your counsel should evaluate several potential approaches.

If you have strong consent documentation showing the plaintiff agreed to receive calls, this provides your best defense. Strong consent evidence includes TrustedForm certificates with session replay, clear disclosure identifying your company, consumer affirmative action such as a checkbox or signature, and complete metadata including timestamp, IP address, and form URL. See our guide on TrustedForm vs Jornaya for platform comparison. See our guide on TrustedForm vs Jornaya for platform comparison. Many cases settle quickly when defendants can produce compelling consent evidence.

Negating Agency

You may challenge whether an agency relationship existed by examining whether the third party actually acted on your behalf, whether you had control over the calling practices, whether the violation was within the scope of authority, and whether a reasonable consumer would believe the calls were from you. This defense is fact-intensive and requires careful analysis of the actual relationship.

Standing Challenges

Following TransUnion v. Ramirez, defendants increasingly challenge plaintiff standing by questioning whether the plaintiff suffered concrete harm, whether beyond receipt of the unwanted call any injury occurred, and whether the plaintiff can demonstrate actual damages or concrete consequences. This defense works best when plaintiffs cannot show tangible harm beyond annoyance.

ATDS Defense

Following Facebook v. Duguid, the definition of automatic telephone dialing system was narrowed. The analysis examines whether the dialer actually used random or sequential number generation or simply called from a stored list. If no ATDS was used and calls were not prerecorded, certain TCPA provisions may not apply.

Statute of Limitations

The TCPA has a four-year statute of limitations. Review when the alleged calls occurred and whether the limitations period has expired for any claims. Claims for calls made more than four years before filing are time-barred.

The Indemnification Claim

Parallel to defending the underlying claim, pursue indemnification from vendors.

Trigger Events

Indemnification obligations typically trigger upon receipt of a claim alleging facts covered by indemnification, demand for indemnification made in writing, and compliance with notice requirements in the contract.

Scope of Indemnification

Most indemnification provisions cover defense costs including attorney fees, expert fees, and discovery costs, along with settlement amounts, judgments, and related costs and expenses. Verify whether indemnification covers only third-party claims or also regulatory investigations.

Enforcement

If a vendor refuses to honor indemnification, document all demands and refusals, consider separate litigation to enforce the indemnification, evaluate insurance coverage that may apply, and assess collectability before investing in enforcement.

Settlement Coordination

If the underlying case settles, coordinate with the vendor to obtain vendor consent to settlement if contractually required, ensure settlement does not waive indemnification rights, document the vendor’s share of settlement costs, and pursue collection after settlement if the vendor does not participate.

Insurance Considerations

Insurance provides critical protection against both direct TCPA exposure and the risk that vendor indemnification proves worthless.

Limitations of Standard Coverage

Most standard commercial general liability policies do not cover TCPA claims. CGL policies typically exclude “invasion of privacy” claims, courts have applied these exclusions to deny TCPA coverage, and standard errors and omissions policies also often exclude TCPA.

Do not assume your existing insurance covers TCPA exposure. Request a coverage opinion from your broker specifically addressing TCPA scenarios.

TCPA-Specific Coverage

Specialized TCPA insurance has become more available as TCPA litigation has grown.

TCPA-specific policies may cover defense costs for TCPA claims, settlement amounts, judgments, and regulatory investigation costs. Policies typically offer limits from $250,000 to $5 million or more. Consider your exposure based on call volume and evaluate whether limits are adequate.

Even TCPA-specific policies contain exclusions. Known violations, meaning claims arising from conduct you knew was non-compliant, are typically excluded, along with intentional violations, claims outside the policy period, and certain types of calling technology. Review policy language carefully before purchasing.

TCPA insurance premiums typically range from $15,000 to $50,000 or more annually for $1-5 million in coverage, depending on your call volume, your industry vertical, your claims history, and your compliance program strength. For context on the financial exposure these policies address, see our TCPA settlement costs analysis. For context on the financial exposure these policies address, see our TCPA settlement costs analysis.

Additional Insured Status

When contracting with vendors, require that you be named as an additional insured on their TCPA policies. This provides direct access to their coverage, allows claims against you to be tendered to their carrier, and ensures coverage applies even if the vendor is uncooperative.

Obtain certificates of insurance confirming additional insured status and verify the policy remains in effect annually.

Coordinating Coverage

When a claim involves both your coverage and vendor coverage, tender to all potentially applicable policies, understand which coverage is primary versus excess, coordinate defense to avoid coverage gaps, and document all insurance communications.

Building Vendor Liability Protection Into Operations

Beyond contracts and insurance, operational practices can reduce vicarious liability exposure.

Lead Source Vetting

Implement systematic vetting for all lead sources.

Initial Qualification

Before accepting leads from any source, review their consent capture forms, verify TrustedForm and Jornaya implementation, examine their TCPA compliance policies, check litigation history, and assess financial stability.

Ongoing Qualification

Requalify vendors periodically through annual compliance audits, quarterly performance reviews, and immediate review after any complaint or demand letter.

Do not rely solely on vendor representations about consent.

Certificate Retrieval

For every lead, retrieve and store consent certificates by claiming TrustedForm certificates before calling, verifying that certificates exist and are valid, and reviewing certificate content for key elements.

Certificate Review

Before calling, verify that certificates show your company identified in consent disclosure, clear and conspicuous disclosure language, consumer affirmative consent action, and appropriate timestamp and IP address.

Random Audits

Conduct random deep audits of certificates by watching TrustedForm session replays, verifying disclosure matches compliance requirements, and identifying patterns suggesting systemic issues.

Documentation Practices

Create documentation that supports defense if claims arise.

Lead Records

For every lead, maintain source identification, consent certificate URL or reference, date and time of receipt, all contact attempts and outcomes, and any revocation requests.

Vendor Records

For every vendor, maintain contracts with compliance provisions, due diligence documentation, audit reports and findings, insurance certificates, and compliance communications.

Retention Period

Retain all documentation for at least five years. This accommodates the four-year statute of limitations plus buffer time, meets the TSR five-year consent retention requirement, and provides sufficient time to defend delayed claims.

Call Center Management

If you use call centers, manage them as high-risk vendors.

Script Control

Provide approved scripts and monitor compliance, ensuring required disclosures are included, prohibited claims are excluded, and opt-out handling is specified.

Technology Oversight

Verify call center technology functions properly, confirming time zone management is accurate, DNC suppression is operational, call recording is active, and attempt limits are enforced.

Quality Monitoring

Implement ongoing quality monitoring through call recording review, compliance audits, consumer complaint tracking, and disposition analysis.

Frequently Asked Questions

1. When am I liable for calls made by a vendor or partner?

You face potential vicarious liability when a third party makes calls on your behalf under agency principles. This includes situations where you authorized the calls (actual authority), where the caller created a reasonable belief they were calling on your behalf (apparent authority), or where you accepted the benefits of the calls after learning they may have been non-compliant (ratification). If the calls promoted your products or services, generated leads for your business, or were made using lists or data you provided, vicarious liability may apply.

2. Does an indemnification clause protect me from TCPA lawsuits?

An indemnification clause does not prevent you from being sued – consumers can still name you as a defendant. However, a properly drafted indemnification clause allows you to seek reimbursement from the vendor for defense costs, settlements, and judgments. The practical protection depends on whether the vendor has resources to honor the indemnification, either through their own assets or through TCPA insurance coverage. An indemnification promise from an undercapitalized vendor provides no real protection.

3. What due diligence should I conduct before purchasing leads?

Before purchasing leads from any vendor, review their consent capture forms and disclosure language, verify they use TrustedForm or Jornaya for consent documentation, examine their written TCPA compliance policies, check their litigation history through PACER and state court searches, assess their financial stability to honor indemnification obligations, obtain certificates of insurance confirming TCPA coverage, and have qualified counsel review their consent language. This due diligence should be documented and repeated periodically.

4. Can I rely on vendor representations that leads are compliant?

You can contractually require representations and warranties about compliance, which provide a basis for indemnification claims. However, relying solely on vendor representations without verification exposes you to risk. Courts have found that purchasers have responsibility to verify compliance, particularly when red flags exist. Retrieve and review consent certificates before calling leads. Document your verification processes. Vendor representations provide legal remedies but do not eliminate your direct liability to consumers.

5. What should I do immediately upon receiving a TCPA demand letter?

Within the first 24 hours: stop calling the complaining consumer, preserve all related records (issue a litigation hold), contact TCPA-specialized defense counsel, notify your insurance carrier, identify the lead source for the consumer, and retrieve consent documentation. Within the first week: pull TrustedForm or Jornaya certificates for the consumer, notify the vendor in writing of the claim and your intent to seek indemnification, gather call logs and contact history, and assess the strength of your consent defense with counsel.

6. Does my general liability insurance cover TCPA claims?

Most standard commercial general liability policies do not cover TCPA claims. Common policy exclusions for “invasion of privacy” have been applied by courts to deny coverage for TCPA lawsuits. Standard errors and omissions policies also often exclude TCPA. You should request a specific coverage opinion from your broker addressing TCPA scenarios and consider purchasing specialized TCPA coverage. Do not assume coverage exists without explicit confirmation.

Have qualified TCPA counsel review the vendor’s consent language against current requirements: the disclosure must be clear and conspicuous (not buried in fine print), must identify authorized callers specifically, must not be a condition of purchase, must include required ATDS/prerecorded voice disclosure, must identify the phone number for which consent is granted, and must satisfy E-SIGN requirements for electronic signatures. Also verify through TrustedForm or Jornaya certificates that the disclosed language actually appears on the forms and is visible to consumers at the moment of consent.

8. What if my vendor uses subcontractors I did not approve?

Subcontractor chains create significant exposure because the subcontractor’s violations can create liability for you through the vendor relationship. Contractually require vendors to disclose all subcontractors and prohibit adding subcontractors without your approval. Require flow-down of compliance obligations to subcontractors. Ensure indemnification covers subcontractor violations. Consider requiring subcontractors to name you as additional insured on their TCPA policies. If you discover undisclosed subcontractors, evaluate whether to terminate the vendor relationship.

Retain consent documentation for at least five years after the last contact made pursuant to that consent. The TCPA has a four-year statute of limitations, so you need documentation available throughout that period plus buffer time for claims filed near the deadline. The Telemarketing Sales Rule was amended in March 2024 to require five-year retention for consent records. TrustedForm certificates should be claimed at the time of lead receipt and stored in your systems, not relied upon to remain available at TrustedForm indefinitely.

10. What recourse do I have if a vendor refuses to honor indemnification?

If a vendor refuses to honor indemnification obligations: document all demands and refusals in writing, review the contract for dispute resolution procedures, evaluate whether the vendor has assets or insurance to satisfy a judgment, consider whether the cost of enforcement exceeds likely recovery, and consult with counsel about filing a separate action to enforce indemnification. You may also tender the claim directly to the vendor’s insurance carrier if you are named as an additional insured. In some cases, the vendor’s refusal to honor indemnification may constitute breach justifying contract termination.

Key Takeaways

  • Vicarious liability extends TCPA exposure to calls you never made. Under agency principles recognized by the FCC and courts, you can be held liable for TCPA violations by lead generators, call centers, and marketing partners who act on your behalf.

  • The two primary liability theories are actual authority and apparent authority. Actual authority arises when you authorize calling activity. Apparent authority arises when callers create reasonable belief they act on your behalf, even without actual authorization.

  • Indemnification clauses do not prevent lawsuits. They provide contractual remedies to shift costs back to the responsible vendor. But indemnification is only valuable if the vendor has resources or insurance to pay.

  • Due diligence before engagement is essential. Review vendor consent language, verify TrustedForm/Jornaya implementation, check litigation history, and assess financial stability before purchasing leads or engaging call services.

  • Standard insurance typically excludes TCPA claims. General liability and standard E&O policies often do not cover TCPA exposure. Specialized TCPA insurance and additional insured status on vendor policies provide necessary protection.

  • Consent certificate verification is non-negotiable. Do not rely on vendor representations alone. Retrieve and review TrustedForm or Jornaya certificates before calling. Document your verification processes.

  • The first 72 hours after receiving a claim are critical. Stop calling the complaining consumer, preserve records, contact specialized counsel, notify insurance, identify the lead source, and retrieve consent documentation immediately.

  • Subcontractor chains multiply exposure. Require vendor disclosure of subcontractors, prohibit additions without approval, mandate flow-down of compliance obligations, and ensure indemnification covers subcontractor violations.

  • Documentation practices support defense. Maintain comprehensive records of lead sources, consent certificates, vendor contracts, due diligence findings, and compliance communications for at least five years.

  • The math is unforgiving. A vendor compliance failure affecting 1,000 leads per month over four years creates exposure of $24 million to $72 million. Invest in prevention proportionate to the risk.

Build Protection Before You Need It

Vendor liability in TCPA enforcement has become one of the industry’s most dangerous and least understood risks. The companies that survive are not those with perfect vendors – perfection does not exist in a complex supply chain. The survivors are companies that structured relationships to allocate risk, documented practices to support defense, maintained insurance to absorb exposure, and responded quickly when claims arose.

The litigation environment will not moderate. With 2,788 TCPA cases filed in 2024 and class actions representing 80% of filings, the plaintiff’s bar has organized to pursue these claims systematically. Every lead you purchase, every call center you engage, every marketing partner you work with represents both opportunity and exposure.

Build the protection infrastructure now. The complaint will not wait for you to be ready.

This article provides general information about TCPA vicarious liability. It is not legal advice. TCPA requirements change frequently, and specific situations require specific analysis. Consult qualified TCPA counsel for guidance on your particular circumstances.

Statistics current as of late 2025. Source: WebRecon TCPA litigation data, FCC regulatory filings, published case law.

The Podcast

Industry Conversations.

Candid discussions on the topics that matter to lead generation operators. Strategy, compliance, technology, and the evolving landscape of consumer intent.

Listen on Spotify