Compliance-First Lead Sourcing: Vetting Third-Party Lead Vendors Under FCC and State Regulations
Buying third-party leads without auditing the vendor behind them is one of the fastest ways to inherit someone else's compliance liability. This guide walks agency operators through the exact steps to vet vendors, document consent, and build an ongoing monitoring process that holds up under regulatory scrutiny.
How does the FCC one-to-one consent ruling affect third-party lead sourcing?
The FCC's one-to-one consent rule eliminates the comparison-shopping loophole that allowed lead generators to bundle consent for multiple unnamed sellers in a single form submission. Consent must now name a single seller explicitly before the consumer submits data, meaning any lead purchased from a multi-seller comparison flow is presumptively non-compliant.
This change forces a structural audit of every lead source in your portfolio. Affiliate networks and aggregator flows that previously embedded broad consent language covering dozens of buyers must now produce leads where your agency's name appears on the original form. According to analysis from Convoso, this ruling requires a full overhaul of how lead generation flows are architected, not just a contract amendment. If you are running outbound dialing on shared internet leads, confirming the one-to-one naming requirement is now a pre-purchase checklist item, not an afterthought. Kadence's Voice AI connects only to leads tied to a logged consent record, so noncompliant sources are blocked at the point of dial rather than discovered during an audit.
What compliance steps should be included in an insurance lead vendor audit?
A lead vendor audit must confirm four things: auditable consent proof for each record, clear and conspicuous consent language, a written contract defining vendor responsibilities, and a documented exit plan for data transfer at termination. One-time contract reviews are not sufficient; ongoing monitoring is the standard expected under SEC-style vendor oversight principles.
Each of those four pillars has a concrete deliverable. For consent proof, the vendor must supply the exact landing page URL, consent language as it appeared to the consumer, a timestamp, and a source record identifier for each lead. For consent language, the copy must state who will contact the consumer and for what purpose before the form is submitted, not buried in a terms-of-service link. Vendor contracts should define data handling, breach notification timelines, and your right to audit. The termination clause should specify how data is returned or destroyed, a requirement that mirrors the vendor oversight framework described in guidance from COMPLY on SEC-proposed service-provider rules. Log every vendor review with a date and the reviewer's name so you have a paper trail if a regulator asks.
How do I verify that a vendor's consent language actually meets the standard?
Request the live landing page or a certified screenshot showing the consent language as a consumer sees it, including all pre-checked boxes, fine print, and the submit button. Consent must be logically and topically related to the site where it was collected, so a health-comparison form cannot generate valid consent for a life insurance outbound call.
The Astoria Company's compliance guide for insurance leads identifies a recurring failure mode: consent language is technically present but not clear and conspicuous because it is styled in gray text below the fold or bundled into a generic privacy policy acknowledgment. Ask vendors to show you a mobile rendering of the form, since that is where most opt-ins occur. Run the language against a plain-language test: can a consumer reading it once understand who will call them and why? If the answer requires a lawyer, the language will not survive a consumer complaint. Document your review with a screenshot archive dated and signed by whoever conducted the check.
When do state data privacy laws apply to insurance agency lead lists?
State data privacy laws apply when an agency processes personal data above each state's volume threshold, regardless of where the agency is headquartered. Indiana's 2026 law covers entities processing data on 100,000 or more consumers, or 25,000 or more if at least 50 percent of revenue comes from selling personal data. Rhode Island's 2026 law sets thresholds at 35,000 residents, or 10,000 if 20 percent of revenue comes from selling personal information.
For agencies buying multi-state lead lists, these thresholds can be reached faster than expected once aggregated across all active campaigns. Baker Donelson's review of 2026 state privacy law expansions notes that new states are adding or tightening consumer data rights each legislative cycle, which means a compliance posture built only around current federal rules will lag the actual risk surface. Practically, this means your CRM must be able to flag leads by state of residence, log consent revocations with timestamps, and suppress contacts by jurisdiction when a state-level right-to-delete or opt-out request arrives. Kadence's CRM stores consent metadata at the contact level so suppression can be applied by state, source, or revocation date without manual spreadsheet management.
How does FTC Telemarketing Sales Rule recordkeeping impact third-party leads?
The FTC's Telemarketing Sales Rule requires telemarketers and lead buyers to retain marketing and consent records for 24 months. Consent is only valid for calls made within 30 days of the original opt-in, unless the consumer has made a purchase from the seller within the last 18 months, which resets the eligibility window.
The 30-day window is the operational pinch point for agencies that buy batched or aged leads. A lead file delivered 45 days after opt-in is presumptively outside the compliant call window under the TSR, even if the consent language was perfect. Your intake process should timestamp every lead at point of purchase and flag records where the consent date is unavailable or older than 30 days before they enter a dialing sequence. The FTC's guidance on complying with the Telemarketing Sales Rule also requires maintaining records of the source and nature of leads, not just call logs. Build your record-retention workflow so that consent documentation, call logs, and DNC suppression activity are stored together in a single retrievable file per contact for the full 24-month period.
How do I run DNC scrubbing correctly for purchased lead lists?
Internal Do Not Call scrubbing is a mandatory operating control: run every purchased list against your internal suppression file before any dial attempt, and log every revocation within 24 hours of receipt. Federal DNC compliance requires scrubbing against the National DNC Registry, but your internal list is equally binding and must be maintained separately.
The failure point for most agencies is the gap between when a revocation is received and when it is reflected in the active dialing queue. If a consumer who previously opted out appears in a newly purchased batch, the suppression file must catch them before the first dial, not after a complaint. Revocations received via call, email, text, or written request all count. Log the channel, the date, and the agent who received it. Kadence ties DNC suppression directly to the outbound dialing layer, so a revocation logged in the CRM blocks the number from entering any Voice AI sequence without a manual override. For a deeper look at building a compliant outreach workflow, see how to build a compliant insurance outreach sequence and speed-to-lead systems for insurance agencies.
Sources
- Essential Compliance Guide for Insurance Leads and Calls
- Ensuring Vendor Compliance: A Strategic Guide to Vetting Third ...
- What the SEC's proposed vendor due diligence rule means | COMPLY
- [PDF] LEAD GENERATORS' DUE DILIGENCE - Venable LLP
- Privacy Laws Ring in the New Year: State Requirements Expand ...
- Complying with the Telemarketing Sales Rule
- SEC Proposes New Requirements for Adviser Oversight of Service ...
- How One-to-One Consent is Transforming Lead Generation - Convoso
The steps
- Map every active lead source and its consent origin. List every vendor, affiliate, and aggregator supplying leads to your agency. For each source, document where the consumer originally submitted data, what consent language was shown, and whether your agency's name appeared on that form before submission. Sources that cannot answer all three questions move to a hold status until verified.
- Request auditable consent proof from each vendor. Ask each vendor to supply the live landing page URL or a certified screenshot, the exact consent language as displayed to the consumer, a timestamp format for each lead record, and a unique source identifier. Reject any vendor that provides only a contract clause instead of record-level proof. File the documentation with a review date and reviewer name.
- Verify one-to-one consent naming compliance. Confirm that your agency is named explicitly on the original consent form, not listed generically as one of many potential sellers. For leads sourced from comparison sites or affiliate networks, request a sample of five to ten records and trace each back to the originating form. Any flow that still uses bundled multi-seller consent language is non-compliant under the FCC's one-to-one ruling and must be removed from your active sourcing pipeline.
- Scrub lists against internal DNC and apply state-level suppression. Before any purchased list enters a dialing or nurture sequence, run it against your internal suppression file and the National DNC Registry. Flag leads by state of residence and apply any applicable state data privacy suppression rules. Log the scrub date and the suppression file version used so you can demonstrate the control was applied at a specific point in time.
- Check consent date against FTC TSR's 30-day call window. Timestamp every lead at point of purchase and compare it against the original opt-in date supplied by the vendor. Leads where consent was obtained more than 30 days before your intended first dial are outside the FTC Telemarketing Sales Rule's valid call window unless the consumer has made a purchase from your agency within the last 18 months. Flag out-of-window records and either re-verify consent or remove them from the dialing queue.
- Encode vendor responsibilities and termination data handling in the contract. Ensure every vendor contract defines data handling standards, breach notification timelines, your right to conduct audits, and a termination clause specifying how lead data is returned or destroyed. Written contract terms are a baseline expectation under SEC-style vendor oversight principles. Review contracts annually and whenever a vendor changes ownership, technology stack, or lead sources.
- Build a continuous monitoring schedule and retain records for 24 months. Schedule quarterly vendor re-audits and set a process to re-audit immediately after any change to a vendor's consent flow or affiliate mix. Retain all consent documentation, call logs, and DNC suppression records for at least 24 months as required by the FTC Telemarketing Sales Rule. Store records in a system that allows retrieval by contact, date range, and vendor source within one business day of a regulator or consumer request.
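The steps above, together with the TSR window check and the DNC scrub described earlier, folded into one intake gate as an added example that is not part of the original article or Kadence's product: a Python scrub that holds a purchased lead unless it carries record-level consent proof, names the agency as the single seller, sits inside the 30-day window (or the 18-month purchase reset), clears both the internal suppression file and the National DNC Registry, and is not under a state-level suppression, and that logs the scrub date and suppression file version. The agency name, field names, phone numbers, dates and suppression sets are constructed placeholders, and the 18-month reset is approximated as 548 days.

```python
from datetime import datetime, timedelta

AGENCY = "Example Agency"             # assumed name standing in for your agency
CONSENT_WINDOW = timedelta(days=30)   # TSR: dial within 30 days of the opt-in
PURCHASE_RESET = timedelta(days=548)  # a purchase within ~18 months resets that window
PROOF_FIELDS = ("landing_page_url", "consent_text", "consent_ts", "source_id")

def vet_lead(lead, internal_dnc, national_dnc, suppressed_states, dial_date):
    """Return the compliance failures for one lead; an empty list means it may be queued."""
    failures = []
    # 1. Auditable consent proof: URL, consent copy, timestamp and source id per record.
    missing = [f for f in PROOF_FIELDS if not lead.get(f)]
    if missing:
        failures.append("missing consent proof: " + ", ".join(missing))
    # 2. One-to-one consent: the form named this agency alone, not a list of sellers.
    if lead.get("named_sellers") != [AGENCY]:
        failures.append("consent form does not name this agency as the single seller")
    # 3. TSR call window, measured from the vendor-supplied opt-in to the planned dial.
    if lead.get("consent_ts"):
        age, purchase = dial_date - lead["consent_ts"], lead.get("last_purchase_ts")
        if age > CONSENT_WINDOW and not (purchase and dial_date - purchase <= PURCHASE_RESET):
            failures.append(f"consent is {age.days} days old, outside the 30-day window")
    # 4. The internal suppression file and the National DNC Registry are checked separately.
    for name, registry in (("internal DNC file", internal_dnc), ("National DNC Registry", national_dnc)):
        if lead.get("phone") in registry:
            failures.append(f"number is on the {name}")
    # 5. State-level suppression (opt-out or right-to-delete request on file for that state).
    if lead.get("state") in suppressed_states:
        failures.append(f"contacts in {lead['state']} are suppressed by state request")
    return failures

def scrub_batch(leads, internal_dnc, national_dnc, suppressed_states, dial_date, file_version):
    # The log records when the scrub ran and which suppression file version was applied.
    log = {"scrubbed_at": dial_date.isoformat(), "suppression_file": file_version, "eligible": [], "held": {}}
    for lead in leads:
        reasons = vet_lead(lead, internal_dnc, national_dnc, suppressed_states, dial_date)
        key = lead.get("source_id") or "<no source id>"
        if reasons:
            log["held"][key] = reasons
        else:
            log["eligible"].append(key)
    return log

# Constructed sample data (placeholder numbers and dates): planned dial date, suppression sets, vendor batch.
DIAL = datetime(2026, 3, 1)
INTERNAL_DNC, NATIONAL_DNC, SUPPRESSED = {"5550002"}, set(), {"RI"}
SAMPLE = [
    {"source_id": "v1-0001", "landing_page_url": "https://vendor.example/quote", "consent_text": "Example Agency may call you about life insurance.", "consent_ts": datetime(2026, 2, 20), "named_sellers": ["Example Agency"], "phone": "5550001", "state": "IN"},
    {"source_id": "agg-7", "landing_page_url": "https://compare.example/health", "consent_text": "Our partners may contact you.", "consent_ts": datetime(2026, 1, 1), "named_sellers": ["Example Agency", "Other Co"], "phone": "5550002", "state": "TX"},
    {"source_id": "", "landing_page_url": "", "consent_text": "", "consent_ts": None, "named_sellers": [], "phone": "5550003", "state": "RI"},
]
```

Running `scrub_batch(SAMPLE, INTERNAL_DNC, NATIONAL_DNC, SUPPRESSED, DIAL, "supp-2026-03-01")` passes only the first record; the aggregator lead is held for three reasons (multi-seller consent, 59 days old, internal DNC) and the third for missing proof, no named seller and the state suppression.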
Frequently asked questions
How long must an insurance agency keep consent records for purchased leads?
The FTC Telemarketing Sales Rule requires retaining marketing and consent records for 24 months from the date of the activity. This applies to the consent documentation itself, call logs, and DNC suppression records. Store all three together in a single retrievable file per contact so a regulator request can be answered in one pull.
What happens if a lead vendor cannot produce the original consent record for a lead?
A vendor that cannot produce the landing page, consent language, timestamp, and source record for a lead has not met the auditable proof standard. Treat that lead as non-compliant and remove it from any dialing or nurture sequence before first contact. No contract clause indemnifies an agency from placing a call on a consent record that does not exist.
Does the FCC one-to-one consent rule apply to leads purchased before the ruling took effect?
Leads purchased before the rule took effect and already in your CRM should be reviewed against the new standard before re-engagement. If the original consent form named multiple sellers or no seller by name, the consent no longer meets the one-to-one requirement. Confirm re-engagement eligibility with compliance counsel before dialing legacy lists.
How often should an insurance agency re-audit an active lead vendor?
Re-audit active vendors at least quarterly, and immediately after any change to their landing pages, consent flows, or affiliate partners. Vendor oversight principles drawn from SEC guidance on service-provider due diligence treat monitoring as continuous, not periodic. A vendor that passed a January audit can fail a July audit if its form language or source mix changed.
Written by
Kadence Team
Kadence is the growth system for life insurance teams: a CRM with Voice AI, an AEO website, and done-for-you content. We write about speed to lead, AI search, CRM hygiene, and the systems that help agencies win more policies.