DNC Compliance for Aged Leads: What Every Agent Must Know (2026)

Compliance is the topic nobody in the lead industry wants to talk about. Lead vendors don't bring it up because it might scare buyers. Agents don't ask because they don't want to hear the answer. And the result is a lot of professionals calling leads without understanding the rules — which is a $500-$1,500-per-call mistake waiting to happen.

Here's the truth: you absolutely can call aged leads legally. But there are rules, and ignorance isn't a defense. DNC scrubbing, TCPA compliance, SMS consent, calling hours, and record-keeping all matter — and the penalties for getting it wrong are severe enough to end a business.

This guide covers the complete compliance landscape for aged lead buyers in 2026: what the law requires, how DNC scrubbing works, the TCPA checklist every agent needs, SMS and email rules, and what to demand from your lead vendor.

Disclaimer: This is educational guidance, not legal advice. Compliance requirements vary by state and change frequently. Consult a licensed attorney for legal questions specific to your situation. For specialized TCPA and lead generation legal counsel, see Henson Legal and Mac Murray & Shuster LLP.

The Compliance Landscape for Lead Buyers

Multiple federal and state laws govern how you contact leads. Understanding the framework prevents costly violations.

TCPA (Telephone Consumer Protection Act). The big one. The TCPA regulates phone calls, text messages, and faxes to consumers. It's a strict liability statute — violations are not contingent on fault or criminal intent. Even accidental violations trigger penalties. The TCPA requires prior express consent before making marketing calls, limits the use of auto-dialers and prerecorded voices, and establishes rules for calling hours and caller ID display. Violations carry penalties of $500-$1,500 per call — and class action lawsuits are common. The average TCPA class action settlement is $6.6 million.

What happened to the FCC 1:1 Consent Rule? In December 2023, the FCC adopted a "one-to-one consent" rule that would have required consumers to individually consent to each company that could contact them — eliminating the common practice of blanket consent with a hyperlinked partner list. This rule never took effect. In January 2025, the 11th Circuit Court of Appeals vacated the rule entirely in Insurance Marketing Coalition Ltd v. FCC, finding that the FCC "impermissibly exceeded its statutory authority" by attempting to redefine "prior express consent." The court held that under common law principles, a consumer can give consent to receive calls from multiple entities at once, as long as the consent is clear and unmistakable. The multi-company consent model with partner lists remains legally permissible.

Important caveat: The 1:1 rule being dead does not mean agents are "safe." As TCPA attorney John Henson warns: the lead practices that were risky before the rule was proposed are still risky today. The underlying TCPA requirements remain in full force, and Congress could pass similar legislation in the future.

National Do Not Call (DNC) Registry. Maintained by the FTC, this registry contains phone numbers of consumers who've requested not to receive telemarketing calls. You must check your lead lists against this registry before making calls — and at least every 31 days to maintain compliance. A Subscription Account Number (SAN) from the FTC is required to access the registry at telemarketing.donotcall.gov.

State-Specific DNC Lists and Mini-TCPA Laws. Many states maintain their own DNC registries in addition to the federal list. States like California, Florida, New York, Texas, and Pennsylvania have state-level lists that you must also check. Beyond DNC lists, states like Florida have enacted "mini-TCPA" statutes with stricter time restrictions and per-call limits. State and federal penalties can stack — up to $3,000 per call ($1,500 federal + $1,500 state). Approximately 36 states also require telemarketer registration.

CAN-SPAM Act. Governs commercial email messages. Less restrictive than TCPA — you can email leads without prior consent as long as you include an opt-out mechanism, your physical address, and honest subject lines. Still, best practice is to have some form of consent or prior relationship.

Can You Legally Call Aged Leads?

Yes — with proper DNC scrubbing and consent verification.

Here's how the legal framework applies specifically to aged leads:

Prior express consent. When a consumer fills out a web form requesting a quote, information, or a callback, they're giving prior express consent to be contacted. This consent is what makes calling internet leads legal in the first place — the prospect asked to be contacted. However, as Mac Murray & Shuster points out, there is no such thing as a "TCPA-compliant lead" — compliance depends on matching the lead's consent to your specific calling campaign, technology, and purpose.

Consent tiers matter. The technology you use determines the consent standard required:

• Prior express consent — sufficient for manual dialing
• Prior express written consent — required for auto-dialers (ATDS), prerecorded voice messages, AI-generated voice, and marketing text messages

This distinction is critical for aged lead buyers. If the original opt-in form only captured basic consent but you plan to use an auto-dialer, you may not have sufficient consent.

DNC exemption windows for aged leads. While TCPA consent itself doesn't have a hard expiration, the DNC exemption windows are specific and well-defined:

• Inquiry-based exemption: Expires 3 months after the consumer's inquiry (the form fill). After that, DNC registry rules fully apply.
• Transaction-based exemption: Expires 18 months after the last transaction.

As Mac Murray & Shuster notes: "These concerns come to the forefront when calling on aged leads, conducting win-back campaigns, or in industries where there may be a delay in purchase." For aged leads older than 90 days, DNC scrubbing is especially critical because the inquiry-based DNC exemption has expired.

Reassigned numbers — a hidden risk. Nearly 100,000 phone numbers are reassigned to new owners every day. Consent is tied to the person, not the phone number. If an aged lead's number has been reassigned, you're calling someone who never consented — creating TCPA liability. One major investment bank paid a $3.75 million TCPA settlement from 675,000 calls to reassigned numbers. Use a reassigned number database scrub to mitigate this risk.

The bottom line: Aged leads are legal to call if (1) the consumer gave consent when they filled out the form, (2) you've DNC scrubbed the list within the last 31 days, (3) you've checked for reassigned numbers, and (4) you follow TCPA calling rules. The age of the lead doesn't make calling illegal — lack of consent, failure to DNC scrub, or calling a reassigned number does.

DNC Scrubbing — What It Is and Why It's Non-Negotiable

DNC scrubbing is the process of checking your lead list against federal and state Do Not Call registries and removing any numbers that appear on those lists. It's not optional — it's required by law, and the penalties for skipping it are severe.

What a comprehensive scrub should cover:

• Federal National DNC Registry
• Applicable state DNC registries
• Reassigned number database (numbers now belonging to someone who never consented)
• Wireless/VoIP identification (wireless numbers have additional TCPA protections)
• Disconnected number detection
• Known TCPA litigator databases (professional plaintiffs who file serial lawsuits)
• Your internal company-specific DNC list

How to scrub your leads:

• Through your vendor. Reputable aged lead vendors like AgedLeadStore include DNC scrubbing before delivery. This is the easiest option — your leads arrive already scrubbed.
• Through your CRM. Some CRM platforms include DNC checking. GoHighLevel and other platforms offer built-in or add-on DNC tools.
• Through third-party services. Specialized compliance services like DNC.com (Contact Center Compliance) offer comprehensive scrubbing that covers federal, state, reassigned numbers, wireless identification, and litigator databases in a single pass.
• Directly through the FTC. You can access the National DNC Registry directly at donotcall.gov for a fee based on list size.

How often to scrub:

• Every 31 days at minimum — this is the legal requirement, not a suggestion. It's also a requirement for Safe Harbor protection.
• Before EVERY new campaign — even if you bought the same type of leads from the same vendor last month
• Numbers can be added to the DNC registry at any time, so a list that was clean 31 days ago may have new DNC entries

The cost of non-compliance — real cases:

• $500 per violation for standard TCPA infractions, $1,500 per violation for willful or knowing violations
• $43,280 per call for federal DNC violations
• American Income Life (insurance): $14 million settlement over DNC violations involving 49,695 phone numbers — despite having consent that likely would have met 1:1 standards
• QuoteWizard (insurance lead generator): $19 million settlement because they could not trace consent language back through their lead supply chain
• MediaAlpha/Assurance IQ: $145 million FTC settlement for deceptive lead generation practices

These are not hypothetical penalties. Individual agents have been fined and lost their licenses over DNC violations. One woman won $571,000 against a finance company and $229,500 against a cable provider in separate TCPA cases.

DNC scrubbing costs pennies. Non-compliance costs millions. There is no scenario where skipping the scrub is worth the risk.

Safe Harbor — Your Legal Shield

The TCPA provides a "Safe Harbor" defense that can protect you from liability for inadvertent DNC violations — but only if you've done the work upfront. DNC.com identifies five types of Safe Harbor, but the National DNC Safe Harbor is the most critical for aged lead buyers.

To qualify for Safe Harbor protection, you must maintain:

• Written DNC compliance policies and procedures — documented, not just verbal
• A DNC employee training program — everyone who touches leads must be trained
• An active in-house do-not-call suppression list — your own internal DNC list of people who've asked you to stop calling
• Proof of DNC registry access at least every 31 days — documented scrub records

Without these elements in place, you lose your Safe Harbor defense entirely. If a DNC violation occurs and you can't demonstrate all four requirements, you have no legal protection — even if the violation was genuinely accidental.

TCPA Compliance Checklist for Aged Lead Campaigns

Use this checklist before every aged lead campaign. Print it, bookmark it, and review it every time you import a new batch of leads.

Before You Call:

• DNC scrub completed within the last 31 days. Federal and applicable state registries checked. Reassigned number database checked. Known litigators removed. Flagged numbers removed from your calling list. Scrub records documented for Safe Harbor protection.
• Prior express consent documented. You can demonstrate that the lead gave consent when they filled out the form. Your vendor should provide documentation of the consent language used on the opt-in form — including the full user flow from ad to submission page.
• Consent level matches your calling method. If using an auto-dialer, prerecorded voice, or AI voice, you need prior express written consent — not just prior express consent.
• Lead age assessed against DNC exemption windows. Leads older than 90 days have passed the inquiry-based DNC exemption — scrubbing is especially critical. Leads older than 18 months have passed the transaction-based exemption.
• Lead data reviewed. Phone numbers are valid US formats. Wireless numbers identified (additional TCPA protections apply). State licensing verified — you're only calling leads in states where you're licensed.

During Your Calls:

• Calling during permitted hours. Calls made between 8:00 AM and 9:00 PM in the lead's LOCAL time zone. Not your time zone — theirs. Check state laws — some states have stricter windows.
• Caller ID displayed. Your real phone number or a properly registered business number is shown. No caller ID spoofing.
• Identify yourself immediately. State your name and company within the first few seconds of the call.
• Opt-out honored immediately. If a prospect says "don't call me again" or "take me off your list," honor it instantly. Add them to your internal DNC list. Internal DNC requests must be honored for five years.

For Every Campaign:

• Opt-out mechanism on every contact. Phone calls: honor verbal opt-out requests. Texts: include "Reply STOP to opt out." Emails: include unsubscribe link.
• Records retained. Keep records of your DNC scrubbing, consent documentation, and opt-out requests for a minimum of 5 years.
• Internal DNC list maintained and shared. Beyond the federal and state registries, maintain your own list of prospects who've asked not to be contacted. Check every campaign against this list. DNC requests must also be communicated to affiliates — in Moore v. Farmers Group, Inc., the court held that DNC requests apply to affiliates if a reasonable consumer would expect them to be included.
• State-specific rules reviewed. Some states have additional requirements beyond federal law (enhanced calling restrictions, additional consent requirements, stricter penalties, or telemarketer registration).

Vicarious Liability — You're Responsible for Your Vendors

One of the most dangerous misconceptions in lead buying is that you're only responsible for your own calls. In reality, you can be held liable for TCPA violations committed by your lead vendor, your call center partner, or anyone in your lead supply chain.

The FTC has been explicit about this. During the HomeAdvisor enforcement action, FTC Bureau Director Andrew Smith stated: "We're not just looking at the people who generate bad traffic, but looking at the people who purchase that bad traffic."

What this means for aged lead buyers: When you buy leads, you're also buying the lead generator's compliance processes. If those processes were deficient — bad consent language, deceptive forms, DNC violations upstream — you share in the liability.

SMS/Text Compliance for Aged Leads

Text messaging has stricter compliance requirements than phone calls, and many agents don't realize the distinction until they get a cease-and-desist letter.

Prior express written consent is required for marketing texts. The TCPA requires "prior express written consent" for text messages — a higher bar than the "prior express consent" needed for manual phone calls. This means the original opt-in form must have specifically authorized text message communication, not just phone calls.

How to verify SMS consent for aged leads:

• Ask your vendor whether the opt-in form included SMS consent language
• Look for specific language like "I agree to receive calls and text messages" on the original form
• Demand to see the actual user flow and consent language — not just a vendor's assurance
• If you can't verify SMS consent, don't text — call instead

Opt-out requirements for text messages:

• Include "Reply STOP to opt out" (or similar language) in every marketing text
• Honor opt-out requests immediately and permanently
• Don't send additional texts after a STOP request — not even a confirmation text

Penalties for non-compliant texting:

• Same as TCPA phone violations: $500-$1,500 per message
• Text message class actions are among the most common TCPA lawsuits
• Volume makes this especially risky — sending 500 texts to a list with SMS compliance issues creates 500 potential violations

Best practices for aged lead texting:

• Use your CRM's built-in SMS compliance features (automatic STOP handling, opt-out tracking)
• Keep texts conversational, not spammy — personalize with the prospect's name
• Limit text frequency — 2-3 texts in a 7-day follow-up cadence is reasonable
• Always identify yourself in the text

Email Compliance (CAN-SPAM)

Email is the lowest-risk channel for aged lead outreach from a compliance standpoint, but there are still rules to follow.

CAN-SPAM requirements for commercial emails:

• Opt-out mechanism required. Every commercial email must include a clear way to unsubscribe. Honor unsubscribe requests within 10 business days.
• Physical address required. Your business mailing address must appear in every email.
• Honest subject lines. The subject line cannot be deceptive or misleading about the email's content.
• Identify as an ad. If the email is a marketing message, disclose that fact (most businesses handle this through footer language).
• "From" line accuracy. The sender name and email address must accurately identify who's sending the message.

Why email is lower risk than phone or text:

• CAN-SPAM doesn't require prior consent for commercial emails — you can legally email someone without them opting in (though having consent is always better practice)
• Penalties are per-campaign rather than per-message
• Maximum penalty is $51,744 per violation, but enforcement against individual agents is rare
• Most email service providers (Mailchimp, your CRM's email tool) have built-in compliance features

Best practices for emailing aged leads:

• Use your CRM's email tools, which handle unsubscribe links and physical address automatically
• Don't buy or scrape email lists — use the emails that came with your purchased leads
• Respect unsubscribes immediately
• Keep your sending reputation clean to avoid spam filters

Industry-Specific Compliance

Beyond TCPA and DNC rules, your specific industry may have additional compliance requirements.

Insurance agents:

• State Department of Insurance (DOI) rules govern solicitation practices
• Medicare marketing has additional CMS (Centers for Medicare & Medicaid Services) restrictions — scope of appointment requirements, prohibited contact periods, and marketing material approvals
• E&O insurance is essential — compliance mistakes can trigger claims
• Some states require specific disclosures during insurance solicitation calls

Mortgage loan officers:

• TILA (Truth in Lending Act) and RESPA (Real Estate Settlement Procedures Act) govern advertising and disclosures
• NMLS licensing requirements — only contact leads in states where you're licensed and registered
• Fair lending laws prohibit discriminatory practices in lead selection or outreach
• State-specific mortgage solicitation rules may apply

Solar sales professionals:

• State-specific solicitation rules vary significantly
• Some municipalities have door-to-door solicitation ordinances that may apply to phone solicitation
• HOA restrictions can affect solar installations — be transparent about potential limitations
• State licensing requirements for solar contractors/salespeople

What Your Lead Vendor Should Provide

A reputable aged lead vendor handles the upstream compliance so you can focus on selling. Here's what to expect — and demand — from your vendor:

DNC scrubbing (included or clearly documented). Your vendor should scrub leads against federal and state DNC registries before delivery. Ask whether this is included in the lead price or an add-on service. Leads that arrive without DNC scrubbing shift all the compliance risk to you. Remember: even if your vendor scrubs, you must re-scrub every 31 days.

Full consent documentation and user flow transparency. Your vendor should be able to show you the entire user flow — from the initial ad to the final submission page — and the exact consent language the consumer agreed to. As Henson Legal advises with their "Show Me" principle: "If your potential marketing partners cannot or will not provide this transparency, you need to run, not walk, and find new ones."

Consent that matches your calling method. The consent language should cover the specific technology you'll use (auto-dialer, prerecorded voice, AI voice, SMS). Generic consent that doesn't mention these technologies may not meet the "prior express written consent" standard required for regulated technology.

Data source transparency. Where do the leads come from? Reputable vendors will disclose their lead generation sources. Be wary of vendors who can't or won't explain their lead generation process — you can't verify compliance if you don't know how the lead was created. The QuoteWizard $19 million settlement happened because they couldn't trace consent through their supply chain.

Return policy for non-compliant leads. What happens if you receive a lead with a disconnected number, a wrong number, or a number that shouldn't have passed DNC scrubbing? Reputable vendors have return policies for bad data.

Browse aged leads at AgedLeadStore — all leads are DNC-scrubbed before delivery, with no contracts required. Use promo code BILLRICE for a discount on your first order.

FAQ

Do I need to DNC scrub aged leads?

Yes — always, no exceptions. Every lead list must be checked against federal and state Do Not Call registries before you start calling, and you must re-scrub at least every 31 days. This applies regardless of the lead's age, source, or how recently your vendor scrubbed them. Consumers can add their number to the DNC registry at any time, and nearly 100,000 numbers are reassigned daily. A list that was clean when your vendor scrubbed it may have new DNC entries or reassigned numbers by the time you call. The cost of scrubbing is pennies per lead; the cost of a single DNC violation is $500-$1,500 per call.

Can I text aged leads?

Only if the original consent included specific SMS permission. The TCPA requires "prior express written consent" for marketing text messages — a higher standard than the consent needed for manual phone calls. Ask your lead vendor to show you the actual opt-in form and consent language. If you can't verify SMS consent, stick to manual phone calls and email. When you do text, always include "Reply STOP to opt out" and honor opt-out requests immediately.

What happens if I call someone on the DNC list?

Fines of $500 per call for standard violations, up to $1,500 per call for willful violations, and up to $43,280 per call for federal DNC violations. These penalties are per-call, meaning calling 100 DNC-listed numbers could result in $50,000-$150,000 or more in fines. American Income Life — an insurance company with proper consent — still paid $14 million over DNC violations. Beyond monetary penalties, DNC violations can trigger class action lawsuits (averaging $6.6 million in settlements), state regulatory action, and loss of your professional license.

Is the FCC 1:1 consent rule still in effect?

No. The FCC's "one-to-one consent" rule was vacated by the 11th Circuit Court of Appeals in January 2025 and never took effect. The court found the FCC overstepped its authority. This means the multi-company consent model — where a consumer consents on one form to be contacted by multiple companies via a partner list — remains legally permissible. However, this doesn't mean all lead practices are safe. The underlying TCPA requirements are fully in force, and Congress could pass similar legislation. Smart lead buyers still verify consent quality, demand transparency from vendors, and DNC scrub every list. For a deeper analysis, see our guide on the FCC consent rule and lead buying.

How often should I re-scrub my lead lists?

At least every 31 days — this is a legal requirement and a condition of Safe Harbor protection, not just a best practice. Phone numbers can be added to the DNC registry at any time, and numbers are constantly being reassigned and ported. If you're running ongoing nurture campaigns, set a recurring 31-day scrub cycle. Most scrubbing services charge $0.01-$0.05 per number, making frequent scrubbing extremely affordable relative to the risk. You should also maintain documented proof of every scrub for your Safe Harbor defense.

What is Safe Harbor and how do I qualify?

Safe Harbor is a TCPA defense that protects you from liability for inadvertent DNC violations. To qualify, you must maintain: (1) written DNC compliance policies and procedures, (2) a DNC employee training program, (3) an active internal do-not-call suppression list, and (4) documented proof of DNC registry access at least every 31 days. Without all four elements, you lose this protection entirely — even if a violation was genuinely accidental.

Stay Compliant, Stay in Business

Compliance isn't an obstacle to working aged leads — it's a business requirement that protects your livelihood and your reputation. The agents who take compliance seriously are the ones who build sustainable businesses. The ones who cut corners eventually pay the price — and the case law shows those prices run into the millions.

DNC scrub every 31 days. Verify consent. Check for reassigned numbers. Scrub for known litigators. Follow calling rules. Document everything. Maintain your Safe Harbor. It takes minutes and costs pennies — and it's the difference between a growing business and a seven-figure lawsuit.

Ready to work compliant aged leads? Browse DNC-scrubbed aged leads at AgedLeadStore — insurance, mortgage, solar, and more. No contracts required. Use promo code BILLRICE for a discount on your first order.