Every lead purchase agreement in the industry has one. The indemnity clause. The provision that says if Buyer gets sued for calling a lead that Seller provided, Seller will cover the defense costs and any judgment.
It is the security blanket of the lead generation business. And in the past six months, three separate legal actions have demonstrated exactly how thin that blanket really is.
The Cases
Elevate Health v. Acquity LLC (December 2025)
In December 2025, Elevate Health filed suit against its lead vendor, Acquity LLC, seeking indemnity after Elevate was named as a defendant in a TCPA class action. The underlying claim alleged that consumers had been called without prior express written consent using leads purchased through Acquity.
Elevate’s lead purchase agreement with Acquity contained a standard indemnity provision. Acquity was contractually obligated to defend Elevate against TCPA claims arising from the leads it sold and to cover any resulting damages.
The problem: Acquity could not pay. By the time Elevate triggered the indemnity clause, Acquity was in financial distress. The company had limited assets, had already been named in separate TCPA litigation, and was unable to fund either Elevate’s defense or any settlement contribution.
Elevate was left holding a piece of paper that said someone else would pay — and a very real TCPA class action that still needed to be defended and resolved with its own money.
PillPack TCPA Settlement ($6.5 Million, 2025)
PillPack, the Amazon-owned pharmacy, agreed to a $6.5 million settlement in a TCPA class action in 2025. The case centered on outbound calls made to consumers whose leads were generated by third-party lead generators.
The core issue was straightforward: PillPack was not listed on the consent forms that consumers signed. The leads were generated through health insurance comparison sites where consumers consented to be contacted by insurance-related companies. PillPack — a pharmacy — was not among them. But PillPack purchased those leads and called the consumers anyway.
PillPack’s defense was hampered by a fundamental evidentiary gap. The company could not produce consent records showing that any of the consumers had specifically agreed to be contacted by PillPack. The consent forms referenced other companies. PillPack was not one of them.
No amount of indemnity language in PillPack’s agreement with its lead vendors could fix that problem. The consent simply did not exist. PillPack was the one making the calls, PillPack was the one the consumers sued, and PillPack was the one that wrote the $6.5 million check.
Whether PillPack had recourse against its lead vendors is a separate question — and one that depends entirely on whether those vendors had the financial capacity to pay. A $6.5 million indemnity obligation can bankrupt a mid-size lead generation company overnight.
The “Cooked Up” Consent Tokens Allegation
In a development that sent shockwaves through the lead generation industry, a well-known plaintiff’s attorney — referred to within the industry as “The Wolf” — personally filed suit against a lead generator, alleging that the company had fabricated consent evidence.
The complaint alleged that the lead generator had produced consent tokens — the data artifacts that purport to prove a consumer consented — that were “cooked up” after the fact. According to the allegations, the consent tokens did not correspond to actual consumer interactions. They were manufactured to provide post-hoc cover for leads that had been generated without proper consent.
This case is still in litigation, so the allegations have not been proven. But the fact that a plaintiff’s attorney filed a case specifically targeting the integrity of consent evidence marks a shift in TCPA litigation strategy.
For years, TCPA cases focused on whether consent existed. Now, plaintiff’s attorneys are challenging whether the consent evidence itself is real. That is a different and more dangerous question for the entire lead generation industry.
Why Indemnity Fails
These three cases illustrate different failure modes, but they all arrive at the same conclusion: indemnity clauses are a second line of defense that frequently does not hold.
Failure Mode 1: The Vendor Cannot Pay
The most common failure. Lead generation is a margin business with high revenue but thin margins. Many lead generators operate as relatively small companies. When a TCPA class action produces a seven-figure judgment or settlement, the lead seller’s indemnity obligation can exceed the company’s total assets.
In Elevate Health v. Acquity, Elevate did everything right from a contractual standpoint. It negotiated an indemnity clause. It documented its right to be held harmless. But none of that mattered when Acquity could not fund the obligation.
The financial reality is that many lead vendors are one large TCPA judgment away from insolvency. Their indemnity is worth exactly what they can pay — which, in a worst-case scenario, may be nothing.
Failure Mode 2: The Consent Does Not Exist
PillPack’s $6.5 million settlement illustrates a more fundamental problem. Even if PillPack’s lead vendors had unlimited financial resources and honored their indemnity obligations dollar for dollar, the underlying legal problem would remain: PillPack was calling consumers who had never consented to receive calls from PillPack.
Indemnity does not create consent. It does not rewrite the disclosure language on a lead form. It does not add your company’s name to a consent authorization after the fact. If the consent was defective at the point of capture — if the consumer never agreed to be contacted by you — an indemnity clause is just a mechanism for shifting the cost of that deficiency. It does not eliminate the deficiency itself.
And here is the part that matters to the lead buyer: the consumer sues you, not your lead vendor. Your name goes in the complaint. Your brand takes the hit. Your executives sit for depositions. Your legal budget absorbs the defense costs. The indemnity, if it works at all, reimburses you after the damage is done.
Failure Mode 3: The Evidence Is Challenged
The “cooked up” consent tokens case introduces a third failure mode that is qualitatively different from the first two. When a plaintiff’s attorney alleges that consent evidence was fabricated, the lead buyer faces a credibility crisis that indemnity cannot address.
If a court finds that your lead vendor manufactured consent tokens, every lead from that vendor becomes suspect. Not just the leads in the lawsuit — all of them. Your entire contact history with that vendor’s leads is potentially tainted.
In that scenario, indemnity is irrelevant. You are not arguing about who pays. You are arguing about whether your company knowingly called consumers using fabricated consent, which is the kind of allegation that turns a statutory damages case into a willful violation case with treble damages.
The Indemnity Illusion
Here is the uncomfortable truth that the lead generation industry has been slow to confront: indemnity is not a compliance strategy. It is a risk-transfer mechanism. And risk transfer only works when:
- The counterparty can absorb the risk (they have the money to pay)
- The underlying liability is a cost problem, not an evidence problem
- The contractual relationship survives the litigation timeline
In practice, all three conditions frequently fail simultaneously. The lead vendor is too small to pay. The consent was defective at collection. And by the time the lawsuit concludes, the vendor has dissolved, gone bankrupt, or simply disappeared.
The industry’s reliance on indemnity clauses is a form of collective self-deception. Buyers know the clauses may not hold. Sellers know they may not be able to pay. But both sides prefer the contractual comfort to the operational work required to actually fix the problem.
What Actually Protects You
If indemnity is the illusion of protection, what is the real thing? The answer is the same as it has always been: independently verified consent evidence that you control and can produce in court.
Own Your Evidence
The PillPack case makes this point clearly. PillPack relied on its lead vendors to obtain consent on its behalf. When that consent turned out to be defective, PillPack had no independent evidence to fall back on.
The alternative: verify, at the point of lead purchase, that consent evidence exists and meets your standards. Do not take the lead vendor’s word for it. Inspect the actual consent records. If possible, use a third-party consent verification platform like eConsent that captures consent evidence independently of the lead seller’s self-reporting.
When you own your consent evidence — when you can produce a consent certificate with a timestamped session replay, the exact disclosure language, and the consumer’s affirmative action — you are not dependent on your lead vendor’s credibility or solvency. Your defense stands on its own.
Verify Before You Buy
The “cooked up” consent tokens case is a warning about what happens when lead buyers accept consent evidence at face value. A consent token is just a data point. It can be fabricated.
Independent verification means confirming that the consent event actually occurred in real time, with a real consumer, on a real form, with the correct disclosure language. That requires technology that captures the consent session as it happens — not a retrospective data export from the lead seller’s CRM.
Build Your Own Record
Every lead buyer should maintain an independent record of consent evidence for every lead purchased and contacted. That record should include:
- The consent form as it appeared at the time of submission (a snapshot, not a current URL)
- The disclosure language, including the specific company names and consent authorizations
- The consumer’s affirmative action (click, check, signature)
- Session metadata: timestamp, IP address, device information, page URL
- Any session replay or behavioral evidence capturing the consumer’s interaction with the form
This record should be stored independently of your lead vendor. If the vendor goes out of business, your evidence survives. If the vendor’s credibility is challenged, your independent record is a separate evidence source.
The Cost Calculation
Lead buyers sometimes resist investing in independent consent verification because of the per-lead cost. A consent verification service adds a few cents per lead to your acquisition cost.
Put that cost in perspective.
PillPack paid $6.5 million to settle one TCPA class action. Elevate Health is defending a class action with an indemnity clause that cannot be collected. The lead generator in the “cooked up” tokens case faces allegations that could result in treble damages.
If PillPack had spent $0.10 per lead to independently verify consent before making calls, the company would have spent a fraction of a percentage of its marketing budget — and would have caught the consent gap before it became a $6.5 million problem.
The per-lead cost of consent verification is a rounding error compared to the cost of a single TCPA class action. The math is not close.
What You Should Do Now
1. Stress-test your indemnity clauses. Review every lead purchase agreement. For each vendor, ask: if I trigger the indemnity clause for a $5 million TCPA judgment, can this vendor actually pay? If the answer is no — or if you do not know — your indemnity is worth less than you think.
2. Require consent evidence at the point of sale. Stop accepting leads without inspecting the consent evidence. Require your lead vendors to provide session-level consent records with every lead, including the disclosure language, the consumer’s action, and the session metadata.
3. Implement independent verification. Use a third-party consent verification platform to capture or validate consent evidence independently of your lead vendors. Your evidence should not depend on your vendor’s honesty or survival.
4. Audit your current lead inventory. For leads you have already purchased and plan to contact, verify that consent evidence exists and meets current standards — including one-to-one consent identifying your specific company. If the evidence is missing or defective, do not call. The cost of suppressing a bad lead is infinitely less than the cost of calling one.
5. Rebalance your risk budget. If you are spending money on indemnity insurance or legal reserves to cover TCPA exposure from purchased leads, consider redirecting some of that budget toward consent verification. Prevention is cheaper than defense, and evidence is more reliable than indemnity.
The lead generation industry built itself on contracts and handshakes. For two decades, indemnity clauses were the mechanism that allowed lead buyers to feel protected while outsourcing consent compliance to their vendors. That model is breaking. The cases from the past six months have made it clear: when the lawsuit arrives, you are alone with your evidence.
Make sure your evidence is worth something.