Written by John H. Henson
TCPA Consent Language After the One-to-One Rule: Templates & Requirements [2026]
The lead generation industry prepared for over a year for the FCC's one-to-one consent rule to take effect, but it then got vacated by the Eleventh Circuit in Insurance Marketing Coalition v. FCC in January 2025. The rule is gone at the federal level. The consent architecture it forced into the market is not.
Federal consent law is in flux post-Loper Bright. The cost of getting consent wrong has moved from settlement nuisance to existential risk. Class actions filings are increasing, state AGs are coordinating across coalitions, and the FCC has shown it will hammer voice providers regardless of who originated the bad traffic.
This guide gives you the consent language that works, the templates you can adapt by channel and industry, and the operational architecture that makes the language defensible when it matters — at the moment of a class complaint or an AG investigation.
1. What "TCPA Consent Language" Means in 2026
TCPA consent language is the disclosure a consumer sees, hears, or agrees to before a company calls or texts them for a marketing purpose using regulated technology. It is not a single phrase. It is a four-part assembly: a clear identification of who is calling, a clear identification of what technology is being used, a clear statement of what the consumer is consenting to, and a clear statement that consent is not required to obtain any product or service.
The 2026 baseline is set by three forces operating together: the federal TCPA at 47 U.S.C. § 227 and its implementing regulations at 47 C.F.R. § 64.1200; the FCC's February 2024 declaratory ruling classifying AI-generated voice as "artificial" voice under the TCPA; and a growing stack of state mini-TCPA statutes that the federal savings clause at § 227(f)(1) expressly preserves. Federal compliance is necessary but never sufficient for any company with national reach.
The distinction that matters operationally is the difference between consent language and consent architecture. Consent language is the sentence on the form. Consent architecture is the system that captures it, stores it, links it to a specific lead and a specific seller, retains it for at least five years, and produces it on demand. Get the sentence right and lose the audit trail and you lose the case. The TSR's 2024 recordkeeping amendments made that explicit at the federal level. Plaintiff-friendly courts already operated this way.
2. The 14 Elements of a TCPA-Compliant Consent Disclosure
Every defensible TCPA consent disclosure does fourteen things. Some are statutory. Some are regulatory. Some are litigation-tested. Miss any one and the disclosure is challengeable — by the consumer, by a class plaintiff, or by a state AG. They group into three layers: how the consumer says yes, what the consumer is saying yes to, and who and where the yes attaches.
How the Consumer Says Yes
The first job of the disclosure is to capture an affirmative act of acceptance. Passive behavior is not consent. The consumer has to do something — check a box, click a clearly labeled CTA, sign a name. Continuing to browse the page is not enough; courts have been explicit on that point, and the Eleventh Circuit reinforced it in Tejon v. Zeus Networks, covered in Section 7.
The most defensible acceptance mechanism is an unchecked checkbox specifically tied to the consent, separate from any general "Submit" action. A submission that fires consent as a side effect of a different click is weaker than a click the consumer was told would constitute consent. The disclosure should state expressly that the consumer's action constitutes their authorized electronic signature — that language creates the written-consent record the TCPA regulations require and bridges the click to the "in writing" element of prior express written consent.
Placement matters as much as language. The disclosure should appear above the action button, not below it. One reason is that mobile users may never even see the disclosure if the disclosure is too far below the CTA. A disclosure the consumer never saw is a disclosure that never attached. The consent-not-required statement — "Accepting this consent is not required to obtain any good or service" — must appear in the same field of view, in the same size as the consent text, not behind a link or in an FAQ. This is a key definitional element of "prior express written consent". The consumer must also have a genuine alternative path to the product — a phone number or other contact method that does not require form submission and does not require the consumer to consent to marketing. The consent-not-required statement is statutory; the alternative path is what makes it true rather than ceremonial.
What the Consumer Is Authorizing
The second job of the disclosure is to scope what the consumer is agreeing to. Each channel and each technology has to be named on its own. A disclosure that names "calls" but not "text messages" does not authorize text messages — and for most insurance agents, lead generators, and AI voice operators, the outreach mix includes both. The disclosure has to specifically reference SMS and MMS, and to name texts and calls as parallel channels rather than burying one under a general reference.
Technology has to be named the same way. Reference to an automatic telephone dialing system is the baseline; generic phrases like "automated technology" are better than silence, but explicit ATDS disclosure is stronger and demonstrates the consumer understood the specific technology involved. Prerecorded or artificial voice is a separate disclosure that has to appear even where ATDS is also named — they're different regulatory categories under the TCPA.
One of the biggest mistakes companies are currently making is failing to explicitly get consent for the use of AI voice. The FCC's February 2024 declaratory ruling brought AI voice within the artificial-voice prong; several states have moved further with AI-disclosure obligations on top of that, and insurance and lead-gen operators should expect that trend to continue. The defensible position is to name "AI-generated voice" alongside ATDS and prerecorded or artificial voice in the same sentence. Again, hoping that the simple use of "calling technologies" or "autodialers" is a risk that companies should not be taking.
The purpose of the contact has to be marketing or promotional, stated explicitly. Marketing communications require prior express written consent under the TCPA's regulations; informational and transactional messages operate under a different and looser consent regime. The disclosure must make clear which the consumer is authorizing. "Marketing and promotional messages related to the product or service I am inquiring about" is the standard formulation and the one most defensible under the FCC's "logically and topically related" guidance. Open-ended language like "any offers we think you might like" creates scope problems and is plaintiff-bait.
Who and Where the Consent Attaches
The third job of the disclosure is to identify the parties to whom consent flows and to lock the consent to a specific number entered on a specific page. The seller has to be named by name, in the disclosure itself, not in a linked privacy policy. After Insurance Marketing Coalition v. FCC vacated the federal one-to-one rule, the formal federal named-seller requirement is gone, but Florida, Oklahoma, and Maryland still require it or its functional equivalent, and lead-buyer contracts demand it.
Where the consent contemplates contact by partners — a dialing vendor, an AI voice platform, an affiliated agency, a co-registration buyer — those parties must be authorized in the disclosure itself. A consent record that names the seller but not the seller's dialing or AI voice vendor may not cover the vendor's calls. A co-registration partner list must be reasonable in size and accessible at the point of click; under the FCC's current framework, each seller should ideally be obtaining consent independently rather than relying on a shared multi-seller list.
Finally, the phone number being authorized has to be collected on the same page as the consent language. Consent gathered on one page for a number entered on a different page is the textbook documentation gap, and plaintiffs' counsel know how to find it. Oklahoma's OTSA, in particular, has explicit statutory language requiring the specific number authorized — capturing it elsewhere in the flow is structurally defective and does not survive a state-court audit.
3. The One-to-One Consent Rule Explained
The FCC proposed the one-to-one consent rule in December 2023 to close the "lead generator loophole" — the practice of obtaining a single consumer consent that authorized contact by an unlimited list of unaffiliated sellers. The rule required that prior express written consent (1) authorize contact by a single, identified seller and (2) cover only calls and texts "logically and topically associated" with the website on which consent was obtained.
The Eleventh Circuit vacated the rule in Insurance Marketing Coalition v. FCC, 142 F.4th 1129 (11th Cir. 2025), holding that the FCC exceeded its statutory authority. The decision is consistent with the broader post-Loper Bright pattern of federal courts narrowing FCC rulemaking authority. Since Loper-Bright, there has been a rise in courts questioning well understood FCC guidance, including around the requirement for "prior express written consent".
Two things matter operationally. First, the underlying "logically and topically associated" scope concept remains intact as a TCPA interpretive principle even where the formal rule has been vacated. Second, the rule survives at the state level. Florida's FTSA requires "prior express written consent" tied to the specific seller. Oklahoma's OTSA requires the same and specifies the number authorized. Maryland's Stop the Spam Calls Act imposes a written-consent regime that does not depend on FCC rulemaking. A platform that relaxes its consent practices in response to the Eleventh Circuit decision will pass federal scrutiny and fail state scrutiny in the most plaintiff-heavy jurisdictions in the country.
4. TCPA Consent Language Templates
These templates below are considered the standard for either single seller consent or multiple seller consent (for example, lead generators). While these templates are standard, there can be variety in the language. Depending on the use case, industry, or the technologies being used, then the language should be altered to match the proposed use case.
Single Seller, Calls and Texts, Standard
By clicking "Accept" below, I am providing my E-SIGN signature and expressly consent to {COMPANY}, directly or by third parties acting on its behalf, to send marketing and promotional messages — including text/SMS and/or calls made using an automatic telephone dialing system, pre-recorded or artificial voice messages, or AI-generated voice — related to the product or service I am inquiring about, to the number I provide above. Accepting this consent is not required to obtain any good or service.
Comparison Shopper / Multi-Seller (Named List Required)
By clicking "See My Quotes," I expressly consent to each of the {#} {PRODUCT} providers listed at the link below — and {COMPANY} on their behalf — contacting me at the telephone number I provided, by call, pre-recorded or artificial voice, AI-generated voice, or text message, including with an automatic telephone dialing system, about {PRODUCT/SERVICE}. The full list of providers is shown here: [DIRECT LINK TO NAMED-SELLER LIST]. Accepting this consent is not required to obtain any good or service.
5. Industry-Specific Variations
Consent language has to match the regulated activity. The fourteen elements stay. The framing shifts.
Insurance
Insurance lead generation is one of the highest-volume TCPA litigation environment in the country. The two failure modes are (1) reliance on a multi-seller consent that names sellers only in a buried link, and (2) capturing a consumer's number on one page and authorizing contact on a different page. The cure is a single-seller named consent at the moment of submission, or a named-list multi-seller consent with the list visible at the point of click. Ideally, the named-list is organized and presented in a way to ensure the consumer sees the seller's name.
Health insurance, specifically Medicare Advantage, requires additional consent for the sharing of information with other third-party marketing organizations ("TPMO"). CMS rules require consumers to consent to sharing their data with additional TPMOs prior to the data being shared or the consumer being contacted. Consent language should be designed to obtain all necessary consents based on the sharing practices of the website.
Mortgage and Lending
Mortgage and lending consents have to thread the TCPA and the regulatory disclosures imposed by RESPA, TILA, and state-level mortgage advertising rules. Keep the consent specific to telephonic outreach, separate from credit application authorizations, and explicit that consenting to contact does not constitute an application. One way mortgage and lending lead generators thread these needles is by splitting the TCPA consent language and the credit related consents into separate paragraphs or even on separate pages.
AI Voice Platforms
Three layers of disclosure stack here. The TCPA prior express written consent for the artificial-voice prong. The state-specific AI disclosure obligations (California AB 2905, pending Illinois HB 3021, Washington HB 2225's chatbot reminder cadence). And, where calls are recorded or processed by an AI provider, the all-party recording consent under thirteen state wiretap statutes plus D.C. A consent line that mentions "AI-generated voice" and ends does not satisfy the recording-consent layer.
Healthcare
HIPAA does not preempt TCPA. The combined disclosure has to address both. Federal regulations at 47 C.F.R. § 64.1200(a)(3)(v) carve out narrow healthcare exemptions for some healthcare messaging, but marketing communications by healthcare providers and benefits sellers do not qualify. Build the consent to satisfy both standards — TCPA prior express written consent and HIPAA authorization standards — rather than relying on either alone.
Debt Relief
Debt relief sits at the intersection of the TCPA, the TSR, and state consumer protection statutes. The TSR's 2024 recordkeeping amendments to 16 C.F.R. § 310.5(a)(8) extended consent retention to five years and explicitly required a copy of the request for consent in the same manner and format presented. Debt relief consents should be captured with full-page screenshots, retained for five years, and tied to a single seller.
6. State-Specific Consent Requirements
Federal compliance is the floor. State compliance is the operating standard for any company that places calls or sends texts into more than one jurisdiction. Three states drive most of the litigation pressure; a fourth layer — two-party recording consent — applies in fourteen jurisdictions and is independent of the consent-to-be-called question.
Florida — FTSA + FSCA
The Florida Telephone Solicitation Act requires prior express written consent for telephonic sales calls made using an "automated system for the selection and dialing" of numbers. The 2023 amendments narrowed the autodialer definition (from "or" to "and") and added a pre-suit STOP requirement for text claims, but the core consent regime and the $500–$1,500 statutory damages, no actual-injury requirement, remain. Florida generated 11.8% of all TCPA/mini-TCPA filings nationally in 2024.
Texas — TTSA + CUBI + DTPA
Texas has historically been an AG-enforcement state rather than a private-litigation state, but the picture changed in 2025. SB 140 expanded the Texas Telephone Solicitation Act to add registration and a private right of action for telemarketing violations, including text messages. However, the SB 140 expansion has not been without confusion for callers. After a lawsuit from telemarketers, the AG agreed that for campaigns based on consent registration is not required.
CUBI (Tex. Bus. & Com. Code § 503.001) imposes $25,000-per-violation AG-enforceable penalties for capture of voiceprints without prior disclosure and consent — a separate consent obligation independent of the TCPA. The DTPA backstops everything with treble damages. AG Paxton has secured nearly $3 billion in biometric and data privacy settlements. Because of these changes and the high statutory damages, Texas has seen an increase in TCPA and related litigation.
The Two-Party Recording Overlay
Recording consent is a separate legal obligation from consent-to-be-called. Thirteen states (California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Pennsylvania, Washington — plus Nevada for wire communications) and the District of Columbia require all-party or two-party consent before a telephone call may be recorded.
An AI voice call that processes audio in real time may constitute "interception" under several of these statutes even without storing a recording. The Ambriz v. Google (N.D. Cal. 2025) "capability test" suggests California courts are moving toward treating any AI processing as interception. Build a recording-consent prompt that is separate from, and visible alongside, the TCPA consent line in all-party jurisdictions.
7. Consent Placement & Page Design: After Tejon v. Zeus Networks
Consent language is half the work. Consent placement is the other half. The Eleventh Circuit made that explicit on May 1, 2026 in Tejon v. Zeus Networks, LLC, No. 24-11114 (11th Cir. May 1, 2026), holding an arbitration clause unenforceable because the link to the Terms of Service sat below a large action button in small gray text. The clause was fine on its merits. The presentation of the language killed it. The Tejon case is another in a long line of cases looking at consent language and determining whether it is clear and conspicuous enough to be upheld.
The decision is about arbitration, but the conspicuousness standard applies to every hyperlinked disclosure on a signup page — TCPA consent, named-seller lists, partner disclosures, privacy policies, class-action waivers. A clause the consumer never reasonably encountered is a clause the court will refuse to enforce.
Clickwrap vs. Browsewrap
A clickwrap agreement requires the consumer to take an affirmative act — check a box, click an "I agree" button — before the consent attaches. A browsewrap agreement places a hyperlink to terms on the page and relies on continued use as implied consent. Florida courts (and increasingly courts nationally) enforce browsewrap only when the hyperlink is "conspicuous enough to put a reasonably prudent person on inquiry notice." MetroPCS Commc'ns, Inc. v. Porter, 273 So. 3d 1025 (Fla. 3d DCA 2018). Clickwrap routinely passes that test. Browsewrap is where the litigation lives. For TCPA consent, clickwrap is the operating standard. Browsewrap-only flows are no longer defensible in any jurisdiction with active plaintiff bar activity.
The Four Design Failures From Tejon
The Eleventh Circuit named four defects that defeat conspicuousness. Each is a problem on its own. Stacked, they make the disclosure unenforceable.
Location below the action button. The user's eye stops at the button. Disclosures below the button live in dead space. Place the consent line above or immediately adjacent to the click.
Font size that matches surrounding informational copy. A link that looks like the payment-terms paragraph next to it is not a link the user has been put on notice of.
Low-contrast color. Dim gray on black is the canonical fail pattern. Use contrasting blue or a branded link color, underline the link, and reserve all caps for the substantive label where the clause is high stakes.
No "by clicking" language. The page has to tell the user what the action means. The model phrase: "By clicking [Submit / Get My Quote], you consent to be contacted by [Seller] at the phone number above, including by autodialer and pre-recorded or AI-generated voice, about [Product]." Tie the action to the agreement in the same sentence.
Operating Standard
The defensible architecture for any TCPA consent capture is a clickwrap, unchecked by default, with disclosure text in the same field of view as the action, in plain unobstructed type, with an explicit "by clicking" sentence that names what the consumer is agreeing to. Where a named-seller list or partner disclosure sits behind a hyperlink, the link should look like a link — contrasting color, underlined, larger or bolder than surrounding copy, and labeled with the substance of what is behind it ("Named Seller List" beats "More Information"). Strip surrounding clutter; every additional block of text near the button reduces the disclosure's visual weight. Document every version of the page with dated, full-page screenshots. Plaintiffs' firms run archives of bad consent pages — build your own.
8. The Burden of Proof Problem
Consent language is a sentence. Consent proof is a system. The defendant bears the burden of proving prior express written consent. Every plaintiff's lawyer who files a class action and every state AG who opens an investigation will ask one question first: produce the consent record.
The TSR's 2024 amendments at 16 C.F.R. § 310.5(a)(8) extended the retention period to five years and specified what a "complete record of consent" must contain. The Commission stated the expansion was necessary to allow it to clarify what constitutes a complete record sufficient for a telemarketer or seller to assert an affirmative defense. The six required components:
The name and telephone number of the person providing consent.
A copy of the request for consent in the same manner and format in which it was presented to the person providing consent — for web forms, a full-page screenshot of the page as the consumer saw it.
The purpose for which consent is requested and given.
A copy of the consent provided.
The date consent was given.
Documentation specific to consent around billing information required by other sections of the TSR.
These are TSR requirements but they are also the de facto benchmark for TCPA litigation defense. A defendant who produces a name, a number, and an IP address but not a screenshot of the consent page as the consumer saw it has a problem. A defendant who produces a screenshot of a different version of the page has a worse problem. A defendant who relies on "we did not retain page versions" has lost. Use TrustedForm certificates, Jornaya LeadiD tokens, full-page session replays, or signed Hyperlink consent capture vendors. Default retention: five years minimum, longer in jurisdictions with biometric or wiretapping exposure.
9. Consent Revocation Architecture
Revocation is the second half of consent. A consumer's right to withdraw consent is statutory at the federal level (47 C.F.R. § 64.1200(a)(10)) and reinforced at the state level (FTSA's STOP-reply protocol, VCDPA opt-out rights, VTPPA's January 2026 tightened opt-out provisions). All reasonable revocation requests must be honored. Revocation that is not honored within a defined cure window is per-call exposure.
A defensible revocation architecture has five components. First, channel coverage — a STOP via SMS, a verbal "remove me" on a call, an unsubscribe link in email, and a written request through any reasonable channel all suppress contact across all channels. The 2024 FCC ruling on revocation made the cross-channel scope explicit. Second, a defined honoring window — the federal standard is up to 10 business days; the operational standard should be 24 to 48 hours given how quickly state-level claims accrue. Third, suppression list integrity — the suppression has to flow downstream to every dialer, every CRM, every co-registration partner, every reseller of the lead. Suppression that lives only in the originating system but not the downstream buyer's system is the most common preventable cause of "revoked-but-still-contacted" claims. Fourth, audit logging — the timestamp of the revocation, the channel, the verbatim message, and the timestamp the suppression took effect across all downstream systems. Fifth, vendor flow-down — contracts with lead buyers and dialer providers must require honoring of suppression within the same window.
10. FAQ
Q1. Is the FCC one-to-one consent rule still in effect?
No. The Eleventh Circuit vacated the rule in Insurance Marketing Coalition v. FCC, 142 F.4th 1129 (11th Cir. 2025). But the seller still must be identified at the federal levels and the state mini-TCPAs — Florida FTSA, Oklahoma OTSA, Maryland Stop the Spam Calls Act — still require single-seller written consent or its functional equivalent. One-to-one might be gone, but the requirement to clearly identify the seller is not.
Q2. Do I have to name AI voice specifically in my consent language?
Yes, as a practical matter. The FCC's February 2024 declaratory ruling classified AI-generated voice as "artificial" voice under the TCPA, bringing it within the prior express written consent requirement. The defensible position is to name "AI-generated voice" explicitly alongside "automatic telephone dialing system" and "pre-recorded or artificial voice messages" in the consent disclosure. It eliminates one more area for argument in a lawsuit.
Q3. How long do I have to retain consent records?
TCPA has a four-year look back, but the TSR's statute of limitations is five years under the 2024 amendments. The retained record must include the consumer's name and number, a copy of the request for consent in the same format presented to the consumer, the purpose, a copy of the consent provided, and the date. Web forms require a full-page screenshot. Where state biometric or wiretapping statutes are in play, retention horizons can extend further.
Q4. Is implied consent enough for AI voice calls?
No. AI voice calls fall within the artificial voice prong of the TCPA, which requires prior express written consent. Implied consent — "the consumer kept talking, so they consented" — is not a defense to a TCPA artificial-voice claim or to a state mini-TCPA claim, and in all-party recording states it is not a defense to a wiretap claim. Also, implied consent does not exist under TCPA.
Q5. Can I rely on a vendor's TrustedForm certificate as my proof of consent?
A TrustedForm certificate or Jornaya LeadiD token is strong evidence of the consent event but it is not a complete record of consent under the TSR. You also need the version of the consent page the consumer saw, the disclosure language, the seller identification, and the date. Treat the third-party certificate as one piece of the file, not the whole file.
Q6. Does my privacy policy count as consent?
No. TCPA prior express written consent must be a specific, conspicuous, and affirmative authorization to be contacted on a specified number by a specified entity using specified technology. Additionally, the definition of "clear and conspicuous" requires the consent to be "separate and distinguishable from the advertising copy or other disclosures", such as the privacy policy or terms of service. A privacy policy describing data practices is not consent to telephonic marketing. State mini-TCPAs reinforce this. Plaintiffs' lawyers test it as a routine theory.
Q7. Do consent rules apply to text messages the same way they apply to calls?
Yes, sometimes. Text messages are "calls" under the TCPA and are independently regulated by state mini-TCPAs. The Fifth Circuit has recently ruled that the TCPA does not apply to text messages and overrides FCC guidance based on Loper Bright. The CTIA and carrier rules — 10DLC registration, SHAFT-C compliance — sit on top of the TCPA consent regime, not in place of it.
Q8. What is the operating cost of a TCPA class action settlement?
Class-action settlements in the lead-generation, insurance, and mortgage spaces commonly run from $1 million to $20+ million, plus defense costs. Florida-specific FTSA matters and Illinois ATDA matters skew higher because of statutory-damages structure. The price of a defensible consent program is significantly lower than the price of one preventable class action.
Q9. What is the difference between clickwrap and browsewrap consent, and which one do I need?
Clickwrap requires the consumer to affirmatively check a box or click an "I agree" button. Browsewrap relies on a hyperlink to terms and treats continued use as implied consent. After Tejon v. Zeus Networks (11th Cir. May 1, 2026), browsewrap is hard to defend whenever a meaningful clause — TCPA consent, named-seller list, arbitration, class waiver — is buried in the linked terms. The operating standard for TCPA consent is clickwrap: an unchecked box with explicit "by clicking" language, in the same field of view as the action, with the link to any underlying disclosure rendered conspicuously. The cost of implementing clickwrap is trivial; the cost of losing arbitration or consent enforceability on a class action is not.
John Henson founded Henson Legal, PLLC in May 2025 after a career guiding household-name brands through TCPA, state privacy laws, and FTC regulations—including serving as interim General Counsel at LendingTree. He focuses on helping lead sellers and lead buyers manage TCPA vicarious liability risks, and advising AI voice product builders on FCC artificial voice compliance. John's clients span insurance, financial services, and technology companies on the leading edge of customer acquisition.