Understanding Lead Generation Compliance in 2026
Lots of companies start an online platform wanting to match consumers with lead buyers, but never think of lead generation compliance. And in not taking compliance to account, they are opening themselves up to potentially large lawsuits. Every consumer who fills out a form is a potential class member. Every affiliate you don't control is a potential liability. Every consent record you can't produce is a settlement you can't fight.
Most lead-gen operators don't get sued because they're bad actors. They get sued because the paper doesn't match the practice. They are missing the consent language, the disclosures, the vendor contracts, the data flow, or a dozen other things. Their lack of their own documentation is the thing that does them in.
I spent years running compliance from inside the machine — VP of Compliance at LendingTree, one of the largest lead-generation businesses in the country, and General Counsel at ConsumerAffairs. I know what a ping tree looks like at 3 a.m. when a buyer's volume spikes. I know how consent gets lost between the form and the CRM. I know where the revenue is and where the risk is, because I've had to protect both at the same time.
This page lays out what lead generation compliance actually requires in 2026, where operators get burned, and how to build the system that keeps the questions from becoming lawsuits.
What "lead generation compliance" actually covers
Lead generation isn't one regulated activity. It's a chain. Publishers who capture the consumer, aggregators who route the lead, and buyers who call or text. And the defining feature of that chain is shared liability. Everyone in the chain can be held responsible for what the others do.
A buyer inherits the publisher's bad consent. An aggregator inherits the affiliate's deceptive ad. A publisher inherits the buyer's illegal call. "We just passed the lead along" is not a defense. It's the theory of the complaint.
So compliance here isn't about one statute. It's about proving, at every handoff, that the consumer agreed to what actually happened to them, and that everyone in the chain is who they said they were and did what they said they'd do.
The laws that put you at risk
Five bodies of law drive nearly every lead-gen enforcement action and class case. Here's where each one bites.
TCPA — the one that writes the biggest checks
The Telephone Consumer Protection Act (“TCPA”) governs calls and texts to consumers. Statutory damages run $500 to $1,500 per call or text, with no cap. Multiply that by a lead file and you understand why TCPA is the plaintiff's bar's favorite tool against lead-gen.
Three points where operators are consistently wrong on the current law:
The FCC's one-to-one consent rule is dead, but written consent is not. YET. The rule that would have required consent to be tied to a single, specific seller was struck down by the Eleventh Circuit in early 2025 before it ever took effect. The FCC lacked the authority. If a vendor, a "compliance" webinar, or a competitor's out-of-date blog post is still telling you to build your business around one-to-one consent, they're working from a rule that no longer exists. That doesn't mean consent got easier. It means the standard reverted to prior express written consent for marketing communications (both calls and texts), and that standard still has to be real, documented, and tied to your brand. However, even this is still being contested in court.
Revocation is the new battleground. The FCC's 2025 revocation rules are in effect. A consumer can revoke consent through any reasonable method — text, email, a live "stop calling me" — and you have to honor it within 10 business days across channels. The broader "revoke once, revoke everything" expansion was pushed to January 31, 2027, which gives you runway to build the infrastructure now. Most operators don't have it.
Using AI Voice is simple. The use of AI voice is covered by the TCPA, as well as other law and regulations including state laws. But, the lead generators who are using AI voice to contact consumers are not always doing it correctly. The consent language matters, the scripting matters, and understanding how the product works are all areas where lead generators are tripping over themselves.
Telemarketing Sales Rule
The FTC's TSR overlays the TCPA for telemarketing: do-not-call scrubbing, disclosure requirements, record retention, and rules on abandoned and prerecorded calls. It carries its own penalties and its own enforcement path. Lead buyers who dial routinely underestimate how much of their exposure lives here rather than in the TCPA.
State data-broker and privacy law
If you sell leads, you almost certainly meet the legal definition of a "data broker" and the definition of a "data sale." That triggers registration obligations in a growing list of states. California's enforcement is real. The state's privacy regulator is active, and has already issued five- and six-figure penalties for failure to register. Layer on CCPA, the other state privacy statutes, and "Do Not Sell or Share" obligations, and the data side of lead-gen is now a standalone compliance program, not a footnote. New Jersey's data broker can require an annual registration fee of $1.5 million and the requirements to register are broader than you think.
FTC UDAP and the SCAM Act
The FTC has broad authority over unfair and deceptive practices across the entire lead ecosystem. The ads used to capture leads, the disclosures on the form, who the consumer thinks they're talking to. Newer measures like the proposed SCAM Act push advertiser-verification duties further down the chain. If an affiliate three hops away runs a deceptive ad, that can become your problem.
State mini-TCPAs and vertical rules
Florida, Oklahoma, Washington and others have their own telemarketing statutes. Some of these state laws are stricter than federal law and even include their own private rights of action. And vertical-specific rules matter: California's SB 37, for example, created new exposure for legal lead generation specifically. If you operate in insurance, mortgage, solar, debt, or legal, the vertical has its own rulebook on top of everything above.
Where operators actually get burned
Understanding the statutes are the starting point, but the implementation of that knowledge is where lead-gen businesses lose, in my experience running one:
Consent you can't prove. You may have collected valid consent. But if you can't produce the checkbox state, the exact disclosure language shown, the source URL, and the timestamp (even years later), then you have no consent that counts. Proof is the product.
Affiliates and publishers you don't control. Your worst legal exposure is usually a partner you've never met making claims you never approved. Liability flows up the chain to you.
The gap between the form and the buyer. Consumers who think they're talking to a lender, an insurer, or "the government" instead of a lead generator. That mismatch is a deception claim waiting to happen — and it's often invisible until a regulator maps it.
Ping-tree and resale surprises. Leads sold and resold to buyers with no legitimate need for the data. Sensitive data going where it shouldn't. Every hop adds a party who can sue or be sued.
Contracts that don't allocate the risk. When the lawsuit lands, the indemnification clause decides who actually pays. Most lead-gen contracts I review either don't address it or get it backwards.
What good looks like: the compliance architecture
Answering a single question — "is this consent language okay?" — buys you a day of safety. Building the system is what makes the question stop recurring. A defensible lead-gen compliance program has seven parts:
Consent capture and proof. Disclosure language that's current and brand-tied, plus independent, retained proof of every consent — checkbox, language, URL, timestamp — kept for at least five years.
Disclosures that are clear and conspicuous. It's not enough to have the language. The consumers have to have seen it and agreed to it. Footers are not always enough.
Vendor and publisher vetting and monitoring. Onboarding diligence, contractual compliance standards, ongoing monitoring, and the willingness to terminate partners who fail. Policing the chain is a legal duty, not a courtesy.
Revocation handling across channels. Workflows that capture "stop" from any channel and honor it within 10 business days. All reasonable requests have to be honored, even when using AI voice or text messages.
Data-broker and privacy compliance. Registration where required, "Do Not Sell or Share" mechanics, and a data map showing where every lead goes.
Contract architecture. Marketing agreements, data-use terms, and indemnification that put the risk where it belongs before a claim, not after.
A record you can defend. Documentation designed to be handed to a regulator or a plaintiff's lawyer and to end the conversation, not extend it.
How Henson Legal helps
Most lawyers who advise lead-gen operators have read about the industry. I ran compliance inside it. That's the difference you're buying: an attorney who understands both the legal risk and the revenue mechanics, and won't hand you advice that quietly kills your funnel.
The way we work is simple. You bring a discrete question (a consent form, a new vertical, a vendor contract, a demand letter, etc.) and we answer it. In a useful way, not a twenty page memo you stick on a shelf.
Frequently asked questions
Is the FCC one-to-one consent rule still in effect? No. The Eleventh Circuit struck it down in 2025 before it took effect, holding that the FCC exceeded its authority. Consent reverts to the prior express written consent standard — which still has to be documented and tied to your brand. Anyone advising you to build around one-to-one consent is working from a dead rule.
Do I need consent if I'm only buying leads, not generating them? Yes. Liability under the TCPA and FTC Act flows to buyers, not just publishers. If the underlying consent was defective, the buyer who calls or texts is the one holding the $500–$1,500-per-contact exposure. Demand documented, brand-tied proof of consent for every lead.
Am I a "data broker" if I sell leads? Almost certainly. Selling leads generally meets the legal definition of a data sale, and lead sellers typically meet the data-broker definition — which triggers state registration duties. California has already imposed penalties for failure to register.
How long do I have to honor an opt-out? No more than 10 business days, under the FCC's 2025 revocation rules, and you must accept revocation through any reasonable method and channel. A broader "revoke once, applies to everything" requirement takes effect January 31, 2027.
What are the penalties for getting this wrong? TCPA statutory damages are $500–$1,500 per call or text with no cap, which is why cases become class actions fast. Add FTC actions, state data-broker penalties, and state mini-TCPA private rights of action, and a single compliance gap can threaten the business.
How is Henson Legal different from a bigger firm? The founder ran compliance at LendingTree and served as General Counsel at ConsumerAffairs — operator experience in lead generation, not just outside counsel who studied it. You get advice that protects the business and the revenue at the same time, plus retainer options built for how lead-gen companies actually operate.
About John Henson
John Henson founded Henson Legal, PLLC in May 2025 after a career guiding household-name brands through TCPA, state privacy laws, and FTC regulations—including serving as interim General Counsel at LendingTree. He focuses on helping lead sellers and lead buyers manage TCPA vicarious liability risks, and advising AI voice product builders on FCC artificial voice compliance. John's clients span insurance, financial services, and technology companies on the leading edge of customer acquisition.