How Long to Keep Proof-of-Consent Records (Hint: Longer Than Four Years)
The unglamorous truth about lead-gen compliance is that you almost never win a dispute by arguing you were right. You win by producing the record that proves it — cleanly, quickly, and years after the lead came in. So the question "how long do I keep proof of consent?" isn't a filing-cabinet question. It's a survival question.
I've watched operators let consent records auto-expire at the three- or four-year mark because someone said, "the statute of limitations is four years, we're fine." That advice is half-right, which is the most dangerous kind. Let me walk through why, using the actual rules.
The record is your defense — because you carry the burden
Start with who has to prove what. When a consumer claims you called or texted without proper consent, the caller is the one who has to show consent existed. The FCC said this plainly when it adopted the written-consent regime:
"Finally, under the TSR, the seller bears the burden of proving that a clear and conspicuous disclosure was provided, and that an unambiguous consent was obtained."
You are the one who has to prove consent
In a consent dispute the plaintiff doesn't have to prove you lacked consent. You have to prove you had it. No record, no defense — even if the consent genuinely happened.
That single sentence reframes everything. Your consent record is not paperwork. It is the evidence you will stand on. If it's gone, expired, or unreadable when you need it, you are functionally in the same position as someone who never got consent at all.
The four-year federal floor
Where does "four years" come from? The TCPA doesn't state its own limitations period, so courts apply the federal catch-all in 28 U.S.C. § 1658(a):
"a civil action arising under an Act of Congress enacted after [December 1, 1990] may not be commenced later than 4 years after the cause of action accrues."
The TCPA was enacted in 1991, so the four-year clock applies. That's real, and it's the reason people say "keep it four years." But read the words carefully: four years after the cause of action accrues — not four years after the lead form was submitted.
Read the clock language literally
Section 1658 runs four years from when the claim accrues — i.e., from the violating call or text — not from when you captured consent. A number you keep marketing to keeps resetting the window on the newest contact.
Why four years is a floor, not a ceiling
Three things stretch the real-world window well past four years.
- The clock runs from the last violation, not the first contact. If a lead sits in your dialer and gets a text in year two, a new four-year window opens on that text. A record captured on day one may need to defend a contact made much later.
- Claims surface late. Consumers don't file the week they're annoyed. Demand letters and class actions routinely reference conduct from years back, and you'll be asked to produce the original consent artifact long after you've forgotten the lead existed.
- State mini-TCPAs run on their own clocks. Florida's Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059, requires "prior express written consent" for automated sales calls and texts, and treats checking a box indicating consent as a qualifying signature. The FTSA doesn't state its own limitations period, so Florida's general four-year period for "an action founded on a statutory liability" under Fla. Stat. § 95.11(3) applies — again, measured from the violation.
Put those together and a record you need to prove consent for a contact made in, say, year three could be litigated into year six or seven. Four years of retention doesn't cover that. This is why experienced operators land on five years and up.
The Operator’s Compliance Brief
What changed in lead-gen compliance, and what to do about it. Free, no spam.
The FTC already told telemarketers: five years
You don't have to guess at a prudent number. The FTC's own Telemarketing Sales Rule now sets one. In its 2024 amendments to the TSR, the FTC increased the recordkeeping retention period from two years to five and expanded what must be kept. Under 16 C.F.R. § 310.5(a), a seller or telemarketer must keep, "for a period of 5 years from the date the record is produced," records including advertising and scripts, prerecorded messages, and detailed logs of each telemarketing call.
Anchor your policy to the strictest rule that touches you
If the TSR reaches your operation, five years isn't a best practice — it's the floor the regulator wrote down. Set your default retention to at least five years across all consent artifacts so one clock governs everything and you're not sorting records by which rule applies.
What a defensible consent record actually contains
Retention only matters if what you retain is worth keeping. The federal definition of "prior express written consent" at 47 C.F.R. § 64.1200(f) requires a signed written agreement that (1) clearly authorizes the seller to deliver telemarketing calls or texts using an autodialer or a prerecorded/artificial voice, and (2) includes the specific phone number — plus a clear and conspicuous disclosure that signing authorizes those calls and that the person is not required to sign as a condition of purchase.
To prove all of that later, a defensible record ties together:
- The TrustedForm certificate or Jornaya LeadiD for the submission
- The exact disclosure language the consumer saw, verbatim
- The timestamp and IP address of the submission
- The specific web form / URL where consent was captured
- The checkbox state or signature showing the affirmative act
A bare "TCPA consent: yes" flag is not a record
A boolean in your CRM proves nothing about what was disclosed or where. If you can't reproduce the page, the language, and the affirmative act, you don't have a defense — you have a note to yourself.
Your retention policy in practice
Here's the piece operators miss most: the vendor cert is not permanent, and it isn't really yours until you claim it.
TrustedForm certificates are deleted after 90 days unless they're retained; the TrustedForm Retain product stores claimed certificates for up to five years. That's a good backstop — but it's a vendor's window, on a vendor's servers, subject to your account staying in good standing. Treat it as a copy, not the copy.
- Claim and store your own copy. Don't rely solely on the cert living in a vendor account. Persist the certificate URL — and, where the vendor allows, a stored snapshot — against the lead record in a system you control.
- Make it immutable. Write consent artifacts to append-only or write-once storage (object storage with versioning or an object-lock is fine). A record you could have edited is a record a plaintiff will argue you did edit.
- Retain the whole bundle, not just the ID. The LeadiD or cert URL is the pointer; keep the disclosure text, timestamp, IP, and form URL alongside it so the record stands on its own if the vendor link ever goes dark.
- Set one clock, and make it long. Five years from last contact is a sane default; if you operate in litigious mini-TCPA states or buy and sell aged data, longer is cheaper than the alternative.
The whole thing rounds to one habit: assume you will have to prove consent for any given contact years after everyone has forgotten it, and keep the record that lets you. Storage is cheap. Being the caller who can't produce the cert is not.
Not legal advice
This is a practical field guide for operators, not legal advice. Compliance rules change and turn on your specific facts. Confirm anything here with a qualified telemarketing/TCPA attorney before you rely on it.
Sources
- 28 U.S.C. § 1658 — Time limitations on the commencement of civil actions — Cornell Legal Information Institute (accessed 2026-07-03)
- 16 CFR § 310.5 — Recordkeeping requirements — Cornell Legal Information Institute (accessed 2026-07-03)
- Telemarketing Sales Rule — 2024 Amendments (recordkeeping extended to five years) — Federal Register / Federal Trade Commission (accessed 2026-07-03)
- 47 CFR § 64.1200 — Delivery restrictions (definition of prior express written consent) — Cornell Legal Information Institute (accessed 2026-07-03)
- In re Rules Implementing the TCPA of 1991 (2012 Report and Order, FCC 12-21) — Federal Register / Federal Communications Commission (accessed 2026-07-03)
- Fla. Stat. § 501.059 — Florida Telephone Solicitation Act — The Florida Senate (accessed 2026-07-03)
- Fla. Stat. § 95.11 — Limitations other than for the recovery of real property — The Florida Senate (accessed 2026-07-03)
- Access your certificates with TrustedForm Retain — ActiveProspect (accessed 2026-07-03)
30+ years in lead gen · BRSG Founder
Bill Rice has spent 30+ years in mortgage, lending, and performance marketing — generating leads, buying them, and building the systems that route and work them. He founded a performance-marketing agency, owned a direct-to-consumer lender, and wrote The Lead Buyer's Playbook. He built Lead Compliance Hub to help operators navigate the legal landmines of online lead generation from an operator's seat, not a law firm's. Nothing he writes here is legal advice.
Key Terms to Know
Do-Not-Call (DNC)
The National Do Not Call Registry and the scrubbing obligation that comes with it: telemarketers must generally avoid calling registered numbers and maintain an internal DNC list, absent consent or a qualifying exemption.
Proof of Consent
The documented record that a consumer agreed to be contacted — the form, the disclosure language shown, a timestamp, and the originating page. Tools like TrustedForm and Jornaya capture it so you can produce it when a plaintiff, buyer, or regulator asks.
The Operator’s Compliance Brief
What changed in lead-gen compliance, and what to do about it. Free, no spam.