Consent & TCPA
The FCC Rule Died. CMS's Consent Rule Didn't. Don't Get These Confused.
A federal court struck down one FCC rule about consumer consent — but agencies buying Medicare leads are governed by two separate rulebooks, and only one of them changed.
Updated July 2026
The short answer
In January 2025, the 11th Circuit vacated the FCC’s one-to-one consent rule, which would have banned “bundled consent” for marketing robocalls and texts under the TCPA (the federal law governing telemarketing calls and texts). That ruling did not touch CMS’s separate requirement that TPMOs (third-party marketing organizations — lead vendors, call centers, agents) get a beneficiary’s written, recipient-specific consent before sharing their data with another TPMO or plan. If you buy Medicare leads, the CMS rule is the one that actually governs you.
What actually happened
The FCC’s 2023 order tried to redefine “prior express consent” under the TCPA to require one-to-one consent — a consumer agreeing to be called by a specific company, not a list of companies they never heard of. Lead-gen groups sued, and in Insurance Marketing Coalition Limited v. FCC, the 11th Circuit agreed the FCC overstepped its authority. The court vacated that part of the order in January 2025. The FCC does not have a live appeal reversing that outcome.
Practically, this means bundled consent — one checkbox covering multiple marketing partners — is legal again under the TCPA, the way it was before the FCC’s 2023 order. Standard TCPA prior-express-written-consent rules for telemarketing calls and texts still apply. Nothing about this ruling makes it legal to call someone who never consented at all.
Why the 'consent is dead' headlines don't apply cleanly to you
Most of the coverage of this ruling was written for telemarketing counsel across every industry — debt collection, solar, home services, insurance in general. Read literally, a lot of those headlines make it sound like the consent requirement disappeared. For a general marketing list, that’s roughly true.
For Medicare lead buyers specifically, it is not the full picture. CMS regulates TPMOs on its own track, independent of the FCC and the TCPA. That track was not part of this case, was not argued in this case, and was not affected by this case.
CMS's own consent rule, which this ruling never touched
Separate from the FCC, CMS requires that a TPMO get a beneficiary’s prior express written consent — naming the specific recipient — before sharing that beneficiary’s contact information with another TPMO or a plan sponsor for marketing or enrollment purposes. This is a data-sharing consent rule, and it is one-to-one by design: a beneficiary consents to being contacted by Vendor A, not to having their information passed to Vendors B through Z.
Nothing in the CY2027 Final Rule or the 11th Circuit’s decision changed this requirement. If a lead vendor tells you the FCC ruling means they can go back to selling the same lead to five buyers off one generic opt-in, that is a claim about the TCPA, not about CMS’s TPMO consent rule.
| FCC one-to-one consent rule (TCPA) | CMS TPMO consent requirement | |
|---|---|---|
| Status after 2025 | Vacated by the 11th Circuit — not in effect | Unchanged — still in effect |
| What it covered | Consent to receive marketing robocalls/texts from a specific company vs. a bundled list | Consent to have a beneficiary’s data shared from one TPMO to another TPMO or plan |
| Who enforces it | FCC, via TCPA private rights of action | CMS, via TPMO oversight and plan audits |
| What changed for agencies | Bundled consent is legal again for general marketing outreach | Nothing — recipient-specific written consent is still required before data sharing |
The practical question: should you change what you require from lead vendors?
No — not because of this ruling. If your intake process already requires documented, recipient-specific consent before a lead vendor hands you a beneficiary’s contact information, keep doing exactly that. That requirement comes from CMS, not the FCC, and CMS didn’t move.
Where this ruling matters is upstream, at the lead vendor’s own acquisition step — how they got the consumer’s consent to be contacted in the first place. A vendor whose intake form now uses bundled consent (one checkbox, several unnamed marketing partners) is on firmer TCPA ground than a year ago. But that same vendor still has to get separate, recipient-specific written consent before passing that consumer’s data to you as a TPMO. Ask which consent they’re describing before you assume anything changed for your side of the transaction.
Bundled consent vs. one-to-one consent: what's legal, what CMS still expects
- •Legal under TCPA today: a consumer checking one box to be contacted by multiple named or unnamed marketing partners for general telemarketing purposes.
- •Still required by CMS for TPMOs:a beneficiary’s written consent naming the specific TPMO or plan that will receive their data, obtained before that data changes hands.
- •Unaffected either way: the documented Scope of Appointment (SOA) requirement before a covered sales appointment — see what actually changed with the 48-hour SOA wait.
- •Unaffected either way: your obligation to have a Business Associate Agreement with any vendor that touches protected health information on your behalf — see the BAA checklist for call-center vendors.
A decision checklist before you change your lead-buying behavior
- Ask the vendor directly: is the consent you’re describing the TCPA consent for being contacted, or the CMS consent for sharing my data as a TPMO? These are not the same document.
- Confirm the vendor can produce a timestamped, recipient-specific consent record naming your agency — not a generic list opt-in — before you accept the lead.
- Don’t accept “the FCC ruling means we don’t need that anymore” as an answer. It’s true for the vendor’s own outreach consent. It is not true for the data-sharing consent CMS requires from TPMOs.
- Keep your existing intake and consent-logging process as-is if it already captures recipient-specific consent — there is no regulatory reason to loosen it.
- Re-check this if CMS issues further TPMO guidance; the FCC side of this is settled, but CMS updates its sub-regulatory guidance more often than the Federal Register moves.
Both over-correcting and under-correcting create risk
- 1Over-correcting— assuming nothing changed and re-litigating your own TCPA marketing consent language when it didn’t need to change — burns compliance-review time on the wrong problem.
- 2Under-correcting — assuming the FCC ruling gives you cover to accept leads without recipient-specific consent documentation — leaves you holding a CMS violation with no defense, because the CMS rule was never affected by this case.
- 3The safe read: treat the FCC ruling as good news for your vendors’ own marketing consent, and treat CMS’s TPMO data-sharing consent rule as exactly as strict as it was last year — because it is.
This is also where the audit trail earns its keep. ClaimFlow records the SOA timestamp and consent documentation for every lead at intake, so when a plan sponsor or CMS auditor asks which consent covered a given call, you have the record instead of a vendor’s word. See why compliance and attribution belong in the same system for the bigger picture, or check pricing for founding-member terms.
Get your compliance stack AEP-ready
Start with the AEP compliance readiness checklist — scripts, retention, consent capture, and attribution tagging, reviewed before Oct 15 volume hits.
Sources
Keep reading
AEP
Is Your Compliance Stack Ready for AEP — Not Just Your Sales Team?
HIPAA
Does Your Call-Recording Vendor Need a BAA? Here’s How to Tell
Strategy
Compliance Is the Wedge. Attribution Is the Retention.
Consent & TCPA
The Court Just Told You What Wins a TCPA Suit
Consent & TCPA
The $990K Lead-Vendor Mistake: You Own the Calls You Buy