"TCPA compliant" is the most common — and least verified — claim in lead generation. The difference between a marketing line and an audit-grade program is whether the vendor can produce the artifacts for a single call, on demand.
If a vendor cannot pull the paper trail for a specific call within minutes of your request, you are not buying their compliance. You are absorbing their risk. This guide walks through every artifact in a complete consent chain, what each one actually proves, and how to verify it before you buy.
The premise: marketing language vs. provable compliance
Every inbound-call vendor has a compliance page. Most of them list the same four or five buzzwords — TCPA, DNC, TrustedForm, Jornaya — and stop there. That is not a compliance stack. That is a homepage.
Audit-grade compliance means one thing: for any individual call in your account, the vendor can produce a complete, timestamped evidence chain — before the call ever connected. Not in aggregate. Not as policy documents. Per call, on demand.
Why before connect? Because the audit trail needs to exist at the moment the call was made. Retroactive documentation is not documentation — it is reconstruction. If a complainant files a claim, regulators and plaintiff attorneys do not want to see your vendor’s privacy policy. They want the artifact that proves a specific person, at a specific time, gave express written consent to be contacted at a specific number.
The six artifacts — and what each one proves
A complete audit-grade consent trail for a single inbound call requires all of the following. Missing any one of them leaves a gap a plaintiff or regulator can step through.
| Artifact | What it proves | How to verify |
|---|---|---|
| Express written consent (source page) | The prospect affirmatively consented — in writing — to receive calls at their number, naming the calling entity, on the page they submitted | Request a screenshot or archived copy of the consent capture page, with the exact disclosure language visible. The timestamp must precede call connect. |
| Jornaya LeadiD token | An independent third-party witness that the consent event occurred in a real browser session at a specific date and time — not fabricated after the fact | Request the LeadiD token for a sample call. Validate it directly through Jornaya’s portal to confirm it matches the session. |
| TrustedForm certificate | A session recording of the browser interaction during consent capture — keystrokes, scroll depth, form fields — tied to the IP address and device | Request the TrustedForm certificate URL for a sample call. Open it to confirm the recording shows the consent disclosure was fully visible before submission. |
| Federal + state DNC scrubs | The number was checked against the National DNC Registry and applicable state DNC lists before the campaign went live | Ask for the scrub date and SAN registration number. SAN registration is publicly verifiable at the FTC. |
| SAN registration | The calling entity is a registered subscriber to the National DNC Registry — a baseline requirement for any compliant outreach program | Verify the SAN number through the FTC’s DNC portal. If the vendor cannot provide one, stop. |
| Carrier-level number block validation | The number has not been flagged by the carrier or number-reputation systems as blocked or invalid — so the call itself is deliverable and not routing around a block | Ask whether they run carrier-level validation pre-connect. This is often the artifact vendors skip entirely. |
An omitted artifact or a "0" in any column means you inherit the exposure for that gap.
The direction of consent rules: why specificity matters more now
The regulatory trend in TCPA enforcement has moved consistently toward stricter, more specific consent requirements. The general direction has been away from broad, bundled consent language — where a single form submission purported to authorize calls from dozens of unrelated companies — and toward what is sometimes called one-to-one consent: the consumer knows exactly which entity is being authorized, and the consent is specific to that entity.
What this means practically: consent language that said "you may be contacted by our marketing partners" — with a list of fifty companies in a dropdown — is increasingly the kind of consent that does not hold up. Regulators have signaled that the consumer must have a clear, direct relationship to the entity placing the call. Vague partner lists and pre-checked boxes are the paper trails that generate complaints.
Buying calls with documented, per-call, named-entity consent puts you on much stronger footing than buying from a vendor operating under legacy broad-consent practices. But the consent quality is only as good as the source page — and you cannot verify the source page without seeing it. That is why the audit trail, not the vendor’s assurances, is the product.
State-level rules add another layer. Many states have their own consent statutes that are stricter than the federal floor. Some require specific disclosure language, specific opt-out mechanisms, or limits on calling hours that differ from federal rules. If you are buying calls across multiple states, the compliance burden is not uniform. See the state-by-state compliance map for a vertical-by-vertical breakdown.
How Ringelo builds the audit trail
Ringelo owns the entire funnel — from ad creative to landing page to consent capture to live bridge. There is no third-party lead aggregator in the chain, which means no handoff where documentation gets lost or diluted.
- Express written consent is captured on the source landing page, with disclosure language naming Ringelo as the calling entity. The timestamp is logged before the call ever routes.
- Jornaya LeadiD tokens are generated at the moment of consent — an independent, timestamped record that the session was real.
- TrustedForm certificates record the full browser session so there is a playable audit artifact showing the consent disclosure was visible and completed.
- Federal and state DNC scrubs run on every campaign before it goes live, with SAN registration in place.
- Carrier-level number validation runs before connect — calls that cannot deliver cleanly do not get bridged.
- The full audit log is retained and queryable. If a call is disputed, the artifacts are there, not in a queue.
The result is that every call arriving at your dialer has a complete, per-call evidence chain that existed before connect — not assembled after the fact. Agents who want to verify this firsthand can request access on Ringelo OS and review the audit trail on live campaigns. For more on how real-time inbound calls work technically, or how the 90-second drop buffer protects you on non-compliant connects, those guides have the detail.
How to vet any vendor before you buy
Before your first campaign goes live, ask for the following in writing. A vendor with a real compliance stack will answer quickly and specifically. Vague responses — "we take compliance seriously" or "we work with certified partners" — are not answers.
- 01Pull the audit trail for a sample call from a prior campaign — LeadiD token, TrustedForm cert, consent page screenshot, DNC scrub date, SAN number. If they cannot do this within the hour, stop.
- 02Ask to see the consent disclosure language on the actual source page — not a generic privacy policy, the specific language the prospect saw before submitting.
- 03Confirm whether they use one-to-one named consent (your entity named) or broad partner-list consent (legacy, higher risk).
- 04Ask whether DNC scrubs are run per-campaign or per-call, and whether carrier-level number validation is in the stack.
- 05Get the dispute and credit policy in writing — for both automated credits (drops, dead air, wrong state) and manually reviewed disputes. Same-business-day resolution is the bar.
Ringelo live inbound programs
real conversations on qualified inbound
vs shared-call vendors, partner agencies