
The Hidden Legal Risk of Fake Leads: TCPA Compliance for Advertisers (2026)

Most PPC advice treats fake leads as a budget problem. They are also a legal one. If your team calls or texts a lead that never genuinely consented, the liability lands on you, not the company that sold you the lead.

By PPC specialists
This article is general information, not legal advice. Consult a qualified attorney about your specific situation.

Quick Answer

Fake and unconsented leads are a legal liability, not just wasted spend. Under the US TCPA, the business that makes the call or sends the text is liable, not the lead seller. Penalties run $500 per negligent violation and up to $1,500 per willful violation, with class settlements regularly in the millions. The much-discussed one-to-one consent rule was struck down in 2025 and is not in force, but the underlying duty to obtain and document genuine consent remains. Run a free wasted spend analysis to see how many of your leads look suspect.

Why Fake Leads Are a Legal Problem, Not Just Wasted Spend

When advertisers talk about fake leads, the conversation almost always stops at money. You paid for a click, a bot or a paid form-filler submitted junk, and your cost per acquisition took the hit. That is real, and it is worth fixing. But it is only half the story.

The other half is what happens next. Most businesses do not let a lead sit in a spreadsheet. They call it. They text it. They drop it into an automated follow-up sequence. The moment you contact a phone number that never genuinely opted in to hear from you, you have potentially crossed a legal line under the US Telephone Consumer Protection Act (TCPA).

Fake and fraudulent leads make this worse in a specific way. A bot-submitted form, a recycled number from a shady vendor, and a consent checkbox that was pre-ticked or buried all produce contacts you have no real permission to call. The fraud that wasted your budget is the same fraud that creates your legal exposure. Cleaning it up protects both.

If you want the broader picture on how this junk enters your funnel in the first place, start with our complete guide to lead generation fraud.

Who Is Actually Liable: The Business Making the Call

This is the single most misunderstood point, so it is worth being blunt about it. Under the TCPA, liability generally falls on the business that makes the call or sends the text, not the lead generator that sold the contact.

You cannot buy your way out of compliance. A vendor can tell you every lead is fully consented, hand you a tidy paper trail, and stamp it with reassuring language. None of that transfers the legal risk off your shoulders. If the number you dialed did not actually provide valid prior express written consent to be contacted by you, you are the party a plaintiff or regulator will come after.

That asymmetry is exactly why fake leads are so dangerous. The seller collects payment and moves on. The advertiser inherits the contact, the call, and the liability. Treating a purchased lead list as someone else's compliance problem is one of the most expensive assumptions in performance marketing.

The Penalties

The TCPA carries statutory damages that do not require a plaintiff to prove actual financial harm. That is what makes it such fertile ground for litigation:

  • $500 per violation for negligent violations.
  • Up to $1,500 per violation for willful or knowing violations.

The detail that turns these numbers into a real threat is the phrase "per violation." Each individual call or text can count as its own violation. Multiply $500 to $1,500 across an automated dialing or texting campaign that touched thousands of numbers and the math becomes alarming very quickly. This is why TCPA class action settlements regularly reach the millions.

Regulators take the lead generation side seriously too. In January 2024, the FTC settled with Response Tree LLC, a lead generator that ran more than 50 deceptive websites to harvest consumer data. The action banned the company from telemarketing for life under a $7 million suspended judgment. The lesson cuts both ways: deceptive lead generation draws regulatory fire, and buying from that ecosystem pulls you closer to it.

The One-to-One Consent Rule: Why Most 2024 to 2025 Advice Is Wrong

If you have read anything about TCPA and lead generation in the last couple of years, you have almost certainly seen breathless coverage of the FCC's "one-to-one consent rule." The idea was that a consumer would have to consent to be contacted by each specific seller individually, rather than handing one broad consent to a long list of partner companies behind a single checkbox.

Here is the critical fact a lot of content gets wrong: that rule is not in force. The FCC's one-to-one consent rule was vacated by the Eleventh Circuit on 24 January 2025 in Insurance Marketing Coalition v. FCC, and the FCC subsequently repealed it. A great deal of 2024 and 2025 guidance was written in anticipation of the rule taking effect and simply assumes it is active. It is not.

Do not let that lull you into complacency. The one-to-one consent rule being struck down does not erase the TCPA. The underlying consent obligations are still very much alive. You still need valid prior express written consent before placing certain automated marketing calls and texts. The mechanism that would have made consent more granular is gone, but the duty to obtain and prove genuine consent remains. Documenting it properly still matters, arguably more than ever, because it is the evidence that protects you when a claim lands.

How to Protect Yourself

Compliance and lead quality are the same project approached from two angles. Here is where to focus.

1. Document genuine consent

Your consent language should be clear, specific, and name your company, placed directly next to the submit button rather than buried in a footer or a pre-ticked box. The person submitting the form should plainly understand who they are agreeing to hear from and how. Capture and store the timestamp, the language shown, the IP address, and the page URL so you can reconstruct exactly what the user saw and agreed to. That record is your single best defense if a contact is ever challenged.

2. Run real vendor due diligence

If you buy leads, treat the vendor like a compliance partner, not a faucet. Demand traffic-source transparency so you know where the leads actually originated. Require access to the underlying consent records, not just a blanket assurance. And insist on a clear return or credit policy for invalid and fraudulent leads. A vendor that cannot or will not show you any of this is selling you risk along with the leads.

3. Scrub against do-not-call and suppression lists in real time

Before any number is dialed, check it against do-not-call and internal suppression lists at the moment of contact, not on a weekly batch that is already stale. Real-time scrubbing catches numbers that should never be called and keeps your suppression list authoritative as it grows.

4. Scrub fake leads before they are ever called

The cleanest way to avoid calling a number you have no right to call is to filter the fraud out before it reaches the dialer. Detect and quarantine bot submissions, gibberish entries, recycled numbers, and suspicious patterns at the point of capture. The same filtering that protects your budget protects your compliance posture. For practical tactics on stopping junk at the source, see our guide to stopping spam leads in Google Ads.
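One way to enforce steps 1, 3 and 4 as a single gate in front of the dialer, as an added example (not code from this article or from PPC Chief). The function names, reason strings, `Example Roofing Co` and the sample records are hypothetical, and `is_suppressed` stands in for whatever do-not-call and suppression lookup you actually use.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ConsentRecord:
    # The four items the article says to capture with each form submission.
    timestamp: str       # when the form was submitted (ISO 8601)
    language_shown: str  # exact consent text displayed next to the submit button
    ip_address: str
    page_url: str

def normalize_us_phone(raw):
    """Reduce a US number to 10 digits so lookups match whatever the formatting."""
    digits = re.sub(r"\D", "", raw or "")
    digits = digits[1:] if len(digits) == 11 and digits[0] == "1" else digits
    # NANP area codes and exchanges start with 2-9; anything else is junk input.
    return digits if re.fullmatch(r"[2-9]\d{2}[2-9]\d{6}", digits) else None

def may_dial(raw_phone, consent_store, is_suppressed, company):
    phone = normalize_us_phone(raw_phone)
    if phone is None:
        return False, "quarantine: invalid phone number"
    rec = consent_store.get(phone)
    if rec is None:
        return False, "block: no consent record"
    if not all((rec.timestamp, rec.language_shown, rec.ip_address, rec.page_url)):
        return False, "block: incomplete consent record"
    if company.lower() not in rec.language_shown.lower():
        return False, "block: consent language does not name the company"
    if is_suppressed(phone):  # called at dial time, never read from a stale batch
        return False, "block: on suppression list"
    return True, "ok"

# Constructed sample data (fictional 555-01xx numbers, hypothetical company).
COMPANY = "Example Roofing Co"
CONSENTS = {
    "2025550143": ConsentRecord(
        "2026-01-15T14:02:11Z",
        "I agree to receive calls and texts from Example Roofing Co at this number.",
        "203.0.113.7", "https://example.com/quote"),
    "2025550167": ConsentRecord(
        "2026-01-15T14:05:40Z", "I agree to be contacted by our partners.",
        "203.0.113.9", "https://example.com/quote"),
}
SUPPRESSED = set()  # stands in for do-not-call plus internal suppression lookups

if __name__ == "__main__":
    for number in ("+1 (202) 555-0143", "202-555-0167", "000-000-0000"):
        print(number, may_dial(number, CONSENTS, SUPPRESSED.__contains__, COMPANY))
```

Because the suppression check is a callable evaluated inside `may_dial`, a number added to the list a second before the call is still blocked.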

Clean Pipelines Are a Budget Win and a Compliance Win

The same fake leads that drain your budget are the ones that create legal exposure when your team calls or texts them. That is the quiet good news. Every improvement you make to lead quality (tighter consent capture, honest vendors, real-time scrubbing, and fraud filtering) pays you twice. You spend less on junk and you shrink your TCPA risk surface at the same time.

If you want to know how much of your current spend is going to leads that should never have been called, PPC Chief offers a free Wasted Spend Analysis. Prefer to talk it through with a specialist? Get in touch and we will help you tighten both your lead quality and your compliance footing.

Fake Leads and TCPA Risk — Frequently Asked Questions

  • Both. Beyond the obvious wasted spend, fake and unconsented leads expose the business that calls or texts them to liability under the US Telephone Consumer Protection Act (TCPA). If a lead never genuinely consented to contact, the call or text can be a violation regardless of where the lead came from.
  • Liability under the TCPA generally falls on the business that makes the call or sends the text, not the lead seller that supplied the contact. You cannot outsource compliance by buying leads. If you dial a number without valid prior express written consent, you are the party exposed, even if a vendor promised the lead was consented.
  • Statutory damages are $500 per violation for negligent violations and up to $1,500 per willful violation. Because each call or text can count as a separate violation, totals scale fast, and class action settlements regularly reach the millions.
  • No. The FCC's one-to-one consent rule was vacated by the Eleventh Circuit on 24 January 2025 in Insurance Marketing Coalition v. FCC and was subsequently repealed by the FCC. A lot of 2024 and 2025 content wrongly assumes it is active. It is not. The underlying TCPA consent obligations still apply, so documenting genuine consent still matters.
  • Document genuine consent with clear, specific, named-company language next to the submit button. Run vendor due diligence on traffic-source transparency, consent records, and return policy. Scrub against do-not-call and suppression lists in real time before dialing. And filter out fake or fraudulent leads before they are ever called.
