Consent Resolve
Feature Deep-Dive Blog

Which Privacy Laws Actually Require You to Prove Lead Consent?

The TCPA, CIPA, and state privacy laws each govern a different piece of how you contact leads — but they converge on one question you'd better be able to answer: can you prove the person agreed?

By Tyler Spurlock, Account Manager at Consent Resolve 7 min read

Four laws, one question

Ask a busy contractor which privacy law they need to worry about and you’ll usually get a blank look, or a guess. It’s a fair confusion — there isn’t one law. There are several, they overlap, and they each govern a different slice of what happens between a homeowner landing on your site and you following up.

Here’s the shortcut that cuts through it. However many statutes apply, they all end up asking the same practical question: can you prove the person agreed? Get comfortable answering that once, cleanly, and you’ve handled the part that matters across every one of them. Let me walk through who’s asking and why one record answers them all. (This is background, not legal advice — for your specific situation, talk to your own counsel.)

The TCPA: how you call and text

The TCPA — Telephone Consumer Protection Act — is the one most contractors have half-heard of. It governs calls and texts, and it’s why cold-dialing a number you bought off a list is genuinely risky. The law cares whether the person consented to be contacted that way, and the penalties are per-violation, which adds up fast.

The relevant point for lead-buying: a phone number with no consent behind it isn’t a fast lead, it’s a TCPA question waiting to happen. This is a large part of why consent-first identification delivers email-grade leads you follow up with by email — not phone numbers to cold-call. You’re not tiptoeing around the TCPA; you’re operating outside the behavior it targets.

CIPA and state wiretap laws: how you track

CIPA — California’s Invasion of Privacy Act — and its counterparts in other states were written for wiretapping, but plaintiffs have applied them to website tracking technology. The theory is that certain tracking without consent is like eavesdropping on the visitor.

You don’t have to litigate that theory to draw the practical lesson: how you identify a visitor matters, and doing it before they’ve agreed is where the exposure lives. Consent-first flips the order deliberately — a visitor is only identified after they accept a clear banner, and that acceptance is logged. The consent isn’t an afterthought bolted onto tracking; it’s the gate that has to open first.

TDPSA, CCPA, and the comprehensive state laws: how you collect and use data

Then there’s the newer wave of comprehensive privacy statutes — Texas’s TDPSA, California’s CCPA, and a growing list of others. These govern the collecting, using, and selling of personal data more broadly, and enforcement is real. Texas has been especially active; its attorney general sued Allstate and its data subsidiary Arity over collecting and selling driving data without proper consent — a signal that data collected without a clear basis is a live enforcement target.

For a contractor, the message is the same one in a different key: it’s not enough to have the data. You need a lawful basis for holding and using it, and consent is the cleanest one to point to.

Why one record answers all of them

Here’s the part that makes this manageable instead of overwhelming. You might expect four laws to mean four compliance files, four processes, four things to get wrong. They don’t. Because the through-line is proof of consent, a single well-formed record does most of the work no matter which statute is asking.

A consent record captures the three facts every one of these regimes cares about: who agreed, what they agreed to, and when. The TCPA wants to know they consented to contact. CIPA-style claims turn on whether identification happened with permission. The comprehensive laws want a basis for the data. One timestamped receipt — written the moment the visitor accepts the banner and attached to that lead from then on — speaks to all of them. You’re not managing four regimes. You’re keeping one artifact that satisfies the question underneath all four.

What this means for how you get leads

  • Match the contact method to the consent. Consent-first leads are email-grade for a reason — email into your own funnel keeps you clear of the call-and-text rules the TCPA polices.
  • Consent before identification, not after. The order of operations is the whole point. A visitor becomes a lead only after they’ve agreed, so the tracking question never gets ahead of the permission.
  • Keep the record per-lead. A blanket privacy policy isn’t proof for a specific homeowner. What answers a regulator is a receipt tied to that person, on that date.
  • Don’t try to memorize the statutes — hold the proof. You won’t out-lawyer every state law from a job site. You will be fine if every lead you touched arrived with its consent already recorded.

The laws will keep multiplying and evolving. The demand underneath them won’t change: show that the person agreed. Consent-first identification is built so that answer is already on file for every lead — a flat $7, exclusive to you, with the receipt written before anyone thinks to ask for it. See how it works on the feature page.

FAQ

Frequently asked questions

It depends on how you contact them and where they live. The TCPA governs calls and texts nationwide, CIPA and similar state wiretap laws govern how visitors are tracked, and comprehensive statutes like the Texas TDPSA and California's CCPA govern collecting and using personal data. A single lead can touch several of these at once.