Consent Resolve
Compliance & Privacy Blog

Why Lead Resellers Can't Tell You Where They Got the Info

The reason 'where did you get my info?' rattles contractors isn't the question — it's that a bought lead comes with no answer. Here's why chain of custody is the whole problem, and how consent-first fixes it.

By Tyler Spurlock, Account Manager at Consent Resolve 7 min readReviewed by Stefan Dimitrov, Head of Engineering

The question is a chain-of-custody test

When a homeowner replies to your follow-up with “where did you get my info?”, it feels like a question about you. It isn’t. It’s a question about the lead — specifically, whether anyone can trace how that person agreed to be contacted. And with a bought lead, the honest answer is usually: nobody can.

That’s the real reason the question rattles good contractors. It’s not stage fright. It’s that a purchased or shared lead genuinely comes with no clean answer, because you were never in the room when the consent was — or wasn’t — given. You’re being asked to prove something you were never handed the proof for.

Where a bought lead actually comes from

Think about the path a shared lead travels before it lands in your inbox. A homeowner filled out something, somewhere — a form on a site you’ve never seen, a “get quotes” widget, an offer that may or may not have mentioned your trade. That data gets packaged, sometimes passed through an aggregator or two, then sold to four or five contractors at once, you among them.

Now ask the question the homeowner just asked. Where did they agree to hear from you specifically? On which page, at what time, under what disclosure? The reseller can’t fully tell you, because the consent — if it existed — was collected under someone else’s banner, for someone else’s purpose. You inherited a consent claim you can’t inspect. The lead came with a story but no receipt, and now you’re the one being asked to produce it.

Here’s the part that turns an awkward moment into real risk: the law doesn’t care that a reseller told you the lead was consented. It cares whether you can prove it.

The TCPA governs calls and texts and carries $500 to $1,500 per message, and it lets recipients sue the business that contacted them — you — directly. California’s CIPA is mass-filed at $5,000 per violation over non-consented tracking. State privacy laws are moving the same way; Texas brought its first-ever enforcement suit under its data-privacy statute over information collected and sold without clear consent. In each of these, the burden of showing consent falls on the party doing the contacting. A reseller’s assurance is not evidence. Your own timestamped record is.

The clearest warning shot came from the FTC, which required Angi’s HomeAdvisor to pay a $7.2 million settlement tied to how it represented where its leads came from and what they were worth. When the origin of a lead is murky at the top of the chain, everyone downstream inherits the problem — and the contractor at the bottom is the one holding the bag with nothing to point to.

The tell: watch how a source answers “prove it”

You can spot the difference between a safe lead source and a risky one with a single question: show me the consent record for this specific person.

A reseller will hedge — “our leads are opted in,” “it’s all compliant,” “the homeowner requested quotes.” Notice what’s missing: a date, a time, a page, a receipt for this homeowner. General assurances about the pipeline aren’t the same as documentation for the individual you’re about to contact. If the source can’t produce the second thing, you can’t produce it either, which means you can’t answer the homeowner and you can’t answer a regulator.

That’s not a knock on any one company. It’s structural. A lead that’s been aggregated and resold has, by its nature, a chain of custody with gaps in it. You can’t buy your way to a receipt that was never created.

The fix isn’t a better reseller. It’s collecting the consent yourself, on ground you control. That’s the whole idea behind consent-first identification.

The homeowner visits your site and accepts your clear banner. That agreement is logged with a date and time and kept on a 7-year audit trail, and the receipt travels attached to the lead. There’s no unknown middle step, no third party’s word to trust, no aggregated origin you can’t reconstruct. When someone asks where you got their info, you’re reading back a fact you recorded firsthand: “You visited our site on Tuesday and accepted our consent banner at 2:14 p.m.”

A few things follow from doing it this way:

  • Only consented visitors ever become leads. If the homeowner didn’t accept the banner, they never enter your pipeline — so the un-provable cases simply don’t exist for you to explain.
  • The proof is yours, not borrowed. You’re not relying on a seller’s compliance claim; you’re holding your own timestamped record.
  • The chain of custody is unbroken. Consent on your site, logged at your source, delivered with the lead. Nothing to reconstruct after the fact.

The homeowner’s trust follows the same line

There’s a business cost to the broken chain of custody that lands long before any regulator does, and it shows up in the homeowner’s reaction. When a person asks where you got their info and you fumble — “we work with a few lead sources,” “you must have filled something out” — you’ve just told them you don’t actually know how you ended up contacting them. That’s unsettling in exactly the way it sounds. A homeowner who was curious becomes a homeowner who’s suspicious, and suspicion is a terrible starting point for a five-figure sale.

Now run the same moment with a firsthand record. “You visited our site Tuesday and accepted our banner at 2:14 — that’s when you opted in.” The homeowner hears a shop that keeps clean books, not a shady operation that bought their number. Nine times out of ten they relax, and you’re back to talking about their job. The same document that keeps you clear of a TCPA or CIPA claim is the one that makes you look like the professional you are in front of the customer. Chain of custody isn’t only a legal concept — it’s the difference between sounding like you know what you’re doing and sounding like you don’t.

Own the receipt, own the answer

The reason “where did you get my info?” is scary with bought leads is that the honest answer is “I don’t fully know” — and that’s also the answer that gets shops in legal trouble. Consent-first identification replaces the missing receipt with one you created yourself, so the question becomes a five-second lookup and the exposure goes away with it.

And because it was built to the strictest privacy bar out there — GDPR, whose maximum fine reaches €20 million or 4% of global revenue — the record you’d read to a curious homeowner is the same one that holds up if a regulator ever asks. One document does both jobs.

Capture leads on consent, keep the record, and follow up by email at a flat $7 per exclusive lead that’s yours alone and never resold. See how consent-first identification works, then look at what your current lead channels actually cost — in fees and in the exposure you can’t see on the invoice.

This article is educational, not legal advice. Talk to a qualified attorney about your specific situation.

FAQ

Frequently asked questions

Because by the time a shared or purchased lead reaches you, it may have passed through an aggregator, a form on a site you've never seen, or a list of unknown origin. The reseller is passing along a consent claim you can't inspect — and often they can't fully document it either. You're trusting their word, but you carry the liability.