You bought 500 leads. You loaded them into your dialer. You started calling. Two weeks later, you got served with a lawsuit demanding $750,000 in damages.

That is not a hypothetical. TCPA class action filings hit 2,788 in 2024 — a 67% increase over 2023. By Q1 2025, that pace accelerated further with 507 class actions filed in just three months. Average settlements now exceed $6.6 million, and 78% of all TCPA cases land as class actions. The plaintiff's bar has turned TCPA litigation into an industry, and lead buyers who skip compliance are the easiest targets.

Here is the good news: TCPA compliance is not complicated once you understand the rules. And if you are buying aged leads, you are actually in a better position than most — because the consent was already captured at the point of original opt-in. The risk comes from how you contact those leads, not whether they exist.

This guide covers every TCPA rule that matters for lead buyers in 2026 — federal law, the FCC's consent revocation rules, auto-dialer restrictions, text messaging compliance, DNC requirements, state mini-TCPA laws, and a practical checklist you can implement today.

Disclaimer: This guide is educational. It is not legal advice. Consult a TCPA attorney for guidance specific to your business.

What Is the TCPA and Why Should Lead Buyers Care?

The Telephone Consumer Protection Act (TCPA) was signed into law in 1991 to curb the explosion of telemarketing calls that were overwhelming American households. It restricts how businesses can contact consumers by phone, text, and fax.

For lead buyers, the TCPA is the single most important law governing your outreach. It controls:

• Who you can call (DNC list requirements)
• How you can call (auto-dialer and pre-recorded message restrictions)
• When you can call (time-of-day restrictions)
• What consent you need (express consent vs. express written consent)
• How quickly you must honor opt-outs (consent revocation rules)

The penalties are severe. Each individual violation — meaning each call, each text, each voicemail — carries statutory damages. Make 200 non-compliant calls and you could face $100,000 to $300,000 in exposure from a single plaintiff.

TCPA Penalty Structure

The $500-per-violation number is what makes class actions so lucrative for plaintiffs. A company that sent 10,000 non-compliant texts faces $5 million in base exposure — $15 million if a court finds the violations were willful. And courts routinely find violations willful when a company did not have a compliance program in place.

The FCC's 1:1 Consent Rule: What Actually Happened

If you followed telemarketing compliance news in 2024-2025, you heard a lot about the FCC's "one-to-one consent rule." Here is where things stand.

The Original Rule

In December 2023, the FCC adopted new rules designed to close the "lead generator loophole." Under the old framework, a consumer could fill out a single form on a comparison-shopping website and unknowingly grant consent for dozens of companies to call them using auto-dialers and pre-recorded messages. The FCC's new rule would have required:

• One-to-one consent: Written consent limited to a single, identified seller
• Logical and topical association: The seller had to be logically related to the website where the consumer gave consent
• No blanket consent forms: Lead generators could not bundle consent for multiple companies in a single disclosure

The rule was scheduled to take effect on January 27, 2025.

What Happened Instead

The Insurance Marketing Coalition challenged the rule in the Eleventh Circuit Court of Appeals. On January 24, 2025 — three days before the effective date — the FCC issued a formal 12-month delay. The court subsequently ruled that the FCC had exceeded its authority by redefining "prior express written consent" under the TCPA. The one-to-one consent rule was vacated.

In August 2025, the FCC formally reinstated the prior standard for written consent.

What This Means for Lead Buyers in 2026

The 1:1 consent rule is dead — for now. The old standard applies: a consumer can grant written consent that covers multiple sellers, as long as the consent language clearly discloses who may contact them. However, there are important caveats:

1. Carrier requirements still exist. T-Mobile, AT&T, and Verizon still require one-to-one opt-in for SMS traffic on their networks. Even though the FCC rule was vacated, the carriers enforce their own policies, and violating them gets your messages blocked.
2. State laws may be stricter. Several states have adopted or are considering their own consent requirements that go beyond federal TCPA.
3. The FCC could try again. A new administration or FCC composition could revive the rule under a different legal theory.
4. Best practice is still 1:1. Even without the legal mandate, leads with clear single-seller consent are worth more, convert better, and carry less litigation risk.

The Consent Revocation Rule (April 2025): This One Is Real

While the 1:1 consent rule was vacated, the FCC's consent revocation rules largely went into effect on April 11, 2025. These rules directly impact how lead buyers handle opt-outs.

Key Requirements

10 Business Day Processing Window: When a consumer revokes consent, you must stop all contact within 10 business days. This is down from the previous 30-day window. No excuses, no delays.

Any Reasonable Method: Consumers can revoke consent through any reasonable method — not just by texting STOP. A voicemail saying "don't call me," an email requesting removal, a verbal request during a live call, or even a casual "stop contacting me" all count as valid revocation. You must honor it regardless of the channel.

Standardized Keywords: The following text keywords must be treated as automatic opt-out requests: STOP, QUIT, REVOKE, OPT OUT, CANCEL, UNSUBSCRIBE, END. If someone texts any of these words to your number, that is a legally binding revocation.

Confirmatory Text Opt-Out: As of April 11, 2025, if you send a one-time confirmatory text after an opt-out and the consumer does not respond, that silence is treated as implied revocation of consent for all future communications.

Practical Impact for Lead Buyers

If you are working a follow-up cadence and a prospect says "stop calling" during a voicemail callback or live conversation, you have 10 business days to make sure that number is suppressed across every system — your dialer, your CRM, your text platform, your skip-tracing tools. Miss one system and that next automated text becomes a $500-$1,500 violation.

Build your suppression workflow now. Do not wait until you get your first revocation request to figure out how your systems talk to each other.

Auto-Dialer (ATDS) Rules: What Equipment Triggers TCPA Restrictions

The TCPA's strictest requirements apply when you use an "automatic telephone dialing system" (ATDS). Understanding what qualifies as an ATDS determines which rules apply to your outreach.

The Supreme Court Definition (Facebook v. Duguid, 2021)

In 2021, the Supreme Court significantly narrowed the ATDS definition. To qualify as an ATDS, a device must have the capacity to:

1. Store telephone numbers using a random or sequential number generator, OR
2. Produce telephone numbers using a random or sequential number generator

The key word is "random or sequential number generator." If your dialer pulls numbers from a pre-loaded list — which is what every lead buyer does — it is likely not an ATDS under the federal TCPA. You are dialing specific numbers from a purchased list, not generating numbers randomly.

Why This Matters (and Why It Is Not a Free Pass)

The narrow ATDS definition means that many predictive dialers, power dialers, and CRM-based click-to-call systems do not trigger the ATDS-specific provisions of the TCPA at the federal level. This is significant because the ATDS rules require prior express written consent for marketing calls to cell phones.

However, this is not a free pass to call anyone without consent. Other TCPA provisions still apply:

• Pre-recorded or artificial voice messages still require prior express written consent — regardless of what equipment you use to deliver them
• National DNC list compliance still applies to all telemarketing calls
• State laws define ATDS much more broadly (Florida, Washington, and Oklahoma all have expanded definitions)
• Internal DNC lists must be maintained

What This Means for Your Dialer Setup

Bottom line: Even if your dialer is not an ATDS under federal law, you still need consent for pre-recorded messages and voicemail drops, and you still need to scrub against the DNC list. The Duguid decision narrowed one category of liability — it did not eliminate your compliance obligations.

Text Message and SMS Compliance

Text messages are treated as "calls" under the TCPA. Every rule that applies to phone calls also applies to text messages, plus additional carrier-level requirements.

Federal TCPA Text Rules

• Marketing texts to cell phones using an ATDS: Require prior express written consent
• Marketing texts sent manually (no ATDS): Require prior express consent (verbal is sufficient, but written is safer)
• Informational texts: Require prior express consent (can be implied in some cases)
• Opt-out must be honored within 10 business days (per April 2025 consent revocation rule)
• STOP keyword must be supported and processed automatically

Carrier Requirements (These Are Stricter Than the Law)

Wireless carriers enforce their own messaging policies through the Campaign Registry (TCR) and carrier filtering systems. Even if your texts are technically TCPA-compliant, carriers can block your messages if you violate their terms:

• 10DLC registration required for all business text messaging on local numbers
• One-to-one consent required by most carriers — regardless of the FCC rule being vacated
• Campaign use case must match consent — you cannot use a mortgage consent list to send insurance texts
• Throughput limits based on your trust score and campaign registration

If you are using text messaging as part of your lead outreach, register your campaigns properly through the TCR. Unregistered traffic gets filtered aggressively, and carrier violations can result in your numbers being permanently blocked.

Best Practice for Text Outreach to Purchased Leads

1. Verify that the lead vendor provides documentation of SMS consent (not just phone consent)
2. Send an initial opt-in confirmation text before marketing messages
3. Include opt-out instructions in every message ("Reply STOP to unsubscribe")
4. Process STOP requests immediately — do not wait the full 10 days
5. Do not text before 8 AM or after 9 PM in the recipient's time zone
6. Keep message content relevant to the original consent context

DNC Compliance: The Non-Negotiable Baseline

DNC compliance is the absolute minimum for any lead buyer. No exceptions, no shortcuts.

National Do Not Call Registry

The FTC maintains the National DNC Registry, and the TCPA prohibits telemarketing calls to numbers on that list. You must:

1. Register as a telemarketer with the FTC (free)
2. Download and scrub your lead lists against the registry before calling
3. Re-scrub every 31 days — the registry updates monthly
4. Maintain records of your scrub dates and procedures for at least 5 years

The cost of accessing the registry is minimal ($75 per area code, capped at $20,868 per year for the full national list). The cost of not scrubbing — up to $43,792 per call — makes this the highest-ROI compliance investment you will ever make.

For a detailed DNC compliance walkthrough, see our DNC compliance guide.

Internal Do Not Call List

Separate from the national registry, you must maintain your own internal DNC list of everyone who has ever asked you or your company to stop calling. Internal DNC requests never expire. If someone told your predecessor at the company to stop calling in 2019, that request is still valid in 2026.

Established Business Relationship Exception

There is a limited exception for established business relationships (EBR). If a consumer has an existing relationship with you — they purchased from you, they inquired about your services — you may have permission to call even if they are on the national DNC list. However:

• The EBR for purchases expires 18 months after the last transaction
• The EBR for inquiries expires 3 months after the inquiry
• The EBR does not override an internal DNC request
• The EBR does not apply to calls using pre-recorded messages or auto-dialers

For lead buyers working purchased lead lists, the EBR exception rarely applies because you do not have a prior relationship with those consumers. Scrub every list, every time.

State Mini-TCPA Laws: The Patchwork That Multiplies Your Risk

Federal TCPA is the floor, not the ceiling. At least 15 states now enforce their own telemarketing statutes — commonly called "mini-TCPAs" — and many impose stricter requirements and heavier penalties than federal law. When you call a consumer, the law of their state applies regardless of where you are located.

State Law Comparison: Key Differences

The States That Hurt the Most

Florida was the epicenter of TCPA litigation before the 2023 FTSA amendments, which added the pre-suit notice requirement and narrowed the autodialer definition. The 30-day cure period for texts has reduced frivolous litigation, but Florida remains a high-risk state for lead buyers. The 8 PM cutoff (vs. 9 PM federal) catches callers who are not adjusting for time zones.

Texas SB 140 (effective September 1, 2025) is the most significant recent development. By tying TCPA violations to the Texas Deceptive Trade Practices Act, it opens the door to treble damages and attorney's fees. The registration requirement — including a $10,000 security bond — applies to any company making telemarketing calls or texts to Texas residents, even if the company is based in another state.

Georgia SB 73 (2024) removed the "knowing" requirement and eliminated damage caps, while adding vicarious liability for employers. This means a company can be held liable even if it did not know its employee or contractor was making non-compliant calls.

Virginia SB 1339 (effective January 1, 2026) requires honoring text opt-out commands for a full 10 years. If a Virginia consumer texted STOP to a previous number you used in 2026, you must still suppress that consumer in 2036.

How to Handle the State Patchwork

1. Default to the strictest rule. If Florida says 8 PM and federal says 9 PM, stop calling at 8 PM for all calls — or at minimum, for all calls to Florida numbers.
2. Scrub by area code and state. Your dialer should be able to apply state-specific calling windows based on the area code of the number being dialed.
3. Register where required. Texas, Oklahoma, Washington, and several other states require telemarketer registration. Non-registration is a separate violation with its own penalties.
4. Track state law changes. Mini-TCPA legislation is accelerating. What was compliant last year may not be compliant this year.

How Aged Leads Fit Into TCPA Compliance

If you are working aged leads, you have a compliance advantage that fresh lead buyers do not — but it is not absolute.

Why Aged Leads Are Generally Safer

Aged leads were generated from opt-in web forms, quote requests, or inquiry forms where the consumer provided their contact information and agreed to be contacted. That original consent is the foundation of TCPA compliance.

When you buy aged leads from a reputable vendor like Aged Lead Store, the consent was captured at the point of generation. The consumer filled out a form, checked a disclosure box, and provided their phone number with the understanding that they would be contacted about the product or service they inquired about.

The Consent Decay Question

Here is where it gets nuanced. The TCPA does not specify an expiration date for consent. There is no federal rule that says consent expires after 30, 60, or 90 days. However:

• Industry best practice treats consent as valid for approximately 90 days for telemarketing purposes
• Some lead contracts specify consent windows in their terms
• The older the lead, the more likely the consumer has forgotten they opted in — which increases the chance they will file a complaint or claim they did not consent
• Carrier-level consent (for text messaging) may have shorter windows based on carrier policies

This does not mean you cannot call a 120-day-old lead. It means your approach should account for the age of the consent. That is where your scripts and templates matter — your opening should acknowledge the time gap and re-establish the context of the original inquiry.

Practical Guidelines for Aged Lead Compliance

What to Demand From Your Lead Vendor

Regardless of lead age, you need documentation. Before you load a single lead into your dialer:

1. Request the consent language — the exact disclosure the consumer saw when they opted in
2. Ask for TrustedForm certificates or equivalent — timestamped proof that consent was captured (but remember: a certificate documents what happened on the form, it does not guarantee the form was compliant)
3. Verify the consent covers your use case — mortgage consent does not authorize insurance calls
4. Confirm DNC scrubbing — did the vendor scrub before delivery, or is that your responsibility?
5. Get it in your contract — your lead purchase agreement should include compliance representations and indemnification clauses

Vendor Due Diligence: Protecting Yourself Before You Buy

The TCPA does not care that you bought the leads in good faith from a vendor. If the underlying consent was deficient, you are still liable for every non-compliant call you make. That makes vendor due diligence essential.

The Due Diligence Checklist

Before signing a lead purchase agreement, verify the following:

Consent Documentation

• Can the vendor produce the original consent form language?
• Is the consent specific to the product/service you are selling?
• Does the consent include proper TCPA disclosure language?
• Are consent records timestamped and retained?

Data Handling

• How does the vendor collect lead data? (Web forms, co-registration, call center, etc.)
• Does the vendor use consent verification tools (TrustedForm, Jornaya, etc.)?
• How are leads stored, and who has access?
• What is the vendor's data retention policy?

Compliance Infrastructure

• Does the vendor have a written TCPA compliance policy?
• Has the vendor been the subject of any TCPA lawsuits or FCC enforcement actions?
• Does the vendor carry errors and omissions (E&O) insurance?
• Will the vendor indemnify you for consent deficiencies?

Contractual Protections

• Does the purchase agreement include TCPA compliance warranties?
• Is there an indemnification clause covering consent-related claims?
• Can you audit the vendor's consent records?
• What happens if a lead files a complaint — does the vendor cooperate with documentation?

For more on evaluating lead vendors, see our buying leads guide.

Your TCPA Compliance Checklist

Use this checklist as a baseline. Adapt it to your specific situation and have it reviewed by a TCPA attorney.

Before You Start Calling

• [ ] Register with the FTC as a telemarketer
• [ ] Download and scrub your lead list against the National DNC Registry
• [ ] Register as a telemarketer in states that require it (TX, OK, WA, and others)
• [ ] Verify lead vendor consent documentation
• [ ] Configure your dialer with state-specific calling windows
• [ ] Set up your internal DNC list process
• [ ] Register your text messaging campaigns through TCR (if using SMS)
• [ ] Train your team on opt-out handling procedures

During Outreach

• [ ] Identify yourself and your company at the beginning of every call
• [ ] Do not call before 8 AM or after 8 PM in the recipient's time zone (use 8 PM to comply with Florida)
• [ ] Honor every opt-out request immediately — do not wait the full 10 days
• [ ] Log all opt-out requests with timestamps
• [ ] Include opt-out instructions in every text message
• [ ] Do not use pre-recorded messages or voicemail drops without prior express written consent
• [ ] Keep call recordings and text logs for at least 5 years

Ongoing Maintenance

• [ ] Re-scrub lead lists against the National DNC Registry every 31 days
• [ ] Update your internal DNC list in real time
• [ ] Audit your dialer settings quarterly for state law compliance
• [ ] Review vendor consent documentation when renewing or purchasing new lead batches
• [ ] Monitor state mini-TCPA legislation for changes
• [ ] Document your compliance procedures in writing

For a downloadable version of this checklist, visit our compliance checklist tool.

Frequently Asked Questions

Do I need written consent to call leads I purchased?

It depends on how you are calling them. If you are using a predictive dialer that qualifies as an ATDS (generates numbers randomly or sequentially), you need prior express written consent. If you are manually dialing or using a list-based power dialer that does not qualify as an ATDS under the Duguid standard, you need prior express consent — which can be verbal or implied through the act of submitting a web form. However, pre-recorded voicemail drops always require written consent regardless of your dialer type. And state laws may impose stricter requirements. The safest approach is to always have documented written consent.

Can I text leads that I bought from a lead vendor?

You can, but the requirements are strict. You need prior express written consent that specifically covers text messaging (not just phone calls). The consent must identify your company by name (under carrier requirements, even though the federal 1:1 rule was vacated). You must register your campaign through the TCR for 10DLC compliance, include opt-out instructions in every message, and honor STOP requests immediately. If the lead vendor cannot provide documentation of SMS-specific consent, do not text those leads.

How old is too old for a lead to still have valid consent?

The TCPA does not set a specific expiration date for consent. However, industry practice generally treats phone consent as reliable for 90 days. After 90 days, the risk increases — not because consent legally expired, but because the consumer is more likely to have forgotten opting in and may file a complaint. For leads older than 90 days, consider using email or direct mail as your first contact channel, and use phone calls only after re-establishing engagement. The age of the lead does not invalidate the consent, but it does affect how you should approach the outreach.

What happens if I get a TCPA complaint?

A single complaint can escalate quickly. At the individual level, a consumer can sue for $500-$1,500 per violation. If a plaintiff's attorney identifies a pattern — say you called 5,000 numbers without proper DNC scrubbing — that becomes a class action with millions in exposure. Your first steps should be: immediately suppress the complaining number, pull your consent documentation for that lead, review your compliance records, and contact a TCPA attorney. Having thorough records (consent documentation, DNC scrub logs, opt-out processing timestamps) is your best defense.

Are aged leads safer from a TCPA perspective than fresh leads?

In some ways, yes. Aged leads have already gone through the consent collection process — the opt-in happened, the disclosure was presented, and the consumer submitted their information. You are not dealing with the compliance risks of the lead generation process itself (deficient forms, misleading disclosures, pre-checked consent boxes). Your risk is limited to how you contact the lead, not how the lead was generated. That said, aged leads carry the consent decay risk described above, and you are still responsible for DNC scrubbing, calling-hour compliance, and proper opt-out handling. The lead's existence does not exempt you from compliance — but a well-documented aged lead from a reputable vendor like Aged Lead Store gives you a solid consent foundation to build on.