You bought 500 leads. You loaded them into your dialer. You started calling. Two weeks later, you got served with a lawsuit demanding $750,000 in damages.

That is not a hypothetical. TCPA class action filings hit 2,788 in 2024 — a 67% increase over 2023. By Q1 2025, that pace accelerated further with 507 class actions filed in just three months. Average settlements now exceed $6.6 million, and 78% of all TCPA cases land as class actions. The plaintiff's bar has turned TCPA litigation into an industry, and lead buyers who skip compliance are the easiest targets.

Here is the good news: TCPA compliance is not complicated once you understand the rules. And if you are buying aged leads, you are actually in a better position than most — because the consent was already captured at the point of original opt-in. The risk comes from how you contact those leads, not whether they exist.

This guide covers every TCPA rule that matters for lead buyers in 2026 — federal law, the FCC's consent revocation rules, auto-dialer restrictions, text messaging compliance, DNC requirements, state mini-TCPA laws, and a practical checklist you can implement today.

Disclaimer: This guide is educational. It is not legal advice. Consult a TCPA attorney for guidance specific to your business.

What Is the TCPA and Why Should Lead Buyers Care?

The Telephone Consumer Protection Act (TCPA) was signed into law in 1991 to curb telemarketing calls overwhelming American households. It restricts how businesses contact consumers by phone, text, and fax.

For lead buyers, the TCPA is the single most important law governing your outreach:

• Who you can call (DNC list requirements)
• How you can call (auto-dialer and pre-recorded message restrictions)
• When you can call (time-of-day restrictions)
• What consent you need (express consent vs. express written consent)
• How quickly you must honor opt-outs (consent revocation rules)

Each individual violation — each call, each text, each voicemail — carries statutory damages. Make 200 non-compliant calls and you face $100,000 to $300,000 in exposure from a single plaintiff.

TCPA Penalty Structure

The $500-per-violation number makes class actions lucrative for plaintiffs. A company that sent 10,000 non-compliant texts faces $5 million in base exposure — $15 million if willful. Courts routinely find violations willful when a company lacks a compliance program.

The FCC's 1:1 Consent Rule: What Actually Happened

If you followed telemarketing compliance news in 2024-2025, you heard a lot about the FCC's "one-to-one consent rule." Here is where things stand.

The Original Rule

In December 2023, the FCC adopted rules to close the "lead generator loophole." Under the old framework, a consumer could fill out a single form on a comparison-shopping website and unknowingly grant consent for dozens of companies to call them. The new rule would have required:

• One-to-one consent: Written consent limited to a single, identified seller
• Logical and topical association: The seller had to be logically related to the website where the consumer gave consent
• No blanket consent forms: Lead generators could not bundle consent for multiple companies in a single disclosure

The rule was scheduled to take effect on January 27, 2025.

What Happened Instead

The Insurance Marketing Coalition challenged the rule in the Eleventh Circuit Court of Appeals. On January 24, 2025 — three days before the effective date — the FCC issued a formal 12-month stay. That same month, the Eleventh Circuit vacated the rule entirely, finding the FCC had "impermissibly exceeded its statutory authority" by redefining "prior express consent" beyond what Congress intended. The court held that under common law principles, a consumer can grant consent to multiple entities at once, as long as the consent is clear and unmistakable. The one-to-one consent rule never took effect.

What This Means for Lead Buyers in 2026

The 1:1 consent rule is dead — for now. The old standard applies: a consumer can grant written consent covering multiple sellers, as long as the disclosure clearly identifies who may contact them. Important caveats:

1. Carrier requirements still exist. T-Mobile, AT&T, and Verizon still require one-to-one opt-in for SMS traffic. The carriers enforce their own policies regardless of the FCC ruling.
2. State laws may be stricter. Several states have adopted or are considering their own consent requirements beyond federal TCPA.
3. The FCC could try again. A new administration could revive the rule under a different legal theory.
4. Best practice is still 1:1. Leads with single-seller consent convert better and carry less litigation risk.

The Consent Revocation Rule (April 2025): This One Is Real

While the 1:1 consent rule was vacated, the FCC's consent revocation rules largely went into effect on April 11, 2025. These rules directly impact how lead buyers handle opt-outs.

Key Requirements

10 Business Day Processing Window: When a consumer revokes consent, you must stop all contact within 10 business days. This is down from the previous 30-day window. No excuses, no delays.

Any Reasonable Method: Consumers can revoke consent through any reasonable method — not just texting STOP. A voicemail, email, verbal request during a live call, or casual "stop contacting me" all count. You must honor it regardless of channel.

Standardized Keywords: These text keywords must be treated as automatic opt-outs: STOP, QUIT, REVOKE, OPT OUT, CANCEL, UNSUBSCRIBE, END. Any of these texted to your number is a legally binding revocation.

Confirmatory Text Opt-Out: As of April 11, 2025, if you send a confirmatory text after an opt-out and the consumer does not respond, that silence is treated as implied revocation for all future communications.

Practical Impact for Lead Buyers

If you are working a follow-up cadence and a prospect says "stop calling," you have 10 business days to suppress that number across every system — your dialer, CRM, text platform, and skip-tracing tools. Miss one system and that next automated text becomes a $500-$1,500 violation. Build your suppression workflow now.

Auto-Dialer (ATDS) Rules: What Equipment Triggers TCPA Restrictions

The TCPA's strictest requirements apply when you use an "automatic telephone dialing system" (ATDS). Understanding what qualifies as an ATDS determines which rules apply to your outreach.

The Supreme Court Definition (Facebook v. Duguid, 2021)

In 2021, the Supreme Court significantly narrowed the ATDS definition. To qualify as an ATDS, a device must have the capacity to:

1. Store telephone numbers using a random or sequential number generator, OR
2. Produce telephone numbers using a random or sequential number generator

The key word is "random or sequential number generator." If your dialer pulls numbers from a pre-loaded list — which is what every lead buyer does — it is likely not an ATDS under the federal TCPA. You are dialing specific numbers from a purchased list, not generating numbers randomly.

Why This Matters (and Why It Is Not a Free Pass)

The narrow ATDS definition means many predictive dialers, power dialers, and CRM-based click-to-call systems do not trigger ATDS-specific provisions at the federal level. However, this is not a free pass:

• Pre-recorded or artificial voice messages still require prior express written consent regardless of equipment
• National DNC list compliance still applies to all telemarketing calls
• State laws define ATDS much more broadly (Florida, Washington, Oklahoma all have expanded definitions)
• Internal DNC lists must be maintained

What This Means for Your Dialer Setup

Bottom line: Even if your dialer is not an ATDS under federal law, you still need consent for pre-recorded messages and voicemail drops, and you still need to scrub against the DNC list. The Duguid decision narrowed one category of liability — it did not eliminate your compliance obligations.

Text Message and SMS Compliance

Text messages are treated as "calls" under the TCPA. Every rule that applies to phone calls also applies to text messages, plus additional carrier-level requirements.

Federal TCPA Text Rules

• Marketing texts to cell phones using an ATDS: Require prior express written consent
• Marketing texts sent manually (no ATDS): Require prior express consent (verbal is sufficient, but written is safer)
• Informational texts: Require prior express consent (can be implied in some cases)
• Opt-out must be honored within 10 business days (per April 2025 consent revocation rule)
• STOP keyword must be supported and processed automatically

Carrier Requirements (Stricter Than the Law)

Wireless carriers enforce their own policies through the Campaign Registry (TCR) and filtering systems. Even if your texts are TCPA-compliant, carriers can block your messages:

• 10DLC registration required for all business text messaging on local numbers
• One-to-one consent required by most carriers — regardless of the FCC rule being vacated
• Campaign use case must match consent — mortgage consent does not authorize insurance texts
• Throughput limits based on your trust score and campaign registration

Register your campaigns through the TCR before sending. Unregistered traffic gets filtered aggressively, and violations can result in your numbers being permanently blocked.

Best Practices for Texting Purchased Leads

1. Verify the vendor provides SMS-specific consent documentation
2. Include opt-out instructions in every message ("Reply STOP to unsubscribe")
3. Process STOP requests immediately — do not wait the full 10 days
4. Do not text before 8 AM or after 9 PM in the recipient's time zone
5. Keep message content relevant to the original consent context

DNC Compliance: The Non-Negotiable Baseline

DNC compliance is the absolute minimum for any lead buyer. No exceptions, no shortcuts.

National Do Not Call Registry

The FTC maintains the National DNC Registry, and the TCPA prohibits telemarketing calls to numbers on that list. You must:

1. Register as a telemarketer with the FTC (free)
2. Download and scrub your lead lists against the registry before calling
3. Re-scrub every 31 days — the registry updates monthly
4. Maintain records of your scrub dates and procedures for at least 5 years

The cost is minimal ($75 per area code, capped at $20,868/year for the full list). The cost of not scrubbing — up to $43,792 per call — makes this the highest-ROI compliance investment you will ever make.

For a detailed DNC compliance walkthrough, see our DNC compliance guide.

Internal Do Not Call List

Separate from the national registry, you must maintain your own internal DNC list of everyone who has ever asked you or your company to stop calling. Internal DNC requests never expire. If someone told your predecessor at the company to stop calling in 2019, that request is still valid in 2026.

Established Business Relationship Exception

If a consumer has an existing relationship with you — they purchased from you or inquired about your services — you may call even if they are on the national DNC list. However:

• The EBR for purchases expires 18 months after the last transaction
• The EBR for inquiries expires 3 months after the inquiry
• The EBR does not override an internal DNC request
• The EBR does not apply to calls using pre-recorded messages or auto-dialers

For lead buyers working purchased lead lists, the EBR exception rarely applies because you do not have a prior relationship with those consumers. Scrub every list, every time.

State Mini-TCPA Laws: The Patchwork That Multiplies Your Risk

Federal TCPA is the floor, not the ceiling. At least 15 states enforce their own "mini-TCPA" statutes with stricter requirements and heavier penalties. The law of the consumer's state applies regardless of where you are located.

State Law Comparison: Key Differences

The States That Hurt the Most

Florida remains a high-risk state despite the 2023 FTSA amendments that added pre-suit notice and narrowed the autodialer definition. The 8 PM cutoff (vs. 9 PM federal) catches callers not adjusting for time zones.

Texas SB 140 (effective September 2025) ties violations to the Deceptive Trade Practices Act, enabling treble damages and attorney's fees. The $10,000 security bond requirement applies to any company calling Texas residents, regardless of where you are based.

Georgia SB 73 (2024) removed the "knowing" requirement, eliminated damage caps, and added vicarious liability — you are liable even if you did not know your employee was making non-compliant calls.

Virginia SB 1339 (effective January 2026) requires honoring text opt-outs for 10 years. A STOP request in 2026 must still be suppressed in 2036.

How to Handle the State Patchwork

1. Default to the strictest rule. If Florida says 8 PM and federal says 9 PM, stop calling at 8 PM for all calls — or at minimum, for all calls to Florida numbers.
2. Scrub by area code and state. Your dialer should be able to apply state-specific calling windows based on the area code of the number being dialed.
3. Register where required. Texas, Oklahoma, Washington, and several other states require telemarketer registration. Non-registration is a separate violation with its own penalties.
4. Track state law changes. Mini-TCPA legislation is accelerating. What was compliant last year may not be compliant this year.

How Aged Leads Fit Into TCPA Compliance

If you are working aged leads, you have a compliance advantage that fresh lead buyers do not — but it is not absolute.

Why Aged Leads Are Generally Safer

Aged leads were generated from opt-in web forms and quote requests where the consumer provided their information and agreed to be contacted. When you buy from a reputable vendor like Aged Lead Store, that consent was captured at generation — the consumer filled out a form, agreed to a disclosure, and provided their phone number expecting to be contacted about the product they inquired about.

The Consent Decay Question

The TCPA does not specify a consent expiration date. There is no federal rule that says consent expires after 30, 60, or 90 days. However:

• Industry best practice treats consent as valid for approximately 90 days
• Some lead contracts specify consent windows in their terms
• The older the lead, the more likely the consumer has forgotten they opted in — increasing complaint risk
• Carrier-level consent (for text messaging) may have shorter windows

This does not mean you cannot call a 120-day-old lead. It means your approach should account for consent age. Your scripts and templates should acknowledge the time gap and re-establish the context of the original inquiry.

Practical Guidelines for Aged Lead Compliance

What to Demand From Your Lead Vendor

Before you load a single lead into your dialer:

1. Request the consent language — the exact disclosure the consumer saw when they opted in
2. Ask for TrustedForm certificates or equivalent — timestamped proof of consent (remember: a certificate documents what happened, it does not guarantee the form was compliant)
3. Verify consent covers your use case — mortgage consent does not authorize insurance calls
4. Confirm DNC scrubbing — did the vendor scrub before delivery, or is that your responsibility?
5. Get it in your contract — include compliance representations and indemnification clauses

Vendor Due Diligence: Protecting Yourself Before You Buy

The TCPA does not care that you bought leads in good faith. If the underlying consent was deficient, you are still liable for every non-compliant call. That makes vendor due diligence essential.

The Due Diligence Checklist

Before signing a lead purchase agreement, verify:

• Can the vendor produce the original consent form language and TCPA disclosure?
• Is consent specific to the product/service you are selling?
• Does the vendor use consent verification tools (TrustedForm, Jornaya, etc.)?
• Has the vendor been the subject of any TCPA lawsuits or FCC enforcement actions?
• Does the purchase agreement include TCPA compliance warranties and indemnification?
• Can you audit the vendor's consent records if a complaint arises?
• Will the vendor cooperate with documentation if a lead files a claim?

For more on evaluating lead vendors, see our buying leads guide.

Your TCPA Compliance Checklist

Adapt this to your situation and have it reviewed by a TCPA attorney.

Before You Start Calling

• [ ] Register with the FTC as a telemarketer
• [ ] Scrub your lead list against the National DNC Registry
• [ ] Register in states that require it (TX, OK, WA, and others)
• [ ] Verify lead vendor consent documentation
• [ ] Configure dialer with state-specific calling windows
• [ ] Set up your internal DNC list process
• [ ] Register text messaging campaigns through TCR (if using SMS)
• [ ] Train your team on opt-out handling

During Outreach

• [ ] Identify yourself and your company at the start of every call
• [ ] Do not call before 8 AM or after 8 PM recipient's time (8 PM for Florida compliance)
• [ ] Honor every opt-out request immediately
• [ ] Log all opt-out requests with timestamps
• [ ] Include opt-out instructions in every text message
• [ ] Do not use pre-recorded messages or voicemail drops without written consent
• [ ] Keep call recordings and text logs for at least 5 years

Ongoing Maintenance

• [ ] Re-scrub against the National DNC Registry every 31 days
• [ ] Update your internal DNC list in real time
• [ ] Audit dialer settings quarterly for state law compliance
• [ ] Review vendor consent docs when purchasing new lead batches
• [ ] Monitor state mini-TCPA legislation for changes
• [ ] Document your compliance procedures in writing

For a downloadable version of this checklist, visit our compliance checklist tool.

Frequently Asked Questions

Do I need written consent to call leads I purchased?

It depends on how you call them. If you use an ATDS (generates numbers randomly or sequentially), you need prior express written consent. If you manually dial or use a list-based power dialer that does not qualify as an ATDS under the Duguid standard, you need prior express consent — which can be implied through submitting a web form. However, pre-recorded voicemail drops always require written consent regardless of dialer type, and state laws may impose stricter requirements. The safest approach: always have documented written consent.

Can I text leads that I bought from a lead vendor?

You can, but the requirements are strict. You need prior express written consent that specifically covers text messaging (not just phone calls). Carrier requirements still mandate that consent identify your company by name. You must register through the TCR for 10DLC compliance, include opt-out instructions in every message, and honor STOP requests immediately. If the vendor cannot document SMS-specific consent, do not text those leads.

How old is too old for a lead to still have valid consent?

The TCPA does not set a consent expiration date. Industry practice treats phone consent as reliable for about 90 days. After that, risk increases — not because consent legally expired, but because the consumer is more likely to have forgotten opting in and may file a complaint. For leads older than 90 days, consider email or direct mail as your first contact channel, then follow up by phone after a re-engagement signal.

What happens if I get a TCPA complaint?

A single complaint can escalate fast. A consumer can sue for $500-$1,500 per violation. If a plaintiff's attorney identifies a pattern — say you called 5,000 numbers without DNC scrubbing — that becomes a class action with millions in exposure. Your first steps: immediately suppress the number, pull your consent documentation, review your compliance records, and contact a TCPA attorney. Thorough records (consent docs, DNC scrub logs, opt-out timestamps) are your best defense.

Are aged leads safer from a TCPA perspective than fresh leads?

In some ways, yes. Aged leads have already gone through the consent collection process — the opt-in happened, the disclosure was presented, the consumer submitted their information. You are not dealing with the compliance risks of lead generation itself (deficient forms, misleading disclosures, pre-checked consent boxes). Your risk is limited to how you contact the lead, not how it was generated. That said, aged leads carry consent decay risk, and you are still responsible for DNC scrubbing, calling-hour compliance, and opt-out handling. A well-documented aged lead from a reputable vendor like Aged Lead Store gives you a solid consent foundation to build on.