Skip to main content
VA Horizon
Book a Call
Compliance Guide

TCPA Compliance for MCA Lead Buyers: What ISOs Must Verify Before Outsourcing Outreach

What TCPA-compliant lead generation actually requires, why a vendor's promise isn't proof, and the exact documentation an ISO should demand before a single text goes out under its name.

Quick answer

TCPA compliance for MCA outreach requires documented, timestamped consent tied to a specific seller and disclosure, not a vendor's verbal assurance, because there is no blanket B2B exemption for texts to wireless numbers. ISOs can be held vicariously liable for a vendor's violations under agency principles, and statutory damages run $500 to $1,500 per message, uncapped. Before outsourcing, get consent records, DNC scrubbing cadence, opt-out handling, exclusivity, and indemnification in writing.

An ISO signs with a lead vendor who promises a "TCPA-compliant" list of prequalified merchants. That claim does a lot of unverified work. The vendor sourced the numbers, wrote the consent language, and ran the dialer or the texting platform. But when a merchant who never asked to be contacted files a complaint, the phone number on the message and the business name behind the outreach is the funder's, not the vendor's back-office.

This post covers what TCPA compliance actually requires for MCA and business-funding outreach: why "we only contact businesses" isn't the shield most ISOs assume it is, what counts as valid consent, why liability tends to follow whoever benefits from the outreach and not just whoever sent it, what changed with the FCC's shared-consent rule in 2025, and the specific questions to put in writing before outsourcing a single campaign.

Not legal advice. This article is educational only. TCPA law, its state overlays, and the underlying case law shift often and turn on specific facts. Consult a qualified telecommunications attorney before launching, approving, or purchasing any outbound calling or texting campaign.

Why "We Only Contact Businesses" Isn't a TCPA Defense

The confusion has a real source, and it is an easy one to walk into. The FTC's Telemarketing Sales Rule exempts most solicitation calls between a marketer and a business from its National Do Not Call Registry provisions. An ISO owner hears "B2B calls are exempt" and reasonably assumes that covers text outreach too. It does not. The FTC's rule and the TCPA are two different statutes enforced by two different federal agencies, and the FCC does not extend a matching business exemption to autodialed or prerecorded texts sent to a wireless number. B2B texts to a cell phone are covered by the same TCPA consent requirements as consumer texts.

That matters more in the MCA space than almost anywhere else, because the "business number" on a merchant's website or Meta ad is, in a large share of small operators, the owner's personal cell. A restaurant owner, a contractor, a salon operator: the phone that rings when a customer calls is very often the same phone the owner keeps in a pocket all day. The TCPA does not care how the number is labeled on a landing page. It cares whether the recipient consented to receive that specific kind of message on that specific device.

What Valid Consent Actually Looks Like

Most volume SMS platforms built for lead-generation outreach, including the dialers and texting tools that power aged-data campaigns and appointment-setting vendors alike, send from a stored, pre-loaded contact list. That kind of sending generally sits inside the TCPA's strictest consent bar: prior express written consent. To be valid, that consent needs a documented, timestamped record showing four things: a clear and conspicuous disclosure that the person is agreeing to receive marketing calls or texts, identification of which seller will be sending them, a statement that consent is not a condition of any purchase, and a signature, which can be electronic (a checked box, a typed name, a click-through).

A vendor telling you their list is "opted in" is not the same thing as a vendor producing that record. Ask for the actual artifact: the source page or call where consent was captured, the exact disclosure language shown at that moment, and the timestamp. If a vendor cannot hand that over on request, there is no way to independently verify the claim, and the underlying legal exposure does not disappear just because a salesperson said the word "compliant."

The Do Not Call Registry Covers Less Than Most ISOs Assume

Because most pure B2B calls to a clearly identified business line are exempt from the National DNC Registry, ISOs sometimes conclude DNC scrubbing is irrelevant to their outreach entirely. Two problems with that. First, the exemption is narrower than "any number tied to a business": calls that solicit an individual employee for a personal purchase, and calls to mixed-use or home-based-business lines, fall outside it. Second, and more directly relevant here, the DNC exemption governs the Telemarketing Sales Rule, not the TCPA's separate wireless-consent requirement. A number can be fully exempt from National DNC rules and still require TCPA consent before an autodialed text lands on it, because those are two different legal tests answering two different questions.

In practice, an MCA prospect list built from scraped websites and directories will always include some share of sole proprietors and owner-operators whose "business number" is a personal mobile line. Treating every number on the list as automatically DNC-exempt because it came from a business source is the kind of assumption that looks fine until one merchant with a plaintiff's attorney on retainer tests it.

Why Liability Tends to Follow the Funder, Not Just the Lead Seller

The FCC and courts apply ordinary agency-law principles to TCPA cases: actual authority, apparent authority, and ratification. In plain terms, if an ISO supplies the contact list, dictates the script, or directs the campaign strategy, or if the vendor's operations are closely tied to the ISO's business, a court can hold the ISO vicariously liable for the vendor's violations, not just the vendor that physically sent the message. Courts have held both the lead buyer and the lead seller vicariously liable for the other's conduct in TCPA disputes, and the level of control the buyer exercises over the outreach is the key factor courts weigh.

This is the part that gets lost in a rate-card conversation about cheap aged leads. A bargain-priced appointment lead and a documented, held-and-qualified meeting are not just different in quality. If the cheap lead came from a data broker with no documented consent chain, and the ISO's fingerprints are on the campaign, the exposure from a single bad list can dwarf the entire lead budget many times over.

The Ground Shifted Under Shared MCA Leads in 2025

In 2023 the FCC adopted a "one-to-one consent" rule requiring that a consumer's consent be tied to a single seller at a time, aimed squarely at the practice of reselling one lead, and one underlying consent claim, to several buyers at once. On January 24, 2025, the Eleventh Circuit vacated that rule in Insurance Marketing Coalition v. FCC, finding the agency exceeded its statutory authority, and remanded it back to the FCC with no mandatory deadline to act. The FCC can start a new rulemaking or abandon the rule altogether, and as of this writing there is no fixed timeline either way.

For an ISO buying MCA leads, the practical read is not "the coast is clear." It is closer to the opposite. The rule that would have forced tighter, per-seller documentation onto shared and resold lead consent never took effect, which means the market is currently operating on the older, looser standard where a single consent claim can still travel with a resold lead. That is precisely the environment where a vendor's verbal assurance is weakest and an ISO's own diligence matters most, because regulators and plaintiffs' firms have not stopped filing cases just because the FCC's rule got vacated.

What a Violation Actually Costs at Campaign Volume

Federal TCPA violations carry statutory damages of $500 per message for a negligent violation, rising to as much as $1,500 per message for a willful or knowing one, and there is no cap on the number of violations a plaintiff can claim. A recipient does not need to prove actual monetary harm to collect; the statutory amount is available on showing an unauthorized message was sent. Multiplying those two federal figures against typical MCA campaign volumes makes the exposure concrete:

Messages sentExposure at $500/msg (negligent)Exposure at $1,500/msg (willful)
1,000$500,000$1,500,000
5,000$2,500,000$7,500,000
10,000$5,000,000$15,000,000

Figures are simple multiplication of the cited federal per-message statutory range against illustrative MCA campaign volumes; they are not a specific case outcome or a prediction.

The exposure isn't theoretical volume, either. TCPA litigation surged through 2025: total filings rose to roughly 2,628 cases for the year, a 60% increase over 2024, with class actions accounting for 76.4% of all filings. California, Florida, and Texas together accounted for nearly 60% of the federal TCPA lawsuits filed in the first half of 2025. Those three states are also among the largest merchant markets an MCA campaign is likely to target, which is not a coincidence a lead budget should ignore.

Documented Consent vs. an Undocumented List

Not every source of merchant contacts carries the same risk profile. The distinction that actually matters isn't "cheap list" versus "expensive list." It's whether a consent record exists and can be produced.

SignalDocumented consent chainUndocumented / resold list
Consent recordTimestamped, tied to a specific disclosure and sellerA verbal assurance, or none on file
Seller identificationThe exact entity authorized to text is named in the recordUnclear or generic, often reused across resales
Opt-out handlingImmediate, permanent, applied across every future campaignInconsistent, or only removes the number from one send
DNC scrubbingRun against federal and state lists on every sendRun once at list purchase, if at all
Exclusivity of the underlying consentConsent tied to one buyer, not resoldSame consent claim used to justify texts from multiple buyers

Seven Questions to Put in Writing Before You Outsource MCA Outreach

Before any lead or appointment vendor texts a single merchant under your ISO's name, get written answers to these seven questions. A vendor that cannot answer clearly is asking you to absorb their compliance risk under your own name.

  1. Where did each number and its consent record come from? Ask for the source page or call, the disclosure language shown, and the timestamp, not a summary assurance.
  2. What technology sends the message? Auto-dialing or list-management features push a campaign toward the strict prior-express-written-consent standard regardless of how the contract describes it.
  3. Do they scrub against federal and state Do Not Call lists on every send? A one-time scrub at list purchase does not protect a campaign that runs for months.
  4. How fast and how permanently are opt-outs honored? A "STOP" reply should remove the number from every campaign the vendor runs, not just the one that triggered it.
  5. Is the lead or appointment exclusive, or does the underlying consent get resold? With the one-to-one consent rule vacated, this question is the only thing standing between you and a consent claim shared across several buyers.
  6. What does the contract say about indemnification? Get it in writing before the first message sends, not after the first demand letter arrives.
  7. Will they produce the actual consent documentation on request? Not a compliance statement. The record itself.

These questions are a starting point, not the full picture. Our broader vendor-vetting process, covering pricing red flags, replacement policy, and pilot structure before committing real spend, is in how to buy MCA leads without getting burned.

What this means for you

  • There is no B2B exemption from the TCPA for texts sent to a wireless number, and a merchant's "business line" is very often a personal cell phone.
  • Statutory damages run $500 to $1,500 per message federally, uncapped, and liability can follow the ISO through vicarious-liability principles, not just the vendor that sent the text.
  • The FCC's one-to-one consent rule was vacated in January 2025, so shared and resold lead consent is currently governed by the older, looser standard. Verify the consent chain yourself instead of assuming the market has tightened.
  • Get the actual consent record, DNC scrubbing cadence, opt-out handling, exclusivity, and indemnification language from any vendor in writing before the first campaign launches.

FAQ

Does the TCPA apply to texting business owners, or is B2B exempt?
There is no blanket B2B exemption from the TCPA for text messages sent to a wireless number. The FTC's Telemarketing Sales Rule exempts most business-to-business calls from its Do Not Call provisions, but that is a separate rule from the TCPA, and it does not extend to autodialed or prerecorded texts sent to a cell phone. A merchant's business line is very often their personal cell, and the TCPA does not distinguish based on how the number is labeled.
If a lead vendor's list wasn't compliant, is the ISO liable or just the vendor?
Both can be, under standard agency principles the FCC and courts apply to TCPA cases: actual authority, apparent authority, and ratification. If an ISO supplies contact lists, scripts, or campaign direction to a vendor, or is closely tied to how the vendor operates, courts have held the ISO vicariously liable for the vendor's violations, not just the vendor itself. The buyer of the leads can end up holding the judgment even when someone else sent the message.
What happened to the FCC's one-to-one consent rule for shared leads?
The FCC adopted a rule in 2023 requiring that consent be given to one seller at a time, aimed at closing the loophole where a single consent record gets used to justify texts from many different buyers of a resold lead. The Eleventh Circuit vacated that rule on January 24, 2025, finding the FCC exceeded its authority, and sent it back to the agency with no mandatory timeline to act. The practical result is that the tighter documentation standard the rule would have forced onto shared and resold MCA leads never took effect, which makes an ISO's own consent verification more important, not less.
What does TCPA-compliant consent actually look like for a merchant text campaign?
For outreach sent through a platform with auto-dialing or list-management features, the safe standard is prior express written consent: a documented, timestamped record showing the merchant was clearly told they were agreeing to receive marketing texts, which seller would be sending them, that consent was not a condition of any purchase, and a signature, which can be an electronic one such as a checked box. A vendor telling you a list is opted in is not the same as a vendor showing you the actual consent record.
What should an ISO ask a lead or appointment vendor before outsourcing outreach?
At minimum: where each number and its consent record came from, what technology sends the message, whether they scrub against federal and state Do Not Call lists on every send rather than once at setup, how fast and how permanently opt-outs are honored, whether the appointment or lead is exclusive to you or the underlying consent gets resold to other buyers, and what the contract says about indemnification if a complaint follows. If a vendor cannot produce the actual consent documentation on request, the exposure sits with whichever name is on the outreach, which is often the funder's, not the vendor's.

Want appointments you can actually document?

Book a 15-minute call. We'll walk through how our consent, qualification, and confirmation records work before you put a single meeting on your calendar.

Book a Call