The Compliance Checklist for Lead Generators: TCPA, FCC, FTC & How to Stay Out of Court
TL;DR: Lead generation is a legal minefield. One TCPA violation can cost you $500–$1,500 per call/text. One FTC violation can trigger a $50,000 fine. One FCC complaint can shut down your business. This post is your compliance checklist: how to capture consent properly, scrub against Do Not Call lists, store records for 4+ years, avoid robocall violations, handle GDPR/CCPA data requests, and protect yourself from lawsuits. Follow these rules or risk everything you've built.
You're generating 1,000 leads/month. Revenue is $80K/month. Life is good. Then you get a letter from a law firm: "Class action lawsuit for TCPA violations. You made unauthorized robocalls to 5,000 consumers. Statutory damages: $2.5 million." Your business is over.
This happens more often than you think. Lead generators get sued constantly for:
- Calling/texting without consent (TCPA)
- Not honoring Do Not Call registry (FTC)
- Violating the FCC's one-to-one consent rule
- Selling leads without proper disclosures (FTC)
- Mishandling personal data (GDPR, CCPA)
The fix: Build compliance into your system from Day 1. Here's your compliance checklist.
The 5 Big Compliance Regimes (And What They Require)
- TCPA (Telephone Consumer Protection Act)
- FCC One-to-One Consent Rule (Effective Jan 2025)
- FTC Do Not Call Registry
- FTC Endorsement/Advertising Rules
- State Privacy Laws (GDPR, CCPA, CPRA, etc.)
1. TCPA: Consent for Calls and Texts
What it is: The TCPA (Telephone Consumer Protection Act) is a federal law that restricts telemarketing calls and texts.
Key rules:
- You need "prior express written consent" to call or text someone for marketing purposes.
- No autodialers or prerecorded messages without consent.
- Consent must be clear and specific (can't be buried in terms and conditions).
What "prior express written consent" means: The person must:
- Sign or electronically agree to be contacted
- Agree to be contacted at the specific phone number they provided
- Understand that consent is not required to purchase (you can't force them to agree to marketing calls in order to buy something)
Example of compliant TCPA consent:
"By clicking 'Submit,' you consent to receive calls and text messages from [Your Company] and our partners at the phone number you provided, including via automated dialing system or prerecorded messages. You understand that consent is not required as a condition of purchase. Message/data rates may apply."
Example of NON-compliant consent:
"By using this website, you agree to our Terms of Service." [buried in ToS: "You agree to receive marketing calls"]
Why this doesn't work: Consent must be clear, conspicuous, and separate from other agreements.
Penalties for TCPA violations:
- $500 per violation (each unauthorized call/text)
- $1,500 per violation if willful/knowing
- Class action lawsuits (if you called 10,000 people without consent, damages could be $5–$15 million)
How to stay compliant:
- Capture consent on your form (checkbox or click-to-agree before submitting)
- Store consent records (timestamp, IP address, copy of the consent language)
- Never use autodialers or robocalls without consent
- Honor opt-out requests immediately (if someone says "stop calling me," add them to your DNC list within 24 hours)
2. FCC One-to-One Consent Rule (Jan 2025)
What changed: In January 2025, the FCC implemented a new rule: one-to-one consent is required for telemarketing.
Old rule (pre-2025): You could get "blanket consent" where someone agrees to be contacted by "you and your partners."
New rule (post-2025): You must get explicit consent for each specific seller that will contact the consumer.
What this means for lead generators: If you're selling leads to multiple buyers, you can't just say "you agree to be contacted by our partners."
You must either:
Option A: Name each seller in the consent
"By submitting, you consent to be contacted by ABC Roofing (License #12345), XYZ Roofing (License #67890), and DEF Roofing (License #11111)."
Problem: This doesn't scale. You'd need to list every potential buyer.
Option B: Use a "marketplace" model
"By submitting, you request quotes from up to 3 roofing contractors. You will be shown a list of contractors and can select which ones to contact you."
Then, on the next page, show 3 contractors and let the user select which ones they want to hear from. Only pass the lead to the contractors they selected.
Option C: Sell exclusive leads only
Generate leads for one buyer at a time. Consent names that buyer specifically.
"By submitting, you consent to be contacted by ABC Roofing (License #12345)."
Penalties for violating one-to-one consent: Same as TCPA: $500–$1,500 per violation, plus class action risk.
3. FTC Do Not Call Registry
What it is: The National Do Not Call Registry is a list of phone numbers where consumers have opted out of telemarketing calls.
Key rules:
- You can't call numbers on the DNC list (unless you have prior express written consent or an established business relationship).
- You must scrub your leads against the DNC list every 31 days.
- Violations cost $50,120 per call (yes, seriously).
What's an "established business relationship" (EBR)? If someone bought from you or inquired about your services in the past 3–18 months, you have an EBR and can call them even if they're on the DNC list.
For lead generators: You typically don't have an EBR with the leads you're generating, so you must:
- Scrub leads against the DNC list before selling them.
- Or: Only sell to buyers who will scrub themselves.
- Or: Get explicit consent on your form (which overrides DNC).
How to scrub: Use the FTC's official scrubbing service:
- DNC.com ($65/year for 5 area codes + $0.06 per scrub)
Workflow:
- Lead submits form
- Before selling, check phone number against DNC list
- If on DNC and no consent → Don't sell (or only sell to buyers who have consent to call)
- If not on DNC → Sell normally
4. FTC Endorsement/Advertising Rules
What it is: The FTC Endorsement Guides require clear disclosures when you're being paid to recommend products or services.
For lead generators: If you're generating leads and selling them, you're essentially referring customers to businesses. The FTC requires you to disclose this relationship.
Example of compliant disclosure:
"By submitting this form, you agree to be contacted by roofing contractors in our network. We may receive compensation if you hire one of our partners."
Or simpler:
"We connect you with local roofers and may earn a referral fee."
Where to disclose:
- On your landing page (above or near the form)
- In your privacy policy
- In confirmation emails
What happens if you don't disclose:
- FTC can fine you up to $50,000 per violation
- FTC can issue a cease-and-desist order
- You can be sued by consumers for deceptive practices
5. State Privacy Laws (GDPR, CCPA, CPRA, etc.)
What they are: Various states and countries have privacy laws that regulate how you collect, store, and use personal data.
Key laws:
- GDPR (Europe): If you collect data from EU residents, you must comply with GDPR.
- CCPA/CPRA (California): If you collect data from California residents, you must comply.
- VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut): Similar to CCPA.
Key requirements:
- Disclosure: Tell people what data you're collecting and how you'll use it (privacy policy).
- Consent: Get consent before collecting sensitive data (varies by law).
- Opt-out rights: Let people opt out of data sales or request deletion.
- Data security: Protect personal data with encryption, access controls, etc.
CCPA/CPRA Compliance (California)
If you collect data from California residents and you sell it (which you do—you're selling leads), you must:
- Add a "Do Not Sell My Personal Information" link to your website footer.
- Honor opt-out requests within 15 days.
- Disclose in your privacy policy that you sell personal data and list the categories (e.g., contact info, service requests).
Example privacy policy snippet:
"We collect your name, phone number, email, and service request details. We sell this information to service providers (contractors, agencies, etc.) who may contact you to fulfill your request. California residents: You have the right to opt out of the sale of your personal information. Click here to opt out."
Penalties:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- Private lawsuits if data breaches occur
GDPR Compliance (Europe)
If you collect data from EU residents:
- Get explicit consent before collecting data (pre-checked boxes don't count).
- Provide a privacy policy that explains what data you collect, why, and who you share it with.
- Honor "right to be forgotten" requests (delete their data within 30 days).
- Report data breaches to authorities within 72 hours.
Penalties:
- Up to €20 million or 4% of global revenue (whichever is higher).
Practical advice for lead generators: If you're US-based and only targeting US traffic, focus on CCPA compliance (California is the strictest US state). Add a "Do Not Sell" link to your footer and honor opt-out requests.
The Compliance Checklist (Step-by-Step)
✅ Step 1: Consent Language on Your Form
What to include:
"By clicking 'Submit,' you consent to receive calls and text messages from [Your Company] and/or [Specific Partner/Network] at the phone number you provided, including via automated dialing system. You understand that consent is not required as a condition of purchase. You also agree to our [Privacy Policy] and [Terms of Service]."
If you're subject to one-to-one consent (FCC rule):
"By submitting, you consent to be contacted by ABC Roofing (License #12345) at the phone number provided."
✅ Step 2: Store Consent Records
For every lead, store:
- Timestamp (when they submitted the form)
- IP address (where they submitted from)
- Consent language (a copy of the exact text they agreed to)
- Form submission data (what they filled out)
How long to store: Minimum 4 years (FCC requirement). Some lawyers recommend 7 years.
Where to store: Your CRM (Airtable, HubSpot, etc.) or a compliance tool like Jornaya or TrustedForm.
✅ Step 3: Scrub Against Do Not Call List
Before selling a lead (or before calling/texting them yourself), check if the phone number is on the DNC list.
Tool: DNC.com
Workflow:
- Export leads from CRM
- Upload to DNC.com
- DNC.com returns a list of numbers that are on the registry
- Flag those leads as "DNC" and don't sell (or only sell to buyers with consent)
How often: Every 31 days (if you're holding leads that long).
✅ Step 4: Validate Phone Numbers (Avoid Calling Wrong Numbers)
Even if you have consent and the number isn't on DNC, you can still get sued if you call the wrong person (e.g., the number was reassigned).
Tool: Twilio Lookup API
What it tells you:
- Is the number active?
- Is it mobile, landline, or VoIP?
- Carrier info
Workflow:
- Before selling a lead, validate the phone number via Twilio
- If disconnected → Don't sell (or disclose to buyer)
✅ Step 5: Add Privacy Policy and Terms of Service
Your website needs:
- Privacy Policy (what data you collect, how you use it, who you share it with)
- Terms of Service (rules for using your site)
If you're subject to CCPA:
- Add a "Do Not Sell My Personal Information" link to your footer
- Link to a page where California residents can opt out
Tools:
- Termly (generates privacy policies and ToS)
- PrivacyPolicies.com
- Hire a lawyer (if you're generating serious volume)
✅ Step 6: Honor Opt-Out Requests Immediately
If someone says "stop calling me" or "unsubscribe" or "remove me from your list," you must:
- Add them to your internal DNC list
- Stop calling/texting them within 24 hours (TCPA requirement)
- Keep them on your DNC list permanently (or at least 5 years)
How to manage opt-outs:
- Keep a "suppression list" in your CRM (phone numbers and emails of people who opted out)
- Before selling a lead, check if they're on the suppression list
- If yes → Don't sell
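Steps 2, 3, 4 and 6 combine into one pre-sale check. The sketch below is an added example, not code from this post or from any vendor named in it; the `Lead` layout, `presale_gate`, the reason strings and the choice to block when a check result is missing are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DNC_SCRUB_MAX_AGE = timedelta(days=31)  # re-scrub interval stated in Step 3

@dataclass
class Lead:  # hypothetical record layout, not a real CRM schema
    phone: str
    submitted_at: Optional[datetime]   # Step 2: timestamp
    ip_address: Optional[str]          # Step 2: IP address
    consent_text: Optional[str]        # Step 2: exact consent language shown
    consented_sellers: frozenset = frozenset()  # sellers named in that language
    dnc_listed: Optional[bool] = None           # result of the last DNC scrub
    dnc_checked_at: Optional[datetime] = None
    line_active: Optional[bool] = None          # result of a phone lookup

def normalize_phone(raw: str) -> Optional[str]:
    """Reduce a US number to 10 digits so list lookups compare like with like."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None

def presale_gate(lead: Lead, buyer: str, suppression: set, now: datetime):
    """Return (ok, reasons); any reason blocks the sale (fail closed)."""
    phone = normalize_phone(lead.phone)
    if phone is None:
        return False, ["invalid_phone"]
    reasons = []
    if phone in suppression:  # Step 6: an opt-out beats any stored consent
        reasons.append("suppressed")
    record_ok = bool(lead.submitted_at and lead.ip_address and lead.consent_text)
    if not record_ok:
        reasons.append("incomplete_consent_record")
    has_consent = record_ok and buyer in lead.consented_sellers
    if lead.dnc_checked_at is None or now - lead.dnc_checked_at > DNC_SCRUB_MAX_AGE:
        reasons.append("dnc_scrub_stale")
    elif lead.dnc_listed is not False and not has_consent:  # Step 3: DNC, no consent
        reasons.append("dnc_without_consent")
    if lead.line_active is not True:  # Step 4: unknown or disconnected
        reasons.append("phone_not_validated")
    return not reasons, reasons

# Constructed sample data (not a real lead or a real number).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = Lead("+1 (555) 010-0199", NOW - timedelta(days=2), "203.0.113.7",
              "By submitting, you consent to be contacted by ABC Roofing "
              "(License #12345) at the phone number provided.",
              frozenset({"ABC Roofing"}), dnc_listed=True,
              dnc_checked_at=NOW - timedelta(days=2), line_active=True)
```

The suppression set must hold numbers in the same normalized 10-digit form, otherwise an opt-out stored as "(555) 010-0199" would never match.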
✅ Step 7: No Robocalls or Autodialers (Without Consent)
Robocall = prerecorded message
Autodialer = automatic dialing system
Both are illegal without prior express written consent (TCPA).
If you're generating leads (not calling them yourself), this mostly doesn't apply to you.
But if you're calling leads to qualify them, or if your buyers are using autodialers, make sure consent is captured properly.
✅ Step 8: Disclose Affiliate/Referral Relationships (FTC)
On your landing page, add a disclosure:
"We may receive compensation from contractors who use our service."
Or:
"By using this site, you agree to be contacted by contractors in our network. We earn a referral fee when you hire a contractor through our service."
Where to place it:
- Above or near the form
- In your privacy policy
- In footer
✅ Step 9: Train Buyers on Compliance (If You're Selling to Them)
If you're selling leads to contractors or agencies, make sure they know:
- Leads must be contacted in compliance with TCPA, DNC, and state laws
- They're responsible for their own compliance (not you)
Add this to your Terms of Service:
"Buyer agrees to comply with all applicable telemarketing laws (TCPA, FCC, FTC, state laws) when contacting leads purchased from Seller. Buyer indemnifies Seller against any claims arising from Buyer's use of leads."
Translation: If a buyer gets sued for calling leads without consent, that's on them (not you).
✅ Step 10: Get Lawyers and Insurance
Hire a lawyer who specializes in TCPA/FTC compliance.
They can:
- Review your consent language
- Draft Terms of Service and Privacy Policy
- Advise on specific scenarios
Cost: $2,000–$10,000 for initial setup + ongoing retainer.
Also consider:
- Errors & Omissions (E&O) Insurance (covers legal defense if you get sued)
- Cyber Liability Insurance (covers data breaches)
Cost: $1,000–$5,000/year depending on volume.
Is it worth it? If you're generating $10K+/month, absolutely. One lawsuit can wipe you out. Insurance and legal fees are cheap compared to a $500K judgment.
Common Compliance Mistakes (And How to Avoid Them)
Mistake #1: Vague or missing consent language
❌ "By using this site, you agree to be contacted."
✅ "By clicking 'Submit,' you consent to receive calls and texts from [Company] at the phone provided."
Mistake #2: Not storing consent records
❌ "We have consent somewhere... I think?"
✅ "Every lead has a timestamp, IP, and copy of the consent language stored in our CRM."
Mistake #3: Not scrubbing DNC
❌ "I'll just sell all leads and hope buyers scrub."
✅ "I scrub every lead against DNC before selling."
Mistake #4: Using autodialers without consent
❌ "I'll just robo-call all my leads to qualify them."
✅ "I have explicit consent for automated calls, and I honor opt-outs immediately."
Mistake #5: No privacy policy or ToS
❌ "I don't need legal stuff, I'm just a small lead gen business."
✅ "I have a privacy policy, ToS, and CCPA opt-out link on my site."
Mistake #6: Ignoring opt-out requests
❌ "Someone said 'stop calling,' but I'll try again next week."
✅ "I added them to my suppression list within 24 hours and will never contact them again."
Mistake #7: Selling leads without disclosure
❌ "I don't tell people I'm selling their info to contractors."
✅ "My form clearly states: 'We share your info with contractors who will contact you.'"
The Bottom Line
Lead generation is profitable—but legally risky.
One TCPA violation can cost $500–$1,500. A class action can cost millions.
Build compliance into your system from Day 1:
- Capture clear, explicit consent
- Store consent records for 4+ years
- Scrub against DNC
- Add privacy policy and opt-out mechanisms
- Honor opt-out requests immediately
- Hire a lawyer and get insurance
Compliance isn't optional. It's the cost of doing business legally.
Spend $5K–$10K on legal setup and insurance now, or spend $500K+ defending a lawsuit later.
Your choice.