TCPA After the 11th Circuit: What Still Counts as Proof of Consent on a Lead Form in 2026
One-to-one consent is gone. The evidentiary burden on lead buyers and sellers remains in full force. Here is what a defensible TCPA record actually looks like today.
The FCC’s one-to-one consent rule was vacated by the 11th Circuit in January 2025 and formally eliminated in September 2025. But TCPA proof of consent on a lead form is still required. In 2026, defensible consent means a tamper-evident record of the exact language shown, the checkbox state, the IP, the timestamp, and the identity of the seller. Screenshots and raw logs no longer hold up in court.
A lead buyer calls a consumer they purchased from an affiliate network three weeks earlier. The consumer does not remember opting in. A plaintiff’s attorney files a TCPA class action and subpoenas the consent record. Your team pulls a log file, a CRM entry, and a screenshot of the form “as it appears today.” The judge asks: what did this specific consumer see, at this specific moment, on this specific device?
That is the question the 11th Circuit did not answer for you. And it is still the question that decides whether you pay five figures per violation or walk away clean.
If you run lead generation, buy consumer leads, or operate a business that makes contact calls or texts, the legal landscape around TCPA proof of consent looks different in 2026 than it did eighteen months ago. Some of what changed is good news. Some of it is a trap. This piece walks through both.
What the 11th Circuit actually changed
In January 2025, the Eleventh Circuit Court of Appeals issued its ruling in Insurance Marketing Coalition v. FCC, vacating the FCC’s one-to-one consent rule before it ever took effect. The court held that the TCPA does not authorize the FCC to require a consumer to consent to a single, specifically identified seller in order to receive telemarketing calls or texts. In September 2025, the FCC issued a final rule formally eliminating the one-to-one requirement.
For lead generation, that means the following is no longer required:
- Listing every seller by name on the consent form
- Limiting consent to sellers whose products are “logically and topically related” to the form’s subject matter
- Obtaining a separate consent checkbox for each seller
A single clearly worded consent disclosure that references a list of partners, whether on-page or linked, is once again legally acceptable. That is the win.
Many lead generators read the ruling and assumed TCPA compliance just became simpler. It did, in one narrow respect. The formatting rules relaxed. The evidentiary burden did not.
The evidentiary burden that survived
The TCPA still requires prior express written consent before a business places an autodialed or prerecorded telemarketing call or text to a cell phone. The statute has not changed. The private right of action, with statutory damages of $500 per violation and up to $1,500 per willful violation, has not changed. The four-year statute of limitations has not changed.
What plaintiffs’ lawyers need to prove has not changed either. When a TCPA case lands, the merchant is asked to produce evidence that the specific consumer, at a specific moment, saw a specific disclosure, and affirmatively consented. That burden sits on the business, not the consumer.
Over the last two quarters, plaintiffs’ firms have adapted fast. Settlement demands no longer hinge on one-to-one technicalities. They hinge on whether the defendant can produce a complete, tamper-evident record of the consent moment. When that record is missing or reconstructible only from server logs, settlement pressure climbs.
What a defensible TCPA record looks like in 2026
Courts and arbitration panels have become far more specific about what they expect when reviewing TCPA consent evidence. A PDF export of the current lead form is not enough. Neither is a timestamp in a CRM field. The bar is now a reconstruction of the consent interaction.
A reconstruction answers three questions without ambiguity:
- What did the consumer see? Not the form as it appears today, but the rendered HTML the consumer’s browser displayed at the moment of consent, including any AB test variant.
- What did the consumer do? Did the checkbox state change from unchecked to checked? Was the submit button clicked from that device? Was any field prefilled from a URL parameter or cookie?
- Who and what device was it? IP, user agent, geolocation signals, and any bot-detection score for the session.
If your current consent stack cannot produce all three, your TCPA defense is improvised, not prepared.
The 5 evidence elements every captured consent needs
Across the TCPA cases that have settled or gone to verdict since the 11th Circuit ruling, a consistent shortlist of evidentiary elements has emerged. Every captured consent record should contain all five.
1. The rendered consent language, verbatim
Not a reference, not a URL, but the actual string the consumer read, stored as part of the lead record. If you change the disclosure language in July, the June leads still need the June language preserved.
2. The interaction state, not just the outcome
A checkbox that was unchecked and then checked tells a different story than a checkbox that was prechecked. Your record should capture the before and after state, and the user action that flipped it.
3. A trusted, externally verifiable timestamp
Server clocks drift. A timestamp signed by an external trust authority, or cryptographically chained to other session records, removes the argument that your log was edited after the fact.
4. Device and network context
IP address, user agent, and any bot-detection signal captured at the session level. This connects the consent to a real, non-fraudulent human session.
5. The seller context
Even though one-to-one is gone, naming the seller list (or providing a retained snapshot of the partner page) remains the clearest way to defeat a “I never consented to hear from this company” argument. Consent specificity is the single most predictive factor in TCPA defense outcomes.
Most TCPA defense packages cover items 1 and 3. The missing pieces are almost always items 2, 4, and 5 together. Without the interaction state, the device context, and the seller snapshot, a judge is being asked to trust your summary of events. With them, your summary is corroborated by the session itself.
Where merchants still get sued
Post-2025, the plaintiff’s bar has consolidated around three attack patterns. None of them were neutralized by the ruling.
Attack one: the reconstruction gap. Plaintiff alleges a call or text was placed without consent. Merchant produces a CRM record and server log. Plaintiff’s expert demonstrates that the log could have been generated by a script, not a consumer. Without session-level evidence, the merchant settles.
Attack two: the variant mismatch. Merchant produces the “current” consent form. Discovery reveals the lead was captured during an AB test with a different disclosure. Merchant cannot produce the variant the consumer saw. Merchant settles.
Attack three: the revocation argument. Consumer claims they revoked consent. Merchant cannot produce a clean audit trail showing revocation state over time. Plaintiff argues any contact after an alleged revocation is willful, tripling damages. Merchant settles hard.
The pattern is consistent. The substantive rule did not shift after the 11th Circuit decision. The burden of proof shifted to whoever has the cleaner record, and courts are more willing than ever to treat gaps in that record as dispositive.
Closing the gap with digital interaction evidence
If your consent stack today relies on form submissions stored in a CRM, a compliance checklist, and periodic screenshots of live pages, you have the compliance structure of 2019. The litigation environment has moved past it.
The fastest way to close the gap is to treat every form submission as a potential future legal exhibit. That means capturing, on submission, the full rendered state of the page, the interaction timeline, the device and network context, and a tamper-evident timestamp, and retaining all of it for at least the four-year TCPA statute of limitations.
This is exactly the gap Evidora was built to close. A single line of code on the lead form captures a court-ready evidence record for every submission, with the exact rendered consent language, the interaction state, the IP and user agent, a trusted timestamp, and a bot-detection score. You retain what you need, expire what you do not, and produce a complete reconstruction in seconds when a demand letter arrives.
For more on how evidence quality moves the outcome of disputes and TCPA cases, see our guide to what actually wins disputes and an overview of how Evidora captures form consent. For the FCC’s document on the one-to-one consent rule and the statutory text, see the FCC’s one-to-one consent rule document and the 47 U.S.C. § 227 text.
Frequently asked questions
Is the FCC one-to-one consent rule still in effect in 2026?
No. The 11th Circuit vacated the rule in January 2025 in Insurance Marketing Coalition v. FCC, and the FCC issued a final rule in September 2025 formally eliminating the one-to-one consent requirement. Consent from a single, clearly worded disclosure is once again acceptable under the TCPA.
Does that mean TCPA consent rules are easier now?
The formatting rule relaxed, but the evidentiary burden did not. You still need prior express written consent with documented, retainable proof of the exact consent language, timestamp, IP, and the form state the consumer saw. Plaintiffs’ attorneys continue to file TCPA class actions against merchants who cannot reproduce that record.
What qualifies as defensible TCPA proof of consent in 2026?
A defensible record captures at minimum: the exact consent text displayed, a screenshot or rendered reproduction of the page, the consumer’s IP address, the user agent, a trusted timestamp, and the identity of the seller or sellers the consumer agreed to hear from. The record must be tamper-evident and stored for the duration of the statute of limitations, which is typically four years.
Do I still need to name each seller on the consent form?
Not as a regulatory mandate. The 11th Circuit held that the TCPA does not require a one-to-one seller listing. But naming the seller remains a best practice for evidentiary clarity, and consent language that is vague about who will contact the consumer is still a common loss factor in TCPA litigation.
How long should I retain TCPA consent evidence?
The federal TCPA statute of limitations is four years. Some state consumer protection laws extend longer. A safe retention floor is four years from the date of last communication, with many compliance programs retaining for five years to cover edge cases.
Are screenshots of the lead form enough to win a TCPA case?
Rarely. A screenshot taken after the fact does not prove what the consumer saw at the moment of consent. Courts increasingly expect session-level reconstruction tied to the specific lead record, including the actual HTML state, the consent checkbox status, and a tamper-evident timestamp.
How does Evidora help with TCPA proof of consent?
Evidora captures a tamper-evident record of every form submission, including the rendered consent language, IP, user agent, timestamp, and session interactions. When a TCPA claim lands, you can produce a complete reproduction of what the consumer saw and agreed to, rather than reconstructing it from logs.
Turn every lead form into a defensible record
Evidora captures court-ready TCPA consent evidence on every submission. One line of code. Retain what matters, expire what does not, produce complete reconstructions when a demand letter arrives.
See how it works →