TCPA Compliance for Lead Generation: Everything You Need to Know

TCPA compliance is the set of rules that govern how businesses can contact consumers by phone, text, and fax under the Telephone Consumer Protection Act. For lead generation companies, it means obtaining proper consent before contacting or selling consumer data to buyers who will contact them. Violating the TCPA can result in fines of $500 to $1,500 per call or text, and class action lawsuits regularly produce settlements in the tens of millions of dollars.

If you generate, buy, or sell leads, TCPA compliance is not optional, and the regulatory landscape shifted dramatically in 2025. On January 24, 2025, the Eleventh Circuit Court of Appeals vacated the FCC's one-to-one consent rule in Insurance Marketing Coalition v. FCC, just three days before it was set to take effect. The FCC then reinstated the prior "prior express written consent" standard through a final rule on August 29, 2025. This guide covers what TCPA compliance actually requires today, the new April 2025 revocation rules, current penalties, and practical steps to protect your lead generation business. If you are running a multi-buyer distribution operation, the companion piece on TCPA compliance for lead distribution covers the six platform-level controls (consent capture, DNC scrubbing, time-of-day enforcement, revocation handling, buyer-side pass-through, and audit logging) every distribution platform must enforce. Lead Distro AI is built with compliance at the core, including consent tracking, suppression list management, and full audit trails.

Key Takeaways

• The TCPA requires prior express written consent before making marketing calls or texts using automated systems, and violations carry statutory damages of $500 to $1,500 per message.
• The FCC's one-to-one consent rule was vacated by the Eleventh Circuit on January 24, 2025 and the FCC reinstated the prior "prior express written consent" standard on August 29, 2025. Bundled-buyer consent is once again permitted, but the underlying consent must still be clear, in writing, and authorize the seller by name.
• The April 11, 2025 revocation rule requires callers to honor opt-out requests "as soon as practicable" and no later than 10 business days, and consumers can revoke using any reasonable means (not just "STOP").
• TCPA class action filings more than doubled in 2025, with 1,807 putative class actions filed through September and a projected full-year total approaching 2,400, per WebRecon data.
• Lead generation companies are liable alongside buyers if consent at the point of capture was insufficient, so platform-level consent documentation and suppression-list enforcement are essential.

What Is the TCPA?

The Telephone Consumer Protection Act (TCPA) is a federal law enacted in 1991 that regulates telemarketing calls, auto-dialed calls, prerecorded voice messages, text messages, and unsolicited faxes. It has been updated multiple times to keep pace with evolving technology.

The TCPA is enforced by the Federal Communications Commission (FCC) and through private lawsuits. Consumers have a private right of action, meaning any individual who receives a non-compliant call or text can sue the sender directly. According to WebRecon, TCPA-related lawsuits consistently rank among the top consumer protection claims filed each year.

For lead generation, liability extends beyond the caller. If you capture a lead and sell it to a buyer who calls the consumer without proper consent, both you and the buyer can be held liable.

The Rise and Fall of the One-to-One Consent Rule

In December 2023, the FCC issued a ruling that was scheduled to take effect on January 27, 2025, establishing a one-to-one consent requirement that would have ended bundled-buyer consent. Three days before the effective date, on January 24, 2025, the Eleventh Circuit vacated the rule in Insurance Marketing Coalition v. FCC, holding that the FCC had exceeded its statutory authority under the TCPA.

The court reasoned that because the phrase "prior express consent" is undefined in the statute, it must be given its plain and ordinary meaning. As long as a consumer "clearly and unmistakably" agrees to receive a robocall before it happens, the consent is valid. The FCC could not unilaterally impose additional restrictions like seller-by-seller consent or "logically and topically associated" content limits.

What Replaced It

On August 29, 2025, the FCC issued a final rule reinstating its prior definition of prior express written consent. The current standard is "an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice."

In plain English: bundled-buyer consent is once again permitted. A single form can authorize multiple sellers, provided each seller is clearly identified and the consumer signs (electronically or physically) authorizing contact.

What Lead Sellers Should Still Do

The vacatur does not erase the operational improvements lead sellers built in anticipation of the rule. The compliance-minded practices are still best practice and reduce class-action exposure:

• Name every buyer on the form. Even with bundled consent legal again, generic "our partners" language is a litigation magnet. List the sellers, and consider a short scrollable list rather than a buried hyperlink.
• Capture, store, and timestamp the consent record. The form URL, IP address, language version, and signature event are your first line of defense in a TCPA dispute, regardless of which version of the rule applies.
• Watch for state-level one-to-one rules. Several states are exploring their own one-to-one statutes that would not be affected by the Eleventh Circuit's federal ruling.
• Plan for the 2027 revoke-all rule. The FCC's "revoke-all" provision, which extends a single revocation to all communications from the caller on unrelated topics, was delayed to January 31, 2027. Build your revocation infrastructure now.

What this means for lead sellers: If you sell leads to multiple buyers, you can return to bundled consent forms, but your form design, consent language, and how you track consent through your lead distribution pipeline still need to meet the reinstated prior-express-written-consent standard, and your platform should be ready for the revoke-all rule before 2027.

The April 2025 Revocation Rule (Effective Now)

While the one-to-one rule died, the TCPA's new opt-out rules took effect on April 11, 2025 and apply today. Three operational changes matter most for lead generators:

1. 10 business days to honor opt-outs. The window dropped from 30 days to 10 business days. Marketing robocalls and robotexts must stop "as soon as practicable" once a request is received.
2. "Any reasonable means" opt-out. Consumers can revoke consent using any clearly expressed means, not just the exact keyword "STOP." Recognized opt-out terms include "QUIT," "END," "REVOKE," "OPT-OUT," "CANCEL," and "UNSUBSCRIBE." A free-text reply like "stop texting me" also counts.
3. One confirmation reply allowed. A single opt-out confirmation text is permitted if sent within five minutes and containing zero marketing content.

The "revoke-all" portion of the rule, which would have extended a single revocation across all unrelated topics from the same caller, was originally set for April 2026 and has now been pushed to January 31, 2027 per the FCC's January 6, 2026 order.

TCPA Requirements for Lead Generation Companies

Types of Consent

The TCPA defines different levels of consent depending on the type of communication:

• Express consent is required for non-marketing calls to cell phones using an autodialer. The consumer needs to provide their phone number.
• Express written consent is required for telemarketing calls and texts using an autodialer or prerecorded voice. This requires a clear written agreement (including electronic signatures) authorizing the marketing contact.
• Prior express written consent is the highest standard, required for marketing robocalls and robotexts. It must disclose that the consumer will receive marketing messages, identify who will send them, and state that consent is not a condition of purchase.

Do-Not-Call Rules

Companies must maintain an internal do-not-call list, honor opt-out requests within a reasonable time, and check the National Do Not Call Registry before making telemarketing calls. Calling a number on the registry without proper consent carries the same penalties as other TCPA violations.

Time Restrictions

Telemarketing calls are restricted to the hours of 8:00 AM to 9:00 PM in the consumer's local time zone. Some states impose tighter windows, so lead generation companies operating nationally need to track time zones carefully.

TCPA Penalties and Enforcement

The TCPA establishes the following penalty structure:

• $500 per violation for calls or texts made without proper consent
• $1,500 per violation (treble damages) for willful or knowing violations
• No cap on total damages, which is why class actions produce massive settlements

2025 Class Action Surge

The litigation environment got dramatically worse for lead generators in 2025. Per WebRecon data summarized by industry trackers, 1,807 TCPA putative class actions were filed in the first nine months of 2025, more than double the prior year, with the full-year total on track to approach 2,400. In September 2025 alone, TCPA class action filings spiked 283 percent year-over-year, per TCPAWorld's analysis. Putative class actions made up roughly 78 percent of all TCPA suits filed in September 2025.

Settlement Math

Average TCPA class action settlements run approximately $6.6 million, with the median in the $3.5 to $4.5 million range. The arithmetic average is skewed by mega-settlements like National Grid's $38.5 million payout in 2024. For a lead generation business with single-digit-million-dollar revenue, a single qualified class can be an extinction-level event.

Why Enforcement Is Up

The shift is driven by three forces: aggressive plaintiffs' bar adoption of automated text-message litigation tooling, the FCC's continued focus on robotexting (which now receives the same enforcement treatment as robocalls), and the wide availability of consent-record discovery in litigation. Even small lead generation companies face lawsuit risk if a single consumer's data is mishandled or if the consent paper trail is incomplete.

How to Stay TCPA Compliant

Here are seven steps every lead generation company should implement:

1. Use Clear, Specific Consent Language

Your forms must include consent language that identifies each company (or category of companies) that will contact the consumer, describes the communication type (calls, texts, or both), and states consent is not required to make a purchase. Even though the one-to-one rule was vacated and bundled-buyer consent is once again permitted, generic "our partners may contact you" language without a clear seller list is a class-action magnet and may run afoul of state-level one-to-one statutes that several states are exploring.

2. Document Every Consent Event

Record the timestamp, IP address, form URL, consent language displayed, and consumer action for every consent event. This documentation is your primary defense in any TCPA dispute.

3. Maintain Suppression Lists

Build suppression lists that include opt-outs, numbers on the National Do Not Call Registry, and litigation-flagged numbers. Check every lead against these lists before routing.

4. Vet Your Partners

If you sell leads, vet every buyer's calling practices, require contractual TCPA compliance commitments, and audit periodically. If you buy leads, verify the seller captured proper consent before you dial.

5. Build Audit Trails

Every lead should have a complete chain of custody: where it was captured, what consent was obtained, when it was sold, and to whom. This audit trail protects both sellers and buyers. Modern lead distribution software automates this tracking.

6. Train Your Team

Everyone who handles leads needs to understand TCPA basics. A single employee uploading a list without consent verification can trigger a lawsuit.

7. Use Technology Built for Compliance

Manual compliance processes break down at scale. Use platforms that automate consent tracking, suppression list checks, duplicate detection, and audit logging. This is where purpose-built lead distribution platforms provide the most value.

How Lead Distribution Software Helps with TCPA Compliance

The right lead distribution platform doubles as your compliance infrastructure:

Consent tracking. Every lead is tagged with its consent record: form URL, timestamp, consent language version, and the specific buyer the consumer agreed to hear from.

Suppression list management. The platform checks every inbound lead against your internal suppression lists, the National Do Not Call Registry, and custom exclusion lists. Leads matching a suppressed number are blocked before reaching a buyer.

Duplicate detection. Selling the same lead to a buyer twice increases compliance risk. Duplicate detection by phone number, email, or custom fields prevents this. Learn more in the lead marketplace guide.

Audit trails. Every action is logged: consent verification, scoring, routing decisions, delivery attempts, and buyer responses. If a dispute arises, you can pull the complete history of any lead in seconds.

Partner controls. Set buyer-level rules for contact methods, time windows, and consent requirements. If a buyer only has consent for texts, the platform blocks leads designated for phone contact. Explore the full feature set in the Lead Distro AI documentation.

FAQ

What is TCPA compliance in lead generation?

TCPA compliance in lead generation means obtaining legally required consent from consumers before their data is used for marketing calls or texts. It includes proper consent language on forms, suppression lists, opt-out honoring within 10 business days, consent documentation, and clearly identifying the sellers authorized to contact the lead. The reinstated August 2025 FCC rule requires that consent be in writing, bear the consumer's signature, and clearly authorize the named seller.

Is the FCC's one-to-one consent rule still in effect in 2026?

No. On January 24, 2025 the Eleventh Circuit Court of Appeals vacated the FCC's one-to-one consent rule in Insurance Marketing Coalition v. FCC, holding the FCC had exceeded its statutory authority. The FCC then issued a final rule on August 29, 2025 reinstating the prior "prior express written consent" standard, which permits bundled-buyer consent as long as the sellers are clearly identified and the consumer signs the agreement. Several states are exploring their own one-to-one statutes that would not be affected by the federal ruling.

What is the TCPA revocation rule that took effect in April 2025?

The April 11, 2025 TCPA opt-out rule requires callers to honor revocation requests "as soon as practicable" and no later than 10 business days from receipt, down from the previous 30-day window. Consumers can revoke consent using any reasonable means, including responding to a text with words like STOP, QUIT, END, REVOKE, OPT-OUT, CANCEL, UNSUBSCRIBE, or any free-text message that clearly expresses intent to opt out. A single confirmation text is permitted if sent within five minutes and containing no marketing content.

What is the TCPA "revoke-all" rule and when does it take effect?

The revoke-all provision requires that when a consumer revokes consent for one type of communication from a caller, the revocation extends to all future communications from that caller on unrelated topics. The FCC originally set it for April 11, 2025, then delayed it to April 11, 2026, and on January 6, 2026 extended the effective date again to January 31, 2027. Lead generators and lead distribution platforms should plan to honor cross-channel revocation by the end of 2026 to be ready.

What are the penalties for TCPA violations?

The TCPA imposes $500 per violation for non-compliant calls or texts, and up to $1,500 per violation for willful violations. Because damages are calculated per call or text, even a small campaign can generate millions in liability. There is no cap on total damages. Average class action settlements run approximately $6.6 million, with mega-settlements like National Grid's $38.5 million payout in 2024 skewing the average upward.

Can lead sellers be held liable for TCPA violations?

Yes. Lead sellers can be held liable if consent at the point of capture was insufficient or if they sold leads to buyers who contacted consumers without authorization. Courts have found that entities who "cause" non-compliant calls by providing leads without proper consent share liability with the caller.

How does lead distribution software help with TCPA compliance?

Lead distribution software automates consent tracking, suppression list management, duplicate detection, and audit trail creation. Every lead is tagged with its consent record, checked against suppression lists before routing, and logged at every step. This creates a defensible compliance record, supports the 10-business-day revocation window, and reduces human error.

Conclusion

TCPA compliance is the foundation of any sustainable lead generation business. Per-violation penalties, class action exposure, and regulatory scrutiny are all increasing, and 2025's 283 percent September-over-September surge in TCPA class actions shows no sign of cooling. The vacatur of the one-to-one consent rule was a near-term reprieve, but the April 2025 revocation rule and the January 2027 revoke-all deadline mean the operational bar keeps rising.

The good news: compliance does not have to slow you down. With the right processes and technology, you can protect your business while scaling lead volume.