TL;DR

  • “TCPA compliant leads” is a marketing phrase, not a legal certification. There is no government registry, no industry seal, and no audit body that issues compliance ratings for individual leads. The buyer is responsible for proving consent — even when the publisher collected it.
  • Under FCC rules, prior express written consent must be specific, conspicuous, and tied to the seller making the call. A lead is only as compliant as the consent record behind it, and that record has to survive a four-year statute of limitations.
  • Most buyer-side TCPA exposure is procurement risk, not dialer risk. The contract, the consent capture method, the disclosure language, and the audit rights you negotiate before money changes hands matter more than any post-hoc scrub.
  • This guide walks through the diligence questions, contract terms, and verification practices buyers should require from every publisher — with checklists you can paste into your vendor onboarding flow.

Overview: What “TCPA Compliant” Actually Means for Buyers

Lead buyers operate under a structural disadvantage in TCPA litigation: you didn’t collect the consent, but you placed the call. When a plaintiff alleges they never agreed to be contacted, you are the one holding the dialer logs, and you are the one named in the complaint.

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, prohibits telemarketing calls and texts made using an automatic telephone dialing system or prerecorded voice without the recipient’s prior express written consent. The FCC’s implementing rules at 47 C.F.R. § 64.1200(f)(9) define what that consent must include — a clear and conspicuous disclosure, identification of the seller, the technology being used, and an unambiguous signature.

A “compliant lead” is a lead where each of those elements was satisfied at the moment of capture, attributed to a specific consumer, and documented well enough to produce in litigation years later. Buying compliant leads means buying the evidence that proves it — not just the contact record.

The good news: the patterns that separate defensible programs from risky ones are well established. The questions you ask during diligence are the same questions a plaintiff’s attorney will ask during discovery. Asking them first is cheaper.

Vet the Publisher Before You Vet the Leads

Before evaluating a single lead file, evaluate the publisher’s program. Publishers vary widely in compliance maturity, and the cheapest leads almost always come from the publishers least equipped to defend them.

What to Ask About Lead Sourcing

  • Where do the leads originate? Publisher-owned properties, partner networks, co-registration paths, and third-party traffic sources each carry different risk profiles. Co-reg paths and unbranded landing pages are the most common source of TCPA litigation.
  • How many hops are between the consumer and the consent form? Each hop adds a place where disclosure language can drift, get stripped, or fail to render.
  • Is the seller named in the disclosure? Generic “marketing partners” language has been challenged repeatedly. Hand v. Beach Entertainment KC (W.D. Mo. 2020) is one of several cases where vague seller identification undermined the defendant’s consent defense.
  • Is consent capped to specific verticals or unrestricted? Insurance leads collected on a debt relief landing page are not insurance leads — they are litigation waiting for a connection.

What to Ask About the Form

  • The exact disclosure language, in writing
  • A live URL or screenshot of every consent form variant currently in production
  • Whether the form is responsive, and how it renders on mobile (the majority of lead traffic)
  • Whether disclosure language sits above or below the submit button (above is the defensible standard)
  • How A/B tests are tracked so you can identify which variant a specific lead saw

What to Ask About Their Evidence

This is the question that separates serious publishers from risky ones: What does your consent record for a single lead actually contain?

A defensible answer includes a contemporaneous capture of the rendered page, the consumer’s interactions, the form state, and the submission event — tied to a specific lead ID and retrievable on demand. A weak answer involves the phrase “we have a certificate” with no detail about what the certificate contains or how it was generated.

We’ve covered this distinction in depth in why consent certificates aren’t enough and in our complete guide to consent verification. For buyers, the practical question is: when a TCPA complaint lands, can the publisher produce the evidence within 30 days, and will it persuade a court?

Get the Right Terms in the Contract

Lead purchase agreements set the legal floor for the relationship. Buyers routinely sign templates from publishers that allocate risk in the publisher’s favor — broad indemnity carve-outs, narrow representations, and audit rights that exist only on paper.

A buyer-friendly TCPA section should cover the following at minimum.

Representations and Warranties

  • The publisher represents that each lead was collected with prior express written consent meeting all FCC requirements
  • The publisher represents that consent records are stored for at least four years (matching the TCPA statute of limitations)
  • The publisher represents that disclosure language explicitly identified the buyer or a list including the buyer
  • The publisher represents that consumer-facing UX (mobile and desktop) presented the disclosure clearly and conspicuously

Indemnification

  • Indemnity should cover TCPA, state mini-TCPAs (Florida, Washington, Oklahoma, Maryland have all enacted aggressive consent statutes), and DNC violations
  • Indemnity should cover attorneys’ fees and defense costs, not just settlements or judgments
  • Carve-outs should be narrow — limited to consumer revocation events that occur after lead delivery, not pre-existing flaws in consent capture

Audit Rights

  • The right to request consent evidence for any lead within a defined SLA (5 business days is reasonable)
  • The right to conduct or commission third-party audits of the publisher’s consent capture systems
  • The right to terminate without penalty if the publisher fails an audit or cannot produce evidence on demand

Data Retention

  • Specify the exact retention period for consent evidence — at least 4 years, ideally 5 to cover state law variations
  • Specify the format the evidence must be retrievable in (raw recording vs. exported summary)
  • Specify what happens to evidence if the publisher goes out of business — escrow arrangements are increasingly common

Buyer Contract Checklist

  • TCPA-specific representations and warranties
  • Indemnity for TCPA, state mini-TCPAs, and DNC violations
  • Defense costs covered, not just settlements
  • Per-lead audit right with defined SLA
  • Third-party audit right
  • Termination right tied to audit failures
  • Minimum 4-year retention for consent evidence
  • Data escrow or transfer obligations on publisher exit
  • Notice obligations for material changes to consent forms or disclosure language

Validate the Lead File at Ingestion

Even with strong contracts and a vetted publisher, every batch of leads should pass through a validation layer before it reaches your dialer. This is your last opportunity to catch problems before liability attaches.

Validation Checklist

  • Phone number format is valid and not on the National DNC Registry (unless an established business relationship applies)
  • State-level DNC lists are checked for jurisdictions where the consumer’s number is registered
  • Reassigned Numbers Database (RND) is checked — calling a number reassigned to a non-consenting consumer is a violation regardless of original consent
  • Lead IP address geolocation is consistent with the claimed consumer location (mismatches suggest fraud or bot traffic)
  • Timestamp of consent is recent enough that the consumer is likely to remember consenting (stale leads become “I never gave consent” claims)
  • Consent record is retrievable from the publisher for spot-checked leads
  • Disclosure language at the moment of capture matches the contractually warranted version

The Reassigned Numbers Database deserves special attention. The FCC established a safe harbor for callers who check the RND before dialing, but that safe harbor only protects against reassignment claims — it does nothing for original consent defects. Buyers should treat RND checks as a hygiene step, not a compliance shortcut.

Build a Per-Lead Evidence Trail

When a TCPA complaint lands, the company being sued is rarely able to produce a complete evidence package within the deadlines required for an effective defense. Buyers who pre-build the evidence trail save significant cost and stress.

For every lead you contact, you should be able to retrieve, on demand:

  • The original consent record from the publisher (recording, capture, or both)
  • The lead handoff record showing when and how the lead was delivered
  • Your dialer logs showing how and when you contacted the consumer
  • Any consumer interactions — opt-outs, callbacks, consent confirmations during the call
  • Records of any subsequent transfers (if you re-sold or shared the lead)

The closer this evidence sits to a faithful reproduction of the consumer’s actual experience, the more defensible it is. We’ve written about what courts actually accept as proof in detail; the short version is that consumer-perspective evidence — what the consumer saw, on the device they used, at the moment they submitted — consistently outperforms after-the-fact reconstructions.

Build a Revocation and Suppression System

Consent is not permanent. Under Van Patten v. Vertical Fitness Group (9th Cir. 2017), consumers may revoke consent through any reasonable means. The FCC’s 2024 revocation rules (the FCC’s One-to-One Consent Order, finalized in 2024) further expanded the operational requirements for honoring opt-outs.

Buyers need a revocation system that:

  • Captures revocation requests across every channel (call, text, email, web, mailed letter)
  • Propagates suppression upstream to publishers and downstream to any partners who received the lead
  • Persists for the full statute of limitations period — a re-dialed revoked number is a fresh violation
  • Logs the revocation event with timestamps, channel, and the exact request received

The mini-TCPA statutes are even more aggressive. Florida’s FTSA and Washington’s CEMA have both produced active class-action dockets, and consumer-friendly courts in those jurisdictions are unforgiving of operational gaps in revocation handling.

Pricing, Margins, and the Compliance Floor

Cheap leads exist for a reason. Below a certain price point, the math of running a defensible compliance program stops working for the publisher, and corners get cut. The savings show up in your dialer; the costs show up in litigation.

A useful heuristic: if a publisher is selling leads in your vertical at a price meaningfully below the market floor, they are either subsidizing growth (temporary), running an operation that cannot afford serious consent infrastructure (permanent), or both. The litigation tail on cheap leads tends to outlast the publisher.

We’ve written about the emerging two-tier lead market — buyers willing to pay for verified leads and buyers chasing the lowest CPL — and about the downstream economics of consent breakdowns. The pattern is consistent: under-priced leads concentrate risk on the buyer.

Key Takeaways

  • “TCPA compliant” is a description of evidence quality, not a regulatory designation. Buyers carry the proof burden regardless of who collected the consent.
  • Vet publishers based on what their consent record actually contains, not on certifications or marketing language. The diligence questions are the same questions plaintiffs’ attorneys will ask in discovery.
  • Negotiate contracts that lock in TCPA-specific representations, broad indemnity, per-lead audit rights, and 4+ year evidence retention. A weak template is the largest single avoidable source of buyer-side risk.
  • Validate every lead at ingestion against DNC, RND, geographic plausibility, and consent recency. Spot-check the evidence trail at the publisher.
  • Build a revocation system that captures opt-outs across every channel, propagates them upstream and downstream, and persists for the full limitations period.
  • The cheapest leads tend to carry the most expensive long tail. Compliance has a price floor, and buying below it transfers risk rather than eliminating it.

If you’re evaluating publishers and want to see what defensible per-lead consent evidence looks like in practice, see how independent verification compares to self-recorded approaches.