TCPA, Consent, and Quiet Hours: The Compliance Questions to Ask Any Lead Vendor
Published July 4, 2026 · Mortgage Connect Pro
Before you buy mortgage leads from anyone, five compliance questions tell you most of what you need to know: How is the consumer's express written consent captured, and what does it say? Is that consent stored on each lead and retrievable on demand? Do automated texts and emails respect quiet hours in the consumer's time zone? How fast, and how broadly, are opt-outs honored? And how long are the records kept? A vendor with real answers protects you; a vendor with vague ones transfers their risk to your phone lines.
To be explicit up front: this is an operational checklist from a lead generation company, not legal advice. Telemarketing law is complicated, actively litigated, and periodically rewritten by regulators and courts. What follows is what a careful buyer should ask. Your own obligations are a conversation for a qualified attorney.
Why the buyer carries the risk
Here's the asymmetry that makes these questions worth twenty minutes of a sales call: when follow-up to a purchased lead draws a complaint or a claim, the calls and texts came from you. The vendor generated the lead; you did the outreach. Whatever indemnities your contract contains, the practical first line of defense is documentation: proof the consumer consented, proof of when and how they were contacted, proof contact stopped when they said stop.
All of that documentation lives (or doesn't) in the vendor's infrastructure. Which is why compliance is a purchasing criterion, not a legal department afterthought.
Question 1: How is consent captured, and what does it say?
Ask the vendor to show you the actual consumer experience: the form, the disclosure, the checkbox or signature moment. You're looking for prior express written consent (the consumer agreeing, in writing, before any contact, to receive calls and texts) with disclosure language that plainly covers the kind of outreach that will actually happen, including automated texts.
Also ask who the consent names. Consent language and the rules around it have been a moving target in recent years. Regulators and courts have gone back and forth on how specifically the consenting consumer must be told who will contact them. A vendor paying attention can tell you exactly what their current language says and why. A vendor who waves at "industry standard consent" is telling you they haven't read their own form lately.
Question 2: Is consent stored per lead, and can you pull it?
A compliant form is worth little if the record of what this consumer agreed to, and when, can't be produced later. The standard to look for: consent captured and stored on the lead record itself (text of the disclosure, timestamp, source page), retrievable for any individual lead, on demand, for as long as the retention policy runs.
The test question: "If I need the consent record for a lead you sold me eight months ago, what happens?" The right answer is a lookup, not a research project. This is how we build it at Mortgage Connect Pro: consent lives on the lead's own record, next to its event history, because the moment anyone needs that record, they need it specifically and quickly.
See exactly how your leads would be delivered
Twenty minutes, live screens, per-market pricing in writing, and a straight answer if your market is full.
Book a callQuestion 3: Do quiet hours apply to the automation?
Federal telemarketing rules restrict outreach to a daytime window (commonly described as 8 a.m. to 9 p.m. in the consumer's local time), and a number of states layer narrower windows and their own registries on top. Humans making calls can mind the clock. The exposure is in automation: the follow-up sequence that fires a text at 5 minutes after submission doesn't know it's 11:40 PM where the borrower lives unless someone built it to know.
So ask precisely that: "If a lead comes in at midnight, when does your automated first text go out?" The right answer involves the message holding until the window opens in the consumer's time zone, automatically. If the vendor has never thought about it, their automation is generating your risk on a schedule.
Question 4: What happens on opt-out?
When a consumer replies "stop" (or words to that effect), three things should be true, and you should ask about each:
- Speed. Suppression should be effectively immediate for automated outreach. Regulators have moved toward requiring opt-outs to be honored quickly, and "the sequence had two more messages queued" is not a sentence you want to say later.
- Breadth. The suppression should apply platform-wide, across every sequence and every channel, not just the one thread the consumer replied to.
- Record. The opt-out should be a timestamped event on the lead's timeline, so the moment contact stopped is provable, not remembered.
Question 5: What's kept, and for how long?
Ask what's retained and for how long: consent records, message logs, opt-out events. Claims can arrive well after the outreach they concern; records that expired before the claim did are the same as no records. You don't need the vendor to recite a statute of limitations; you need a retention policy that exists, is written down, and comfortably outlasts the follow-up activity it documents.
Reading the answers
Grade vendors the way you'd grade any operations claim: specificity wins. "Our platform enforces quiet hours by consumer time zone, opt-outs suppress globally in real time, and every lead carries its consent text and full event log" is a checkable set of statements. "We're fully TCPA compliant" is a mood. And notice which vendors bring these subjects up before you do: the ones who built the machinery generally like talking about it.
The bottom line
You can't outsource outreach risk, but you can buy from vendors whose infrastructure shrinks it: written consent captured at the source, stored per lead and retrievable in seconds, quiet hours enforced by the automation itself, opt-outs honored instantly and everywhere, records kept long enough to matter. Ask the five questions and insist on specifics. For what the law requires of you in particular, ask an attorney, not a lead vendor.
FAQ
What is TCPA consent for mortgage leads?
The Telephone Consumer Protection Act is the federal law governing calls and texts to consumers. For marketing outreach of the kind lead follow-up involves, the safest standard is prior express written consent: the consumer agreeing in writing, before contact, to receive calls or texts. What specifically requires which level of consent is a legal question; documenting consent on every lead is the operational one.
What are quiet hours under telemarketing rules?
Federal telemarketing rules restrict calls to a window commonly described as 8 a.m. to 9 p.m. in the consumer's local time, and some states impose narrower windows or additional rules. The practical question for a lead buyer is whether their vendor's automated outreach enforces those windows automatically, using the consumer's location, not the sender's.
What should happen when a consumer opts out?
The opt-out should suppress further automated outreach to that consumer immediately and across the whole platform (not just within one message sequence), and the opt-out event should be recorded on the lead's timeline with a timestamp, so there's a defensible record of when contact stopped.
Why do consent records matter to me as a lead buyer?
Because if outreach to a lead is ever challenged, the first document anyone asks for is the consent record. A vendor who stores consent on every lead and can retrieve it on demand protects you; a vendor who can't leaves you defending calls with no paper behind them.
Is this article legal advice?
No. It's an operational checklist for evaluating lead vendors, written by a lead generation company. Telemarketing law is genuinely complicated and changes frequently. For your own obligations, consult a qualified attorney.
Your market has a limited number of seats.
We cap loan officers per market to keep every lead exclusive. Book a call to see if yours is still open.
Book a call