Market Intelligence for Lenders

What a Consent Certificate Proves

Acquire Borrowers · July 18, 2026

Why this matters before you ever pick up the phone

A purchased lead is not just a name and a phone number. Under the TCPA, it is either a phone number you have permission to call, or a phone number that can turn into a costly per-call lawsuit. The permission slip is called consent, and the paper trail proving you had it is called a certificate. Most lenders buying leads have heard the word "TrustedForm" on a vendor call and nodded along without ever asking what the certificate actually proves, or what it does not. This piece answers both.

What "prior express written consent" actually requires

The TCPA and the FCC's rules under it require prior express written consent before a business can call or text a wireless number using an automatic telephone dialing system or a prerecorded voice, for a telemarketing purpose. "Written" does not mean a signed paper form. It means a record, and the FCC accepts an electronic signature such as checking a box or clicking a submit button, as long as it also satisfies the federal E-SIGN Act (ActiveProspect, "The Complete TCPA Express Written Consent Checklist," published June 18, 2026, accessed 2026-07-18).

To count, the consent language shown to the consumer at the moment they submit their information has to do four things:

  1. Clearly disclose that the consumer is agreeing to receive calls or texts, and that those calls or texts may use an autodialer or a prerecorded voice.
  2. Name the specific business or businesses that will be calling.
  3. State plainly that giving consent is not a condition of buying anything.
  4. Capture a signature, which can be a checked box, a clicked button, or a typed name, so long as it is E-SIGN compliant.

(Same source.) If any one of those four is missing, weak, or buried below the fold, the consent language is likely to be challenged as defective, and defective consent is exactly what a TCPA plaintiff's firm goes looking for. A lender calling a purchased lead is relying entirely on whoever built that landing page having gotten these four things right. You were not in the room when the form was filled out. The certificate is how you find out what actually happened.

What a TrustedForm certificate captures

TrustedForm, built by ActiveProspect, is the industry-standard way vendors document that moment. When a consumer lands on a page with the TrustedForm script running, the platform documents the consumer data submitted, the time and date of the interaction, and the URL where the lead was generated (ActiveProspect, "TrustedForm Certificate: The Ultimate Guide," accessed 2026-07-18). It also logs each keystroke, mouse click, and action in real time as the person fills out the form, and it can produce a session replay, a visual playback of what the consumer actually did on the page (ActiveProspect, "TrustedForm" product page, accessed 2026-07-18). That combination is what makes it useful in a dispute. It is not a vendor's word that consent language was shown. It is a record of the page and the interaction itself.

Retention has a hard deadline that catches people off guard. By default, ActiveProspect stores a certificate for 90 days. If the buyer of that lead does not actively "retain" the certificate inside that window, using the separate Retain feature, it will be deleted forever with no possibility of ever retrieving it (same source). Retained certificates are kept for five years. In practice, this means a certificate a vendor shows you on the sales call is worthless as a document unless somebody, either the vendor or you, actually claims and retains it before the 90-day clock runs out. Ask which side of that transaction is responsible, and get the answer in writing before you buy in volume.

The one-to-one consent rule is dead. Here is what replaced it.

If you read anything about TCPA consent in the last two years, you probably ran into the one-to-one consent rule, the FCC requirement that a lead-gen consent had to name exactly one seller, and that a call or text following that consent had to be logically and topically associated with whatever interaction produced it. That rule is gone.

On January 24, 2025, the Eleventh Circuit decided Insurance Marketing Coalition v. FCC and vacated the rule outright, finding the FCC had exceeded its statutory authority by adding restrictions Congress never wrote into the TCPA (Morrison Foerster, "Eleventh Circuit Vacates FCC's TCPA One-to-One Consent Rule," published January 30, 2025). The FCC did not appeal. It deleted the vacated language and restored the prior consent standard. As of mid-2026, the practical result is that lead-generation consent has reverted to the pre-2023 baseline: prior express written consent, without the one-to-one restriction (ComplianceHub.Wiki, "The TCPA in 2026," published June 9, 2026).

Two things to hold onto here, because both cut against getting comfortable. First, the ground is still moving. On February 25, 2026, the Fifth Circuit held, in Bradford v. Sovereign Pest Control of TX, Inc., a case involving prerecorded calls to a wireless number, that the statute itself only requires prior express consent, not written consent, and that oral consent tied to clear, ongoing engagement can be enough (Holland & Knight, "TCPA Reset: Fifth Circuit Rejects 'Prior Express Written Consent' Rule," published March 2026; TCPABlog, "Fifth Circuit Finds FCC's Prior Express Written Consent Rule Exceeded Its Statutory Authority," published February 25, 2026). That ruling applies only inside the Fifth Circuit for now, and every other circuit still expects written consent. Second, the federal rule reverting does not mean every state did. More than 15 states run their own mini-TCPA statutes on top of the federal rule, and Florida and Oklahoma in particular still enforce their own one-to-one-style consent standards at the state level, vacated federal rule or not (theidudes.com, "Mini-TCPA State Laws Insurance Agencies Must Track in 2026," accessed 2026-07-18). A federal rule getting struck down is not the same as the risk going away in every state you lend in.

None of this is legal advice. The analysis above is current as of publication. Confirm the state and circuit specifics that apply to you with your own TCPA counsel before relying on any of it.

What the certificate proves, and what it does not

A TrustedForm certificate proves one thing well: that a specific consumer, at a specific time, on a specific page, submitted their information after being shown specific consent language. That is real, and it is the single most useful document you can have in hand if a borrower later claims they never agreed to be called.

It does not prove, and cannot prove, any of the following:

A consent certificate is documentary evidence that speaks directly to one specific claim: "I never agreed to be called." It does not resolve that claim on its own, a court or your counsel does that, but it is the record you would hand your attorney if that claim came up. It is not a compliance program, and any vendor who implies otherwise is wrong.

The questions to ask any lead vendor about consent

These extend the five questions from our vendor-questions piece with the consent-specific set.

  1. Does every lead come with a TrustedForm certificate, or an equivalent, attached to that specific lead, not a general statement that "we use TrustedForm"?
  2. Who is responsible for retaining the certificate past the 90-day default window, you or the vendor, and is that written into the agreement?
  3. Does the consent language the vendor's landing page actually shows meet all four FCC elements: clear disclosure, seller identification, no-purchase-condition, and a valid signature?
  4. Is the lead scrubbed against the National Do Not Call Registry before it is sold to you, and can the vendor show you that scrub happened?
  5. Does the vendor make any promise, written or verbal, that the certificate protects you against anything beyond the consent-was-captured question? If they say yes, that is the wrong answer, and it is worth walking away from.

This is not legal advice. It is a plain description of what a consent certificate is and is not, built from vendor documentation and the court decisions cited above, current as of publication. Talk to your own TCPA counsel before you change how you call purchased leads, and before you decide how much weight a certificate can actually carry in your specific states.

Every lead we sell will carry a TrustedForm consent certificate attached to that specific lead, qualified on a property under contract, exclusive to one buyer. We are new in this vertical, and we say so plainly: no track record yet. That is exactly why we are not asking you to buy 100 leads. Take ten at our cost, judge the leads, not the pitch, and if they miss your bar, you have lost nothing, and we have learned something worth more than the money.

Book a Strategy Call

More lender-side market intelligence · The offer and the qualification bar