TCPA Compliance Guide

The Telephone Consumer Protection Act (TCPA) is a federal law that restricts telemarketing calls, auto-dialed calls, pre-recorded calls, text messages, and unsolicited faxes. Violations can cost between $500 and $1,500 per call or text, making TCPA litigation one of the most expensive categories of consumer class actions in the United States.

eConsent provides the evidentiary infrastructure to prove that consent was obtained, what the consumer saw, and when they agreed.

Who needs TCPA compliance

Any business that contacts consumers by phone or text message should evaluate their TCPA exposure. This includes:

• Lead generators selling consumer leads to buyers who will call or text
• Insurance agencies contacting prospects about quotes
• Solar and home improvement companies following up on form submissions
• Financial services reaching out about loan offers or debt relief
• Healthcare organizations sending appointment reminders or marketing

Caution

TCPA lawsuits do not require proof of harm. A single consumer can file a claim, and class actions regularly reach millions of dollars. The burden of proof is on the caller to demonstrate that valid consent was obtained.

Prior express written consent

The FCC requires prior express written consent (PEWC) before making telemarketing calls or sending marketing texts using an autodialer or prerecorded voice. PEWC must meet these requirements:

1. Written agreement (electronic signatures count) that clearly authorizes the calls or texts.
2. Clear and conspicuous disclosure of what the consumer is agreeing to.
3. Not a condition of purchase --- consent cannot be required to complete a transaction.
4. Identifies the specific seller(s) authorized to contact the consumer.
5. Includes the phone number to which calls or texts will be made.

What eConsent captures for PEWC

eConsent automatically records and certifies the following for every consent event:

Evidence element	How eConsent captures it
Consent language shown	SHA-256 hash of the exact disclosure text on the page
Consumer interaction	Full session replay showing the consumer checking the box and submitting
Timestamp	Server-side UTC timestamp with millisecond precision
Phone number	Extracted from the form submission and stored on the certificate
IP address and device	Captured in the session metadata
Page structure	DOM snapshot proving the disclosure was visible and not hidden

Five-year record retention

The FCC mandates that businesses retain consent records for a minimum of 5 years from the date consent was obtained. eConsent supports configurable retention periods up to 5 years per property.

Tip

Configure 5-year retention on your properties in the dashboard under Settings > Properties. See Retention Management for details on auto-retention and quota management.

Recommended retention configuration

curl -X PUT https://api.econsent.org/api/retention/settings \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{
    "autoRetentionEnabled": true,
    "autoRetentionMode": "certificates",
    "notifyOnOverage": true,
    "overageNotificationEmails": ["compliance@yourcompany.com"]
  }'

Set the property-level expiration to 5 years in the dashboard to align with FCC requirements.

Revocation rules

Under the TCPA, consumers have the right to revoke consent at any time and through any reasonable means. The FCC has clarified that callers cannot restrict the method of revocation (e.g., requiring a specific keyword or phone call).

eConsent supports revocation through:

• API endpoint for programmatic opt-out processing
• Dashboard for manual single or bulk revocation
• CSV upload for large-scale opt-out list processing

Once revoked, all verification API calls for that certificate return a 403 response. See Revocation & Opt-Out for full details.

Implementing consent tracking

Step 1: Install the tracking script

Add the eConsent script to your lead form pages:

<script
  src="https://api.econsent.org/api/web"
  data-property-id="YOUR_PROPERTY_ID"
  async
></script>

Step 2: Configure the consent selector

Tell eConsent which element on your page represents the consent action (typically a checkbox or submit button adjacent to a TCPA disclosure):

Dashboard

Use the Consent Selector tool in your dashboard to visually select the consent element on your page. See Consent Selector for a walkthrough.

Script attribute

<script
  src="https://api.econsent.org/api/web"
  data-property-id="YOUR_PROPERTY_ID"
  data-consent-selector="#tcpa-checkbox"
  async
></script>

Step 3: Verify consent via API

After a lead is submitted, verify that a valid consent certificate exists before making a call:

Node.js

async function verifyConsent(phone, email) {
  const response = await fetch('https://api.econsent.org/api/verify/match', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${process.env.ECONSENT_API_TOKEN}`,
    },
    body: JSON.stringify({
      phone: phone,
      email: email,
      company_id: process.env.ECONSENT_COMPANY_ID,
    }),
  });

  const result = await response.json();

  if (result.status === 200 && result.certificate_id) {
    // Consent verified --- safe to call
    return { verified: true, certificateId: result.certificate_id };
  }

  // No matching consent found --- do not call
  return { verified: false };
}

Python

import os
import requests

def verify_consent(phone, email):
    response = requests.post(
        'https://api.econsent.org/api/verify/match',
        headers={
            'Content-Type': 'application/json',
            'Authorization': f'Bearer {os.getenv("ECONSENT_API_TOKEN")}',
        },
        json={
            'phone': phone,
            'email': email,
            'company_id': os.getenv('ECONSENT_COMPANY_ID'),
        },
    )
    result = response.json()

    if result.get('status') == 200 and result.get('certificate_id'):
        return {'verified': True, 'certificate_id': result['certificate_id']}

    return {'verified': False}

PHP

<?php
function verifyConsent($phone, $email) {
    $payload = json_encode([
        'phone' => $phone,
        'email' => $email,
        'company_id' => getenv('ECONSENT_COMPANY_ID'),
    ]);

    $ch = curl_init('https://api.econsent.org/api/verify/match');
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Content-Type: application/json',
        'Authorization: Bearer ' . getenv('ECONSENT_API_TOKEN'),
    ]);

    $response = json_decode(curl_exec($ch), true);
    curl_close($ch);

    if ($response['status'] === 200 && !empty($response['certificate_id'])) {
        return ['verified' => true, 'certificate_id' => $response['certificate_id']];
    }

    return ['verified' => false];
}
?>

TCPA compliance checklist

Disclosure language

Ensure your TCPA disclosure is clear, conspicuous, and identifies all parties who may contact the consumer. eConsent captures a SHA-256 hash of the exact disclosure shown.

Consent evidence

Every consent event generates a certificate with a full session replay, DOM snapshot, and cryptographic attestation.

Record retention

Configure 5-year retention on all properties to meet FCC requirements. Enable auto-retention in certificates mode to retain only sessions with valid consent.

Revocation handling

Process opt-out requests immediately via the API or dashboard. eConsent propagates revocations in real time with no delay.

Next steps

• Consent Certificates. Understand what is captured in a certificate
• Consent Attestation. How cryptographic attestation proves consent validity
• Revocation & Opt-Out. Handle consumer opt-out requests
• Retention Management. Configure retention periods and quotas
• Verification API. Verify consent before making calls