TL;DR

  • Insurance is the most litigated vertical under the Telephone Consumer Protection Act. Auto, health, Medicare, and final expense leads sit at the top of nearly every plaintiff’s-firm intake list because the contact economics make per-lead damages worth pursuing.
  • The federal compliance floor is the TCPA at 47 U.S.C. § 227 and the FCC’s rules at 47 C.F.R. § 64.1200. Insurance carriers and agencies that buy leads inherit the same proof burden as if they had collected the consent themselves.
  • Medicare and Medicare Advantage marketing carries an additional layer of obligations through CMS regulations at 42 C.F.R. § 422.2274 and the agent of record rules — a layer that does not exist in general property-and-casualty lines.
  • State mini-TCPA statutes — most prominently Florida (FTSA), Washington (CEMA), Oklahoma, and Maryland — apply on top of the federal framework and have triggered insurance-specific litigation waves over the past three years.
  • The consent record that survives in insurance litigation is not the lead form itself. It is the rendered disclosure, the affirmative consumer action, an immutable timestamp, and an unbroken chain of custody from the consent event to the number dialed by the agent.

Overview: Why Insurance Is the Hardest Vertical

Insurance lead generation operates at scale that few other regulated verticals match. A single national health insurance broker may purchase from a dozen publishers, each of whom aggregates from dozens of sub-publishers, who in turn buy traffic from hundreds of affiliates. By the time a Medicare Advantage lead reaches the licensed agent dialing the number, the consent record has often passed through four or five hands.

That distribution depth is the source of most insurance TCPA litigation. The plaintiff has to prove only that an unsolicited call or text was placed; the defendant has to prove that the consumer agreed to receive it. In a typical insurance dispute, the defendant cannot reproduce what the consumer saw, when they saw it, or whether the seller named in the eventual call was actually disclosed at the moment of consent.

Three regulatory regimes layer on top of one another:

  • The TCPA and the FCC’s implementing rules apply to any autodialed or prerecorded call or text to a mobile number, regardless of insurance line.
  • CMS marketing rules apply specifically to Medicare and Medicare Advantage outreach and impose substantive disclosure, scope-of-appointment, and recordkeeping obligations that have no counterpart in commercial insurance.
  • State mini-TCPAs and DOI advertising rules add jurisdiction-specific requirements on consent format, calling hours, abandoned-call rates, and disclosures.

Compliance in insurance lead generation is not about picking the strictest standard and applying it everywhere. It is about classifying each campaign correctly and engineering the record that the controlling regime actually requires.

The Federal Floor: TCPA and FCC Rules

The federal baseline that governs every insurance lead-funded outreach campaign is the TCPA, codified at 47 U.S.C. § 227, and the FCC’s implementing regulations at 47 C.F.R. § 64.1200.

For autodialed or prerecorded telemarketing calls or texts to a mobile number — the channel that virtually all modern insurance lead programs use — the operative requirement is prior express written consent under 47 C.F.R. § 64.1200(a)(2) and the four-element definition at § 64.1200(f)(9). The agreement must:

  • Be in writing, including electronic forms recognized under the E-SIGN Act at 15 U.S.C. § 7001.
  • Bear the signature of the consumer.
  • Include a clear and conspicuous disclosure authorizing the named seller to deliver autodialed or prerecorded telemarketing calls or texts.
  • Make clear that consent is not a condition of purchase.

The FCC’s 2023 Lead Generators Order and the subsequent 2025 reconsideration proceedings tightened the seller-identification element. Under the current rule, consent is given to one seller at a time, the seller must be identified by name within the disclosure, and the goods or services being offered must be specifically described. Generic “marketing partners” language no longer satisfies the rule and has been a reliable losing fact pattern in recent insurance litigation.

Insurance buyers should understand that the proof burden is on them, not the publisher. Murphy v. DCI Biologicals Orlando, LLC (11th Cir. 2015) is the most-cited authority for the consumer-volunteered-the-number theory of express consent, but courts have consistently held that providing a number to one party is not consent to be called by another — the seller-specific consent requirement is structural, not procedural. Van Patten v. Vertical Fitness Group, LLC (9th Cir. 2017) reinforced that consent must be commensurate with the scope of the messaging it authorizes, an analysis that maps directly onto cross-vertical lead sharing in insurance.

The internal-DNC rules at 47 C.F.R. § 64.1200(d) add operational obligations that survive any consent analysis: a written do-not-call policy, training, honoring requests within a reasonable time (the FCC has interpreted this as ten business days at most), and maintaining a list of opted-out consumers for five years.

Medicare and Medicare Advantage: The Extra Layer

Medicare Advantage and Part D marketing is regulated separately from general insurance marketing through the Centers for Medicare and Medicaid Services. The substantive rules at 42 C.F.R. §§ 422.2260–422.2276 and 423.2260–423.2276 govern who may market, how they may identify themselves, what disclosures they must make, and what consent they must obtain to discuss specific plans.

Three CMS requirements interact directly with the TCPA proof burden:

  • The agent of record concept. The consumer’s prior selection of an agent of record affects what other agents may offer. Marketing activities by agents who are not the agent of record are constrained, and the consumer’s selection must be documented.
  • The Scope of Appointment. Under 42 C.F.R. § 422.2264, agents must obtain and document a Scope of Appointment from the beneficiary at least 48 hours before discussing specific Medicare Advantage or Part D plans. The SOA must identify the product lines to be discussed and be retained for at least ten years.
  • The call-recording requirement. CMS rules promulgated in 2022 and refined since require that calls between agents (or third-party marketing organizations) and Medicare beneficiaries be recorded in their entirety and retained for ten years.

These CMS obligations sit on top of the TCPA’s prior-express-written-consent requirement. A Medicare lead that satisfies the TCPA four-element test but lacks a contemporaneous SOA still fails the federal regulatory regime that governs the line. Plaintiff-side firms have increasingly paired TCPA claims with state UDAP causes of action that incorporate CMS marketing violations as underlying unfair-or-deceptive acts.

CMS’s enforcement posture toward third-party marketing organizations has tightened since the 2023 marketing rule revisions. Carriers face direct liability for the marketing activities of their TPMOs, which means insurance buyers cannot rely on the publisher’s compliance posture to shield the carrier from regulatory exposure. The downstream effect is that every Medicare Advantage lead now needs a record that satisfies both the FCC and the CMS frameworks, and the two records are not interchangeable.

State Mini-TCPAs and DOI Rules

State-level statutes have produced several years of insurance-specific litigation that operates parallel to the federal TCPA framework.

  • Florida’s Telephone Solicitation Act (Fla. Stat. § 501.059) requires prior express written consent for telephonic sales calls placed using automated systems, including text messages. The 2021 amendments and subsequent revisions established a private right of action with statutory damages of $500 per violation, and Florida has remained one of the most active forums for insurance lead litigation since.
  • Washington’s Commercial Electronic Mail Act (RCW 19.190) applies to text messages and has been used in insurance lead disputes when carriers send Washington-resident leads to autodialed SMS campaigns.
  • Oklahoma’s Telephone Solicitation Act (Okla. Stat. tit. 15, § 775C.1 et seq.) substantially mirrors the Florida statute and has generated similar volumes of lead generation litigation.
  • Maryland’s Telephone Consumer Protection Act at Md. Code, Com. Law § 14-3201 et seq. and New York’s Do Not Call laws add jurisdiction-specific obligations on consent format, disclosure language, and time-of-day restrictions.

State Departments of Insurance overlay an additional set of marketing rules. Most state DOIs prohibit deceptive marketing practices, require licensing for agents who solicit insurance products, and regulate the use of consumer information obtained from lead generators. The NAIC’s Producer Licensing Model Act and the state implementations of the Suitability in Annuity Transactions Model Regulation extend further into how leads can be sourced and used in particular lines.

Compliance counsel for any nationwide insurance lead program should maintain a current map of which state statutes apply by consumer residence and which DOI advertising rules apply to the underlying carrier — neither of which the federal TCPA framework addresses.

How the Liability Cascade Actually Works

A typical insurance lead funnel illustrates how compliance gaps surface in litigation:

  • A consumer fills out a comparison quote form on an affiliate publisher’s website.
  • The publisher transmits the lead through a routing platform to an aggregator.
  • The aggregator distributes the lead to multiple buyers, including a national health insurance broker.
  • The broker assigns the lead to a licensed agent in the relevant state.
  • The agent’s dialer places an autodialed call within minutes of lead receipt.

If the consumer later files a TCPA claim, the defendant in the caption is the carrier or the brokerage that placed the call — not the publisher, not the aggregator, not the affiliate. That party bears the proof burden under the FCC’s rules. The publisher’s confirmation that consent was collected is not the record the defendant needs; the defendant needs the rendered disclosure, the affirmative consumer action, and the chain of custody from the consent event to the dialed number.

Insurance defendants have lost cases on each of the following recurring fact patterns:

  • The publisher’s lead form was generic (“our marketing partners”) and did not name the carrier as a seller.
  • The disclosure shown to the consumer differed from the template the publisher produced in discovery.
  • The seller-identification list at the moment of consent did not include the carrier whose product was eventually pitched.
  • The lead was shared across multiple verticals (auto + health + final expense) under a single consent that did not contemplate the cross-line sharing.
  • The consent record was a database flag with no corresponding rendered-form artifact.

The pattern is consistent: insurance defendants who can reconstruct the consumer’s experience at the moment of consent prevail; those who cannot, do not. Carriers that purchase leads and pass the compliance burden to their publishers retain the proof burden regardless of any contractual indemnity.

Practical Checklist for Insurance Lead Buyers

Buyers in insurance lines should treat lead procurement as a regulated activity, not a routine vendor relationship. The diligence required scales with the line: Medicare Advantage and health require the most depth, followed by auto, with home and renters at the lower end.

  • Map the regulatory regime line by line. Auto, home, life, health, and Medicare have overlapping but distinct rules. The contract terms and consent record requirements should reflect those differences.
  • Require the rendered disclosure with the seller named. Contracts should require publishers to deliver, for every lead, the exact disclosure the consumer saw — not a stored template — and to identify the carrier or brokerage by name within that disclosure.
  • Require contemporaneous session metadata. Timestamp, IP address, user agent, session identifier, and the consumer’s affirmative action (click, submission, signature) should be attached to every lead.
  • Verify the chain of custody. The phone number dialed by the agent should be the same number captured at the consent event, with no intermediate substitution. Lead enrichment and append services that substitute or update numbers create chain-of-custody gaps that defeat the record at trial.
  • Confirm seller-specific scope. Cross-line and cross-affiliate consent sharing is the most common point of failure. The disclosure should name the specific seller for the specific line.
  • Require state-by-state attestations. Florida, Washington, Oklahoma, and Maryland consumers should be flagged at lead delivery and the record should reflect the state-specific consent format where applicable.
  • For Medicare and MA leads, require an SOA and a recorded call from any prior agent contact. TPMO obligations under the CMS rules pass through to the carrier, and the SOA documentation is a prerequisite to any plan-specific discussion.
  • Audit publishers periodically. Test forms, verify disclosures, sample-record consent events against delivered leads. The contractual right is not enough; the inspection has to happen.

Practical Checklist for Insurance Lead Publishers

Publishers operating in insurance lines have to engineer their forms and records to satisfy the most stringent buyer in their distribution chain, not the median buyer.

  • Treat the seller identification element as a structural requirement, not a marketing flourish. Generic affiliate language fails. The disclosure must name the specific sellers a given consumer is consenting to hear from.
  • Capture the rendered form, not the template. Form versions change. The record needs to reflect what the specific consumer saw at the specific moment of consent, retrievable on demand.
  • Tie the consent to the phone number. The record should bind the affirmative action to the phone number provided, and the routing platform should preserve that binding through every downstream transmission.
  • Build for cross-state delivery. State-specific disclosure language for Florida, Oklahoma, Washington, and Maryland should be served conditionally based on consumer residence. The federal floor is not enough where state mini-TCPAs apply.
  • Document the revocation channel. An accessible opt-out mechanism is required, and the revocation must be honored across the entire downstream distribution within the FCC’s rule windows.
  • For Medicare lead programs, build CMS-aware capture. The TPMO disclosure language and the SOA prerequisites apply at the publisher level when the publisher’s traffic feeds licensed agents.
  • Retain records for the longest applicable window. TCPA: at least four years for the consent record; CMS: ten years for marketing materials and Scope of Appointment forms; state mini-TCPA windows vary. Default to ten years for any record touching a Medicare beneficiary.

Common Failure Modes in Insurance Lead Litigation

The same handful of fact patterns recur across insurance TCPA dockets:

  • Disclosure drift. The form a publisher produces in discovery does not match what the consumer saw. Without version history and a rendered-form artifact tied to the specific consent event, the defendant cannot establish that the consumer saw the language the rule requires.
  • Affiliate consent. The consumer agreed to be called by “marketing partners” but did not specifically agree to the carrier whose agent placed the call. Post-FCC reconsideration, this is the single most common point of failure in nationwide insurance lead programs.
  • Cross-line consent. A consumer who consented to receive auto insurance quotes was contacted for a Medicare Advantage plan under the same consent record. The consent does not extend, and the seller-identification element fails.
  • Number substitution. Lead enrichment or skip-tracing services replaced the consumer’s original number with an appended household number. The chain of custody is broken, and the consent record no longer corresponds to the dialed number.
  • Bare database records. The defendant produces a row from a CRM showing a consent timestamp but cannot produce the form, the disclosure, or the consumer’s affirmative action. The record fails the proof burden because the underlying event cannot be reconstructed.
  • CMS gaps in Medicare leads. The TCPA record is complete, but the Scope of Appointment was not obtained or was obtained for the wrong product line. The federal TCPA defense holds, but the CMS regulatory exposure remains, and state UDAP claims pile on.

Each of these is preventable at the point of consent capture, not at the point of litigation.

Key Takeaways

  • Insurance is the most heavily litigated TCPA vertical because of its distribution depth and per-lead economics. Buyers and publishers should design for proof from the start, not patch the record after a complaint arrives.
  • The federal floor — TCPA at 47 U.S.C. § 227 and FCC rules at 47 C.F.R. § 64.1200 — applies to every autodialed or prerecorded insurance lead campaign. The four-element prior-express-written-consent test at § 64.1200(f)(9) is mandatory and seller-specific.
  • Medicare and Medicare Advantage marketing layers CMS obligations under 42 C.F.R. § 422.2274 and related sections — SOA, agent of record, call recording, ten-year retention — on top of the TCPA. The two records are not interchangeable.
  • State mini-TCPAs in Florida, Washington, Oklahoma, and Maryland generate insurance-specific litigation that the federal framework does not preempt. State-specific disclosures and consent formats must be served conditionally based on consumer residence.
  • The proof burden in TCPA litigation runs to the caller. Insurance buyers retain liability regardless of contractual indemnity. The record that wins at trial is the rendered disclosure, the affirmative consumer action, the immutable timestamp, and the chain of custody from the consent event to the dialed number.

Insurance lead compliance is, fundamentally, a recordkeeping problem disguised as a regulatory problem. The rules are stable enough; what changes case to case is whether the defendant can reproduce, three years after the fact, what the consumer experienced at the moment of consent. Programs that build that reproduction capability into their lead pipeline survive litigation. Programs that rely on database flags and publisher attestations do not.

If you are evaluating an insurance lead program — as a carrier, a brokerage, or a publisher serving either — the practical question is whether the record you would produce in discovery would let an independent third party reconstruct the consumer’s consent experience. If it would not, the program is exposed regardless of which contract terms or compliance attestations sit upstream of it.