Disclaimer: This page is for informational purposes only and does not constitute legal advice. Regulations change frequently. Always consult with your compliance team or legal counsel for guidance specific to your business and jurisdiction.

How to Use This Page

This is a quick-reference cheat sheet — not a compliance manual.

Bookmark it. Share it with your team. Pull it up before you sign a new lead vendor contract or launch a new dialing campaign. But do not treat it as a substitute for actual legal counsel.

What this page is:

• A plain-English summary of the regulations that affect lead buyers in 2026
• A scannable reference you can check in five minutes
• A starting point for conversations with your compliance team

What this page is not:

• Legal advice
• A complete catalog of every federal and state rule
• A substitute for a TCPA attorney

We update this page quarterly. If something looks outdated, check the update log at the bottom or review our full TCPA compliance guide for deeper coverage.

Federal Rules That Affect Lead Buyers

These are the federal regulations every lead buyer needs to know. Most lead-related lawsuits trace back to one of these rules.

TCPA Basics

The Telephone Consumer Protection Act (1991) is the big one. It governs how you contact consumers by phone, text, and fax.

• Prior express written consent (PEWC) is required for telemarketing calls using auto-dialers or pre-recorded messages
• Penalties: $500 per violation, $1,500 per willful violation — per call, per text
• Calling hours: 8 AM to 9 PM in the recipient's local time zone
• Consent must be clear and conspicuous — buried disclosures do not count
• Class action exposure adds up fast: 10,000 non-compliant texts = $5M to $15M

For the complete breakdown, see our TCPA Compliance for Lead Buyers guide.

FCC 1-to-1 Consent Rule — Where It Stands

This is the rule that caused the most confusion in the lead industry over the past two years. Here is the timeline:

• December 2023: FCC adopts a rule requiring "one-to-one" consent — consumers would have to name each specific company allowed to contact them
• January 2025: The 11th Circuit Court of Appeals vacated the rule, finding the FCC exceeded its authority
• July 2025: FCC formally repealed the rule from the federal register
• Current status: Comparison shopping consent is legal. A single opt-in can cover multiple sellers listed on the consent form

What this means for lead buyers: You can still buy leads where the consumer consented to be contacted by multiple companies, as long as those companies were identified at the point of opt-in. The 1-to-1 rule is dead. For now.

Read our full analysis of the FCC consent rule for the complete story.

FCC AI Voice Ruling (February 2024)

• AI-generated voices now qualify as "artificial" voices under the TCPA
• This means you need prior express written consent before using AI voice agents for marketing calls
• Applies to robocalls, voice cloning, and AI-generated speech
• Informational calls using AI voices still require prior express consent (not written)

FCC TCPA Deregulation Proposal (October 2025)

The FCC proposed several changes that would loosen TCPA restrictions:

• Eliminate company-specific DNC lists — would remove the requirement to maintain internal do-not-call lists
• Narrow consent revocation rules — would limit how consumers can revoke consent
• Status: Still pending as of March 2026. Not yet in effect.

Do not change your compliance practices based on proposals. Wait until rules are final.

Homebuyers Privacy Protection Act (March 2026)

This is brand new and directly impacts mortgage lead buyers:

• Bans the sale of trigger leads in the mortgage industry
• Trigger leads are generated when a consumer's credit is pulled during a mortgage application
• Lenders and lead aggregators can no longer sell these inquiry-based leads to third parties
• Effective date: Signed into law March 2026, with a compliance window for enforcement

If you buy mortgage leads, verify with your vendor that their lead sources do not include trigger data. See our trigger lead ban breakdown for details.

CAN-SPAM (Email)

Often forgotten, still enforced:

• Every marketing email must include a physical mailing address
• Unsubscribe mechanism must work within 10 business days
• Subject lines cannot be deceptive
• "From" address must be accurate
• You cannot email scraped or purchased email addresses without some form of opt-in relationship
• Penalties: Up to $51,744 per email violation (FTC enforcement)

National Do Not Call Registry

• Scrub your call lists against the National DNC Registry every 31 days minimum
• Registration is free for small volumes, paid subscription for larger files
• DNC violations carry penalties up to $43,792 per call (FCC) or $51,744 (FTC)
• Existing business relationships provide limited exemption (18 months from last transaction, 3 months from inquiry)

For aged lead compliance, see our guide on aged leads and DNC compliance.

SMS and Text Message Rules

Text messaging has its own compliance layer on top of the TCPA. Carriers enforce these independently, so even if you are technically TCPA-compliant, carrier-level blocking can shut you down.

10DLC Registration

• 10DLC (10-digit long code) registration is required for all business-to-consumer text messaging
• As of February 2025, carriers block 100% of unregistered A2P (application-to-person) traffic
• Registration happens through The Campaign Registry (TCR) via your messaging provider
• You must register your brand AND each messaging campaign separately
• Approval takes 1-5 business days; some industries face additional vetting

A2P Messaging Compliance

• All business text messages are classified as A2P (application-to-person)
• Messages must include your business name or brand identifier
• Marketing messages require prior express written consent
• Informational messages (appointment reminders, order confirmations) require prior express consent

Opt-Out Requirements

• Opt-out must be honored within 10 business days (reduced from 30 as of 2025)
• Must support standard opt-out keywords: STOP, UNSUBSCRIBE, CANCEL, END, QUIT
• Consumers can revoke consent through any reasonable method — not just the method you prefer
• A verbal request to stop texting counts as a valid opt-out
• Replying to an email asking to stop texts counts
• You must confirm opt-out receipt with a single final message

Throughput and Volume Limits

• Unregistered or low-trust 10DLC campaigns are throttled to as few as 1 message per second
• High-volume campaigns require additional vetting and higher trust scores
• Toll-free numbers have separate registration and verification requirements
• Short codes require carrier approval and are best for high-volume, established programs

State-Level Highlights

You do not need to memorize every state's rules. But you do need to know which states add requirements beyond federal law.

States with Separate DNC Lists

Eleven states maintain their own do-not-call registries. You must scrub against these in addition to the federal list:

Colorado, Florida, Indiana, Louisiana, Massachusetts, Missouri, Oklahoma, Pennsylvania, Tennessee, Texas, Wyoming

Some charge registration fees. Some require separate suppression file formats. If you are calling leads in these states, confirm your DNC scrubbing vendor covers state-level lists.

Texas

Texas has some of the strictest telemarketing rules in the country:

• AI or automated voice must disclose it is artificial within 30 seconds of the call starting
• Strict SMS consent requirements — violations enforced by the Texas Attorney General
• State DNC registration required separately from federal
• Telemarketing calls prohibited on state holidays

California

• Any AI-powered interaction (chatbot, voice agent, text bot) must disclose that the consumer is interacting with AI
• Violations carry $500 per incident penalties under the California Bolts Act
• CCPA/CPRA gives consumers the right to opt out of the sale of their personal information — including lead data
• Businesses must honor "Do Not Sell My Personal Information" requests within 15 business days

State Consumer Privacy Laws

As of January 2026, 20 states have comprehensive consumer privacy laws in effect:

• California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, Rhode Island, and Vermont
• Most include opt-out rights for the sale of personal data
• Several require data processing agreements with lead vendors

If you buy leads across multiple states, your vendor agreements should specify how consumer data rights requests are handled.

For state-by-state details, see our state compliance guide.

AI Tools Compliance Quick Reference

Using AI for outbound calls, texts, or chat? Here is what you need to know.

AI Voice Calls

• Disclose AI at the start of the call — most states and the FCC require disclosure before substantive conversation begins
• Get specific consent mentioning that AI may be used in outreach — generic consent may not cover AI-generated calls
• Honor all-party consent recording laws — 12 states require all parties to consent to call recording (California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, Washington)
• No voice cloning without explicit consent — using someone's voice likeness without permission violates FTC rules and multiple state laws

AI Text and Chat

• Disclose that responses are AI-generated when using chatbots or AI SMS responders
• AI-generated marketing texts still require PEWC under the TCPA
• Automated responses must still honor opt-out keywords
• AI does not exempt you from any consent requirement — it adds disclosure requirements on top

Practical AI Compliance Checklist

• [ ] Consent forms mention AI may be used in follow-up
• [ ] AI voice calls begin with disclosure statement
• [ ] AI chat interfaces display bot disclosure before first interaction
• [ ] Voice cloning has documented written consent from the person whose voice is used
• [ ] All-party consent states flagged in your dialer for recording
• [ ] AI-generated content is reviewed by a human before regulatory or financial claims

Use our compliance checklist tool to audit your current setup.

Record Keeping Minimums

If you get sued — and in this industry, it is a matter of when, not if — your records are your defense. Courts consistently rule against companies that cannot produce documentation.

Record Keeping Best Practices

• Automate consent capture — do not rely on manual documentation
• Store consent independently from your CRM — if you switch systems, your consent records must survive
• Back up opt-out lists in multiple locations
• Timestamp everything in UTC to avoid time zone disputes
• Retain records even for leads you never contacted — you may need to prove you chose not to call someone on the DNC list

Frequently Asked Questions

Can I still buy leads that were sold to multiple companies?

Yes. The FCC's 1-to-1 consent rule was vacated in January 2025 and formally repealed in July 2025. As long as the consumer consented to be contacted by the companies listed on the opt-in form, comparison shopping leads remain legal. Verify that your vendor's consent language names the companies or categories of companies that may follow up.

How often do I need to scrub my lead lists against the DNC registry?

Every 31 days at minimum under federal rules. Some states require more frequent scrubbing. If you work aged leads, scrub again before reactivating any list that has been sitting idle, even if you scrubbed it when you first purchased.

Do I need separate consent for texting versus calling?

Technically, a single prior express written consent can cover both calls and texts if the consent language specifically mentions both. However, best practice is to obtain clear consent for each channel. Many TCPA lawsuits hinge on whether consent covered the specific method of contact used.

What happens if I buy leads from a vendor who did not obtain proper consent?

You are still liable. The TCPA places responsibility on the party making the call or sending the text, not the party that generated the lead. If your vendor's consent language is defective, you bear the legal risk. Always evaluate your lead vendors and request sample consent language before purchasing.

Are aged leads more or less risky from a compliance standpoint?

Aged leads carry some unique considerations. The consent was captured at the original opt-in, which is good — but the lead may have since been added to the DNC registry or revoked consent. Always scrub aged leads against current DNC lists before dialing. The upside: aged leads from reputable vendors typically have well-documented consent trails because the original opt-in was captured digitally.

Do the new AI rules apply if I am using AI to prioritize leads but not contact them?

No. The FCC's AI voice ruling and state AI disclosure laws apply to consumer-facing AI interactions — calls, texts, and chats where AI communicates directly with the consumer. Using AI internally for lead scoring, routing, or prioritization does not trigger disclosure requirements.

Is the trigger lead ban retroactive? Can I still call mortgage trigger leads I already purchased?

The Homebuyers Privacy Protection Act bans the sale of new trigger leads. Leads purchased before the effective date can still be contacted, provided you comply with all other TCPA and DNC rules. However, scrub them against current DNC lists and verify consent documentation before dialing.

Quarterly Update Log

Last updated: March 2026

Next scheduled review: June 2026

March 2026 changes:

• Added Homebuyers Privacy Protection Act (trigger lead ban signed March 2026)
• Updated state privacy law count to 20 (Vermont and Rhode Island effective January 2026)
• Confirmed FCC TCPA deregulation proposal still pending — no changes to current rules
• Updated opt-out response window to 10 business days (previously 30)

Previous updates:

• December 2025: Initial publication
• January 2026: Updated AI voice compliance section following state-level enforcement actions in Texas and California

Disclaimer: This page is for informational purposes only and does not constitute legal advice. Regulations change frequently. Always consult with your compliance team or legal counsel for guidance specific to your business and jurisdiction.