In 2021, Sunrun paid $5.5 million to settle a class action alleging robocalls placed by three named third-party vendors, Media Mix 365 LLC, RMC, and Americor. Two years earlier, it paid another $5.5 million in a separate case over robocalls placed by a different named vendor, Clean Energy Experts LLC. Sunrun did not dial either set of calls itself.
That is the part of buying leads most vendor pitches leave out. When a court decides a batch of outreach was not properly consented to, the installer whose name is on the campaign is usually the one holding the bag, not the subcontractor who actually dialed the number. Paying for an appointment does not buy legal cover for how it was generated.
This post covers what "vicarious liability" actually means for a solar installer, what happened to the federal rule that was supposed to close the shared-lead consent problem (it did not survive to its own effective date), what a TCPA violation actually costs, and the specific contract language that moves the risk back onto the vendor where it belongs.
You Can Be Sued for a Call You Never Placed
The Telephone Consumer Protection Act does not require a court to catch the person who physically dialed the phone. Under ordinary agency principles, a company can be held liable for a telemarketing call or text made by a vendor acting, or appearing to act, on its behalf, even if that company never touched the list and never wrote the script. Courts have found lead buyers and lead sellers vicariously liable for each other's actions in TCPA cases, which means signing a vendor contract does not transfer the legal risk the way it transfers the invoice.
How courts decide who is on the hook
The core question is whether the party that placed the call was acting as an agent of the company that benefited from it, or was reasonably perceived that way, and whether there were red flags that should have put the buyer on notice the leads were bad. Courts have sometimes found an agency relationship even where the buyer had little day-to-day control over the vendor's calling practices. That standard is exactly why "we didn't know" is a weaker defense than most installers assume: the legal test is not just what you knew, it is what you reasonably should have known and asked about before you started paying for volume.
The pattern shows up across the largest names in residential solar, not just small regional shops. SolarCity, now part of Tesla, paid $15 million in 2018 over unsolicited robocalls. Vivint Solar paid $975,000 in 2019 over the same theory. None of these cases turned on whether the installer's own W-2 employees made the calls. They turned on whether outreach done in the company's name, by a vendor or affiliate, had valid consent behind it.
What Solar Companies Have Actually Paid
Disclosed TCPA settlements involving solar companies are not hypothetical numbers pulled from a compliance memo. They are court-approved figures, and the pattern is consistent: the company that sold and installed the panels pays, regardless of who originated the call.
| Company | Settlement | Resolved | What the calls involved |
|---|---|---|---|
| Momentum Solar | Up to $30 million (payable as $20 million if paid within 7 years) | Final approval Aug. 18, 2025 | Automated telemarketing calls without prior consent, across two combined class actions |
| SolarCity (now Tesla) | $15 million | 2018 | Unsolicited robocalls, TCPA violations |
| Sunrun (Loftus case) | $5.5 million | 2021 | Robocalls placed by three named third-party vendors: Media Mix 365 LLC, RMC, Americor |
| Sunrun (Slovin case) | $5.5 million | 2019 | Robocalls without express written consent, placed by named vendor Clean Energy Experts LLC |
| Vivint Solar | $975,000 | 2019 | Unsolicited robocalls, TCPA violations |
Combined, disclosed TCPA settlements across these five cases exceed $57 million since 2018. Two of the five settlements name the specific third-party vendors whose calls triggered the claim, not an in-house call center.
The Rule That Was Supposed to Close the Loophole Never Took Effect
In December 2023, the FCC adopted a "one-to-one consent" rule aimed at exactly the pattern behind cases like Sunrun's: a homeowner fills out one form, and that single consent gets attached to calls from a dozen unrelated sellers. The rule would have required that written consent to receive robocalls or robotexts apply to one identified seller at a time, with an effective date of January 27, 2025.
It never got there. On January 24, 2025, three days before the rule was due to take effect, the Eleventh Circuit vacated it entirely in Insurance Marketing Coalition v. FCC, ruling that the FCC had exceeded its statutory authority by redefining what "prior express consent" means. The FCC did not challenge the ruling, and in September 2025 it issued a final rule formally eliminating the one-to-one consent requirement.
The practical result for 2026: the federal consent standard reverted to what existed before 2023. A single consent can, in principle, still be read to apply to multiple sellers at the federal level, and the specific "lead generator loophole" fix never became binding law.
That does not mean shared leads are now safe to buy on faith. The underlying TCPA requirement, that a real, documented "prior express written consent" exist before an autodialed or prerecorded marketing call goes out, was never touched by the vacatur and is still aggressively litigated, as the settlement table above shows. The regulatory picture stays unsettled in other ways too: a separate FCC rule requiring companies to honor a consent revocation across every channel and business unit, not just the one a consumer contacted, has already been delayed three times, most recently to January 31, 2027. Installers should not assume a pending rule change will do their compliance work for them. None of the rules currently in flux remove the consent requirement that already exists.
What TCPA Actually Penalizes
TCPA is enforced mainly through private lawsuits, not FCC fines against individual companies. The statute sets damages at $500 per violation, rising to $1,500 per violation if a court finds it knowing or willful, and there is no cap on total statutory damages. Since a single bad campaign can generate hundreds or thousands of individual calls or texts, and each one can count as a separate violation, the math scales fast without any single call needing to be worth much on its own.
The volume of litigation is rising, not falling. In the first quarter of 2025 alone, 507 TCPA class actions were filed, up from 239 in the same quarter of 2024, a 112% year-over-year increase. Buying leads or appointments from a vendor with weak consent practices is not a compliance formality you can defer. It is a live and growing source of litigation risk in the exact industry this article is about.
The Contract Language That Actually Protects You
You cannot audit a vendor's calling floor in real time, and you should not have to in order to buy an appointment. What you can do is put the risk where it belongs in writing, before you pay for a single lead.
- Warranties and representations. The vendor affirmatively warrants, in the contract itself, that every lead or appointment delivered complies with TCPA consent requirements. A verbal assurance on a sales call is not a warranty.
- Indemnification. A clause requiring the vendor to indemnify you for TCPA claims that trace back to how its leads were sourced or consented, so a defective lead's legal cost does not fall entirely on the buyer.
- Audit rights. A contractual right to request and review the vendor's actual consent records, not a summary or a compliance badge on their website.
- A non-agency clause. Language stating the vendor operates as an independent contractor, not as your agent. This helps your legal position but is not a shield on its own, especially if you ignore obvious red flags in the leads you are buying.
None of these four terms eliminate risk by themselves. Together, they give you a documented basis to push financial responsibility back onto the vendor if a claim does show up, instead of discovering after the fact that your contract is silent on the exact issue in the lawsuit.
A Pre-Payment Compliance Checklist
Run this before you commit to a new solar lead or appointment vendor, not after the first invoice clears.
| Step | What to require | Why it matters |
|---|---|---|
| Consent proof | The actual dated record: source page or call, disclosure language, timestamp | A "trust us, it's compliant" answer is not documentation you can produce later |
| Source vetting | Where the lead originated, and whether it passed through a reseller | Resold or aged lists carry the highest documented consent risk |
| Contract terms | Warranty, indemnification, audit rights, and a non-agency clause, all in writing | These are the specific terms that shift financial exposure back to the vendor |
| Small pilot | Start with a limited paid batch before committing to full monthly volume | Limits exposure while you see how a new vendor actually operates, not how they pitch |
| Retention | Keep consent records on file well beyond the campaign date | You may need to produce this evidence years after the outreach ran |
What this means for you
- Do not treat the FCC's one-to-one consent rule as a compliance backstop. It never took effect, and it is not coming back in its original form.
- Vicarious liability means a vendor's bad consent practices can become your lawsuit. Ask for the actual consent record, not a compliance claim, before you pay.
- Put warranties, indemnification, audit rights, and a non-agency clause in every vendor contract. These are the terms that decide who pays if a claim lands.
