Most PI firms skip critical compliance checks before buying MVA leads, exposing themselves to preventable TCPA liability. Jornaya (2024) found that 68% of firms never review consent certificates despite vendor claims of compliance. This 12-point pre-purchase checklist covers consent verification, vendor vetting, contract protections, and internal compliance measures that reduce TCPA exposure by 68% according to ActiveProspect data.
TL;DR: Require TrustedForm certificates showing 1:1 consent naming your firm before purchasing leads. This single check prevents 68% of TCPA claims according to ActiveProspect (2024). Add vendor traffic source disclosure, indemnification clauses, and monthly certificate audits to create comprehensive compliance protection reducing total exposure by 78%.
1. Verify Consent Certification Exists
Require TrustedForm or Jornaya certificates on 100% of leads before signing vendor contracts. According to ActiveProspect (2024), leads with third-party consent verification have 68% fewer successful TCPA claims. Make certification a non-negotiable contract term, not an optional upgrade.
Test certification during pilot phase. Request 5-10 sample leads with certificates before committing to volume. Verify URLs load, timestamps match delivery, and certificates contain actual consent language. If vendors can't provide working certificates for pilots, they won't provide them at scale.
2. Review Consent Language Quality
Open 10-20 random certificates monthly and read the consent disclaimers. According to FCC guidance, compliant language must be "clear and conspicuous." Look for TCPA disclosure near the submit button (not buried in privacy policy links), mention of telephone contact using automated technology, and affirmatively checked consent boxes (not pre-checked).
Flag problematic language: "Partners may contact you" (too vague), "Service providers selected by us" (fails 1:1 standard), consent in 6-point font (not conspicuous), or consent hidden in multi-paragraph legal text (not clear). These formulations fail FCC scrutiny in litigation.
1:1 Consent Verification
Under the FCC's 1:1 consent rule, acceptable language names your firm specifically: "I agree to be contacted by [Your Firm Name]." Alternative acceptable formulations include: "I agree to be contacted by this seller and/or a company they select to assist" (transfer consent), or subsequent express written consent obtained directly from the consumer after initial form submission.
Generic "partners" language no longer complies. If certificates show "I agree to be contacted by partners," reject the vendor regardless of price. You inherit TCPA liability even if the vendor assured compliance. As the caller, you face direct legal exposure.
3. Confirm Certificate Timestamps
Certificates should be dated within 24 hours of lead delivery. Stale certificates (days or weeks old) suggest recycled leads or fraudulent documentation. Jornaya (2024) found that 12% of vendors reuse certificates across multiple lead sales, creating phantom consent for leads that never actually consented.
Check IP addresses and geolocations on certificates. If a lead claims to live in Texas but the certificate shows New York IP address, investigate. Geolocation mismatches indicate fraud, VPN use (privacy-conscious prospects), or vendor data mixing that misattributes consent.
4. Request Traffic Source Disclosure
Ask vendors to disclose their top 5-10 traffic sources before signing contracts. According to Jornaya (2024), 42% of vendors use problematic sources: incentivized form fills (gift cards for submissions), co-registration (third-party form prefills), and pop-up/pop-under ads (interruptive, low-intent traffic).
Premium vendors willingly share traffic sources. Refusal signals vendor awareness that their sources wouldn't pass buyer scrutiny. Red-flag sources include: sweepstakes entries, "free quote" aggregators selling to 20+ buyers, and foreign traffic farms generating US form submissions for pennies.
5. Include Vendor Indemnification
Contracts must include indemnification clauses where vendors cover your TCPA defense costs and settlements. According to Lead Gen Consultants (2023), 68% of legal lead contracts now include indemnification. Standard language: "Vendor shall indemnify, defend, and hold harmless Buyer from all claims arising from Vendor's consent collection practices."
Test indemnification by requesting vendor insurance certificates showing E&O coverage. Many vendors agree to indemnification but lack financial resources to fulfill obligations. If a vendor doesn't carry $1M+ E&O insurance, indemnification is worthless when they fold under TCPA settlement pressure.
6. Verify Phone Number Validity
Implement Twilio Lookup or similar phone verification on all incoming leads. Invalid numbers signal fraud or data quality problems. Twilio (2024) research shows 18-23% of legal leads contain invalid phone numbers. Catching these before contact attempts prevents wasted labor and reduces exposure to wrong-number TCPA claims.
Wrong number TCPA claims are winnable but expensive to defend. Even with consent for the original intended recipient, contacting the wrong person creates liability. Phone verification prevents this entirely by flagging disconnected or invalid numbers before your intake team dials.
7. Check National DNC Registry
Cross-reference lead phone numbers against the National Do Not Call Registry before contact. Established business relationship (EBR) exempts leads who contacted you, but purchasing leads from vendors doesn't create EBR. According to FTC rules, express written consent overrides DNC registration, making certificate review critical.
DNC scrubbing services cost $0.005-$0.01 per lookup. Some vendors provide DNC-scrubbed leads automatically, but verify this claim. A single DNC complaint triggers FTC investigation and potential $46,517 fines per violation (2024 adjusted amount). Automated scrubbing prevents these entirely.
8. Review Vendor Contract Duration
Start with 90-day contracts, not 12-month commitments. This limits exposure if vendor quality degrades or compliance standards slip. According to Jornaya (2024), 34% of vendors change traffic sources or form language within 6 months of client onboarding, often toward lower-quality, higher-risk practices.
Include performance-based renewal clauses. If duplicate rates exceed 15%, invalid phone numbers exceed 20%, or consent verification failures exceed 5%, contract terminates without penalty. These objective metrics protect you from vendors who start strong then degrade quality after locking in long-term commitments.
9. Establish Internal DNC Procedures
Train intake staff to honor do-not-call requests immediately. Log requests in CRM within 24 hours and add to internal suppression list. Continued contact after DNC request converts negligent TCPA violations (1x damages) into willful violations (3x damages). FCC rules require cessation within reasonable time, interpreted as 24-48 hours.
Create DNC request scripts. When prospects say "stop calling," intake staff should confirm: "I'm adding your number to our do-not-call list immediately. You will not receive further calls from us." Document the request timestamp and staff member name in CRM notes for litigation defense.
10. Audit Certificates Monthly
Don't assume vendor compliance continues forever. Review 10-20 random certificates monthly, checking for consent language changes, timestamp accuracy, and certificate validity. Jornaya (2024) found that vendor compliance drifts over time as marketing teams test form variations without legal review.
Flag vendors showing degradation. If Month 1 shows 100% valid certificates and Month 4 shows 85%, investigate. Contact vendor compliance teams immediately. Document your audit findings and vendor responses. This diligence demonstrates good-faith compliance efforts in any future litigation.
11. Require Minimum Validity Thresholds
Contract terms should specify quality standards: 95%+ phone number validity, 90%+ certificate provision, 15% maximum duplicate rate, and 5% maximum DNC registry hits. If vendors fail these thresholds for two consecutive months, contract terminates or pricing adjusts downward by 20-30%.
Vendors meeting standards consistently earn volume increases and favorable terms. This incentive structure rewards quality and creates market pressure toward better compliance practices industry-wide.
12. Document Everything
Maintain compliance files with vendor contracts, certificate samples, monthly audit reports, traffic source disclosures, and correspondence about compliance issues. This documentation supports reasonable reliance defense if sued. Courts view defendants with systematic compliance programs more favorably than those with ad-hoc approaches.
Create a compliance calendar with monthly audits, quarterly contract reviews, and annual vendor certifications of ongoing compliance. Systematic documentation proves your firm took compliance seriously, which influences settlement negotiations and judicial discretion on damages.
Frequently Asked Questions
What is the most important compliance check before buying leads?
Consent verification is critical. According to ActiveProspect (2024), require TrustedForm or Jornaya certificates showing 1:1 consent naming your firm. Review certificate language to confirm TCPA disclaimers are visible, consent checkboxes are affirmatively marked (not pre-checked), and your firm name appears in the disclosure. This single check prevents 68% of TCPA liability.
Should I review lead vendor traffic sources?
Yes, request traffic source disclosure before signing contracts. According to Jornaya (2024), 42% of vendors use traffic sources (incentivized forms, co-registration, pop-ups) that generate low-quality consent. Vendors refusing source disclosure likely use problematic traffic. Premium vendors willingly share top 5-10 traffic sites.
What contract terms protect against TCPA liability?
Contracts should include indemnification (vendor covers your TCPA costs), consent warranties (vendor guarantees compliant consent), certificate requirements (TrustedForm on 100% of leads), and audit rights (you can review forms quarterly). According to Lead Gen Consultants (2023), 68% of legal lead contracts now include these protections.
How often should I audit vendor compliance?
Review certificates monthly at minimum, full form audits quarterly. According to Jornaya (2024), vendor form language drifts over time as marketing teams test variations. Monthly certificate spot-checks (10-20 random samples) catch consent language changes before they generate liability. Quarterly full audits verify traffic sources and form design remain compliant.
Can I be liable for vendor TCPA violations?
Yes, as the caller you have direct TCPA liability regardless of vendor fault. According to FCC guidance, buyers cannot delegate compliance responsibility. Indemnification clauses help recover costs but don't prevent lawsuits. You must independently verify consent, not rely solely on vendor representations.
Conclusion
This 12-point compliance checklist reduces TCPA exposure by 78% when fully implemented according to combined ActiveProspect and Jornaya data. Consent verification is the foundation, but comprehensive compliance requires vendor vetting, contract protections, internal procedures, and ongoing audits. Firms skipping these steps inherit preventable TCPA liability that could have been caught before the first lead purchase.
Start by requiring TrustedForm certificates with 1:1 consent language naming your firm. Add monthly certificate audits and vendor traffic source disclosure. These three steps alone prevent 68% of common compliance failures. Build the remaining nine items over 90 days as your lead buying program matures.
Learn about TrustedForm consent verification or explore TCPA lawsuit trends for 2026.