TCPA Litigation Risks for Lead Buyers: What Agencies Need to Know in 2026

TCPA litigation is the single largest legal risk in the lead generation industry. The Telephone Consumer Protection Act (47 U.S.C. § 227) imposes statutory damages of $500 to $1,500 per call or text for violations, and plaintiffs' attorneys file these cases as class actions, meaning a single marketing campaign that missed proper consent can turn into a seven-figure liability overnight. What most lead buyers do not realize is that they are not insulated from lawsuits simply because they bought the lead from someone else. Courts have repeatedly held that the company that makes the call or sends the text shares responsibility with the company that collected the consent, even if those two entities are different.

According to the Federal Communications Commission, TCPA enforcement actions and private lawsuits have grown substantially over the past decade, with class action settlements regularly reaching into the tens of millions of dollars. The FCC's 2024 one-to-one consent rule (Report and Order, FCC 23-107) tightened those standards further, requiring each lead seller to obtain separate, named consent for each buyer that will contact the consumer. For pay-per-lead and pay-per-call agencies that buy leads from third-party suppliers, understanding the exact mechanics of TCPA litigation is no longer optional.

Key Takeaways

• Lead buyers face direct TCPA liability. You do not need to have collected the lead yourself to be sued. If your company placed the call or sent the text, you are a defendant.
• Statutory damages run $500 to $1,500 per violation. In a class action covering thousands of contacts, total exposure can reach eight figures before settlement.
• Stale leads are high-risk leads. TCPA consent does not last indefinitely. Calling an aged lead collected months ago under broad, multi-buyer consent language is one of the most common triggers for litigation.
• TrustedForm and Jornaya certificates reduce risk but do not eliminate it. A certificate proves a disclosure appeared on a form. It does not prove the consumer read it, that the language complied with TCPA, or that your company was specifically named as an intended caller.
• The FCC's one-to-one consent rule changes the game in 2026. Under FCC 23-107, blanket multi-buyer consent collected on a single form is no longer valid for TCPA purposes. Each seller must get individual, named consent for each buyer.
• A solid vendor agreement with indemnification is your contractual backstop. Without one, a non-compliant supplier's mistake becomes your legal bill.

What Is TCPA and Who Does It Apply To?

The Telephone Consumer Protection Act is a federal law enacted in 1991 that restricts unsolicited phone calls, text messages, and faxes. The law applies to any entity that initiates or causes to be initiated a call or text using an automatic telephone dialing system (ATDS), an artificial or prerecorded voice, or SMS to a wireless number. That last phrase, "causes to be initiated," is why lead buyers get sued alongside lead generators.

The FCC enforces TCPA at the federal level, and private plaintiffs can sue for statutory damages without proving actual harm. Each violation carries a $500 minimum penalty, rising to $1,500 per call or text if the court finds the violation was willful or knowing. There is no aggregate cap. Courts in the Eleventh Circuit and Ninth Circuit have certified TCPA class actions involving hundreds of thousands of class members, producing total statutory exposure in the billions of dollars before settlements are reached.

TCPA applies to insurance agencies, mortgage companies, legal intake operations, home services networks, and any other business that contacts consumers by phone or text using third-party lead data. Both pay-per-lead and pay-per-call agencies fall squarely within scope.

Why Lead Buyers Get Sued (Not Just Lead Generators)

The legal theory is called vicarious liability. A lead buyer who directs, controls, or ratifies a lead generator's calling conduct can be held as an initiator of the call even if the buyer never saw the consent form. Courts look at the practical relationship: who provided the leads, who set the calling instructions, and who benefited from the outreach.

In Campbell-Ewald Co. v. Gomez, 577 U.S. 153 (2016), the Supreme Court allowed a TCPA class action to proceed against a marketing contractor that sent text messages on behalf of the U.S. Navy, confirming that downstream entities in a lead chain carry direct exposure. In Kristensen v. Credit Payment Services Inc., a federal district court in Nevada found that a company could face TCPA liability for texts sent by an affiliate marketer because the company had set the terms of the campaign and received the leads.

From a plaintiff attorney's perspective, lead buyers are attractive defendants because they typically have more revenue than individual lead generators, carry errors and omissions insurance, and maintain records of lead purchases that establish standing for class certification.

The One-to-One Consent Rule: What Changes in 2026

On December 13, 2023, the FCC released Report and Order FCC 23-107, commonly called the one-to-one consent rule. Under the rule, a consumer's prior express written consent to be contacted is valid only for the specific seller named on the consent form at the time the consumer submits it. A form that lists 30 partner companies or uses vague language like "you may be contacted by our marketing partners" no longer meets the TCPA consent standard.

The rule was originally scheduled to take effect January 27, 2025. A Eleventh Circuit court stay in Insurance Marketing Coalition Ltd. v. FCC (No. 24-10277) delayed enforcement while the legal challenge proceeds. However, the FCC has signaled it intends to defend the rule, and industry compliance counsel widely advise treating the one-to-one standard as the operative rule today rather than waiting for litigation to resolve.

What this means for lead buyers: if you are purchasing leads from a supplier who collects consent under a multi-buyer disclosure, those leads carry elevated litigation risk starting now. Each buyer should be individually named on the consent disclosure, and you should obtain that confirmation from your supplier in writing before placing calls.

TCPA Statutory Damages: What You're Actually Risking

The math on TCPA exposure moves fast. Consider a campaign that called 10,000 consumers using leads where consent was later found defective:

These are theoretical maximums. Courts have discretion to reduce statutory damages in class actions under Spokeo, Inc. v. Robins, 578 U.S. 330 (2016), and many TCPA class actions settle for a fraction of statutory exposure. However, settlements in the lead generation vertical have been substantial. In 2021, Quicken Loans settled a TCPA class action for $18.5 million relating to mortgage refinance lead campaigns. In 2022, a major insurance carrier paid $13 million to resolve TCPA claims stemming from purchased internet leads. In 2023, a home warranty company settled for $9.25 million over alleged TCPA violations involving third-party lead calls.

The litigation cost itself, separate from settlement, commonly runs $500,000 to $2 million in legal fees for cases that proceed through discovery. That exposure exists even if the company ultimately wins.

How to Reduce TCPA Litigation Risk (Practical Steps)

No compliance program eliminates TCPA risk entirely, but these five controls reduce exposure substantially and build the documentation record you need if you are ever sued.

1. Require TrustedForm or Jornaya LeadID certificates on every lead you buy. A TrustedForm consent certificate creates a timestamped record that a disclosure appeared on the form at the moment of submission. Jornaya LeadID serves the same function via a different technical implementation. Neither certificate guarantees TCPA compliance, but both dramatically improve your evidentiary position in litigation.

2. Verify the consent language before calling. Certificate in hand, review the actual disclosure the consumer saw. It should include your company's name, state that the consumer consents to be contacted by phone or text, list the communication methods (including ATDS), and ideally include an opt-out mechanism. Vague language about "partners" or "affiliates" is insufficient under the post-FCC 23-107 standard.

3. Enforce lead age limits. TCPA consent is not indefinitely valid. Industry practice and emerging case law suggest that consent older than 90 days for internet leads carries meaningfully elevated risk. Set hard caps in your lead acceptance criteria and reject leads that exceed them.

4. Maintain your own Do Not Call scrub process. Scrubbing against the National Do Not Call Registry (operated by the FTC) before each campaign run is a statutory obligation for telemarketing calls, separate from TCPA consent requirements. Scrub every 31 days at minimum and maintain records of each scrub.

5. Keep a documented opt-out log. When a consumer opts out, honor the request within 10 business days (the TCPA standard) and maintain a permanent record. Contacting a known opt-out is one of the strongest fact patterns for a willful violation finding, which triggers the $1,500-per-call penalty.

What Compliant Consent Language Looks Like

The FCC requires prior express written consent for calls and texts made using an ATDS or prerecorded voice to a wireless number. "Written" includes electronic consent captured on a web form, provided the disclosure meets the standard.

A compliant consent disclosure contains four elements:

1. Clear authorization statement. "By submitting this form, I authorize [Company Name] to contact me by phone, including via automated dialing system, prerecorded voice, or text message, at the number provided above."
2. Named company. The specific business entity initiating the calls must be named. Generic "our partners" language fails post-FCC 23-107.
3. Communication methods listed. Phone, ATDS, text, prerecorded voice. Each method used must be disclosed.
4. Acknowledgment that consent is not a condition of purchase. "I understand that my consent is not a condition of any purchase and that I may opt out at any time by texting STOP."

The disclosure must appear adjacent to the form submission button, not buried in a terms of service link. Courts and the FCC have both held that consent buried in a linked document does not satisfy the "clear and conspicuous" standard.

For a practical implementation of TCPA compliance for lead generation from the publisher side, see our detailed consent-language guide.

How Lead Distribution Software Protects You

Lead distribution software does not replace TCPA compliance, but it creates the operational infrastructure that makes compliance scalable.

Lead Distro AI supports TCPA risk reduction through three mechanisms. First, the platform's lead acceptance criteria engine lets you configure mandatory field requirements: leads without a TrustedForm certificate ID, leads that fail age thresholds, or leads missing specific consent fields can be automatically rejected before they enter your distribution queue. Second, every lead that enters the system carries a complete inbound audit log: source, timestamp, field values, and supplier ID. That log is the data record you need in discovery if a plaintiff subpoenas your lead intake history. Third, how ping-post works in Lead Distro AI allows buyers to conditionally accept leads based on metadata fields before accepting and paying for the full record, so you can gate purchase on the presence of a valid consent certificate.

Lead Distro AI does not provide legal advice, does not verify the content of consent language on supplier forms, and does not guarantee TCPA compliance. Platform tools support your compliance processes; they do not substitute for legal counsel or supplier due diligence.

Start your free 7-day trial to see how acceptance criteria filters and audit logging work in practice. A credit card is required to activate the trial.

Frequently Asked Questions

Can I be sued for TCPA violations committed by my lead supplier?

Yes. TCPA liability can attach to the company that places the call, the company that provided the leads, or both, depending on how much direction or control the buyer exercised over the campaign. Courts apply a vicarious liability standard: if you set calling parameters, provided the scripts, or ratified the supplier's calling conduct, you share exposure. Even without a formal agency relationship, plaintiffs' attorneys routinely name lead buyers as defendants because they are identifiable, insured, and have deeper pockets than many lead generators.

What is the statute of limitations on TCPA claims?

TCPA claims must be filed within four years of the alleged violation under 28 U.S.C. § 1658, the general federal four-year catch-all statute. Some courts have applied a one-year limitations period to state-law TCPA claims, but federal claims carry the four-year window. This means a lead campaign run in 2022 could still generate valid litigation through 2026. Document retention policies for consent records and lead data should cover a minimum of five years.

Does TrustedForm protect me from TCPA lawsuits?

TrustedForm reduces your litigation risk and strengthens your evidentiary position, but it does not prevent lawsuits or guarantee a win. A TrustedForm certificate proves a disclosure appeared on a web form at the time of submission. It does not prove the disclosure language met TCPA standards, that your company was specifically named as an authorized caller, or that the consumer was not a minor or otherwise ineligible to consent. Use TrustedForm certificates as one layer of a multi-control compliance program, not as a standalone safe harbor.

What is prior express written consent under TCPA?

Prior express written consent is the legal standard required before placing an ATDS-powered or prerecorded call to a wireless number. The FCC defines it in 47 C.F.R. § 64.1200(f)(9) as a written agreement, including electronic agreement, that clearly and conspicuously authorizes the seller to deliver calls or messages using automated technology to the consumer's phone number. The word "written" covers web form checkboxes and digital signatures. The consent must be unambiguous, voluntary, and not bundled as a condition of purchasing a product or service.

How do I know if a lead was collected with proper consent?

The most reliable method is to obtain the TrustedForm certificate or Jornaya LeadID associated with the lead and independently verify what disclosure the consumer saw. Both tools provide a certificate URL or token that lets you replay or view a snapshot of the consent page as it appeared at the time of submission. Beyond the certificate, ask your supplier to provide the actual consent language, the URL of the form where it was collected, and confirmation that your company was named in the disclosure. If a supplier cannot provide these on request, treat the leads as high-risk.

What should I include in a lead vendor agreement to limit TCPA liability?

A TCPA-protective vendor agreement should include five provisions: a representation and warranty from the supplier that all leads were collected with valid TCPA prior express written consent naming your company specifically; an indemnification clause requiring the supplier to defend, indemnify, and hold you harmless from any TCPA claims arising from their leads; an audit right allowing you to inspect consent records on reasonable notice; a consent documentation requirement obligating the supplier to retain and produce TrustedForm or equivalent certificates for each lead; and a termination for cause clause allowing immediate termination if the supplier's leads generate TCPA complaints or a regulatory inquiry. Have legal counsel review the final agreement, as indemnification enforceability varies by state.

Conclusion

TCPA litigation is not a risk that stays with the lead generator. Lead buyers, agencies, and call centers that contact consumers using purchased leads share direct exposure under the statute, and the FCC's one-to-one consent rule has raised the bar for what constitutes valid consent going into 2026.

The practical defense is documentation at every layer: verify consent language before buying, require certificates on every lead, enforce lead age limits, maintain opt-out logs, and build indemnification into supplier contracts. For a deeper look at how the TCPA framework applies to the entire lead supply chain, read our guide on TCPA compliance for lead distribution.

Lead Distro AI's acceptance criteria engine and audit log infrastructure give pay-per-lead and pay-per-call agencies the operational controls to operationalize these standards at scale. Review the best lead distribution platforms comparison to see how compliance tooling stacks up across providers.