TCPA compliance posture
Effective January 1, 2026
Leadality is designed to meet the consent + recordkeeping obligations of the Telephone Consumer Protection Act (47 U.S.C. § 227), the related FCC rules, and the parallel state telemarketing laws. This page explains how — both as a customer FAQ and as a roadmap for the attorney's annual review.
1. Consent architecture (FCC one-to-one)
In December 2023 the FCC adopted a rule requiring prior express written consent to be specific to a single seller (the "one-to-one" rule). The Eleventh Circuit vacated that rule in January 2025, but the underlying TCPA still requires consent to clearly identify who will be contacting the consumer. Our policy is to behave as if the one-to-one rule is in force, because:
- It is the safer posture against future re-promulgation
- It defeats class actions that allege ambiguous consent
- It matches what sophisticated buyers (e.g., national carriers requiring TrustedForm) already require
What this looks like in practice: every consent disclosure on a Leadality landing page names the specific Agency (and its legal entity) that will contact the consumer. There is no "and partners" or "and affiliates" language. Consent is to one seller, period.
2. Disclosure copy (versioned)
The exact disclosure text shown to each consumer at the moment of consent is stored on every opt_ins row, along with a version identifier (e.g., tcpa-2024-01). When the copy changes, we bump the version and write a new entry — prior consents stay valid under their original version. This makes consent provable on a specific date with specific wording.
3. The immutable consent ledger
Every consent is written to an append-only opt_ins table containing:
- Lead identifier + Agency identifier
- The consumer's name, email, and E.164 phone number at the time of consent
- The exact disclosure text and version shown
- Consent channel (web form, SMS reply, etc.)
- The landing-page URL the consent was given on
- The consumer's IP address and browser user agent
- Server-issued timestamp
- (Where contracted) a TrustedForm certificate URL from ActiveProspect for third-party witness
The ledger has no UPDATE or DELETE policy in the database — even the application cannot modify it. Plaintiff lawyers typically drop TCPA cases when this row can be produced.
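One way to enforce and test the append-only property described above, as an added example that is not Leadality's own code. It substitutes SQLite triggers for the database policies the page refers to; the column subset, function names and sample values are assumptions made for illustration.

```python
import sqlite3

# Hypothetical subset of the opt_ins columns listed above.
SCHEMA = """
CREATE TABLE opt_ins (
    id                 INTEGER PRIMARY KEY,
    lead_id            TEXT NOT NULL,
    agency_id          TEXT NOT NULL,
    phone_e164         TEXT NOT NULL,
    disclosure_text    TEXT NOT NULL,
    disclosure_version TEXT NOT NULL,
    channel            TEXT NOT NULL,
    -- Server-issued timestamp: set by the database, never by the caller.
    created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
CREATE TRIGGER opt_ins_no_update BEFORE UPDATE ON opt_ins
BEGIN SELECT RAISE(ABORT, 'opt_ins is append-only'); END;
CREATE TRIGGER opt_ins_no_delete BEFORE DELETE ON opt_ins
BEGIN SELECT RAISE(ABORT, 'opt_ins is append-only'); END;
"""

def open_ledger():
    """Create an in-memory ledger with the append-only triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def record_consent(conn, lead_id, agency_id, phone, text, version, channel):
    """Append one consent row; the exact disclosure text is stored with it."""
    cur = conn.execute(
        "INSERT INTO opt_ins (lead_id, agency_id, phone_e164, disclosure_text,"
        " disclosure_version, channel) VALUES (?, ?, ?, ?, ?, ?)",
        (lead_id, agency_id, phone, text, version, channel))
    conn.commit()
    return cur.lastrowid

def is_rejected(conn, sql):
    """Return True if the ledger refused the statement, False if it ran."""
    try:
        conn.execute(sql)
        conn.commit()
        return False
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
```

In a production database the same guarantee also depends on the application role having no right to drop the triggers or alter the table.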
4. TrustedForm certificates
For Agency Customers on Team or Agency tiers, every consent submission additionally mints a TrustedForm certificate from ActiveProspect, Inc. (a neutral third party). The certificate contains a session recording, IP, geolocation, timestamp, and a page screenshot, independent of Leadality's own records. The certificate URL is stored on the corresponding opt_ins row.
5. Suppression cascade
Before any outbound contact (email, SMS, voice), we check a composite suppression_list table populated from:
- National Do Not Call Registry (federal DNC scrub via contracted provider)
- Internal DNC (any consumer who asks us or any Agency to stop)
- STOP keyword replies (SMS)
- Unsubscribe link clicks (email)
- Hard bounces (email — auto-suppress on Resend webhook)
- Spam complaints (email — auto-suppress on Resend webhook)
- Known TCPA litigator lists (where licensed from a compliance vendor)
A consumer matching any of these is dropped silently from outbound queues. We never reveal suppression status to the consumer.
6. Revocation
Revocation is honored on all channels:
- SMS: reply STOP (or STOPALL / UNSUBSCRIBE / CANCEL / END / QUIT)
- Email: click the unsubscribe link in any message (RFC 8058 one-click + visible footer link)
- Voice: tell the Agency representative — they are contractually required to log it back to Leadality
- Website: email privacy@leadality.ai
The unsubscribe link is a cryptographically signed token (HMAC-SHA256) with a 90-day TTL — recipients cannot forge an unsubscribe for someone else, and old links remain valid for legitimate use long after sending. Once revoked, both phone and email are added to the suppression list, and the lead's status is updated to suppressed.
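A sketch of a signed unsubscribe token with the properties described above (HMAC-SHA256, 90-day TTL), added here as an illustration and not taken from Leadality's code. The payload layout, function names, demo key and lower-casing of the address are assumptions.

```python
import base64
import hashlib
import hmac
import time

TTL_SECONDS = 90 * 24 * 3600            # 90-day TTL stated on the page
SECRET = b"constructed-demo-key"        # assumption: real key comes from a secret store

def b64e(data: bytes) -> str:
    """URL-safe base64 without padding, suitable for a link parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def make_token(recipient: str, agency_id: str, now=None, key=SECRET) -> str:
    """Bind the token to one recipient and one Agency at an issue time."""
    issued = int(time.time() if now is None else now)
    # Recipient goes last so a '|' inside an address cannot shift fields.
    payload = f"{issued}|{agency_id}|{recipient.lower()}".encode()
    return f"{b64e(payload)}.{b64e(sign(payload, key))}"

def verify_token(token: str, now=None, key=SECRET):
    """Return (agency_id, recipient) for a valid, unexpired token, else None."""
    try:
        body, sig = token.split(".")
        payload, mac = b64d(body), b64d(sig)
        # Constant-time comparison, done before any field is parsed.
        if not hmac.compare_digest(mac, sign(payload, key)):
            return None
        issued, agency_id, recipient = payload.decode().split("|", 2)
        age = (time.time() if now is None else now) - int(issued)
    except ValueError:                  # malformed base64, UTF-8 or field count
        return None
    # Reject expired tokens and tokens dated in the future.
    return (agency_id, recipient) if 0 <= age <= TTL_SECONDS else None
```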
7. AI SMS conversations
Leadality offers an AI-driven SMS opt-in flow (powered by Twilio + Anthropic Claude). The first outbound SMS is sent only after the consumer initiates, either by submitting a web form, replying to a keyword shortcode, or clicking a tracked link in an email. The opening message contains the full disclosure and requires an explicit YES before any further messages. The complete conversation transcript is stored as part of the consent record.
8. CAN-SPAM compliance (email)
Every email we send on behalf of an Agency includes:
- Honest header information (no spoofed From / Reply-To)
- A non-deceptive subject line (validated programmatically — no "Re:" or "Fwd:" on cold outreach)
- The Agency's physical postal address in the body
- A visible unsubscribe link
- The List-Unsubscribe and List-Unsubscribe-Post: List-Unsubscribe=One-Click headers (RFC 8058) for Gmail/Yahoo bulk-sender compliance
9. State-specific addenda
TCPA is federal, but several states have stricter requirements:
- Florida (FTSA): aligned with our federal-only posture
- Texas: Agencies must hold a Texas Telephone Solicitation Act registration to make cold calls into TX. We surface this requirement on signup.
- Washington (CEMA): stricter SMS rules — we apply a state-aware template variant
- California, Virginia, Colorado, Connecticut, Texas, Oregon (and any future state privacy law): right-to-delete handled per our Privacy Policy
- New York / New Jersey: stricter call-recording consent — disclosure includes notice
10. Annual attorney review
TCPA and state privacy laws change frequently. Our disclosure copy and compliance procedures are reviewed annually by a licensed attorney. When copy changes, the version identifier is bumped, prior consents remain valid under their version, and Agency Customers receive 30 days' notice before the new version takes effect.
11. Questions
Compliance questions: compliance@leadality.ai