TCPA compliance for lead buyers refers to the legal requirements under the Telephone Consumer Protection Act that govern how law firms can contact purchased leads via phone, text, or automated systems. TCPA violations carry penalties of $500-$1,500 per call or text, with average class action settlements reaching $6.6 million. In 2024, TCPA lawsuit filings hit 2,788, a 67% increase year-over-year.
In 2024, TCPA lawsuits surged to 2,788 federal class action filings, a 67% increase year-over-year (WebRecon TCPA Litigation Stats, 2025). The average class action settlement hit $6.6 million. And if you're buying leads to contact consumers by phone or text, you're the one holding the liability, not the vendor who generated the lead.
We route TCPA-compliant leads daily through Claim Supply. Every lead we deliver includes consent documentation, TrustedForm certificates, and full audit trails. We built our systems this way because we've watched firms get blindsided by six-figure defense bills over leads they bought in good faith from vendors who couldn't prove consent. The compliance gap between "we think our leads are clean" and "we can prove it in court" is where lawsuits live.
This guide covers the current state of TCPA enforcement, what the law actually requires, how recent FCC rule changes affect your operations, the tools you need for consent verification, the real cost of compliance versus litigation, who bears liability when things go wrong, and a 12-step process for building a compliance program that holds up under legal scrutiny. If you buy leads, this is the article you bookmark.
TL;DR: TCPA lawsuits hit 2,788 in 2024 (+67% YoY), with Q1 2025 filings up 112% and September 2025 setting a single-month record of 224 filings. Average class action settlements reach $6.6M, and 80% of TCPA suits are class actions. The FCC's 1:1 consent rule was vacated in January 2025; the revoke-all rule is delayed to January 2027. Defense costs run $40K-$750K+ per case. Compliance costs $0.25-$0.75/lead via TrustedForm certificates and DNC scrubbing. The lead buyer, not the generator, bears primary liability. This guide covers everything you need to build a bulletproof compliance process.
Why Should Lead Buyers Care About TCPA in 2026?
TCPA class action filings hit 2,788 in 2024, up 67% from 1,669 in 2023 (WebRecon, 2025). That number accelerated in 2025. Q1 2025 saw 507 filings alone, a 112% increase over Q1 2024 (TCPAWorld Q1 2025 Tracker, 2025). September 2025 shattered single-month records with 224 filings, a 283% spike over September 2024 (TCPAWorld September 2025 Tracker, 2025). Full-year 2025 is on pace for 2,400+ class actions.
The numbers tell a story that's impossible to ignore. Eighty percent of TCPA lawsuits are filed as class actions, compared to just 2-5% for other consumer protection statutes (WebRecon, 2025). That's not a typo. The class action rate is 16 to 40 times higher than typical consumer litigation. Why? Because TCPA's statutory damages of $500-$1,500 per violation make individual suits impractical but make class actions wildly profitable for plaintiff firms.
The average TCPA class action settlement is $6.6 million (LeadGen Economy TCPA Analysis, 2025). That's not the maximum. That's the average. Some settlements run far higher. Capital One paid $75.5 million in 2014. Dish Network was hit with a $280 million verdict in 2017. These aren't hypotheticals for lead buyers. Liberty Mutual spent $1.36 million defending TCPA lawsuits that originated from defective leads purchased through third-party vendors (Insurance Journal, 2023).
For lead buyers, this trend is personal. Every lead you purchase and call without verifiable consent is a potential $500-$1,500 per-violation liability. If your vendor sold the same lead to five other buyers, and one of those buyers triggers a class action, plaintiff attorneys will subpoena the lead generator's records and discover every buyer who contacted that consumer. You don't need to be the one who triggered the lawsuit to get dragged into it.
The math is simple. If you buy 1,000 leads per month and call each one three times, that's 3,000 potential violations. At $500 per violation, your exposure is $1.5 million. At $1,500 per willful violation, it's $4.5 million. Per month. And that's before class certification multiplies the damages across every consumer your vendor sourced leads from.
For a broader look at how compliance fits into your lead buying strategy, see our complete guide to buying MVA leads. For the full TCPA lawsuit statistics breakdown, we'll publish a dedicated analysis soon.
What Does the TCPA Actually Require for Lead Buying?
The Telephone Consumer Protection Act of 1991 (FCC TCPA Overview) imposes one core requirement that matters for lead buyers: you must have prior express written consent before calling or texting a consumer using an automatic telephone dialing system (ATDS) or prerecorded voice message. That consent must be "clear and conspicuous," signed (including electronic signatures), and must disclose that the consumer may receive calls using an autodialer.
Here's what qualifies as prior express written consent under 47 C.F.R. § 64.1200(f)(9):
- Written agreement that includes the consumer's signature (electronic counts)
- Phone number to be contacted clearly identified
- Clear disclosure that the consumer agrees to receive calls/texts using an autodialer or prerecorded messages
- Not a condition of purchase, meaning consent can't be required to buy a product or service
- Identity of the caller or callers who will use the consent
That last point is where lead buying gets complicated. If a consumer fills out a form on a lead generation website and consents to be contacted by "our partners," does that consent transfer to you as the lead buyer? The answer depends on how specific the consent language is, whether the consumer could reasonably identify who would call them, and which circuit court hears the case.
Penalties are steep. The TCPA provides $500 per violation for non-willful violations and $1,500 per violation for willful or knowing violations. There's no cap on total damages. A single class action covering 10,000 consumers with three calls each represents $15 million in exposure at the base rate, or $45 million at the treble-damage rate.
Manual dialing is different. If you pick up a phone and manually dial a number without autodialer technology, the TCPA's prior express written consent requirement doesn't apply for non-telemarketing calls. But the moment you use any system that stores or produces numbers and dials them automatically, you need written consent. Most law firm intake systems qualify as autodialers under state-level definitions, even if the federal definition was narrowed by the Supreme Court in Facebook v. Duguid (2021).
State mini-TCPA laws add another layer. Florida's FTSA requires prior express written consent for all sales calls, regardless of dialing technology. Oklahoma's TCPA equivalent has its own consent requirements. Washington state requires two-party consent for call recording. You need compliance at both the federal and state level.
What Happened to the FCC 1:1 Consent Rule?
The FCC's one-to-one consent rule, finalized in December 2023, would have required that each consumer consent name exactly one specific seller. If you bought leads generated on a comparison site where the consumer consented to hear from "up to 5 insurance companies," that consent would have been invalid under the new rule. The entire lead generation industry was preparing for this change.
Then the 11th Circuit Court of Appeals vacated the rule on January 24, 2025 (Insurance Marketing Coalition v. FCC, No. 24-14396). The court ruled the FCC exceeded its authority. The FCC formally abandoned the rule in September 2025, choosing not to appeal or re-issue it under a different legal theory.
This was a significant win for the lead generation industry. Under the vacated rule, every lead form would have needed a separate consent checkbox for each potential buyer, effectively killing comparison-shopping lead gen. With the rule gone, the pre-2024 standard applies: consent can cover multiple identified parties, as long as the consumer reasonably understands who may contact them.
But don't celebrate too hard. Two other rules are still in play.
The revocation-of-consent processing rule went into effect on April 11, 2025. Once a consumer revokes consent (by saying "stop calling," texting STOP, or any other reasonable method), you have 10 business days to process the revocation and cease all contact. Before this rule, the FCC didn't specify a processing timeline, and some companies argued they needed 30+ days.
The revoke-all rule was originally scheduled for April 2026 but has been delayed to January 31, 2027. This rule will allow consumers to revoke consent to all future communications from a company through a single request. The practical impact: if a consumer texts STOP in response to one campaign, you must stop all campaigns and all numbers associated with that consumer, not just the specific campaign that triggered the opt-out.
For a complete breakdown, read our upcoming FCC 1:1 consent rule explained deep dive. The regulatory timeline changes frequently, so we'll keep that article updated as new rulings drop.
How Do You Verify Consent on Every Lead?
TrustedForm certifies 2.5 billion+ lead events annually and is the industry standard for consent verification (ActiveProspect TrustedForm). At $0.15-$0.50 per certificate, it's the cheapest insurance you'll ever buy against a $6.6 million class action settlement.
Here's how the consent verification workflow works in practice:
Step 1: Lead form submission. A consumer fills out a form on a lead generation website. At that moment, TrustedForm's JavaScript captures a full session recording: the page content, consent language displayed, the consumer's interactions (scrolling, clicking, typing), their IP address, browser fingerprint, and a timestamp. This creates an independent, tamper-proof certificate hosted by ActiveProspect.
Step 2: Certificate delivery. When the lead is sold to you, the TrustedForm certificate URL is included with the lead data. You should receive it alongside the consumer's name, phone number, and case details. If your vendor doesn't include a certificate URL, that's a red flag.
Step 3: Certificate claiming. Before contacting the lead, your system calls the TrustedForm API to "claim" the certificate. This verifies the certificate exists, confirms the consent language, checks the age of the lead, and locks the certificate to your account. Unclaimed certificates expire after 90 days.
Step 4: Consent language review. The claimed certificate shows you exactly what consent language the consumer saw. You verify that it authorizes calls/texts using an autodialer, that your company name (or a clear category like "personal injury law firms") is listed, and that consent wasn't required as a condition of purchase. If the language doesn't meet these requirements, don't call the lead.
Jornaya (LeadiD) is the other major consent verification platform. It generates a unique LeadiD token for each lead event, capturing similar data to TrustedForm. Some vendors use Jornaya instead of TrustedForm, and some use both. Either platform provides the documentation you need for TCPA defense. The key is having at least one independent third-party record of consent.
We require TrustedForm certificates on every lead routed through Claim Supply. It's non-negotiable. When a buyer asks "why does my lead cost $0.25 more than the other vendor?", the answer is: because we've included the documentation that prevents a $6.6 million lawsuit. That $0.25 is the best money you'll spend.
For side-by-side platform comparisons, watch for our upcoming consent verification tools compared article.
What Does a TCPA Compliance Stack Cost?
Defense costs for a single TCPA lawsuit range from $40,000-$50,000 for early resolution or dismissal, $100,000-$300,000 if the case proceeds through discovery, and $500,000-$750,000+ for a full trial (LeadGen Economy, 2025). That's the cost to defend yourself even when you win. When you lose, settlements average $6.6 million.
Now compare that to what compliance actually costs:
| Compliance Component | Cost Per Lead | Annual Cost (1,000 leads/mo) |
|---|---|---|
| TrustedForm certificates | $0.15-$0.50 | $1,800-$6,000 |
| DNC list scrubbing (federal + state) | $0.02-$0.05 | $240-$600 |
| TCPA-compliant call recording | $0.01-$0.03 | $120-$360 |
| Consent management platform | ~$0.04 | $500/mo flat |
| Quarterly consent language audit | ~$0.02 | $1,000-$2,000 (legal review) |
| Total compliance cost | $0.25-$0.75 | $3,000-$9,000 |
At the high end, you're spending $9,000 per year to protect against an average $6.6 million settlement. That's a 733:1 risk-to-cost ratio. Even if you think the odds of getting sued are only 1%, the expected cost of non-compliance (0.01 x $6,600,000 = $66,000) still exceeds the annual compliance cost by 7x.
And the odds aren't 1%. With 2,788 TCPA class actions filed in 2024 alone, and 80% of them being class actions, the probability is significantly higher than most firms estimate. If you're buying leads at scale (500+ per month), the question isn't whether you'll face a TCPA inquiry. It's when.
Here's the real cost that firms miss: the time cost of litigation. Even if your attorney handles the defense, TCPA lawsuits consume 200-400 hours of internal time over 12-18 months. Depositions, document production, interrogatories, settlement negotiations. For a PI firm where every attorney hour is worth $300+, the opportunity cost of a TCPA defense is $60,000-$120,000 in lost billable time, on top of the actual defense costs.
Who Bears Liability When a Lead Generates a TCPA Lawsuit?
The company making the call bears primary TCPA liability. Period. Courts have been consistent on this point. In Mais v. Gulf Coast Collection Bureau (11th Cir. 2015), the court held that the entity that initiates the call is liable, regardless of whether a third party provided the phone number. If you buy a lead and call it, you're the one on the hook.
This is the single most misunderstood aspect of TCPA compliance in the lead buying industry. Firms assume their vendor contract, which says "all leads are TCPA compliant," protects them. It doesn't protect you from the consumer. It might give you a contribution claim against the vendor, but you'll need to sue them separately after you've already paid to defend yourself.
Liberty Mutual's experience illustrates the risk. The insurer spent $1.36 million defending TCPA lawsuits that originated from leads purchased through third-party lead generators (Insurance Journal, 2023). The lead generators had represented that their leads were TCPA-compliant. They weren't. Liberty Mutual paid the defense costs, then had to pursue separate claims against the generators for indemnification.
Vicarious liability adds another dimension. If you hire a call center to contact leads on your behalf, you're still liable for their TCPA violations under agency theory. The FCC has explicitly stated that "a person or entity on whose behalf a call is made is liable for violations" even when using a third-party caller. You can't outsource your way out of TCPA compliance.
Your vendor agreement should include these protective provisions:
- Indemnification clause: The vendor agrees to indemnify you for TCPA claims arising from defective consent documentation
- Consent documentation delivery: Every lead includes a TrustedForm certificate URL or equivalent
- Consent language approval: You have the right to review and approve the consent language on their lead forms
- Insurance requirements: The vendor maintains errors and omissions (E&O) insurance covering TCPA claims
- Audit rights: You can audit their consent processes and documentation quarterly
- Representations and warranties: The vendor warrants that each lead has valid prior express written consent
Even with all of these provisions, you're still the first defendant in any TCPA lawsuit. The indemnification clause helps you recover costs after the fact, but it doesn't prevent the lawsuit. Your primary defense is always your own compliance process, not your vendor's promises.
How Do You Build a Bulletproof TCPA Compliance Process?
After routing millions of leads through Claim Supply and working with dozens of PI firms on their compliance programs, here's the 12-step process we recommend. This isn't theoretical. Every step maps to a specific failure mode we've seen generate lawsuits.
1. Require TrustedForm or Jornaya certificates on every lead. No certificate, no purchase. This is your first line of defense and your primary evidence in any TCPA proceeding. Configure your CRM to reject leads that arrive without a valid certificate URL.
2. Claim certificates before making contact. Don't just store the URL. Call the TrustedForm API to claim the certificate within 24 hours of lead receipt. Claimed certificates are locked to your account and can be retrieved indefinitely. Unclaimed certificates expire.
3. Review consent language quarterly. Visit your vendor's lead forms every 90 days. Screenshot the consent language. Verify it meets the prior express written consent standard. If the language changes without your approval, that's a contract violation and a compliance risk.
4. Scrub against the National Do Not Call Registry. The FTC's DNC list must be checked within 31 days of calling. Use a scrubbing service that checks both the national registry and state-specific DNC lists. Some states (Indiana, Pennsylvania, others) maintain separate lists with different registration requirements.
5. Maintain your internal DNC list. When a consumer asks you to stop calling, add them to your internal suppression list immediately. Under the revocation-of-consent processing rule (active since April 11, 2025), you have 10 business days to process the revocation. Build this list in your CRM with a hard block that prevents anyone from calling suppressed numbers.
6. Record all outbound calls. Call recordings serve as evidence that your agents disclosed proper information and respected consumer requests. Many states require two-party consent for recording. Know which states require disclosure ("This call may be recorded for quality assurance") and configure your dialer to play the appropriate announcement.
7. Set calling hours by time zone. TCPA prohibits calls before 8:00 AM and after 9:00 PM in the consumer's local time zone. Your dialer should automatically block calls outside these windows based on the lead's area code or zip code. State laws may impose narrower windows.
8. Limit call attempts per lead. While the TCPA doesn't set a specific call attempt limit, excessive calling can be used as evidence of willfulness (triggering $1,500 vs. $500 penalties) and may violate state laws. We recommend a maximum of 6 call attempts over 7 days, with at least 4 hours between attempts.
9. Train intake staff on TCPA requirements. Your intake team should know what TCPA is, why compliance matters, how to respond to opt-out requests, and what to say when a consumer asks "how did you get my number?" Document your training with sign-off sheets. If you're ever sued, training records demonstrate good-faith compliance efforts.
10. Audit vendor compliance annually. Request your vendor's TCPA compliance documentation once per year. This includes their consent language, their certificate provider, their DNC scrubbing process, and their data retention policies. If they can't produce this documentation, find a new vendor.
11. Retain consent records for 5+ years. The TCPA's statute of limitations is 4 years. Keep all consent certificates, call recordings, and opt-out records for at least 5 years. Storage is cheap. Lawsuits are not.
12. Build a rapid response plan for TCPA demand letters. When (not if) you receive a demand letter, you need a predefined response: who reviews it, which attorney handles TCPA defense, what documentation you pull, and what your settlement authority is. Having this plan reduces your response time from weeks to days and often reduces settlement costs by 30-50%.
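One way to enforce steps 1, 2, 5, 7 and 8 as a single pre-dial gate in a CRM or dialer, shown as an added example that is not Claim Supply's code. The `Lead` fields, reason strings and function names are hypothetical, and the certificate-claimed flag and the consumer's UTC offset are assumed to be set by your own upstream jobs.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from typing import List, Optional, Set

# Thresholds copied from the 12-step list above.
WINDOW_OPEN, WINDOW_CLOSE = time(8, 0), time(21, 0)  # step 7, consumer local time
MAX_ATTEMPTS = 6                                     # step 8
ATTEMPT_WINDOW = timedelta(days=7)                   # step 8
MIN_GAP = timedelta(hours=4)                         # step 8


@dataclass
class Lead:
    """Hypothetical CRM record; every field name here is an assumption."""
    phone: str
    cert_url: Optional[str]   # TrustedForm or Jornaya certificate URL (step 1)
    cert_claimed: bool        # set by your own claim job once it succeeds (step 2)
    utc_offset_hours: int     # consumer's local UTC offset, resolved upstream
    attempts: List[datetime] = field(default_factory=list)  # prior dials, UTC


def normalize(phone: str) -> str:
    """Reduce a US number to 10 digits so formatting cannot bypass suppression."""
    digits = re.sub(r"\D", "", phone)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def pre_dial_check(lead: Lead, now_utc: datetime, suppressed: Set[str]) -> List[str]:
    """Return every reason to block this dial; an empty list means it may proceed."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    reasons = []
    if not lead.cert_url:
        reasons.append("no_certificate")
    elif not lead.cert_claimed:
        reasons.append("certificate_unclaimed")
    # Step 5: internal suppression list is a hard block.
    if normalize(lead.phone) in {normalize(p) for p in suppressed}:
        reasons.append("suppressed")
    local = now_utc.astimezone(timezone(timedelta(hours=lead.utc_offset_hours)))
    # 9:00 PM itself is treated as closed, the conservative reading.
    if not (WINDOW_OPEN <= local.time() < WINDOW_CLOSE):
        reasons.append("outside_calling_hours")
    recent = [a for a in lead.attempts if timedelta(0) <= now_utc - a < ATTEMPT_WINDOW]
    if len(recent) >= MAX_ATTEMPTS:
        reasons.append("attempt_limit")
    if recent and now_utc - max(recent) < MIN_GAP:
        reasons.append("too_soon")
    return reasons


def demo():
    """Run the gate over constructed sample leads (not real data)."""
    now = datetime(2025, 6, 2, 15, 0, tzinfo=timezone.utc)
    cert = "https://cert.example.invalid/placeholder"  # placeholder URL
    suppressed = {"+1 555 010 0123"}
    leads = {
        "clean": Lead("555-010-0100", cert, True, -4),
        "no_cert": Lead("555-010-0101", None, False, -4),
        "unclaimed": Lead("555-010-0102", cert, False, -4),
        "opted_out": Lead("(555) 010-0123", cert, True, -4),
        "too_early": Lead("555-010-0104", cert, True, -8),
        "over_called": Lead("555-010-0105", cert, True, -4,
                            [now - timedelta(hours=5 + 20 * i) for i in range(6)]),
        "just_called": Lead("555-010-0106", cert, True, -4, [now - timedelta(hours=1)]),
    }
    return {name: pre_dial_check(lead, now, suppressed) for name, lead in leads.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:12} {'ALLOW' if not reasons else 'BLOCK ' + ','.join(reasons)}")
```

Logging the returned reason list with each blocked dial gives you a per-lead record of why contact was or was not made, which fits the retention practice in step 11.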
For a downloadable version of this process, see our upcoming lead compliance checklist.
Frequently Asked Questions
Who is liable for a TCPA violation when buying leads: the buyer or the generator?
The company making the call or sending the text bears primary TCPA liability, not the lead generator. Courts have consistently held that the caller is responsible for obtaining proper consent. If your vendor provided fraudulent consent documentation, you may have a contribution claim against them, but you'll need to pursue that separately after defending the TCPA suit. Always require contractual indemnification from your lead vendors, and maintain your own consent verification process.
What is a TrustedForm certificate and do I need one for every lead?
A TrustedForm certificate is a timestamped, independent record of a prospect's consent at the moment they submitted a lead form. It captures the page content, consent language, IP address, and user interaction data. Certificates cost $0.15 to $0.50 per lead through ActiveProspect. You need one for every lead you intend to contact via autodialer or prerecorded message. Cases with TrustedForm documentation settle TCPA claims 50-80% lower than cases without documentation (LeadGen Economy, 2025).
What happened to the FCC's 1:1 consent rule?
The FCC's one-to-one consent rule was vacated by the 11th Circuit Court of Appeals on January 24, 2025, in Insurance Marketing Coalition v. FCC (No. 24-14396). The court ruled the FCC exceeded its authority. The FCC formally abandoned the rule in September 2025, choosing not to appeal. The current standard allows consent to be given for multiple identified parties, as long as the consumer can reasonably identify who may contact them.
How much does it cost to defend a TCPA lawsuit?
Defense costs range from $40,000 to $50,000 for early resolution or dismissal, $100,000 to $300,000 through discovery, and $500,000 to $750,000+ for full trial. These are defense costs only, separate from any settlement or verdict. Average class action settlements reach $6.6 million. Compliance spending of $0.25 to $0.75 per lead ($3,000-$9,000 annually at 1,000 leads/month) is far cheaper than a single defense engagement.
What is the TCPA revoke-all rule and when does it take effect?
The revoke-all rule allows consumers to revoke consent to receive calls and texts from a company through any reasonable method. It was originally scheduled for April 2026 but has been delayed to January 31, 2027. The separate revocation-of-consent processing rule, requiring companies to honor opt-outs within 10 business days, has been active since April 11, 2025. Start building your opt-out infrastructure now to be ready for the January 2027 deadline.
Can I still use an autodialer to call purchased leads?
Yes, but only with documented prior express written consent from the consumer. The consent must specifically authorize calls using an autodialer or prerecorded messages, must not be a condition of purchase, and must identify who may call. Without this consent, penalties are $500 per violation and $1,500 per willful violation. Manual dialing without autodialer technology has lower consent requirements under federal TCPA, but state mini-TCPA laws (like Florida's FTSA) may impose additional restrictions.
Key Takeaways
Here's what you need to know about TCPA compliance as a lead buyer in 2026:
- Lawsuit volume is at record levels. 2,788 TCPA class actions in 2024 (+67% YoY), with 2025 on pace for 2,400+. Eighty percent are class actions, and the average settlement is $6.6 million. This isn't a theoretical risk.
- You bear liability, not your vendor. The company making the call is the primary defendant. Vendor indemnification helps with cost recovery but doesn't prevent lawsuits. Your own compliance process is your primary defense.
- The FCC 1:1 consent rule is dead. Vacated in January 2025, formally abandoned in September 2025. The revoke-all rule is delayed to January 2027. The 10-business-day revocation processing rule has been active since April 2025.
- TrustedForm certificates are non-negotiable. At $0.15-$0.50 per lead, they're the cheapest insurance against a multi-million-dollar settlement. Require them on every lead. Claim them before calling. Retain them for 5+ years.
- Compliance costs $0.25-$0.75 per lead. That's $3,000-$9,000 annually for a firm buying 1,000 leads per month. A single TCPA defense costs $40,000-$750,000+. The math is obvious.
- Build the 12-step process now. Consent verification, DNC scrubbing, call recording, staff training, vendor audits, and a rapid response plan. Every step exists because we've seen the failure mode it prevents.
The firms that treat TCPA compliance as a cost center get sued. The firms that treat it as a competitive advantage don't. When you can prove consent on every lead, you call with confidence, your intake team operates without legal anxiety, and your vendors know you hold them to a real standard.
We built Claim Supply to deliver leads that come with proof of consent, not promises. Every lead includes a TrustedForm certificate, documented consent language, and a full audit trail. If you're buying leads without this documentation, you're taking a risk that the data says you'll eventually lose.
Ready for compliant leads? See how Claim Supply works. For a broader view of the lead buying process, read our complete guide to buying MVA leads.