A plain-English read of the latest FCC consent rules — what counts as one-to-one consent, what does not, and the three workflow changes most outbound teams need to make.
For about a decade, the TCPA (Telephone Consumer Protection Act) consent landscape was built around a particular workflow: a consumer filled in a form on a website, the form said in fine print that "by submitting this form you agree to receive calls from us and our marketing partners," and an unspecified number of marketing partners — often dozens — gained the right to call that consumer. This is sometimes called the "consent farm" model, and it was the foundation of large parts of the lead-generation industry.
The FCC moved against the consent-farm model in late 2023 with a final rule that took effect in early 2024 and has been litigated, paused, partially restored, and otherwise tortured through the regulatory process since. The current state, as of the most recent FCC order, is that consent for prerecorded marketing calls and texts must be obtained on a one-to-one basis: one consumer, one specifically identified business, one consent transaction. The blanket-marketing-partner model is dead, at least on paper.
A lot of vendors are still operating as if it isn't. That is the gap this piece tries to clarify.
The shorthand version: prior written express consent for telemarketing calls and texts now requires the consumer to identify, by name, the single business that is being granted permission to contact them. "Acme Corp" — not "Acme Corp and its marketing partners." The consumer must affirmatively check a box that links to that single name.
Two related provisions tightened the noose. The consent must be logically and topically related to the form the consumer filled out — a consumer requesting a quote on auto insurance cannot be implicitly consenting to calls about solar panels. And the consent record must be auditable, with retention of the form text, the consumer's IP, timestamp, and the URL of the form, for a period sufficient to defend against a future complaint.
None of these provisions are technically new. They are extensions of principles the FCC has been signalling for years. What changed is that the agency moved from "we have written guidance" to "we have a rule with teeth." The litigation exposure for non-compliance now sits squarely on the dialer.
In practical terms, a compliant consent capture has six elements. None of these are surprising in isolation; the surprise is how few real-world forms actually meet all six.
The combination of (1) and (3) — single named seller plus topical relationship — is what kills the consent-farm model. A lead generator cannot capture one consent and resell it to fifty unrelated buyers. The compliant workflow either (a) names every buyer at the moment of consent, which consumers will not do, or (b) routes consent to one buyer per form, which collapses the consent-farm economics.
The order is narrower than the headlines suggest. Several things are unchanged.
Established business relationship (EBR) calls remain valid for a defined period after a transaction or purchase. A customer who bought from you three months ago can still receive transactional and informational calls under the same rules as before.
Calls to businesses, as opposed to wireless or residential consumers, are not subject to the same one-to-one consent regime. B2B telemarketing has its own rules, and they are looser. (Note: a personal mobile owned by a business owner can be a contested area.)
Calls explicitly initiated by the consumer, such as return calls from a missed-call number, do not require pre-existing written consent. Inbound is different from outbound, full stop.
Live-agent calls have a less stringent consent regime than prerecorded or AI-generated calls. The headline rule tightening applies to automated outbound. A human dialing manually is on the same legal ground as before — though "manually" has its own definition that has been litigated extensively.
For most of our customers, three changes account for the majority of compliance work.
If you operate any forms that capture consent, those forms need to be redesigned. The new form names the single seller, has the consent checkbox unchecked by default, makes the consent text visible at the point of capture, and is paired with a capture log that stores the form HTML at the moment of submission. The single most common failure we have seen during compliance audits is "the consent text on the form has changed since the consumer signed up, and we cannot prove what they actually agreed to."
If you buy leads from third parties, you need a contractual and technical mechanism that confirms the lead source captured the consent under the one-to-one regime, that your business name was on the form, and that the form text is available for audit. We see customers underestimate this. The dialer is on the hook, not the lead vendor. A lead bought in good faith but captured non-compliantly is your problem.
Revocation must be honored in any reasonable manner. That includes a consumer replying "STOP" to an outbound SMS, saying "do not call me again" on a live call, or sending an email to any address visibly associated with the business. Your CRM and dialer must ingest revocation signals from all these channels and propagate them in near-real-time across the calling stack. We see customers with revocation latency of 24-72 hours, which is well outside the regulatory expectation. Same-day is the floor; same-hour is the practical bar.
TCPA enforcement is primarily private-action driven. The FCC can fine, and does, but the more frequent damage comes from class-action lawsuits filed by plaintiffs' firms that have specialised in TCPA work for decades. Statutory damages run $500 per violation, treble to $1,500 per violation for willful or knowing violations. A campaign that places 200,000 non-compliant calls is, on paper, a $100M-to-$300M exposure.
In practice, settlements are negotiated well below statutory maximums, but they are still extraordinarily expensive. The settlements we have seen in publicly-reported TCPA cases routinely land in the $5M-$50M range for businesses that ran non-compliant campaigns of moderate scale.
The defence cost — even for a case you win — typically clears seven figures. Plaintiffs' firms know this and price their settlement demands accordingly. "Pay us $2M and this goes away" is a rational offer to make to a defendant facing $1.5M in defence costs.
The takeaway: compliance is a cost center until it is the only thing standing between you and a litigation event that ends the company. The investment to get this right is small relative to the worst case.
We took the position that consent capture and revocation are platform problems, not customer problems. Every account on Ajoxi gets, by default:
These are not premium features. They are part of every plan because the alternative — a customer running an outbound program without them — is a customer one bad week away from a litigation event we would all prefer to avoid.
Nothing on this page is legal advice. We are a phone-system vendor; we read the rules carefully, we build product against our reading of the rules, and we hire actual lawyers to validate the product before we ship. If you are running an outbound program and you have not talked to a TCPA-specialist attorney in the last twelve months, that conversation is the highest-leverage hour you can spend this quarter. The rules are stable enough now to defend a program against; they are not stable enough to assume yesterday's playbook still works.
AI receptionists, wholesale routes, virtual numbers — built on one platform with transparent pricing and a 24/7 NOC.