Theory Road
← InsightsLead Generation

The TCPA Compliance Checklist for Brands That Call or Text Leads.

Outbound calls and texts to leads carry real legal exposure. Here is the disciplined, candid checklist we wish every founder ran before their first dial.

By Theory RoadJune 29, 202616 min read

If your brand calls or texts the leads it generates or buys, you are operating in one of the most litigated corners of U.S. marketing law. The TCPA turns a single mistimed text into a line item with a price tag, and a sloppy lead list into a class action. The good news: compliance is mostly operational discipline, not magic. This is the checklist we run with performance clients before a single number gets dialed.

The stakes, briefly.

The reason this topic gets its own playbook is the damages math. The TCPA allows statutory damages of $500 per violating call or text, rising to $1,500 for willful or knowing violations, with no cap on the total. Multiply that across a campaign that touched tens of thousands of numbers and you understand why plaintiffs' firms treat outbound lists as a business model.

$500–$1,500.Statutory TCPA damages per violating call or text — no cap on the aggregate

Two facts shape everything below. First, liability sits with the caller — the brand whose offer is being marketed — not just the vendor pressing the button. Second, when a dispute arises, the practical burden of proving you had valid consent falls on you. If you cannot produce the record, you effectively do not have the consent. The rest of this is about earning, keeping, and proving that consent.

Marketing calls and texts placed with an autodialer / ATDS or a prerecorded voice generally require prior express written consent. That consent has to be specific, documented, and tied to your company by name.

Make the consent clear and company-specific.
The consent language the consumer agrees to should plainly identify your company and state that they agree to receive marketing calls and texts, including autodialed or prerecorded ones, at the number provided. Vague "our partners may contact you" language is where consent claims fall apart.
Capture proof on every lead.
For each lead, capture and store a TrustedForm / Jornaya certificate, the exact consent text shown, a timestamp, the originating URL, and the IP address. The certificate is your independent witness to what the consumer actually saw and agreed to.
Confirm the consent covers the channel and the method.
Consent for an email newsletter is not consent for autodialed marketing texts. Verify the language covers the specific channel (call and/or text) and the dialing method you will actually use.
Treat purchased leads as unproven until verified.
If you buy leads, the consent must be real, valid, and transferable to you. Require the proof-of-consent record for each lead, confirm the language named your brand or a permitted scope, and spot-check certificates before you dial. See our notes on buying leads safely.

2. Scrubbing: clean the list before every campaign.

Consent gets you the right to contact someone. Scrubbing makes sure you are not contacting someone you are forbidden to reach. Do it before every send, not once at onboarding.

  • Scrub every campaign against the National DNC (Do Not Call) Registry before dialing or texting.
  • Maintain and scrub against your own internal do-not-call / opt-out list — numbers that asked you specifically to stop.
  • Honor company-specific and reassigned-number risks; numbers change hands, and an old consent does not survive a new owner.
  • Keep dated scrub logs showing which lists you checked and when, so you can prove the campaign was cleaned.

3. Opt-outs and revocation: honor them fast.

A consumer can take back consent. When they do, the clock is short and the standard is generous to them.

Accept opt-outs by any reasonable method.
Revocation / opt-out does not have to come through your preferred channel. Treat a reply text, a phone request, an email, or a verbal "stop calling me" as valid, and process it promptly.
Process STOP and standard keywords for texts.
Honor STOP, UNSUBSCRIBE, QUIT, CANCEL, END and similar replies automatically and immediately, and confirm the opt-out as program rules require.
Suppress across the whole program.
Push the opt-out to your internal DNC list so the number is suppressed across every campaign and channel, not just the one they replied to.
Document the request and the action.
Log when the opt-out came in, through what channel, and when you suppressed the number. The record protects you if they are accidentally contacted again.

4. How you dial and text.

The mechanics of contact carry their own rules, independent of consent.

  • Understand whether your equipment qualifies as an autodialer / ATDS and whether you are sending prerecorded or artificial-voice messages — both trigger heightened consent and disclosure requirements.
  • Respect calling-time-of-day limits; the federal window generally permits telemarketing calls only between 8 a.m. and 9 p.m. in the consumer's local time, and some states are stricter.
  • Identify yourself: state your company name and a way to be contacted, and follow identification rules on every call and message.
  • Watch quantity and frequency caps; some states limit how many marketing contacts you can make in a given period.
  • Speed matters, but never at the cost of consent — pair fast follow-up with clean lists, as we cover in our note on speed-to-lead.

5. State mini-TCPA laws: the patchwork.

Federal law is the floor, not the ceiling. A growing number of states have passed their own state mini-TCPA laws — Florida, Oklahoma, and Washington among the most cited — and they often impose stricter consent rules, tighter calling windows, and separate penalties enforceable on their own.

Why the state layer matters (illustrative — confirm current rules with counsel)
DimensionFederal TCPAState mini-TCPA layer
ConsentPrior express written consent for autodialed/prerecorded marketingMay add its own definitions, scope, or stricter consent triggers
Calling windowGenerally 8 a.m.–9 p.m. local timeSome states narrow the window further
Penalties$500–$1,500 per violationSeparate statutory damages, sometimes stackable on top of federal
Who can suePrivate right of action plus regulatorsOften its own private right of action and AG enforcement

The operational takeaway: you must know where each consumer is and apply the strictest applicable rule. Build state into your scrubbing and timing logic, and have counsel map the states you actually contact.

6. Records: assume you will have to prove it.

Because the burden of proving consent effectively sits with you, your recordkeeping is your defense. Keep it organized, dated, and retrievable on demand.

  • Consent records: the certificate, the exact language shown, timestamp, URL, and IP for every lead.
  • Scrub logs: which lists (National DNC, internal DNC, state lists) you checked and when, per campaign.
  • Opt-out logs: each request, its channel, and the time you suppressed the number.
  • Call and message logs: who was contacted, when, by what method, and under which consent record.
  • A retention policy long enough to cover the statute of limitations your counsel identifies.

7. Vendors and contracts.

Most brands do not call alone — they use lead sellers, dialers, or call centers. Each adds risk you must contract around and verify in practice.

  • Get written compliance representations and warranties: the vendor affirms the leads or services are TCPA- and state-law compliant.
  • Require indemnification so the vendor bears the cost if their failure causes your liability — while remembering this is money, not immunity.
  • Demand transferable proof of consent for every purchased lead, and audit a sample before you scale.
  • Verify their actual practices: how they capture consent, where the certificates live, how they handle opt-outs, and whether they scrub.
  • Reserve the right to terminate and to request records on demand.

8. Stand up a real compliance program.

Individual checks are not enough; they have to live inside a program someone owns. Here is how to stand one up.

Write the policies down.
Document your consent standard, scrubbing cadence, opt-out handling, calling windows, and recordkeeping. A written policy is both an operating manual and evidence of good faith.
Train everyone who touches outbound.
Reps, marketers, and vendors should know the rules, the scripts, and the opt-out procedure. Re-train when laws or scripts change.
Monitor and audit continuously.
Spot-check certificates, sample call recordings, review opt-out timeliness, and re-scrub. Catch drift before a plaintiff does.
Keep an attorney on call.
Have a qualified TCPA attorney review your flows at launch and on a recurring basis, and be reachable when a demand letter arrives.
Carry the right insurance.
Confirm you have TCPA-aware coverage and appropriate errors-and-omissions (E&O) insurance, and read the exclusions before you need them.

Does having a purchased lead's phone number mean I have consent to call it?

No. Possessing a number is not consent. You need a record showing the consumer gave prior express written consent that covers marketing calls or texts to that number, and for purchased leads that consent must be valid and transferable to you. If the seller cannot produce the certificate and language, treat the lead as unconsented.

We use a CRM that auto-dials. Is that an autodialer under the TCPA?

It might be, and the legal definition has shifted over time and varies by court. Because autodialer and prerecorded-message rules raise the consent bar, do not assume your tool is exempt. Have counsel assess your specific dialing technology and how you use it, and default to the stricter consent standard if there is any doubt.

A lead replied STOP but later filled out another form. Can we contact them again?

Be very careful. The safest course is to treat the original opt-out as controlling until you have a fresh, unambiguous, documented consent that post-dates it. Confirm the new consent is genuine and well-recorded, and run the scenario by counsel before re-engaging — this is a common trigger for claims.

The lead vendor signed a contract saying everything is compliant. Are we covered?

Contractually you may have indemnification, but legally you are still the party a plaintiff can sue, and the burden of proving consent still falls on you. A vendor's assurance is not a defense. Verify the underlying proof of consent yourself and keep the records.

Do state laws really add much on top of the federal TCPA?

Yes. State mini-TCPA laws in places like Florida, Oklahoma, and Washington can impose stricter consent, narrower calling windows, and their own separate penalties with their own private right of action. You generally must apply the strictest rule that fits the consumer's location, so the state layer can change how and when you are allowed to contact someone.

How long should we keep consent and opt-out records?

Long enough to cover the relevant statute of limitations and any state requirements, which means keeping them for years, not months. Because the burden of proving consent is effectively on you, retention is a core defense. Ask your counsel to set a specific retention period for your program and document it.

The bottom line.

TCPA compliance is not a clever loophole or a one-time setup — it is a discipline: earn clear, company-specific consent, keep the proof on every lead, scrub before every campaign, honor opt-outs the moment they arrive, respect the state patchwork, and document all of it so you can prove it later. Do that, and outbound becomes a durable growth channel instead of a liability waiting to compound. If you want a candid second set of eyes on how your brand generates, buys, and contacts leads — with compliance built into the funnel rather than bolted on after — start a brief with us, and pair it with qualified legal counsel before you rely on any of this.

Keep reading

  1. What to Do When You Hit Your Claude Usage Limits.

  2. Buy Leads or Generate Your Own? How to Decide.

Let’s build yours.

Brief us →Our services