Three Questions to Ask Before Buying Leads
For any high-growth business, buying leads at scale can feel like pouring fuel on the fire. From a revenue generating perspective, it's one of the fastest ways to scale a customer acquisition engine. But from a legal perspective, it can be the fastest way to bankrupt a company.
The reason is a federal statute called the Telephone Consumer Protection Act (TCPA), and its risks are staggering: statutory damages of up to $1,500 per call or text. Do the math on your own outreach campaigns, and you'll quickly realize this is a "bet the company" issue.
The Three Foundational Questions to Ask Lead Generators
When you start exploring how to buy leads, you must conduct rigorous due diligence. To avoid being the low-hanging fruit for professional plaintiffs, every business leader must get clear, unequivocal answers to three foundational questions.
1. How Are These Leads Sourced? Not all leads are created equal. You need to know the exact origin and nature of the data you are purchasing. Are they first-party leads that you are generating yourself through your own ad campaigns? Or are they coming from a third-party aggregator that sources leads from various places? If it's an aggregator, are the leads exclusive to you, or are they shared leads being sold to you and your competitors simultaneously or even on a delay? First-party leads offer more control, but they aren't without risk—your own ad campaigns and website funnels must be perfectly compliant.
2. How Will You Contact These Leads? Your technology stack is a core part of your risk profile. The method you use to contact a lead dictates the entire compliance framework you must follow. There is a vast spectrum of risk, from sending an email on the low end to using an Automatic Telephone Dialing System (ATDS), an AI-generated voice, or prerecorded voicemails on the high end. This isn't just an IT decision; it's a strategic risk management decision. The technology you deploy determines the level of consent you are legally required to have.
3. What Level of Consent Was Obtained? This is the most important question of all, and the answer depends entirely on your answer to question #2. The TCPA has two primary tiers of consent: Prior Express Consent and the much higher standard of Prior Express Written Consent. Understanding which one you need—and verifying that your lead provider has obtained it—is the absolute key to compliant outreach.
Decoding TCPA Compliance: A Tale of Two Risks
At a high level, TCPA liability comes in two main flavors. The good news is that the right consent can solve for both.
Risk #1: Regulated Technology This is the risk associated with your tech stack. If you use an ATDS or an artificial/prerecorded voice (which the FCC has confirmed includes AI-generated voices), you are using regulated technology. For any marketing messages sent using this tech, you must have Prior Express Written Consent. This is non-negotiable, and it means your company must be explicitly named in the consent language the consumer agreed to.
Risk #2: The Do-Not-Call (DNC) Registry The second risk involves the National DNC Registry, which prohibits "telephone solicitations" to any number on the list. However, there are two key exceptions to this rule: one is consent (similar to the consent required for Regulated Technology) and the other is the Established Business Relationship (EBR). If a consumer has reached out to you with an inquiry, you generally have a three-month window to contact them back, even if they are on the DNC list. This EBR exception, however, does not apply if you use regulated technology.
From Defense to Offense: Your Proactive Data Strategy
The best way to mitigate risk is to be proactive.
In addition to securing proper consent, a robust compliance program involves systematically cleaning your data to remove high-risk contacts before you ever reach out. This includes the following tactics for risk mitigation:
Scrub the DNC List: Regularly scrub your lists against the National DNC Registry to ensure you are honoring consumer preferences.
Scrub the Reassigned Number Database: Over two million phone numbers are reassigned each year. Scrubbing against this database prevents you from contacting a new owner who never gave you consent.
Scrub for Litigators: Maintain and scrub against a list of known professional TCPA plaintiffs and litigators to remove bad actors who are looking for a quick payday.
The "Show Me" Principle for Fearless Growth
Ultimately, the burden of proof is on you. When vetting a marketing partner, you must adopt the mindset of the Missouri, the "Show Me State." Don't just take their word for it—demand proof.
This is what to ask potential lead generation partners:
Show me the entire user flow, from the initial ad to the final submission page. Let me see the exact consent language the consumer agreed to. Show me the complete list of companies that are named in that consent.
If your potential marketing partners cannot or will not provide this transparency, you need to run, not walk, and find new ones.
A trustworthy partner will be proud to show you their compliant process. The difference between the two is the difference between buying a scalable asset and buying a future class-action lawsuit.
