Key Principle: The type of consent required depends on (1) the technology used and (2) the purpose of the communication. Telemarketing calls/texts using automated systems require the highest level: prior express WRITTEN consent.
Consent Types Overview
Communication Type
Consent Required
Key Elements
Marketing calls/texts via ATDS or prerecorded voice
Prior Express Written Consent
Signed (including electronic), specific disclosure, not required as condition of purchase
Informational/transactional calls via ATDS
Prior Express Consent
Can be oral or written; person gave you the number for this purpose
Manual calls (not ATDS) - non-DNC
No TCPA consent needed
But check state laws and DNC rules
Calls to numbers on National DNC
Prior Express Invitation/Permission or EBR
Written permission OR established business relationship
Prior Express Consent (Non-Telemarketing)
Definition
The consumer has given their phone number to you with the understanding that you may contact them. This consent can be oral or written.
Sufficient Evidence
Customer provided number during transaction - Sign-up form, order form, account creation
Number provided with context - "Contact me regarding my order"
Oral consent (harder to prove) - Recorded call where customer provides number and agrees to contact
Scope Limitations
Consent is limited to the purpose for which number was provided
Order confirmation consent does NOT extend to marketing
Consent to one company does NOT transfer to affiliates without disclosure
Common Mistake: Assuming that having someone's number in your CRM = consent. The question is: did they give it to you for the purpose you're using it?
Prior Express Written Consent (Telemarketing)
Definition
A written agreement (paper or electronic) bearing the signature of the consumer that clearly authorizes telemarketing calls using automated technology.
Required Elements (47 CFR 64.1200(f)(8))
Written agreement - Paper document, webform, or electronic record
Signature - Handwritten, electronic (E-SIGN compliant), or checkbox click
Clear authorization - Must specifically authorize telemarketing calls
Telephone number disclosure - Consumer provides the number to be called
Automated technology disclosure - Consumer understands calls may use autodialer or prerecorded voice
Not a condition of purchase - Cannot require consent to complete transaction
Example Compliant Disclosure Language
"By providing your phone number and checking this box, you agree to receive marketing calls and text messages from [Company] at the number provided, including calls made using an automated dialing system or prerecorded voice. Consent is not a condition of any purchase. Message and data rates may apply."
Revocation of Consent
How Consent Can Be Revoked
Consumers can revoke consent through any reasonable means. You cannot limit revocation to specific channels.
STOP or UNSUBSCRIBE - Text response must be honored
Verbal request - "Please stop calling me"
Written request - Email, letter, webform submission
Account settings - Changing communication preferences
Revocation Timing
Must be honored within reasonable time (FCC suggests 10 business days max)
Best practice: Process STOP requests within 24-48 hours
Any calls/texts after revocation = new violations
Post-Revocation Calls Are High Risk: Calling after a clear STOP request often triggers willful violation status ($1,500 per call) because you had actual notice.
Consent Does NOT Transfer
Scenario
Consent Status
Company A acquired Company B; calling B's customer list
May not have consent unless B's disclosure covered "affiliates"
Lead purchased from third party
Need proof the lead seller obtained proper consent for YOUR calls
Phone number reassigned to new person
No consent from new subscriber - reassigned number liability
Customer gave number 5 years ago
May still be valid, but revocation risk increases over time
Evidence Hierarchy
Burden of Proof: In TCPA litigation, the defendant bears the burden of proving consent. This means you must have affirmative evidence - "I don't have records they didn't consent" is not a defense.
Evidence Strength Tiers
STRONG Gold Standard Evidence
Highest likelihood of prevailing on consent defense
Timestamped webform submission with consent checkbox
IP address and browser fingerprint
Screenshot or archived version of form
Signed paper agreement with TCPA disclosure
Recorded call with verbal consent (two-party states: with consent)
MEDIUM Supportive Evidence
Helpful but may require additional corroboration
CRM record showing consent checkbox marked
Lead seller attestation without underlying proof
System logs showing form submission (without content)
Customer service notes referencing consent
Email confirmation sent after consent
WEAK Insufficient Evidence
Unlikely to sustain consent defense alone
Number exists in database (no consent record)
Customer made a purchase (no call consent)
Privacy policy says "we may contact you"
Pre-checked consent boxes
Consent buried in terms of service
Strong Evidence: What Makes It Strong
Timestamped Webform with Checkbox
Element
What to Capture
Why It Matters
Timestamp
Exact date/time of submission (UTC preferred)
Proves consent was given before calls were made
Phone number
Number as entered by user
Connects consent to specific number
Consent checkbox state
Record whether box was checked
Proves affirmative action, not pre-checked
Disclosure text
Exact language shown to user
Proves proper disclosure was made
IP address
User's IP at time of submission
Helps verify identity; detects fraud
Form version/URL
Which form was used
If forms change, proves which version user saw
Best Practice: Consent Packet
Create a "consent packet" for each lead/customer that includes:
Screenshot or archived HTML of the consent form
Database record of the submission with all captured fields
System logs showing the submission event
Confirmation email sent to customer
Any subsequent consent modifications or revocations
Medium Evidence: Strengthening Weak Records
CRM Consent Fields
CRM records showing "consent = yes" are helpful but not sufficient alone because:
They can be manually edited
They don't show what the person actually saw/agreed to
They may lack timestamps
Strengthening CRM Evidence:
Add source field (webform ID, campaign, lead source)
Capture submission timestamp separately from record creation
Store archived form version reference
Implement audit trails showing when consent field was set
Lead Seller Attestations
When purchasing leads, the lead seller's consent claim is only as good as their documentation.
Ask for: Copy of consent form, sample consent record, certification letter
Contractually require: Indemnification, consent documentation on request
Verify: Spot-check leads by asking seller for specific consent proof
Weak Evidence: Why It Fails
Number in Database (No Consent Record)
"We have their number" proves nothing about consent. They may have:
Given it for a different purpose
Been added by third party without consent
Revoked consent later
Never given consent at all (data entry error, scraping)
Pre-Checked Boxes
Pre-checked consent boxes do not satisfy TCPA requirements. The FCC has been clear that consent must be an affirmative act. Pre-checked boxes are passive, not affirmative.
Buried Terms of Service
Consent language hidden in a Terms of Service document that users scroll past is generally insufficient because:
No proof user read the specific provision
Not "clear and conspicuous" as required
May not meet "separate agreement" requirements for written consent
Evidence Reconstruction
If you don't have strong evidence but need to defend a claim:
Circumstantial Evidence
Form version history: What did the form look like when this person signed up?
Industry practice: What was standard consent capture in your industry at the time?
System capabilities: What fields did your system capture by default?
Customer testimony: Does the customer acknowledge signing up?
Wayback Machine / Archive.org
If your website forms were captured by Archive.org, you may be able to show what disclosure language appeared on your forms at the time of consent.
Platform-Specific Logs
Export Now, Ask Questions Later: Most platforms have retention limits (30-90 days for detailed logs). Export everything related to the claimant immediately, even before you know what's relevant.
SMS/Text Platforms
Twilio
Where to Find: Console > Monitor > Logs > Messages
What to Export:
MessageSid - Unique message identifier
DateSent - Timestamp of message
To / From - Phone numbers
Body - Message content
Status - Delivered, failed, etc.
ErrorCode - If delivery failed, why
Retention: 13 months via API, then archived (may require support request)
Export Method: Use API or export CSV from console
EZTexting / SimpleTexting / Similar
Where to Find: Reports > Message History or Contacts > Individual Contact
What to Export:
Full message history for the phone number
Opt-in date and source
Opt-out date (if any)
Keyword responses (STOP, HELP, etc.)
Campaign/group assignments
Retention: Varies; typically 12-24 months
Klaviyo (SMS)
Where to Find: Profiles > Search phone number > Activity Feed
What to Export:
SMS consent status and date
All SMS sent/received
Consent source (form, import, etc.)
Suppression status
Key Field:$consent_timestamp for SMS consent date
Dialer Platforms
Five9 / RingCentral / Dialpad
Where to Find: Reports/Analytics section; Call Detail Records (CDR)
What to Export:
Call date, time, duration
Caller ID / ANI used
Destination number (DNIS)
Call disposition/outcome
Agent ID (if not automated)
Campaign/queue assignment
Recording file reference (if calls recorded)
Critical: Export dialer configuration showing whether ATDS features were used
CallFire / CallHub
Where to Find: Results/Reports for each campaign
What to Export:
Broadcast/campaign details
Call results by phone number
DNC/opt-out list membership
Audio file for prerecorded messages
Upload source for contact lists
CRM Systems
Salesforce
Where to Find: Contact/Lead record; Field History; Activity History
Submissions usually persistent; form versions may not be
Lead Vendor Portal
Lead records, consent certificates, purchase receipts
Highly variable; request immediately
Vendor Records to Request
Vendor evidence serves two purposes: (1) Supporting your consent defense and (2) Triggering indemnification obligations if the vendor's consent was defective.
Lead Seller Documentation
Immediate Requests to Lead Sellers
Consent record for specific lead - Timestamped proof this person consented on seller's form
Copy of consent form/page - Screenshot or archived version of what consumer saw
Consent language used - Exact disclosure text at time of consent
Source URL - Where was the form hosted?
IP address at consent - Consumer's IP when submitting form
Lead chain of custody - Did seller generate lead directly or buy from another party?
Lead Purchase Agreement Review
Pull your agreement with the lead seller and identify:
Consent warranties - What did seller represent about consent quality?
Indemnification clause - Does seller indemnify you for TCPA claims?
Consent documentation obligations - Is seller required to provide proof on request?
TCPA compliance representations - Did seller certify TCPA compliance?
Notice requirements - How must you notify seller of claims to trigger indemnity?
Indemnification Trigger: Many agreements require timely notice to preserve indemnification rights. Send written notice to vendor immediately upon receiving a TCPA demand, even before investigating.
Marketing Agency Records
If Agency Managed Campaigns
Campaign documentation - What campaigns did they run? What lists did they use?
List source - Where did agency get the phone numbers?
Scripts and content - What messages were sent?
Consent verification process - How did agency verify consent before calling?
Platform access - Can they export detailed logs from platforms they used?
Subcontractors - Did agency use any sub-vendors for calling/texting?
Agency Agreement Review
Scope of authority - What was agency authorized to do?
Compliance obligations - Who was responsible for TCPA compliance?
Indemnification - Does agency indemnify for their actions?
Insurance - Does agency carry E&O or liability coverage?
Dialer/Platform Vendor Records
Technology Documentation
System capabilities statement - Does vendor certify ATDS or non-ATDS status?
Configuration documentation - How was your instance configured?
DNC integration - How does system handle DNC scrubbing?
Opt-out processing - How are STOP requests handled?
Indemnity Tender Process
When to Tender
Immediately upon receiving demand - Don't wait until you've investigated
Before settling - Vendor may want to participate in defense/settlement
Per contract requirements - Check notice deadlines in your agreement
Tender Letter Elements
[YOUR COMPANY]
[Address]
[Date]
VIA EMAIL AND CERTIFIED MAIL
[Vendor Legal Name]
[Address]
Attn: Legal Department / Compliance
Re: Notice of TCPA Claim and Tender of Defense - [Claimant Name]
Dear [Vendor]:
Pursuant to Section [X] of the [Agreement Name] dated [date] between [Your Company] and [Vendor], we hereby provide notice of a claim and tender defense.
The Claim:
We have received a demand letter dated [date] from [Claimant/Counsel] alleging violations of the Telephone Consumer Protection Act arising from [calls/texts] made to [phone number]. A copy of the demand is attached.
Vendor's Involvement:
Our records indicate that [describe vendor's role: "the phone number at issue was obtained through leads purchased from Vendor" / "the calls were made using Vendor's dialing platform" / "the campaign was managed by Vendor"].
Contractual Obligations:
Under Section [X] of our Agreement, Vendor represented and warranted [quote relevant warranty]. Under Section [Y], Vendor agreed to indemnify [Your Company] for claims arising from [quote indemnification scope].
Requests:
We request immediate production of all documentation related to [consent for this lead / this campaign / calls to this number], including but not limited to consent records, form screenshots, timestamps, and IP addresses.
We tender defense of this claim to Vendor pursuant to the indemnification provisions of our Agreement.
Please confirm within ten (10) days whether Vendor accepts the tender and will assume defense.
Reservation of Rights:
This notice is provided to preserve our contractual rights. We reserve all claims against Vendor including but not limited to breach of warranty, indemnification, and contribution.
Please direct all responses to [contact].
Sincerely,
[Name, Title]
Enclosure: Copy of TCPA demand letter
What If Vendor Doesn't Cooperate?
Document all requests - Keep records of every request and non-response
Escalate internally - Contact vendor's legal or compliance team directly
Review contract remedies - May be able to withhold payments or terminate
Litigation discovery - If suit is filed, subpoena vendor's records
Third-party claim - May need to file cross-claim or separate action against vendor
Preservation Checklist
Spoliation Warning: Destroying, altering, or failing to preserve relevant evidence after receiving a demand can result in adverse inference (jury assumes destroyed evidence was harmful), sanctions, and separate liability. Take preservation seriously.
Litigation Hold Basics
What Is a Litigation Hold?
A directive to preserve all documents and data that may be relevant to anticipated or pending litigation. It overrides normal retention/deletion policies.
When to Implement
Upon receiving demand letter - Litigation is reasonably anticipated
Upon receiving lawsuit - Definitely implement if not already
Upon learning of potential claim - Even before formal demand
Litigation Hold Template
LITIGATION HOLD NOTICE
CONFIDENTIAL - ATTORNEY-CLIENT PRIVILEGED
Date: [Date]
From: [Legal/Compliance Officer]
To: [List of custodians: IT, Marketing, Sales, Customer Service, relevant individuals]
Re: Document Preservation - TCPA Claim from [Claimant Name]
IMMEDIATE ACTION REQUIRED
We have received a legal claim that requires immediate preservation of documents and electronic data. This notice supersedes any existing document retention policies.
YOU MUST PRESERVE all documents, records, and electronic data relating to:
Phone number: [XXX-XXX-XXXX]
Name: [Claimant Name]
All communications (calls, texts, emails) to or from this number/person
All consent records, webform submissions, or agreements from this person
All opt-out requests or DNC entries for this number
All campaign records, dialer logs, and SMS platform data involving this number
All lead source documentation if number was purchased
All policies, procedures, and training materials related to TCPA compliance
All vendor agreements related to calling/texting services
DO NOT:
Delete any files, emails, texts, or records related to this matter
Allow automatic deletion/archival systems to destroy relevant data
Modify or alter any existing records
Discuss this matter with anyone outside the company without authorization
REQUIRED ACTIONS:
Immediately suspend any auto-delete or retention policies for the data described above
Export and preserve copies of all relevant platform data
Identify and preserve any personal devices or accounts that may contain relevant data
Contact [Legal Contact] within 24 hours to confirm receipt and compliance
Duration: This hold remains in effect until you receive written notice that it has been lifted.
Questions: Contact [Legal Contact] at [email/phone].
Failure to comply with this notice may result in serious legal consequences for the company and may constitute grounds for disciplinary action.
ACKNOWLEDGMENT
I have read and understand this Litigation Hold Notice. I will preserve all relevant documents and data as described above.
Name: _______________________
Signature: _______________________
Date: _______________________
Who Should Receive the Hold
Department/Role
Why
Data They Control
IT / Systems Admin
Controls backup, retention, and system access
Server logs, backups, platform access
Marketing
Ran the campaigns; knows lead sources
Campaign records, lead lists, vendor contacts
Sales
May have contact records, CRM data
CRM records, call notes, customer files
Customer Service
May have opt-out requests, complaints
Support tickets, call recordings, complaint logs
Compliance/Legal
Policies, training, prior issues
Policies, procedures, prior complaints
Individual custodians
People who directly worked on campaigns
Personal files, emails, notes
System-Specific Retention Overrides
Actions by Platform Type
Email (O365/Google) - Place legal hold on relevant mailboxes; disable auto-archive