We’re media buyers and lead-gen operators sharing what we see in the field. This isn’t legal advice. TCPA stuff is genuinely complicated and varies by state and vertical — talk to an actual attorney before changing your consent flows or vendor contracts.
The Eleventh Circuit knocked out the FCC’s 1:1 consent rule in early 2025. A lot of buyers exhaled. Then they kept buying leads the same way they always had — and the same gaps we’ve been flagging in audits for two years are still there. The federal rule going away didn’t fix anyone’s routing layer. It didn’t tighten anyone’s vendor SLA. It didn’t make a TrustedForm cert match the brand on the dialer.
Here’s what we see when we audit a buying stack in 2026, and what the cleanest books do differently.
- The FCC’s 1:1 rule got rolled back. The operational gaps it was pointing at didn’t go anywhere.
- Most buying stacks we audit are leaking callable volume at the routing layer and don’t know it. The cert names Seller A, the dialer fires under Brand B, and nobody is checking at the moment of the call.
- In our audits, fewer than 1 in 5 stacks run a cert-to-dialer match before release. That’s the single biggest gap we see.
- Effective CPL = Gross CPL ÷ cert-to-dialer match rate. At an 80% match rate and a $40 gross CPL, your true cost per callable lead is $50. Most buyers aren’t running this math.
- State-level rules vary and some are stricter than the federal floor. That’s where the noise is in 2026.
1. What the rollback actually changed
In January 2025, the Eleventh Circuit vacated the FCC’s specific 1:1 consent rule in IMC v. FCC before it took effect. That rule would have required consent to name a single seller and limited it to communications “logically and topically related” to the page where it was captured. Industry coverage of the ruling — including Search Engine Land’s reporting on the vacated 1:1 consent rule — captures the immediate operator reaction.
What changed: that specific FCC rule, as a federal mandate, is gone.
What didn’t change: the underlying TCPA prior express written consent standard. The consumer still needs to clearly know who is calling and what for. Vague multi-seller consent has always been weak under that standard, with or without the FCC rule on top.
State-level rules vary, and a handful of states are noticeably stricter than the federal floor. Worth knowing which states your traffic touches.
For the longer history, our piece on one-to-one consent for lead generation covers the 2024–2025 timeline. This article is about what we see operationally now.
2. What still bites operators in 2026
The stuff that’s been getting buyers in trouble for years is still the stuff getting buyers in trouble. None of it is new. Most of it is unsexy.
- Prior express written consent basics. Unchecked box, clear disclosure, named caller, captured at the moment the consumer hits submit. If any of those are loose, the lead is a coin flip.
- Reassigned numbers. The FCC’s Reassigned Numbers Database exists. It’s cheap. We still see stacks that don’t run it, or run it once at intake and never again. A call to a reassigned number is real money on the line per dial.
- Internal DNC and revoked consent. If a consumer told you to stop, your suppression list has to actually catch them across every source, every sub-buyer, every dialer. We see this break constantly when buyers add a new lead source and don’t sync the suppression file.
- Aged consent. Consent doesn’t expire on a calendar, but the realistic shelf life of a form-fill before you should re-touch is shorter than most buyers act like.
This is the kind of gap that turns into a problem if somebody comes asking questions.
3. Form-fill quality from a buyer’s perspective
When we accept a lead, here’s what we want to see on the form-fill side. Not because a statute says so — because if somebody comes asking later, this is what’s defensible and what isn’t.
What we want on the page where the consumer hits submit:
- Clear disclosure of who’s actually going to call. Not a generic “marketing partners.” The brand on the dialer should be visible to the consumer at the moment of capture.
- Contact methods stated explicitly — call, text, prerecorded, autodialed.
- The offer on the page matches what the caller is actually pitching. A Medicare quote form shouldn’t be funneling consent into solar calls.
- Unchecked checkbox or an explicit click action. Not pre-ticked.
- Captured artifact: IP, timestamp, the disclosure text exactly as it appeared, and a snapshot of the page state.
What we see in audits: Scrollable iframes with 40+ partner names are a mess to defend. The consent quality is weaker, the replays are harder to make sense of, and when we score those sources against single-named-seller sources, the callable yield gap is real. We’re not going to tell you scrollable lists “fail” — we’ll tell you they price down hard once you measure what’s actually callable.
Meta lead forms
Meta’s native lead form puts the privacy disclosure behind a link. The default form does not surface the named-caller disclosure on the same screen as the submit button. That’s a gap.
What we recommend: use Meta’s custom question fields for lead ads to put the named-caller consent text directly on the form, with an explicit consent checkbox the user has to tap. Don’t lean on the privacy policy link alone. Fire a TrustedForm or Jornaya script via the post-submit thank-you page or Meta’s CAPI lead-form integration so you’ve got an actual capture artifact. If your seller can’t show you a session replay of a Meta lead, treat the lead as unverified.
4. TrustedForm and Jornaya: evidence, not verdicts
This is the most misunderstood part of the consent stack we see. Buyers treat the cert as a verdict. It’s a payload.
TrustedForm (ActiveProspect) records a session-level replay of the form fill: page state, disclosure text as displayed, IP, timestamp, submit event. You can replay what the consumer saw. ActiveProspect’s TrustedForm documentation walks through what’s captured and how the replay works. Genuinely useful evidence.
Jornaya LeadiD (Verisk) creates a unique token at submission and records the page interaction so you can later confirm the capture happened on the page and at the time the seller claims. Similar spirit, different replay UX.
For a side-by-side, our TrustedForm vs Jornaya breakdown covers when to run one, the other, or both.
The gap both products leave open: neither one names the dialing party at runtime. Both certify the capture moment. If the lead then gets posted to you, routed to a sub-buyer, white-labeled under a different brand, and dialed — the cert doesn’t update. It still says Seller A. The call goes out as Brand B.
5. Vendor agreements: what we negotiate for
Most buyer-side contracts in this industry were written before 2024 and are quietly tilted toward the seller. When we rewrite buyer agreements, here’s the playbook.
Cert fields we require on every lead. If any of these are missing, the lead is non-conforming and we don’t pay for it:
- TrustedForm or Jornaya cert URL (often both)
- Disclosure text exactly as displayed at capture
- Named seller(s) on the disclosure
- IP, full timestamp with timezone
- Originating page URL
- User agent string
- Form-field values as submitted
- Consent checkbox state and click event
Replay rights. Seller provides cert replay within 72 hours of any request, no charge, for any lead in the retention window.
Sampling rights. Quarterly, we pull a random 50, they replay all 50. Pass rate is tracked. We typically anchor a 95% replay pass-rate floor; below that, credits or exit.
The clause we push hardest on when we rewrite buyer agreements: the seller owns consent-capture defects. If the form was broken, the disclosure was wrong, or the named-party was missing, that’s on them — including when the claim lands on a downstream sub-buyer. We’re not asking them to absorb our routing decisions; that’s fair. But capture defects are theirs.
This is the single most-resisted clause in our experience and the single most valuable one to win.
6. Routing-time consent matching
If you take one operational change away from this article, take this one.
Cert verification at intake confirms the cert exists and is valid when the lead arrives.
Routing-time consent matching is a separate check, fired in your dispatcher (ActiveProspect’s LeadConduit, in-house router, CRM workflow) at the moment a lead is about to release to a dialer. It does three things:
- Reads the named seller(s) off the cert payload.
- Reads the dialing entity — the brand the call will go out under — from the routing rule about to fire.
- Compares them. Match: release. No match: hold for re-consent or reject.
Most stacks do the first check and skip the second. That’s the leak.
The cert-vs-dialer mismatch is where the money actually leaks
We’ve audited buyer stacks where 100% of certs replayed cleanly and 30%+ of leads were still being dialed by an entity not named on the cert. Every one of those calls is a problem if anyone goes looking.
The sub-buyer trap
Most common failure pattern we see: you buy a lead with a TrustedForm cert naming “QuoteCo Insurance.” You route it to a sub-buyer call center that dials under “AgentNet.” Consumer answers a call from AgentNet, who was never named at capture. Cert is technically valid. The call isn’t defensible.
Multiply this by every sub-buyer relationship in your stack, every white-labeled call center, every “transfer partner” your seller mentioned in passing during onboarding. The routing-time match catches it. Nothing else does.
The math
Effective CPL = Gross CPL ÷ cert-to-dialer match rate.
>
At an 80% match rate and a $40 gross CPL, your true cost per callable lead is $50. That’s 25% more than your reports say.
Re-consent economics on aged leads
When a routing-time match fails, you can re-consent (SMS or email with a fresh disclosure naming the actual dialing brand) or reject.
In our experience across final-expense and Medicare buyer engagements, re-consent yield drops sharply with lead age — drop-off on leads over 72 hours from original capture typically runs 40–60%. So if you’re at $35 per lead and only re-consenting half the mismatches, your effective recovered cost is $70 on the recoverable half, and the rest is sunk.
At some point the cheaper move is to kill the source, not re-consent the file. Build that into your seller scorecard, not into ad-hoc reactions.
Marketplace leads need a different playbook
Many-to-many marketplaces are structurally hard to reconcile. The form often named the marketplace operator or a generic partner list, not you. By the time the lead hits your dialer, you may be the third or fourth party in the chain.
What we recommend: treat marketplace leads as requiring a re-consent step before any first dial. SMS or email opt-in that names you specifically, captures a fresh timestamp. Yes, it tanks immediate-dial conversion. It also stops you from buying expensive surprises.
7. Suppression stack
Table stakes. Before any dial, every lead should pass:
- Internal DNC and revoked-consent suppression
- FCC Reassigned Numbers Database lookup, dated against the consent timestamp
- Known-litigator scrub (commercial lists exist; budget for one)
- State-level DNC overlays where applicable
The RND lookup is the cheapest insurance most buyers still aren’t buying. The database exists. Use it.
8. Vendor scorecard
This is what closes the loop. Without it, every fix above is a one-time project that decays. We grade every seller monthly on these. The thresholds below are what mature stacks target — yours may differ by vertical.
| Metric | What we target | Action threshold |
|---|---|---|
| Cert presence rate | 100% | Below 100%: reject non-conforming, no credit |
| Cert replay pass rate | 95%+ | Below 90%: credit + watch period |
| Cert-to-dialer match rate | 95%+ | Below 85%: pause source, require form fix |
| Reassigned-number hit rate | Below 2% | Above 4%: seller absorbs cost of bad numbers |
| Litigator-list hit rate | Below 0.5% | Above 1%: exit |
Share the scorecard with the seller monthly. The conversation changes when they see the math.
9. Per-lead audit trail
When we say audit trail, we mean: what we want to be able to pull up if anyone asks. Per lead, we keep:
- Full cert (TrustedForm and/or Jornaya), replay accessible
- Disclosure text exactly as displayed at capture
- Named seller(s) on the disclosure
- IP, timestamp, originating URL, user agent
- Full routing path: every entity the lead passed through, with timestamps
- Dialing entity and brand on every call attempt
- Result of every routing-time consent match check
- Any re-consent events and the new disclosure text
- Suppression-check results (DNC, RND, litigator) per dial
- Call recordings and dispositions
Retain it for a meaningful window — your counsel can tell you exactly how long for your verticals and states. The point is to build the retention into your CRM or warehouse from day one rather than reconstructing under pressure later.
If any of those fields is missing, the per-lead record has a hole. Pick the hole and close it before you need the file.
FAQ
What did the Eleventh Circuit ruling actually change?
The FCC’s specific 1:1 consent rule, which would have required consent to name a single seller and stay logically related to the capture page, got vacated in IMC v. FCC in January 2025 before it ever took effect. The underlying TCPA prior-express-written-consent standard is still in place, and state rules vary. Operationally, the rollback didn’t fix anything in most buyers’ stacks because the gaps we see weren’t really about that specific federal rule.
If 1:1 got rolled back, why does any of this still matter?
Because the routing layer didn’t get fixed by the ruling. The cert still names one party. The dialer still fires under whatever brand the routing rule says. If those don’t match, the call isn’t defensible regardless of what the FCC did or didn’t finalize. And state-level rules in some states are stricter than the federal floor.
What’s the difference between checking a cert at intake and matching it at routing?
Intake checks confirm the cert exists and is valid when the lead arrives. Routing-time matching compares the named party on the cert against the actual dialing brand at the moment the call fires. The intake check passes constantly while the routing check fails — that’s exactly the gap we keep finding in audits.
How do I calculate my real cost per callable lead?
Effective CPL = Gross CPL ÷ cert-to-dialer match rate. If you’re paying $40 a lead and 80% match cleanly to your dialing brand, your real cost per callable lead is $50. Most buyers don’t run this math, which is why sources that look cheap on the invoice are often the most expensive ones in the stack.
What do mature buying stacks keep on file per lead?
The cert with replay access, the disclosure text exactly as displayed, named seller(s), IP and timestamp, originating URL, full routing path with timestamps, dialing entity per call, routing-time match results, any re-consent events, suppression-check results, and call recordings. Retention window is a conversation for your counsel — but the fields don’t change much by vertical.
How should I handle Meta lead form consent in practice?
The default Meta form puts the disclosure behind a link, which is weak from a defensibility standpoint. What we recommend: use custom question fields to surface the named-caller consent text directly on the form with an explicit checkbox, and fire a TrustedForm or Jornaya capture. Require your seller to provide the form image and replay for any Meta-sourced lead. If they can’t, treat it as unverified.
What goes in a vendor scorecard that actually drives behavior?
Cert presence rate, cert replay pass rate, cert-to-dialer match rate, reassigned-number hit rate, litigator-list hit rate. Set targets and action thresholds, share the scorecard monthly, and tie price reductions and pauses to the thresholds. The conversation with the seller changes the moment they see they’re being graded on match rate, not just lead volume.
Build a 2026 stack where every lead you pay for is still callable
The through-line is simple. The buyers we see winning in 2026 stopped treating the consent cert as an acceptance-time checkbox and started treating it as a runtime payload that has to match the dialer at the moment of the call. The form, the vendor agreement, the routing logic, and the per-lead record all serve that one shift.
If you’re spending $25k–$500k a month buying leads in insurance, final expense, Medicare, ACA, mortgage, solar, or any high-volume vertical, the work above is the difference between a clean book and a stack of expensive surprises.
If you want a second set of eyes on your consent stack, your vendor agreements, or your routing logic, talk to our pay-per-call team. We rewrite buyer-side agreements, audit cert-to-dialer match rates, and build routing-time matching into LeadConduit or in-house dispatchers across insurance, home services, financial services, and B2B lead gen. Book a free strategy call with Elevarus and we’ll build a custom paid media and lead-buying plan around your specific compliance posture.
We’re media buyers and lead-gen operators sharing what we see in the field. This isn’t legal advice. TCPA stuff is genuinely complicated and varies by state and vertical — talk to an actual attorney before changing your consent flows or vendor contracts.
