Ethan Brooks leads Sales and Partnerships at PeakIntent, where he helps high-ticket service businesses, from personal injury and tax resolution firms to cosmetic surgery, dental, restoration, and roofing companies, buy exclusive leads that actually convert. He writes about lead economics, why cost per signed case beats cost per lead, and how to scale acquisition without wasting budget.
If you buy inbound leads for insurance, financial services, legal, or high-ticket home services, TCPA compliance in 2026 is materially different from 2024. The FCC's 1:1 consent rule, originally scheduled for January 2025, delayed by litigation, now targeting later in 2026, is the biggest shift, but the enforcement climate has been trending in the same direction for two years. Plaintiff firms have gotten sophisticated. Settlements are up. Cheap-shared-list operators who ignored consent-capture hygiene are exiting the market.
This is the practical checklist for what every lead buyer should have documented, in writing, on file, before they take delivery of a single new lead in 2026. It is not legal advice, talk to your attorney, but it covers the operational specifics that separate compliant lead buying from settlement risk.
Prior Express Written Consent (PEWC), the foundation
Every outbound call or SMS to a lead requires prior express written consent if the outreach uses an autodialer or prerecorded voice, or if the number is on the Do Not Call registry. "Written" in the TCPA sense means an electronic record, check-the-box, signature, e-signature, is fine, as long as the consent is unambiguous and specific.
The four things PEWC must contain, per FCC guidance:
- The specific entity that will contact the prospect. Not "and our trusted partners." Not "our advertising partners may contact you." The named company that will call.
- What number(s) the consent covers. Landline, mobile, or both.
- The types of contact covered. Calls, SMS, both.
- A clear disclosure that consent is not required as a condition of purchase. This is often overlooked and is a common plaintiff-firm exhibit.
If your lead vendor's consent capture is missing any of these four elements, the leads are effectively worthless from a compliance standpoint. Ask for a sample audit trail before signing any new vendor. Expect a real vendor to provide it within one business day.
The 1:1 consent rule, 2026's biggest shift
The FCC's 1:1 consent rule fundamentally changes how lead marketplaces operate. Under the old rules, a lead form could disclose "you consent to be contacted by our marketing partners" and share the lead with dozens of buyers. Under the new rule, each consent must cover one clearly identified seller, and the seller must be "logically and topically associated" with the reason the consumer completed the form.
Practical implications for lead buyers:
- Shared-list marketplaces that distribute a single consent to 5-15 firms will need to either restructure their consent capture or exit the market for regulated verticals.
- Exclusive-lead vendors have a structural advantage, one lead, one seller, one clearly-identified relationship.
- Lead buyers should demand that vendors disclose, per lead, exactly who else the consent covers. If the answer is "12 other firms in our network," those leads carry material risk.
- For insurance and financial specifically, the topical-association requirement means a "car insurance quote" form cannot legitimately consent the prospect to receive life insurance calls. Cross-line spillover requires separate consent.
The rule was originally scheduled for January 2025, stayed by the Eleventh Circuit in early 2025 in Insurance Marketing Coalition v. FCC, and is now the subject of ongoing regulatory revision. Most compliance-forward buyers are structuring their vendor contracts as if the rule is already in effect, the direction of travel is clear even if the exact date is not.
The documentation checklist, what you need on file
For every lead you take delivery of, your vendor should be able to produce, on request, an audit trail containing:
- ✓ Timestamp of the consent event (ISO-8601, with timezone)
- ✓ IP address of the device that submitted the consent
- ✓ URL of the exact page where consent was captured (not just the domain)
- ✓ Exact consent language the prospect saw at the time (screenshot ideal, HTML snapshot acceptable)
- ✓ Named seller(s) the consent covers, as they appeared to the prospect
- ✓ User-agent string (helps rebut claims that the consent was submitted by a bot or third party)
- ✓ Session data, the fields the prospect filled in, in what order
- ✓ Opt-out record, timestamp and mechanism of any subsequent opt-out
If your vendor cannot produce all eight items on a random sample within one business day, treat that as a hard exclusion criterion. The reputable vendors have this instrumented and can produce it via API. The ones who can't are the ones plaintiff firms are targeting.
DNC scrubbing, federal and state
Federal DNC registry scrubbing is the floor, not the ceiling. State DNC lists cover different phone numbers, refresh on different schedules, and carry independent penalty structures. Buyers in TX, FL, WA, IN, MO, WY, LA, MS, TN, and OK specifically should be running state DNC scrubs on top of federal, those states have historically active plaintiff bars.
Operational implementation:
- Scrub every lead against federal DNC within 30 days of dial (registry data has 31-day freshness requirements)
- Scrub against applicable state DNC lists on the same cadence
- Scrub against your own internal DNC list (past opt-outs)
- Establish a suppression list update SLA with your vendor, opt-outs should propagate within 24 hours, ideally faster
- Log every scrub decision with timestamp, "we called this number because it was clean on the federal list on YYYY-MM-DD" is a defensible position
Vendor vetting, the questions to ask before signing
Before onboarding a new lead vendor, get written answers to these questions. If any answer is evasive or missing, walk.
- How is consent captured? Ask for a live URL of a working consent form.
- What is the named seller(s) on the consent language? Your entity name should appear.
- How many other firms are covered by the same consent? For exclusive leads, the answer should be zero. For shared, get the exact number.
- What audit-trail elements are captured per lead? Cross-check against the 8-item checklist above.
- What is the opt-out propagation SLA? Under 24 hours is standard; over 48 is a risk signal.
- Do you carry E&O insurance covering TCPA claims arising from your consent capture? If yes, get the certificate. If no, the vendor is transferring their compliance risk onto your balance sheet.
- Will you contractually indemnify me for TCPA claims arising from your leads? This is where reputable vendors distinguish themselves. Refusal to indemnify is a red flag.
- How do you handle scrub-list updates from client opt-outs? The answer should be automated and near-real-time.
Vertical-specific notes
Insurance leads. The most-litigated TCPA vertical. Plaintiff firms specifically target insurance producers because policy commissions are large enough to justify settlements. If you buy insurance leads, or specifically life insurance leads, treat every one of the checklist items above as non-negotiable.
Financial services. Not just wealth management, mortgage, refinance, tax resolution, debt consolidation, and business lending all sit in the TCPA hot zone. Financial services leads have the added complication of Reg S-P privacy overlay for SEC-registered firms.
Legal. Plaintiff firms often are the TCPA plaintiffs in enforcement cases, so the legal-leads segment has some of the most rigorous consent capture in the market. Personal injury and mass tort volume specifically operates under close scrutiny. See our legal leads guide for the plaintiff-firm sourcing framework.
Home services. Roofing, HVAC, and plumbing sit outside most TCPA litigation but are increasingly targeted as consumer-protection cases. The HVAC and roofing lead markets have been operationally sloppy on consent capture historically, the compliance-forward operators are pulling ahead.
What changed from 2024 to 2026
- Settlement values climbed. Median TCPA settlement per lead has roughly doubled since 2023 as plaintiff firms have gotten better at proving individual damages.
- Multi-defendant strategies emerged. Plaintiff firms now regularly sue the lead marketplace, the vendor of record, and the ultimate buyer as separate defendants. Being three-steps removed from the consent capture no longer insulates you.
- Aggregator liability tightened. Buyers who rely on "our vendor handles compliance" have watched courts hold them jointly liable when the underlying consent was defective.
- E&O coverage became a differentiator. Vendors carrying meaningful E&O and offering indemnity have become sought-after; those who don't are pricing accordingly (i.e. their leads are cheaper but riskier).
Quick reference, do and don't
Do:
- Insist on the 8-item audit trail per lead, per vendor, before signing
- Verify your entity name appears in the consent language
- Run federal + applicable state DNC scrubs before every batch
- Log every consent, every scrub, every opt-out with timestamps
- Require E&O + indemnity from any vendor handling more than $5k/month of your spend
- Read the 7-point vendor evaluation checklist before onboarding
Don't:
- Assume your vendor's compliance transfers to you, courts have said it doesn't
- Rely on generic "trusted partners" consent language
- Skip the DNC scrub because "the vendor said the number is opted in"
- Buy leads from any vendor that won't produce a sample audit trail
- Ignore the direction the 1:1 consent rule is heading, restructure your vendor mix now
Bottom line
TCPA compliance in 2026 is an operational discipline, not a policy document. The buyers who get it right have automated audit trails, sub-24-hour opt-out propagation, contractual indemnity from every meaningful vendor, and a checklist their compliance team runs monthly. The buyers who get it wrong are learning that the true cost of a shared-lead marketplace runs higher than the sticker price.
If you are re-evaluating your lead mix in light of the 1:1 rule and the current enforcement climate, start by reading how exclusive vs shared leads compare on real cost-per-signed-job, then work through the vendor evaluation checklist. The compliance overhead of an exclusive vendor almost always beats the settlement exposure of a shared-list operator working at scale.