Consent Resolve
Compliance & Privacy Blog

Is Buying a Homeowner Lead List Legal?

The straight answer to a question a lot of contractors quietly wonder about: is it actually legal to buy a list of homeowners and market to them? Here's the real legal picture — federal and state.

By Tyler Spurlock, Account Manager at Consent Resolve 7 min readReviewed by Stefan Dimitrov, Head of Engineering

The question contractors ask quietly

Somebody offers you a spreadsheet of 5,000 homeowners in your service area for a few hundred dollars, and a reasonable question pops into your head before you buy: is this even legal? It’s the right question, and the answer is more useful than a flat yes or no. Buying the list usually isn’t the illegal part. What you do next is where the law lives.

Let me walk through the actual legal picture — federal first, then the state laws that have changed the game — and then a path that skips the whole question. This is general information, not legal advice.

Buying vs. using: the line that matters

Data changes hands legally all the time. So owning a purchased list, on its own, generally isn’t a crime. The exposure starts the moment you contact the people on it, because the law you’re now up against isn’t about who holds the data — it’s about who agreed to be reached.

That’s the trap in the pitch. A bought or rented list isn’t a list of people who want to hear from you. It’s a list of people who agreed to something, somewhere, on terms you can’t see and can’t prove. When you dial or text them, the burden of showing they consented lands on you — and you’re holding nothing.

The federal law: TCPA

The big one is the TCPA. It carries statutory damages of $500 to $1,500 per unsolicited call or text, and — this is the part that makes it dangerous — a private right of action. That means the homeowner who got your text can sue you directly; no regulator has to get involved. Multiply $500 across a few thousand strangers on a purchased list and the “cheap” list becomes the most expensive marketing decision of the year. These numbers aren’t a prediction about your shop. They’re the reason it’s worth never being in range of them.

The state laws that changed the game

Federal law was only ever half the picture, and the state half has grown teeth fast.

California’s CIPA adds $5,000 per violation and is mass-filed by plaintiffs’ firms hunting for exactly the pattern a bought list creates. California’s CCPA (Civil Code §1798.155) regulates how personal information is collected, sold, and used, and gives regulators real penalties to hand out. And the Texas TDPSA now governs the same territory for Texas residents.

Here’s the newer wrinkle that should give any list-buyer pause: regulators are going after the sellers, not just the users. The Texas Attorney General sued Allstate and its Arity subsidiary over collecting and selling tens of millions of people’s data without proper consent. That case is about driver data, but the principle travels: when the collection and sale of consumer data is itself unlawful, the list you bought may be carrying problems that started long before it reached your inbox. You didn’t create those problems — but by contacting the list, you’d be the one standing in front of the person who got the message.

So what’s the safer path?

The cleanest way to stay out of all of this isn’t a better list. It’s to stop contacting strangers altogether and only reach people who agreed to hear from you on your own turf.

That’s what consent-first identification does. Instead of a spreadsheet of people who agreed to nothing you can show, you capture homeowners who came to your website, on their own, and accepted a clear consent banner — each one logged with a timestamp. You know exactly who agreed, when, and to what. The lead is exclusive to you, never resold, and it comes with a receipt you own rather than someone else’s assumptions.

And the follow-up is the part that keeps you clean. With consent-first, you never get handed a phone number to cold-dial. Leads are email-grade, dropped into the funnel you already run — Jobber, Housecall Pro, ServiceTitan, Klaviyo, GoHighLevel — so you reach people who agreed to hear from you, by the channel that carries the least risk. The behavior that triggers TCPA and CIPA claims simply isn’t on your menu.

  • Don’t contact rented strangers. A list you can’t prove consent for is liability with a price tag, not an asset — and the law cares about the contact, not the purchase.
  • Capture the people already on your site, on consent, with a clear banner. They found you on purpose.
  • Follow up by email, into your existing funnel, never a cold call or text to a number you bought.
  • Keep the receipt. A timestamped consent log and a 7-year audit trail mean the proof exists before anyone asks for it.

The whole thing costs a flat $7 per lead, exclusive and never resold — a fraction of what a single TCPA claim would run you, and without inheriting a data broker’s legal baggage. The comparison guides show what each lead channel actually costs, in fees and in exposure, and every figure here is sourced on our stats page.

”But it’s an opt-in list” and other reassurances

Sellers of contact lists have a set of comforting lines, and it’s worth knowing what each is actually worth before you lean on it.

“It’s an opt-in list.” Opt-in to what, and to whom? A homeowner who checked a box on some unrelated website years ago did not agree to hear from your roofing company. Consent under the TCPA generally has to be specific, and consent you can’t produce on demand isn’t much of a defense. If the seller can’t hand you a clear, per-person record of what each contact agreed to, treat “opt-in” as marketing, not protection.

“We scrub against the Do Not Call registry.” Helpful, but narrow. The registry covers certain calls; it doesn’t grant you consent, and it does nothing for the CIPA, CCPA, or TDPSA questions around how the data was gathered and used in the first place. A scrubbed list of strangers is still a list of strangers.

“Everyone in the trade buys lists.” Common isn’t the same as safe. The private right of action baked into the TCPA means it only takes one recipient who knows the law to turn a routine campaign into a demand letter, and enforcement of the state statutes has been climbing, not fading.

The through-line is simple: every reassurance is about the seller’s paperwork, not your protection. When the person who got your text asks a court where their consent came from, the seller’s assurances aren’t the ones on the hook. You are. That’s why capturing your own consenting visitors — where you hold the record — is a fundamentally different position than trusting someone else’s list. This is general information, not legal advice.

The honest bottom line

Is buying a homeowner lead list legal? Usually the purchase is. But that’s the wrong question, because the risk was never in owning the list — it’s in using it. Between the TCPA’s per-message damages, CIPA’s per-violation penalties, and state privacy laws now policing how the data was gathered in the first place, contacting a list of strangers is one of the most exposed moves a contractor can make. Capturing homeowners who chose to visit you and consented on the record sidesteps the entire question. This article is general information, not legal advice.

FAQ

Frequently asked questions

Buying the list itself usually isn't illegal — data changes hands legally all the time. The legal risk lives in what you do with it. Calling or texting people who never agreed to hear from you can trigger the TCPA ($500–$1,500 per message, with a private right of action) and, in California, CIPA ($5,000 per violation). So the honest answer is: buying is often legal, contacting is where you get exposed. This is general information, not legal advice.