TCPA liability is the single risk most likely to end an insurance agency in 2026. A single class action can carry $500–$1,500 per call in statutory damages. Multiply that by a 12-month dialing window across a few hundred wrong numbers and the exposure crosses seven figures before any actual harm is proven. This guide is not legal advice — talk to your TCPA counsel — but it is the operating playbook we use inside OneLife to keep agency partners audit-ready and lawsuit-resistant.
The three rules that govern every dial#
- Express written consent. Before any auto-dialer or pre-recorded voice call to a wireless number for marketing, the consumer must have signed a clear consent that names the calling parties and the marketing nature of the call.
- Internal and federal DNC. You must maintain an internal DNC list, honor opt-outs within 24 hours, and scrub against the federal DNC registry and applicable state DNC lists.
- Caller ID and identification. Outbound marketing calls must transmit accurate caller ID and identify the agency or carrier at the start of the call.
The 1:1 consent rule and what it changed#
The 1:1 consent rule reshaped how insurance lead consent forms work. Consent must now be specific to a single seller per call — the days of a single "I consent to be contacted by our marketing partners" checkbox covering dozens of agencies are over for marketing autodialer purposes. Practically, this means:
- Consent forms must name the calling party (the agency or the specific list of sellers) clearly and individually.
- Lead vendors that sell the same record across multiple buyers under one consent are exposed — and so are you when you dial that record.
- Aged data with old consent strings is high-risk. Re-consent or don't dial.
What a compliant consent string actually contains#
At a minimum, a defensible consent record contains:
- The full URL the consumer visited and a snapshot of the page at time of submission.
- The exact text of the consent disclosure shown to the consumer.
- The list of sellers / agencies covered by the consent, named individually.
- Timestamp, IP address, and user agent at submission.
- The phone number consented and a checkbox or signature confirming the consent.
- Method of capture (web form, telephone signature, SMS) and the channel of marketing consented to.
Demand a sample consent record from every vendor before contracting. If they can't produce one in a defensible format within 24 hours, you are buying TCPA risk wrapped in a phone number.
DNC scrubbing: the daily hygiene that prevents class actions#
| List | Frequency | Penalty per Violation |
|---|---|---|
| Federal DNC | Daily | Up to $51,744 (FTC) |
| State DNC (where applicable) | Daily | Varies by state |
| Internal agency DNC | Real-time on opt-out | TCPA statutory damages |
| Wireless block list (free) | Daily | Reduces wireless misdial risk |
The audit trail every agency needs#
If you cannot produce, within 24 hours of a subpoena, all of the following for any dialed phone number, you have a problem:
- The consent string and snapshot of the consent page at submission time.
- The original call recording (if dialed by your agency).
- Evidence of DNC scrubbing on the day of dial.
- The lead-vendor contract that warrants the consent.
- The CRM disposition for the call.
Contract terms that protect you#
The vendor contract is the second line of defense after consent capture. Negotiate these terms before wiring a dollar:
- Indemnification for TCPA claims arising from consent defects, with no aggregate cap below $2M.
- Right to audit consent records on 5 business days notice.
- Vendor obligation to produce consent string and recording within 24 hours of request.
- Vendor warranty that all data was collected under 1:1 consent meeting current FCC rules.
- Termination right with no penalty on any material compliance breach.
Common compliance failures we see#
- Buying aged data and dialing on the original consent. The clock has likely run on consent freshness — re-consent or don't dial.
- Single internal DNC list shared across agencies under one ownership group, without segregation by branding. Opt-out for one brand must propagate to the dialer that brand uses.
- Skipping the federal DNC scrub because "all our leads are consented." The federal DNC overlap with consented data is non-trivial and the safe move is to scrub anyway.
- Trusting a vendor's verbal assurance instead of reviewing a sample consent record.
- Not recording outbound dials, then having no defense when a plaintiff says the call was made.
Actionable takeaways#
- Review every lead supplier's consent capture flow before signing.
- Stand up daily federal and state DNC scrubs. Real-time internal DNC propagation.
- Record every outbound dial. Retain four years minimum, ten years for Medicare.
- Get indemnification and a right-to-audit clause in every vendor contract.
- Audit your own consent records quarterly. If you wouldn't show them to your lawyer, fix them today.
Frequently asked questions
TCPA stands for the Telephone Consumer Protection Act. It applies to any business making marketing calls or texts to US consumers, including all insurance agencies and lead vendors.
Two years from the date of the alleged violation, but plaintiffs frequently file at the back end of that window. Retain consent records and recordings for at least four years.
FCC clarification that express written consent for marketing autodialer calls must be specific to a single seller. Multi-seller consent buckets no longer cover marketing autodialer calls under that interpretation.
Yes. Statutory damages are $500 per violation, trebled to $1,500 for willful violations. Class actions aggregate quickly across multi-month dialing windows.
Inbound calls initiated by the consumer don't require prior express consent under TCPA, but follow-up outbound dialing to a wireless number does. Track which calls were truly consumer-initiated.
Both parties have exposure, but plaintiffs almost always sue the agency that dialed. Vendor indemnification mitigates downstream cost but rarely prevents the suit.