What Records Do Dealerships Need for TCPA Defense?

TCPA statutory damages start at $500 per text message — and jump to $1,500 if a court finds willful violation. For a dealership running a BDC sending hundreds of follow-up texts a day, a single missing consent record can turn a routine lead-response workflow into a six-figure exposure.

Why TCPA Record-Keeping Is a Dealership-Specific Problem

Most industries collect leads through one or two channels. A dealership might pull prospects from Cars.com, CarGurus, AutoTrader, the dealer website, walk-in trade-in forms, service lane tablets, conquest campaigns, and third-party finance portals — sometimes all in the same week. Each source has different consent language, and each represents a separate paper trail you’ll need to produce if you’re ever sued.

The complexity compounds when staff turnover is high. A BDC rep who set up an SMS drip sequence in VinSolutions 18 months ago is likely gone by the time a class-action notice arrives. If the record of how and why that customer was enrolled in texts lives only in someone’s memory, you have a problem.

Understanding the record-keeping requirements also matters for day-to-day operations. Read Does SMS Marketing Work for Car Dealerships in 2026? to understand how compliance shapes which SMS programs are actually worth running.

The 6 Records Every Dealership Must Retain

A defensible TCPA file has six components. Miss any one of them and you’re arguing from a weakened position.

1. Timestamped opt-in record — exact date, time, and method (web form, text-to-join, verbal with script confirmation, etc.).
2. Source URL or consent script — a screenshot or archived copy of the form language the consumer saw when they agreed, including your dealership’s name.
3. Phone number match confirmation — proof the number you texted is the one associated with the consent event.
4. Lead-source documentation — if the lead came through AutoTrader or a third-party aggregator, a copy of their consent terms in effect on the date of submission.
5. Opt-out log — every STOP request, the timestamp it was received, and confirmation it was honored within the required window.
6. Message delivery receipts — carrier-level or platform-level logs showing which messages were sent, to which number, and when.

How Long to Keep TCPA Records (Statute of Limitations Explained)

The federal TCPA carries a 4-year statute of limitations under 28 U.S.C. § 1658. That means a plaintiff can file suit up to four years after the alleged violation — so a text sent today is still actionable in 2030.

Several states, including California and Florida, have their own telephone solicitation laws with different limitation periods. Defaulting to 5 years of retention gives you coverage against both federal claims and most state-level exposure without requiring a jurisdiction-by-jurisdiction legal audit.

Store records in a format that’s searchable by phone number. A PDF archive that takes 40 hours to manually search is technically compliant but practically useless in litigation.

Where These Records Should Live (CRM, SMS Platform, or Both)

The practical answer is both — with a designated system of record.

Platforms like VinSolutions, eLead, and CDK can log consent at the lead-entry point if configured correctly. SMS platforms like Podium and Conversica maintain delivery receipts on their end. The gap is that neither system automatically links the consent record to the delivery receipt to the opt-out log in a single retrievable file.

Dealerships running Synthevo today get an audit trail that timestamps consent source, message delivery, and opt-out events in one unified log — exactly what an attorney would need to produce in response to a litigation hold letter. Vanguard Auto Group, operating across 50-plus rooftops in the Sterling, VA market, uses this kind of centralized record architecture to manage compliance across a high volume of daily AI-assisted conversations without requiring a dedicated compliance officer to manually reconcile platform exports.

What Happens When a Record Is Missing During Litigation

When a plaintiff’s attorney sends a demand letter, the first thing they ask for is consent documentation. If you can’t produce it quickly and cleanly, settlement pressure escalates immediately — regardless of whether you actually had valid consent.

Courts do not require plaintiffs to prove you lacked consent. The burden shifts to you to prove you had it. “We always get consent” is not a defense. A timestamped record is.

The Contrarian Take: Your CRM Vendor Is Not Your Compliance Partner

Most dealers assume their CRM vendor owns the compliance burden. It’s an easy assumption — you’re paying for the software, the software sends the texts, so the software company must be responsible if something goes wrong.

Courts have consistently ruled otherwise. The dealership is the sender under TCPA. The CRM provider is a tool. When consent records can’t be produced, judges and juries do not look at your VinSolutions contract — they look at the entity whose name was in the text message. That’s yours. See how this fits into the broader shift in BDC operations in The State of Automotive BDC in 2026: 7 Trends Every GM Should Know.

Objection Handled: “We Use Opt-In Forms, Isn’t That Enough?”

A checkbox on a lead form is a start, not a finish. The TCPA requires that written consent for marketing texts specifically identify the dealership by name, explicitly authorize autodialed messages, and not be bundled as a condition of purchase. Generic “contact me” language that a web vendor dropped in four years ago may not meet the current standard — particularly after the FCC’s 2024 one-to-one consent rule changes tightened what counts as valid express written consent for multi-seller lead aggregators.

Audit your forms annually. Archive a dated copy every time consent language changes. If a form has been live for three years unchanged, pull a screenshot now and save it with a timestamp. It costs ten seconds and could be worth considerably more in a dispute.

Quick-Reference Checklist: TCPA Defense File for Dealers

Record	What to Capture	Minimum Retention
Opt-in event	Timestamp, source URL/script, phone number	5 years
Lead-source consent terms	Third-party T&C copy dated at submission	5 years
Message delivery receipts	Platform log, carrier confirmation if available	5 years
Opt-out log	STOP keyword, timestamp, confirmation of suppression	5 years
Consent form versions	Archived screenshot with date each version went live	Indefinitely
Suppression list	Full DNC and internal opt-out list, updated in real time	5 years

Managing consent across every lead source also intersects with your broader customer experience strategy — including how you handle post-sale communications. How should a car dealership respond to Google reviews? covers the related question of what you can and can’t say in automated follow-up that requests feedback.

---

If you want to see how Synthevo auto-generates a complete, attorney-ready audit trail for every AI-assisted conversation your BDC handles, request access to our live demo and we’ll walk through exactly what gets logged and how it’s stored.