With the FCC’s lead generation regulations now in effect as of 2025, businesses must understand what changed and how to update their practices to comply with the Federal Communication Commission’s (FCC) requirements designed to eliminate unlawful text messages and robocalls (aka the lead generator loophole law).

The FCC order changed the lead generation space as we’ve known it. The new rule requires lead generators to obtain prior express written consent from consumers on a seller-by-seller basis. This eliminates the “batch consent” process and strengthens consumer protections.

No longer will comparison shopping websites exist where a consumer’s interest in a specific area results in an excessive number of unwanted robocalls/texts, mostly unrelated to the original inquiry. No longer will lead compilers be able to collect information from a consumer and then share it with hundreds of third parties, selling it over and over again without proper consent.   

Published in the Federal Register on January 26, 2024, and effective on January 27, 2025, the FCC has allowed ample time for companies to comply with the new requirements.

The new requirements of the lead generator loophole law 

1. One-to-one consent 

Sellers utilizing text messaging and calling to solicit business must obtain a consumer’s prior express written consent (PEWC) to robocall or robotext the consumer. This applies to one seller at a time and includes autodialers and prerecorded messages. 

2. “Clear and conspicuous” disclosure  

Sellers must provide “clear and conspicuous” disclosure to the consenting consumer, alerting the consumer that they will receive robotexts and/or robocalls from the seller. 

3. Topically and logically related  

Contact by the caller/sender must be topically and logically related to the origin of the consumer’s initial inquiry where consent was provided. 

4. Recordkeeping 

Lead compiler/seller must provide the applicable, full consent record to the caller/sender (lead buyer/brand.) 

Caller/sender must have a legally compliant consent record or records on file before any robocall or robotext can be made. The compliance burden falls on the “caller/sender” (lead buyer/brand), so if the caller/sender is unable to meet this compliance burden, the caller/sender may be liable under the Telephone Consumer Protection Act (TCPA). The caller/sender must also maintain consent for that lead (if the consumer subsequently opts out, new consent must be recorded, stored, and appropriately utilized for future contact).  

Frequently asked questions about the new lead generator requirements effective January 2025

Can I wait to comply with the lead generator loophole law? 

No. The FCC’s lead generator loophole requirements are now in effect, and businesses should already be operating in compliance. If you have thoroughly reviewed your existing processes against the FCC’s updated requirements and are confident they would withstand regulatory scrutiny, you may be well positioned.

That said, proceed with caution—the changes that took effect in January 2025 are significant and enforcement risk remains.

Even if you believe your organization is compliant, avoid leaving anything to chance. Seek legal counsel and obtain a formal assessment to validate your conclusions and identify any remaining gaps or areas of risk that require remediation.

Is the one-to-one rule retroactive? 

The new FCC rule for one-to-one consent doesn’t explicitly say it’s only leads from the effective date forward. Judicial opinions suggest that after January 27, 2025, calling leads generated prior to this date is risky. 

Without more clear-cut information about how this rule applies to existing data (lead records and consent already captured and stored using today’s rules), the overwhelming recommendation is to assume these updated disclosure and consent requirements will be applied retroactively.   

To be crystal clear, any leads you currently have or acquire going forward may be unusable unless they were collected in compliance with the updated disclosure and one-to-one consent requirements now in effect.

What can I do now to comply? 

One-to-one consent is official – and it’s time to get ready. 

1. Understand the requirements 

Allow time to prepare. It always takes longer than you think. Start immediately. Become familiar with all new lead generation requirements; study them, determine how they may impact your business specifically (operationally, legally, etc.), and document your compliance protocols and processes. Identify gaps in your current policies and practices and build a plan to address each, with a timeline. 

2. Scrutinize new and existing vendors  

Vendors can be part of your success, or your failure. Use reputable vendors to ensure compliance with existing laws, and regularly discuss and document compliance practices. Include detailed provisions and disclosure/consent process flows within your contracts that must be complied with so vendors can be held accountable, and relationships can be terminated if terms, conditions, and obligations are not adhered to.   

Here are some additional tips on dealing with lead providers:  

• Make sure your lead vendors and providers can furnish documented proof that they understand the FCC’s rule and its requirements, are providing the necessary disclosures, and are obtaining valid consent in accordance with the regulations now in effect.
• Consent reason (for topical and logical outreach) is required as part of consent capture; documentation supporting this requirement must also be provided to those purchasing leads
• Proactively work with your vendors and have them demonstrate their ability to operationally provide the fully compliant disclosure and consent records to the appropriate party
• Non-compliant leads are YOUR risk, not theirs

Here are more tips on working with call centers:

• Initial and ongoing vetting is critical, with different criteria for each
• Perform ongoing and random testing
• Have vendors demonstrate their ability to ingest the fully compliant consent record from the lead source, then store, utilize, maintain and report on consent history and current status to the appropriate party.
• Consent reason is required as part of consent capture and the outgoing message must tie back to this reason (for logical and topical messaging) 
• Know that if an action is filed, plaintiff’s lawyers will argue call center agents are your agents (vicarious liability)

3. Consider enhanced compliance scrubs 

It’s likely you’re already scrubbing for the standard items such as the National Do Not Call (DNC) list, Internal Do Not Call (iDNC) and other regulated requirements, but, consider additional options such as what’s available in real-time and automated through Gryph for Compliance to ensure your company is in the best possible position to mitigate sales and marketing risk.  

Gryph for Compliance is the only real-time, automated solution that mitigates risk of DNC and TCPA violations for all outbound communications. Gryph for Compliance checks against known litigator lists, VIP lists (configurable to specific requests, at your discretion), state-level telemarketing laws, DMA, wireless, legal calling hours/call curfews, holiday calling bans, state of emergency calling bans, existing business relationships, call frequency, CAN-SPAM for email communications, regulatory disclosures, known caller ID, reassigned numbers database, and more, to help your organization remain compliant. 

4. Consent management  

Consent is king. Well captured and maintained consent not only gives you a strong legal standing, but it honors your customers’ preferred communication choices, increasing trust and gaining loyalty, ultimately resulting in a higher return on investment (ROI). It’s worth every penny of investment. 

• One the front end: Closely examine the updated consent capture provisions (especially the required disclosures), and ensure every single point of consent capture fully complies with the requirements now in effect.

• Live/warm transfers: It’s smart to be wary. Establish processes to acquire consent as part of the transfer, even if it wasn’t available on the initial call. This is an area of exposure; understand that “ignorance of the law is no excuse.” The law doesn’t care about intent. 

• During and after messaging: Make sure systems talk, so consent changes during the communication process are easily captured, stored, utilized, maintained, and reported across systems (both internal and external), near real-time and as needed. Streamline this process, weaving it into existing processes so it is second nature. Gryph for Compliance makes this seamless. 

• Make consent easy to find: Maintaining consent records in a centralized location, dedicated to consent data and supporting consent documentation, provides compliance personnel the ability to find information quickly and easily, without having to dig through other noise and the complexity of unrelated data. This goes a long way in a compliance inquiry because the information can be provided timely, and in an organized manner that’s easy for the regulator to both review and understand. 

• Don’t forget about TSR’s new consent requirements: As outlined in a prior blog post, verifiable authorization requires consent requested, consent provided, and purpose of consent, among other elements. These requirements are now in effect, and businesses should ensure their consent practices align accordingly.

 5. Consent Adaptation 

Take action now to enable consent compliance across your existing contactable universe. Ensure your processes are aligned with the requirements now in effect and reduce compliance risk moving forward.

• Act now: Be proactive and expeditiously prioritize “consent capture compliance” at the top of your list.

• Capitalize on existing legislative rules: Reach out to gain consent based on the new compliance rules. Tackle both prospects and customers in this effort, as your universe may not currently have consent for automated system outreach. 

• Use every channel available to you: Don’t limit your efforts to just one channel. Create an omnichannel, multi-touch strategy to gain consent across other channels (for example, use email to gain “2025 compliant” consent for text messaging, etc.). 

• Continuous lead availability: The efforts you make now will continue to deliver value now that the January 27, 2025 effective date has passed. While your contactable universe may be smaller, proactive compliance helps preserve contactability by maintaining a pool of properly repermissioned, 2025-compliant leads.

As a caller, you are at risk – even if you try, in good faith, to call the right people. As a reminder, TCPA violations also include personal liability, so now is not the time to sit on your laurels. A methodical approach to planning and preparation will enable the best possible outcome across the board.