How to Vet a Lead Vendor: The Compliance Questions That Separate Clean Sources From Lawsuit Factories

Bill Rice

30+ years in mortgage & lead gen

July 3, 2026

If you buy leads and dial them, here is the uncomfortable truth that took me too long to internalize: when a consumer sues over an unwanted call, the phone that rang is yours, not your vendor's. You are the caller. And under the TCPA, the caller carries the burden of proving consent. Buying a lead does not buy you a defense.

This is a field guide, operator to operator, on how to vet a lead vendor before you wire the first dollar. It is not legal advice. But it is the checklist I wish someone had handed me before I learned these lessons the expensive way.

The buyer is the one who is exposed

Start here, because it reframes every question that follows. The FCC has been explicit that consent is your problem to prove. In its 2015 Omnibus order, the Commission stated that "if any question arises as to whether prior express consent was provided by a call recipient, the burden is on the caller to prove that it obtained the necessary prior express consent" (FCC 15-72). Not the lead seller. Not the consumer. You.

That means a vendor's assurance that a record "consented" is not evidence you can use. What protects you is a consent record you can independently produce and defend in front of a trier of fact. When you vet a vendor, you are really vetting whether they can hand you defensible proof, and whether they will stand behind it in writing.

You hold the burden, not the seller

The FCC's 2015 Omnibus order (FCC 15-72) places the burden of proving prior express consent squarely on the caller. Every diligence question below exists to make sure the vendor can give you proof you can actually stand on.

Why diligence got harder, not easier

Many operators assumed the ground had gotten simpler. It got more complicated.

In 2023, the FCC adopted a "one-to-one consent" rule that would have required a consumer's written consent to name a single, identified seller and be logically and topically associated with the interaction that produced it. In practice that would have killed shared and bulk consent lists, where one form fill authorizes contact from many buyers.

That rule is gone. On January 24, 2025, the Eleventh Circuit vacated it in Insurance Marketing Coalition Ltd. v. FCC, No. 24-10277, holding that the one-to-one and "logically and topically related" restrictions impermissibly conflicted with the ordinary statutory meaning of "prior express consent." The court granted the petition, vacated that part of the FCC's order, and remanded.

Here is the counterintuitive part: the rule's death does not lower your risk, it raises your diligence duty. Shared and bulk consent lists are legally back in play, which means the marketplace is once again full of leads whose consent was captured on someone else's form, disclosing a list of sellers you have never seen. The regulator is no longer drawing the bright line for you. You have to draw it yourself, one vendor at a time.

The one-to-one rule was vacated

The FCC's 2023 one-to-one consent rule was vacated by the Eleventh Circuit in Insurance Marketing Coalition Ltd. v. FCC, No. 24-10277 (11th Cir. Jan. 24, 2025). Shared and bulk consent is not per se prohibited, but it puts the entire weight of consent diligence back on the buyer.

Ask to see the actual form the consumer completed, not a description of it. Then work through:

  • Exact disclosure language. Get the verbatim text the consumer saw. For calls using an autodialer or artificial or prerecorded voice, prior express written consent under 47 CFR 64.1200(f)(9) means a signed written agreement that clearly authorizes those calls and discloses that the person is not required to sign as a condition of purchase. If the vendor cannot produce that language, they cannot produce the consent.
  • Single seller or shared list. Was your company named, or was the consumer consenting to a list of "marketing partners"? If it is a shared list, get the list. You want to know exactly which sellers were disclosed and confirm you are on it.
  • The URL and brand. What site was the consumer actually on? A generic quote page you have never heard of is a very different risk than a recognizable brand with a real value exchange.

The Operator’s Compliance Brief

What changed in lead-gen compliance, and what to do about it. Free, no spam.

This is where clean vendors separate themselves. Ask whether every lead carries an independent consent certificate: a TrustedForm certificate or a Jornaya (now Verisk) LeadiD token captured at the moment of the form fill. These tools record what the consumer saw and did, and TrustedForm's certificates include a session replay of the actions the consumer took during the lead event, which is exactly the kind of documentary proof the 64.1200(f)(9) standard rewards.

But a token on a spreadsheet is not proof. Insist that you can independently pull, verify, and replay the certificate yourself, on every lead, not a sample the vendor curates for you. Certificates get faked. Real tokens get attached to the wrong lead. The existence of something that looks like a TrustedForm or Jornaya artifact is not the same as verified consent for the specific person you are about to dial.

A certificate is not consent

Fraudulent and mismatched consent tokens are a known problem. Never treat the mere presence of a TrustedForm or Jornaya/LeadiD token as proof. If you cannot independently retrieve and replay the certificate for a specific lead, treat that lead as having no consent at all.

DNC scrubbing: national, internal, and state

Consent handles the autodialer and prerecorded-voice exposure. Do-Not-Call rules are a separate layer, and both you and your vendor need clean process.

Ask how, and how often, leads are scrubbed against the national registry, the seller's internal DNC list, and applicable state lists. The Telemarketing Sales Rule sets the floor: under 16 CFR 310.4(b)(3)(iv), a seller or telemarketer must use a version of the do-not-call registry obtained "no more than thirty-one (31) days prior to the date any call is made" and keep records documenting the process. If a vendor cannot describe their scrub cadence and their recordkeeping, assume there isn't one.

Data provenance and lead age

Where did this record originate, and when? A "fresh" lead that is actually a resold aggregator record from months ago is both a performance problem and a compliance one, because the consent that theoretically supports it may be stale, disputed, or attached to a different campaign entirely.

Watch for co-registration and incentivized consent. If the consumer got a gift card or sweepstakes entry for filling out a form, or agreed via a pre-checked box buried in a co-reg flow, the "consent" may not reflect any real willingness to be called, which is the substance the Eleventh Circuit said prior express consent has to carry.

Co-reg and incentivized-consent red flags

Sweepstakes entries, gift-card incentives, pre-checked boxes, and long shared-partner lists are the classic markers of a lawsuit-factory source. Consent captured that way is technically present and practically worthless.

Contractual protections

Diligence that lives only in a phone call evaporates when you need it. Get it in the contract:

  • Reps and warranties that every lead was collected in compliance with the TCPA and the Telemarketing Sales Rule, with valid, documented consent.
  • Indemnification that actually covers TCPA and TSR claims, from a counterparty with the assets or insurance to honor it. An indemnity from a shell is decoration.
  • Audit rights, including the right to sample-audit raw consent records and certificates on demand, not just to receive a summary.

The vendor's own history

Search the vendor, its principals, and its affiliated brands for TCPA litigation and regulatory actions before you sign. A pattern of consumer suits or state attorney-general activity tells you how their leads behave in the wild, regardless of how clean the pitch sounds.

An operator workflow that holds up

Sample-audit before you scale

Buy a small batch first. Independently pull and replay the consent certificate on every lead in the sample. Confirm your brand appears in the disclosed seller list. Check the sample against DNC. Only then scale spend.

The discipline is simple to state and hard to keep: sample-audit before scaling, monitor continuously once you are live, and define your kill criteria in advance. Set thresholds, for example a certificate-verification failure rate, a complaint or dispute rate, or any litigation demand tied to the source, that trigger an immediate pause and pull, not a negotiation. The vendors worth keeping will pass these tests quarter after quarter. The lawsuit factories reveal themselves the moment you insist on proof.

Not legal advice

This is a practical field guide for operators, not legal advice. Compliance rules change and turn on your specific facts. Confirm anything here with a qualified telemarketing/TCPA attorney before you rely on it.

Sources

  1. 47 CFR 64.1200 — Delivery restrictions (prior express written consent definition, 64.1200(f)(9))Cornell Law School Legal Information Institute (accessed 2026-07-03)
  2. 16 CFR 310.4 — Abusive telemarketing acts or practices (Do-Not-Call scrub, 310.4(b)(3)(iv))Cornell Law School Legal Information Institute (accessed 2026-07-03)
  3. In re Rules and Regulations Implementing the TCPA of 1991, Omnibus Declaratory Ruling and Order, FCC 15-72 (2015)Federal Communications Commission (accessed 2026-07-03)
  4. Insurance Marketing Coalition Ltd. v. FCC, No. 24-10277 (11th Cir. Jan. 24, 2025)U.S. Court of Appeals for the Eleventh Circuit (accessed 2026-07-03)
  5. TrustedForm — Consent documentation and certificatesActiveProspect (accessed 2026-07-03)
Bill Rice

30+ years in lead gen · BRSG Founder

Bill Rice has spent 30+ years in mortgage, lending, and performance marketing — generating leads, buying them, and building the systems that route and work them. He founded a performance-marketing agency, owned a direct-to-consumer lender, and wrote The Lead Buyer's Playbook. He built Lead Compliance Hub to help operators navigate the legal landmines of online lead generation from an operator's seat, not a law firm's. Nothing he writes here is legal advice.

Key Terms to Know

The Operator’s Compliance Brief

What changed in lead-gen compliance, and what to do about it. Free, no spam.