How to Audit Your Lead Generation Vendors Before the Lawsuit Does

You know you're exposed. If you buy leads or use third-party vendors to make calls on your behalf, TCPA vicarious liability means you can face damages for calls you never made, to people you never contacted, using consent you never collected.

The case law is clear. In Klassen v. SolidQuote, a company four entities removed from the actual caller still faced liability because its agent continued a sales pitch after learning the call was outbound. The FTC's MediaAlpha enforcement action held lead buyers accountable for their vendors' deceptive consent practices. And American Income Life paid $14 million to settle claims arising from calls made by independent agents.

Most companies respond to this risk by adding TCPA compliance provisions to their vendor contracts. That's necessary. It is not sufficient.

A compliance clause in a contract is a promise. An audit is proof. And when a plaintiff's attorney asks what you did to verify your vendor's practices, "we had a contract" is the answer that loses.

Why Contracts Aren't Enough

Here's the thing. Courts evaluating vicarious liability don't just look at what you wrote in an agreement. They look at what you knew, what you should have known, and what you did about it.

In Dickson v. Direct Energy, the defendant won on vicarious liability in part because the relationship was structured to avoid agency — no operational control, no authority to bind, clear contractual disclaimers. But even that court acknowledged that the analysis would shift if the defendant had knowledge of non-compliant practices and failed to act.

Ratification — the doctrine that killed SolidQuote — requires an opportunity to learn about and respond to a compliance problem. If your vendor is making non-compliant calls and you've never looked, you haven't avoided the problem. You've avoided knowing about the problem. Judges notice the difference.

A vendor audit of your lead generators gives you three things no contract can: actual knowledge of what your vendor is doing, a documented record of your due diligence, and the opportunity to fix problems before they become lawsuits.

The Seven-Point Vendor Audit

This isn't a compliance questionnaire you email once and file. It's a structured review you perform before onboarding a new vendor, repeat at regular intervals for existing vendors, and document thoroughly every time.

1. Consent Language Review

This is the single most important element of any lead gen vendor audit. The consent language on your vendor's forms is the foundation of every call you'll make using their leads.

Pull the actual form. Not the version the vendor sends you in a PDF — the live page a consumer sees. Screenshot it. Save the HTML. Timestamp it.

Check for the fourteen elements that TCPA consent language should contain. Is the disclosure clear and conspicuous? Is it above or immediately adjacent to the action button, not buried below the fold? Does it identify the specific company (you) that will be calling? Does it state the purpose of the calls? Does it disclose the use of automated technology, prerecorded voice, or AI voice if applicable?

After the Supreme Court's decision in Loper Bright and the Fifth Circuit's ruling questioning whether "prior express written consent" was validly promulgated by the FCC, the consent landscape is shifting. But the safe play remains: verify that the consent language on the form would satisfy the most demanding reading of the statute. Don't build your lead buying strategy on the hope that a regulatory rollback saves you.

Check the consent language placement. The SnapCommerce decision demonstrated that even if the language is present on the website, it still might not be sufficient if it's placed where consumers won't reasonably see it. If your vendor's consent language links to terms that contain the actual TCPA disclosure, verify the link is conspicuous, functional, and leads to the correct document.

2. Consent Record Retrieval

Having consent language on a form means nothing if the vendor can't prove a specific consumer actually saw it and clicked.

Request a sample consent record for a known lead. The vendor should be able to produce, at minimum: the consumer's name and phone number, the exact URL of the page where consent was collected, a timestamp of when consent was given, the IP address of the consumer, and the exact text of the disclosure that was displayed at the time of consent. This is doubly true for your AI Voice vendors.

This last element — the exact disclosure text at the time of consent — is where most vendors fail. Forms change. Vendors update language, redesign pages, A/B test disclosures. If the vendor can only show you what the form looks like today, they can't prove what the consumer saw six months ago when they submitted their information.

The best vendors use consent management platforms that archive the form state at the time of each submission. If your vendor can't produce a time-stamped snapshot of the disclosure a specific consumer saw, you have a consent proof problem that no contract clause will fix.
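As an added example (not part of the original article), the Python sketch below cross-checks a vendor-produced consent record against the buyer's own timestamped captures of the live form, as described in the Consent Language Review and Consent Record Retrieval steps. The field names, URL, buyer name, and sample data are assumptions constructed for illustration, and a mismatch is a prompt for follow-up with the vendor, not proof of what the consumer saw.

```python
from bisect import bisect_right
from datetime import datetime

# Fields the article says a vendor must produce for a known lead.
REQUIRED = ("name", "phone", "url", "consented_at", "ip", "disclosure_text")

def _norm(text):
    return " ".join(text.lower().split())

def capture_in_effect(captures, url, when):
    """Latest of the buyer's own captures of `url` taken at or before `when`."""
    versions = sorted((c for c in captures if c["url"] == url),
                      key=lambda c: c["captured_at"])
    i = bisect_right([c["captured_at"] for c in versions], when) - 1
    return versions[i] if i >= 0 else None

def audit_consent_record(record, captures, buyer):
    findings = [f"missing field: {f}" for f in REQUIRED if not record.get(f)]
    if findings:
        return findings
    when = datetime.fromisoformat(record["consented_at"])
    capture = capture_in_effect(captures, record["url"], when)
    if capture is None:
        findings.append("no capture of this form predates the consent timestamp")
    elif _norm(capture["text"]) != _norm(record["disclosure_text"]):
        findings.append("disclosure text differs from capture taken "
                        + capture["captured_at"].date().isoformat())
    if _norm(buyer) not in _norm(record["disclosure_text"]):
        findings.append("disclosure does not name the buyer")
    return findings

# Constructed sample data (hypothetical vendor URL, buyer and consumer).
URL = "https://leads.example.com/quote"
NEW_TEXT = ("By clicking Get Quote you agree that Example Insurance Co "
            "may call you using automated technology.")
CAPTURES = [
    {"url": URL, "captured_at": datetime.fromisoformat("2025-01-15T00:00:00+00:00"),
     "text": "By clicking Get Quote you agree that our partners may call you."},
    {"url": URL, "captured_at": datetime.fromisoformat("2025-04-15T00:00:00+00:00"),
     "text": NEW_TEXT},
]
RECORD = {"name": "Pat Sample", "phone": "+1-202-555-0100", "url": URL,
          "consented_at": "2025-03-10T14:05:00+00:00", "ip": "203.0.113.7",
          "disclosure_text": NEW_TEXT}

if __name__ == "__main__":
    for finding in audit_consent_record(RECORD, CAPTURES, "Example Insurance Co"):
        print(finding)
```

In the sample, the vendor's record for a March lead carries disclosure text that the buyer's captures first show in April, which is the "what the form looks like today" problem in concrete form.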

3. DNC Scrubbing Verification

Ask three questions. First: does the vendor scrub against the National Do-Not-Call Registry? The TCPA requires scrubbing at least every 31 days. Second: does the vendor maintain an internal DNC list? If the vendor makes calls, they're required to maintain their own internal list and honor requests for five years. Third: does the vendor share DNC data across affiliated entities?

The Moore v. Farmers Group decision made clear that DNC requests made to one entity using a brand name can bind all affiliates operating under that brand. If your vendor generates leads for multiple buyers in the same industry, ask how they handle cross-entity DNC propagation. A consumer who tells one insurance agent using your vendor's leads to stop calling may have a reasonable expectation that all agents using that vendor's leads will stop calling.

Request proof of the last National DNC scrub — date, record count, and scrub provider. If the vendor can't produce this, they're either not scrubbing or not documenting it. Both are disqualifying.

4. Call Recording and Script Review

If your vendor makes outbound calls as part of the lead generation process — warm transfers, live call verification, appointment setting — you need to hear what they're saying.

Request a random sample of call recordings. Not the vendor's best calls. A random sample from the last 30 days, covering multiple agents and campaigns.

Listen for: proper identification of the caller at the outset, disclosure of the purpose of the call, an opt-out mechanism offered within two seconds of the initial message (for prerecorded or AI-generated calls), accurate identification of your company (not a generic or misleading name), and whether the agent continues the call after a consumer expresses disinterest or requests to be placed on a DNC list.

If the vendor uses prerecorded or artificial voice messages — including AI voice agents — the FCC's February 2024 Declaratory Ruling means every disclosure requirement under 47 C.F.R. § 64.1200(b) applies in full. The vendor should be able to demonstrate compliance with caller ID, callback number, and opt-out mechanism requirements.

Also review the vendor's scripts. Are they making representations about your company that are accurate? Are they using language that could be considered deceptive under the FTC Act or state UDAP statutes? You're not just auditing for TCPA compliance — you're auditing for any legal exposure their calls could create for your brand.

5. Lead Source Transparency

Where does the vendor get their leads? This question seems obvious, but the answer is often obscured by layers of aggregation.

If the vendor aggregates leads from sub-vendors, you need to know who those sub-vendors are. The MediaAlpha case demonstrated that lead buyers can be held responsible for the consent practices of entities in the lead chain, even if they never dealt with those entities directly.

Ask the vendor to identify every source from which they acquire leads that will be sold to you. If they refuse on competitive grounds, that's a red flag — not because competitive concerns aren't legitimate, but because it means you can't audit the actual consent collection process.

At minimum, insist on the right to audit any sub-vendor that generates leads sold to you. Include this right in your contract, and exercise it. The difference between a company that reserved audit rights and one that actually audited is the difference between a defense and a talking point.

6. Reassigned Number Database and Repeat Litigators Scrubs

The FCC's Reassigned Numbers Database (RND) has been available for callers to verify whether a phone number has been reassigned from the person who originally consented to calls. If you're calling a number that was reassigned after consent was obtained, you're calling without consent — period.

Additionally, there are vendors who offer a list of repeat litigators. According to a review of consumer class actions by Webrecon.com, over 40% of consumer class actions in 2025 were filed by a consumer who filed a prior lawsuit. Ask your vendor whether they scrub leads against the RND or a repeat litigator list before delivery. If they don't, you need to scrub them yourself before making any calls. And document the scrub — date, number of leads checked, results — because the safe harbor for calling a reassigned number requires the caller to have checked the RND within 15 days of the call.

7. Data Handling and Retention

Consent records, call recordings, DNC lists, and lead source documentation are all discoverable in TCPA litigation. Your vendor's data retention practices determine whether you'll have the evidence you need to defend yourself.

Ask how long the vendor retains consent records. The TCPA's statute of limitations is four years. The TSR requires five years of call records. Your vendor should retain consent documentation for at least five years from the date of lead delivery.

Ask where the data is stored, who has access, and what happens if the vendor goes out of business. A vendor that stores consent records in a system that becomes inaccessible when the company folds leaves you holding leads with no provable consent.

If you're in a regulated industry — insurance, financial services, healthcare — confirm that the vendor's data handling practices comply with industry-specific requirements (GLBA, HIPAA, state insurance regulations). The TCPA audit is the floor, not the ceiling.

Ongoing Monitoring vs. One-Time Diligence

A pre-contract audit is the baseline. It tells you whether a vendor's practices pass muster at a single point in time. But vendors change forms, update scripts, add sub-vendors, and rotate call center staff. A vendor that was compliant in January may not be compliant in June.

Build ongoing monitoring into the relationship. At minimum: pull and review consent forms quarterly, request fresh call recording samples every 90 days, confirm National DNC scrub dates monthly, and re-verify lead sources annually.

Document every review. Date, reviewer, findings, any corrective action requested, and whether the vendor implemented it. This is the record you'll produce in discovery to show you didn't just sign a contract and look away.

Red Flags That Should Kill a Deal

Some findings from a vendor audit aren't fixable. They're disqualifying.

No consent records at all. If the vendor can't produce a consent record for a specific lead, they either aren't collecting consent properly or aren't retaining proof. Walk away.

Consent language that doesn't identify your company. Generic consent that says "you agree to be contacted by our partners" without naming the specific entity that will call is legally questionable after the FCC's one-to-one consent rulemaking — even if that specific rule was later vacated. Courts are still evaluating what "clear and conspicuous" means, and consent that doesn't name you is an uphill argument.

Refusal to disclose lead sources. If you can't audit the origin of your leads, you're buying a liability you can't evaluate.

No DNC scrubbing documentation. This is TCPA 101. A vendor that can't prove they're scrubbing is a vendor that isn't scrubbing.

Calls continuing after opt-out requests. If your call recording sample reveals agents proceeding with a pitch after a consumer says "don't call me" or "put me on your list," stop buying from this vendor immediately. This is the exact conduct that creates ratification liability — the lesson from SolidQuote.

The Bottom Line

TCPA vicarious liability is a documentation defense. You build the defense before you need it — during vendor selection, not after a demand letter arrives.

The audit process I've outlined here isn't complicated. It's thorough. And the companies that do it consistently are the ones that win summary judgment motions while their competitors are writing settlement checks.

Audit your vendors. Document the results. Fix what you find. And do it again next quarter.

The alternative is letting a plaintiff's attorney audit your vendor for you. They won't be as polite about it.

John H. Henson

John Henson founded Henson Legal, PLLC in May 2025 after a career guiding household-name brands through TCPA, state privacy laws, and FTC regulations—including serving as interim General Counsel at LendingTree. He focuses on helping lead sellers and lead buyers manage TCPA vicarious liability risks, and advising AI voice product builders on FCC artificial voice compliance. John's clients span insurance, financial services, and technology companies on the leading edge of customer acquisition.

https://www.henson-legal.com/about