TCPA Consent for Insurance Leads: Agency Compliance Checklist for Medicare and ACA Lead Buyers

A purchased lead may look simple: name, phone number, email, ZIP code, age, and interest in Medicare or ACA coverage. But if your agency cannot show where that lead came from, what disclosure the consumer saw, who the consumer authorized to contact them, when the consumer submitted the form, and whether the consumer later opted out, the lead can create risk long after the sale is made.

That is why TCPA consent should not be treated as a vendor checkbox. It should be treated as part of the agency’s compliance file.

This guide is for agency owners, compliance leaders, call-center managers, lead buyers, FMOs, IMOs, Medicare agencies, and ACA agencies that buy, generate, transfer, call, or text insurance leads.

This article is not legal advice. TCPA, state telemarketing, FTC, CMS, carrier, FMO, and Marketplace rules can overlap. Agencies should work with legal counsel on their specific calling, texting, lead-generation, and enrollment workflows.

The operational question is simple:

If the answer is “the lead vendor probably has that,” the agency has a compliance gap.

Regulatory quick map for insurance lead buyers

Here are the main rules and official sources agency leaders should know.

The point is not that every lead requires the same file. The point is that TCPA consent is only one layer. Medicare leads may also trigger TPMO, call recording, Scope of Appointment, disclaimer, and data-sharing rules. ACA leads may also trigger Marketplace consumer consent, application review documentation, SEP documentation, and 10-year record retention rules.

What TCPA prior express written consent requires

The TCPA rules are found at 47 CFR 64.1200. For many insurance lead programs, the most important definition is prior express written consent in 47 CFR 64.1200(f)(9).

Under that rule, prior express written consent means a written agreement bearing the signature of the person called. The agreement must clearly authorize the seller to deliver, or cause to be delivered, advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice. It must also identify the telephone number authorized for those messages. The rule requires a clear and conspicuous disclosure that the consumer authorizes the seller to deliver those telemarketing calls and that the consumer is not required to sign the agreement as a condition of purchasing goods or services. Electronic or digital signatures can qualify if recognized under applicable law.

For agencies, that means a lead record should be more than a name and phone number.

At minimum, the agency should be able to retrieve:

• the consumer’s name
• the phone number authorized
• the date and time of submission
• the form URL or source
• the exact consent disclosure shown to the consumer
• the seller or caller identity
• the electronic signature, checkbox, button click, call recording, or other submission evidence
• the no-condition-of-purchase disclosure
• the IP address or equivalent submission metadata, where available
• any revocation or opt-out history

A CRM field that says “TCPA: yes” is not the same as the underlying consent proof.

A vendor saying “our leads are compliant” is not the same as the agency being able to produce the consumer-level record.

The agency standard should be:

TCPA consent is not the same as Do Not Call compliance

Agencies sometimes assume that if they have consent, they do not need to worry about Do Not Call procedures. That is too simplistic.

The FCC’s rules include separate provisions for national Do Not Call and internal do-not-call procedures. Under 47 CFR 64.1200(c)(2), residential telephone numbers on the national do-not-call registry are protected unless an exception applies, such as a consumer’s prior express invitation or permission. The rule also describes a safe-harbor framework involving written procedures, training, maintaining records of numbers not to contact, accessing the national registry no more than 31 days before calls, and documenting that process.

The internal do-not-call rules in 47 CFR 64.1200(d) require written policies, training, recording do-not-call requests, honoring those requests within a reasonable time not exceeding 10 business days, and maintaining do-not-call records for five years. The rule also makes clear that if a do-not-call request is recorded or maintained by another party, the person or entity on whose behalf the call is made can still be liable if the request is not honored.

That last point is important for large agencies.

If your agency uses:

• a lead vendor
• a call center
• a dialer
• a CRM
• a text platform
• independent agents
• downline agents
• multiple FMOs or IMOs

then opt-outs can become scattered across systems.

The consumer does not care which system failed. The consumer only knows they asked not to be contacted.

Agencies should have a central suppression process that syncs opt-outs across lead vendors, dialers, CRMs, texting tools, call centers, and agents.

Consumers can revoke consent using reasonable methods

The current FCC rule at 47 CFR 64.1200(a)(10) says a called party may revoke prior express consent, including prior express written consent, using any reasonable method that clearly expresses a desire not to receive further calls or texts. The rule lists examples such as using an automated opt-out mechanism, replying with words like “stop,” “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe,” or using a website or telephone number designated for opt-outs. It also says all reasonable revocation requests must be honored within a reasonable time not exceeding 10 business days.

This creates a real operational issue for agencies.

A consumer may revoke consent by:

• replying “STOP” to a text
• telling an agent “do not call me”
• leaving a voicemail
• replying to an email
• submitting a website request
• calling the office
• complaining to the carrier
• complaining to CMS
• telling a call center representative they do not want further contact

The agency needs a process for capturing those revocations even when they occur outside the main CRM.

A strong agency policy should answer:

• Who logs verbal opt-outs?
• Where are text opt-outs stored?
• Are opt-outs from the dialer synced to the CRM?
• Are opt-outs from the CRM synced to the texting platform?
• Are lead vendors notified when a consumer opts out?
• Are agents prohibited from continuing outreach on personal phones?
• Are opt-outs honored across Medicare, ACA, ancillary, and life campaigns?
• Can leadership prove the opt-out was processed within the required timeframe?

This is why opt-out management should not be left to individual agents.

The one-to-one consent rule changed, but lead risk did not disappear

Many lead buyers followed the FCC’s proposed “one-to-one consent” changes because those changes would have affected comparison-shopping websites and lead generators. The FCC later conformed its rules to an Eleventh Circuit decision that vacated the revised version of 47 CFR 64.1200(f)(9) that had been adopted in the 2023 order. The Federal Register rule was effective August 29, 2025, and explains that the court’s mandate vacated the relevant rule change as of April 30, 2025.

Some agencies may hear that and conclude:

That is the wrong lesson.

The better lesson is:

Lead compliance still involves:

• TCPA prior express written consent
• national Do Not Call rules
• company-specific do-not-call rules
• state telemarketing laws
• FTC advertising and lead-generation standards
• Medicare TPMO requirements
• Medicare call recording rules
• ACA Marketplace consumer consent
• ACA application review documentation
• carrier compliance requirements
• FMO and IMO requirements
• complaint-response documentation

The one-to-one rule is only one piece of a much larger lead compliance picture.

TCPA consent is not ACA Marketplace consent

For ACA agencies, this is one of the most important points.

A lead form may create permission to call or text under TCPA rules. It does not automatically authorize an agent or broker to assist with a Marketplace application, submit an enrollment, update a consumer’s application, estimate income, request a Special Enrollment Period, or change coverage.

ACA Marketplace consent is addressed separately under 45 CFR 155.220(j)(2)(iii). That rule requires agents, brokers, and web-brokers assisting with Federally-facilitated Exchange enrollment or APTC/CSR applications to obtain and document consumer consent before assisting with or facilitating enrollment or helping the individual apply for advance premium tax credits or cost-sharing reductions. The documentation must involve an action by the consumer or authorized representative that produces a record, such as a signature, recorded verbal confirmation, written response, electronic response, or other method specified by HHS.

The consent documentation must include:

• scope
• purpose
• duration
• date consent was given
• name of the consumer or authorized representative
• name of the agent, broker, web-broker, or agency being granted consent
• a process for rescinding consent

The rule also requires that this documentation be maintained for at least 10 years and produced upon request in response to monitoring, audit, or enforcement activity.

That is very different from TCPA consent.

TCPA consent answers:

ACA Marketplace consent answers:

Those are not the same question.

For a deeper breakdown, use the guide to ACA consumer consent vs. application review. For agencies, FMOs, IMOs, brokerages, and broker networks standardizing this across a downline, the ACA consent platform for agencies gives agents personal consent links, QR codes, application-review records, SEP document storage, Marketplace notices, and exportable files.

ACA application review documentation is also separate

ACA agencies also need to distinguish consumer consent from application review documentation.

Under 45 CFR 155.220(j)(2)(ii), agents, brokers, and web-brokers must document that eligibility application information was reviewed by the consumer or authorized representative and confirmed to be accurate before submission. Acceptable documentation can include a consumer signature, recorded verbal confirmation, written or electronic response, or other HHS-specified method. The required documentation must include the date reviewed, the consumer or authorized representative’s name, an explanation of the attestations at the end of the eligibility application, and the name of the assisting agent, broker, or web-broker. This documentation must also be maintained for at least 10 years.

This matters when an agency buys ACA leads.

A purchased ACA lead may include:

• phone number
• email
• income estimate
• household size
• ZIP code
• tobacco status
• immigration status
• Medicaid status
• employer coverage information
• desired plan type

But the agency still needs the consumer or authorized representative to review and confirm eligibility application information before submission.

The agency should not treat lead-form data as automatically verified application data.

For agency leaders, the control should be:

For year-round ACA operations beyond lead intake, pair this article with ACA compliance and Marketplace operations and the field guide to ACA SEPs in 2026.

CMS is increasing ACA marketing and consent scrutiny

The 2027 HHS Notice of Benefit and Payment Parameters Final Rule adds another reason agencies should take lead-source records seriously.

CMS finalized stronger marketing rules for agents, brokers, and web-brokers assisting consumers with enrollment through the federal platform and State-based Exchanges on the federal platform. CMS identified prohibited marketing examples involving cash, monetary rebates, cash equivalents, misleading claims that consumers will always qualify for zero-dollar insurance or premiums, and misstatements about enrollment timelines and deadlines. CMS also finalized requirements for timely production of marketing materials for monitoring, audit, and enforcement purposes.

CMS also finalized that agents, brokers, and web-brokers must use the HHS-approved form for eligibility application review documentation and consumer consent documentation for enrollments for plan years beginning on or after January 1, 2028.

This means ACA lead buyers should not review only the TCPA disclosure.

They should also review:

• the ad
• the landing page
• the lead form
• the transfer script
• the call script
• the subsidy language
• the zero-dollar premium language
• the cash, rebate, or giveaway language
• the enrollment deadline language
• the consumer consent workflow
• the application review workflow

A lead can be “callable” and still create ACA Marketplace compliance risk.

ACA unauthorized enrollment activity changed the risk environment

ACA lead programs also operate against the backdrop of CMS’s unauthorized enrollment and plan-switching enforcement activity.

CMS reported that from January through August 2024, it received 183,553 complaints that consumers were enrolled in Federally-facilitated Marketplace coverage without consent and 90,863 complaints that consumers had their FFM plan changed without consent. CMS also reported suspending 850 agents’ and brokers’ Marketplace Agreements from June through October 2024 for reasonable suspicion of fraudulent or abusive conduct related to unauthorized enrollments or unauthorized plan switches.

CMS also implemented a system change beginning July 19, 2024, blocking an agent or broker from making changes to a consumer’s FFM enrollment unless that agent or broker is already associated with the consumer’s enrollment. If the consumer wants to work with a different agent or broker, additional steps are required, such as a three-way call with the Marketplace Call Center or consumer action through approved pathways.

For ACA agencies, this means lead buying should be connected to an authorization workflow.

Before an agent works an ACA lead, the agency should know:

• Did the consumer authorize the agency to assist with Marketplace coverage?
• Is the consumer already enrolled?
• Is the agency or agent associated with the consumer’s FFM enrollment?
• Is a three-way call or consumer action required before changes can be made?
• Was consumer consent documented under 45 CFR 155.220(j)(2)(iii)?
• Was application review documented under 45 CFR 155.220(j)(2)(ii)?
• Is SEP authorization documented if the lead is outside Open Enrollment?
• Can the agency produce the file if CMS, a carrier, or the consumer asks?

A generic lead certificate will not answer those questions.

TCPA consent is not Medicare TPMO consent

Medicare lead buying creates a different layer of compliance.

CMS defines a Third-Party Marketing Organization, or TPMO, at 42 CFR 422.2260 for Medicare Advantage and 42 CFR 423.2260 for Part D. The definition includes organizations and individuals, including independent agents and brokers, compensated to perform lead generation, marketing, sales, and enrollment-related functions as part of the chain of enrollment.

That definition matters because many agencies think “TPMO” means only big call centers or lead companies.

In practice, Medicare agencies, independent agents, lead vendors, call centers, and referral partners may fall within the TPMO framework if they are compensated for lead generation, marketing, sales, or enrollment functions in the Medicare enrollment chain.

Under 42 CFR 422.2274(g), MA organizations must ensure TPMOs disclose subcontracted relationships used for marketing, lead generation, and enrollment. They must also ensure that marketing and sales calls, including the audio portion of web-based calls, are recorded and retained for a minimum of six years. For the first three years, records must be kept in audio format; for years four through six, records may be kept as audio or complete and accurate transcripts.

The same Medicare lead may therefore require:

• TCPA consent
• DNC scrubbing
• opt-out tracking
• TPMO disclosure
• call recording
• Scope of Appointment
• plan-fit documentation
• TPMO disclaimer
• beneficiary data-sharing consent

Those are separate requirements. For call-recording timing and storage, see Medicare call recording retention. For SOA workflow context, see Medicare Scope of Appointment and written SOA for in-person Medicare appointments.

Medicare lead generation has its own disclosure rules

Under 42 CFR 422.2274(g)(3), when a TPMO conducts lead-generating activities directly or indirectly for a Medicare Advantage organization, it must disclose, when applicable, that the beneficiary’s information will be provided to a licensed agent for future contact. The disclosure must be provided verbally when communicating by phone, in writing when communicating by mail or paper, and electronically when communicating by email, online chat, or other electronic messaging platform. The rule also requires disclosure when the beneficiary is being transferred to a licensed agent who can enroll them into a new plan.

The parallel Part D provision is found at 42 CFR 423.2274(g).

For agencies, this affects lead-source review.

Before buying Medicare leads, ask the vendor:

• Was the consumer told their information would be provided to a licensed agent?
• Was the disclosure made in the same channel used to collect the lead?
• If the lead was a warm transfer, was the consumer told they were being transferred to a licensed agent who could enroll them?
• Can the vendor produce the disclosure and timestamp for a specific consumer?
• Was the disclosure retained with the lead record?

A Medicare lead vendor should be able to provide more than a spreadsheet.

Medicare TPMO data sharing requires specific consent

Beginning October 1, 2024, 42 CFR 422.2274(g)(4) restricts sharing personal beneficiary data collected by a TPMO for marketing or enrollment into a Medicare Advantage plan with another TPMO unless the beneficiary gives prior express written consent. The rule requires a clear and conspicuous disclosure that lists each entity receiving the data and allows the beneficiary to consent or reject sharing with each individual TPMO.

The Part D version appears at 42 CFR 423.2274(g)(4) and applies to personal beneficiary data collected by a TPMO for marketing or enrollment into a Part D plan.

This is a major issue for large agencies and lead networks.

It affects:

• shared leads
• resold leads
• warm transfers
• lead aggregators
• lead buyers
• call centers
• downline agencies
• FMOs
• IMOs
• routing to multiple agents

The agency should not simply ask, “Did the consumer consent to be contacted?”

The agency should also ask:

And:

Medicare TPMO disclaimers should be part of lead review

Medicare TPMO disclaimer requirements are found in 42 CFR 422.2267(e)(41) for Medicare Advantage and 42 CFR 423.2267(e)(41) for Part D.

The rules provide standardized disclaimer language depending on whether the TPMO sells for all organizations in the service area. The rule also states that the disclaimer must be verbally conveyed during sales calls before discussion of benefits, electronically conveyed in email, online chat, or other electronic communications, prominently displayed on TPMO websites, and included in marketing materials, including print and television advertisements.

For agencies buying Medicare leads, this means compliance review should include:

• landing pages
• websites
• call scripts
• email templates
• online chat
• SMS workflows
• print materials
• television ads
• lead-vendor pages
• agent microsites

If the lead vendor generated the lead through a Medicare-related website or ad, the agency should know whether the required disclaimer appeared where it should have appeared.

For broader Medicare rule changes that affect SOAs, call recordings, disclaimers, and event workflows, see CMS 2027 Medicare rule changes for agents.

The FTC is watching healthcare lead generation

Lead compliance is not only a TCPA issue and not only a CMS issue.

In December 2024, the FTC announced warning letters to 21 companies that market or generate sales leads for healthcare plans, including ACA Marketplace coverage and other healthcare-related products. The FTC said the letters provided guidance and put companies on notice about deceptive or unfair claims that likely violate laws enforced by the agency.

This matters because many health insurance leads are generated through aggressive ad claims, such as:

• “free health insurance”
• “$0 health plans”
• “claim your government benefit”
• “get a spending card”
• “new subsidy available”
• “you qualify”
• “final deadline”
• “no-cost coverage”
• “act now before benefits end”

Some claims may be accurate in narrow contexts. But if the overall impression is misleading, the agency may inherit complaint risk even if a vendor created the ad.

A lead-source review should therefore include two separate questions:

1. Did the consumer give valid contact consent?
2. Was the ad or landing page truthful and not misleading?

Both matter.

What agencies should require from lead vendors

A lead vendor’s statement that “all leads are TCPA compliant” is not enough.

Agency leaders should require consumer-level proof.

For each lead, the vendor should be able to provide:

• lead source
• campaign name
• form URL
• ad creative
• landing page screenshot or archive
• exact consent language
• timestamp
• IP address or equivalent metadata
• consumer phone number
• consumer email address
• electronic signature or submission event
• identity of the seller or caller authorized
• whether the lead was exclusive, shared, aged, or resold
• DNC scrub process
• opt-out process
• subcontractor list
• Medicare TPMO disclosure, if applicable
• Medicare TPMO data-sharing consent, if applicable
• ACA Marketplace consent workflow, if applicable
• ACA application review workflow, if applicable
• proof-retrieval turnaround time

The most important operational question is:

If the answer is no, the agency should treat that as a red flag.

Agency checklist: what to store before calling or texting insurance leads

Before importing leads into a CRM, dialer, text platform, or agent workflow, the agency should confirm the following.

1. Lead-source documentation

Store:

• vendor name
• source URL
• campaign ID
• ad creative
• landing page
• lead form
• consent disclosure
• timestamp
• IP address or equivalent metadata
• consumer phone number
• consumer email address
• product interest
• lead age
• shared, exclusive, or resold status

Why: TCPA prior express written consent depends on the consumer’s written agreement, disclosure, signature, authorized phone number, and seller authorization. The agency needs the underlying evidence, not just a CRM field.

2. TCPA consent documentation

Store:

• exact prior express written consent language
• no-condition-of-purchase disclosure
• seller identity
• phone number authorized
• date and time of consent
• electronic signature or submission event
• record of consent revocation, if any
• proof that the consent can be produced later

Why: 47 CFR 64.1200(f)(9) defines the required elements of prior express written consent.

3. Do Not Call and opt-out controls

Store:

• national DNC scrub records
• company-specific DNC list
• opt-out requests
• revocation requests
• text STOP logs
• verbal opt-out notes
• email unsubscribe records
• suppression-list updates
• proof that requests were honored within the required timeframe

Why: The FCC’s rules require national DNC procedures, written internal DNC policies, personnel training, recording do-not-call requests, honoring requests within the required time, and maintaining DNC records.

4. ACA-specific documentation

For ACA leads, store:

• Marketplace consumer consent
• scope, purpose, and duration of consent
• date consent was given
• consumer or authorized representative name
• agent, broker, web-broker, or agency granted consent
• rescission process
• application review documentation
• date application information was reviewed
• explanation of attestations
• SEP authorization and documentation, if applicable
• records retained for at least 10 years

Why: 45 CFR 155.220(j)(2)(ii) and 45 CFR 155.220(j)(2)(iii) require consumer consent and application review documentation, including 10-year retention and production upon request.

5. Medicare-specific documentation

For Medicare leads, store:

• TPMO disclosure
• licensed-agent future-contact disclosure
• warm-transfer disclosure
• TPMO data-sharing consent, if applicable
• entity list showing each TPMO receiving data
• call recording
• Scope of Appointment
• TPMO disclaimer evidence
• plan-fit notes
• complaint-response notes

Why: Medicare Advantage and Part D rules define TPMOs broadly and impose lead-generation, data-sharing, disclaimer, and call-recording requirements.

If your Medicare SOAs, recordings, ACA records, and enrollment files are scattered across systems, the article on Medicare SOA and call recording storage when leaving an FMO explains why portability and retrieval matter after a vendor, FMO, or platform relationship changes.

Red flags when buying Medicare or ACA leads

Agency leaders should slow down when a vendor says or does any of the following:

• “We cannot provide the exact consent language.”
• “We only provide proof if there is a lawsuit.”
• “The leads are TCPA compliant, but we do not provide lead certificates.”
• “The consumer agreed to hear from our partners.”
• “We use a partner list, but we cannot show who was on it when the consumer submitted.”
• “The lead has been sold before, but it is still good.”
• “We do not store landing page screenshots.”
• “We do not disclose subcontractors.”
• “We do not provide ad creative.”
• “We cannot show opt-out history.”
• “We do not know whether the lead is ACA or Medicare.”
• “We do not know whether the consumer was already enrolled.”
• “We cannot produce proof within 24 to 72 hours.”
• “Agents can text from their own phones.”
• “Opt-outs are handled by each agent individually.”

These are not just marketing issues. They are recordkeeping and supervision issues.

Agency SOP before launching a lead campaign

Before launching a Medicare or ACA lead campaign, leadership should require a pre-launch review.

Step 1: Review the offer

Ask:

• What is being promised?
• Does the ad imply government affiliation?
• Does the ad suggest everyone qualifies for $0 coverage?
• Are cash, rebates, gift cards, or cash equivalents mentioned?
• Are deadlines accurate?
• Are Medicare benefits or ACA subsidies described accurately?
• Is the offer appropriate for the product being marketed?

Regulatory anchor: CMS’s 2027 Payment Notice Final Rule identifies examples of prohibited Marketplace marketing practices involving cash, monetary rebates, cash equivalents, misleading zero-dollar claims, and deadline misstatements.

Step 2: Review the TCPA consent

Ask:

• Does the disclosure identify the seller?
• Does it authorize calls or texts to the consumer’s number?
• Does it include required no-condition-of-purchase language?
• Does the consumer take an action that creates a record?
• Is the signature electronic, digital, recorded, or otherwise documented?
• Can the agency retrieve the proof later?

Regulatory anchor: 47 CFR 64.1200(f)(9) defines prior express written consent.

Step 3: Review opt-out handling

Ask:

• How are STOP replies captured?
• How are verbal opt-outs captured?
• How are voicemail opt-outs captured?
• How are email opt-outs captured?
• Are opt-outs synced to all systems?
• Are opt-outs honored within 10 business days?
• Are company-specific DNC records maintained for five years?

Regulatory anchor: 47 CFR 64.1200(a)(10) and 47 CFR 64.1200(d) address revocation and internal do-not-call procedures.

Step 4: Review Medicare TPMO issues

Ask:

• Is the vendor a TPMO?
• Is the agency a TPMO?
• Are beneficiaries told their information will be provided to a licensed agent?
• Are warm transfers disclosed?
• Is beneficiary data shared with another TPMO?
• If so, is there prior express written consent listing each receiving TPMO?
• Are marketing and sales calls recorded and retained?
• Is the TPMO disclaimer used where required?

Regulatory anchor: 42 CFR 422.2260, 42 CFR 422.2274(g), 42 CFR 422.2267(e)(41), and the corresponding Part D rules in 42 CFR Part 423 Subpart V.

Step 5: Review ACA Marketplace issues

Ask:

• Is this lead being used for Marketplace enrollment?
• Has consumer consent been obtained and documented?
• Has the consumer reviewed and confirmed application information?
• Is the agency retaining the documentation for 10 years?
• Is the consumer already enrolled?
• Is the agent associated with the consumer’s FFM enrollment?
• Is a three-way call or consumer action needed?
• Is SEP authorization documented if applicable?

Regulatory anchor: 45 CFR 155.220(j)(2)(ii), 45 CFR 155.220(j)(2)(iii), CMS’s July 2024 FFM system-change announcement, and CMS’s 2024 unauthorized enrollment enforcement update.

What agency owners should review weekly during AEP and OEP

Agency leaders should not review only sales volume.

During Medicare AEP or ACA OEP, leadership should review:

• leads purchased by vendor
• lead age
• consent-proof availability
• invalid or missing consent records
• national DNC scrub exceptions
• internal DNC requests
• text STOP replies
• opt-out processing time
• complaints by vendor
• complaints by agent
• complaints by campaign
• ACA enrollments missing consumer consent
• ACA enrollments missing application review documentation
• Medicare calls missing recordings
• Medicare leads missing TPMO disclosures
• warm transfers missing required documentation
• average time to produce a complete lead file

The goal is not to slow down production. The goal is to prevent growth from creating invisible compliance gaps.

If a lead source produces high volume but also produces complaints, missing consent records, or poor retrieval rates, leadership should know before a carrier, CMS, FTC, state DOI, or plaintiff’s attorney asks for the file.

The agency compliance file: what should exist for every lead

A strong agency lead file should be able to answer five questions.

1. Where did the lead come from?

The file should show the vendor, source, campaign, form, landing page, ad, date, and time.

2. What did the consumer see?

The file should show the actual disclosure, offer, ad claim, form language, and any Medicare or ACA-specific language.

3. What did the consumer authorize?

The file should show TCPA consent, Marketplace consent, Medicare contact permission, TPMO data-sharing consent, or other authorization that applies to the workflow.

4. What happened after the lead was received?

The file should show calls, texts, transfers, recordings, opt-outs, SOAs, application review records, and enrollment activity.

5. Can the agency produce the file?

The file should be retrievable by consumer, phone number, agent, vendor, campaign, date, and enrollment.

That is the difference between a sales database and a compliance file.

A sales database helps agents sell.

A compliance file helps the agency prove what happened.

Large agencies need both.

Final checklist: TCPA consent for Medicare and ACA lead buyers

Use this before importing leads into your CRM, dialer, text platform, or agent workflow.

Lead source

• Vendor identified
• Campaign identified
• Landing page stored
• Ad creative stored
• Lead form stored
• Lead age documented
• Exclusive/shared/resold status documented
• Subcontractors disclosed
• Proof retrieval SLA confirmed

TCPA consent

• Exact consent language stored
• Seller identity reviewed
• Consumer phone number tied to consent
• Timestamp stored
• IP address or equivalent metadata stored
• Electronic signature or submission event stored
• No-condition-of-purchase disclosure included
• Revocation process documented
• Consent proof retrievable by consumer

Do Not Call and opt-out

• National DNC process documented
• Company-specific DNC policy documented
• Personnel trained on DNC process
• Text opt-outs captured
• Verbal opt-outs captured
• Email opt-outs captured
• Suppression lists synced across systems
• Opt-outs honored within required timeframe
• DNC records retained

Medicare-specific

• TPMO status reviewed
• Licensed-agent future-contact disclosure reviewed
• Warm-transfer disclosure reviewed
• TPMO data-sharing consent reviewed
• Receiving TPMOs specifically listed where required
• Call recording workflow confirmed
• Six-year call recording retention workflow confirmed
• TPMO disclaimer placement reviewed
• Scope of Appointment workflow confirmed
• Complaint file workflow confirmed

ACA-specific

• ACA ad claims reviewed
• Zero-dollar premium language reviewed
• Cash/rebate/cash-equivalent language reviewed
• Enrollment deadline language reviewed
• Marketplace consumer consent documented
• Application review documentation captured
• SEP authorization documented when applicable
• Consumer contact information belongs to consumer
• Records retained for at least 10 years
• NPN/agent association workflow confirmed

Agency oversight

• Compliance owner assigned
• Vendor contract reviewed
• Vendor proof SLA defined
• QA sampling process created
• Complaint escalation process documented
• Agent offboarding record policy created
• Records stored outside individual agent control
• Weekly AEP/OEP dashboard created
• Leadership reviews missing-record exceptions

Closing

Insurance agencies do not lose control of compliance all at once. They lose it one disconnected record at a time.

One vendor has the lead form.

One dialer has the call.

One CRM has the notes.

One agent has the text thread.

One FMO has the recording.

One carrier has the enrollment.

One consumer files the complaint.

By the time leadership needs to prove what happened, the evidence is scattered.

That is why TCPA consent should not be treated as a marketing checkbox. For Medicare and ACA agencies, it should be part of the agency’s compliance file.

The agencies that scale safely will not be the ones that simply buy more leads. They will be the ones that can prove where each lead came from, what the consumer agreed to, how the agency contacted them, what Medicare or ACA rules also applied, and what happened next.

Sources

• 47 CFR 64.1200 - Delivery restrictions: eCFR Accessed 2026-06-15.
• Federal Register: FCC conforming rule after Insurance Marketing Coalition v. FCC: Federal Register Accessed 2026-06-15.
• 42 CFR 422.2260 - Medicare Advantage communication definitions: eCFR Accessed 2026-06-15.
• 42 CFR 423.2260 - Part D communication definitions: eCFR Accessed 2026-06-15.
• 42 CFR 422.2274 - Medicare Advantage agent, broker, and TPMO requirements: eCFR Accessed 2026-06-15.
• 42 CFR 423.2274 - Part D agent, broker, and TPMO requirements: eCFR Accessed 2026-06-15.
• 42 CFR 422.2267 - Medicare Advantage required materials and content: eCFR Accessed 2026-06-15.
• 42 CFR 423.2267 - Part D required materials and content: eCFR Accessed 2026-06-15.
• 45 CFR 155.220 - Agents, brokers, and web-brokers in Exchanges: eCFR Accessed 2026-06-15.
• HHS Notice of Benefit and Payment Parameters for 2027 Final Rule: Centers for Medicare & Medicaid Services Accessed 2026-06-15.
• CMS Update on Actions to Prevent Unauthorized Agent and Broker Marketplace Activity: Centers for Medicare & Medicaid Services Accessed 2026-06-15.
• CMS Statement on System Changes to Stop Unauthorized Agent and Broker Marketplace Activity: Centers for Medicare & Medicaid Services Accessed 2026-06-15.
• Agent, Broker, and Web-broker Guidelines for Compliant Marketplace Advertising and Marketing: Centers for Medicare & Medicaid Services Accessed 2026-06-15.
• Consumer Consent and Application Review Requirements FAQ: Centers for Medicare & Medicaid Services Accessed 2026-06-15.
• FTC Staff Sends Warning Letters to Healthcare Plan Marketers and Lead Generators: Federal Trade Commission Accessed 2026-06-15.

Frequently Asked Questions

Is TCPA consent the same as Do Not Call compliance?

No. TCPA prior express written consent and Do Not Call compliance are related but separate controls. Agencies should be able to prove consent, DNC scrubbing, company-specific opt-outs, revocation handling, and internal suppression procedures.

Is TCPA consent the same as ACA Marketplace consumer consent?

No. TCPA consent generally addresses permission to call or text. ACA Marketplace consumer consent is a separate record authorizing an agent, broker, web-broker, or agency to assist with Marketplace enrollment or APTC and CSR application activity.

Can an ACA lead form replace application review documentation?

No. ACA application review documentation is separate. The consumer or authorized representative must review and confirm the accuracy of eligibility application information before submission, and the agency should retain the required record.

Do Medicare leads trigger TPMO requirements?

They can. CMS defines TPMOs broadly to include compensated lead generation, marketing, sales, and enrollment functions in the Medicare enrollment chain, including independent agents and brokers.

What should agencies ask lead vendors for?

Agencies should ask for consumer-level proof: source, campaign, ad creative, landing page, exact disclosure, timestamp, phone number, seller identity, submission event, DNC and opt-out process, subcontractors, and Medicare or ACA-specific proof when applicable.