Your lead form is your consent mechanism. It is the legal instrument that determines whether every downstream call and text is lawful or a potential TCPA violation. A form that looks compliant to a product manager may be riddled with defects that a plaintiff attorney can exploit in discovery.
This guide covers the technical and legal requirements for building lead forms that capture valid prior express written consent under the TCPA, the FCC’s rules, and the E-SIGN Act. No theory. Just the specific implementation decisions that determine whether your consent holds up.
Disclosure Placement and Presentation
The FCC requires that the TCPA disclosure be “clear and conspicuous.” Courts interpret this phrase by examining whether a reasonable consumer would have noticed and understood the disclosure before taking the consent action. Here is what that means in practice.
Position relative to the consent action
The disclosure must appear in close visual proximity to the consent checkbox or button. The safest placement is directly above or immediately adjacent to the checkbox. If the consumer has to scroll past the disclosure to reach the submit button, you have created an argument that they may not have seen it.
On mobile devices, this is especially critical. A disclosure that appears above the fold on desktop may be several scroll lengths away from the consent checkbox on a phone. Test your form on the smallest common screen size (375px width for modern smartphones) and verify that the disclosure and checkbox are visible together or in immediate sequence.
Font size and contrast
There is no FCC rule specifying a minimum font size for TCPA disclosures. However, courts evaluate whether the disclosure was legible and visually distinct from surrounding content. Practical guidelines:
- Minimum 12px font size for the disclosure text. Anything smaller creates a readability argument, especially on mobile.
- Sufficient color contrast. Light gray text on a white background is a red flag. Use a contrast ratio that meets WCAG AA standards (4.5:1 for normal text) as a minimum baseline.
- Do not reduce the disclosure font size relative to other form text. If your form labels are 14px and your disclosure is 10px, you are signaling that the disclosure is less important, which is exactly the argument a plaintiff attorney will make.
Language clarity
Write the disclosure in plain language. Legal jargon does not make your disclosure more defensible. It makes it less clear and conspicuous.
A compliant disclosure should communicate:
- That the consumer agrees to receive telemarketing calls and/or text messages
- The identity of the specific seller who will contact them (required under the one-to-one consent rule effective January 27, 2025)
- That calls may be made using an automatic telephone dialing system or prerecorded voice
- That consent is not a condition of purchasing any good or service
- The phone number to which calls or texts will be directed
Example:
By checking this box, I consent to receive telemarketing calls and text messages from [Specific Company Name] at the phone number I provided, including calls made using an autodialer or prerecorded voice. I understand that my consent is not a condition of any purchase.
Do not bury this language inside a paragraph of general terms and conditions. The TCPA disclosure should stand alone and be visually distinct.
Consent Checkbox Implementation
The consent checkbox is the consumer’s signature under the TCPA. Its implementation must meet both FCC requirements and E-SIGN Act standards for electronic signatures.
No pre-checking
The consent checkbox must default to unchecked. The FCC explicitly prohibits pre-checked boxes as a method of obtaining prior express written consent. This was addressed in the 2012 rule amendments and has been consistently upheld by courts.
Implementation detail: verify that your checkbox’s default state is unchecked in the HTML source and that no JavaScript sets it to checked on page load, after a delay, or in response to any user action other than the consumer clicking the checkbox itself. Plaintiff attorneys will inspect your page source and test for auto-checking behavior.
<!-- Correct --><input type="checkbox" id="tcpa-consent" name="tcpa_consent" required>
<!-- Wrong: pre-checked --><input type="checkbox" id="tcpa-consent" name="tcpa_consent" checked required>One checkbox per seller
Under the FCC’s one-to-one consent rule, each seller needs its own discrete consent. If your form generates leads for multiple buyers, you need a separate checkbox and disclosure for each buyer. A single checkbox covering “our marketing partners” no longer produces valid consent.
If your form serves a single seller, a single checkbox naming that seller is sufficient. If you operate a comparison or marketplace model, you need a multi-consent implementation where each seller is individually disclosed and individually consented to.
Checkbox must be tied to form submission
The consent checkbox must be required for the form submission that captures the consumer’s phone number. If the consumer can submit their phone number without checking the consent box, you do not have prior express written consent for calls to that number.
Validate this on both client and server side. Client-side validation alone can be bypassed, and a plaintiff attorney may argue that the form could be submitted without consent.
Separate from terms of service
Do not combine the TCPA consent checkbox with a general terms of service agreement. The consent to receive telemarketing calls should be a standalone, affirmative action. Bundling it with terms of service acceptance creates arguments that the consumer did not knowingly agree to be called.
Capturing Metadata
A consent certificate is only as strong as the metadata that supports it. At the moment of form submission, capture and store the following data points alongside the consumer’s consent.
IP address
Capture the consumer’s IP address at the time of submission. This provides geolocation data that can corroborate the consumer’s identity and location. Store both IPv4 and IPv6 addresses. If your form sits behind a CDN or load balancer, make sure you are capturing the consumer’s actual IP from the X-Forwarded-For header, not your infrastructure’s internal IP.
Timestamp
Record the exact time of consent in UTC with millisecond precision. Use a server-side timestamp, not a client-side JavaScript timestamp, since the client’s clock may be inaccurate. The timestamp establishes when consent was given and is critical for evaluating whether consent was still valid at the time of the call.
User agent
Capture the full user agent string from the HTTP request. This identifies the consumer’s browser, operating system, and device type. It also provides evidence that a real browser was used, as opposed to a bot or script submitting the form programmatically.
Page URL and referrer
Record the exact URL of the page where consent was given, including query parameters, and the referring URL. This establishes which form and which campaign generated the consent, which is valuable when you manage multiple landing pages or traffic sources.
Geolocation signals
If available, capture browser geolocation data or IP-based geolocation. Location data corroborates the consumer’s identity and can be relevant in cases where the plaintiff claims they never visited the form.
Form field values
Capture all form field values at the time of submission: name, phone number, email, zip code, and any other fields. These values, combined with the consent checkbox state, create a complete record of what the consumer submitted.
E-SIGN Act Compliance
The E-SIGN Act (15 U.S.C. Section 7001) provides the legal framework for electronic signatures. For a checkbox click to constitute a valid “signature” under the TCPA, your implementation must satisfy E-SIGN requirements.
Affirmative act
The consumer must take a deliberate action to indicate consent. Checking a box qualifies. Clicking a clearly labeled “I Agree” button qualifies. Scrolling past a disclosure does not qualify. Passively loading a page with consent language does not qualify.
Intent to sign
The form design must make clear that the consumer’s action constitutes an agreement. The checkbox should be labeled in a way that communicates the consumer is agreeing to something specific, not just moving through a form flow.
Association with the record
The electronic signature must be logically associated with the consent record. In practice, this means the checkbox state should be captured and stored as part of the same data record that includes the disclosure text, timestamp, and other metadata. A standalone database entry of “consent: true” with no connection to the disclosure or form state is weaker than an integrated consent record.
Record retention
The E-SIGN Act requires that electronic records be retained in a form that accurately reproduces the information. For TCPA consent, this means you need to preserve not just the data but the presentation. A consent certificate that includes the disclosure text, the form layout, and the session recording satisfies this requirement more fully than a database row.
Generating Tamper-Proof Consent Artifacts
Capturing consent data is necessary but not sufficient. You need to prove that the data has not been modified since the consent event. This requires tamper-proof consent artifacts generated at the moment of submission.
Cryptographic hashing
Generate a SHA-256 hash of the complete consent record at the time of submission. The hash should cover all fields: consumer data, disclosure text, timestamp, metadata, and checkbox state. Store the hash alongside the consent record. Any modification to any field after the fact will produce a different hash, proving tampering.
Session recording
Capture a visual recording of the consumer’s browsing session, including the form as rendered, the disclosure as displayed, scrolling behavior, and the consent action. This recording serves as independent evidence of the consent experience that exists separately from the structured data.
Session recordings should be converted to a permanent format (such as MP4 video) at the time of capture, while all page assets are still available. Replay-based recordings that depend on external CSS and JavaScript files may break when those files change.
Immutable storage
Store consent artifacts in a way that prevents modification after the fact. This means write-once storage, not a database where records can be updated. Immutable storage ensures that neither the data collector nor anyone else can alter the consent record after it is created.
Certificate generation
Combine all of the above into a structured consent certificate: a single document that contains the consumer data, disclosure text, metadata, cryptographic hash, and links to the session recording and video evidence. This certificate becomes the canonical reference for the consent event.
eConsent generates all of these artifacts automatically. A single script tag on your lead form captures the session recording, collects metadata, and triggers certificate generation at the moment of form submission. The certificate, session recording, and MP4 video are stored immutably for seven years and accessible via API for downstream verification.
Common Form Mistakes That Plaintiff Attorneys Exploit
TCPA plaintiff attorneys have a playbook. These are the form issues they look for first.
Mobile rendering failures
Your form may look compliant on a 27-inch monitor. On a phone, the disclosure may be cut off, the checkbox may be obscured, or the consent language may require scrolling to reach. Plaintiff attorneys test forms on mobile devices and submit screenshots showing that the disclosure was not visible at the time of the consent action.
Fix: Test every form on mobile devices with screen widths of 375px and 390px. Ensure the disclosure and checkbox are visible together without horizontal scrolling.
JavaScript-dependent disclosures
If your disclosure text is loaded via JavaScript after the page renders, there is a window where the form is interactable but the disclosure is not visible. A consumer (or a bot) could submit the form before the disclosure loads.
Fix: Render disclosure text in the initial HTML. Do not rely on JavaScript to inject consent language.
Missing “not a condition of purchase” language
The FCC requires the disclosure to state that consent is not required as a condition of purchasing any good or service. Omitting this language creates a facial deficiency in your consent that is trivially provable by the plaintiff.
Fix: Include the exact language. Do not paraphrase it in a way that obscures the meaning.
Dynamic seller lists
Some lead forms dynamically change the listed seller based on targeting logic, bid responses, or A/B tests. If the seller name in the disclosure changes between page load and form submission, or if the seller listed does not match the company that actually calls, the consent is defective.
Fix: Ensure the seller name displayed in the disclosure at the time of submission is the same seller that will contact the consumer. Capture the displayed seller name in your consent record as proof.
No evidence of checkbox state
If you capture the form submission but do not record whether the consent checkbox was checked, you cannot prove affirmative consent. Your database might show a lead was submitted, but not that the consumer actively checked the box.
Fix: Capture the checkbox state as a distinct field in your consent record, and supplement it with a session recording that visually documents the consumer checking the box.
Building the Right Way
A TCPA-compliant lead form is not just a legal document. It is a technical system that must capture, structure, and preserve consent evidence in real time. The form itself, the metadata collection, the consent artifact generation, and the storage layer all need to work together as a single integrated system.
Companies that treat the lead form as a marketing asset and bolt compliance on afterward are the companies that end up in litigation. Companies that build compliance into the form architecture from the start are the ones with defensible consent records when the subpoena arrives.
eConsent captures session recordings, metadata, and tamper-proof consent certificates automatically with a single script tag. Start for free or view the docs to integrate with your lead forms.