Consent & TCPA
The Court Just Told You What Wins a TCPA Suit
Hossfeld v. Allstate didn't just clear one insurer of vicarious liability. It laid out, on the record, exactly what evidence made the difference — and it's evidence most agencies aren't currently keeping.
Updated July 2026
The short answer
On June 24, 2026, the Seventh Circuit held that Allstate was not vicariously liable under the TCPA for telemarketing calls made by a sub-vendor several steps removed in its lead-generation chain. The court applied traditional agency-law principles and found that Allstate’s documented vendor oversight and its prompt corrective action when problems surfaced were enough to defeat the claim. Compare that outcome to the $61 million Krakauer v. DISH verdict and the $990,000 Health Insurance Associates settlement, where the record showed no comparable oversight — and the pattern is clear: the paper trail you build before a suit is filed is the defense.
What the court actually decided
According to legal summaries of the decision from Bubeck Law and Mondaq, a unanimous Seventh Circuit panel rejected an expansive theory of TCPA vicarious liability that would have held Allstate responsible for calls made by a marketing sub-vendor operating several layers down its lead-generation chain. The court applied ordinary common-law agency principles — the same framework used in Krakauer — and found that the relationship between Allstate and the offending caller didn’t establish the kind of control or ratification that creates vicarious liability.
Two facts did the work in Allstate’s favor: it had documented processes for overseeing its vendors, and when it learned of potential problems in the chain, it acted on them promptly rather than ignoring them. The court treated both as evidence weighing against a finding of agency — not as boilerplate compliance-policy language, but as facts in the record.
Same legal theory, opposite outcomes — the difference was the record
Vicarious liability under the TCPA isn’t a coin flip decided by which circuit hears the case. It turns on the facts each defendant can put in the record. Put the three cases side by side and the pattern that separates a $61 million verdict from a clean win is visible.
| Case | Outcome | What the record showed |
|---|---|---|
| Krakauer v. DISH (4th Cir., 2019) | $61M verdict affirmed | No documented vendor oversight sufficient to defeat agency; DISH held liable for a retailer’s calls |
| Health Insurance Associates settlement (2024–25) | $990K class settlement | Lead vendor’s Do-Not-Call violations traced to the agency’s warm-transfer relationship |
| Hossfeld v. Allstate (7th Cir., 2026) | Vicarious liability rejected | Documented oversight process plus prompt corrective action when issues surfaced |
The legal question in all three was essentially the same: is the defendant responsible for a vendor’s calls under agency principles. The answer changed based on what each defendant could actually document, not on sympathy for the calling party or the size of the company being sued.
Don't confuse this with the one-to-one consent ruling — different case, different question
It’s easy to conflate this decision with the other major TCPA development from the past two years: the Eleventh Circuit’s January 2025 vacatur of the FCC’s one-to-one consent rule in Insurance Marketing Coalition v. FCC. That case addressed a different question entirely — whether the FCC had authority to require consent naming a specific company rather than allowing bundled consent across multiple marketing partners. The court vacated that rule on administrative-authority grounds. It did not touch the underlying vicarious-liability doctrine at issue in Hossfeld, and it did not weaken the baseline Do-Not-Call or prior-express-written-consent requirements that still govern telemarketing calls. See the full breakdown of what changed and what didn’t if you need the distinction spelled out for lead buyers specifically.
Two separate rulings, two separate legal questions. One narrowed a consent-formatting rule. The other clarified what evidence defeats a vicarious-liability claim. Both matter to Medicare lead buyers; neither substitutes for the other.
What 'documented oversight' actually has to look like
The opinion doesn’t hand agencies a certification checklist, but the fact pattern it credited points to a specific standard: not just having a vendor contract with compliance language in it, but being able to show active, ongoing oversight and a documented response when something went wrong.
- 1A documented vetting process before onboarding a vendor — not just a signed agreement, but evidence you assessed how the vendor generates and consents leads before you started buying from them.
- 2Ongoing monitoring, not a one-time check— periodic review of the vendor’s practices, complaint rates, or consent documentation over the life of the relationship.
- 3A documented response when problems surface — this is the piece that specifically helped Allstate. When issues were identified, action followed, and that action is part of the record.
- 4Consent and call records tied to the specific vendor and lead— so if a claim names your agency, you can show which vendor supplied which lead and what consent covered it, rather than a general assertion that your vendors are “vetted.”
Building the record before you need it
The uncomfortable truth in all three cases is that the defense was built — or wasn’t — long before any lawsuit was filed. Nobody assembles vendor-oversight documentation after being served. The agencies and carriers that come out ahead are the ones whose ordinary operating process happens to generate exactly the record a court wants to see.
- Log which vendor supplied every lead, at intake, not reconstructed later from memory.
- Keep consent documentation tied to the specific lead and call, not a general vendor assurance.
- Review vendor complaint rates and Do-Not-Call scrub practices on a recurring schedule, and document that you did.
- When a problem surfaces — a complaint, a bounced number, a vendor pattern that looks off — document the corrective action taken, and when.
- Keep the underlying call recording retrievable, since it’s the fastest way to resolve a dispute about what was actually said or consented to. See how a complaint moves through the carrier’s investigation chain for the parallel compliance-side version of this same discipline.
This is the same underlying operating discipline whether the threat is a CMS-adjacent carrier investigation or a TCPA class action — the two threats just show up on different letterhead. A system that captures consent, call recordings, and lead source automatically at intake builds this record as a byproduct of normal operations, instead of as a scramble after a complaint or a summons arrives.
See this on your own numbers
ClaimFlow ties every recorded, SOA-timestamped call to the lead source and the commission it produced — compliance record and ROI answer from the same log. Founding members get 50% off setup and a rate locked for life.
Sources
- Bubeck Law — Seventh Circuit rejects expansive TCPA vicarious liability theory (Hossfeld v. Allstate)
- Mondaq — Unanimous Seventh Circuit panel limits TCPA liability for downstream telemarketers
- Troutman Pepper — Fourth Circuit affirms $61M vendor-liability verdict, Krakauer v. DISH
- Wiley — 11th Circuit vacates FCC’s one-to-one TCPA consent rule