Few federal statutes generate more litigation, more class actions, and more six- and seven-figure settlements than the Telephone Consumer Protection Act (TCPA). It is the law that governs how businesses may call and text consumers, and because it carries statutory damages of $500 to $1,500 per violation with no cap, a single non-compliant text campaign sent to thousands of numbers can produce existential liability. For a compliance topic that touches virtually every consumer-facing business with a phone or SMS channel, the TCPA gets remarkably little attention until a demand letter arrives.

And 2025–2026 was one of the most consequential periods for TCPA rules in years — largely because the most significant new regulation of the past decade was struck down before it ever took effect.

In late 2023, the FCC adopted what became known as the one-to-one consent rule, aimed squarely at the lead-generation industry. Under it, “prior express written consent” for telemarketing robocalls and robotexts would have had to be given to one identified seller at a time, and the calls would have had to be “logically and topically associated” with the website where consent was obtained. The practical effect would have been to dismantle the comparison-shopping lead-gen model, in which a consumer fills out one form and consents to contact from many partner sellers at once.

It never happened. On January 24, 2025, in Insurance Marketing Coalition v. FCC, the Eleventh Circuit vacated the rule — issued, notably, immediately after the FCC had postponed the rule’s effective date. The court held that the FCC had exceeded its statutory authority. Because “prior express consent” is undefined in the TCPA, the court reasoned, the phrase must carry its plain and ordinary meaning: to give prior express consent to a robocall, a consumer “need only clearly and unmistakably state, before receiving the robocall, that he is willing to receive it.” The FCC’s one-to-one and topical-association requirements impermissibly altered that ordinary meaning.

The FCC subsequently deleted the vacated language and reinstated the prior version of the rules, consistent with its broader “Delete, Delete, Delete” deregulatory proceeding. So as of 2026, the lead-generation consent standard reverts to the pre-2023 status quo: prior express written consent, without the one-to-one constraint.

The compliance takeaway is double-edged. The collapse of the one-to-one rule is a reprieve for lead generators and the businesses that buy leads — the feared restructuring is off the table. But it does not eliminate the underlying requirement for valid prior express written consent, and it does not slow the plaintiffs’ bar, which continues to litigate consent defects aggressively under the reinstated standard.

The ‘revocation-all’ rule: delayed to January 31, 2027

The second major development concerns revocation of consent — a consumer’s right to opt out. The FCC had adopted a rule, originally set to take effect in April 2026, that compliance teams nicknamed the “revocation-all” requirement. In broad terms, it would require a business to treat an opt-out request as revoking consent for all automated marketing messages and informational/transactional calls or texts from that sender — across all purposes and channels — not just the specific campaign the consumer replied to.

In January 2026, the FCC issued an order delaying that requirement until January 31, 2027. The delay gives businesses roughly a year of additional runway, but it is a postponement, not a repeal. The direction of travel is clear: when a consumer says “stop,” regulators expect that to mean stop everywhere, and the systems to honor a cross-channel, cross-purpose opt-out need to be built before the 2027 date arrives.

The other already-effective revocation principles remain in force and are heavily litigated: businesses must honor opt-out requests made through any reasonable means, must process them within a reasonable time (the FCC has pointed to a 10-business-day standard), and may send a single confirmation message after an opt-out without it being treated as a new violation.

Why this still matters enormously

It would be easy to read “the big new rule was struck down and the other was delayed” as “nothing to do here.” That is the wrong conclusion, for three reasons.

First, the statute itself is unchanged and ferociously enforced by private litigants. TCPA class actions do not depend on the FCC’s newest rules; they turn on the core prohibitions — calling numbers on the National Do Not Call Registry, using an automatic telephone dialing system or prerecorded voice without consent, texting without prior express written consent. Those claims are filed every day, and $500–$1,500 per message scales to catastrophe across a list.

Second, consent quality is now the entire battleground. With the one-to-one rule gone, the fight shifts to whether your prior express written consent is genuine, documented, and provable. Plaintiffs probe the consent capture: Was the disclosure clear and conspicuous? Is there a retained record tying this specific consumer to this specific consent? Purchased leads are a particular danger zone — you inherit the consent defects of whoever captured them.

Third, AI-generated voice and texting raised the stakes. The FCC has confirmed that AI-generated voice calls are “artificial” voices under the TCPA, meaning they require the same prior express consent as prerecorded calls. As businesses deploy AI calling agents, they are deploying them directly into TCPA scope — often without realizing the consent requirements attach.

What to do now

  1. Do not loosen consent practices because the one-to-one rule died. Valid prior express written consent is still required for marketing robocalls and robotexts. The standard reverted; it did not disappear.
  2. Audit your consent records. For every number you call or text for marketing, you should be able to produce a dated, specific record of consent. If you cannot prove it, you cannot defend it.
  3. Treat purchased leads as inherited liability. Diligence the consent capture of any lead source, secure contractual indemnities, and retain the underlying consent evidence — not just the phone number.
  4. Build for revocation-all now, ahead of January 31, 2027. Engineer your suppression so that an opt-out on any channel propagates across all marketing purposes and channels for that consumer. Honor opt-outs within 10 business days and limit post-opt-out messaging to a single confirmation.
  5. Scrub against the Do Not Call Registry and maintain an internal DNC list. These remain among the most common and most provable TCPA claims.
  6. Bring AI calling/texting agents into TCPA governance. AI voice is “artificial voice” under the statute. Any AI-driven outbound channel needs the same consent foundation as a prerecorded campaign.

The TCPA is the rare compliance area where the regulatory headlines of the past year — a vacated rule, a delayed rule — understate the ongoing exposure. The rules around the edges moved; the litigation engine at the center did not. For any business with an outbound phone or SMS program, consent provability is the whole game, and it just became the only game.

This article is provided for informational purposes only and does not constitute legal advice.